Creating a Windows 7 Self Updating Hardware Independent Image Using Deployment Solution 6.9sp4 and Symantec Management Platform 7.X
Prerequisites:
- Symantec Deployment Solution v6.9sp4 Installed
- PXE Server and DHCP Server Running Correctly in your environment
- WIN PE as PXE Option
- Windows 7 WAIK Installed on Machine other than Deployment Server
- Symantec Notification Server 7.X with Patch Management Solution Installed
Links:
Windows 7 AIK - http://www.microsoft.com/downloads/en/details.aspx...
REMEMBER: test imaging first without any patches. Once that is working correctly, add patches as needed, because certain patches can break an image (not permanently; they just have to be removed from the Updates$ share).
Steps:
- Install Windows 7 WAIK from Microsoft’s site onto any Windows XP/Vista or 7 client box.
- Create a folder on the Deployment Server eXpress share under WAIK folder called Tools_v2
- Copy the contents of the following directory, C:\Program Files\Windows AIK\, on the client machine to the WAIK directory, renaming the folder Tools_v2.
- Install the version of Windows 7 on a system, to create our base image.
- Patch to the latest level. (This will be the last time we have to update the image: from this point on, all enabled patches are installed after the image is laid down, so no more quarterly security updates :) )
- Modify all settings in the user profile to match how you would like the default user profile to look. Remember, we can change a lot of these after the fact, but we would like to get as close as possible to the end result we want. REMEMBER: do not install either the dagent or the NS agent. We will do this post imaging, via the SetupComplete.cmd file (formerly known as cmdlines.txt). Now onto creating our unattend.xml file (formerly known as sysprep.inf).
- On the client machine with the Windows 7 AIK installed, insert your Windows 7 DVD and Launch Windows System Image Manager. We will now create our unattend.xml file (formerly known as sysprep.inf). DO NOT install the WAIK on the computer you are making the Windows 7 Image on.
- The main areas of the unattend.xml file we are concerned with are,
Generalize (Phase 3)
Specialize (Phase 4)
Out of the Box Experience, also known as OOBE (Phase 7)
Fig 1. Opening Windows System Image Manager
Fig 2. Adding Windows install.wim image
Fig 3. Choosing Windows 7 Image Type (Should be either Enterprise or Professional)
Fig 4. Create a New Answer File
Fig 5. Disable workstation from becoming a network browser
Fig 6. Disable workstation from becoming a network browser
Fig 7. Configuring Language Settings
Fig 8. Configuring Language Settings
Fig 9. Configuring Language Settings
Fig 10. Configuring Computer Name and Company Information
Fig 11. Configuring Computer Name and Company Information – Also put in KMS/MAK Key
Fig 12. Disabling EULA and configuring Network Updates and Location
Fig 13. Disabling EULA and configuring Network Updates and Location
Fig 14. Configuring Built In Administrator Accounts Password
Fig 15. Configuring Built In Administrator Accounts Password
Fig 16. Configuring Additional User Account (Required)
Fig 17. Configuring Additional User Account (Required)
Fig 18. Configuring Additional User Account (Required)
Fig 19. Enabling Remote Desktop
Fig 20. Enabling Remote Desktop
Fig 21. Enabling Automatic Domain Join for Computer Account
Fig 22. Enabling Automatic Domain Join for Computer Account
Fig 23. Enabling Automatic Domain Join for Computer Account
Fig 24. Enabling Automatic Domain Join for Computer Account
Fig 25. Configure Language for OOBE Settings
Fig 26. Configure Language for OOBE Settings
Fig 27. Configure Timezone for OOBE
Fig 28. Saving unattend.xml file to Desktop –Ignore warnings, as these are settings we did not set.
Note:
Phase 1 (WinPE) is not used, as the PXE Boot Disk Creator is what replaces this.
Phase 2 (Service Mode) is no longer used; this was for Windows Vista driver injection.
Phase 5 (auditSystem) is for adding drivers the old-fashioned way, by putting them in a directory. However, it requires another sysprep command after the machine boots into audit mode, which in turn requires the Altiris dagent to be installed in the image.
Phase 6 (auditUser) see above.
(9) Copy the unattend.xml file to the Windows 7 Base Image Machine, C:\Windows\System32\Sysprep\unattend.xml
(10) Copy the unattend.xml file to the eXpress Share\Sysprep\unattend.xml.
(11) Run the command, C:\Windows\System32\Sysprep /generalize /oobe /shutdown. After the computer has shut down, create a new machine in the Altiris DS console using the primary lookup key, in most cases specifying the MAC address, as follows,
(12) Now create a “Create Disk Image” job to capture the image we have now created. Drag and drop this job onto the newly created machine, boot up the machine and make sure it PXE boots into WinPE. It will now capture the image up to the eXpress share. NOTE: while I am using WinPE in this step, you can also use Linux PE, but for this step only. For distributing the image, we require 1.21 Jiggawatts, I mean, WinPE, to use the Microsoft utility, dism.exe, to inject the drivers and patches into the offline image.
(13) In order for patches to be automatically installed, we must create a share on our Symantec Management Platform Server (Altiris NS). So on the Notification Server with Patch Management installed, share the following directory, (Installed directories may vary, so change accordingly), C:\Program Files\Altiris\Patch Management\Packages\Updates, as Updates$
(14) Now that we have our image, we must start to create the directory structure for our drivers. So on the Deployment Server, create the following directory structure under the eXpress share. REMEMBER, Windows 7 looks for drivers recursively; therefore these names are not set in stone.
\HWII
\HWII\Windows7
\HWII\Windows7\ModelNum
\HWII\Windows7\ModelNum\audio
\HWII\Windows7\ModelNum\misc1
\HWII\Windows7\ModelNum\misc2
\HWII\Windows7\ModelNum\misc3
\HWII\Windows7\ModelNum\misc4
\HWII\Windows7\ModelNum\sec1
\HWII\Windows7\ModelNum\sec2
\HWII\Windows7\ModelNum\sec3
\HWII\Windows7\ModelNum\net
\HWII\Windows7\ModelNum\video
\HWII\Windows7\ModelNum\wnet
(15) Download all drivers and extract each into their appropriate model\type folder, as created above. NOTE - this step may have to be revisited if after imaging a machine, not all drivers are present. This is a cyclical step, to be repeated until all drivers are identified for each model of the Hardware Independent Image.
(16) We will now create a custom setupcomplete.cmd file in the \Sysprep folder of the eXpress share. You can also have a custom setupcomplete.cmd file for each model if need be; I did not require this in this example. If you do, you would have to modify the first script, REM Hardware Independent Script Portion. An example of the setupcomplete.cmd file is shown below,
C:\Windows\System32\msiexec.exe /qn /i C:\PostInstall\dagent.msi TCPADDR=192.168.1.212 TCPPORT=402 /norestart
(17) We will now create our job to distribute our Hardware Independent Image
(a) Create a Distribute Disk Image task, pointing to the image created in step 12. Make sure to pick Windows PE as the boot environment. Also, my suggestion is to use x86, as it is more reliable for drivers.
(b) Create a Run Script; with the following code (Also, pick the same Windows PE boot environment as step A). You will want to edit the following lines,
(i) conExpressShare, if you change the default share letter
(ii) conUNCPath, the \\NSServer\Updates$ share
(iii) conUserName, username with rights to the above share
(iv) conPassword, password for above username
(v) conType, depending on whether this is an x86 or x64 image
(vi) conTempDirectory – Temp folder on the conExpressShare Drive
'Update Image with Current Patches
'vbscript

' Declare Constants
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const conExpressShare = "F:"
Const conDismLocation = "WAIK\Tools_v2\Tools\x86\Servicing\dism.exe"
Const conUNCPath = "\\192.168.0.215\Updates$"
Const conLocalDrive = "P:"
Const conUserName = "NET\madmin"
Const conPassWord = "password"
Const conWinVersion = "Windows6.1"
Const conType = "x86"
Const conImageLocation = "D:"
Const conTempDirectory = "\Temp\"
Const conComputerID = "%ID%"

' Declare Variables
Dim objNetwork
Dim strComputer
Dim osShell
Dim intRC
Dim strDismCommand
Dim objFSO
Dim objFile
Dim objTextFile
Dim strFileLocation

strComputer = "."
Set osShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Per-computer batch file on the eXpress share, named after the DS computer ID
strFileLocation = conExpressShare & conTempDirectory & conComputerID & ".cmd"

' Check if File Exists
If objFSO.FileExists(strFileLocation) Then
    ' Delete File
    objFSO.DeleteFile strFileLocation

    ' Create File
    Set objFile = objFSO.CreateTextFile(strFileLocation)
Else
    ' Create File
    Set objFile = objFSO.CreateTextFile(strFileLocation)
End If

Set objFile = Nothing

' Open File For Writing
Set objTextFile = objFSO.OpenTextFile(strFileLocation, ForAppending, True)

' Map Drive to NS Patch Management Share
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive conLocalDrive, conUNCPath, "false", conUserName, conPassWord

' Recursively Search Directories for all Windows 7 Patches
' (.msu files whose name contains both conWinVersion and conType)
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * from CIM_DataFile where Drive= '" & conLocalDrive & "'" & _
    " AND Name Like ""%" & conWinVersion & "%""" & _
    " AND Name Like ""%" & conType & "%""" & _
    " AND Extension = 'msu'")

' Write one dism command per patch found into the batch file
For Each objFile in colFiles
    strDismCommand = conExpressShare & "\" & conDismLocation & " /Image:" & conImageLocation & "\" & " /Add-Package:" & conLocalDrive & objFile.Path
    objTextFile.WriteLine(strDismCommand)
Next

' Last line of the batch file disconnects the network drive
objTextFile.WriteLine("net use " & conLocalDrive & " /delete")
objTextFile.Close

' Run batch file to update image
Dim objPatchProcess
Set objPatchProcess = CreateObject("WScript.Shell")
intRC = objPatchProcess.Run("cmd /c " & strFileLocation, 0, 1)

' Release objects
Set objFile = Nothing
Set osShell = Nothing
(c) Create a Run Script, with the following code (Also, pick the same Windows PE boot environment as step A)
(i) This script will need to be modified in the REM Get Production Name section for your particular environment. You want to map the model that Altiris DS reports to the name of the folder where you stored that model's drivers. For example, an HP z200 Workstation is reported to Altiris as 0B40h. I have a folder named z200, so the script has to translate the model number into the folder name, as seen in the line, If %model%=="0B40h" set retrieve=z200
REM Hardware Independent Script Portion
REM Copy Dagent Installation to Drivers Share
mkdir D:\PostInstall
mkdir D:\PostInstall\Drivers
copy F:\Agents\AClient\dagent.msi D:\PostInstall\dagent.msi
REM Find Current Model
Set model="%#!computer@model_num%"
REM Get Production Name
If %model%=="3056" set retrieve=2140
If %model%=="1722" set retrieve=6540
If %model%=="30C0" set retrieve=6710b
If %model%=="30DD" set retrieve=6730b
If %model%=="09E8h" set retrieve=dc5100
If %model%=="0A60h" set retrieve=dc5700
If %model%=="2820h" set retrieve=dc5800
If %model%=="099C" set retrieve=6120
If %model%=="30AA" set retrieve=6320
If %model%=="30B1" set retrieve=tc4400
If %model%=="0B40h" set retrieve=z200
If %model%=="3048h" set retrieve=6000
REM Copy Over Needed Drivers
xcopy F:\HWII\Windows7\%retrieve% D:\PostInstall\Drivers /E /C /I /H /Y
REM Start Service Mode
F:\WAIK\Tools_v2\Tools\x86\Servicing\dism.exe /Image:D:\ /logpath:D:\PostInstall\dism.log /add-driver:D:\PostInstall\Drivers /recurse
REM Copy Over SetupComplete.CMD file
mkdir D:\Windows\Setup\Scripts
copy F:\Sysprep\setupcomplete.cmd D:\Windows\Setup\Scripts\setupcomplete.cmd
REM Tokenize Unattend File for Specialization Phase
REM ReplaceTokens .\Sysprep\unattend.xml .\Temp\%ID%.txt
REM Copy Unattend File for Specialization Phase
copy F:\Temp\%ID%.txt D:\Windows\Panther\unattend.xml /Y
(18) Add any additional tasks to install additional software. REMEMBER, as a best practice you don’t want anything in your base image, not even Microsoft Office; that way we never have to update this image, only the additional tasks. Then, for different software builds, we have a different job that starts with the same first 3 steps as this one, but then adds all the additional tasks to install the required software.
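The answer file built above carries the built-in Administrator password, a local account password and the domain-join credentials, and copies of it end up in \Sysprep and \Temp on the eXpress share and in D:\Windows\Panther on every imaged machine. The following is an added example, not part of the original article: a Python check that lists every credential element in an unattend.xml and whether it is stored in plain text. The sample answer file and all values in it are constructed placeholders; the element names are those of the Windows unattend schema.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample answer file; every value is a placeholder.
SAMPLE_UNATTEND = """
<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification>
    <Credentials>
     <Domain>EXAMPLE</Domain><Username>joinacct</Username>
     <Password>placeholder-join-secret</Password>
    </Credentials>
   </Identification>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts>
    <AdministratorPassword>
     <Value>placeholder-admin-secret</Value><PlainText>true</PlainText>
    </AdministratorPassword>
    <LocalAccounts><LocalAccount><Name>localuser</Name>
     <Password><Value>Q09OU1RSVUNURUQ=</Value><PlainText>false</PlainText></Password>
    </LocalAccount></LocalAccounts>
   </UserAccounts>
  </component>
 </settings>
</unattend>"""


def audit_unattend(xml_text):
    """Return (pass, component, element, kind) per credential; secrets are never returned."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.iter(NS + "settings"):
        for comp in settings.iter(NS + "component"):
            for el in comp.iter():
                name = el.tag.split("}", 1)[-1]
                if not name.endswith("Password"):
                    continue
                if el.find(NS + "Value") is not None:
                    # Value/PlainText pair; a missing PlainText flag is treated as
                    # plain text here (conservative assumption of this example).
                    flag = (el.findtext(NS + "PlainText") or "true").strip().lower()
                    # PlainText=false means base64: an encoding, not encryption.
                    kind = "base64-encoded" if flag == "false" else "plaintext"
                elif (el.text or "").strip():
                    kind = "plaintext"  # simple string, e.g. domain-join Credentials/Password
                else:
                    continue
                findings.append((settings.get("pass"), comp.get("name"), name, kind))
    return findings


if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE_UNATTEND):
        print("%s / %s / %s: %s" % finding)
```

Run it against \Sysprep\unattend.xml and the tokenized \Temp\%ID%.txt copies on the eXpress share; every hit is a credential that anyone with read access to that location can recover.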
Comments
Very good article!
Why is this so complicated? I'm using Microsoft Windows Deployment Server (integrated in Windows Server, no additional costs)
It's hardware independent, with R2 uses dynamic drivers + allows driver grouping, uses 2 GUI-creatable (WAIK) XML files for complete unattend (no scripts) and it's faster.
I wanted to change to DS for PC-transplant (not 64 bit compatible yet) but I need to script a lot to gain the same functionality.
It's a little bit frustrating buying a software to gain less comfort and features.
If you are using MS Deployment Server with Windows 7 and Sysprepping,
then most of the steps here also have to be done in MS Deployment Server.
Also MDS is considered Lite Touch..
Altiris can do it all for you from start to finish. Sort of a comparison to MS SCCM.
All of the Sysprep steps etc. are done but I never managed to install working .wim images with ADS even with Symantec Support GUI based. As an option would remain the script based install. I've seen on presentations working installations but unfortunately the scripts were consultant property.
With Altiris 7.1 and the release of PC Transplant x64 I'm going to retry the deployment, hoping for improvements.
First, I would just like to say,
Great job and appreciate you taking the time...
Do you happen to have a pdf version that would have higher quality screen shots? The connect tools don't scale screen shots so that they can be viewed large enough. You get my thumbs up and I appreciate the time you took to put this together.
If you find this post helpful please give it a thumbs up!
If you find that this solves your problem please mark it as the solution!
Since I'm not incredibly script savvy, I couldn't tell if the script looked for patches based on architecture? You just say patches for Windows 7... will it look for x64 patches if the base image is x64 and x86 if the base image is x86?
Oh, also, are you capturing the image using RDeploy, ImageX or Ghost?
Sorry, guess that's 2 questions. :-)
---> i'm no stranger to slack, but i'm not a slacker
The script I created looks to see if it is an x86 or x64 box and applies the appropriate patches
Thanks,
David Ramazetti
XCEND Group
Great article... I've followed your steps and I'm at the part where I've imaged down the Win7 image to the computer and it is running through the steps. It errors out during applying system settings with this error....
"Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for components [Microsoft-Windows-Shell-Setup]."
I've looked at my unattend.xml file and everything looks good. Any help would be appreciated.
thanks...
Virgil C. Palisoc City of San Diego | San Diego Police Department | Data Systems Unit Information Systems Analyst III | Altiris Administrator Ph: 619-531-2229 Fax: 619-531-2101 email: vpalisoc@pd.sandiego.gov
Just out of curiosity, are you able to view your unattend.xml file in, say, Internet Explorer? This will verify it is formatted correctly and no errors exist. If that works, then what I usually do is create an unattend.xml file with the bare minimum. Say just hard code the machine name, see if that works. Then put the rest back one at a time to find out what is causing the issue. I have had weird things in the past because of something I added in the unattend.xml file.
Thanks,
David Ramazetti
XCEND Group
Hi, this is a good article; however I have a few comments.
Integrating Windows updates using DISM
Looks like you are deploying the image to your target PC and applying updates to an offline image (before the PC boots to Windows for the first time) on the actual target PC.
Doesn’t it add a bit more time to actual image deployment?
And because you DISM updates to every single PC you image, doesn’t it increase the chance of an update not installing correctly?
It all depends on your workstation patching policy, but wouldn’t it be easier to actually modify the image before deployment and then just deploy the updated image? It will require an additional manual task, but it can also be scripted and run after you have staged new updates with Patch Management.
Drivers on Windows 7
Working with drivers I have found that running dpinst.exe from the network location gives me better results and allows me to update drivers later at any time (as a task from DS or NS).
At the end of the day one will use a particular set of tools depending on his environment, but what makes a great help is articles and forums like this.
To RichC
conType is the search parameter for x86
Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK
Step #11 seems incorrect, the command would have to be C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown unless you copied the contents of the Sysprep folder out to %windir%\system32
This is a great step by step article. Very helpful. I have everything working well with one exception. When I log into any machine for the first time, it prompts me to select a network location. I have "work" identified in the unattend.xml file but it still prompts me to select the location the first time I log in.
Any Suggestions??
Thanks
Hi there,
There is a hot fix available for this problem, have a look at KB 2028749 on Microsoft website:
http://support.microsoft.com/kb/2028749
You just need to apply this to your WIM....instructions will tell you how.
Cheers,
Did anyone get better screen shots for this? I am having a really hard time reading them.
Hi All,
Excuse my lack of knowledge in terms of Windows 7 deployments, I'm just wondering what is the C:\Windows\Panther directory for? Also why do we need to copy the unattend.xml file to this directory? Why not the C:\Windows\System32\Sysprep\ folder instead?
Thanks,
Ajay
We are getting "Error with token replacement in embedded script" when running:
REM Hardware Independent Script Portion
REM Copy Dagent Installation to Drivers Share
mkdir D:\PostInstall
mkdir D:\PostInstall\Drivers
copy F:\Agents\AClient\dagent.msi D:\PostInstall\dagent.msi
REM Find Current Model
Set model="%#!computer@model_num%"
REM Get Production Name
If %model%=="0K0DNP" set retrieve=E6420
If %model%=="0NVF5K" set retrieve=E6520
If %model%=="01MCMN" set retrieve=E6320
REM Copy Over Needed Drivers
xcopy F:\HWII\Windows7\%retrieve% D:\PostInstall\Drivers /E /C /I /H /Y
REM Start Service Mode
F:\WAIK\Tools_v2\Tools\x86\Servicing\dism.exe /Image:D:\ /logpath:D:\PostInstall\dism.log /add-driver:D:\PostInstall\Drivers /recurse
REM Copy Over SetupComplete.CMD file
mkdir D:\Windows
mkdir D:\Windows\Setup
mkdir D:\Windows\Setup\scripts
copy F:\Sysprep\setupcomplete.cmd D:\Windows\Setup\Scripts\setupcomplete.cmd
REM Tokenize Unattend File for Specialization Phase
REM ReplaceTokens
.\Sysprep\unattend.xml .\Temp\%ID%.txt
REM Copy Unattend File for Specialization Phase
copy F:\Temp\%ID%.txt D:\Windows\Panther\unattend.xml /Y
Anyone have any thoughts?
Thanks.
Keep it up man, articles like this are what keep us pushing forward.
Hello,
I followed the same procedure for Windows 7 deployment. I face an issue. After completing the image distribution task, the system reboots and the next step for setupcommand is not loading. Could anyone please let me know what might be the issue?
Regards
Srivas
Srivas - I ran into the same problem. Add a "Wait" task just after the image distribution task (between these two tasks). This will do the trick (at least for me).