Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Creating a Windows 7 Self Updating Hardware Independent Image Using Deployment Solution 6.9sp4 and Symantec Management Platform 7.X

Created: 28 Sep 2010 • Updated: 05 Nov 2010 | 20 comments
Language Translations
daveram's picture
+19 19 Votes
Login to vote

Prerequisites:

  • Symantec Deployment Solution v6.9sp4 Installed
  • PXE Server and DHCP Server Running Correctly in your environment
  • WIN PE as PXE Option
  • Windows 7 WAIK Installed on Machine other than Deployment Server
  • Symantec Notification Server 7.X with Patch Management Solution Installed

 

Links:

     Windows 7 AIK - http://www.microsoft.com/downloads/en/details.aspx...

 

REMEMBER, test imaging first without any patches. Once that is working correctly add patches as needed. As certain patches can break an image (Not permanently, just will have to be removed from the Updates$ share)

 

Steps:

  1. Install Windows 7 WAIK from Microsoft’s site onto any Windows XP/Vista or 7 client box.
  2. Create a folder on the Deployment Server eXpress share under WAIK folder called Tools_v2
  3. Copy the contents of the following directory, C:\Program Files\Windows AIK\, on the client machine to the WAIK directory, renaming the folder Tools_v2.
  4. Install the version of Windows 7 on a system, to create our base image.
  5. Patch to the latest level (However, this will be the last time we have to update the image, as after this point, after the image is laid down, all enabled patches will be installed, no more quarterly security updates J)
  6. Modify all settings in the user profile to how you would like the default user profile to look like. Remember, we can change a lot of these after the fact. However, we would like to get it to as close as possible of what we want the end result to look like. REMEMBER; do not install either the dagent or the NS agent. We will do this post imaging, via the SetupComplete.cmd file (formerly known as cmdlines.txt). Now onto creating our unattend.xml file (formerly known as sysprep.inf)
  7. On the client machine with the Windows 7 AIK installed, insert your Windows 7 DVD and Launch Windows System Image Manager. We will now create our unattend.xml file (formerly known as sysprep.inf). DO NOT install the WAIK on the computer you are making the Windows 7 Image on.
  8. The main areas of the unattend.xml file we are concerned with are,

               Generalize (Phase 3)

               Specialize (Phase 4)

               Out of the Box Experience, also known as OOBE (Phase 7)

 

Fig 1. Opening Windows System Image Manager

Fig 2. Adding Windows install.wim image

Fig 3. Choosing Windows 7 Image Type (Should be either Enterprise or Professional)

Fig 4. Create a New Answer File

Fig 5. Disable workstation from becoming a network browser

Fig 6. Disable workstation from becoming a network browser

Fig 7. Configuring Language Settings

Fig 8. Configuring Language Settings

Fig 9. Configuring Language Settings

Fig 10. Configuring Computer Name and Company Information

Fig 11. Configuring Computer Name and Company Information – Also put in KMS/MAK Key

Fig 12. Disabling EULA and configuring Network Updates and Location

Fig 13. Disabling EULA and configuring Network Updates and Location

Fig 14. Configuring Built In Administrator Accounts Password

Fig 15. Configuring Built In Administrator Accounts Password

Fig 16. Configuring Additional User Account (Required)

Fig 17. Configuring Additional User Account (Required)

Fig 18. Configuring Additional User Account (Required)

Fig 19. Enabling Remote Desktop

Fig 20. Enabling Remote Desktop

Fig 21. Enabling Automatic Domain Join for Computer Account

Fig 22. Enabling Automatic Domain Join for Computer Account

Fig 23. Enabling Automatic Domain Join for Computer Account

Fig 24. Enabling Automatic Domain Join for Computer Account

Fig 25. Configure Language for OOBE Settings

Fig 26. Configure Language for OOBE Settings

Fig 27. Configure Timezone for OOBE

Fig 28. Saving unattend.xml file to Desktop –Ignore warnings, as these are settings we did not set.

Note:

Phase 1 (WinPE) is not used, as the PXE Boot Disk Creator is what replaces this.

Phase 2 (Service Mode) is no longer used; this was for Windows Vista driver injection.

Phase 5 (auditSystem) is for adding drivers the old fashion way, putting them in a directory. However, requires another sysprep command after it boots into audit mode. Thus requiring the Altiris dagent to be installed into the image

Phase 6 (auditUser) see above.

 

(9) Copy the unattend.xml file to the Windows 7 Base Image Machine, C:\Windows\System32\Sysprep\unattend.xml

(10) Copy the unattend.xml file to the eXpress Share\Sysprep\unattend.xml.

(11) Run the command, C:\Windows\System32\Sysprep /generalize /oobe /shutdown. After the computer is shutdown, Create a new machine in the Altiris DS console using the primary lookup key, in most cases specifying the MAC address, as follows,

 

(12) Now create a “Create Disk Image” job to capture the image we have now created. Drag and drop this job onto the newly created machine, boot up the machine and make sure it PXE boots into WinPE. It will now capture the image up to the eXpress share. NOTE, while I am using WinPE in this step, you can also use Linux PE also but for this step only. For distributing the image, we require 1.21 Jiggawatts, I mean, WinPE, to use the Microsoft utility, dism.exe, to inject the drivers and patches into the offline image.

(13) In order for patches to be automatically installed, we must create a share on our Symantec Management Platform Server (Altiris NS). So on the Notification Server with Patch Management installed, share the following directory, (Installed directories may vary, so change accordingly), C:\Program Files\Altiris\Patch Management\Packages\Updates, as Updates$

(14) Now that we have our image, we must start to create the directory structure for our drivers. So on the Deployment server; create the following directory structure under the eXpress share. REMEMBER, Windows 7 looks for drivers’ recursively; therefore these names are not built in stone.

\HWII

\HWII\Windows7

\HWII\Windows7\ModelNum

\HWII\Windows7\ModelNum\audio

\HWII\Windows7\ModelNum\misc1

\HWII\Windows7\ModelNum\misc2

\HWII\Windows7\ModelNum\misc3

\HWII\Windows7\ModelNum\misc4

\HWII\Windows7\ModelNum\sec1

\HWII\Windows7\ModelNum\sec2

\HWII\Windows7\ModelNum\sec3

\HWII\Windows7\ModelNum\net

\HWII\Windows7\ModelNum\video

\HWII\Windows7\ModelNum\wnet

(15) Download all drivers and extract each into their appropriate model\type folder, as created above. NOTE - this step may have to be revisited if after imaging a machine, not all drivers are present. This is a cyclical step, to be repeated until all drivers are identified for each model of the Hardware Independent Image.

(16) We will now create a custom setupcomplete.cmd file, in the express share, \Sysprep folder. You can also have custom setupcomplete.cmd files for each model, if need be. However, in this example, I did not require this. If this is the case, you would have to modify the first script, REM Hardware Independent Script Portion. An example of the setupcomplete.cmd file is shown below,

 

C:\Windows\System32\msiexec.exe /qn /i C:\PostInstall\dagent.msi TCPADDR=192.168.1.212 TCPPORT=402 /norestart

 

(17) We will now create our job to distribute our Hardware Independent Image

  (a)Create a Distribute Disk Image, pointing to the image created in step 12. Make sure to pick Windows PE as the boot environment. Also, my suggestion is to use x86, as it is more reliable for drivers.

  (b) Create a Run Script; with the following code (Also, pick the same Windows PE boot environment as step A). You will want to edit the following lines,

    (i) conExpressShare, if you change the default share letter

    (ii) conUNCPath, the \\NSServer\Update$share

    (iii) conUserName, username with rights to the above share

    (iv) conPassword, password for above username

    (v) conType, for if this is a x86 or x64 image

    (vi) conTempDirectory – Temp folder on the conExpressShare Drive

 

'Update Image with Current Patches

'vbscript

 

' Declare Constants

Const ForReading = 1

Const ForWriting = 2

Const ForAppending = 8

Const conExpressShare = "F:"

Const conDismLocation = "WAIK\Tools_v2\Tools\x86\Servicing\dism.exe"

Const conUNCPath = "\\192.168.0.215\Updates$"

Const conLocalDrive = "P:"

Const conUserName = "NET\madmin"

Const conPassWord = "password"

Const conWinVersion = "Windows6.1"

Const conType = "x86"

Const conImageLocation = "D:"

Const conTempDirectory = "\Temp\"

Const conComputerID = "%ID%"

 

' Declare Variables

Dim objNetwork

Dim strComputer

Dim osShell

Dim intRC

Dim strDismCommand

Dim objFSO

Dim objFile

Dim objTextFile

Dim strFileLocation

 

strComputer = "."

Set osShell = CreateObject("WScript.Shell")

Set objFSO = CreateObject("Scripting.FileSystemObject")

strFileLocation = conExpressShare & conTempDirectory & conComputerID & ".cmd"

 

' Check if File Exists

If objFSO.FileExists(strFileLocation) Then

                ' Delete File

                objFSO.DeleteFile strFileLocation            

 

                ' Create File

                Set objFile = objFSO.CreateTextFile(strFileLocation)

Else

                ' Create File

                Set objFile = objFSO.CreateTextFile(strFileLocation)

End If

 

Set objFile = Nothing

 

' Open File For Writing

Set objTextFile = objFSO.OpenTextFile(strFileLocation, ForAppending, True)

 

' Map Drive to NS Patch Management Share

Set objNetwork = CreateObject("WScript.Network")

objNetwork.MapNetworkDrive conLocalDrive, conUNCPath, "false", conUserName, conPassWord

 

' Recursively Search Directorys for all Windows 7 Patches

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colFiles = objWMIService.ExecQuery("Select * from CIM_DataFile where Drive= '" & conLocalDrive & "'" & " AND Name Like ""%" & conWinVersion & "%""" & " AND Name Like ""%" & conType & "%""" & " AND Extension = 'msu'")

 

' Run dism to apply all Windows 7 Patches

For Each objFile in colFiles

                strDismCommand = conExpressShare & "\" & conDismLocation & " /Image:" & conImageLocation & "\" & " /Add-Package:" & conLocalDrive & objFile.Path

                objTextFile.WriteLine(strDismCommand)

Next

 

' Run batch file to update image

objTextFile.WriteLine("net use " & conLocalDrive & " /delete")

objTextFile.Close

 

Dim objPatchProcess

Set objPatchProcess = CreateObject("WScript.Shell")

intRC = objPatchProcess.Run("cmd /c " & strFileLocation, 0, 1)

 

' Disconnect Network Drive

Set objFile = Nothing

Set osShell = Nothing

  (c) Create a Run Script, with the following code (Also, pick the same Windows PE boot environment as step A)

    (i) This script will need to be modified in the REM Get Production Name section for your particular environment. You want to map the model that Altiris DS gets to the name of the folder you stored all that models drivers. i.e. A HP z200 Workstation is reported to Altiris as 0B40h. Therefore, I have a folder named z200, but the script has to change the model number to the folder number. As seen in the line, If %model%==”0B40h” set retrieve=z200

 

REM Hardware Independent Script Portion

 

REM Copy Dagent Installation to Drivers Share

mkdir D:\PostInstall

mkdir D:\PostInstall\Drivers

copy F:\Agents\AClient\dagent.msi D:\PostInstall\dagent.msi

 

REM Find Current Model

Set model="%#!computer@model_num%"

 

REM Get Production Name

If %model%=="3056" set retrieve=2140

If %model%=="1722" set retrieve=6540

If %model%=="30C0" set retrieve=6710b

If %model%=="30DD" set retrieve=6730b

If %model%=="09E8h" set retrieve=dc5100

If %model%=="0A60h" set retrieve=dc5700

If %model%=="2820h" set retrieve=dc5800

If %model%=="099C" set retrieve=6120

If %model%=="30AA" set retrieve=6320

If %model%=="30B1" set retrieve=tc4400

If %model%=="0B40h" set retrieve=z200

If %model%=="3048h" set retrieve=6000

 

REM Copy Over Needed Drivers

xcopy F:\HWII\Windows7\%retrieve% D:\PostInstall\Drivers /E /C /I /H /Y

 

REM Start Service Mode

F:\WAIK\Tools_v2\Tools\x86\Servicing\dism.exe /Image:D:\ /logpath:D:\PostInstall\dism.log /add-driver:D:\PostInstall\Drivers /recurse

 

REM Copy Over SetupComplete.CMD file

mkdir D:\Windows\Setup\Scripts

copy F:\Sysprep\setupcomplete.cmd D:\Windows\Setup\Scripts\setupcomplete.cmd

 

REM Tokenize Unattend File for Specialization Phase

REM ReplaceTokens .\Sysprep\unattend.xml .\Temp\%ID%.txt

 

REM Copy Unattend File for Specialization Phase

copy F:\Temp\%ID%.txt D:\Windows\Panther\unattend.xml /Y

 

(18) Add any additional tasks to run to install additional software. REMEMBER, if you want best practices, you don’t want anything in your base image. Even Microsoft Office, as then we never have to update this image, only the additional task. Then for different software builds, we have a different job that starts off with the same 3 first steps of this, but then adds all the additional tasks to install all the required software.

Comments 20 CommentsJump to latest comment

mRizz's picture

Why is this so complicatetd? I'm using Microsoft Windows Deployment Server ( integrated in Windows Server, no additional Costs)

Its Hardware independent, with R2 uses dynamic Driver +allows Driver grouping, uses 2 GUI creatable (WAIK) XML Files for complete unattend (no scripts) and its faster.

 

I wanted to change to DS for PC-transplant (not 64 bit compatible yet) but I need to script a lot to gain the same functionaltity.

Its a little bit frustrating buying a software to gain less comfort and features.

0
Login to vote
dbunch's picture

If you are using MS  Deployment Server with Windows 7 and Sysprepping,

than most of the steps here, also have to be done in MS Deployment Server.

 

Also MDS is considered Lite Touch..

 

Altiris can do it all for you from start to finish.    Sort of a comparison to MS  SCCM.

 

0
Login to vote
mRizz's picture

All of the Sysprep steps ect are done but i never managed to install  working .wim images with ADS even with Symantec Support Gui based. As an Option wouldremain the script based install. I'v seen on Presentations working Installations but unfortunately the scripts were consultant property.

 

With Altiris 7.1 an The Release of PC Transplant x64 I'm going to retry the Deployment, hoping in improvements.

-1
Login to vote
dbunch's picture

First, I would just like to say,  

Great job and appreciate you taking the time...

I just have one small request....
 
I can barely make out the pictures, that you attached...
Is there something, I can do to make them clearer.
+1
Login to vote
ICHCB's picture

Do you happen to have a pdf version that would have higher quality screen shots?  The connect tools don't scale screen shots so that they can be viewed large enough.    You get my thumbs up and I appreciate the time you took to put this together.

If you find this post helpful please give it a thumbs up!
If you find that this solves your problem please mark it as the solution! 

0
Login to vote
RichC's picture

Since i'm not incredibly script saavy, I couldn't tell if the script looked for patches based on architecture?  You just say patches for Windows 7...will it look for x64 patches if the base image is x64 and x86 if the base image is x86?

Oh, also, are you capturing the image using RDeploy, ImageX or Ghost? 

Sorry, guess that's 2 questions.  :-)

--->    i'm no stranger to slack, but i'm not a slacker

0
Login to vote
daveram's picture

The script I created looks to see if it is an x86 or x64 box and applies the appropriate patches

 

Thanks,

  David Ramazetti

  XCEND Group

0
Login to vote
vpalisoc's picture

Great article...i've followed your steps and i'm at the part where i've imaged down the Win7 image to the computer and it is running through the steps.  It errors out during applying system settings with this error....

"Windows could not parse or process the unattend answer file for pass [specialize].  The settings specified in the answer file cannot be applied.  The error was detected while processing settings for components [Microsoft-Windows-Shell-Setup]."

I've looked at my unattend.xml file and everything looks good.  Any help would be appreciated.

 

thanks...

Virgil C. Palisoc City of San Diego | San Diego Police Department | Data Systems Unit Information Systems Analyst III | Altiris Administrator Ph: 619-531-2229 Fax: 619-531-2101 email: vpalisoc@pd.sandiego.gov

0
Login to vote
daveram's picture

Just out of curiousity, are you able to view your unattend.xml file in say internet explorer? This will verify it is formatted correctly and no errors exist. If that works, then what I usually do, is create an unattend.xml file with the bare minimum. Say just hard code the machine name, see if that works. Then put the rest back one at a time to find out what is causing the issue. I have had weird things in the past because of something I added in the unattend.xml file.

 

Thanks,

   David Ramazetti

   XCEND Group

0
Login to vote
Andrey Shipov's picture

Hi, this is a good article; however I have a few comments.

Integrating Windows updates using DISM

Looks like you are deploying the image to your target PC and apply updates to an offline image (before PC boots to windows for the first time) on the actual target PC.

Doesn’t it add a bit more time to actual image deployment?

And because you DISM updates to the every single PC you image, doesn’t increase a chance of an update not installing correctly?

It all depends on your workstation patching policy, but wouldn’t it be easier to actually modify the image before deployment and then just deploy updated image. It will require and additional manual task, but it can also be scripted and run after you have staged new updates with Patch Management.

Drivers on Windows 7

Working with drivers I have found that running dpinst.exe from the network location gives me better results and allows me to update drivers later at any time (as a task from DS or NS).

 

By the end of the day one will use particular set of tools depending on his environment, but what makes a great help is articles and forums like this.

 

To RichC

conType is the search parameter for x86

 

 

Andrey Shipov

Manchester, UK

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

+1
Login to vote
dfnkt_'s picture

Step #11 seems incorrect, the command would have to be C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown unless you copied the contents of the Sysprep folder out to %windir%\system32

0
Login to vote
paul.mahoney's picture

This is a great step by step article.  Very helpful.  I have everything working well with one exception.  When I log into any machine for the first time, it prompts me to select a network  location.  I have "work" identified in the unattend.xml file but it still prompts me to select the location the first time I log in.

 

Any Suggestions??

 

Thanks

0
Login to vote
ajay_gulani's picture

Hi there,

There is a hot fix available for this problem, have a look at KB 2028749 on Microsoft website:

http://support.microsoft.com/kb/2028749

You just need to apply this to your WIM....instructions will tell you how.

Cheers,

 

 

+1
Login to vote
lsattan's picture

did anyone get better screen shots to this? I am having a really hard time reading them

0
Login to vote
ajay_gulani's picture

Hi All,

Excuse my lack on knowledge in terms of Windows 7 deployments, I'm just wondering what is the C:\Windows\Panther directory for? Also why do we need to copy the unattend.xml file to this directory? why not the C:\Windows\System32\Sysprep\ folder instead?

 

Thanks,

Ajay

 

0
Login to vote
sjbend's picture

We are getting "Error with token replacement in embedded script" when running:

REM Hardware Independent Script Portion

REM Copy Dagent Installation to Drivers Share

mkdir D:\PostInstall

mkdir D:\PostInstall\Drivers

copy F:\Agents\AClient\dagent.msi D:\PostInstall\dagent.msi

REM Find Current Model

Set model="%#!computer@model_num%"

REM Get Production Name
If %model%=="0K0DNP" set retrieve=E6420

If %model%=="0NVF5K" set retrieve=E6520

If %model%=="01MCMN" set retrieve=E6320

REM Copy Over Needed Drivers

xcopy F:\HWII\Windows7\%retrieve% D:\PostInstall\Drivers /E /C /I /H /Y

REM Start Service Mode

F:\WAIK\Tools_v2\Tools\x86\Servicing\dism.exe /Image:D:\ /logpath:D:\PostInstall\dism.log /add-driver:D:\PostInstall\Drivers /recurse

REM Copy Over SetupComplete.CMD file

mkdir D:\Windows

mkdir D:\Windows\Setup

mkdir D:\Windows\Setup\scripts
copy F:\Sysprep\setupcomplete.cmd D:\Windows\Setup\Scripts\setupcomplete.cmd

REM Tokenize Unattend File for Specialization Phase

REM ReplaceTokens
.\Sysprep\unattend.xml .\Temp\%ID%.txt

REM Copy Unattend File for Specialization Phase

copy F:\Temp\%ID%.txt D:\Windows\Panther\unattend.xml /Y

Anyone have any thoughts?

Thanks.

0
Login to vote
toca's picture

keep it up man, articles llike this is what keeps us pushing forward

0
Login to vote
srivastcha's picture

Hello,

I followed the same procedure for windows 7 deployment. I face any issue. After completing the image distribution task, system reboots and the next step for setupcommand is not loading. Could any one please let me know what might be the issue

 

Regards

Srivas

0
Login to vote
gunnari's picture

Srivas - I run into same problem. Add "Wait" -task just after image distribution task (between these two tasks). This will do the trick (atleast for me).

0
Login to vote