
Windows 7 Image Deployment with Deployment Solution 6.9 SP4

Created: 23 Jun 2011 • Updated: 23 Jun 2011 | 27 comments
Andrey Shipov

Introduction

We are well on the way with Windows 7 deployment to our client computers, but it took us quite a bit of time to get our image deployment process working the way we wanted across the diverse computer hardware and software we have.
In this article I will share my experience with Windows 7 image deployment and explain the reasoning behind the decisions I made at different stages of deployment.
This article is based on Deployment Solution 6.9 SP4 and Windows 7 Ent x86 SP1.
This is by no means a universal guide, but hopefully it will help you build a working solution for your environment. This is a long read, so please take your time.
I have tried to explain every step, so it will be easier to follow if you replicate my settings in your environment.  All referenced files are attached in the correct folder layout (see mydata.rar).
There are a few articles on Symantec Connect covering different parts of Windows 7 deployment, but I wanted to create an article that helps someone from start to finish.

We currently run Deployment Server 6.9 SP4.
We use DS purely for image deployment and initial installation of standard applications.
We use NS for everything else, as it offers a great deal of flexibility and feedback.
For simplicity I will talk about an environment with a single deployment server. In future articles I will show how we configured our Deployment Servers across multiple sites.

In this article I will talk about:

Part 1: Configuring DS for Windows 7 deployment

Configure WinPe preboot

Create additional folder \MYDATA in the express folder

Part 2 Create Master Windows 7 image

Imaging tool

Single image

Imaging process logic

Building the master image

Create Image with Deployment Server task

Part 3  Sysprep answer file (unattend.xml)

Part 4 Image deployment

Part 5 Drivers installation: LAN and other devices

 

 Part 1: Configuring DS for Windows 7 deployment

I assume you already have your deployment server built and configured. Below are the additional changes I have done to DS for Windows 7 deployment.

Configure WinPe preboot

When configuring WinPE, make sure that your express share is mapped to a letter such as Z, so there are no conflicts later when WinPE assigns drive letters to a hard disk with multiple partitions.
We use Altiris WinPE 2.1 (shipped with DS 6.9 SP4) for production image deployment and DOS for tasks we perform manually.
Please note that WinPE 2.1 is based on Windows Vista, so any additional drivers for WinPE will have to be Vista drivers (if Windows 7 drivers don’t work).

Install WinRAR

WinRAR creates self-extracting archives and can extract the contents of compressed driver packages without installing the actual driver.  You can try 7-Zip, but WinRAR is my preferred tool.

Create additional folder \MYDATA in the express folder

I use this folder to store image files, software packages, executables, scripts and drivers. It keeps all my custom data in one location, which I can replicate and back up or restore very easily.
The MYDATA folder looks like this:

Agents

In this folder I have all the executables and configuration files for my environment. I deliberately put them here, so I can guarantee consistency of the deployed agents and use the same deployment job on other Deployment Servers.

dagent.bat: script to install DAgent during sysprep.
The listing is below; I will show where it is used later.

mkdir "C:\Program Files\Altiris\Dagent"
xcopy C:\Windows\Source\aclient.inp "C:\Program Files\Altiris\Dagent\"
msiexec.exe /i "C:\WINDOWS\Source\dagent.msi" /qb
exit

where
dagent.msi: DAgent installation file, shipped with the DS
dagent.inp: configuration file for the DAgent installation (copied to the target as aclient.inp in Task 04). There is a specific file for each Deployment Server; they differ only in the DS IP address.
Please find an example attached.
Folders are named to reflect the DS NetBIOS name, so we can use the token %DSSERVER% later.
It is possible to have one template dagent.inp file and then tokenize it; I just have not done it yet.

DISM

The DISM utility is located in the WAIK installation folder (Program Files\Windows AIK\Tools\Servicing). I use it to integrate updates, and it can also be used to pre-stage drivers into an offline Windows 7 image. I have copied the Servicing folder and renamed it to DISM.

You can find WAIK here
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696DD665-9F76-4177-A811-39C26D3B3B34
You can find more information about using DISM for drivers integration here
http://technet.microsoft.com/en-us/library/dd744355%28WS.10%29.aspx
Link below is for using DISM to add packages
http://technet.microsoft.com/en-us/library/dd744559%28WS.10%29.aspx

Drivers

Here we store drivers for the client computers in production.
All drivers are stored per OS\Model.
Each model is a folder and each driver is in an individual subfolder.

You need to download drivers from the manufacturer's web site; they usually come as *.exe files.
Unpack all *.exe files using WinRAR. Do not put LAN drivers in here; more on this in part 5.

I have also copied firm.exe (Windows x86 version) from .\eXpress\RDeploy\Windows to the root of the Drivers folder. I use firm to copy files to a target computer while in WinPE, as it is more reliable than the copy command. Dpinst.exe and dpinst.xml are here also.

Images

Image files we deploy to the client computers, each image is in an individual folder.

Packages

All software packages we deploy as part of provisioning.

Sysprep

All sysprep files templates used in production.

Part 2 Create Master Windows 7 image

Imaging tool

Before we start with image creation, we need to choose an appropriate tool.

Altiris provides a choice of different technologies for image capture and deployment.

  • RDeploy: captures the whole disk and preserves all existing partitions; supports multicast out of the box
  • ImageX: Microsoft tool; captures only a single partition at a time and requires a bit of scripting to marry together different partitions. You will also have to use scripts to fix the MBR
  • Ghost: captures the whole disk and preserves all existing partitions; NO native multicast support from DS (requires additional scripting)
     

The choice will depend on the goals you want to achieve with the image deployment.
We had the following requirements in our environment

  • Windows 7 Enterprise 32 bit
  • Bit Locker ready
  • Single production partition
  • Single image for various vendors, but all Intel based client computers hardware
  • Use of Bluetooth or finger print sensors is prohibited
  • Easy scalable for different business units software requirements
  • Reduce network load caused by image deployments

Only one tool could allow us to achieve the above requirements: RDeploy with enabled multicast.

Single image

Windows 7 is hardware independent by design, and a syspreped image can be deployed to any hardware with the same architecture, such as: x86 or AMD, etc.
As a test, I have successfully deployed the Intel based Windows 7 image to an AMD based Dell laptop and it is working fine; however, it looks like this is more a miss than a hit. I have seen some articles on the internet where people do some registry hacking to make the same image work on Intel and AMD hardware. I have never tried it, but believe it is possible.

Imaging process logic

Based on the requirements we have decided to split the imaging process in to two logical parts

1 Image deployment

o   Image to have no software
o   Computer is not part of the domain
o   No specific drivers installed or available in the image
o   No Windows updates
o   Altiris agent is installed during the sysprep stage

2 Software Deployment

o   All software is installed from Deployment Server as additional tasks\jobs.
It allows us to manage application deployment and upgrade to new versions with minimum engineer time
o   Computer is joined to domain

After reviewing the list of software we have to deliver, we found that some software cannot be installed silently and will have to be integrated into the image (CISCO CTIOS for example).

Building the master image

Image deployment is faster and more consistent compared to scripted OS installation.
So, first of all you need to create the master image: the image that you will deploy to all client computers later.
You can be creative with your image building, as long as you can guarantee a consistent final result.
You can use the Deployment Server scripted OS installation task or do it manually.
We decided to build our master image manually, because we still had to make some changes after the scripted OS installation and we wanted to keep the master computer off the network.

Master image build check list

Source the latest models of the Client PC
Source the right OS DVD media: Windows 7 Enterprise 32 SP1

Install Windows 7 from DVD with:
NB DO NOT CONNECT PC TO A NETWORK DURING IMAGE PREPARATION

o   Install Windows to a 20480 MB partition (DS is better at expanding than shrinking partitions)
o   Keep the 100 MB reserved partition
o   User Account: RAW7
o   Check PC name: RAW7PC, no password
o   Windows updates: ask me later
o   Enable the Local Admin account in users’ accounts, no need for password
(or use command [net user administrator /active:yes] from cmd as admin)

o   Login as local Admin
o   Delete the RAW7 user account and delete the RAW7 user profile from the hard disk
o   Reboot
o   Show extensions of known file types
o   Show Empty Drives in explorer
o   Check Regional Settings (UK in my case)
o   Disable Firewall
o   Set paging file to: system managed
o   Leave Windows updates as default (will be set by GPO)
o   Create folder C:\Windows\Source\ - this is a local source for installation files
o   Change registry key to point to a local source for LAN drivers
HKLM\Software\Microsoft\Windows\CurrentVersion   Key:DevicePath
%SystemRoot%\inf;%SystemRoot%\Source\LANDRV
more on this in the Drivers section

o   Enable telnet
run in cmd: dism /online /Enable-Feature /FeatureName:TelnetClient

o   Install any “pain” software

·         Prepare PC to be syspreped

o   Reboot
o   Login as local Admin
o   Run sysprep.exe from %systemdrive%\Windows\System32\sysprep
with: OOBE, generalize, shutdown

So, now you have a syspreped computer and need to capture the image for distribution.
You have two choices:

  1. Use the Deployment Server task: Create Disk Image
  2. Do it manually from the DOS or WinPE pre-boot environment (WinPE will require a wait task to be run against the machine)

 

Create Image with Deployment Server task

  • Create a computer account in DS for master image machine and make sure network card is set to the first boot device in BIOS
  • Create new Job
  • Add new task: Create Disk Image
  • Use RDeploy.exe
  • Do not boot to windows option is ticked
  • Prepare using Sysprep is NOT ticked (we will inject custom sysprep file later)
  • Run the job against your syspreped master computer and make sure computer boots from network card

Advanced options should be set like this:

  • Maximum file size: 2.0GB
  • Compression: Balanced for Size and Speed

Part 3  Sysprep answer file (unattend.xml)

The Windows 7 sysprep process is completely different from the XP sysprep process.
The biggest differences are:

  • Different file name: Unattend.xml
  • Different file location: Windows\Panther\Unattend.xml

There are quite a few articles about how to make a sysprep file for Windows 7:
http://technet.microsoft.com/en-us/library/dd744263%28WS.10%29.aspx

https://www-secure.symantec.com/connect/articles/creating-windows-7-self-updating-hardware-independent-image-using-deployment-solution-69sp4

http://www.rt7lite.com/downloads.html

http://www.symantec.com/connect/articles/what-are-system-variable-tokens-used-deployment-solution-and-can-be-inserted-sql-scripts

I am not going to spend much time on how to make it, but will show what we have done with it and how it works for us.
We use sysprep for the following:

  • Install DAgent
  • Skip Auto Activation
  • Set Computer name and product key
  • Set regional settings
  • System Restore disabled
  • Windows defender disabled

Details are below

General view of used components

Install DAgent

dagent.bat listing is above in part 1

Activate local administrator account and set password for it

You need to type the local administrator password, and it will be encrypted once you save the answer file.
 


 

Skip Auto Activation

Set Computer name and product key

We use the token %COMPNAME%, which is replaced with the real computer name dynamically in production.
We use a KMS server to activate all our Windows 7 computers. The Product Key used in the sysprep file is the key that tells the computer that it’s running Windows 7 Ent and needs to go and find the local KMS server to activate Windows.
Keys can be found here
http://technet.microsoft.com/en-us/library/ff793421.aspx

Set Regional settings

UK in my case

Registered Organization:     Your Company
Registered User:                  IS Services

Rest of the features are set via Group Policies
Please find my working sysprep file attached.
Local Admin password:        P455w0rd

So, now that we have a working sysprep file, we need to tokenize it with the real computer name and put it in Windows\Panther\Unattend.xml before Windows starts for the first time after the image is deployed.

Part 4 Image deployment

After all the work above is complete, we are ready to deploy the image to client computers.
The majority of scripts and software installations are run from the local source on the target machine.
Local source location: C:\Windows\Source\

Create a computer account in the Deployment Server console (use the MAC and name of your target computer) and then schedule a job for it.
Make sure that the network card is set as the first boot device, as the computer will boot to WinPE a few times.
Please find the sample job and other files attached.

Quick overview

Tasks in red are happening in WinPE:

  • Run diskpart script to clean the target hard disk (we perform clean installation)
  • Distribute disk image using RDeploy
  • Rebooting PC, so WinPE can enumerate all hard disk partitions again
  • Tokenize sysprep answer file and copy it to the target computer
  • Copy DAgent installation files to the target computer

Tasks in blue are happening in Windows OS:

  • Computer goes through sysprep process and boots to Windows 7
  • Disable UAC, as it causes a few issues with installations later
  • Install drivers for specific model from network location
  • Remove letter D:\ from the system reserved partition on the hard disk
  • Clean up temp files on Deployment Server

 

Imaging job in details

It would be easier if you import the attached job into your DS, but don’t forget to point the tasks to your WinPE pre-boot environment.

Tasks 01 - 04 are running in WinPE
Tasks 05 - 11 are running in Windows on client computer
Task 12 is running on Deployment Server

Task 01 Run diskpart script to clean the target hard disk

We are doing a clean OS rollout and do not preserve any data on the hard disk during image deployment. This task cleans all partition information from the target hard disk, so we have a nice and clean disk to deploy to.

Script Run Location:         On the client computer
Automation pre-boot:       WinPE
Return codes:                   Default
Dpclean.txt listing
select disk 0
clean

Task 02 Distribute Disk Image

The image is distributed using RDeploy in WinPE.
Please note that we do not use the built-in option for sysprep; we use a standalone file. I will explain in the next step.
First Partition size:           100Mb, this is system reserved
Second Partition size:      100%, this is Windows production

In Advanced... at the bottom:
Graphical Mode for RDeploy
Delete OEM and Automation partitions

Task 03 Reboot Target Computer

When the image is downloaded, the target computer needs to restart and boot to WinPE again, so WinPE can reassign letters to all the new hard disk partitions and run additional WinPE scripts.

Task 04 Replace tokens in sysprep and copy DAgent and LAN drivers

Here, we do three things:

  • Take our custom sysprep answer file template and replace the token %COMPNAME% in it with the real computer name; this modified file is then copied to the target computer.
  • Copy DAgent installation files to the local source
  • Copy network card drivers to the local source, more details on this when we get to drivers installation.

Script Run Location:        On the client computer (don’t forget to take comments out)
Automation pre-boot:      WinPE
Return codes:                  Default

 

Comment:  italic – source, normal – target

REM ReplaceTokens .\MYDATA\Sysprep\win7x86ENT.txt .\temp\%ID%.inf
where %ID% is the internal computer name used in DS
.\MYDATA\Drivers\firm.exe copy ".\temp\%ID%.inf" "D:\Windows\Panther\Unattend.xml"
please note that because of the hidden system partition, system drive on the target machine was given letter D: in WinPE
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\%DSSERVER%\dagent.inp" "D:\Windows\Source\aclient.inp"
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\dagent.bat" "D:\Windows\Source\dagent.bat"
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\dagent.msi" "D:\Windows\Source\dagent.msi"

copies DAgent installation files
.\MYDATA\Drivers\firm.exe -recurse copy ".\MYDATA\Drivers\Win7x32\01LANDRV" "D:\Windows\Source\LANDRV"
copies network drivers

After this script is complete, the target computer will reboot and boot to Windows.
It will go through sysprep first and will do the following:

  •  Install Network Drivers provided in the custom location
  •  Install Windows standard drivers for all other devices
  •  Install DAgent

When sysprep is finished, computer will boot to Windows and process all other tasks/jobs.
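
An added check, not part of the original article or its attachments: before the tokenized answer file from Task 04 is copied to Windows\Panther, this Python script (run on an admin workstation) confirms that no DS token is left unresolved and reports how the administrator password from Part 3 is stored. The hidden form written by Windows SIM is base64 over UTF-16LE text with the element name appended, so it is an encoding rather than a cipher; the sample XML and its password are constructed, and treating a missing PlainText element as plain text is an assumption.

```python
import base64
import re
import xml.etree.ElementTree as ET

# DS tokens named on this page, plus database tokens of the %#!table@column% form.
TOKEN_RE = re.compile(r"%(?:COMPNAME|ID|DSSERVER|#[^%\s]+)%")

# Windows SIM hides a password by appending the element name to it and
# base64-encoding the UTF-16LE bytes of the result.
SIM_SUFFIXES = ("AdministratorPassword", "Password")


def sim_encode(password, suffix="AdministratorPassword"):
    """Build a SIM-style hidden value (used only for the constructed sample)."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _is_sim_encoded(value):
    """True if the value decodes the way a SIM-hidden password does."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:  # covers invalid base64 and invalid UTF-16
        return False
    return text.endswith(SIM_SUFFIXES)


def audit_unattend(xml_text):
    """Return sorted findings for one answer file; never outputs a password."""
    findings = {f"unresolved token {t}" for t in TOKEN_RE.findall(xml_text)}
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if not name.endswith("Password"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        value = fields.get("Value", "")
        if not value:
            continue
        # Assumption: a missing <PlainText> element is treated as plain text.
        if fields.get("PlainText", "true").lower() == "true":
            findings.add(f"{name}: plain text")
        elif _is_sim_encoded(value):
            findings.add(f"{name}: base64 only, readable by anyone with the file")
        else:
            findings.add(f"{name}: unrecognised encoding")
    return sorted(findings)


# Constructed sample: a template as it looks BEFORE ReplaceTokens has run.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ComputerName>%COMPNAME%</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{value}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>""".format(value=sim_encode("Constructed-Pw-1"))

if __name__ == "__main__":
    for label, text in (("template", SAMPLE),
                        ("tokenized", SAMPLE.replace("%COMPNAME%", "PC001"))):
        print(label, audit_unattend(text))
```

The same findings apply to the temporary .\temp\%ID%.inf copy on the Deployment Server until Task 12 deletes it.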

Task 05 Turn off Windows 7 UAC

If you do not turn UAC off, you are asking for trouble while installing drivers and software.
You can always enable it later.

REM Turns off UAC
'vbscript
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

objReg.SetDwordValue HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA",0

Task 06 Reboot Target Computer

We reboot target computers after each software installation or registry change, so each installation or change finishes correctly.

Task 07 Install Drivers

Drivers are installed in Windows from the network location.
I will provide more details in the Drivers chapter as it’s quite a bit to consider.

Task 08 Reboot Target Computer

Task 09 Copy diskpart script to local source

Task 10 Run diskpart script to remove letter from the hidden system partition

After sysprep, the hidden system partition will be assigned a letter, and we need to remove this letter so the partition is hidden from the user.
It is easily done; the example below is for a machine that has

  • One production partition: drive C
  • Zero or one optical drive: drive E

This script removes the drive letter from the hidden partition and reassigns letter E to the optical drive.
Dpremove.txt listing
select volume 0
remove letter=d noerr
select volume 1
remove letter=d noerr
select volume 0
assign letter=e noerr

Script Run Location:         On the client computer
Run environment:            Client OS with system account
Return codes:                  Default

 

Task 11 Reboot Target Computer

Task 12 Delete temp files on DS

This script will delete all the temporary files we have created so far on the DS.
Run script
REM Delete temp files on DS
del .\temp\%ID%.inf
del .\temp\%ID%.cfg

Script Run Location:         Locally on DS, when client computer is connected
Run environment:            Server OS
Return codes:                   Default

 

 Part 5 Drivers installation: LAN and other devices

Drivers, drivers, drivers… It’s great when they just work, but when they don’t play ball it may be very frustrating.
To understand drivers’ installation we need to have a look at how Windows 7 works with them.
Windows 7 has a few different mechanisms to install drivers, below are some of them with examples.

Theory

Windows is shipped with preinstalled drivers in DriverStore

Hit and miss results, because Windows uses drivers that are already in DriverStore, so newer hardware may be missed
Good:

  • Some hardware between 2 to 5 years old will have most drivers installed

Bad:

  • Not all hardware is catered for
  • No drivers for new hardware
  • Not consistent end result

Install drivers from Windows Update

If a driver is not found in DriverStore, you can configure Windows to install/update drivers from the Windows Update site.
Good:

  • Almost all hardware will be found, except the latest and greatest
  • You may use it to find working drivers for some odd hardware where a manufacturer driver is not available. Just install the driver from the Windows Update site and take it from DriverStore for later deployment

Bad:

  • Not all hardware is catered for, especially new
  • May cause user interruption
  • Will not work if Windows automatic updates are disabled
  • Not consistent end result

Manually install drivers while Windows is running (online mode)

Download drivers from manufacturer and run the installation
Good:

  • You know precisely what you are installing

Bad:

  • Not suitable for the enterprise environment, as you need to cater for different hardware and install drivers automatically.

Use registry key to point to custom drivers location HKLM\Software\Microsoft\Windows\CurrentVersion   Key:DevicePath

This method worked very well in Windows XP and you can use it in Windows 7 also.
Modify the DevicePath key to point to your driver source, something like
%SystemRoot%\inf;%SystemRoot%\Source\LANDRV
Good:

  • All drivers found in the custom location will be installed for devices that are online
  • Predictable end result

Bad:

  • If a network card driver is there, the network connection will be dropped while the driver is being installed, and as a result the deployment server task will fail
  • Driver conflicts, as all drivers are installed concurrently and resources are not distributed correctly

Pre-stage drivers while Windows is not running (offline mode)

You can add drivers to the DriverStore while Windows is in offline mode using DISM in WinPE.
Good:

  • All drivers found in the custom location will be added to DriverStore and drivers will be installed when device is switched on
  • Majority of drivers will be installed during sysprep (if drivers pre-staged before sysprep)
  • Predictable end result

Bad:

  • All drivers are added to the DriverStore, even if the device does not exist on the client computer
  • DriverStore size may get out of control
  • Driver conflicts, as all drivers are installed concurrently and resources are not distributed correctly

Use DPinst.exe to install drivers from the dedicated location while Windows is running (online mode)

DPinst.exe is part of Driver Package Installer
http://msdn.microsoft.com/en-us/library/ff544842%28v=vs.85%29.aspx
You can usually find it shipped with driver packages, or download the full Driver Kit Package from Microsoft
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
You need to use version 2.1.0.
Good:

  • All drivers found in the custom location will be installed for devices that are online
  • No drivers conflict as you can force it to install drivers one at a time
  • Predictable end result

Bad:

  • If a device is disabled, its driver will not be installed or pre-staged.
  • If a network card driver is there, the network connection will be dropped while the driver is being installed, and as a result the deployment server task will fail

DPinst.xml is the configuration file for DPinst.exe and needs to be in the same folder as DPinst.exe.
Have a look here for configuration flags
http://msdn.microsoft.com/en-us/library/ff550803%28v=vs.85%29.aspx
Alternatively you can use command line switches, described here
http://msdn.microsoft.com/en-us/library/ff544775%28v=VS.85%29.aspx

One more thing to note is that Windows 7 recursively searches all subfolders for drivers, so we only need to point to the top level folder.
So, with the theory part over, I will get back to our setup and examples.

Implementation

First of all you need to download drivers from the manufacturer's web site; they usually come as *.exe files. Unpack all *.exe files using WinRAR. Some odd machines will only install drivers from Windows Update; find those drivers in DriverStore and copy them to your drivers source.

All drivers are stored per OS\Model. Each model is a folder and each driver is in an individual subfolder. LAN drivers are stored in a different location.

We have decided that installing drivers using DPinst from a network share works best for us. However, when installing from a network share you cannot have LAN drivers there, as the network connection will drop and the task will fail. So we used 2 methods

  • Registry location – to install LAN drivers from local source during sysprep
  • DPinst – to install rest of the drivers in Windows from a network share
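
An added pre-flight check for the split described above (example code, not part of the article's attachments): it walks a Win7x32 driver folder and lists every .inf whose [Version] section declares Class=Net outside 01LANDRV, because DPinst installing such a driver from the share would drop the connection and fail the task. The sample tree and its file names are constructed.

```python
import os
import re
import tempfile

LAN_FOLDER = "01LANDRV"  # the page's folder for LAN drivers (installed locally)

SECTION_RE = re.compile(r"^\s*\[(.+?)\]")
CLASS_RE = re.compile(r'^\s*Class\s*=\s*"?([^";\s]+)', re.IGNORECASE)


def read_inf(path):
    """Read an INF file that may be UTF-16 (with BOM) or ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def inf_class(text):
    """Return the Class value from the [Version] section, or None."""
    in_version = False
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            in_version = section.group(1).strip().lower() == "version"
            continue
        if in_version:
            found = CLASS_RE.match(line)  # does not match ClassGuid=
            if found:
                return found.group(1)
    return None


def misplaced_lan_drivers(win7x32_root):
    """List network-class .inf files stored outside the LAN folder."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(win7x32_root):
        # Do not descend into 01LANDRV: those drivers are copied in WinPE.
        dirnames[:] = [d for d in dirnames if d.upper() != LAN_FOLDER]
        for name in filenames:
            if not name.lower().endswith(".inf"):
                continue
            path = os.path.join(dirpath, name)
            if (inf_class(read_inf(path)) or "").lower() == "net":
                rel = os.path.relpath(path, win7x32_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed Win7x32 layout with three tiny INF files."""
    files = {
        ("HP_DC7800", "Video", "video.inf"):
            ("[Version]\nClass=Display\n", "cp1252"),
        ("HP_DC7800", "Chipset", "lan.inf"):
            ('[Version]\nClassGuid={x}\nClass = "Net" ; NIC\n', "utf-16"),
        (LAN_FOLDER, "Intel", "e1k.inf"):
            ("[Version]\nClass=Net\n", "cp1252"),
    }
    for parts, (text, encoding) in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(text.encode(encoding))


def demo():
    """Run the check against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return misplaced_lan_drivers(root)


if __name__ == "__main__":
    print(demo())
```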

Network Drivers

Network drivers are copied to the local source in WinPE, before sysprep. This requires a registry change on the client machine you took the master image from, prior to the final sysprep.
We only use Broadcom and Intel LAN drivers and copy all of them to the client computer.
It is done in Task 04 of the image deployment by the following line
.\MYDATA\Drivers\firm.exe -recurse copy ".\MYDATA\Drivers\Win7x32\01LANDRV" "D:\Windows\Source\LANDRV"
where italic – source, normal – target

You can also put all network drivers into per-model folders and use a script similar to the one for other devices (below) to copy them to the local source in WinPE.

Other devices

Drivers for other devices are installed when the client computer finishes sysprep, by a task run from the deployment server in Windows 7.
We made a simple bat file script to point to a specific folder and install the drivers; we did not use a vbs script as it was more complicated.
You will need to know the computer model numbers as they appear in Deployment Server.
To get the list of computer models, run this SQL query on your eXpress database

select  model_num, max (prod_name)
from dbo.computer
group by model_num

Please see the script for drivers installation attached, below is the explanation.

echo off
REM Install hardware drivers
REM If model is unknown Windows 7 default drivers will be used
REM and file NO_DRIVERS.txt will be created in C:\
REM Windows 7 x86
REM No network drivers
echo Computer model:  %#!computer@model_num%
set modelname=none

Comment:Queries eXpress data base for computer model number
rem -------------------HP Desktops-------------------------
REM HP DC7800
if "%#!computer@model_num%" =="0AA8h" set modelname=HP_DC7800
if "%#!computer@model_num%" =="0AACh" set modelname=HP_DC7800

Comment:sets model number to modelname (folder name on share)
if "%modelname%"=="none" (goto nomodelnumber) ELSE (goto installdrivers)
goto exit
:installdrivers
REM Echo stays off until the share is mapped, so the password is not printed
set server=%DSSERVER%.your FQDN
set share=express
set drive=s:
set domain=your FQDN
set user=User name with access to drivers network share
set password=user password in open text
net use %drive% \\%server%\%share% %password% /user:%domain%\%user% /persistent:no
echo on

Comment for above: maps network drive on client computer
start /w %drive%\MYDATA\drivers\Win7x32\dpinst.exe /path %drive%\MYDATA\drivers\Win7x32\%modelname%\

Comment for above: start driver installation one at a time
net use %drive% /delete

Comment for above: disconnects network drive on client computer
echo off
goto exit

:nomodelnumber
REM Echo stays off until the share is mapped, so the password is not printed
set server=%DSSERVER%.your FQDN
set share=express
set drive=s:
set domain=your FQDN
set user=User name with access to drivers network share
set password=user password in open text
net use %drive% \\%server%\%share% %password% /user:%domain%\%user% /persistent:no
echo on

Comment for above: maps network drive on client computer
copy %drive%\MYDATA\drivers\Win7x32\NO_DRIVERS.txt C:\NO_DRIVERS.txt /V /Y

Comment for above: copies NO_DRIVERS.txt to the root of C:\
net use %drive% /delete

Comment for above: disconnects network drive on client computer
echo off
goto exit
:exit
echo Finished.
exit

You can also keep your LAN drivers in per-model folders and modify this script to pre-stage network drivers in WinPE with this command
REM pre-stage drivers
.\MYDATA\dism\dism /image:D:\ /scratchdir:D:\Windows\Temp\ /add-driver:.\MYDATA\Drivers\Win7x32\01LANDRV\%modelname%\ /recurse

Conclusion

Hopefully this article was useful and will help you with Windows 7 deployment.
In the next article I will show how we

  • Create Image manually in DOS
  • Install Windows 7 updates after the image deployment
  • Deploy software
  • Configured multisite Deployment Servers infrastructure.

Feel free to post any question or comments.

Comments

readzzz

This is almost my exact process except for we use the generalized image to create QA's hardware centric images.

 

Hey Symantec, we need DS7.1 to duplicate this process exactly and give realtime feedback to Windows 7 deployment with console status.

 

Thumbs up from me!!!

DS + SVS = IT Bliss

amattson25

This article has been very helpful to me. I just have a few questions as there are only certain parts of this I would like to use.

I have built the Windows 7 from scratch using our Corporate Key

Syspreped the image using the following command:

sysprep /generalize /oobe /shutdown

And created an image off of this like your documentation states and this works great.

I can even push this image no problem.

The problem comes when I try to use the unattend file I have created.

Per your instructions I have pushed the image and rebooted
Created a script for just the unattend file portion of it.

Rem Sysprep unattend
\\altiris\express\MyData\Win7\firm.exe copy "c:\Windows\Panther\Unattend.xml"

It copies the file but fails Error 1 during script execution. I didn't understand the section on replacing the tokens (I assume you have a special file that contains the computer name) so I had skipped that. I can always rename it at the end as I am not always sure who I am giving the computer to anyway.  Can you help me with why this fails. I am assuming this unattend file isn't on the computer before the image is taken, but maybe I am misunderstanding your documentation.  Any further light you can shed on this would be immensely helpful. Thanks.

If you need more info please let me know.

Andrey Shipov

Hi

If you look at my unattend file (win7x86ENT.txt), you will see that I use token %COMPNAME% for computer name. This token will tell DS to look in DS console for real computer name. This token is used, so you can have a template unattend file and then automatically change it for each machine you image.

See below

            <ComputerName>%COMPNAME%</ComputerName>

            <ProductKey>33PXH-7Y6KF-2VJC9-XBBR8-HVTHH</ProductKey>

Above key is for KMS activation of Win 7 Ent

 

To troubleshoot try to do the following:

01 Make sure that you use real computer name (not token)

 <ComputerName>YOUR Computer Name</ComputerName> in unattend and it is the same as computer on DS console.

 

02 Make sure that you copy this file over to target machine in WinPE, before machine boots to Windows.
Your copy file script is missing the source file
\\altiris\express\MyData\Win7\firm.exe copy "c:\Windows\Panther\Unattend.xml"

Should be like this

\\altiris\express\MyData\Win7\firm.exe copy \\altiris\express\MyData\Win7\sysprep\unattend.xml "c:\Windows\Panther\Unattend.xml"

Where unattend.xml is your production sysprep file with specific computer name.

 

03 If it still fails, take the hard disk out of the machine and connect it to another machine, so you can have a look if file has been copied correctly and investigate log files in c:\Windows\Panther\

 

When you get your specific unattend.xml to work, you can experiment with tokens to understand them better.

I would suggest running following first

REM ReplaceTokens .\MYDATA\Sysprep\win7x86ENT.txt .\temp\%ID%.inf

And compare win7x86ENT.txt (has a token for the name) with %ID%.inf (will look like 5001036.inf, numbers will vary); the latter file will have the specific name for the target computer

 

Then run both commands together in WinPE, before system boots to Windows

REM ReplaceTokens .\MYDATA\Sysprep\win7x86ENT.txt .\temp\%ID%.inf
.\MYDATA\Drivers\firm.exe copy ".\temp\%ID%.inf" "D:\Windows\Panther\Unattend.xml"

 

It will create customised unattend.xml and copy it to a target machine

 

One more thing, do you use KMS or MAK activation?

If KMS, then you need to use keys from here

http://technet.microsoft.com/en-us/library/ff793421.aspx

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

toca's picture

do you think i can use a virtual machine as my virtual image?

toca's picture

hey Andrey,

i followed the article and everything went well; i created a master image from a vm.

then created a new vm from scratch with the same settings and dropped the image....

the image job gets to task 4...

the vm starts up but blue screens.....

have you seen that behaviour before?

Andrey Shipov's picture

Hi Toca

I never tried using VM, but believe it should work  (make sure you give at least 2GB of RAM).

Task 04 should not cause BSOD as it changes files on the server and then just copies them to a  target  computer before it boots to Windows for the first time.

As for BSOD, I have never had it with Windows 7 deployment; I would recommend trying these steps to troubleshoot:

  • Can you open the image file with Altiris Deployment Server image explorer and does it seem fine? Image file may be corrupt.
  • Can you start up your master VM and does it go through sysprep setup OK? Sysprep may have damaged Windows installation.
  • Can you deploy image on to original VM (take a snapshot first)?
  • Can you start Windows installation from DVD to your new VM (just to rule out hardware misconfig)?
  • On your new VM, can you run diskpart in WinPE (schedule wait command from DS in WinPE pre boot) and see if the system detects the disk correctly
  • Try to deploy just the image: Task 01 and Task 02 and see if Windows starts
  • If all above fails, get a physical machine and 2 hard drives. At least you will be able to look at log files if you get a BSOD again or any problems with sysprep process.

Good luck, I am sure it is something very simple (usually is) and you will sort it in no time.

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

toca's picture

It turned out to be the vm itself,

when i restarted the master image vm machine it also blue screened...

i'm doing it over on a physical box... onward and upward :-)

i want to make an rdeploy and a ghost image.... would there be much change when doing a ghost image?

Andrey Shipov's picture

Hi Toca

Switching to Ghost should be straightforward, you just need to change from rdeploy to ghost engine in existing tasks (make a copy).

You may need to look at and play with ghost command line switches (you will find them in one of the user guides), but default ones should work fine, as we clean disk with diskpart before deploying image. I think that DS 7.x uses ghost as default engine, so I will be looking at using ghost also. 

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

toca's picture

the blue screen was the master vm that was causing the problem... so made a new master image and working well up until it reboots and goes into windows... it fails on my unattend...

something in the specialize pass it could not process..

I'm going to the variable computername and see if it works with a specific name...

i'm also using a volume license install for windows 7 but i do not have the key... so going to leave the key out... and see if it works or at least errors out complaining about the license...

unattend error.JPG
toca's picture

Hi Andrey,

below is my win7x86ENT.txt file...

does everything still look ok to you...?

also added a vm video of my components for the job... could you have a look at it and tell me if you agree with everything?

 

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Path>net user administrator /active:yes</Path>
                    <Order>2</Order>
                    <Description>Activates Local Admin Account</Description>
                </RunSynchronousCommand>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Installs DS Agent</Description>
                    <Order>1</Order>
                    <WillReboot>Always</WillReboot>
                    <Path>C:\WINDOWS\Source\dagent.bat</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
        <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SkipAutoActivation>true</SkipAutoActivation>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <ComputerName>pc1</ComputerName>
            <CopyProfile>false</CopyProfile>
        </component>
        <component name="Microsoft-Windows-SystemRestore-Main" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DisableSR>1</DisableSR>
        </component>
        <component name="Security-Malware-Windows-Defender" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DisableAntiSpyware>true</DisableAntiSpyware>
        </component>
    </settings>
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>en-gb</InputLocale>
            <SystemLocale>en-gb</SystemLocale>
            <UILanguage>en-gb</UILanguage>
            <UserLocale>en-gb</UserLocale>
            <UILanguageFallback></UILanguageFallback>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <WindowsFeatures>
                <ShowInternetExplorer>true</ShowInternetExplorer>
                <ShowMediaCenter>false</ShowMediaCenter>
                <ShowWindowsMediaPlayer>true</ShowWindowsMediaPlayer>
            </WindowsFeatures>
            <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
            <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
            <ShowWindowsLive>false</ShowWindowsLive>
            <TimeZone>GMT Standard Time</TimeZone>
            <DoNotCleanTaskBar>true</DoNotCleanTaskBar>
            <RegisteredOrganization>TOCATECH</RegisteredOrganization>
            <RegisteredOwner>TOCA</RegisteredOwner>
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
            </OOBE>
            <UserAccounts>
                <AdministratorPassword>
                    <Value>UAA0ADUANQB3ADAAcgBkAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
                    <PlainText>false</PlainText>
                </AdministratorPassword>
            </UserAccounts>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:f:/sources/install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
 

Attachment: NS6 Movie024.avi (8.88 MB)
Andrey Shipov's picture

Hi Toca

Your sysprep file looks fine and it gets copied to the client machine, but it is definitely failing on the Windows Key part.

I had the same issue when I was building my Windows 7 image.

There is a lot of contradicting information about which Key to use in sysprep or no key at all depending on your Windows version.

I remember reading MS article which says that with VLK versions of Windows 7 you must provide a Key in unattend.xml, so depending on your licensing model you will have to provide correct key:

 

If you use MAK: your MAK key

 

If you use KMS server to activate your Windows 7 clients internally on your network you need to use one of the keys from here

http://technet.microsoft.com/en-us/library/ff793421.aspx

these are not real Keys, they just tell the computer that it needs to go and find local KMS server to activate Windows.

 

We use KMS activation and Windows 7 Ent, so our key is 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH

If you use KMS server, you will have “real KMS” key given to you by MS and you will have to register it on your KMS server.

When sysprep fails, take a hard disk out and connect it to another computer, so you can have a look at log files.

What Windows version do you want to deploy and what licensing model do you have?

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK
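
A pre-flight check for the token-expanded answer file discussed in this thread, as an added example (not code from the article or from Altiris): it flags leftover %TOKEN% placeholders, a malformed ComputerName or ProductKey, and password values that are stored in clear text or only base64-encoded. The function names, the sample file, its key and its password are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
TOKEN_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")    # e.g. %COMPNAME%, %ID%
KEY_RE = re.compile(r"([A-Z0-9]{5}-){4}[A-Z0-9]{5}")   # five groups of five
NAME_RE = re.compile(r"(?!\d+$)[A-Za-z0-9-]{1,15}")    # NetBIOS-safe name


def lint_unattend(xml_text):
    """Return a list of findings for one token-expanded unattend file."""
    findings = ["unexpanded token " + t
                for t in sorted(set(TOKEN_RE.findall(xml_text)))]
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        tag = el.tag.replace(NS, "")
        text = (el.text or "").strip()
        if tag == "ComputerName" and not TOKEN_RE.fullmatch(text):
            # "*" asks Setup to generate a random name
            if text != "*" and not NAME_RE.fullmatch(text):
                findings.append("invalid ComputerName: %r" % text)
        elif tag == "ProductKey" and not TOKEN_RE.fullmatch(text):
            if not KEY_RE.fullmatch(text):
                findings.append("malformed ProductKey")
        value, plain = el.find(NS + "Value"), el.find(NS + "PlainText")
        if value is None or plain is None:
            continue
        if (plain.text or "").strip().lower() == "true":
            findings.append(tag + ": password stored in clear text")
            continue
        try:
            raw = base64.b64decode((value.text or "").strip(), validate=True)
            decoded = raw.decode("utf-16-le")
        except ValueError:
            continue  # not base64 / not UTF-16LE: nothing to report
        # A "hidden" value is the password followed by the element name.
        if decoded.endswith(tag):
            findings.append(tag + ": password is only base64-encoded, "
                            "recoverable by anyone who can read the file")
    return findings


def encode_hidden(password, element):
    """Build a PlainText=false value the way answer files store it."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


# Constructed sample: token left in place, key one character short.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-Shell-Setup">
   <ComputerName>%COMPNAME%</ComputerName>
   <ProductKey>AAAAA-BBBBB-CCCCC-DDDD</ProductKey>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>{pw}</Value><PlainText>false</PlainText>
   </AdministratorPassword></UserAccounts>
  </component>
 </settings>
</unattend>""".format(pw=encode_hidden("Constructed-Pw1", "AdministratorPassword"))

if __name__ == "__main__":
    for finding in lint_unattend(SAMPLE):
        print(finding)
```

Because a Value with PlainText set to false is base64 of UTF-16LE text rather than encryption, every copy of the answer file, including the one left in the Panther folder, should be handled as a secret.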

toca's picture

Thanks Andrey,

i think my problem is with the image i'm using... it was created from a windows 7 pro volume license cd... i did not put a license key in and i did not activate it.

i also noticed that when i dropped the image without an unattend, it asks you for options like date/time; pcname etc... but by default does not ask you for a key or activate online.

i've also just been using your unattend file, because i didn't have waik at my disposal....

so i think its breaking because yours is geared for enterprise....

i've got waik now.... so think i'm just gonna get a windows 7 cd with a key that definitely works (just wanted to use unattend skipping online activation) and take it from there.....

thanks for all the help so far man.

Andrey Shipov's picture

Hi Toca

When you build your master image it does not really matter if you activate windows or not as sysprep preparation will reset activation. As for sysprep, you are correct that it is better to create a new one using WAIK and your media (mirror my sysprep in WAIK for your environment).

 

It is always tricky to get sysprep working with different licensing models, you just have to try different things and it will eventually work.

 

Good luck and if you have more questions please ask.

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

toca's picture

I'm getting closer.

i noticed that no matter what machine i try and sysprep i always get a bluescreen afterward.

i'm using win7pro cd and just leaving cd key out...

so then i try sysprepping a machine without making any changes to it eg: delete RAW7 username; adding "Source" folder enabling telnet etc; and that worked....

so one of those extra steps is causing the bluescreen.

I will have to eliminate the steps one by one to see which one is causing the problem....

just have a feeling it's either the registry addition or maybe the telnet... so going to add everything except those two and see what happens.

Andrey in your steps above should we only make a "Source" folder or must I make "LANDRV" folder as well?

toca's picture

finally got a sysprepped image... onward ... :-)

toca's picture

For all the help, I got it working 100%

now just want to add getsrv to the job so that it dynamically find the local imagestore.

great article

Andrey Shipov's picture

Hi Toca, sorry for late reply, was offsite for a few days.

Glad you have sorted it out, would you mind sharing what was the issue and how you fixed it please.

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

toca's picture

it was really a stupid mistake;

when adding the custom folder path the driver location..... (blushing); I used a "," instead of a ";" which caused my image to break every time it came out of sysprep.

took me a week to figure that out.... :-(...

so your doc is correct to the letter...

i've also added getsrv to my winpe preboot now the image can be delivered to remote sites, pulling the image from a local remote store dynamically..

just trying to tweak the way the non lan drivers get copied and installed to the server, because that task does not run in winpe...

Benjamin Fuller's picture

Just as an FYI, I see you had steps to create the Username / PC Name and then delete the user name at a later time and the profile folders following.

According to Microsoft best practices and from my own personal experience, it would be easier that once your computer boots for the first time and you are prompted for a user name and PC name (before getting into Windows itself, this is the OOBE (Out Of Box Experience) first question);

Instead of doing that, boot into "Audit Mode" to configure the entirety of your image. Everything should be done in Audit Mode to avoid leaving behind trails to network paths, you can setup your applications, settings, your "default" profile, (must use the copyprofile command in the Unattend.xml to copy profile settings) and to finally sysprep the image and capture upon boot.

 

To Boot to Audit Mode

There are several ways to boot to audit mode, this being the best route for preparing an Image:

  • From the Windows Welcome screen, press SHIFT+CTRL+F3.
  • To exit, you will need to run Sysprep.exe with the /OOBE switch to exit the Audit mode

 

The link to the Microsoft write up is here:

http://technet.microsoft.com/en-us/library/cc722413(WS.10).aspx

You break IT, I fix IT!

Andrey Shipov's picture

Hi
Yes, you can use audit mode, but we only install one application into image and do not do much configuration with custom settings, most of the settings are done via unattend.xml and GPOs later.
As for: copyprofile command in the Unattend.xml, I find it not very reliable.

Also, your URL points to Vista and not Windows 7 section of TechNet, just an observation, should be
http://technet.microsoft.com/en-us/library/dd744337%28WS.10%29.aspx

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

Benjamin Fuller's picture

Andrey, I could understand where you are coming from, however; to use the Audit Mode at the first boot screen will still avoid you from having to create a nonsense user profile and computer name. Having to answer the first screen will do this and you will have a full c:\users\YOU_CREATED_AN_EXTRA and then an extra Registry GUID to delete in HKEY_USERS\S-1-5-21-XXXXXXXX

This just makes a clean image, hence why it is a Microsoft standard to use.

 

As for the link, Audit Mode is the same for Vista or Windows 7, no changes made - Microsoft does do some weird things sometimes HA! But Audit Mode is not one of them... It's a great tool to avoid unnecessary cleanup...

You break IT, I fix IT!

RFredette's picture

OK, so I forgot to put the Source directory into the Windows directory of my image.  And that caused a "User Defined" error 94 when running the put down the image script.

So I added the following code to the script:

REM ReplaceTokens .\MYDATA\Sysprep\win7x86ENT.txt .\temp\%ID%.inf

.\MYDATA\Drivers\firm.exe copy ".\temp\%ID%.inf" "D:\Windows\Panther\Unattend.xml"

REM The next part will error if Source does not exist...
IF EXIST D:\Windows\Source GOTO COPYLAN
MD D:\Windows\Source
:COPYLAN

.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\%DSSERVER%\dagent.inp" "D:\Windows\Source\aclient.inp"

Other than that I am LOVING this article!  Thanks!

khoran's picture

First off I'd like to thank you for providing these great instructions.

I do have a question if you don't mind.  The script that finds the model number and then installs the drivers based on the model number is giving me a problem.

How do you run this in Altiris?  Are you running this in Automation (PXE) or do you run this in Production?  If run in production will it know what the token names are? i.e. %DSSERVER%?

Also, where does this script move the drivers to on the local computer that the image has been deployed to?  Does it copy every driver down to the local machine and then run it?  I am not familiar with dpinst.exe and how it works.

Thank you for your time.

Andrey Shipov's picture

Hi  khoran, regarding drivers

dpinst is the windows application and runs in production.

The script that identifies a model will point dpinst to the specific folders on the express share that only has drivers for this model.

dpinst works like this: interrogates devices in device manager and will try to find a driver in the folder specified above.

Only drivers that are installed get copied to the client machine and after installation get stored in Windows driver cache folder
C:\Windows\System32\DriverStore\FileRepository

So, to answer your question: if you point dpinst to a folder that has 100 drivers, but your client machine only needs two, only two drivers will be installed and copied to the  client machine.

%DSSERVER% is the default Altiris token and stands for Deployment Server name, I used it to make my imaging job universal as this job runs on four different deployment servers.
You can find the list of default tokens in the Deployment Server Admin/User guide

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

khoran's picture

Andrey

Thank you for the response above.  I have a much better understanding now of how dpinst works in the process.  When my script runs it fails though and I can't pin point where the failure point is, i.e what is causing the task to fail.

Would you be willing to look at my script and double check my work?

Again, great detailed instructions!  Thank you!

Kyle Horan

Andrey Shipov's picture

and I will have a look

 

Andrey

Andrey Shipov
IS Infrastructure Senior Engineer
Manchester, UK

evgen007's picture

Hello Andrey,

thanks for the post - trying to follow it.

The step I got stuck on so far - HKLM\Software\Microsoft\Windows\CurrentVersion   Key:DevicePath

I added ;c:\drivers to it, copied LAN driver to c:\drivers, but it's not being installed during setup.

I was able to install it by adding dpinst command into RunSynchronous step, but it leaves computer out of domain.

PS. found the problem - unattend.xml was created by altiris, and I did not check it properly - there was PersistAllDeviceInstalls parameter set to true.
