Altiris DS & Windows 7

DS SP3 provides support for Windows 7.  Havne't done any of it myself so no hints or tips yet

I do things a little differently than most but I ran across this link a while back when it was on Juice.  You might want to check it out:

https://www-secure.symantec.com/connect/articles/b...

Also, here's another link that I've refered to frequently in the last couple weeks as I was working on our 7 image:

http://technet.microsoft.com/en-us/library/dd349348(WS.10).aspx

I also care about it .

DS 6.9 SP3 is in beta at the moment, but will provide Windows 7 support.

I have downloaded and installed SP3, it is available on the download site now. 

The thing to consider is that you really don't need 6.9 sp3 to deploy Windows 7.  For convenience sake, yes it's nice but in order to make things work you just have to get familiar with ImageX and WinPE.  It really is easy to capture and deploy images once you learn these things.  I'm still on 6.8 and it's working great.   There are two sample ImageX scripts listed on Samples in 6.8 that got me started.  However, I'm still going to move forward with 6.9 sp3 when we are able to move forward.

Now that DS SP3 is out, is the BCDEDIT still needed? Do I need to recapture my master 2K8 images after upgrading to DS SP3?

I can confirm. It is no longer needed on 2K8 or Win7. You can just take that step out of the job. You do not need to build a new image.

for Windows 7 images and Altiris deployment as opposed to WAIK, MDT, etc?  I know there's one for Vista, but it seems there are a few differences with 7.

Depending on how you installed win7 depends on if you need to use the bcdedit scripts.  Ive been pulling my hair out for the last week and a half trying to figure out why one master image worked, and one didnt.  I finally realized what I did differently.  If you install win7 to a disk without creating a partition, it will create a 100mb recovery/boot partition before the main partition.  Then you must use the bcdedit script and set the partition=d: (not c: even if its your c: partition...the bootmgr must just see d as being partition 2) If you create the partition before you install win7, then you do not need the script.  Glad I finally figured that out.

Thanks for sharing that with us - I normally prepare the partition before installing an operating system, but I'm sure I would have been caught out by that one sooner or later.  ;-)

Since we're in a completely managed environment and users aren't going to be doing repairs, etc., I blew away this hidden partition on my master image using information from this article:

http://www.shivaranjan.com/2009/05/11/how-to-preve...

If we weren't in a managed environment, I probably wouldn't do this.  Anyway, I thought I'd share for what it's worth. 

Bitlock function in windows 7 will use this hidden partition. I would think it is better to keep it.

Yeah, we're not planning on using bitlocker, though.

I got to thinking about this and we might end up having a few user with laptops that would or should use BitLocker.  99.9% won't need this in our environment.  In any case, I avoided it because there just isn't any good documentation about how to do this - basically capturing and applying two partitions using ImageX (one of them being hidden).   I've read Microsoft's technet articles and it thoroughly describes the process for a single partitions but it really doesn't indicate how to handle the hidden System Recovery partition.

Worst case, I did figure out out to add the partition back in using this article (http://support.microsoft.com/kb/933246/en-us) but then I have to apply my captured hidden partition overtop of this newly created partition and then run the recovery tool on the DVD.  It's a little hokey but it will work for the few laptops that we have and that's what I have to work with until we upgrade to 6.9 SP3.

I still use v6.9 SP2, and have been playing with W7 RTM to get it ready for my environment. At this stage I have decided to go with a very basic (driverless) Altiris Image of my system. This includes the 100MB System, xxGB Windows and yyGB Data partition. I am simply issuing commands in the "Duistribute Disk Image" task like "-p1 -p2 -kp3" in order to retain the data aprtition and blow everything else away... which is what we want.

Downside: Can't inject drivers or perform offline maintentnance on the IMG without risking corruption (see "Image Explorer" issues). Taking a size hit as the IMG contains everything including pagefile etc.

Upside: Without introducing MDT/WDS etc, and without forking out for a Windows 2008 Server, we can multi-cast our Sysprepped and generalised images.

Pre deplyment I generate the driver and utility list, post deployment I copy the drivers, setup script, "unattend.xml", "setupcomplete.cmd" etc to the system, then fix the boot manager ready for booting to production. In my particular case I need to set BCDEDIT to change {bootgmr} to partition "C:" and {default} device/osdevice to partition "D:". All works a treat so far.

Now to sort out why the DAgent MSI causes the "setupcomplete.cmd" to stop processing :(

I've DS 6.9 SP3 installed, I do a PXE boot to server run WinPE 2.1 bring the image up to server (create image).  The image is 1 partion (tried dual also).  Create image works.  Then try to deploy image using WinPE.  The goes down to workstation but when it reboots I get an error:

Status:0xc000000e
Boot Selection Failed because a required device is Inaccessible

I run the following commands in winpe:

REM Find the system root and append system32 and BCDedit
%SYSTEMROOT%/system32/Bcdedit.exe -set {bootmgr} device BOOT
%SYSTEMROOT%/system32/Bcdedit.exe -set {default} device BOOT
%SYSTEMROOT%/system32/Bcdedit.exe -set {default} osdevice BOOT

Reboot and it boots to windows.  Tried to run the script after imaging in deployment job, does not work even though DS show it ran.  Have to boot to Winpe & run manually. 
Any one have any ideas why my image is not working ?  Get the same error whether I have 1 or 2 partions, or use WinPE or Linux??

Update:  Running script that Ryann listed above, changing the D to a C is working.  Big Thanks to Ryann

REM To fix boot order with BCDEDIT
bcdedit /store c:\boot\BCD /set {bootmgr} device boot
bcdedit /store c:\boot\BCD /set {default} device PARTITION=c:
bcdedit /store c:\boot\BCD /set {default} osdevice PARTITION=c:

But since I'm running 6.9 SP 3 don't know why I need the script?   I was under the impression going to SP3 it would work...  Working now with work around.  I'll keep trying to get it to work correctly and waiting for DS 7 maybe it will work.

 I am still a little confused about when you run this script.  Does it just need to occur before creating the image?

Also, if you have the recovery partition +system partition do you use the script:

REM To fix boot order with BCDEDIT
bcdedit /store c:\boot\BCD /set {bootmgr} device boot
bcdedit /store c:\boot\BCD /set {default} device PARTITION=D:
bcdedit /store c:\boot\BCD /set {default} osdevice PARTITION=D:

REM To fix boot order with BCDEDIT
bcdedit /store c:\boot\BCD /set {bootmgr} device boot
bcdedit /store c:\boot\BCD /set {default} device PARTITION=c:
bcdedit /store c:\boot\BCD /set {default} osdevice PARTITION=c:

In any case, I have tried many variations of these tasks and non seem to work for me.  I always get the dreaded BOOTMGR error.  I specifically tried the straight DS 6.9 SP3 way with the DAgent installed and allowing the DS to fully manage the sysprep process using my autounattend.xml file.  As far as I am concerned this feature is not working as stated (or it needs to be documented better because of the issue with the hidden partition).  I'm extremely frustrated with this.

Have to slipt this in 2 parts will not take in 1 for some reason.

Powellbc, tell me about it, took me some time also.  1st the script to use....  Which script to use depends on your image.  Does it have 2 partitions or 1 single.  Usually by default Windows 7 likes to put 2 partitions on a drive unless it is already partitioned as 1 big drive. So if you have 2 partions you use this script:
REM To fix boot order with BCDEDIT dual partition
bcdedit /store c:\boot\BCD /set {bootmgr} device boot
bcdedit /store c:\boot\BCD /set {default} device PARTITION=D:
bcdedit /store c:\boot\BCD /set {default} osdevice PARTITION=D:

If you have 1 partition use this script:
REM To fix boot order with BCDEDIT Single partition
bcdedit /store c:\boot\BCD /set {bootmgr} device boot
bcdedit /store c:\boot\BCD /set {default} device PARTITION=C:
bcdedit /store c:\boot\BCD /set {default} osdevice PARTITION=C:
 

Where to put the script?  On DS server create Distribute Disk Image if not all ready done.  After you've completed the basic job,   Select the job under Jobs if not still selected.  Now on the top right side you have the "Discription" window showing the "Distribute Disk Image" under task and under Details shows the path.  
Click the ADD>> button.  The choose "Run Script".  Should be about 4 up from bottom of list.
Run Script Window opens, now you can put it in a file or just paste it in Under "Run This Script".  I just pasted mine in.     Make sure "Windows" is picked under "Choose the script Operating system", beacuse your using winpe to boot client from.   Click "Next"
Script Information window, under "Script Run Location" pick "On the client computer",
Then below where it says Automation Pre-boot environment, I picked "WinPE_32bit".

I did the last step because we had problems with workstations with 64bit cpu booting to 64 bit Winpe when the OS/image is 32 bit and causing problems.  So we boot to 32 bit to do 32 bit image and 64 bit to do 64 bit image, just to be safe.  Never had a problem booting to 32 bit winpe to do a 64 OS/image.

So if you watch the image come down, after the copy to the workstation is complete, winpe will then run the script, note do not touch the mouse of keyboard.  I try to open i believe the admin comand prompt just as the script started to run, and in WINPE which ever window you click on has run priority and the script stopped till I click on its window again.

Good luck

 Rick, thanks for the comments and details.

I have this working but it is all via Scripts deployed via the DS.  Image X use on the DS and Windows 7 does work correctly (the issue is actually the lack of customization ImageX commands).  We need to do it this way because we elected to follow what we assume is the MS best practice:

1. Partition the disk using diskpart.
2. Deploy the image to the second partition (this is not possible using ImageX via the DS console AFAIK).
3. Run bcdboot from the just imaged volume to populate the system partition.
4. Inject Unattend.xml to the image.

With regards to step 3, this is how Microsoft says to do it and from what we know it is important to do it this way so the system partitions are unique per machine.  We are not using Bitlocker at this time but may some day so we did not want a fleet of machines without this partition or with one that would cause problems down the road.  I don't think this is the same as what is described above with the BCEdit script.  I found this info here: http://technet.microsoft.com/en-us/library/dd349348(WS.10).aspx (kubasa posted this a while ago).

I think it is sort of disingenuous to say DS 6.9 sp3 support Windows 7 imaging.  It really does not, at least not correctly.  If you could simply run ImageX with full control it would be no issue, but since it is setting command line switches and running diskpart on its own it does not work.
 

Powellbc and Rick, are you able to turn on bitlocker without any problems?  I have the imaging portion working going to both partitions just fine but in order to get bitlocker working, I have to use the recovery tool (bootrec) off the DVD and restore the MBR and then bitlocker works just fine. 

Like I mentioned in a previous post, we might have about 50 laptops out of 3100 computers that might use bitlocker so I'm not overly concerned.  I guess what does concern me is why or how my MBR is getting messed up and what else it might affect down the road.

Because we are still at 6.8, I use a whole series of scripts to get this to work so it is a bit cumbersome.  I asked Altiris what scripts they are using in 6.9 knowing full well that someone at Altiris has dealt with this (hopefully) but they basically told me to upgrade which we can't do for a while yet.   Anyway, are you running the bcdedit script before capturing your base (non-sysprepped) image or are you only applying this after applying the image to the computer?  If yes, do you do the same for your deployable image?  Most of all, I'm really curious if either of you are able to turn on bitlocker using whatever scripts you are using.  If you can enable it, I might have to post what I'm doing and see where I'm going wrong.

 We are not using bitlocker.  I will attempt to run a test if possible.  We use PGP for WDE now but if that ever changes we want to be prepared.

Here are the exact steps (each step is a separate script and we are using DS 6.9 sp3):

1.   Format/partition Drive using diskpart.  This creates 2 partitions in the WinPE environment.  C: is a 200MB system partition and the rest (D:)is for the OS.
2.  Apply Windows image to D using this command: imagex.exe /apply "Win7Ent.wim" 1 D:
3.  Run BCDBoot witht his command: d:\windows\system32\bcdboot d:\windows (this step creates the fresh system partition).
4.  Copy answer file to copy D:\windows\panther\unattend.xml and D:\windows\system32\sysprep\unattend.xml tro ensure they are used.

Because we are deploying Windows 7 x64, we had to create 64 bit boot disks for step 3 to work (otherwise it will try to call a 64 bit app in a 32 bit environment because it is actually executing BCDBoot from the just deployed image).


Although somewhat unwieldy, this process works well except that Diskpart ALWAYS fails on the first attempt on a fresh drive.  After a reboot of the system and a rerun of the job it works and everything goes correctly.  Not sure why what is happening.  I tried building a reboot into the job but using the command "wpeutil.exe reboot" but it  causes the machine to reboot in a loop because the task never completes on the DS for some reason.

bcdboot......that's got to be what I'm missing.  Thank you.  I'm off for a couple of days but I will be trying that as soon as I get back.  I really appreciate it!

 No problem, glad to help.

Darn - I really thought this was it.  If I run the bcdboot, then I get an error message "Failure when attempting to copy boot files".  I tried running it before my bcdedit, after bcdedit and running it without including bcdedit but I always get the same error.   I guess I'll keep playing around with this until we can upgrade to 6.9 sp3. 

Basically, I am running the following as a script job and I can upload and pull down images just fine so in reality, I shouldn't worry, right?  The main problem is if I try to turn on bitlocker, then I get an error and have to use the Windows 7 DVD, run bootrec and then life is good.  Not a big deal really because we will only have about 40 or 50 laptop users but it still bugs me that something isn't quite right.

@echo off

net use y: \\server\eXpress
y:
cd software\hotfixes

diskpart /s W7E_disk_prep.txt

format c: /fs:ntfs /v:Reserved /q <dual_boot_prep_answer1.txt
format d: /fs:ntfs /q <dual_boot_prep_answer1.txt /v:

cd y:\
cd WAIK\Tools\PETools\x86\
bootsect /nt60 SYS

cd y:\
cd WAIK\Tools\x86\
imagex /apply "y:\Images\Windows 7\sr_boot.wim" 1 c:
imagex /apply "y:\Images\Windows 7\1_0.wim" 1 d:

d:
cd windows\system32
Bcdedit.exe -set {bootmgr} device boot
Bcdedit.exe -set {default} device partition=d:
Bcdedit.exe -set {default} osdevice partition=d:
Bcdedit.exe -set {default} description "Windows 7 Enterprise"

W7E_disk_prep.txt

select volume 0
remove letter=d noerr
select volume 1
remove letter=d noerr
select volume 2
remove letter=d noerr
select volume 3
remove letter=d noerr
select volume 4
remove letter=d noerr
select volume 5
remove letter=d noerr
Select disk 0
Clean
Create partition primary size=100
Select partition 1
Assign letter=c
Active
Create partition primary
Select partition 2
Assign letter=d
Exit

dual_boot_prep_answer1.txt

Y

Just so you know, don't expect 6.9 SP3 to fix any of your problems.  There seems to be a big duifference between how Microsoft says you should deploy images and the way it is implemented in the Ds for Windows 7.  As it is now I am using a win PE 2.1 boot disk (not 3.0) because they have not added that support yet.

Where not using bitlocker either, we're using PGP, but we don't encrypt the drive till the machine is given to a user.  Might setup a VM and try it.  We had no problems since we starting running the scripts after imaging with DS 6.9 SP3.  But still don't know why we need it.  DS 6.9 sp3 is suppose to work.  We have a single partition also still need bcdedit.exe.  Only problem we are having is with a Dell 960 which will not take a image.  We've a newer Dell 960 which is a few months newer working no problem, but the older keeps locking up.

We use RDeploy (*.exe; *.img)(Test Mode) to create our images, not imageX.

OK.  I just got this figured out for those of you who are not at 6.9, sp3 and thought I would share this information in hopes that this will save someone else a lot of time.  Here’s what I did – I upgraded my bootsect tool within WinPE from version 6.0.6 (Vista RTM) to version 6.1.76 (Windows 7 RTM) so I could use the /MBR flag and it appears that this did the trick.   In reality if I had been using WinPE 3 instead of WinPE 2.1, this probably wouldn’t have happened but because we haven't upgraded - well, we are stuck at WinPE 2.1.   Bootsect for me is located in the following directory: \\server\eXpress\WAIK\Tools\x86\bootsect.exe. 

Additionally, I changed a few things in my script and after testing it, I finally have a fully functioning deployment script for WIM images using ImageX.  I know a lot of folks on this forum are using .img images so it wouldn't apply.  I headed down this path because we were worried about our funds getting pulled for Altiris so I wanted to be ready to use the Microsoft tools if this were to happen.  As such, this is the road were on and now it's working.

Here's my new script job in case others are struggling with this.  Note that I added bcdboot.exe d:\windows and I'm only applying the OS partition and not the System Reserved partition - I received this suggestion from the folks over at one of the Microsoft deployment forums.  This allows Setup to automatically create the System Reserved partition.  I'm using version 6.1.76 for bcdboot.  Also, because we have Dell OptiPlex systems with card readers which creates 4 additional drives that are read by diskpart, I have to run remove letter=d for the first 6 volumes.  On our laptops, I remove d from volume 0 and volume 1 since they don't have any card readers.  The beauty of Altiris is that I can setup a filter and point the filter according to the computer model and point the laptops to a script that only removes the letter from the 2 volumes.  I could use different drive letters and simplify this whole process but I guess I just feel more comfortable using C and D drives (strange hang-up of mine).  In any case, this whole combination of events is making things work to deploy Windows 7 Enterprise AND allows BitLocker to work properly.

net use y: \\server\eXpress
y:
cd software\hotfixes

diskpart /s W7E_disk_prep.txt  (see below txt file below)

format c: /fs:ntfs /v:Reserved /q <dual_boot_prep_answer1.txt  (see below txt file below)
format d: /fs:ntfs /q <dual_boot_prep_answer1.txt /v:  (see below txt file below)

cd y:\
cd WAIK\Tools\PETools\x86\
bootsect /nt60 SYS /mbr

cd y:\
cd WAIK\Tools\x86\
imagex /apply "y:\Images\Windows 7\1_0.wim" 1 d:

bcdboot.exe d:\windows

d:
cd windows\system32
Bcdedit.exe -set {bootmgr} device partition=d:
Bcdedit.exe -set {default} device partition=d:
Bcdedit.exe -set {default} osdevice partition=d:
Bcdedit.exe -set {default} description "Windows 7 Enterprise"

W7E_disk_prep.txt
select volume 0
remove letter=d noerr
select volume 1
remove letter=d noerr
select volume 2
remove letter=d noerr
select volume 3
remove letter=d noerr
select volume 4
remove letter=d noerr
select volume 5
remove letter=d noerr
Select disk 0
Clean
Create partition primary size=300
Select partition 1
Assign letter=c
Active
Create partition primary
Select partition 2
Assign letter=d
Exit

dual_boot_prep_answer1.txt
Y

Using ghost to deploy. This bit really helped a lot:

bcdboot.exe d:\windows

d:
cd windows\system32
Bcdedit.exe -set {bootmgr} device partition=d:
Bcdedit.exe -set {default} device partition=d:
Bcdedit.exe -set {default} osdevice partition=d:
Bcdedit.exe -set {default} description "Windows 7 Enterprise"

Now to troubleshoot SEP 11 MR5 installation. I am getting an error 1603 in the MSI log file.

Has anyone tried adding this to the unttend.xml? I have it in the FirstLogonCommands section right after DAgent...