Deployment and Imaging Group

We want to streamline our image build process so that it can be automated and done monthly.  We wish to do the following:

1. Boot to PXE
2. Scripted OS Install
3. Fully patch the OS per our standard (currently WSUS but will be using Patch Management at some point).
4. Sysprep
5. Boot to PXE
6. Ghost to create Image.gho file(s)
7. Shutdown

Simple enough but what is the best way to accomplish #3 above in the most automated fashion?  We do not wish to install any software on our image (that will be done with Altiris software delivery policies).  We just want to be able to put out an up to date image monthly. 

If you're going to be using patch mgmt, then just install the SMP agent and let it get patched up on its own. You'll need something there to do a reboot after patches are done, and then do the sysprep, so might as well use the smp agent.  unfortunately there's no way to know when it's done patching, so you may just have to let it sit for a day, then do the reboot.  

don't forget to clear out the SID and such since you'll presumably be leaving the SMP agent installed.  

Yeah that's the part that keeps it from being automated.  Is there a way to install ALL windows patches when running a Windows 7 unattended install?

You bring up a process that I have been meaning to get nailed down.

One of the options I was thinking of using is DISM to automatically install patches. I've read some place that you can inject the patches into an offline wim using dism. My thought on this would be to build the automation to perform this task and then do the SOI. That way your up to date from the start.

I haven't taken the time to dig into this but that was going to be one of my first processes to investigate.

The prepare for capture task will cleanup the GUID for the SMA.

i'd like to know, too - i'm thinking about changing to SOI instead of creating an image by hand, patching it up, doing some tweaks, then sysprep/capture... and then cracking it open to patch and re-sysprep every few months.  the main things keeping me from doing it is just what you've pointed out - a SOI has zero patches.  the other thing is a SOI won't have the tweaks we want made, since i don't know how to replicate them programatically.  sure, they're probably in the registry or are file copy/deletes, but i haven't invested the time to figure out where to go in the registry to accomplish them.

The problem with cracking open a sysprep'ed Win7 system is that you are limited on the number of times you can do that. Last I checked it was 3 times.

Once you get your first process worked out you could use a straight SOI process and never use an image. Of course this is all dependent on getting your tweaks worked out between scripting and GPO's.

I prefer this method. Offline patching and automated tasks for maintaining offline "sources" could, in the right hands, be the key to reduce the time and effort needed in complete workstation setup. We tried updating offline images when we planned to use factory instal process for our workstations. We got it working, but decided to drop the factory installations and still use DS to run scripted installs.

I am looking at implenting the same solution in my environment.  Although I am not ready to take on that project (automated image build) just yet, in my initial research I found this utility which may do exactly what you want.  WuInstall lets you install Windows Updates on demand from a command line from internal WSUS server or external Microsft Update Server.  There is a free and pay for version:

http://www.wuinstall.com/

If you give this a try, I would love to hear how it works for you.

the way i do it is to make my image in vmware, do all patches and tweaks (including cleaning out MRU from the registry) and get it to the point where i'm ready to sysprep.  then i shut down the VM, capture a snapshot, boot up, sysprep, and capture image.  then next time i'm ready to change something in the image, i go back to the "ready to sysprep" snapshot, do whatever i need to do, then capture a new snapshot, then sysprep and capture again.  i'm only limited by disk space that way, and can do it as often as i want with no complications.  and after a while i can delete older, unneeded snapshots to free some space if i ever needed to.  

Not a bad idea.  I had thought about doing this as well.  We may go with this solution although the automated solution with a job seemed so much "cleaner".

i agree with the automated solution being better... IF you can work out the kinks and still have the customizations we want.  that way you can just have a VM sitting somewhere getting reimaged once in a while on a schedule, and you don't even have to do ANYTHING to update your image regularly once you get it all set up.  in fact i think that's how a lot of people do it who use MS system center/SCCM.  

Gibson's process is how most engineers maintain an image. At least in my experience with Altiris.

That has been how I've been doing it for years. One of the upsides to using a VM is that you don't need to load any drivers into the image and the ability to take snapshots.

I was talking to another engineer two years ago (wow, I’ve been sitting on this a long time) about creating a process to build a base that anyone could follow and end with the same configuration each time. This would take the load off one or two people and still give you a consistent build process. Everyone does not build an image the same way twice.

By using DISM or some other FREE tool to inject patch’s you can speed up the rebuilding process. My thought to all of this is to set a WIM on a network share and update it on a schedule using a Run Script Task. You still have the manual process of gathering your files and placing them in a specific location but I would chock that up to standard maintenance.

Once the WIM is up to date you could then deploy it using a standard SOI process. Oh, did I forget to mention? You will need to update your distribution points after patching the WIM.

Microsoft has supplied a lot of tools to help us get this done. We just need to fine tune a process and document it (I'm sure that too has been done in some form or another).

Between DISM, LGPO's, and scripting, you should be able to customize your base before sysprep’ing it. You may want to use GPO’s once its built depending on your environment. The only reason I say sysprep is that laying down an image may be quicker than running an SOI in high volume shops.

Another option or spin to all of this is to recapture your “Image” back into a WIM and deploy it using SOI. I don’t know if that is a viable solution but one I think is worth looking into.

Let me see what I can come up with over the next couple of weeks. I'm sure I can get something together short of customizing the OS to everyone’s liking.

Our process here is have a compeltely automated image build process. This scripts the install, installs the software, patches (using a vbscript, though I've tried wuinstall and this is very good too), syspreps and then uploads the image.

This can be initiated overnight, so in the morning you have a completely updated image ready for distribution.

A virtual machine holding an image at the point before you sysprep is fantastic too -especially if you are in a rush, though it lacks automation.

The best thing about the automated process (for me) is that I always know the configuration of the final image which means there is very little chance that human error can leak undetected into the process. The process takes about 1-4 hours (depending on the image being built) and sends an email on completion with no time wasted.

Kind Regards,
Ian./

I have done the automated process with DS 7.1 and i use the patch managent part of CMS to patch to our standard levels, which works pretty well. I just run a creation job overnight which builds and patches it and then run another job to create the image the following day. This approach also makes it easy when new service packs get released as we just update the SOI job.

Agree with the previous comment that this is the best way as it minimises human error.

Our process is pretty much 100% automated also for building the images.

In respect of Updates we use WSUS and just drop the registry settings in as part of the build process then run a Windows Update Agent API lookup to get it to scan for updates and report back and install all neccessary updates.

TechNet has this on it: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387102(v=vs.85).aspx

Its a good starter for 10 to look at atleast.

Ian, is the vbscript you use to pull down the patches something you maintain monthly or does it automatically pull the patches from WSUS / Microsoft Update?  Can you share your script?  Thanks!

Eric

@Jason -Do you need any more assistance on this one?

I cleaned that script up and removed the prompts, but could never get Altiris to run that script as part of an automated build.  If I manually ran the task on a machine, it would work perfectly.  I gave up on it.

I always find it odd that the best way to initially patch clients is NOT to use Patch Management. surely they must be looking into this to speed up the process ?

I'm interested in how everybody manages "step 2. script OS install"...  How do all you managed the driver piece for each type of computer model?  We still make a base image for each model.

For patching we've create series of jobs to restore the initial backup (taken before sysprep) patch then create the base new image:

.

Suggestion welcome.

You might want to take a look at our deployment solution, DeployExpert (DX) http://www.altrinsicsolutions.com/dx/smp.  DX is natively integrated into the SMP enabling you to analyze every device in your environment and harvest drivers for each device within your models and integrate all the drivers into a deployment so you can have a single image. We have engineers available to provide additional information or a POC so you can see exactly what DX can do in your environment.

If you’re using Dell, they have a CAB file that you could use to get you 90/95% of the way there.

If you are using other hardware you will have to check with them to see if they have something similar.

I know HP has a process that you could implement. I have never used it but have seen reference to it in the forum.

For those Drivers that require Software. Well, I have found only one way to handle them. Tokens and Scripts.

The built in DeployAnywhere works but it requires you to know your hardware.

I have seen others use DISM with the Tokens and Scripts also.

All of the above processes require you to know your hardware and pre-stage your drivers on a network share.

Rae is offering a good solution if it fits your environment. I believe it is, or can be, more automated than the above options. You should at least have a look at what they offer. A test drive in a lab using your hardware would be a good start.

I use Lenovo Machines. I use their tool called "update retriever" to download drivers for each model onto a share on the NS server. I create a package for this folder which replicates it to all site servers. On the client I run the Lenovo "ThinInstaller" tool - this points to the local package server and downloads all the drivers. You can use command line switches to automate all the driver installs or do it manually. It doesn't work 100% for all machines (skips the odd driver) but better than using deployment jobs in CMS.

Joe.

We have mostly Lenovo machines in our environment as well and use this tool for them.  With the others I am forced to script the copying of the drivers to the system after imaging is complete and letting dpinst.exe take care of installing them.  This allows for one 32-bit Windows 7 image and one 64-bit Windows 7 image.

Jim this link appears to be broken.

Appreciate the feedback.

We are a HP shop. NS 6 had a HP client which handled hardware drivers but that never made it to 7. Driver Management (DeployAnwhere) will not work with all drivers, I have tried.  Not sure that DeployExpert mentioned above would be handle all driver?  I've not heard of dpinst.exe, I'll have to check it out.  There is a trade off in time spent creating automated methods to make a golden image or simple making a image for each model.  As we don't have many models we go with the latter.

Hi Rick.  DeployExpert would be able to driver/device diversity for HP as well as additional peripheral devices and would allow you to quickly and easily have a golden image with driver packages specifically for each unique device configuration (not just model) in your environment automatically injected into your deployment job.  During execution, the system is inventoried and the database queried to generate a dynamic list of drivers and applications that are then copied down to the client and installed during the sysprep unsealing process.  You can see how here http://www.altrinsicsolutions.com/dx/smp/video  You can also download trial code to test in your environment here http://www.altrinsicsolutions.com/download?product=SMP.  I'd be happy to arrange a POC so you can see how DX would work in your environment or answer any questions youmight have about specific drivers and how we handle individual instances.  You can email me at rachel.landua@altrinsicsolutions.com or call 316.453.0063.

Rick,

Dpinst.exe is the windows driver manager.  We have it setup so that it scans the c:\drivers folder and automagically installs every applicable driver contained in that folder and subfolders.  The nice part about it is that it will only install relevant drivers for that system so if you wanted to you could copy down every driver for all of your hardware and let it do its thing.  There are of course always exceptions (those drivers that actually need a utility installed like a touchpad driver for example).

If you would like I can provide the xml and bat file I use to call dpinst.exe.

Jason - i'd like to see your xml/batch used with dpinst.  i'm coming up on my next image refresh cycle, and might experiment with integrating that into my hw-independant image, to simplify my scripts.  i'm sure others could benefit, too.

Here is the link to the technet article on how to implement it and where to download dpinstsamples.zip.

http://blogs.technet.com/b/svengruenitz/archive/2008/07/02/driver-installation-and-updating-made-easy-dpinst-exe.aspx

I pretty much use it "as is".  I call the installdrvs.cmd from within my unattend.xml file in the audituser pass using the following command:

cmd /c C:\Drivers\InstallDrvs.cmd

I hope this helps.

Hi Jason,

You've started a really good thread here! In response to your particular query of automating the patch cycle I've posted our slightly modified microsoft windows updates script to Connect,

http://www.symantec.com/connect/downloads/vbscript-windows-updates

This is what we use before our sysprep and upload scripts to ensure our images are completely up-to-date. The download link should be active by Monday once Cheryl's checked it to confirm I'm not marketing my infamous "Intel Inside" silk boxer shorts.....

Kind Regards,
Ian./

Hi Jason, just curious as to what command your task contains to run thin installer. Is it a silent install ?

Joe.

Ian - it seems the whole post you linked to is locked (by you, it says) rather than just a download contained within.  but maybe i'm misunderstanding how connect works - is this not just a file attached to a normal forum/blog post?

Jason's (boy that sounds weird; as if i'm referring to myself in the 3rd person) link to technet was enlightening.  i don't know how i didn't find that in all my reading up on WAIK and such, when making my original win7 (even even xp) builds so long ago.  

and as a side note, I'd much rather have "intel inside" than "advanced micro devices" printed on my undergarments.  ;)  

Wow -Advanced Micro Devices!! I never thought of that. This is all mechandising gold I tell you!

As for the download, that will get authed when Ohzone awakes from her autumnal rest....

Jason -the windows updates script we use is now live on CONNECT,

http://www.symantec.com/connect/downloads/vbscript-windows-updates

This should enable you to fully automate your patch process.

Kind Regards,
Ian./