Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

Imaging Windows 7 computers daily

Created: 25 Aug 2011 | 11 comments

I am the Net Admin for a public library. We like to have our public PC's work as much like home PC as possible, which means I try to not cripple them with unnecessary security measures. It has been my practice to simply reimage every public machine every night using Altiris 6.9. When updates are due, I simply update one machine, create a new image of it and then use that image to send to all the other machines.

I have just recieved new Windows 7 computers to replace my Public PC's but from what I'm reading, even with a volume license, Windows 7 will not allow me to push an activated image to coomputers without requiring re-activation. Is there a way, or is there a version of Windows 7 that I can relialably reimage daily?

Comments 11 CommentsJump to latest comment

bhawver's picture

It depends on how the image was originally taken.  You really need to sysprep it if you are putting it on multiple machines.  Also it will depend on your license as well.  Do you have an EA or other Volume license agreement?  If so, you would be able to use either the KMS or MAK keys.  In your environment, it would probably be best to use KMS and have a machine on the network that doesn't have to be reimaged daily that would serve as the KMS activator.  The key here would be to keep track of how many licenses you have vs. how many licenses you have deployed.  If you go over your allotted licenses in your agreement, you will need to true up with Microsoft.

Another option that we have come across may be an easier solution for your environment would be to use a product called Baseline Shield (http://www.eazsolution.com/en/baselineshield.php).  This would allow you to be as open as you are currently (security-wise) but still be able to reset the computer back to a baseline everyday, or even every reboot.  We currently are using this in our classrooms and it works great.  It even comes with a free network console to be able to manage all of them remotely and all at once.  They give you a trial for free from their website, it might be something you can look at and save time.

DISCLAIMER - I don't work for EAZSolution, nor do I have anything to gain from it if you were to purchase this product.  It's just something I've used and has helped me in the past in a similar environment.

Brian Hawver
Systems Engineer
Yaskawa America, Inc.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

KPuffer's picture

I am familiar with Faronics Deep Freeze and use it in some places, but I have never tried "Baseline Shield" and will have to do some research to see how it compares. I know with the Faronics product, it gets squilrly if you try to deploy an image with Deep Freeze installed. The safest deployment is to deploy the image and then run the install through a post-script. I understand that using a product like Baseline Shield eliminates having to deploy an image every day, so I think I will investigate using this tool a little more.

I am still unsure about how Windows 7 will image using my MAK license key. I haven't actually got an image to work yet; I keep finding out things I should have done but didn't. like creating the image before activation. Also, I'm deploying to HP desktops which have two additional partitions on them and after I send the image DS get's confused with drive letters (I think) and Windows says it's broken and requires the DVD to repair before it can start. I'm still working this out too.

What I'd like is for someone who regularly deploys Win 7 images to offer a chronological series of steps to image a win 7 desktop mulitple times with a MAK license.

Thanks again bhawver for your suggestions.

Tim.Jing's picture

Doesnt this mean he will never exceed the 3 day trial period?

Thomas Baird's picture

Awesome idea...  I don't think MS would be pleased though...

Thomas Baird
Looking for opportunities
(translation: unemployed!  LOL)
Yes, able to help people beyond the forum if need be.

 

Thomas Baird's picture

Keep in mind that, though you can do this still with Windows 7, you have to be creative.

What we suggest is that you have a base system image - call it version one. Capture it.  Then update it, now it's version 2.  Deploy that.  Restore Version 1 to the base system.  Update it.  Capture it - new version 2. Deploy that.  Restore Version 1.

See how that works?  Each time, you revert to version 1 which has only been captured 1 or 2 times depending on how the thing counts up, and each time it wont exceed the image count that MS supports.

Make sense?

Thomas Baird
Looking for opportunities
(translation: unemployed!  LOL)
Yes, able to help people beyond the forum if need be.

 

KPuffer's picture

So Thomas are you saying:

Get a new Out-of-the-box image up and running

Add my software, preferences, additions, etc. but not activate it.

Sysprep it, & Create image 1

Deploy it to my clients and  activate it on each client.

 

Later, when I have to update the clients:

Update the original unactivated image.

Sysprep it, & Create image 2.

Deploy it, and Activate it on my clients

Then restore image 1 for the next upgrade?

Thomas Baird's picture

Does that actually make sense to you?  This is how you avoid the 3-strikes thing.  Since MS no longer lets you apply Sysprep as many times as you want, so long as you keep restoring the one that has only 1 use of Sysprep, then your images will always beon the 2nd application of it.  It's a bit of a pain, but it works.

 

OH  except for one other problem.  <sigh>  I didn't realize that the baseline will always be short ALL of the newly added "stuff".  RATS.

 

oh yeah!  I remember now!!!!!!

 

The first time you image, you do a Backup image.  That way, you're not applying sysprep.  I'll put a new process in here now.

 

  1. Create baseline from fresh installation of Windows 7.
  2. Add all software until it's ready.
  3. Make a Backup of it (not using Sysprep)
  4. Apply Sysprep and capture an image.
  5. Deploy Image
  6. Next time you have an update, restore the Backup (pre-sysprep) to the original system.
  7. Add software
  8. Run a Backup again (no sysprep) for the new Baseline.
  9. Apply Sysprep and capture the image
  10. Deploy the image.

OK - so there are a few more steps, but the Backup image, as long as it's always on the same source system, will work just fine and never have the Sysprep "strike" applied to it.  Fully legit.

Does that help?

Thomas Baird
Looking for opportunities
(translation: unemployed!  LOL)
Yes, able to help people beyond the forum if need be.

 

bhawver's picture

Another way around this if you are dealing with OEM Windows 7 and not volume licensing (i.e. EA or Select) and also depending on how many machines you are talking about, you could have a separate image for each machine.  If the hardware never changes, it should theoretically never have to re-activate, and the count would never increase.

If you have a volume licensing copy, just set it to KMS and you'll be fine if you image it daily.

Brian Hawver
Systems Engineer
Yaskawa America, Inc.

Connect Etiquette: "Mark as Solution" those posts which resolve your problem, and give a thumbs up to useful comments, articles and downloads.

jcbazemore's picture

For you build machine, use the SkipRearm command in the unattend file used for sysprep.  This allows you to update and capture an image machine as often as necessary without running into the 3 count issue.  As you push the image out to machine, you can activate windows individually either through the unattend file or using setupcomplete.cmd, another windows tool.  We have used this process successfully since we started rolling out our Windows 7 computer lab images.  The benefit here is being able to use the regular MS tools and no extra cost.  

We do use DeepFreeze on our iMac machines and it works quite well for maintaining them without having to update the build, so a solution like that might provide extra benefits to you.  Here's an article that discusses the SkipRearm as well as steps for creating the Default Profile in Windows 7: http://www.minasi.com/newsletters/nws1005.htm

KPuffer's picture

Thanks for all the help. I am migrating my DS 6.9 to a new server, dumping 7.1 for now, and I will experiment with these suggestions once I have a stable platform to work from. Thanx Again

Benjamin Fuller's picture

Although I agree with many of these answers - I would like to address the reasoning for re-imaging the machines in the first place and provide one more solution you perhaps have not thought about.

Microsoft (Windows) has a couple of programs that could make things a lot simpler for you to ensure the same experience of a clean image is given every time someone signs into the machine.

One of them which you should consider first is Microsofts (Built In) PC SafeGuard.

How to set up PC Safeguard:

1. Click to open Manage Accounts. ? If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

2. Click the user account picture for the account you want to change.

3. Click Set up PC Safeguard. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

4. Click Turn on PC Safeguard.

5. Click Apply. 

 

Then I would consider utilizing GPO if this doesnt cut it for you and you would like to allow more functionality or personalizations:

http://technet.microsoft.com/en-us/library/gg176673(WS.10).aspx

 

Let me know what you think!

You break IT, I fix IT!