
Best Practices for Standardized Desktop Images

Created: 09 Oct 2006 • Updated: 09 Oct 2006 | 16 comments
CondorMan

If there's a part in your job description that mentions desktop imaging, bookmark this article. Now. Frequent contributor CondorMan picks up a slew of imaging best practices and lays down how you can use those tools on your belt to make it all happen.

This document accompanies the Best Practices for Standardized Desktop Images Presentation. It is intended as a guideline to creating a Standard Image and will introduce you to the methods you can use to create a Hardware Independent Image including HII Tools and the Altiris Hardware Independent Imaging Best Practices Document.


Deployment Server makes it possible to create and deploy disk images to similar hardware. With a little extra work, you can easily create and deploy disk images to any computer regardless of hardware. You will need to prepare your Deployment Server to create and distribute Hardware Independent Images; this must be done only once. Once you have done this, you can create and distribute these Images from any computer to any computer.

This document focuses on creating and distributing a Standardized Desktop Image. However, you can use Hardware Independent Images for the following scenarios and more:

  1. Create a hardware independent backup of any workstation.

    1. You will be able to restore this backup to any replacement laptop, workstation, or server without regard to hardware.

  2. Upgrade a server or workstation with minimal down-time.
    1. Order a more robust server, take a hardware independent image of your old server, and deploy it to your new server.
    2. Often, when the boss orders a new computer, his old one is sent down the chain. With these methods, you can take an image of the boss' old computer (it's just the way he likes it) and deploy it to the new one, then do the same for the person who inherits the old computer.

This document has an accompanying Presentation that you can download here.

Step I: Prepare to Create and Distribute Hardware Independent Images.
  1. Install the latest version of Deployment Server 6.8

  2. Prepare Deployment Server to Create and Distribute Hardware Independent Images using one of the following options:
    1. Altiris Hardware Independent Imaging Best Practices Document is the officially supported method of creating Hardware Independent Images. You can find it here.
    2. HII Tools was written as a proof of concept by an Altiris employee. It may be used as a prototype, but is not supported by Altiris. [The tools are not currently available; e-mail to request notification of updates to the tools.]
      Note: The rest of this document assumes that you are using this option. You may need to alter your steps if you use one of the other two options.
    3. Altrinsic Solutions' Hardware Independent Imaging Solution (HIIS) has not yet been released, but you can find information here.
  3. If you want to be able to change your Administrator password without re-creating your images, do the following.
    1. When you install the OS on the source computer, leave the Administrator password blank.
    2. To supply or modify the Administrator password for Windows XP or 2003, using Encryption.
      1. Extract \\<YourServer>\Sysprep\DotNet\ and run setupmgr.exe
      2. Choose to Create New, Sysprep setup, for any version, do not fully automate the installation.
      3. Go to the Administrator Password section, choose Use the following, enter your password, and check Encrypt the Administrator password…
      4. Click File, Save, choose a location to save your temporary sysprep.inf file and click OK.
      5. Open the temporary sysprep.inf file in Notepad, select the line that begins with AdminPassword= and copy it to the clipboard.
      6. Edit the Sysprep.inf file that was created when you followed the Quick Start Guide in Step I.2. Replace AdminPassword=* with the line that you copied into the clipboard in the last step. Save the file.
    3. To supply or modify the Administrator password for Windows 2000, XP, or 2003, without using Encryption.
      1. Edit the Sysprep.inf file that was created when you followed the Quick Start Guide in Step I.2. Find the line that begins with AdminPassword= and replace * with the desired password. Save the file.

  4. Deployment Server includes default Sysprep.inf files that use information in the Database to configure the computer. The files are located in the eXpress share under Sysprep. You can modify them with any token. For example, if you want the computer name to be WS-<SerialNumber>, you could replace %COMPNAME% with WS-%SERIALNUM%. For a list of tokens, see Deployment Solution Reference Guide, page 500.
  5. Collect the drivers* for each device in your environment into your Driver Library. You have three options to do this.
    1. Run the Capture Drivers for Hardware Independent Imaging job on computer(s) that already have the appropriate drivers installed.
    2. Download the drivers from the device manufacturer's website, extract each driver into a unique subfolder under "<Deployment Server Install Dir>\HII\Manual Driver Collect\" and then run "Manual Driver Collect.bat."
    3. If neither of these works, you must use a Run Script or Distribute Software task to install the driver after the image has been deployed.
  * You must collect drivers for hardware before deploying images to computers with that hardware. You must re-create the image to support new Mass Storage Drivers.

Step II: Create your Standard Desktop Image
  1. Install your operating system.

    1. Slipstream Service Packs, Hotfixes, and Update Packs to reduce the resulting size of the OS. This can be easily done using nLite*.
    2. Remove unused components to decrease the file size† and memory requirements‡. This can be easily done using nLite*. Be careful when doing this: it is possible to remove too much and end up with an OS that is incapable of running your applications.
    3. Do not join the source computer to a domain. When the image is deployed to the destination computer, Sysprep can join it to the domain.
    4. Do not install any additional drivers. Drivers will be dynamically installed during the image deployment to the destination computer.
    5. Tweak the OS to conform to your company's desktop standard. This can be easily done using nLite*, via Active Directory Group Policy, or manually.
      1. Change the Driver Signing Policy to Ignore.
      2. Disable the Antivirus Alerts if you plan to manage antivirus at a corporate level.
      3. Disable the Windows Firewall and Alerts if you have a corporate Firewall.
      4. Disable Automatic Updates and Alerts if you plan on updating Windows via Deployment Server or Patch Management.
    6. If you would like to provide the Administrator password in the sysprep.inf file so that it can be changed later without re-creating your image (recommended), leave the Administrator password blank on the source computer. See Step I.3 (page 1) for instructions on supplying the Administrator password in the sysprep.inf file.
    7. Optionally: Build an Unattended Install to save time and reduce the chance of error when you need to rebuild your Standard Desktop Image. This can be done using nLite* or Deployment Server's Scripted OS Install Wizard.

    * nLite is a freeware tool that will add updates to and remove unwanted components from your Windows Setup files. nLite can then create an Attended or Unattended Install CD for you. Go to for details.

    If you use nLite, be careful to test the resulting configuration because removing some components can make your OS incompatible with some applications and/or provide unwanted results.

    † I was able to get the size of Windows XP down to 400MB and Windows 2000 down to 250MB installing minimal components using nLite.
    ‡ I was able to get the memory usage of Windows XP from 73MB down to 49MB and Windows 2000 from 47MB down to 33MB installing minimal components using nLite.

  2. Install your applications.
    1. Only install applications that are required for all computers in your company. You can install other applications after the image deployment departmentally or individually.

      You may want to exclude all applications and install all applications as Distribute Software tasks so that you don't need to update your Master Image as often.
    2. Install AClient.
    3. If you use Notification Server, you can install the Notification Server Agent now.
  3. Finalize the source computer.
    1. Review everything to make sure it is configured correctly.
    2. Reboot the computer to make sure all pending file writes are made.
  4. Capture the Image.
    1. Use the Create Hardware Independent Image sample job to capture your image. You may make a copy of this sample job and modify it to suit.

  5. Create Distribute Software jobs/tasks for the applications that are not installed as a part of the Standard Desktop Image.
    1. Use the application vendor's Silent Install option if one is available and feasible.
    2. Otherwise, you can create a silent installer for any application using Wise SetupCapture. See KB Article #20052 for details.

Step III: Distribute your Standard Desktop Image.
  1. Distribute the Image.
    Use the Distribute Hardware Independent Image sample job to distribute your image. You may make a copy of this sample job and modify it to suit.

    You could use this job with existing clients or with new computers using pre-defined computers or initial deployment. If you use a pre-defined computer, you must ensure that the information for all tokens in the Sysprep.inf file exists.
  2. Distribute additional applications.
    Run the Distribute Software jobs/tasks created in Step II.5 (page 4) to install applications that are not installed as part of the Standard Desktop Image.
  3. Distribute PCT Package.
    If you have a PCT Package for this destination computer, distribute it now.
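
An added example (not part of the original article or of Deployment Server): a Python check over a Sysprep.inf for two points made above, whether the Administrator password from Step I.3 is stored encrypted, and whether every token has a value for the destination computer, as Step III.1 requires for pre-defined computers. The sample file, the computer record and the function name `audit_sysprep` are constructed for illustration; `EncryptedAdminPassword` is the Windows unattended-setup key that marks the `AdminPassword` value as encrypted and is not mentioned in the article.

```python
import configparser
import re

# Matches the simple %NAME% token form the article shows (%COMPNAME%, %SERIALNUM%).
TOKEN_RE = re.compile(r"%([A-Z][A-Z0-9_]*)%")

# Constructed sample Sysprep.inf (illustrative values only).
SAMPLE_INF = """\
[GuiUnattended]
AdminPassword=Winter2006!

[UserData]
ComputerName=WS-%SERIALNUM%
FullName=%NAME%

[Identification]
JoinDomain=%DOMAIN%
"""

# Constructed database record for one pre-defined computer; DOMAIN is absent.
SAMPLE_COMPUTER = {"SERIALNUM": "ABC1234", "NAME": ""}

def audit_sysprep(text, token_values):
    """Return findings for one Sysprep.inf checked against one computer record."""
    inf = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True, delimiters=("=",))
    inf.read_string(text)  # option names are lower-cased by the parser
    findings = []
    gui = next((inf[s] for s in inf.sections() if s.lower() == "guiunattended"), {})
    password = (gui.get("adminpassword") or "").strip('"')
    encrypted = (gui.get("encryptedadminpassword") or "").strip('"').lower() == "yes"
    if password == "*":
        findings.append("AdminPassword=* leaves the Administrator password blank")
    elif password and not encrypted:
        findings.append("AdminPassword is stored in clear text")

    # Tokens with no value, or an empty value, for this computer are reported.
    known = {name.upper() for name, value in token_values.items() if value}
    for section in inf.sections():
        for key, value in inf[section].items():
            for token in TOKEN_RE.findall(value or ""):
                if token not in known:
                    findings.append(f"[{section}] {key}: no value for %{token}%")
    return findings

if __name__ == "__main__":
    for finding in audit_sysprep(SAMPLE_INF, SAMPLE_COMPUTER):
        print(finding)
```

Running the check against each Sysprep.inf under the eXpress share before a deployment job catches a clear-text password or an unfilled token before it reaches the destination computer.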

Comments

riva11

Really well done document. Also, the nLite tool is really useful to remove all Media Player, Outlook Express and Messenger files that are not part of IT applications approved by the corporate policy.

therefreshments

Looks like there isn't much that Altiris can't do. There is a definite market for creating Independent images, and any easier way would make it easier on those of us who do the imaging process.

jsjj01

We have been looking at switching our imaging process and this will definitely make the Altiris solution easier to sell to management. Thanks for your work on this.


jgo

Great article. Remember that Win Driver Ghost is also a great way to pull drivers from various destination machines.

John Golembiewski
Midwest Practice Principal
ITS Partners

sholcomb

Hi Condorman....Great article; thanks! Just wanted to update that HIIS has been released since the beginning of the 07 year and is just getting ready to release a new version with single driver instancing and a lot of great new features (including handling of mass storage controllers). Find out more at or




ropree

Most of you may already, but there is a GREAT software out there which will allow you to build ONE image for multiple hardware. When I say multiple hardware, I mean multiple hardware (you can put the same image on all models of Lenovo, Dells, desktops and laptops).

This is how it works:
1. Build your image on the latest hardware you have.
2. Make a sysprep file; don't run it just yet...
3. Install this magic software (at this time it will call for the sysprep file).
4. WhaaaLaa, you have one image that you can throw on any hardware platform....

So what is this magic software - UIU. Here is the link:

Hope this helps someone out there...we have used it for about 2 years now....


mlkoziol

I have seen this process for a single image; the only issue with it is time. Applying the drivers after a base OS is adding time to the end result. May not mean anything in the field, but may mean something to the hardware deployment facility with your company.

Magnum45

So the best method I assume is to leave all drivers off of the base image. What should I do about the network card driver? It has to be installed in order to see the DS, right?

If that is true then where should I install the NIC card from?

Is there any way to boot to PXE and run the image capture job with no NIC driver installed?

Thanks for any advice!

Never mind, I found all my answers here -->

jebba

I don't think you want to install the Notification server agent into the image unless you know how to remove the Guid before you capture the image.

cwitter

You could also create a standard image using sysprep and then call another job with separate conditions for each hardware type's drivers. This would allow you to push just the image down without anything else if you wanted. I wouldn't recommend, however, installing any agents into the image, as it's more difficult to update them as the image gets older. An applications job after sysprep runs will take care of it. It can also be easily updated as agent version and configurations change.


CondorMan

There should not be any problem installing the Altiris Agent to your base image since AClient removes the GUID as it prepares for imaging.

However, I strongly recommend that you do not install any sub-agents to the base image since you will want them to install based on the collection(s) the destination computer ends up being a member of.

Keslaa

How do you incorporate the SATA drives into the base image? I have run into an issue that required me to build a separate image for our Dell E-series laptops.

One thing I found with using nLite on this image, I was required to slipstream in the SATA drivers and because of that, the post image boot could not find many of the files located in C:\I386. Instead, I created a separate I386 folder under Sysprep containing just the .DLL and other files Windows couldn't find.

CondorMan

Deployment Server 6.9 SP1 and SP2 include DeployAnywhere, which will install Mass Storage and NIC drivers after the image has been deployed and before it boots into Windows.

Sean_Ebeling

Thanks a lot!!!


chris.vanderlinden

If you slipstream the drivers of say the video card / chipset / sound card / wifi adapter into the base image CD, it will actually carry over for any future Deploy tasks via DS.

IE I used nliteOS to add all the dell drivers every PC in my office needs, and then used that XP install as my base image... When I go to image any of my PCs the drivers get picked up and I don't have to worry about creating more jobs to install specific drivers for each type of hardware. It increases the image size, but we are talking maybe 400-800MB at most, which IMO is well worth it.

JuniorDS

In regards to having the agent in the base image, while building the image, we install the agent and then stop the agent service before it gets a guid.  Just make sure it is set to automatic so when the imaged pc is booted for the first time, after mini-setup has run, the service starts and gets a guid for the pc it is on.
