Prerequisites:
- Symantec Deployment Solution v6.9sp4 Installed
- PXE Server and DHCP Server running correctly in your environment
- WinPE as a PXE option
- Windows 7 WAIK installed on a machine other than the Deployment Server
- Symantec Notification Server 7.X with Patch Management Solution Installed
Links:
Windows 7 AIK - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en
REMEMBER: test imaging first without any patches. Once that is working correctly, add patches as needed, because certain patches can break an image (not permanently; they will just have to be removed from the Updates$ share).
Steps:
- Install Windows 7 WAIK from Microsoft’s site onto any Windows XP/Vista or 7 client box.
- Create a folder called Tools_v2 on the Deployment Server eXpress share, under the WAIK folder.
- Copy the contents of the directory C:\Program Files\Windows AIK\ on the client machine to the WAIK directory, renaming the folder Tools_v2.
- Install the version of Windows 7 on a system, to create our base image.
- Patch to the latest level. (This will be the last time we have to update the image: from this point on, all enabled patches are installed after the image is laid down, so no more quarterly security updates :)
- Modify all settings in the user profile to match how you would like the default user profile to look. Remember, we can change a lot of these after the fact; however, we would like to get as close as possible to the end result we want. REMEMBER: do not install either the dagent or the NS agent. We will do this post imaging, via the SetupComplete.cmd file (formerly known as cmdlines.txt). Now on to creating our unattend.xml file (formerly known as sysprep.inf).
- On the client machine with the Windows 7 AIK installed, insert your Windows 7 DVD and Launch Windows System Image Manager. We will now create our unattend.xml file (formerly known as sysprep.inf). DO NOT install the WAIK on the computer you are making the Windows 7 Image on.
- The main areas of the unattend.xml file we are concerned with are:
  - Generalize (Phase 3)
  - Specialize (Phase 4)
  - Out of the Box Experience, also known as OOBE (Phase 7)
Fig 1. Opening Windows System Image Manager
Fig 2. Adding Windows install.wim image
Fig 3. Choosing Windows 7 Image Type (Should be either Enterprise or Professional)
Fig 4. Create a New Answer File
Fig 5. Disable workstation from becoming a network browser
Fig 6. Disable workstation from becoming a network browser
Fig 7. Configuring Language Settings
Fig 8. Configuring Language Settings
Fig 9. Configuring Language Settings
Fig 10. Configuring Computer Name and Company Information
Fig 11. Configuring Computer Name and Company Information – Also put in KMS/MAK Key
Fig 12. Disabling EULA and configuring Network Updates and Location
Fig 13. Disabling EULA and configuring Network Updates and Location
Fig 14. Configuring Built In Administrator Accounts Password
Fig 15. Configuring Built In Administrator Accounts Password
Fig 16. Configuring Additional User Account (Required)
Fig 17. Configuring Additional User Account (Required)
Fig 18. Configuring Additional User Account (Required)
Fig 19. Enabling Remote Desktop
Fig 20. Enabling Remote Desktop
Fig 21. Enabling Automatic Domain Join for Computer Account
Fig 22. Enabling Automatic Domain Join for Computer Account
Fig 23. Enabling Automatic Domain Join for Computer Account
Fig 24. Enabling Automatic Domain Join for Computer Account
Fig 25. Configure Language for OOBE Settings
Fig 26. Configure Language for OOBE Settings
Fig 27. Configure Timezone for OOBE
Fig 28. Saving unattend.xml file to Desktop – Ignore warnings, as these are settings we did not set.
Note:
Phase 1 (WinPE) is not used, as the PXE Boot Disk Creator is what replaces this.
Phase 2 (Service Mode) is no longer used; this was for Windows Vista driver injection.
Phase 5 (auditSystem) is for adding drivers the old-fashioned way, by putting them in a directory. However, it requires another sysprep command after the machine boots into audit mode, which in turn requires the Altiris dagent to be installed in the image.
Phase 6 (auditUser) see above.
(9) Copy the unattend.xml file to the Windows 7 Base Image Machine, C:\Windows\System32\Sysprep\unattend.xml
(10) Copy the unattend.xml file to the eXpress Share\Sysprep\unattend.xml.
(11) Run the command C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown. After the computer has shut down, create a new machine in the Altiris DS console using the primary lookup key, in most cases the MAC address, as follows,
(12) Now create a “Create Disk Image” job to capture the image we have just created. Drag and drop this job onto the newly created machine, boot up the machine and make sure it PXE boots into WinPE. It will now capture the image to the eXpress share. NOTE: while I am using WinPE in this step, you can also use Linux PE, but for this step only. For distributing the image, we require 1.21 Jiggawatts, I mean, WinPE, to use the Microsoft utility, dism.exe, to inject the drivers and patches into the offline image.
(13) In order for patches to be automatically installed, we must create a share on our Symantec Management Platform Server (Altiris NS). So on the Notification Server with Patch Management installed, share the following directory, (Installed directories may vary, so change accordingly), C:\Program Files\Altiris\Patch Management\Packages\Updates, as Updates$
(14) Now that we have our image, we must start to create the directory structure for our drivers. On the Deployment Server, create the following directory structure under the eXpress share. REMEMBER: Windows 7 looks for drivers recursively, therefore these names are not set in stone.
\HWII
\HWII\Windows7
\HWII\Windows7\ModelNum
\HWII\Windows7\ModelNum\audio
\HWII\Windows7\ModelNum\misc1
\HWII\Windows7\ModelNum\misc2
\HWII\Windows7\ModelNum\misc3
\HWII\Windows7\ModelNum\misc4
\HWII\Windows7\ModelNum\sec1
\HWII\Windows7\ModelNum\sec2
\HWII\Windows7\ModelNum\sec3
\HWII\Windows7\ModelNum\net
\HWII\Windows7\ModelNum\video
\HWII\Windows7\ModelNum\wnet
(15) Download all drivers and extract each into their appropriate model\type folder, as created above. NOTE - this step may have to be revisited if after imaging a machine, not all drivers are present. This is a cyclical step, to be repeated until all drivers are identified for each model of the Hardware Independent Image.
(16) We will now create a custom setupcomplete.cmd file in the eXpress share, in the \Sysprep folder. You can also have custom setupcomplete.cmd files for each model, if need be; in this example, I did not require this. If you do need per-model files, you would have to modify the first script, REM Hardware Independent Script Portion. An example of the setupcomplete.cmd file is shown below,
C:\Windows\System32\msiexec.exe /qn /i C:\PostInstall\dagent.msi TCPADDR=192.168.1.212 TCPPORT=402 /norestart
(17) We will now create our job to distribute our Hardware Independent Image
(a) Create a Distribute Disk Image, pointing to the image created in step 12. Make sure to pick Windows PE as the boot environment. Also, my suggestion is to use x86, as it is more reliable for drivers.
(b) Create a Run Script; with the following code (Also, pick the same Windows PE boot environment as step A). You will want to edit the following lines,
(i) conExpressShare, if you change the default share letter
(ii) conUNCPath, the \\NSServer\Updates$ share
(iii) conUserName, username with rights to the above share
(iv) conPassword, password for above username
(v) conType, depending on whether this is an x86 or x64 image
(vi) conTempDirectory – Temp folder on the conExpressShare Drive
'Update Image with Current Patches
'vbscript
' Declare Constants
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const conExpressShare = "F:"
Const conDismLocation = "WAIK\Tools_v2\Tools\x86\Servicing\dism.exe"
Const conUNCPath = "\\192.168.0.215\Updates$"
Const conLocalDrive = "P:"
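' These credentials are stored in clear text in the job; the account only needs to read the Updates$ share
Const conUserName = "NET\madmin"
Const conPassWord = "password"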
Const conWinVersion = "Windows6.1"
Const conType = "x86"
Const conImageLocation = "D:"
Const conTempDirectory = "\Temp\"
Const conComputerID = "%ID%"
' Declare Variables
Dim objNetwork
Dim strComputer
Dim osShell
Dim intRC
Dim strDismCommand
Dim objFSO
Dim objFile
Dim objTextFile
Dim strFileLocation
strComputer = "."
Set osShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strFileLocation = conExpressShare & conTempDirectory & conComputerID & ".cmd"
' Check if File Exists
If objFSO.FileExists(strFileLocation) Then
    ' Delete File
    objFSO.DeleteFile strFileLocation
    ' Create File
    Set objFile = objFSO.CreateTextFile(strFileLocation)
Else
    ' Create File
    Set objFile = objFSO.CreateTextFile(strFileLocation)
End If
Set objFile = Nothing
' Open File For Writing
Set objTextFile = objFSO.OpenTextFile(strFileLocation, ForAppending, True)
' Map Drive to NS Patch Management Share
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive conLocalDrive, conUNCPath, False, conUserName, conPassWord
' Recursively Search Directories for all Windows 7 Patches
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * from CIM_DataFile where Drive= '" & conLocalDrive & "'" & " AND Name Like ""%" & conWinVersion & "%""" & " AND Name Like ""%" & conType & "%""" & " AND Extension = 'msu'")
' Write one dism command per patch into the batch file
' (objFile.Path is the folder holding the .msu, without drive letter or file name)
For Each objFile in colFiles
    strDismCommand = conExpressShare & "\" & conDismLocation & " /Image:" & conImageLocation & "\" & " /Add-Package:" & conLocalDrive & objFile.Path
    objTextFile.WriteLine(strDismCommand)
Next
' Last line of the batch file disconnects the network drive
objTextFile.WriteLine("net use " & conLocalDrive & " /delete")
objTextFile.Close
' Run batch file to update image (hidden window, wait until it finishes)
Dim objPatchProcess
Set objPatchProcess = CreateObject("WScript.Shell")
intRC = objPatchProcess.Run("cmd /c " & strFileLocation, 0, 1)
' Release objects
Set objFile = Nothing
Set osShell = Nothing
(c) Create a Run Script, with the following code (Also, pick the same Windows PE boot environment as step A)
(i) This script will need to be modified in the REM Get Production Name section for your particular environment. You want to map the model that Altiris DS reports to the name of the folder in which you stored that model's drivers. For example, an HP z200 Workstation is reported to Altiris as 0B40h. Therefore, I have a folder named z200, and the script has to change the model number to the folder name, as seen in the line, If %model%=="0B40h" set retrieve=z200
REM Hardware Independent Script Portion
REM Copy Dagent Installation to Drivers Share
mkdir D:\PostInstall
mkdir D:\PostInstall\Drivers
copy F:\Agents\AClient\dagent.msi D:\PostInstall\dagent.msi
REM Find Current Model
Set model="%#!computer@model_num%"
REM Get Production Name
If %model%=="3056" set retrieve=2140
If %model%=="1722" set retrieve=6540
If %model%=="30C0" set retrieve=6710b
If %model%=="30DD" set retrieve=6730b
If %model%=="09E8h" set retrieve=dc5100
If %model%=="0A60h" set retrieve=dc5700
If %model%=="2820h" set retrieve=dc5800
If %model%=="099C" set retrieve=6120
If %model%=="30AA" set retrieve=6320
If %model%=="30B1" set retrieve=tc4400
If %model%=="0B40h" set retrieve=z200
If %model%=="3048h" set retrieve=6000
REM Copy Over Needed Drivers
xcopy F:\HWII\Windows7\%retrieve% D:\PostInstall\Drivers /E /C /I /H /Y
REM Start Service Mode
F:\WAIK\Tools_v2\Tools\x86\Servicing\dism.exe /Image:D:\ /logpath:D:\PostInstall\dism.log /add-driver:D:\PostInstall\Drivers /recurse
REM Copy Over SetupComplete.CMD file
mkdir D:\Windows\Setup\Scripts
copy F:\Sysprep\setupcomplete.cmd D:\Windows\Setup\Scripts\setupcomplete.cmd
REM Tokenize Unattend File for Specialization Phase
REM ReplaceTokens .\Sysprep\unattend.xml .\Temp\%ID%.txt
REM Copy Unattend File for Specialization Phase
copy F:\Temp\%ID%.txt D:\Windows\Panther\unattend.xml /Y
(18) Add any additional tasks needed to install additional software. REMEMBER: if you want to follow best practices, you don't want anything in your base image, not even Microsoft Office, because then we never have to update this image, only the additional task. For different software builds, we then have a different job that starts off with the same first 3 steps as this one, but then adds all the additional tasks to install the required software.
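Added example, not part of the original article: the patch script in step 17(b) stores the batch file's return code in intRC but never checks it, so a patch that dism fails to add goes unnoticed. This Python check applies the same name filter as the script's WMI query to a list of .msu files and compares the result with saved output of dism /Image:D:\ /Get-Packages; the file names, KB numbers and DISM output below are constructed sample data.

```python
import re

def queued_kbs(file_names, win_version="Windows6.1", arch="x86"):
    """KB ids of the .msu files the patch script's WMI filter would select."""
    kbs = set()
    for name in file_names:
        low = name.lower()  # WQL LIKE matching is case-insensitive
        if (low.endswith(".msu") and win_version.lower() in low
                and arch.lower() in low):
            match = re.search(r"kb(\d+)", low)
            if match:
                kbs.add("KB" + match.group(1))
    return kbs

def image_kbs(get_packages_text):
    """Map KB id -> State from saved dism /Get-Packages output."""
    states, current = {}, None
    for line in get_packages_text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Package Identity":
            match = re.search(r"KB(\d+)", value, re.I)
            current = "KB" + match.group(1) if match else None
        elif key == "State" and current:
            states[current] = value
            current = None
    return states

def missing_patches(file_names, get_packages_text):
    """KBs that were queued for injection but are not in the offline image."""
    present = {kb for kb, state in image_kbs(get_packages_text).items()
               if state in ("Installed", "Install Pending")}
    return sorted(queued_kbs(file_names) - present)

# Constructed sample data: files on the mapped Updates$ drive and DISM output.
FILES = [r"P:\a\Windows6.1-KB9990001-x86.msu",
         r"P:\b\Windows6.1-KB9990002-x86.msu",
         r"P:\c\Windows6.1-KB9990003-x64.msu",
         r"P:\d\Windows6.0-KB9990004-x86.msu"]
DISM_OUTPUT = """Package Identity : Package_for_KB9990001~31bf3856ad364e35~x86~~6.1.1.0
State : Install Pending
Release Type : Security Update

Package Identity : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385
State : Installed
"""

if __name__ == "__main__":
    print("Not applied:", missing_patches(FILES, DISM_OUTPUT))
```

To use it on a real job, add a Run Script task after step 17(b) that redirects the /Get-Packages output to a file on the eXpress share and feed that file to missing_patches.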