Deployment and Imaging Group

Is it possible to upload the base Windows 10 Pro volume license ISO and create an image deployment job around it in Altiris 7.6 HF7?

We want to use a base OS with unattended.xml for automation along with driver injection to keep the images HW agnostic. Post OS installation we would use our current set of application jobs to install depending on need software.In addition adding a WinPE 10 mode for PXE.

I am used to creating a cloned PC to capture my gho image from to make a deployment image and using the client with boot automation folder. 

You could do a scripted OS install with the Windows volume license ISO files, but to my knowledge you still need to make a base image (with your tweaks, if needed) and then capture it if you want a unified image. We deploy Windows 7, *8.1 and *10 (*Surface 3 and 4 hybrids) that way utilizing PXE instead of boot folders. We build a base image and then capture with the built-in tasks used for image prep and capture. Works well for us.

Can you explain a little more? I see where I can upload OS Files (states i386 or AMD64 and i386 folders? not sure about that). As for the base image you are stating I need the OS files and to capture from Audit mode a gho image in order for the deploy job to work?

Where did you go to create the PXE network boot?

We have been testing out different products and Kace allows just the unpacked ISO to push an image with. 

As tloenhorst pointed out, the answer is yes, but you should understand the limitations behind using SOI as your sole method of provisioning computers. 

When you use SOI as your provisioning method, you are not taking advantage of the delivery methods of the data leaving the site server and received from your clients (unicast vs multicast). This will, in turn, limit in the number of computers that you'll be able to provision simultaneously.  Additionally, you'll find that while you may be getting a "fresh" copy of Windows, you're also going to increase the traffic for all of the necessary patches to bring it up to date. 

You could (and should) use SOI for building the golden master. This would require you to import the sources from the ISO. If you are using MAK's you'd also add a coresponding key in the OS Licenses. If you are using a KMS, us can also add the KMS key here too. By importing your hardware-specific PNP drivers in the DeployAnywhere tab of the Driver Management page, you can enable yourself for hardware independent imaging for BOTH SOI and monolithic imaging.  You'll find that not all drivers from your manufacturers are PNP. In those cases, it would be wise to create tasks (I use the Copy File task specifically for this. For user software deliveries, I use the Quick Delivery task. For example, Dell audio driver would be delivered to the computer based on model and I would use a Copy File task, but for delivering 7-Zip, I'd use the Quick Delivery task). 

As a quick snapshot on how to efectively use DS7.6, you could use the following as a guideline:

1. Job to create computer - This would be a scripted OS install (SOI). Add additional tasks to add base software that would be common to all of your computers. YOu could also add basic tweaks that wouldn't be undone by a sysprep operation. 
2. Job to back up computer - This would be a simple job with: boot to PXE or Automation; create image - Backup; boot to Production. You'd do this to create a snapshot to come back to when it is time to refresh your image (quarterly). 
3. Job to capture computer - This would be a simple job with 3 steps: Boot to PXE; create image - Image; shut down
4. Jobs to deploy image (initial, redeploy, migration) - You'd create your varying jobs that will refer to the captured image. You can then add "above base" applications specific to the user/department and finish the configuration. In the deploy image task, you can check the box to use DeployAnywhere. 
5. Job to decommission - This is a useful job to have to take a computer down before retiring. It could be: Boot to PXE; erase disk; shut down. You could also create a job that puts a factory image back on the computer if you choose to sell the computer. 
6. Job to restore a backup - This job should restore the backed up image, which would give you a base to start from to refresh the image. Once you restore the image to a computer, you'd then refresh/update your software and then pick back up at step 2. 

 I hope this was helpful. 

Do you know if there is a way to deploy Windows 10 using ITMS 7.5 or can it be deployed using only 7.6?

When you are importing your sources, you'd select specific parts of the ISO.

For your purposes, you'd select the folder called "sources" within the Windows 10 ISO and not the root of the ISO. 

You will need to roll out the NBS to at least one site server to be able to utilize PXE or BSDP. 

The process of importing your source files is typically done only once or when you get a newer version of your sources. 

When you are installing ITMS/CMS/SMS, and you plan to use DS, you will need to import a preboot environment (PE). Once it is imported, creating the PE to be delivered via PXE is a simple process, which I will explain further in this post. I will assume you haven't imported a PE. 

You will need to perform this step while logged onto the Notification Server (NS). 

Open the Symantec Management Console as an admin.

From the Setting>Deployment>Manage Preboot Configurations you may see a message stating that you need to import WinPE. (ITMS/CMS/SMS only distributes a linux preboot environment. Microsoft longer allows us to distribute WinPE directly with our installer.) If you have not imported WinPE, you should see 2 messages at the top of the window. You would start with selecting a version of WinPE that you'd like to use. For your case, you'd select WinPE5 - this will work with Windows 10. Once you do, you will have a link that will direct you to install the appropriate version of Microsoft's ADK using the options noted in the message in the yellow box (Deployment Tools and Window Preinstallation Environment). As you are downloading and installing, close the Symantec Management Console. 

Once the ADK is installed, you would then reopen the Symantec Management Console and return to the Manage Preboot Configurations window. You should notice that the second link will now be enabled to import the WinPE environment. Click it and follow any prompts. The import process can take 30+ minutes. 

You can monitor the progress of the import process by watching the Task Manager. You may notice a process called bootwiz running. It will run and close several times. 

Once the import is complete, you can now create a PE for PXE. 

The rest of these operations do not need to be performed from the NS and can be performed from any computer that has access to the Symantec Management Console. 

Open the SMC and return to the Manage Preboot Configurations page. 

Click the Add button

Give your PE a name. i.e. My_WinPE5

Select the operating system (WinPE 5.x)

If you need the ability to lock the keyboard and mouse, check the checkbox. 

Then select the type of PE you want to create. If you are new to DS, just select PXE and then click OK. 

As you are returned to the Manage Preboot Configurations page, you will need to click save. 

Once you save, the process is then sent to your site server that is hosting the NBS to build the PE's. Again, this process can take about 30 minutes. Once bootwiz completes on the site server, you can then configure the NBS General Settings to respond to computers via PXE. 

Jesse did a fantastic job explaining the processes involved and the differences between Scripted OS Installs (SOI) and have a master (unified) image. An SOI is essentially a semi-automated installation of Windows every time. It isn't an "image". It CAN be fully automated with other things like custom computer naming, domain joining, etc, but a singular Ghost image is like pressing a record (remember those?) or CD. The master is used to press a copy every time and it is the same every time.

All of the related OS patches can be already installed into an image so you don't have to patch so much after every SOI install. How many patches did you have to deploy to Windows 7 the last time you installed Windows? A lot! Plus, as Jesse stated, you can do more deployments simultaneously.

Once PXE (called NBS in the Altiris console) is set up we use an IP helper on the network switch on our network to send any PXE requests (F12 in many BIOS setups) from workstations to the NBS services on the Altiris server. That's a big part of it. Once you get that set then sending an image with post-installation tasks, etc, is easy.

Hope this helps.

Yes, but it isn't as easy (or necessarily supported) until you go to 7.6. We are on 7.6 HF6 and are working with Windows 10 quite nicely.

Thank you for the great overview, is there a 7.6 HF7 best practices and examples that show the steps of how to setup basic versons of these jobs?

Tloenhorst is there a quick and dirty guide to setup a way to capture the OS image and how to patch update the OS to keep the post install tme down?

Howdy...here's how I do it....

Install Windows and make any tweaks, install all needed patches.

• In the Altiris console create a "Run Prepare for Image Capture" task and then a "Create Image" task. I also Create a "Boot To" task to boot into Production
• Create a Job with above tasks in that order (Run...Create...Boot to...)
• Run the above job on Master Image

I never use Audit Mode for sysprep. Others do, but I have seen no further need for it for my builds...YMMV.

The above will prep the master image for capture by sysprepping and cleaning up any GUID info in the registry so any subsequent images won't have duplicate GUIDs.

See screenshots. Prepare, Create, Boot.

As your environment ages...more and more patches will come out for Windows, Office, etc...

If you use Patch Management in Altiris you can accelerate the post-imaging patch process by running the patch cycle using a command line script...

"C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /I /C /q
choice /C X /T 1500 /D X > nul
"C:\Program Files\Altiris\Altiris Agent\Agents\PatchMgmtAgent\AeXPatchUtil.exe" /q /C /Xa /reboot

This runs the patch cycle on the endpoint (if you have patch policies enabled and running) with a 25 minute pause in between scanning for patches and installing them. This is a unique time frame for our environment and might need to be tweaked for yours depending on how often you do Resource Membership Updates in Settings>Notification Server>Resource Membership Update.

When it comes time to refresh the image you can get more patches wrapped up into the image moving forward.

Does anyone have a way to setup the Win10PE PXE and automation boot? 

Try this and look at Chapter 4 (page 94):

http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/DOCUMENTATION/5000/DOC5678/en_US/Symantec_Deployment_Solution%207.5%20powered_by_Altiris_User%20Guide.pdf

It is a lot to read, but should guide you.

Is that a server or client job?

Really appreciate the help

Client job only.

We use WSUS to update our deployed devices, I was more inquireing about how to keep your master image uptodate with patches to limit the deployment time.

The WinPE10 version is not technically supported in the platform. WinPE5 should provide the necessary tools to image a Win10 computer. Is there a particular feature that you are trying to use from the WinPE10 environment?

With regards to a start to finish resource, please see the following: https://www-secure.symantec.com/connect/articles/putting-it-all-together-deployment-solution-71-landing-page

A colleague of mine made this and while it is for 7.1, it is still relevant and gets most people up and running quickly. 

As far as sample jobs for my outline, I'll take some screenshots of my personal lab environment. 

Is it ok or best practice to capture an image with the altiris client installed? 

I have had bad experiences with 7.1 and the client would check in once and you would have to manually refresh or re-install to the local computer.

Yes, you can and in fact you have to have it installed when you run the Prepare for Capture Task. That task will run sysprep, take care of cleaning up the registry, etc so you won't have any duplicate GUIDs in the console. Duplicate GUIDs are not fun to clean up.

There is a way to manually clear specific registry keys and then run Syprep manually, but you need to know exactly what you are doing to be successful. I don't recommend it unless you know exactly what you are doing. Best to use the built in tasks.

The best case is to install windows and get it set how you want it with patches, tweaks, etc. Then install the agent and make sure all the sub-agents also get installed. Then you can Prepare, capture and deploy with the built in tasks in the console.