Introduction
We are well on the way with Windows 7 deployment to our client computers, but it took us quite a bit of time to get our image deployment process working as we wanted, given the diverse computer hardware and software we have.
In this article I will share my experience with Windows 7 image deployment and explain the reasoning behind the decisions I made at different stages of deployment.
This article is based on Deployment Solution 6.9 SP4 and Windows 7 Ent x86 SP1.
This is by no means a universal guide, but hopefully it will help you to make a working solution for your environment. This is a long read, so please take your time.
I wrote it trying to explain every step, so it will be easier if you replicate my settings in your environment. All referenced files are attached in the correct folder layout (see mydata.rar).
There are a few articles on Symantec Connect covering different parts of Windows 7 deployment, but I wanted to create an article that will help someone from start to finish.
We currently run Deployment Server 6.9 SP4.
We use DS purely for image deployment and initial installation of standard applications.
We use NS for everything else as it offers a great deal of flexibility and feedback.
For simplicity I will talk about an environment with a single deployment server; in future articles I will show how we configured our Deployment Servers across multiple sites.
In this article I will talk about:
Part 1: Configuring DS for Windows 7 deployment
Configure WinPE preboot
Create additional folder \MYDATA in the express folder
Part 2 Create Master Windows 7 image
Imaging tool
Single image
Imaging process logic
Building the master image
Create Image with Deployment Server task
Part 3 Sysprep answer file (unattend.xml)
Part 4 Image deployment
Part 5 Drivers installation: LAN and other devices
Part 1: Configuring DS for Windows 7 deployment
I assume you already have your deployment server built and configured. Below are the additional changes I have done to DS for Windows 7 deployment.
Configure WinPE preboot
When configuring WinPE, make sure that your express share is mapped to a high drive letter such as Z, so there are no conflicts later when WinPE assigns drive letters to a hard disk with multiple partitions.
We use Altiris WinPE 2.1 (shipped with DS 6.9 SP4) for production image deployment and DOS for tasks we perform manually.
Please note that WinPE 2.1 is based on Windows Vista, and any additional drivers for WinPE will have to be Vista drivers (if Windows 7 drivers don’t work).
Install WinRAR
WinRAR creates self-extracting archives and allows you to extract data from compressed driver packages without installing the actual driver. You can try 7-Zip, but WinRAR is my preferred tool.
Create additional folder \MYDATA in the express folder
I use this folder to store: image files, software packages, executables, scripts and drivers. It allows me to have all my custom data in one location and I can replicate, backup/restore it very easily.
The MYDATA folder looks like this:
Agents
In this folder I have all the executables and configuration files for my environment. I deliberately put them here, so I can guarantee consistency of the deployed agents and use the same deployment job on other Deployment Servers.
dagent.bat: script to install DAgent during sysprep
The listing is below; I will show where it is used later.
REM Create the DAgent folder and copy in the agent configuration file
mkdir "C:\Program Files\Altiris\Dagent"
xcopy C:\Windows\Source\aclient.inp "C:\Program Files\Altiris\Dagent\"
REM Install DAgent from the local source with a basic UI
msiexec.exe /i "C:\WINDOWS\Source\dagent.msi" /qb
exit
where
dagent.msi: DAgent installation file, shipped with DS
dagent.inp: configuration file for the DAgent installation. There is a specific file for each Deployment Server; they differ only by the DS IP address.
Please find an example attached.
Folders are named after the DS NetBIOS name, so we can use the token %DSSERVER% later.
It is possible to have one template dagent.inp file and then tokenize it; I just have not done it yet.
DISM
The DISM utility is located in the WAIK installation folder (Program Files\Windows AIK\Tools\Servicing). I use it to integrate updates, and it can also be used to pre-stage drivers into an offline Windows 7 image. I have copied the Servicing folder and renamed the copy to DISM.
You can find WAIK here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696DD665-9F76-4177-A811-39C26D3B3B34
You can find more information about using DISM for driver integration here:
http://technet.microsoft.com/en-us/library/dd744355%28WS.10%29.aspx
The link below is for using DISM to add packages:
http://technet.microsoft.com/en-us/library/dd744559%28WS.10%29.aspx
Drivers
Here we store drivers for the client computers in production.
All drivers are stored per OS\Model.
Each model is a folder, and each driver is in its own subfolder.
You need to download drivers from the manufacturer's web site; they usually come as *.exe files.
Unpack all *.exe files using WinRAR. Do not put LAN drivers in here; more on this in Part 5.
I have also copied firm.exe (Windows x86 version) from .\eXpress\RDeploy\Windows to the root of the Drivers folder. I use firm to copy files to a target computer while in WinPE, as it is more reliable than the copy command. Dpinst.exe and dpinst.xml are here also.
Images
Image files we deploy to the client computers, each image is in an individual folder.
Packages
All software packages we deploy as part of provisioning.
Sysprep
All sysprep file templates used in production.
Part 2 Create Master Windows 7 image
Imaging tool
Before we start with image creation, we need to choose an appropriate tool.
Altiris provides the choice of different technologies to be used for image capturing\deployment.
- RDeploy: captures the whole disk and preserves all existing partitions, supports multicast out of the box
- ImageX: Microsoft tool, captures only a single partition at a time and requires a bit of scripting to marry together different partitions. You will also have to use scripts to fix the MBR
- Ghost: captures the whole disk and preserves all existing partitions, NO native multicast support from DS (requires additional scripting)
The choice will depend on the goals you want to achieve with the image deployment.
We had the following requirements in our environment
- Windows 7 Enterprise 32 bit
- BitLocker ready
- Single production partition
- Single image for various vendors, but all Intel based client computer hardware
- Use of Bluetooth or fingerprint sensors is prohibited
- Easily scalable for different business units' software requirements
- Reduce network load caused by image deployments
Only one tool could allow us to achieve the above requirements: RDeploy with enabled multicast.
Single image
Windows 7 is hardware independent by design, and a sysprepped image can be deployed to any hardware with the same architecture, such as x86 or AMD, etc.
As a test, I have successfully deployed the Intel based Windows 7 image to an AMD based Dell laptop and it is working fine; however, it looks like this is more a miss than a hit. I have seen some articles on the internet where people do some registry hacking to make the same image work on Intel and AMD hardware. I have never tried it, but believe it is possible.
Imaging process logic
Based on the requirements, we decided to split the imaging process into two logical parts
1 Image deployment
o Image to have no software
o Computer is not part of the domain
o No specific drivers installed or available in the image
o No Windows updates
o Altiris agent is installed during the sysprep stage
2 Software Deployment
o All software is installed from the Deployment Server as additional tasks\jobs. This allows us to manage application deployment and upgrades to new versions with minimum engineer time
o Computer is joined to the domain
After reviewing the software list we have to deliver we found out that some software cannot be installed silently and will have to be integrated into the image (CISCO CTIOS for example).
Building the master image
Image deployment is faster and more consistent compared to scripted OS installation.
So, first of all you need to create the master image: the image that you will deploy to all client computers later.
You can be creative with your image building, as long as you can guarantee the consistent final result.
You can use Deployment Server scripted OS installation task or do it manually.
We decided to build our master image manually, because we still had to do some changes after the scripted OS installation and we wanted to keep the master computer off the network.
Master image build checklist
· Source the latest models of the client PC
· Source the right OS DVD media: Windows 7 Enterprise 32 SP1
· Install Windows 7 from DVD with:
NB: DO NOT CONNECT THE PC TO A NETWORK DURING IMAGE PREPARATION
o Install Windows to a 20480 MB partition (DS is better at expanding than shrinking partitions)
o Keep the 100 MB reserved partition
o User Account: RAW7
o Check PC name: RAW7PC, no password
o Windows updates: ask me later
o Enable the local Admin account in user accounts, no need for a password
(or use the command [net user administrator /active:yes] from cmd as admin)
o Log in as local Admin
o Delete the RAW7 user account and delete the RAW7 user profile from the hard disk
o Reboot
o Show extensions of known file types
o Show Empty Drives in explorer
o Check Regional Settings (UK in my case)
o Disable Firewall
o Set paging file to: system managed
o Leave Windows updates as default (will be set by GPO)
o Create folder C:\Windows\Source\ - this is a local source for installation files
o Change the registry value to point to a local source for LAN drivers
HKLM\Software\Microsoft\Windows\CurrentVersion, value: DevicePath
%SystemRoot%\inf;%SystemRoot%\Source\LANDRV
More on this in the Drivers section
o Enable telnet
run in cmd: dism /online /Enable-Feature /FeatureName:TelnetClient
o Install any “pain” software
· Prepare the PC to be sysprepped
o Reboot
o Log in as local Admin
o Run sysprep.exe from %systemdrive%\Windows\System32\sysprep
with: OOBE, generalize, shutdown
So, now you have a sysprepped computer and need to capture the image for distribution.
You have two choices
- Use Deployment Server task: Create Disk Image
- Do it manually from DOS or WinPE pre-boot environment (WinPE will require wait task to be run against the machine)
Create Image with Deployment Server task
- Create a computer account in DS for the master image machine and make sure the network card is set as the first boot device in BIOS
- Create new Job
- Add new task: Create Disk Image
- Use RDeploy.exe
- Do not boot to windows option is ticked
- Prepare using Sysprep is NOT ticked (we will inject custom sysprep file later)
- Run the job against your sysprepped master computer and make sure the computer boots from the network card
Advanced options should be set like this:
- Maximum file size: 2.0GB
- Compression: Balanced for Size and Speed
Part 3 Sysprep answer file (unattend.xml)
The Windows 7 sysprep process is completely different from the XP sysprep process.
The biggest differences are:
- Different file name: Unattend.xml
- Different file location: Windows\Panther\Unattend.xml
There are quite a few articles about how to make a sysprep file for Windows 7:
http://technet.microsoft.com/en-us/library/dd744263%28WS.10%29.aspx
https://www-secure.symantec.com/connect/articles/creating-windows-7-self-updating-hardware-independent-image-using-deployment-solution-69sp4
http://www.rt7lite.com/downloads.html
http://www.symantec.com/connect/articles/what-are-system-variable-tokens-used-deployment-solution-and-can-be-inserted-sql-scripts
I am not going to spend much time on how to make it, but will show what we have done with it and how it works for us.
We use sysprep for the following:
- Install DAgent
- Skip Auto Activation
- Set Computer name and product key
- Set regional settings
- System Restore disabled
- Windows defender disabled
Details are below
General view of used components
Install DAgent
dagent.bat listing is above in part 1
Activate local administrator account and set password for it
You need to type the local administrator password, and it will be encrypted once you save the answer file.
Skip Auto Activation
Set Computer name and product key
We use the token %COMPNAME%, and it will be replaced with the real computer name dynamically in production.
We use a KMS server to activate all our Windows 7 computers. The product key used in the sysprep file is the key that tells the computer that it’s running Windows 7 Ent and needs to go and find the local KMS server to activate Windows.
Keys can be found here:
http://technet.microsoft.com/en-us/library/ff793421.aspx
Set Regional settings
UK in my case
Registered Organization: Your Company
Registered User: IS Services
The rest of the features are set via Group Policies.
Please find my working sysprep file attached.
Local Admin password: P455w0rd
So, now that we have the working sysprep file, we need to tokenize it with the real computer name and put it in Windows\Panther\Unattend.xml before Windows starts for the first time after the image is deployed.
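An audit of the answer-file template for stored passwords, as an added example that is not part of the original article or its attached file. When PlainText is false, Windows System Image Manager stores Base64 of the UTF-16LE string "password + element name", which is an encoding rather than encryption, so the template on the express share and every tokenized copy hold a recoverable local administrator password. The sample file, its passwords and the function names are constructed for illustration.

```python
import base64
import binascii
from xml.etree import ElementTree

NS = "{urn:schemas-microsoft-com:unattend}"
# Marker Windows Setup writes over password values in its cached answer file.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"


def wsim_encode(password, element_name):
    """Build a constructed sample value in the form WSIM saves."""
    raw = (password + element_name).encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


# Constructed sample answer file; both passwords are made up for this example.
SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{wsim_encode("Constructed-Pw-1", "AdministratorPassword")}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Constructed-Pw-2</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc-build</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def classify(element_name, value, plain_text):
    """Return (storage, recoverable) for one password element."""
    if value == SCRUBBED:
        return "scrubbed", False
    if plain_text:
        return "plaintext", True
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return "unrecognised", False
    # A decoded value that ends with the element name is the reversible form.
    if decoded.endswith(element_name):
        return "base64-encoded", True
    return "unrecognised", False


def audit_answer_file(xml_text):
    """List every password-bearing element without exposing the secret."""
    findings = []
    root = ElementTree.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        name = elem.tag.replace(NS, "")
        value = elem.findtext(NS + "Value")
        if not name.endswith("Password") or value is None:
            continue
        # A missing PlainText element is treated as plain text here.
        flag = (elem.findtext(NS + "PlainText") or "true").strip().lower()
        storage, recoverable = classify(name, value.strip(), flag == "true")
        findings.append({"element": name, "storage": storage,
                         "recoverable": recoverable})
    return findings


if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE):
        print(finding)
```

Any finding with recoverable set to True means the file should be handled as a credential: restrict read access to the sysprep templates on the share and change the local administrator password once the machine is in production.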
Part 4 Image deployment
After all the work above is complete we are ready to deploy the image to client computers.
The majority of scripts and software installations are run from the local source on the target machine.
Local source location: C:\Windows\Source\
Create a computer account in the Deployment Server console (use the MAC and name of your target computer) and then schedule a job for it.
Make sure that the network card is set as the first boot device, as the computer will boot to WinPE a few times.
Please find the sample job and other files attached.
Quick overview
Tasks in red are happening in WinPE:
- Run diskpart script to clean the target hard disk (we perform clean installation)
- Distribute disk image using RDeploy
- Rebooting PC, so WinPE can enumerate all hard disk partitions again
- Tokenize sysprep answer file and copy it to the target computer
- Copy DAgent installation files to the target computer
Tasks in blue are happening in Windows OS:
- Computer goes through sysprep process and boots to Windows 7
- Disable UAC, as it causes a few issues with installations later
- Install drivers for specific model from network location
- Remove letter D:\ from the system reserved partition on the hard disk
- Clean up temp files on Deployment Server
Imaging job in details
It would be easier if you can import the attached job to your DS, but don’t forget to point the tasks to your WinPE preboot environment
Tasks 01 - 04 are running in WinPE
Tasks 05 - 11 are running in Windows on the client computer
Task 12 is running on the Deployment Server
Task 01 Run diskpart script to clean the target hard disk
We are doing a clean OS rollout and do not preserve any data on the hard disk during image deployment. This task will clean all partition information from the target hard disk, so we have a nice and clean disk to deploy to.
Script Run Location: On the client computer
Automation pre-boot: WinPE
Return codes: Default
Dpclean.txt listing
select disk 0
clean
Task 02 Distribute Disk Image
The image is distributed using RDeploy in WinPE.
Please note that we do not use the built-in option for sysprep; we use a standalone file. I will explain in the next step.
First Partition size: 100Mb, this is system reserved
Second Partition size: 100%, this is Windows production
In Advanced... at the bottom:
Graphical Mode for RDeploy
Delete OEM and Automation partitions
Task 03 Reboot Target Computer
When the image is downloaded, the target computer needs to restart and boot to WinPE again, so WinPE can reassign letters to all new hard disk partitions and run additional WinPE scripts.
Task 04 Replace tokens in sysprep and copy DAgent and LAN drivers
Here, we do three things
- Take our custom sysprep answer file template and change token %COMPNAME% in it for the real computer name and then this modified file is copied to the target computer.
- Copy DAgent installation files to the local source
- Copy network card drivers to the local source, more details on this when we get to drivers installation.
Script Run Location: On the client computer (comments are written as REM lines; you can take them out)
Automation pre-boot: WinPE
Return codes: Default
REM In each copy command the first path is the source and the second is the target
REM ReplaceTokens .\MYDATA\Sysprep\win7x86ENT.txt .\temp\%ID%.inf
REM %ID% is the internal computer name used in DS
REM Because of the hidden system partition, the system drive on the target machine is given letter D: in WinPE
.\MYDATA\Drivers\firm.exe copy ".\temp\%ID%.inf" "D:\Windows\Panther\Unattend.xml"
REM Copy DAgent installation files
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\%DSSERVER%\dagent.inp" "D:\Windows\Source\aclient.inp"
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\dagent.bat" "D:\Windows\Source\dagent.bat"
.\MYDATA\Drivers\firm.exe copy ".\MYDATA\Agents\DAgent\dagent.msi" "D:\Windows\Source\dagent.msi"
REM Copy network drivers
.\MYDATA\Drivers\firm.exe -recurse copy ".\MYDATA\Drivers\Win7x32\01LANDRV" "D:\Windows\Source\LANDRV"
After this script is complete, the target computer will reboot and boot to Windows.
It will go through the sysprep first and will do the following:
- Install Network Drivers provided in the custom location
- Install Windows standard drivers for all other devices
- Install DAgent
When sysprep is finished, computer will boot to Windows and process all other tasks/jobs.
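A pre-flight check for the tokenizing step in Task 04, as an added example that is not part of the original article or of Deployment Solution, which performs the replacement itself through REM ReplaceTokens. It renders a template the same way but rejects a computer name that is not a valid Windows name, escapes the value so it cannot alter the XML, and fails when a token is left unresolved. The template, the function names and the upper-case token pattern are assumptions made for illustration.

```python
import re
from xml.etree import ElementTree
from xml.sax.saxutils import escape

# Constructed, minimal answer-file template (not the article's attached file).
TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ComputerName>%COMPNAME%</ComputerName>
      <RegisteredOrganization>Your Company</RegisteredOrganization>
    </component>
  </settings>
</unattend>
"""

# Assumption: tokens are upper-case names between percent signs, as %COMPNAME%.
TOKEN = re.compile(r"%([A-Z][A-Z0-9_]*)%")
# Windows computer name: 1 to 15 characters, letters, digits and hyphens only.
NAME_OK = re.compile(r"[A-Za-z0-9-]{1,15}")
UNATTEND_NS = {"u": "urn:schemas-microsoft-com:unattend"}


class TokenError(ValueError):
    """Raised when the rendered answer file would be unsafe to deploy."""


def validate_computer_name(name):
    """Reject names Windows Setup would refuse or that could carry markup."""
    if not NAME_OK.fullmatch(name):
        raise TokenError(f"invalid computer name: {name!r}")
    if name.isdigit():
        raise TokenError("computer name must not be all digits")
    return name


def render_answer_file(template, values):
    """Replace %TOKEN% markers; return (rendered_xml, computer_names)."""
    values = dict(values)
    if "COMPNAME" in values:
        validate_computer_name(values["COMPNAME"])

    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise TokenError(f"no value for token %{key}%")
        # Escape so a value can never open or close XML elements.
        return escape(str(values[key]))

    rendered = TOKEN.sub(substitute, template)
    try:
        root = ElementTree.fromstring(rendered.encode("utf-8"))
    except ElementTree.ParseError as exc:
        raise TokenError(f"rendered file is not well-formed XML: {exc}") from exc
    names = [e.text for e in root.iterfind(".//u:ComputerName", UNATTEND_NS)]
    return rendered, names


if __name__ == "__main__":
    xml_text, found = render_answer_file(TEMPLATE, {"COMPNAME": "LON-PC-0042"})
    print(found)
```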
Task 05 Turn off Windows 7 UAC
If you do not turn UAC off, you are asking for trouble while installing drivers and software.
You can always enable it later.
REM Turns off UAC
'vbscript
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
objReg.SetDwordValue HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System","EnableLUA",0
Task 06 Reboot Target Computer
We reboot target computers after each software installation or registry change, so each installation or change finishes correctly.
Task 07 Install Drivers
Drivers are installed in Windows from the network location.
I will provide more details in the Drivers chapter as it’s quite a bit to consider.
Task 08 Reboot Target Computer
Task 09 Copy diskpart script to local source
Task 10 Run diskpart script to remove letter from the hidden system partition
After sysprep, the hidden system partition will be assigned a letter, and we need to remove this letter so the partition is hidden from the user.
It is easily done, and the example below is for a machine that has
- One production partition: drive C
- Zero or one optical drive: drive E
This script removes the drive letter from the hidden partition and reassigns letter E to the optical drive
Dpremove.txt listing
select volume 0
remove letter=d noerr
select volume 1
remove letter=d noerr
select volume 0
assign letter=e noerr
Script Run Location: On the client computer
Run environment: Client OS with system account
Return codes: Default
Task 11 Reboot Target Computer
Task 12 Delete temp files on DS
This script will delete all temporary files we have created so far on DS
Run script
REM Delete temp files on DS
del .\temp\%ID%.inf
del .\temp\%ID%.cfg
Script Run Location: Locally on DS, when client computer is connected
Run environment: Server OS
Return codes: Default
Part 5 Drivers installation: LAN and other devices
Drivers, drivers, drivers… It’s great when they just work, but when they don’t play ball it may be very frustrating.
To understand drivers’ installation we need to have a look at how Windows 7 works with them.
Windows 7 has a few different mechanisms to install drivers, below are some of them with examples.
Theory
Windows is shipped with preinstalled drivers in DriverStore
Results are hit and miss because Windows uses drivers that are already in DriverStore, so newer hardware may be missed
Good:
- Some hardware between 2 to 5 years old will have most drivers installed
Bad:
- Not all hardware is catered for
- No drivers for new hardware
- Not consistent end result
Install drivers from Windows Update
If a driver is not found in DriverStore, you can configure Windows to install/update drivers from the Windows Update site.
Good:
- Almost all hardware will be found, except the latest and greatest
- You may use it to find working drivers for some odd hardware, where the manufacturer driver is not available. Just install the driver from the Windows Update site and take it from DriverStore for later deployment
Bad:
- Not all hardware is catered for, especially new
- May cause user interruption
- Will not work if Windows auto updates are disabled
- Not consistent end result
Manually install drivers while Windows is running (online mode)
Download drivers from manufacturer and run the installation
Good:
- You know precisely what you are installing
Bad:
- Not suitable for the enterprise environment, as you need to cater for different hardware and install drivers automatically.
Use a registry value to point to a custom drivers location: HKLM\Software\Microsoft\Windows\CurrentVersion, value DevicePath
This method worked very well in Windows XP and you can use it in Windows 7 also.
Modify the DevicePath value to point to your driver source, something like
%SystemRoot%\inf;%SystemRoot%\Source\LANDRV
Good:
- All drivers found in the custom location will be installed for devices that are online
- Predictable end result
Bad:
- If network card driver is there, network connection will be dropped while driver is getting installed, as a result deployment server task will fail
- Driver conflicts, as all drivers are installed concurrently and resources are not distributed correctly
Pre-stage drivers while Windows is not running (offline mode)
You can add drivers to the DriverStore while Windows is in offline mode using DISM in WinPE.
Good:
- All drivers found in the custom location will be added to DriverStore and drivers will be installed when device is switched on
- Majority of drivers will be installed during sysprep (if drivers pre-staged before sysprep)
- Predictable end result
Bad:
- All drivers are added to the DriverStore, even if device does not exist on the client computer
- DriverStore size may get out of control
- Driver conflicts, as all drivers are installed concurrently and resources are not distributed correctly
Use DPinst.exe to install drivers from the dedicated location while Windows is running (online mode)
DPinst.exe is part of Driver Package Installer
http://msdn.microsoft.com/en-us/library/ff544842%28v=vs.85%29.aspx
You can usually find it shipped with driver packages, or download the full Driver Kit Package from Microsoft
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
You need to use version 2.1.0
Good:
- All drivers found in the custom location will be installed for devices that are online
- No drivers conflict as you can force it to install drivers one at a time
- Predictable end result
Bad:
- If device is disabled, driver will not be installed or pre-staged.
- If network card driver is there, network connection will be dropped while driver is getting installed, as a result deployment server task will fail
DPinst.xml is configuration file for DPinst.exe and needs to be in the same folder as DPinst.exe.
Have a look here for configuration flags
http://msdn.microsoft.com/en-us/library/ff550803%28v=vs.85%29.aspx
Alternatively you can use command line switches for
http://msdn.microsoft.com/en-us/library/ff544775%28v=VS.85%29.aspx
One more thing to note is that Windows 7 recursively searches all subfolders for drivers, so we only need to point to the top level folder.
So, with the theory part over, I will get back to our setup and examples.
Implementation
First of all, you need to download drivers from the manufacturer's web site; they usually come as *.exe files. Unpack all *.exe files using WinRAR. Some odd machines will only install drivers from Windows Update; find those drivers in DriverStore and copy them to your drivers source.
All drivers are stored per OS\Model. Each model is a folder, and each driver is in its own subfolder. LAN drivers are stored in a different location.
We have decided that installing drivers using DPinst from a network share works best for us. However, when installing from a network share you cannot have network LAN drivers there, as the network connection will drop and the task will fail. So we used 2 methods:
- Registry location – to install LAN drivers from local source during sysprep
- DPinst – to install rest of the drivers in Windows from a network share
Network Drivers
Network drivers are copied to the local source in WinPE, before sysprep. This requires a registry change on the client machine you took the master image from, prior to the final sysprep.
We only use Broadcom and Intel LAN drivers and copy all of them to the client computer.
It is done in Task 04 of image deployment by the following line
.\MYDATA\Drivers\firm.exe -recurse copy ".\MYDATA\Drivers\Win7x32\01LANDRV" "D:\Windows\Source\LANDRV"
where the first path is the source and the second is the target
You can put all network drivers into per-model folders and use a script similar to the one for other devices (below) to copy them to the local source in WinPE.
Other devices
Drivers for other devices are installed after the client computer finishes sysprep, by a task run from the Deployment Server in Windows 7.
We made a simple bat file script to point to a specific folder and install drivers; we did not use a vbs script as it was more complicated.
You will need to know computer model numbers as they appear in Deployment Server.
To get the list of computer models, run this SQL query on your eXpress database
select model_num, max (prod_name)
from dbo.computer
group by model_num
Please see the attached driver installation script; the explanation is below, given as REM comments.
echo off
REM Install hardware drivers
REM If model is unknown Windows 7 default drivers will be used
REM and file NO_DRIVERS.txt will be created in C:\
REM Windows 7 x86
REM No network drivers
REM The token below queries the eXpress database for the computer model number
echo Computer model: %#!computer@model_num%
set modelname=none
rem -------------------HP Desktops-------------------------
REM HP DC7800
REM Each line maps a model number to modelname (the folder name on the share)
if "%#!computer@model_num%"=="0AA8h" set modelname=HP_DC7800
if "%#!computer@model_num%"=="0AACh" set modelname=HP_DC7800
if "%modelname%"=="none" (goto nomodelnumber) ELSE (goto installdrivers)
goto exit
:installdrivers
echo on
set server=%DSSERVER%.your FQDN
set share=express
set drive=s:
set domain= your FQDN
set user=User name with access to drivers network share
set password=user password in open text
REM Map a network drive on the client computer
net use %drive% \\%server%\%share% %password% /user:%domain%\%user% /persistent:no
REM Start driver installation, one driver at a time
start /w %drive%\MYDATA\drivers\Win7x32\dpinst.exe /path %drive%\MYDATA\drivers\Win7x32\%modelname%\
REM Disconnect the network drive on the client computer
net use %drive% /delete
echo off
goto exit
:nomodelnumber
echo on
set server=%DSSERVER%.your FQDN
set share=express
set drive=s:
set domain= your FQDN
set user=User name with access to drivers network share
set password=user password in open text
REM Map a network drive on the client computer
net use %drive% \\%server%\%share% %password% /user:%domain%\%user% /persistent:no
REM Copy NO_DRIVERS.txt to the root of C:\
copy %drive%\MYDATA\drivers\Win7x32\NO_DRIVERS.txt C:\NO_DRIVERS.txt /V /Y
REM Disconnect the network drive on the client computer
net use %drive% /delete
echo off
goto exit
:exit
echo Finished.
exit
You can also keep your LAN drivers in per-model folders and modify this script to pre-stage network drivers in WinPE with this command
REM pre-stage drivers
.\TTT\dism\dism /image:D:\ /scratchdir:D:\Windows\Temp\ /add-driver:.\TTT\Drivers\Win7x32\01LANDRV\%modelname%\ /recurse
Conclusion
Hopefully this article was useful and will help you with Windows 7 deployment.
In the next article I will show how we
- Create an image manually in DOS
- Install Windows 7 updates after the image deployment
- Deploy software
- Configure a multisite Deployment Server infrastructure.
Feel free to post any questions or comments.