In which Mike tries to figure out a solution to a problem and ends up making it much, much worse.
All because I didn’t follow best practices.
Because I’m a dolt.
A fast learning dolt, but a dolt nonetheless.
So, I’ve been pushing hard for WDS to take over all our imaging responsibilities and it’s been going pretty well. I got our Windows 10 image squared away, finally. It was time to work on our Windows 7 image. Different trials and tribulations there, believe me. I’ll make a big overview at the end of the discussion.
The first problem stemmed from the media I needed for imaging. We have Dell devices that have OEM Product Keys in the BIOS / EFI. This required Dell OEM Media to install. No problem we have tons of those. I pop the disc in a computer and make an ISO out of it. I mount the ISO, grab the install.wim and import it into WDS. I deploy it to a PC. It doesn’t activate. Argh.
Problem 1: Using OEM media install.wim does not (apparently) save the OEM data required for automatic BIOS/EFI activation. Balls.
Process 1: Well, after fighting with it for about a day, I decided to just install Windows 7 via OEM Media onto a Desktop and make sure it activates, then collect that image and try deploying it elsewhere. Victory!
Solution 1: Don’t import install.wim from the OEM Media, install Windows 7 via the OEM Media to a desktop and capture from it.
Solution 1 lead me to a different problem though…
Problem 2: The captured image from one Desktop fails on a different model of Desktop. Example: I built on a 9020. It worked on a 5040. It failed on a 7010. It failed on an M2800.
Process 2: Best Practices Alert! You never want to have any sort of driver injection in the image itself. Never, ever. It’s going to cause you problems, I guarantee it. This means you should NEVER build your image on a physical machine. Some sort of driver will always be getting installed. SysPrep can only do so much, and if it doesn’t clear out all those system-specific drivers you’re going to encounter some kind of a problem, I guarantee it.
Solution 2: Create a Virtual Machine (Image Builder) and install Windows via the OEM Media. It won’t activate (Obviously) but you can re-arm it a bunch of times. Take snapshots throughout and you can re-arm from the snapshot a lot. It’ll save you a lot of headaches. Trust me.
So, great, I now have an image that activates and installs on every model in the district. Score!
Wait a minute, what’s going on here with my 9020s and 5040s?
Wait a minute, it’s happening on every single device that has USB3 ports?
Balls. Again.
The Intel USB3 drivers were not being deployed via WDS, despite the drivers being added to the WDS shares. This is apparently a known issue, as evidenced by the multitude of threads found by Google.
Problem 3: The image deployed from WDS does not properly install drivers for all hardware. Things I’ve noted not working: Intel USB3 drivers, Intel 530 Display drivers.
Process 3a: Ok, I know! We’ll use PNPUtil to install the drivers into the driver store of the base image. That way WDS doesn’t have to inject drivers for these pieces of hardware.
Failure 3a: Great, I captured an image with the drivers injected. I tried to deploy it. Sweet! My 9020s and 5040s are working fine. Cool. I deploy it on my 7010s: it fails to start, rebooting infinitely. Fuck. Same for the M2800.
Process 3b: Ok, fine, let’s try something else. A post install script… Yes! A post install script that WDS can run on first login Cool. I deploy the image with the updated unattended file, and it works! I have a file per model. Let’s fix that.
Solution 3: Added the following lines to my Unattended-Windows7.xml which is applied to the Windows 7 images I capture:
<?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <FirstLogonCommands> <SynchronousCommand wcm:action="add"> <Order>1</Order> <CommandLine>\\WDSServer\REMINST\Scripts\DeviceSpecific.bat</CommandLine> <Description>Attempt Device Specific Driver Installations</Description> <RequiresUserInput>false</RequiresUserInput> </SynchronousCommand> </FirstLogonCommands> <AutoLogon> <Password> <Value>NeenerNeeneNeener</Value> <PlainText>false</PlainText> </Password> <Domain>org.local</Domain> <Enabled>true</Enabled> <LogonCount>1</LogonCount> <Username>DomainUser</Username> </AutoLogon> </component> </settings> </unattend>
This bit of unattended.xml will make WDS run the DeviceSpecific.bat batch file that I’ve created. You can see the contents of that batch file here. It basically uses WMI to get the model of the computer, and compares that to a known list of computers. It then deploys the files directly to the computer via the Dell distribution packages and executes setup silently while overwriting anything that exists already. You can see in this that for the Optiplex 5040 model I install both the USB3 drivers and the Intel 530 Display driver, because both fail to deploy for me in WDS for some unknown reason.
My process so far has been:
- Install Windows 7 Pro SP1 via Dell OEM Installation Media to a Virtual Machine.
- Upon first startup, press Ctrl Shift and F3 to Enter Audit mode.
- Disable UAC (because I get tired of the prompts).
- Perform Windows Updates.
- Run Windows Update once to update the Windows Update Runtimes.
- Run the following Windows Updates (which you can download ahead of time and store somewhere):
- KB3020369
- KB3177467
- KB3172605
- KB3197867
- KB3197868
- KB2617858 (SVCHost slow login fix, we install this on every machine after some slow login issues years back)
- KB2647753 (Picture Manager/Printer fix)
- KB2585811 (NVME fixes for newer hardware)
- KB2585813 (NVME fixes for newer hardware)
- KB2990941 (NVME fixes for newer hardware)
- Note: If you download all those files and put them into a folder, you can execute the following one-liner from a command prompt (with admin):
- forfiles /s /m *.msu /c “cmd /c wusa.exe @PATH /quiet /norestart”
- Reboot.
- Run Windows Updates until there are no updates available any longer.
- Shutdown.
- Snapshot your Virtual Machine. I call this my Phase 1 Snapshot, where the VM has nothing but Windows Updates applied to it. Next time I need to build an image, I’ll revert to this snapshot and run Windows Updates from there to save me some time!
- Optional: SysPrep and Capture the image. This way you have a Stock Dell / OEM Image to use just in case.
- The SysPrep Command I use is: C:\Windows\System32\sysprep\sysprep.exe /oobe /shutdown /generalize
- Capture via WDS.
- If you did Step 6, revert to the snapshot you took in Step 5.
- Make your customizations:
- Control Panel:
- Small Icons
- UAC Disable
- Disable Hibernation
- powercfg – h off
- Power Options
- Set your power plan and / or import your power plan (don’t forget to make it active).
- Optional: Delete Panther folder from C:\Windows
- Internet Option Settings:
- Add your domain sites to trusted sites.
- Disable Windows 7 Offline Files
- Disable Tablet Input Service
- Remove items from Navigation pane as necessary (we remove a bunch of stuff)
- Add Desktop shortcuts.
- Install CutePDF.
- Always show all icons in the taskbar.
- Disable Action Center.
- Create our log folder.
- Install Altiris Agent.
- Add a timeserver.
- Disable “Highlight Installed Programs”
- Add your UnattendedCapture.xml with a CopyProfile setting.
- Shutdown.
- Control Panel:
- Snapshot your Virtual Machine. I call this my Phase 2 Snapshot, where the VM has Windows Updates and Customizations applied to it. If I forgot anything I can go back to here and fix it without having to rebuild everything.
- SysPrep and Capture the image.
- The SysPrep Command I use is: C:\Windows\System32\sysprep\sysprep.exe /oobe /shutdown /generalize /unattend:C:\CaptureUnattended.xml
- Capture via WDS.
- Viola? I think?
I’m a complete noob at this stuff, and I’m sort of hacking and slashing my way through the entire process. I’m documenting it here for posterity. If something I’m completely off base, I’d appreciate a heads up and being pointed in the right direction.
-M, out.
1 comment