Deploying Windows using Windows 2012 Deployment Services WDS – Part 3

[This is Part 3 of 3]

Check other parts:

WDS commands that i found useful when managing and administering WDS:

  • Configure how often the server settings are changed

WDSUTIL /Set-Server /RefreshPeriod: <time in seconds>

  • Specify the network interfaces to which the PXE provider must listen

WDSUTIL /Set-Server /BindPolicy /Add /Address:<IP- or MAC address> /Address Type: IP {|} MAC

  • Forcing the server to update the Remote Install folder files

WDSUTIL  /Update-ServerFiles

  • Show configuration of WDS:

WDSUTIL /Get-Server /Show:Config

  • Show detailed configuration of WDS:

WDSUTIL /Get-Server /Show:All /Detailed

Reference Link : http://technet.microsoft.com/en-us/library/cc771206.aspx 

Deploying Windows using Windows 2012 Deployment Services WDS – Part 2

[This is Part 2 of 3]

Check other parts:

Hi again,

In part 2 of this blog series, i will be talking about one thing which is configuring WDS DHCP options.

So imagine you have a WDS installed on SRV1 and DHCP installed on the same subnet on SRV2 and you want to allow clients in different subnets that uses the DHCP on SRV2, to be able to get WDS images.

wds100

To do this, two DHCP options should be configured on SRV2.

  • Option 066: simply your WDS IP or host name
  • Option067: bootfile name, in my case im using X64 version of the boot file as nowadays most machines and O.S are X64. You can use boot\X86\wdsnbp.com if you want the X86 version of boot file.

wds101

This configuration works fine for me.

Deploying Windows using Windows 2012 Deployment Services WDS – Part 1

[This is Part 1 of 3]

Check other parts:

Hi everyone,

If you viewed my blog posts about creating custom Windows 8.1 Image, you saw how we got a customized WIM file and (CopyProfileunattend.xml) file that does couple of customization. We have also generated an ISO file from the WMI file so we can boot a machine from a DVD or USB and manually install Windows and get all the customization and apps.

Now, i will be talking about taking those two files (WIM) and (CopyProfileunattend.xml) file and deliver Windows 8.1 over the network using Server 2012 Windows Deployment Services WDS. You can deliver the original Windows files over WDS by taking the default wim file located under sources\install.wim on the DVD media if you do not have built a customized image yet.

Reference Link > What’s New in Windows Deployment Services in Windows Server 2012 :   http://technet.microsoft.com/library/hh974416  

WDS can be integrated with Active Directory or standalone configuration. I will be talking about Active Directory integrated mode.

Installation

From Server Manager, go to  Configure this local server > Add roles and features

wds1

Click Role-based or feature-based installation

wds2

Choose Windows Deployment Services.

wds3

Choose both check boxes. Transport Server is used usually to control unicast. It doesn’t harm to include it.

wds4

After the installation is done, open Server Manager, click Tools> Windows Deployment Services.

wds5

This will open the WDS console, right click the server name under Servers and click Configure Server.

wds6

In the Install Options window, choose Integrated with Active Directory.

wds7

In the Remote Installation Folder Location, enter a path. This is the place where all Windows images are stored. It is highly recommended to dedicate a volume to host WDS files and not the O.S drive. For simplicity, i will keep the default. WDS will create the folder C:\RemoteInstall.

wds8

As i said, you will get a warning if you are selecting a place on the C drive, just click Yes to continue.

wds9

In the PXE Initial Image Settings, choose Response to all client computers (known and unknown). This is the least relaxed setting, but for now in order to test things, keep it like this and do not check any other check boxes. This means that any client booting from the network can see images hosted in the WDS.

wds10

In the Operation Complete window, do not check the box, and just click Finish.

wds11

Now your WDS console will look like this:

wds12

Right click Boot Images and click Add Boot Image. Boot images are simply the small boot file that is so similar to WindPE. It is just a small O.S used to connect to WDS, get the image and install the actual windows.

wds13

In the Image File window, click Browse.

wds14

Browse to the Windows installation files (this can be the Original Windows installation file, or any Customized image directory), and go to Sources>Boot.wim.

wds15

In the Image Metadata, leave defaults unless you want to customize the image name or description.  Click Next.

wds16

Now that you have finished adding a boot file, your WDS console will show that file added.

wds17

Now in the WDS console, right click the Install Images node and click Add Image Group. Install Image Group is like a folder to host multiple images inside it. Actually it has the following usage:

  • Single Instance Storage (SIS). So if you have created an image group with both Windows 8 and Windows 8.1, then WDS will store any duplicate files once, thus saving space.
  • Setting permissions : you can assign permissions on the image level and on the Image group level.

wds18

Name the Image group something like Windows 8 Images.

wds19

Once the Image group is created, right click it and click Add Install Image.

wds20

In the Image File window, click Browse.

wds21

Browse to your customized WIM file. If you do not have one, then go to the Windows media > sources >Install.wim.

wds22

In the Available Images, you can choose the accept the default image name and description, or uncheck the check box at the bottom to enter custom name and description of the image that others will see when choosing an image to install.

wds23Wait for the Image to get imported.

wds24

Now on your WDS console, you can see your image added successfully.

wds25

Now right click the image you have just added, click Properties.

wds26

On the Image Properties, and if you have an unattended XML file, you can add it here. In our case, since we created Custom Windows 8.1 image with CopyProfileunattend.xml, then we will check Allow image to install in unattended mode and click Select File, and browse to the CopyProfileunattend.xml file.

wds27

On the User Permissions tab, you can set the permission so that only authorized people can connect to that image and start install it. Anyone with Read permission can download the image from the WDS and install it. So i usually clean up things here and remove the Everyone permissions leaving only System, Administrators and WDSServer.

wds28

I also tend to create an AD security group like (Allow WDS Installation) and give it Read/Read & Execute permissions. Those are the people who can connect and install this image.

wds29

Now return to the WDS console, right click the server name and click Properties.

wds30

On the PXE Response tab, you will see:

  • PXE Response Policy : with :
    • Do not respond to any client computer: this basically disable WDS
    • Response only to known client computers : you have to pre-stage or pre create computers in the WDS console with the computer GUID (ID) or MAC. I usually do not do this.
    • Response to all client computers (known and unknown): if you want the easiest thing, then choose this.
  • PXE Response Delay: if you have multiple WDS servers and you want this one to be secondary in case your main WDS is down, then set a delay so that the primary WDS with 0 delay will always respond first.

wds31

In the AD DS tab, this is where you set the name conversion and OU path if WDS is going to join the machine to domain after formatting. I usually do not want WDS to do this since i work in environment with complex naming standard and AD restrictions. So i will ignore this tab.

wds32

In the Boot tab, you can configure what is the user interaction when booting the network. For both known clients and unknown clients, i will choose Require the user to press the F12 key to continue the PXE boot. Again, known clients are those pre-created by you on the WDS console by providing the computer MAC or GUID. Unknown clients are those who you did not pre-create in WDS.

So now, when someone boot from the network, he will detect WDS, and then the user should press F12 to connect to WDS and boot from the network.

Under Default boot image (optional), i usually assign my boot image (boot.wim) i have created for Windows 8.1 as the default boot for X64. You can leave this option if you like.

wds33

Under Client tab, you can choose another type of xml unattended file. This is usually an XML containing how WDS may format the disk and create volume. In my case i do not want WDS to be that clever and format things.

Under Joining a Domain, i will check the box Do not join the client to a domain after an installation. This is only me, as i want to name the computer according my naming standard and as the AD team to pre-create the account in AD.

Under Client Logging, i always enable logging.

wds34

Under DHCP tab, if this server has also the DHCP role, then you have to click those check boxes. DHCP and WDS listen to the same ports, so you do not want WDS to screw your DHCP by using the same ports. In my case, i do not have WDS collocated with DHCP.

wds35

Under Multicast tab, i always check (Use addresses from the following range) to set the multicast range, and under Transfer Settings you have many options. Those options are to control how many download groups will the WDS use when multiple clients with multiple connection speeds download the same image at the same time. For example, if two clients are connecting at the same time to WDS and downloading same image, and one of those clients are connecting using slow network, then the WDS will send the image with slow multicast transmission. If you click Separate clients into three sessions (slow, medium,fast), then WDS will always divide all connected clients to three groups depending on their speed, and will send separate transmission to each group so that slow clients will not affect faster ones.wds36

On the Advanced tab, i totally ignore all settings here. I always keep the defaults and i will not authorize it in AD.  Authorization is same as DHCP authorization and needs Enterprise Admin rights, and it simply protect from unauthorized WDS servers.

wds222

On the Network tab, i usually choose a UDP port range to control the UDP ports to open when downloading the images from WDS.

wds38

On the TFTP tab, remember that the WDS simply acts as TFTP Server to offer the images to clients. You can control the block size and other settings. I usually leave the defaults.

wds39

That’s it for Part one. You have now installed WDS on Windows Server 2012, added Install and Boot image, and configured the WDS server and image properties. See you in Part 2.

Custom Windows 8.1 Image – Part 7

[This is Part 7 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/

This blog post is interesting indeed. Let me explain why.

I got a requirement that the custom Windows 8.1 machine should have the corporate wallpaper as a lock screen. The Marketing department created a nice wallpaper with the company logo and they want it to be set as the default lock screen. Users can choose to change it later, but at least it should be set as the default lock screen. Let us assume that the corporrate custom locks screen image that we need to set is named corp.png

I thought that this was easy. Remember that the Reference Machine is never activated nor have the license key. So while in audit mode, I tried to set the lock screen with corp.png and guess what ?! I cannot set it because the lock screen option is greyed and and not available because Windows is not activated !!

Here is the a nice trick that I used and it works everytime. The trick is completely described in a nice way here http://www.youtube.com/watch?v=Yusczt18RGg. This guy is amazing and the way and effort he put in the video is nothing but brilliant. Once thing though, is that the corp.png should be cop.jpg to work with Windows 8.1, and ofcourse the resolution should be exactly as described in the YouTube link. Mainly, you will replace img100.jpg located under C:\Windows\Web\Screen\ with  your own custom jpg after renaming it to img100 with jpg extension, and delete all jpg files located under C:\ProgramData\Microsoft\Windows\SystemData subfolders, all that while booting from WinPE.

So after watching the video, I convert the format of corp.png to corp.jpg and make sure it is in the right resolution, I then placed it in the D:\corp.jpg on the Reference Machine, boot in WinPE, do the trick in the YouTube video, boot in the reference machine which will lead me back to audit mode, and then continue the steps of creating the image. Nicely done !

Now, when Ii deliver Windows  8.1 to end users, they will get the new shiny corporate lock screen. So professional and looks right.

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

 

Custom Windows 8.1 Image – Part 6

[This is Part 6 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Final steps on the ADK Machine

Now that you have the captured image (MyImage.wim) on the USB, I found it useful to mount the image, do couple of things, and then unmount it again.

Tip: Why this is important to mount the image, do things and unmounts it again? Well, I encountered a problem last year that when I deployed my custom image to end users, the installation wizard prompt me for a license key!! And sometimes the whole installation wizard exit with an error. After opening a case with Microsoft, the solution was to mount the image, inject something called Global Volume License Key GVLK to the image wim file, and then unmount it. This is needed because I know that my clients will activate using my internal KMS or Active Directory (using the new AD activation method) and we need to inject a publicly available key to the windows file to tell it not to prompt for a license key during the installation as it shall connect to KMS or AD for activation. This is why the following step is important.

Link: http://technet.microsoft.com/en-us/library/jj612867.aspx

Now, let us get back to the ADK Machine and review the folder structure again. On the C drive of the ADK Machine, we have created the following folder structure under the C:\ drive:

  • Downloads  [contains the ADK Installation files]
  • Software\Windows 8.1 Installation [contains the Windows 8.1 original installation files]
  • Workplace
    • Mount
    • ImageWorkplace

Remember also, that on the ADK Machine, we have created a Virtual Machine Snapshot after installing the ADK Tools on it.

Now, let us do the following on the ADK Machine:

  • Copy the Windows 8.1 installation files from C:\Software\Windows 8.1 Installation to C:\Worlplace\ImageWorkplace
  • Copy the MyImage.wim that we have generated from the Reference Machine to C:\ drive of the ADK Machine.
  • Rename C:\MyImage.wim on the ADK Machine to install.wim.
  • Replace C:\Worlplace\ImageWorkplace\sources\install.wim with C:\install.wim
  • Go to Start and run Deployment and Imaging Tools Environment CMD as an Administrator and type:

Dism /mount-image /imagefile:C:\Workplace\ImageWorkPlace\sources\install.wim /index:1 /mountdir:C:\WorkPlace\Mount

  • Browse to C:\WorkPlace\Mount and you can see the expanded files here.
  • If you plan to activate Windows 8.1 in your environment using KMS or Active Directory Activation, then you have to inject a Global Volume License Key to the image. Choose one of the licensing key that match your needs from here http://technet.microsoft.com/en-us/library/jj612867.aspx. In my case, I will be using the Windows 8.1 Enterprise key, so while in the Deployment and Imaging Tools Environment CMD , I will run:

Dism /image:C:\Workplace\Mount /Get-CurrentEdition /Set-ProductKey:MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Tip: You can get a list of the metro apps on your image, by running:Dism.exe /Image:C:\WorkPlace\Mount /Get-Provisionedappxpackages ,and you can remove any metro app package by running:Dism.exe /Image:C:\WorkPlace\mount /Remove-Provisionedappxpackage /PackageName:XXX, where XXX is the Package name you get from the Get-Provisionedappxpackages.

  • Now let us unmount the image and commit changes by running:

Dism /unmount-image /mountdir:C:\Mount /commit

Tip: If you face any problem in mounting and unmounting the image, revert the ADK Machine to the snapshot that we took before which is a clean ADK Machine with ADK Tools installed. I ran into situation while mounting and unmounting images over and over again on the ADK Machine and getting errors about unmounting operation failing because some open files or so. Reverting the machine to a clean snapshot solves the issue everytime.

  • Now, to create an ISO image, run
    Oscdimg -u2  -m  -b“C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\etfsboot.com” C:\Worlplace\ImageWorkplace  C:\MyImage.iso

    Note: There is space after the -b switch.

  • Now, you got an ISO file named MyImage.ISO on the root drive of the ADK Machine!. Congrats.

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

Custom Windows 8.1 Image – Part 5

[This is Part 5 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Boot Reference Machine in Audit Mode

So now the Windows will enable the disabled built in administrator account and log you on. Audit mode is a special mode where the windows will enable the default built in administrator account and log on to its profile with some limited functionality.

Now that you are in Audit Mode, make sure you are still connected to the Internet without Proxy connection, and make sure the Windows is not activated and do not ever try to open any Metro Apps.

Tip: In Audit Mode, you can perform something called Profile Customization, in which you customize the profile that you are currently logged on in Audit mode (which is the default Built in administrator). This is exactly what we will do here.

So now that you are in Audit Mode, I start by doing the following Customization:

  • Change the desktop background.
  • Opening IE and click (use recommended settings) for the prompt that appears when you open IE for the first time.
  • Go to IE > IE Internet Options > Security > Local Intranet, I added *.contoso.com.
  • I add Google as the default search provider in IE.
  • I set www.contoso.com as the default home page in IE.
  • I go to Control Panel > Default Programs > Set your default programs, and I change the defaults for (Adobe as the default application for pdf files, Windows Media Player as the default application for all media files, Windows Photo Viewer as the default application for photos)
  • I opened MMC > Certificates> Local Computer> Trusted Root Certificate, and I added my internal root CA public key certificate as a trusted root authority.
  • I go to C:\Users and I delete the profile of the user that get created when I first installed Windows 8.1 on the Reference Machine. Then I go to Computer Management and I delete that user. This way, you will have only the default administrator and guest accounts.
  • Place some corporate internal portals in the IE favorites or tabs.
  • I delete the Event Viewer log files, by going to event viewer mmc, and right click Application, Security, and System categories and clear them. This way, the reference image will not have old events.
  • Open IE, and clear history, passwords and cookies. Close IE and do not open it again.
  • Go to Control panel> Credential Manager, and make sure no stored credentials are available there.
  • Place handy shortcuts on the desktop if you like. 

Tip: When you are in Audit Mode, any move you make will affect the customized profile that you are in. For example, when you are in audit mode, and you open c:\windows\web\ from windows explorer, then this path will get cached. When you deploy the image, users who start browsing the file system, will get suggestions to open c:\windows\web. So try not to browse any registry paths or file system paths while in audit mode to prevent windows to cache those paths and make them appear as a suggestion for all users. I usually use CMD and copy command to browse and copy files while in audit mode.

Note: I made a mistake once that while being in audit mode, I opened the registry editor, and I browsed to strange path and I closed the registry editor. After deploying the image to users, whenever someone tries to open the registry editor, he will find himself inside that strange path. So consider the previous tip seriously.

Now the final thing is to customize the start screen. It is very important to notice that since the machine is not licensed or activated yet, you cannot customize everything. Windows will show most of the customization options as grayed because Windows is not activated. It is absolutely OK. Do not try to be clever and tweak things. Just customize the look of things that can be customized.

Tip: I saw people and even myself, trying to search for the registry keys or file paths that allow us to do more customization and bypass the grayed settings that is caused by the fact that Windows is not activated yet. Sometimes, those files are located in hidden folders and even the SYSTEM or Built-in administrators cannot access. Only a special SID called (TRUSTED INSTALLER) have access to those files. Do not try to be smart and take ownership of those hidden folders and change things. Just do the customization of the look and feel of Windows that Windows allows you to do while it is not activated or you will screw things up, believe me.

Now it is time to customize the start screen. In my case I do the following:

  • The first thing that matters to users is to find the shutdown, restart and logoff keys, so I downloaded this PowerShell script to help creating those tiles for me.
    • From your personal machine, download a script zip file called (CreateWindowsTile) from here: http://gallery.technet.microsoft.com/scriptcenter/Create-a-ShutdownRestartLog-37c8111d
    • Take only the CreateWindowsTile.PS1 and copy it to a USB and move it to the reference machine while you are in Audit mode and past it to the desktop.
    • From the reference machine, open PowerShell using Run as administrator and type:
      • Set-ExecutionPolicy unrestricted
      • C:\users\administrator\desktop\ CreateWindowsTile.ps1
      • By running that script, three tiles will be created for you
        • Shutdown
        • Restart
        • Logoff
    • Set-ExecutionPolicy restricted.
    • Next, I populate the start screen with Office applications, control panel icon, and (Notepad, Paint, Sticky note, CMD, calculator, RDP)

Tip: do not try to be smart from your first try and download special tools to create customize tiles that look nice and put them in your image. Keep it simple and design the start screen with basic things that your users need only. You do not have to include everything here, after all, users can search for things but what we are trying to do here, is to make it one step easier by putting say the top 10 application shortcuts.

Finally, empty the recycle bin and move to the next step.

Sysprep while in Audit Mode

Now, it is time to sysprep every application that you have installed in your reference image. You have to check with the software provider how to sysprep their applications and if they support to have their software to be captured as an image to avoid duplicate IDs. I will list couple of applications that I have in my reference machine that needs sysprep:

How to sysprep SCCM?

If you have SCCM in your reference machine, you have to sysprep it while in audit mode. You do this by doing the following:

  • Stop the SMS Agent Host Service.
  • Go to computer certificate store and delete the two signing and encrypting certificates under SMS store.
  • If exists, delete the %SystemRoot%\SmsCfg.
  • Make sure to capture the image before the service starts or the system reboots.

Note: Tested with SCCM 2007 Agent

How to rearm Microsoft Office 2013?

  • We need to do something called REARM. When this happen, the grace period of office is frozen and the Office client machine ID (CMID) is reset. 
  • To rearm office, go to C:\Windows\Program Files\Microsoft Office\Office15 and run CMD as administrator on this path and run ospprearm.exe. Don’t open the office application after Rearm operation. Do not restart the machine. 

How to sysprep Symantec Antivirus?

  • To clone Symantec installation, we need to run a cloning exec before taking the image:

http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

  • It should be done as the last step in the image preparation process, before running sysprep and/or shutting down the system. If the system is rebooted or the Endpoint Protection client services are restarted then new identifiers will be generated and you must re-run the tool before cloning. 

 Booting the Reference Machine into Windows PE

After you have sysprep everything in audit mode, and while you are in audit mode, copy the CopyProfileunattend.xml that has been created on the ADK machine, to the reference machine D:\ drive. (remember that the reference machine has D drive with 20 GB capacity).

Now while in audit mode, and form the reference machine, open cmd as administrator, browse to c:\Windows\System32\sysprerp, and run this:

sysprep.exe /generalize /oobe /shutdown /unattend:D:\CopyProfileunattend.xml

Windows then will sysprep the operating system and shutdown.

Now connect the WinPE ISO image to the reference virtual machine DVD drive , and boot the machine from the DVD. If for any reason, you could not catch to press F2 to boot from the DVD and the machine booted from its hard disk, then you need to do all the application sysprep steps and run (sysprep.exe /generalize /oobe /shutdown /unattend:D:\CopyProfileunattend.xml) again.

Once you are in WinPE, note that all drive letters are changed most of the cases. For example, you may find that the G drive is now the C drive. So to identify the new volume names, we will use diskpart command line. So on the WinPE command prompt, type:

  • Diskpart
  • List disk
  • List volume
  • Exit

From the output you can map what drive letter is for your reference machine C drive and what drive letter is for your reference machine D drive. For simplicity, I will assume that the drive letters are not changed at this point.

Now run this command:

DISM /Capture-Image /CaptureDir:C:\ /ImageFile:D:\MyImage.wim /Name:”corporate win8.1 Image v1” /description: “Corporate Image user type”

Let us describe the options here:

  • CaptureDir: is the directory of the reference machine C drive. Again, you should use the previous diskpart to identify if C is still that drive or not.
  • ImageFile: is the drive to store the captured image. In my case it should be the D drive of the reference machine.
  • /Name : is the name of the image. When you browse the WIM file in the future, this name will appear.
  • /Description: sometimes if you do not supply this field, you will get errors in future steps.

Once the capture is done, reboot the reference machine and complete the wizard that windows will show because you are in the OOBE experience now, and then browse to the D drive and copy MyImage.wim to the ADK machine.

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

Custom Windows 8.1 Image – Part 4

[This is Part 4 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Working on the Reference Machine

Virtual Machine Preparation

Reference machine is the machine that you will use as a reference to capture your image. This is the machine that you will install your custom apps and profile tweaks.

Tip: I highly recommend using virtual machine as a reference machine, and not a physical machine. Why? Well, if you use a physical machine, then many graphic drivers get installed. I spent couple of days using physical machine as a reference machine, and I got the metro apps failing. I read a blog somewhere saying something about metro apps failing randomly because of those graphic drivers. I moved to virtual machine as a reference image and the problem is sorted out. This is a very expensive lesson!!!

Tip: When using Virtual machines, usually integration tools get installed like (Hyper-v integration tools or VMware Tools), after you are have installed all applications on the reference virtual machine, make sure to uninstall those integration tools before capturing the image.

So, I have created a virtual machine with 4 GB RAM, one processor, 40 GB C drive virtual disk, and 20 GB D drive that will be used to store the captured image. I then installed Windows 8.1 from the original ISO Image that I have. I recommend to use the original Windows 8.1 ISO to initially install Windows on the reference machine, not any custom ISO to install Windows 8.1 to the reference machine.

Tip: Make sure the reference virtual machine is connected to the internet. I cannot emphasis enough that you should not use proxy settings on the reference machine in order to be able to access internet. Instead, connect the machine to direct internet line if possible without any proxy requirements. Two reasons for that, the first one, is most of the time your proxy will need credentials or have restrictions on the type of web sites to visit, you do not want anything to interfere with the type of sites your reference machine can access, and you do not want to have password popup and the need to enter passwords that will be saved on the reference machine’s credential manager. The second reason, sometimes Metro apps connect to internet to activate and they may not work correctly with proxy. I am not sure how accurate this is, but this is how I got the image working.

Finally, make sure you have couple of USB drives in hand, as you may need them to copy things around, I usually always have two 16 GB USB drives around me just in case. You do not have to do the same, this is only me.

Software Installation

After installing Windows 8.1 on the reference machine, and logging in using the account that is created during the Windows 8.1 installation wizard, I make sure it is connected to the internet without any proxy configuration or the need to enter credentials to access the internet.

Do not join the reference machine or activate the Windows installation. I usually connect that machine on a separate dedicated network with unrestricted internet access.

Then I start installing my custom software (not in audit mode). Below is a brief list of the software I installed in my case:

  • Office 2013 including Visio
  • Adobe Reader
  • Silverlight
  • Microsoft SCCM Client
  • Antivirus solution and security clients
  • Chrome browser
  • .net 3.5

I it very helpful to include the .net 3.5, you can use this link to help you install 3.5 on Windows 8.1 (http://msdn.microsoft.com/en-us/library/hh506443(v=vs.110).aspx ). Usually I run  (DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:e:\sources\sxs) where E:\ is the DVD drive where the Windows 8.1 media is located.

I included Chrome browser as IE 11 that ships with Windows 8.1 sometimes has compatibility issues with some internal web sites or even public ones.

Tip: no need to install flash as IE11 handles flash sites like YouTube video without the need to do anything.

Tip: I see people installing Java Runtime here. I highly recommend not doing that. Java Runtime gets crucial updates every day and it is the main entry point for attacks. You do not want to deploy an image with outdated Java Runtime and compromise security of the machine. Instead, use SCCM or any other deployment tool that you have in place to install Java Runtime and updates after the image is deployed. In my case, I do not install Java Runtime to machines at all. When someone needs Java Runtime, the local IT will go and install the latest version on his machine. No need to have Java Runtime in all machines from day one because someday they may use it. Huge security tip.

Tip: in Microsoft documentation, software and patches are applied while in audit mode. I saw couple of blog posts reporting issues with that, so I only sysprep and customize things in audit mode, and I install everything before entering the audit mode. This is my way and I do not state that this is Microsoft way.

Tip: When installing Adobe, make sure you configure its update settings from now if you do not want the users to get a prompt to install a newer version or not. If users are not admin on their machines which is the normal case I hope, then you do not want them to get such notifications all the time about newer versions available, and no power to do anything.

Installing Updates

Once I have everything installed, I then connect to Windows Update and install all windows updates available there. I prefer not connecting to the internal WSUS server and connect directory to Microsoft portals to get updates. Then, I update the antivirus solution, adobe and any updates available for the software I installed previously.

Tools included

Once I have installed and updates everything, I usually create a folder called Tools under C:\. In this folder, I put all the administrative tools that can help local IT to do basic troubleshooting. My list is:

  • FIM CM Client installation files, in case we need to provision a smart card on this machine. FIM CM is Microsoft Forefront Identity Management/ Certificate Management Client.
  • Gemalto Smart Card mindriver files, which is the driver to support Gemalto Smart Cards.
  • Microsoft Message Analyzer: Network tracing tool from Microsoft.
  • Outlook Configuration Analyzer Tool: tool to help troubleshoot Outlook issues.
  • PortQuery and PortQueryGUI: Tools to help testing connectivity on a TCP or UDP ports. Very handy tool.
  • CMTrace: Configuration Manager log tracing tool. This tool is essential if you have SCCM in place and want to trace client side log files.
  • MOCLogin: Tool to troubleshoot Lync issues.
  • TCPView: Sysinternal GUI tool to track which processes are opening network connections.
  • ProcessExplorer: Sysinternal GUI tool to track processes.
  • Zoomit: Sysinternal tool.
  • SysInternal Package: Zip file containing all sysinternal tools.
  • Install the Telnet Client Feature.
  • Readme.txt file: file to describe and document the custom image

Note: If you are not familiar with Sysinternals tools, check this URL http://technet.microsoft.com/en-us/sysinternals/bb545021.aspx. It is a must knowledge.

Note: I mentioned that I put readme.txt on the C:\Tools folder, this is a very important text file I created in notepad that has the following information, to document the version, settings and software that this image contains. The text file contains the following sections in my case:

  • Header Section:
    • Image Name : Windows 8.1 x64 Enterprise Edition
    • Image version : v1.2
    • Image type : user edition (in case you have another custom image for finance people which has the financial application installed, so I classify my images to types)
    • Image creation date: 29th Jan 2014
    • Software included :

Here you mention all software included in the image + the version and build number + update and patch level for each item.

  • Windows Patches: I usually document here any special patches or service pack levels if any
  • Tools included: Here I document every tool that I included in the C:\Tools folder

Tip: during all this, I avoid opening or updating any metro apps. It is extremely not recommended to update any metro app in the custom image. In TechNet you can find all the reasons of that.

Final Touches

An interesting thing that I do here is to open the registry and browse to HKEY_LOCAL_MACHINE\SYSTEM, right click and choose New Key, name it “Corp”. Inside it, I create the following values:

  • String value (Image Name) : Windows 8.1 x64 EE
  • String value (Image Creation) : 29th Jan 2014
  • String value (Image Type) : User
  • DWORD 32bit (Image version) : 1

This is extremely handy, so you can walk to any computer, and open the registry, and you have all the information that you have about what image was used to install the O.S on that computer. I also use SCCM to collect this registry value on all machines and get reports about how many computers running this version of my image!

Next, I go to C:\Windows\Web\Wallpaper\Windows, and I put their many professional wallpapers, so that if any user wants to get corporate or nice wallpaper, he can right click his desktop, personalize, desktop backgrounds, and since Windows reads the directory that we have just populated, the end user will see now many options for wallpapers that we provided him with. Cool thing indeed.

I also make sure Windows Firewall is enabled and configured correctly, and I go to services.msc and do my final touches (i.e if you are using BranchCache technology, you can set the start mode for BranchCache as automatic and start it). Even if you can do those configuration via GPOs, I always like to configure everything in the base image, and rely on GPO to enforce things.

If you are in an extreme security environment, you can open GPEDIT.MSC and configure a security settings for the machine, so that from the moment that the O.S is installed and until it is joined to the domain, it remains secured. In my case, I do not configure group policy settings in my image reference.

Finally, I restart the reference machine and check for updates one last time just to make sure everything is fine. At this phase, the reference machine has never and will never be joined to any domain, nor is it licensed or activated.

Now, open CMD as Administrator, and browse to c:\Windows\system32\sysprep>, and type:

Sysprep /OOBE

Note: OOBE stands for Out Of Box Experience.

Windows then will reboot and show you the wizard that asks you questions when you install a new Windows Computer. Do not do anything or choose anything, just press (Control + Shift + F3) and Windows will enter something called Audit Mode.

Check out my YouTube Windows 8 Advertisement 2 minute Video : 

https://www.youtube.com/watch?v=Et5IgdKcuN4

Custom Windows 8.1 Image – Part 3

[This is Part 3 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Create Windows PE media

Windows PE or pre-installed environment is the environment that you can boot from and do administrative tasks on your installed O.S.

  • On the ADK machine, go to start > Deployment and Imaging Tools Environment CMD as an administrator.
  • Type the following, Specify either x86, amd64, or arm:

copype amd64 C:\WinPE_amd64

  • This will create a folder on the ADK machine on the C:\ drive root called WinPE_amd64
  • Install Windows PE to the USB flash drive, specifying the drive letter:

MakeWinPEMedia /UFD C:\WinPE_amd64 F:

  • In our case, we are working with virtual machines, so we do not want to burn WinPE on a USB, we want to generate ISO, so we will type the following command to generate an ISO on the root of the C drive:

MakeWinPEMedia /ISO C:\winpe_amd64 c:\ winpe.iso

Reference links:

Now, you have an xml file called CopyProfileunattend.xml that you have generated from the ADK SIM tool. You also have the ADK machine ready and setup. Now it is time to move to the reference virtual machine and work on it.

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

Custom Windows 8.1 Image – Part 2

[This is Part 2 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

 

Working on the ADK Machine

Introduction

The first thing that I do when performing any type of Windows Images, is to take my time preparing an isolated environment with all the tools I want. In this section, we will be working on the ADK machine.

ADK machine is a non-domain joined machine without any security baselines or antivirus or security solutions installed on it. Why this is important? This is not a requirement from Microsoft, but it is the way that I find very productive and reduce the possibility of errors. The need to have the machine without antivirus, can prevent offline image servicing errors. When the machine is not joined to the domain, then it will reduce the possibility of a restriction from GPO that can interfere with DISM commands that heavily access the file system and do complex stuff. After long time doing imaging, I found this way working well for me.

ADK machine is a Windows 8.1 machine, not joined to the domain, does not have any security products or antivirus installed, and has Microsoft ADK installed on it, hence the name ADK machine.

ADK stands for Assessment and Deployment Kit. Those are tools that can help you to deploy Windows in unattended way. Make sure you install the ADK version that supports Windows 8.1. Make sure to download the ADK and save the installation files in your file server as you may need to reinstall it.

Tip: I usually use a virtual machine for the ADK machine. I install Windows 8.1 on it and ADK for Windows 8.1, and I take a snapshot immediately after that with the name (ADK machine clean). You will find this handy when troubleshooting offline image servicing and the need to revert back to clean ADK machine state.

Prepare the ADK Machine

I prefer to have a virtual machine with 4 GB RAM (2 GB is possible), normal processing power and one system drive c:\. The C drive should be big enough to hold all imaging operations, so make sure you have at least 60 GB drive size.

Create the following folders on the C drive of the ADK machine:

  • Downloads
  • Software\Windows 8.1 Installation
  • Workplace
    • Mount
    • ImageWorkplace

Get your hands on the Windows 8.1 installation files, and place them under C:\Software\Windows 8.1 Installation folder on the ADK Machine.

Install Windows ADK for Windows 8.1 on the ADK Machine

Note: ADK Portal: (http://www.microsoft.com/en-us/download/confirmation.aspx?id=39982)

When you go to Microsoft portal to download the ADK for Windows 8.1, and you click Download, then a 1.402 MB get downloaded to your machine called (adksetup.exe). You have to run this adksetup.exe. When you do that, you will have two options:

  • Install
  • Download

Windows 8.1 custome image ID232

I recommend highly to choose the second option (Download), so you will have the installation files offline. Once the download is completed, you can run it and pick the following components to install:

  • Deployment Tools
  • Windows PreInstallation Environment (Windows PE)

Windows 8.1 custome image ID292

Now, if you go to the start screen, you can see the ADK tiles are available. We will be using two of the ADK tools:

  1. Windows System Image Manager (SIM)
  2. Deployment and Imaging Tools Environment CMD

Windows 8.1 custome image ID532

I highly recommend here to take a snapshot on the ADK machine after you have installed ADK, name the snapshot something like (ADK machine clean).

Create Answer File

  • We are still in the ADK machine.
  • Now go to Start > Windows System image Manager.
  • In the Windows System Image Manager window, right click the (Windows Image) sub window and click (Select Windows Image) , browse to:

C:\Software\Windows 8.1 Installation\Sources\install.wim

Windows 8.1 custome image ID992

  • You will get a warning that a catalog need to be created, click OK.

Windows 8.1 custome image ID892

  • Now, under the “Answer File” window, right click and choose “New Answer File”.
  • Once done, this will show a template for a new answer file.

Windows 8.1 custome image ID792

  • Now as you can notice, you have three important windows:
    • Windows Image Window: contains settings that you can pick from and add to the answer file.
    • Answer File Window: contains an answer file to be populated with settings.
    • Properties Window: contains the sub settings for a highlighted setting in the Answer File Window.
  • If interested, checkup the below link for information about all settings available under the “Windows Image” window.

Link:  http://technet.microsoft.com/en-us/library/ff715394.aspx

  • I have configured many settings in the answer file, so I will show you how to configure one setting with screenshots, and you will get the idea, then I will list the settings that I have added and you can do the same.
  • So let me show you now how to add a setting to the answer file:
    • In the “Windows Image” window, expand “Components” and search for “….Microsoft-Windows-Shell-Setup_……._neutral”. Right click the setting and click “Add setting to Pass 4 specialize”. This simply means that we are adding a setting that will specialize the image.

Windows 8.1 custome image ID492

  • Now look at the “Answer File” window, and expand “4 specialize” folder, and you can see the setting that we have added in the previous step. Click on it, and notice the “Properties” window at the right. Click “Copy Profile” in the “Properties” window and choose “true”, and also in the “TimeZone” setting, write down the time zone that you wish. In order to learn how to type the correct format of the time zone, check the URL mentioned previously.

Windows 8.1 custome image ID332

Now that you know how to add settings to, here is the settings I have added:

1.     “Microsoft-Windows-Shell-Setup”\pass: specialize

a.     CopyProfile = true

b.     TimeZone = China Standard Time

2.     “Microsoft-Windows-International-Core”\pass: “oobeSystem”

a.     InputLocale: en-us

b.     SystemLocale: en-us

c.     UILanguage: en-us

d.     UserLocale: en-us

e.     UILanguageFallback: en-us

3.     Microsoft-Windows-Shell-Setup\oobeSystem

  • RegisteredOrganization: Contoso International
  • RegisteredOwner: Contoso International
  • OOBE:
    • HideEULAPage:true
    • HideOnlineAccountScreens:true
    • NetworkLocation:work
    • ProtectYourPC:1
    • HideOEMRegistrationScreen:true
  • VisualEffects:
    • SystemDefaultBackgroundColor: 1            

Tips: Let me explain couple of those settings:

  • CopyProfile: the most important setting, this will give us the chance to customize the profile of each user using the image.
  • HideEULAPage: this will hide the accept license agreement
  • HideOnlineAccountScreens: this will remove the option to log on using Microsoft account during installation wizard.
  • SystemDefaultBackgroundColor: This setting simply set the default color for the start screen background. Refer here for the numeric values for colors. Those values are not the same for Windows 8 and Windows 8.1. Check the link below for more info about background color:

Link: http://technet.microsoft.com/en-us/library/jj570859.aspx

The result XML file will look like this:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">

  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
      <TimeZone>Jordan Standard Time</TimeZone>
    </component>
  </settings>

  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>en-us</InputLocale>
      <SystemLocale>en-us</SystemLocale>
      <UILanguage>en-us</UILanguage>
      <UILanguageFallback>en-us</UILanguageFallback>
      <UserLocale>en-us</UserLocale>
    </component>

    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>1</ProtectYourPC>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
      </OOBE>
      <VisualEffects>
        <SystemDefaultBackgroundColor>1</SystemDefaultBackgroundColor>
      </VisualEffects>
      <RegisteredOwner>Aramex International</RegisteredOwner>
      <RegisteredOrganization>Aramex International</RegisteredOrganization>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:c:/users/claudea/desktop/install.wim#Windows 8.1 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Finally, after adding all those settings to the answer file, go to Tools > Validate Answer File. Make sure you do not have errors, and then save the answer file as CopyProfileunattend.xml.


Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

Custom Windows 8.1 Image – Part 1

[This is Part 1 of 7]

Check out other parts:
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
https://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

I am writing this blog post to document the steps I went through to create a corporate Windows 8.1 Image.

I found a lot of ways and options in the internet talking about advance ways to do such image, like WDS, MDT, SCCM  Zero/Light touch deployments.

That’s cool actually, but the requirement I have is: Give me an ISO that has Windows 8.1 Image that is customized. Saying that, I have to do all customizations packaged inside that ISO.

One recommendation here is to create an updated custom image every 3 months, so that it contains all the windows and application updates. Keep a good version information in place so you can track your custom images.

I also avoid creating any custom refresh image with all apps installed in my image for a good reason. I want the IT teams to always check for newer version of my custom image that I produce every three months, instead of deploying the first release of my custom image and then use the custom refresh that ships with it to sort any problems. This way, if the local IT teams have a problem with one machine, they will check for the newest image version of Windows 8.1 that I have made and not rely on the outdated custom refresh image.

The steps described below is a collection of knowledge from Microsoft TechNet, webcasts, blogs and practical experience beside trial and error. Trial and error is my best friend when it comes to deployment, so here is how I did it.

Summary of steps:

  1. Prepare two virtual machines: “ADK Machine” and “Reference Machine”.
  2. Use ADK machine to prepare unattended xml file.
  3. Use ADK machine to prepare a bootable WinPE disk.
  4. Install all software and patches in “Reference Machine”.
  5. Place the unattended xml from step 2 in to the D drive of the “Reference Machine”
  6. Boot the reference machine in audit mode.
  7. Perform advance customization to the built in administrator profile on the “Reference Machine” and run sysprep. This will cause the “Reference Machine” to shutdown”.
  8. Inset the WinPE disk to the “Reference Machine” DVD virtual drive and boot the “Reference Machine” from it.
  9. While in the WinPE environment, capture an image from the “Reference machine” and save it to the “Reference Machine” D:\ drive.
  10. Boot the “Reference Machine” normally and copy the captured wim file to the ADK machine.
  11. Go to the ADK machine and use ADK tools to mount the wim file, inject a GVLK, remove any metro app packages, and unmounts the wim file again.
  12. Now, you can generate ISO file from the resulting wim file on the ADK machine.

Tip: you can use that wim file generated from step 11 on your WDS server and network deliver the customize Windows 8.1 image, or you can just use the ISO image generated from step 12 to burn it in to USB and deliver the image physically to target machines.

Overview about the setup needed:

You have to prepare two virtual machines. The figure below is a graphical presentation of those machines:

Windows 8.1 custom image

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4