Windows XP Universal Image and ZENworks Deployment
ZENworks Universal Image – from base image to deployment
This article describes our imaging method, from creating the base/universal image to adding driver images and machine specific changes, then creating imaging scripts that will figure out which piece of hardware the image is being restored to and apply the correct imaging files. While this is one way to do it, it is by no means the only way. This is what’s worked for us and I hope it will help someone else out there.
Step one: deployment design
We wanted the base image to be as lean as possible, and use scripting to add any drivers or applications required. Below is an overview of how it should work.
As we are a multi-site company we have to also take into account changes required for each site – these are things like Novell client properties, ZENworks server address, NTP servers and Symantec antivirus groups.
Step two: create the base image
During the initial XP Setup, press the F5 key when Setup asks you to press F6 for adding mass storage drivers. This is where you specify the HAL to be installed. I chose "Advanced Configuration and Power Interface (ACPI) PC".
Microsoft Best Practices for image deployment suggest that you should use the smallest possible partition size. This will keep the size of the image file reduced and will allow you to deploy the image to machines with smaller hard drives then the original.
- Base Windows XP with SP3
Create a C:\ partition that is 4030MB in size
- Base Windows XP with SP3 OS + Office
Create a C:\ partition that is 6030MB in size
Choose to use a 6030MB disk (because it gave me a little breathing room!)
Change all regional/keyboard options to English (New Zealand). Remove English (US).
Personalize your Software
Name = a name
Organisation = Company name
Computer name and administrator password
Computer name = COMPANY-IMAGE
No admin password set
Date and Time
Timezone = GMT+12 (Auckland, Wellington)
Automatically adjust clock for daylight savings = ticked
Left the default "Workgroup"
Turned off windows update
Did not register Windows
User account creation
At the end of the OS install, Windows will prompt you to create a user account for the computer. I created one called "DELETEME" to remind me to delete it before imaging. (see further down)
Post-OS install configuration
Configure login screen
When the installation of the OS has completed successfully and you've booted into Windows, open up the Windows Control Panel and select "User Accounts".
- Select "Change the way users log on or off"
- Uncheck "Use the Welcome screen"
- Uncheck "Use Fast User Switching"
- Click "Apply Options"
- Log off of the computer.
- Login as Administrator
Remove un-needed programs
Start > Control Panel
- Add or Remove Programs
- Add/Remove Windows Components
- Accessories & Utilities > Games
- MSN Explorer
- Network Services
- Windows Messenger
Run Windows Update
Browse to http://update.microsoft.com and fully update, including a "Custom" update and update these components:
.NET framwork 3.5 SP1
Group Policy preference client side extensions for Windows XP
Root Certificate update
Windows Media Player 11
Microsoft .NET framework 1.1
|By-pass proxy server for local addresses||TICKED|
|Advanced||Use the same proxy for all protocols||proxy.address.co.nz:80|
|Windows Explorer settings|
|Tools||Folder Options||General tab||Use windows classic folders|
|Open each folder in the same window|
|Double-click to open an item (single click to select)|
|View tab||Defaults, except:|
|Untick 'Display simple folder view in Explorer's folder list|
|Show hidden files and folders|
|Display the full path in the title bar|
|Untick 'Hide extensions for known file types'|
|Untick 'use simple file sharing|
|Taskbar and start menu Properties|
|Taskbar tab||Untick||Lock the taskbar|
|Autohide the taskbar|
|Hide inactive icons|
|Tick||Keep the taskbar on top of other windows|
|Show quick launch||Show the clock|
|Start menu||Customize||General tab||Large icons|
|Number of programs on start menu = 10|
|Show IE on start menu, not Email client|
|Advanced tab||Tick open submenus when I pause over them with my mouse|
|Untick highlight newly installed programs|
|List my most recently opened documents|
|Start menu items|
|Control panel as a link
Enable drag and dropping
Help and support
My computer as a link
Don't display My Documents
Don't display My Music
My Network Places
Don't display My Pictures
Don't display Network Connections
Printers and faxes
Untick Set Program access and defaults
Don't display System Administrative Tools
- Moved Windows Explorer shortcut from Start > All Programs > Accessories to Start > All Programs
- Moved Command Prompt shortcut from Start > All Programs > Accessories to Start > All Programs
- Deleted Windows Movie Maker from Start > All Programs
- Deleted Remote Assistance from Start > All Programs
- Deleted Set Program Access and Defaults from Start > All Programs
- Deleted Remote Assistance from Start > All Programs
- Deleted Windows Catalog from Start > All Programs
- Deleted Windows Update from Start > All Programs
- Removed File and Settings Transfer Wizard from the Start Menu
- Removed Tour Windows XP from the Start Menu
|(ie right-click desktop -> Properties)|
|Customise desktop||General Desktop icons||My Computer, My Network Places, Internet Explorer|
|Untick Run desktop cleanup wizard every 60 days|
|Screen saver||Windows XP screensaver|
|Wait 10min, tick on resume password protect|
Note: monitor power see power options section below
|Power options||(ie Control Panel -> Power Options)|
|Turn off monitor 30 min|
|Turn off harddisks 45min|
Power scheme saved as "Company Standard"
|Change the way security center notifies me||Untick all options|
|Advanced tab||Performance Settings||Adjust for best performance|
|Virtual memory||Change||Custom size: 2048min, 2048max|
|Regional and language options|
|Standards and formats: English|
|Advanced tab||Language for non-unicode programs||English (New Zealand)|
Configure IE search box
Run IE7 (first time after updates above). Chose to change the default search provider and change to Google.
Start > All Programs > Command prompt
- Menu > Defaults > Tick Quick Edit Mode
- Right-click the Windows explorer icon on the quicklaunch bar
- Shortcut tab
- In the 'target' paste the below in
Repeate for the icon in Start > All Programs
Windows Media Player
Run Windows Media Player, accept all defaults and finish wizard.
Hide My Documents folder between users
Set My Documents to private
Windows Registry Editor Version 5.00
Configure NTP server
Start > Control Panel
Internet Time tab
Tick "Automatically synchronize with an Internet Time server"
Server = ntp1.server.co.nz
Remove hotfix backups
From \\niwa-bacon\archive\itsupp\setup\winxp\Remove hotfix uninstall information\
copied to niwa-image and ran xp_remove_hotfix_backup.exe
Removed all backup information
Right-click > Empty
Copy the Administrator profile to Default User
Reboot the computer
Logon to the computer with the username "Deleteme" which was created as part of the Windows setup.
Open "My Computer"
- Choose "Tools"
- Choose "Folder Options"
- Choose the tab "View"
- Put a check in the box "Show hidden files and folders"
- Click "Apply to All Folders"
- Click OK
- Close "My Computer"
Click on the Windows Start Menu
- Right-Click on "My Computer"
- Chose Properties
- Choose the tab "Advanced"
- Under the User Profiles section choose "Settings"
- Single-click on the Administrator's profile and choose "Copy To"
- Select Browse, and browse to the folder:
"C:\Documents and Settings\default user"
- Under the "Permitted to use option click "Change"
- Type in "Everyone"
- Click OK
- Click OK to copy the profile
- When this has completed reboot and login to the computer with the username "Administrator"
We will now delete the user profile for "DeleteMe" as follows
- Right-click on "My Computer"
- Choose "Manage"
- Expand "Local Users and Groups"
- Delete the username "DeleteMe"
- Close the MMC
- Open Windows Explorer
- Delete the folder "C:\Documents and Settings\DeleteMe" which is the default user profile that was created.
- Empty the Windows Recycle Bin
At this point create a pre-sysprep image called basexpB4sp.zmg
Boot from CD (download latest imaging drivers/CD from http://download.novell.com)
- File > Make image > Server
- Server = IPaddressofserver
- Filename = //IPaddressofserver/path/basexpb4sp.zmg
- From the Windows XP Sp3 CD, extract the Deploy.cab file located in the Support\Tools folder to C:\sysprep
- Download, extract and copy mysysprep to C:\sysprep
- Copy and edit the sysprep.inf, from previous images (there are far too many sysprep options to list here, see the sysprep section later on for some explanation of what we do)
mp.inf, up.inf are exactly the same except for this line:
inside mysysprep.inf I have these lines:
which mean when mysysprep starts on first boot it detects which type of processor is running and assigns the correct .inf file, which in turn installs the correct hal.
The sysprep.inf already has the masstoragedevices section built, but if you want to rebuild it, in sysprep.inf add these lines to the bottom of the file.
Then from a command prompt run:
However remember that I have added some new Intel mass storage devices drivers manually - these are located here in the image:
and in sysprep.inf
Start > Control Panel > System > Hardware tab > Device Manager.
Uninstall the below, select no to any reboot requests.
- Disk drives
- DVD/CD-ROM drives
- Floppy disk controllers
- IDE ATA/ATAPI controllers
- Network adapters
- Ports (COM & LPT)
- ALL "unknown" devices
I then ran mysysprep.exe and chose:
- Use mini-setup
- Detect non-plug and play hardware
- Shutdown PC
Created a post-sysprep image called base.zmg
Booted from CD (downloaded latest imaging drivers/CD from http://download.novell.com)
- File > Make image > Server
- Server = IPaddressofserver
- Filename = //IPaddressofserver/path/base.zmg
Step three: drivers.zmg and monitor.zmg
We created a folder ‘drivers’ below the root of our imaging directory to hold all our driver images. Each .zmg file populates the directories below:
specific to each model of machine, which is found during imaging. See further down for how.
drivers/monitor.zmg Adds ALL drivers for monitors we have to \sysprep\drivers\monitor, that way sysprep can decide which driver to install.
Step four: applications.zmg
This adds (to C:\temp) the below applications.
- Novell Client v4.91SP4
- ZENworks agent v7sp1hp6
- Symantec Antivirus 10.1.6
These are installed via a runonce.bat file that runs the first time the machine boots after the image is put down. Runonce.bat also calls machine_specific.bat (see step 6). Here’s what the runonce.bat looks like:
REM install Novell Client
start "novell" /wait "%systemdrive%\Temp\491sp4\acu.exe" /U
REM install ZENworks 7 agent
start "zenworks" /wait "%windir%\system32\msiexec.exe" /i "%systemdrive%\ZfDAgent.msi" /qb ADDLOCAL=ALL LOGIN_PASSIVE_MODE=0 STARTUP_APPEXPLORER=1 ZENWORKS_TREE=TREENAME REBOOT=ReallySuppress
REM install Symantec Antivirus (GRC.DAT populated from site\<site>.zmg)
start "sav" /wait "%windir%\system32\msiexec.exe" /i "%systemdrive%\Temp\sav\Symantec AntiVirus.msi" /qb REBOOT=ReallySuppress
REM import novell client properties (file updated by site\<site>.zmg)
reg import "%systemdrive%\Temp\novell_client_properties.reg"
REM import zenworks middle-tier server address (file updated by site\<site>.zmg)
reg import "%systemdrive%\Temp\zenworks.reg"
REM import time server settings (file updated by site\<site>.zmg)
reg import "%systemdrive%\Temp\time.reg"
REM any machine-specific installs to do?
rmdir /S /Q "%systemdrive%\Temp\491sp4"
rmdir /S /Q "%systemdrive%\Temp\sav"
del /Q "%systemdrive%\ZfDAgent.msi"
del /Q "%systemdrive%\Temp\novell_client_properties.reg"
del /Q "%systemdrive%\Temp\zenworks.reg"
del /Q "%systemdrive%\Temp\time.reg"
REM reboot the system
"%windir%\system32\shutdown.exe" -r -t 05 -fREM reboot the system
"%windir%\system32\shutdown.exe" -r -t 05 –f
The registry files that are imported in the above batch file are put in place in the next step.
Step five: site specific changes
Used to edit settings/files on a per-site basis:
- Symantec GRC.dat -
copy the correct GRC.dat file into C:\temp\SAV\ so that SAV imports into the right group
This is imported during the runonce.bat (added in the 'applications.zmg' above) and configures the Novell client for the specific site of that machine.
add a registry key to set the local ZENworks server
add a registry key to set the local time server(s) up
Step six: machine-specific/<model>.zmg
This adds files/installs specific to each model of machine (if required). This applies to notebooks usually. The .zmg also adds a machine_specific.bat to %systemroot%, which then gets called during runonce.bat on first boot. An example .zmg for one of our HP Compaq 6930p laptops puts these folders on the PC:
And the machine_specific.bat looks like this:
REM ATI Catalyst Control Center
start "dotnet" /wait "%systemdrive%\Temp\ati_video\NET32\dotnetfx.exe" /q:a /c:"install.exe /q"
start "ati" /wait "%systemdrive%\Temp\ati_video\CCC\setup.exe" /S /V"/qb REBOOT=ReallySuppress"
REM HP Integrated module (Bluetooth stack)
start "bt" /wait "%windir%\system32\msiexec.exe" /i "%systemdrive%\Temp\hp_bluetooth\Win32\BTW.msi" TRANSFORMS="%systemdrive%\Temp\hp_bluetooth\Win32\1033.mst" ALLUSERS=2 /qn
REM HP Quicklaunch buttons
start "hpqlb" /wait "%systemdrive%\Temp\quicklaunch\setup.exe" /s /f1"%systemdrive%\Temp\quicklaunch\setup.iss"
rmdir /S /Q "%systemdrive%\temp\ati_video"
rmdir /S /Q "%systemdrive%\temp\hp_bluetooth"
rmdir /S /Q "%systemdrive%\temp\quicklaunch"
Step seven: sysprep.inf and "mysysprep"
Sysprep, or System Preparation Utility can be used to prepare an operating system for disk cloning and restoration via a disk image. It can be extracted from the WinXP CD under Support/Tools/deploy.cab.
Once extracted I ran setupmgr.exe and created a fully automated install (see below "mysysprep" for more information about this).
Sysprep cannot intelligently select the right hardware abstraction layer (HAL) during first boot (after imaging), mysysprep can do just that. Mysysprep detects which type of processor is installed (Intel, AMD, single-core, multi-core) and applies the correct HAL.
i.e. in mysysprep.inf are these lines:
If the vendor ID is GenuineIntel and the logical processor count is greater than 1, The answer file mp.inf will be merged to Sysprep.inf. If the logical processor count is 1, the answer file up.inf will be merged.
Intel processors have the vendor ID: GenuineIntel, while AMD processors have AuthenticAMD
up.inf and mp.inf are exactly the same, except for this line
Mysysprep also allows us to name the PC from the BIOS asset tag information. By adding the below to to the sysprep.inf (as well as up.inf and mp.inf) we can have a fully automated install of WinXP that also names the PC as per standard naming conventions.
Step eight: Editing the initrd and PXE menu
Editing the PXE menu
go here: \\servername\sys\tftp
Open your menu – if you’ve never edited it it’ll be DEFMENU.MNU
Add a new item “Restore WinXP image”
Put any heading, information and help screens you want
In the command box put:
Save the file
Now go to \\servername\sys\tftp\cmds
Here’s what our z_xpimage.cmd looks like:
APPEND initrd=boot/initrd vga=0x314 install=tftp://$TFTPIP/boot rootimage=/root PROXYADDR=IP_ADDRESS_OF_SERVER TFTPIP=$TFTPIP splash=silent PXEBOOT=YES mode=2 IMGCMD="runScript.s /bin/xp_image.s"
copy \\servername\sys\tfp\boot to a temporary directory on a linux machine
mv initrd initrd.gz
cpio -idmuv < ../initrd >/dev/null 2>&1
Now we have initrd extracted to /home/baarsd/boot/work.
From here we can e.g. add script files to /bin - make sure you make the rights the same as the other files in that directory.
chmod 755 xp_image.s
Note: xp_image.s is explained below
Re-create the initrd
find . | cpio --quiet -o -H newc > ../initrd
gzip -v9c initrd > initrd.gz
mv initrd.gz initrd
You can then copy the file back to your Zenworks server.
Step nine: imaging script
Initially we need to detect where the PC is and what ZENworks server to use - e.g.
if [ $PROXYADDR = "192.168.10.1" ]
This sets the site_path variable so the script knows where to look for images.
With the site found, we can restore the base image.
# Clear the image safe data
# install the image
img rp $PROXYADDR $site_path/base.zmg
Which also clears the image safe data prior to imaging.
Drivers and machine-specific software
From the imaging command prompt you can do this:
Which gives you information from and about the BIOS of the PC you run it on...so expanding on that:
hwinfo --bios | grep 'Product:'
gives us 3 results (on the dc7800 I tried it on anyway) ... one of which is the model name of the PC
hwinfo --bios | grep 'Product:'
Product: "HP Compaq dc7800 Small Form Factor"
so....in a script we can do this
if [ `hwinfo --bios | grep -ic 'Product: "HP Compaq dc7800 Small Form Factor"' = "1"` ]
img rp $PROXYADDR drivers/dc7800.zmg
So with that information we can restore the base.zmg (initial image) then put the drivers specific to that hardware on the PC.
Using the same hardware detection we can expand that to include the restore of the machine-specific software - e.g.
# HP 550
if [ 'hwinfo --bios | grep -ic "HP 550"' = "1" ]
img rp $PROXYADDR $site_path/drivers/550.zmg
img rp $PROXYADDR $site_path/machine-specific/550.zmg
img rp $PROXYADDR $site_path/drivers/monitor.zmg
# add applications to run post-image (ie during first login)
img rp $PROXYADDR $site_path/applications.zmg
Site specific changes
# site specific changes required
if [ $PROXYADDR = "192.168.12.3" ]
img rp $PROXYADDR $site_path/site/auckland.zmg
The above script then obviously gets put in the initrd as explained in step 8.