Custom Windows 8.1 Image – Part 7

[This is Part 7 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/

This blog post is interesting indeed. Let me explain why.

I got a requirement that the custom Windows 8.1 machine should have the corporate wallpaper as a lock screen. The Marketing department created a nice wallpaper with the company logo and they want it to be set as the default lock screen. Users can choose to change it later, but at least it should be set as the default lock screen. Let us assume that the corporate custom lock screen image that we need to set is named corp.png.

I thought that this was easy. Remember that the Reference Machine is never activated, nor does it have a license key. So while in audit mode, I tried to set the lock screen to corp.png, and guess what?! I could not set it, because the lock screen option is greyed out and not available while Windows is not activated!

Here is a nice trick that I used, and it works every time. The trick is described in full here: http://www.youtube.com/watch?v=Yusczt18RGg. This guy is amazing and the effort he put into the video is nothing but brilliant. One thing though: corp.png should be corp.jpg to work with Windows 8.1, and of course the resolution should be exactly as described in the YouTube link. Mainly, you will replace img100.jpg located under C:\Windows\Web\Screen\ with your own custom jpg after renaming it to img100 with the jpg extension, and delete all jpg files located under the C:\ProgramData\Microsoft\Windows\SystemData subfolders, all of that while booted into WinPE.

So after watching the video, I converted corp.png to corp.jpg and made sure it was in the right resolution. I then placed it at D:\corp.jpg on the Reference Machine, booted into WinPE, did the trick from the YouTube video, and booted the reference machine, which led me back to audit mode. Then I continued the steps of creating the image. Nicely done!

Now, when I deliver Windows 8.1 to end users, they will get the new shiny corporate lock screen. So professional and looks right.

Check out my YouTube Windows 8 Advertisement 2 minute Video :

https://www.youtube.com/watch?v=Et5IgdKcuN4

 

Custom Windows 8.1 Image – Part 6

[This is Part 6 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Final steps on the ADK Machine

Now that you have the captured image (MyImage.wim) on the USB, I found it useful to mount the image, do a couple of things, and then unmount it again.

Tip: Why is it important to mount the image, do things and unmount it again? Well, I encountered a problem last year: when I deployed my custom image to end users, the installation wizard prompted me for a license key!! And sometimes the whole installation wizard exited with an error. After opening a case with Microsoft, the solution was to mount the image, inject something called a Global Volume License Key (GVLK) into the image wim file, and then unmount it. This is needed because I know that my clients will activate using my internal KMS or Active Directory (using the new AD activation method), and we need to inject a publicly available key into the Windows image to tell it not to prompt for a license key during the installation, as it will connect to KMS or AD for activation. This is why the following step is important.

Link: http://technet.microsoft.com/en-us/library/jj612867.aspx

Now, let us get back to the ADK Machine and review the folder structure again. We have created the following folder structure under the C:\ drive of the ADK Machine:

  • Downloads  [contains the ADK Installation files]
  • Software\Windows 8.1 Installation [contains the Windows 8.1 original installation files]
  • Workplace
    • Mount
    • ImageWorkplace

Remember also, that on the ADK Machine, we have created a Virtual Machine Snapshot after installing the ADK Tools on it.

Now, let us do the following on the ADK Machine:

  • Copy the Windows 8.1 installation files from C:\Software\Windows 8.1 Installation to C:\Workplace\ImageWorkplace
  • Copy the MyImage.wim that we have generated from the Reference Machine to the C:\ drive of the ADK Machine.
  • Rename C:\MyImage.wim on the ADK Machine to install.wim.
  • Replace C:\Workplace\ImageWorkplace\sources\install.wim with C:\install.wim
  • Go to Start and run Deployment and Imaging Tools Environment CMD as an Administrator and type:

Dism /mount-image /imagefile:C:\Workplace\ImageWorkPlace\sources\install.wim /index:1 /mountdir:C:\WorkPlace\Mount

  • Browse to C:\WorkPlace\Mount and you can see the expanded files here.
  • If you plan to activate Windows 8.1 in your environment using KMS or Active Directory Activation, then you have to inject a Global Volume License Key into the image. Choose the licensing key that matches your needs from here: http://technet.microsoft.com/en-us/library/jj612867.aspx. In my case, I will be using the Windows 8.1 Enterprise key, so while in the Deployment and Imaging Tools Environment CMD, I will check the current edition and then set the product key:

Dism /image:C:\Workplace\Mount /Get-CurrentEdition
Dism /image:C:\Workplace\Mount /Set-ProductKey:MHF9N-XY6XB-WVXMC-BTDCT-MKKG7

Tip: You can get a list of the metro apps in your image by running:

Dism.exe /Image:C:\WorkPlace\Mount /Get-ProvisionedAppxPackages

and you can remove any metro app package by running:

Dism.exe /Image:C:\WorkPlace\Mount /Remove-ProvisionedAppxPackage /PackageName:XXX

where XXX is the package name you get from Get-ProvisionedAppxPackages.

  • Now let us unmount the image and commit changes by running:

Dism /unmount-image /mountdir:C:\Workplace\Mount /commit

Tip: If you face any problem in mounting and unmounting the image, revert the ADK Machine to the snapshot that we took before, which is a clean ADK Machine with the ADK Tools installed. I ran into situations where, after mounting and unmounting images over and over again on the ADK Machine, I got errors about the unmounting operation failing because of some open files or so. Reverting the machine to a clean snapshot solves the issue every time.

  • Now, to create an ISO image, run:

Oscdimg -u2 -m -b"C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\etfsboot.com" C:\Workplace\ImageWorkplace C:\MyImage.iso

    Note: There is no space after the -b switch.

  • Now you have an ISO file named MyImage.iso on the root of the C drive of the ADK Machine. Congrats!
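
The mount, key injection and commit steps above can also be scripted so that a failure part-way through always discards the mount instead of leaving it open. The following is an added example, not the author's script: it uses the DISM PowerShell module on the ADK Machine, the product key is a placeholder for the GVLK you picked from the TechNet list, and the hash log path is an assumption.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example (not from the original post). Paths follow the folder layout used above.
$ErrorActionPreference = 'Stop'
Import-Module Dism

$ImagePath = 'C:\Workplace\ImageWorkplace\sources\install.wim'
$MountDir  = 'C:\Workplace\Mount'
$Gvlk      = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'        # placeholder: GVLK for your edition
$HashLog   = 'C:\Workplace\install.wim.sha256.txt'  # assumed location for the hash record

function Reset-MountPoint {
    # Discard anything still mounted at $MountDir and clear corrupt mount state,
    # so a failed earlier run does not block this one.
    $mounted = Get-WindowsImage -Mounted | Where-Object { $_.Path -eq $MountDir }
    if ($mounted) {
        try   { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
        catch { Write-Warning "Discard failed: $($_.Exception.Message)" }
    }
    Clear-WindowsCorruptMountPoint | Out-Null
}

Reset-MountPoint
$saved = $false
Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $MountDir | Out-Null
try {
    # The key must belong to the edition reported here.
    $edition = (Get-WindowsEdition -Path $MountDir).Edition
    Write-Host "Edition in image: $edition"

    Set-WindowsProductKey -Path $MountDir -ProductKey $Gvlk | Out-Null

    # Commit only after every servicing step succeeded.
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    $saved = $true
}
finally {
    if (-not $saved) {
        Write-Warning 'Servicing failed; discarding changes so install.wim stays as captured.'
        try { Reset-MountPoint } catch { Write-Warning $_.Exception.Message }
    }
}

# Record the hash of the serviced image so the copy that ends up in the ISO
# and on deployment shares can be compared against it later.
$hash = Get-FileHash -Path $ImagePath -Algorithm SHA256
'{0}  {1}  {2}' -f $hash.Hash, $hash.Path, (Get-Date).ToString('s') |
    Add-Content -Path $HashLog
Write-Host "SHA256 $($hash.Hash) written to $HashLog"
```

Run it from an elevated PowerShell prompt on the ADK Machine before the Oscdimg step.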

Custom Windows 8.1 Image – Part 5

[This is Part 5 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Boot Reference Machine in Audit Mode

So now Windows will enable the disabled built-in administrator account and log you on. Audit mode is a special mode where Windows enables the default built-in administrator account and logs on to its profile with some limited functionality.

Now that you are in Audit Mode, make sure you are still connected to the Internet without a proxy connection, make sure Windows is not activated, and do not ever try to open any Metro apps.

Tip: In Audit Mode, you can perform something called Profile Customization, in which you customize the profile that you are currently logged on to in Audit Mode (which is the default built-in administrator). This is exactly what we will do here.

So now that I am in Audit Mode, I start by doing the following customization:

  • Change the desktop background.
  • Open IE and click (use recommended settings) on the prompt that appears when you open IE for the first time.
  • Go to IE > Internet Options > Security > Local Intranet, where I added *.contoso.com.
  • I add Google as the default search provider in IE.
  • I set www.contoso.com as the default home page in IE.
  • I go to Control Panel > Default Programs > Set your default programs, and I change the defaults (Adobe as the default application for pdf files, Windows Media Player as the default application for all media files, Windows Photo Viewer as the default application for photos).
  • I opened MMC > Certificates > Local Computer > Trusted Root Certificate, and I added my internal root CA public key certificate as a trusted root authority.
  • I go to C:\Users and I delete the profile of the user that gets created when I first installed Windows 8.1 on the Reference Machine. Then I go to Computer Management and I delete that user. This way, you will have only the default administrator and guest accounts.
  • Place some corporate internal portals in the IE favorites or tabs.
  • I delete the Event Viewer log files by going to the Event Viewer MMC, right-clicking the Application, Security, and System categories and clearing them. This way, the reference image will not have old events.
  • Open IE, and clear history, passwords and cookies. Close IE and do not open it again.
  • Go to Control Panel > Credential Manager, and make sure no stored credentials are available there.
  • Place handy shortcuts on the desktop if you like.

Tip: When you are in Audit Mode, any move you make will affect the customized profile that you are in. For example, when you are in audit mode and you open c:\windows\web\ from Windows Explorer, this path will get cached. When you deploy the image, users who start browsing the file system will get suggestions to open c:\windows\web. So try not to browse any registry paths or file system paths while in audit mode, to prevent Windows from caching those paths and showing them as suggestions to all users. I usually use CMD and the copy command to browse and copy files while in audit mode.

Note: I made a mistake once: while being in audit mode, I opened the registry editor, browsed to a strange path, and closed the registry editor. After deploying the image to users, whenever someone tries to open the registry editor, he will find himself inside that strange path. So take the previous tip seriously.

Now the final thing is to customize the start screen. It is very important to notice that since the machine is not licensed or activated yet, you cannot customize everything. Windows will show most of the customization options as grayed out because Windows is not activated. It is absolutely OK. Do not try to be clever and tweak things. Just customize the look of things that can be customized.

Tip: I saw people, and even myself, trying to search for the registry keys or file paths that allow us to do more customization and bypass the grayed-out settings caused by the fact that Windows is not activated yet. Sometimes, those files are located in hidden folders that even SYSTEM or the built-in administrators cannot access. Only a special SID called (TRUSTED INSTALLER) has access to those files. Do not try to be smart and take ownership of those hidden folders and change things. Just do the customization of the look and feel of Windows that Windows allows you to do while it is not activated, or you will screw things up, believe me.

Now it is time to customize the start screen. In my case I do the following:

  • The first thing that matters to users is to find the shutdown, restart and logoff keys, so I downloaded this PowerShell script to help create those tiles for me.
    • From your personal machine, download a script zip file called (CreateWindowsTile) from here: http://gallery.technet.microsoft.com/scriptcenter/Create-a-ShutdownRestartLog-37c8111d
    • Take only the CreateWindowsTile.PS1, copy it to a USB, move it to the reference machine while you are in Audit mode, and paste it to the desktop.
    • From the reference machine, open PowerShell using Run as administrator and type:
      • Set-ExecutionPolicy unrestricted
      • C:\users\administrator\desktop\CreateWindowsTile.ps1
      • By running that script, three tiles will be created for you
        • Shutdown
        • Restart
        • Logoff
      • Set-ExecutionPolicy restricted
    • Next, I populate the start screen with Office applications, the Control Panel icon, and (Notepad, Paint, Sticky note, CMD, calculator, RDP)

Tip: Do not try to be smart on your first try and download special tools to create custom tiles that look nice and put them in your image. Keep it simple and design the start screen with only the basic things that your users need. You do not have to include everything here. After all, users can search for things; what we are trying to do here is to make it one step easier by putting, say, the top 10 application shortcuts.

Finally, empty the recycle bin and move to the next step.

Sysprep while in Audit Mode

Now, it is time to sysprep every application that you have installed in your reference image. You have to check with each software provider how to sysprep their application and whether they support capturing their software in an image, to avoid duplicate IDs. I will list a couple of applications that I have on my reference machine that need sysprep:

How to sysprep SCCM?

If you have SCCM in your reference machine, you have to sysprep it while in audit mode. You do this by doing the following:

  • Stop the SMS Agent Host Service.
  • Go to computer certificate store and delete the two signing and encrypting certificates under SMS store.
  • If it exists, delete the %SystemRoot%\SmsCfg.
  • Make sure to capture the image before the service starts or the system reboots.

Note: Tested with SCCM 2007 Agent

How to rearm Microsoft Office 2013?

  • We need to do something called REARM. When this happens, the grace period of Office is frozen and the Office client machine ID (CMID) is reset.
  • To rearm Office, go to C:\Program Files\Microsoft Office\Office15, open CMD as administrator on this path and run ospprearm.exe. Don't open any Office application after the rearm operation. Do not restart the machine.

How to sysprep Symantec Antivirus?

  • To clone a Symantec installation, we need to run a cloning executable before taking the image:

http://www.symantec.com/business/support/index?page=content&id=HOWTO54706

  • It should be done as the last step in the image preparation process, before running sysprep and/or shutting down the system. If the system is rebooted or the Endpoint Protection client services are restarted, then new identifiers will be generated and you must re-run the tool before cloning.
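
The audit-mode cleanup list and the SCCM steps above are easy to get partly wrong, and anything left behind (a stored credential, an extra local account, the SCCM client identity) ends up on every deployed machine. The following read-only check is an added example, not the author's script. It assumes the SMS Agent Host service is named CcmExec and that the SCCM configuration file is SMSCFG.ini, neither of which the post spells out, and the event-record threshold is an arbitrary assumption.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example (not from the original post). Read-only: it reports, it does not delete.

function Test-ReferenceMachineClean {
    param([int]$MaxEventRecords = 200)   # assumed threshold; logs refill after clearing

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Only the built-in Administrator (RID 500) and Guest (RID 501) should remain.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -notmatch '-50[01]$' } |
        ForEach-Object { $findings.Add("Extra local account: $($_.Name)") }

    # 2. No user profile other than the built-in Administrator's.
    Get-WmiObject Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.SID -notmatch '-500$' } |
        ForEach-Object { $findings.Add("Leftover profile: $($_.LocalPath)") }

    # 3. Credential Manager: cmdkey prints one 'Target:' line per stored entry
    #    (English output assumed).
    $stored = @(cmdkey.exe /list | Select-String -Pattern '^\s*Target:')
    if ($stored.Count -gt 0) {
        $findings.Add("Stored credentials in Credential Manager: $($stored.Count)")
    }

    # 4. Event logs should be close to empty after clearing.
    foreach ($log in 'Application', 'Security', 'System') {
        $count = (Get-WinEvent -ListLog $log).RecordCount
        if ($count -gt $MaxEventRecords) {
            $findings.Add("$log log holds $count records; clear it again")
        }
    }

    # 5. SCCM client identity (only checked when the agent is installed).
    $agent = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if ($agent) {
        if ($agent.Status -ne 'Stopped') {
            $findings.Add('SMS Agent Host is running; stop it before capture')
        }
        if (Test-Path 'Cert:\LocalMachine\SMS') {
            $certs = @(Get-ChildItem 'Cert:\LocalMachine\SMS')
            if ($certs.Count -gt 0) {
                $findings.Add("SMS certificate store still holds $($certs.Count) certificate(s)")
            }
        }
        $cfg = Join-Path $env:SystemRoot 'SMSCFG.ini'
        if (Test-Path $cfg) { $findings.Add("SCCM configuration file present: $cfg") }
    }

    return $findings
}

$result = @(Test-ReferenceMachineClean)
if ($result.Count -eq 0) {
    'No leftovers found; the reference machine is ready for sysprep and capture.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```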

Booting the Reference Machine into Windows PE

After you have sysprepped everything in audit mode, and while you are still in audit mode, copy the CopyProfileunattend.xml that was created on the ADK machine to the reference machine D:\ drive (remember that the reference machine has a D drive with 20 GB capacity).

Now, while in audit mode on the reference machine, open cmd as administrator, browse to c:\Windows\System32\sysprep, and run this:

sysprep.exe /generalize /oobe /shutdown /unattend:D:\CopyProfileunattend.xml

Windows will then sysprep the operating system and shut down.

Now connect the WinPE ISO image to the reference virtual machine DVD drive, and boot the machine from the DVD. If for any reason you did not manage to press F2 in time to boot from the DVD and the machine booted from its hard disk, then you need to do all the application sysprep steps and run (sysprep.exe /generalize /oobe /shutdown /unattend:D:\CopyProfileunattend.xml) again.

Once you are in WinPE, note that the drive letters are changed in most cases. For example, you may find that the G drive is now the C drive. So to identify the new volume names, we will use the diskpart command line. On the WinPE command prompt, type:

  • Diskpart
  • List disk
  • List volume
  • Exit

From the output you can work out which drive letter is your reference machine C drive and which drive letter is your reference machine D drive. For simplicity, I will assume that the drive letters are not changed at this point.

Now run this command:

DISM /Capture-Image /CaptureDir:C:\ /ImageFile:D:\MyImage.wim /Name:"corporate win8.1 Image v1" /Description:"Corporate Image user type"

Let us describe the options here:

  • /CaptureDir: is the directory of the reference machine C drive. Again, you should use the previous diskpart output to identify whether C is still that drive or not.
  • /ImageFile: is the location to store the captured image. In my case it should be the D drive of the reference machine.
  • /Name: is the name of the image. When you browse the WIM file in the future, this name will appear.
  • /Description: sometimes if you do not supply this field, you will get errors in future steps.

Once the capture is done, reboot the reference machine and complete the wizard that Windows will show because you are in the OOBE experience now, and then browse to the D drive and copy MyImage.wim to the ADK machine.

Custom Windows 8.1 Image – Part 4

[This is Part 4 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Working on the Reference Machine

Virtual Machine Preparation

The reference machine is the machine that you will use as a reference to capture your image. This is the machine on which you will install your custom apps and profile tweaks.

Tip: I highly recommend using a virtual machine as a reference machine, and not a physical machine. Why? Well, if you use a physical machine, then many graphics drivers get installed. I spent a couple of days using a physical machine as a reference machine, and I got the metro apps failing. I read a blog somewhere saying something about metro apps failing randomly because of those graphics drivers. I moved to a virtual machine as a reference machine and the problem was sorted out. This is a very expensive lesson!!!

Tip: When using virtual machines, integration tools usually get installed (like Hyper-V integration tools or VMware Tools). After you have installed all applications on the reference virtual machine, make sure to uninstall those integration tools before capturing the image.

So, I have created a virtual machine with 4 GB RAM, one processor, a 40 GB C drive virtual disk, and a 20 GB D drive that will be used to store the captured image. I then installed Windows 8.1 from the original ISO image that I have. I recommend using the original Windows 8.1 ISO to initially install Windows on the reference machine, not any custom ISO.

Tip: Make sure the reference virtual machine is connected to the internet. I cannot emphasize enough that you should not use proxy settings on the reference machine in order to access the internet. Instead, connect the machine to a direct internet line if possible, without any proxy requirements. There are two reasons for that. The first one is that most of the time your proxy will need credentials or have restrictions on the type of web sites to visit; you do not want anything to interfere with the type of sites your reference machine can access, and you do not want password popups and the need to enter passwords that will be saved in the reference machine's credential manager. The second reason is that sometimes Metro apps connect to the internet to activate and they may not work correctly with a proxy. I am not sure how accurate this is, but this is how I got the image working.

Finally, make sure you have a couple of USB drives on hand, as you may need them to copy things around. I usually have two 16 GB USB drives around me just in case. You do not have to do the same, this is only me.

Software Installation

After installing Windows 8.1 on the reference machine, and logging in using the account that is created during the Windows 8.1 installation wizard, I make sure it is connected to the internet without any proxy configuration or the need to enter credentials to access the internet.

Do not join the reference machine to the domain or activate the Windows installation. I usually connect that machine to a separate dedicated network with unrestricted internet access.

Then I start installing my custom software (not in audit mode). Below is a brief list of the software I installed in my case:

  • Office 2013 including Visio
  • Adobe Reader
  • Silverlight
  • Microsoft SCCM Client
  • Antivirus solution and security clients
  • Chrome browser
  • .net 3.5

I find it very helpful to include .NET 3.5. You can use this link to help you install 3.5 on Windows 8.1 (http://msdn.microsoft.com/en-us/library/hh506443(v=vs.110).aspx). Usually I run (DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:e:\sources\sxs), where E:\ is the DVD drive where the Windows 8.1 media is located.

I included the Chrome browser as IE 11 that ships with Windows 8.1 sometimes has compatibility issues with some internal web sites or even public ones.

Tip: No need to install Flash, as IE11 handles Flash sites like YouTube video without the need to do anything.

Tip: I see people installing Java Runtime here. I highly recommend not doing that. Java Runtime gets crucial updates every day and it is the main entry point for attacks. You do not want to deploy an image with an outdated Java Runtime and compromise the security of the machine. Instead, use SCCM or any other deployment tool that you have in place to install Java Runtime and its updates after the image is deployed. In my case, I do not install Java Runtime on machines at all. When someone needs Java Runtime, the local IT will go and install the latest version on his machine. No need to have Java Runtime on all machines from day one because someday they may use it. Huge security tip.

Tip: In Microsoft documentation, software and patches are applied while in audit mode. I saw a couple of blog posts reporting issues with that, so I only sysprep and customize things in audit mode, and I install everything before entering audit mode. This is my way and I do not state that this is the Microsoft way.

Tip: When installing Adobe, make sure you configure its update settings now if you do not want users to get prompts to install a newer version. If users are not admins on their machines, which is the normal case I hope, then you do not want them to get such notifications all the time about newer versions being available, with no power to do anything.

Installing Updates

Once I have everything installed, I then connect to Windows Update and install all Windows updates available there. I prefer not connecting to the internal WSUS server and instead connect directly to Microsoft portals to get updates. Then, I update the antivirus solution, Adobe and any updates available for the software I installed previously.

Tools included

Once I have installed and updated everything, I usually create a folder called Tools under C:\. In this folder, I put all the administrative tools that can help local IT to do basic troubleshooting. My list is:

  • FIM CM Client installation files, in case we need to provision a smart card on this machine. FIM CM is Microsoft Forefront Identity Management/ Certificate Management Client.
  • Gemalto Smart Card minidriver files, which is the driver to support Gemalto Smart Cards.
  • Microsoft Message Analyzer: Network tracing tool from Microsoft.
  • Outlook Configuration Analyzer Tool: tool to help troubleshoot Outlook issues.
  • PortQuery and PortQueryGUI: Tools to help test connectivity on TCP or UDP ports. Very handy tool.
  • CMTrace: Configuration Manager log tracing tool. This tool is essential if you have SCCM in place and want to trace client side log files.
  • MOCLogin: Tool to troubleshoot Lync issues.
  • TCPView: Sysinternals GUI tool to track which processes are opening network connections.
  • ProcessExplorer: Sysinternals GUI tool to track processes.
  • Zoomit: Sysinternals tool.
  • Sysinternals Package: Zip file containing all Sysinternals tools.
  • Install the Telnet Client Feature.
  • Readme.txt file: file to describe and document the custom image

Note: If you are not familiar with Sysinternals tools, check this URL http://technet.microsoft.com/en-us/sysinternals/bb545021.aspx. It is must-have knowledge.

Note: I mentioned that I put readme.txt in the C:\Tools folder. This is a very important text file I created in Notepad to document the version, settings and software that this image contains. The text file contains the following sections in my case:

  • Header Section:
    • Image Name : Windows 8.1 x64 Enterprise Edition
    • Image version : v1.2
    • Image type : user edition (in case you have another custom image for finance people which has the financial application installed, so I classify my images to types)
    • Image creation date: 29th Jan 2014
    • Software included :

Here you mention all software included in the image, plus the version and build number and the update and patch level for each item.

  • Windows Patches: I usually document here any special patches or service pack levels if any
  • Tools included: Here I document every tool that I included in the C:\Tools folder

Tip: During all this, I avoid opening or updating any metro apps. It is strongly recommended not to update any metro app in the custom image. In TechNet you can find all the reasons for that.

Final Touches

An interesting thing that I do here is to open the registry and browse to HKEY_LOCAL_MACHINE\SYSTEM, right click and choose New Key, name it “Corp”. Inside it, I create the following values:

  • String value (Image Name) : Windows 8.1 x64 EE
  • String value (Image Creation) : 29th Jan 2014
  • String value (Image Type) : User
  • DWORD 32bit (Image version) : 1

This is extremely handy: you can walk to any computer, open the registry, and you have all the information about what image was used to install the O.S on that computer. I also use SCCM to collect this registry value on all machines and get reports about how many computers are running this version of my image!
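
The registry stamp and the readme described above can be produced by one script, which also keeps you out of the registry editor. The following is an added example, not the author's script: the value names and data are the ones listed in this post, while the readme layout and the SHA-256 listing of the files in C:\Tools are assumptions added so local IT can later confirm the bundled tools are unchanged.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example (not from the original post): stamps the image and writes C:\Tools\Readme.txt.
$ErrorActionPreference = 'Stop'

# Values taken from this post; adjust them for your own image.
$Stamp = [ordered]@{
    'Image Name'     = 'Windows 8.1 x64 EE'
    'Image Creation' = '29th Jan 2014'
    'Image Type'     = 'User'
}
$ImageVersion = 1
$KeyPath  = 'HKLM:\SYSTEM\Corp'
$ToolsDir = 'C:\Tools'
$Readme   = Join-Path $ToolsDir 'Readme.txt'

# 1. Registry stamp: three string values and one 32-bit DWORD.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath | Out-Null }
foreach ($name in $Stamp.Keys) {
    New-ItemProperty -Path $KeyPath -Name $name -Value $Stamp[$name] `
        -PropertyType String -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name 'Image version' -Value $ImageVersion `
    -PropertyType DWord -Force | Out-Null

# 2. Installed software with versions, from the 64-bit and 32-bit uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    ForEach-Object { '{0}  {1}' -f $_.DisplayName, $_.DisplayVersion } |
    Sort-Object -Unique

# 3. Installed Windows updates.
$patches = Get-HotFix | Sort-Object HotFixID | ForEach-Object { $_.HotFixID }

# 4. Tools in C:\Tools with their SHA-256 hashes (the readme itself is skipped).
$tools = Get-ChildItem -Path $ToolsDir -File -Recurse |
    Where-Object { $_.FullName -ne $Readme } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path }

# 5. Write the readme.
$lines  = @()
$lines += 'Image Name          : ' + $Stamp['Image Name']
$lines += 'Image version       : ' + $ImageVersion
$lines += 'Image type          : ' + $Stamp['Image Type']
$lines += 'Image creation date : ' + $Stamp['Image Creation']
$lines += ''
$lines += 'Software included:'
$lines += $software
$lines += ''
$lines += 'Windows Patches:'
$lines += $patches
$lines += ''
$lines += 'Tools included (SHA-256  path):'
$lines += $tools
Set-Content -Path $Readme -Value $lines -Encoding UTF8

# Read the stamp back to confirm what was written.
Get-ItemProperty -Path $KeyPath |
    Select-Object 'Image Name', 'Image Creation', 'Image Type', 'Image version'
```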

Next, I go to C:\Windows\Web\Wallpaper\Windows, and I put many professional wallpapers there, so that if any user wants a corporate or nice wallpaper, he can right click his desktop, choose Personalize, then Desktop Background, and since Windows reads the directory that we have just populated, the end user will now see the many wallpaper options that we provided him with. Cool thing indeed.

I also make sure Windows Firewall is enabled and configured correctly, and I go to services.msc and do my final touches (e.g. if you are using BranchCache technology, you can set the start mode for BranchCache to automatic and start it). Even if you can do those configurations via GPOs, I always like to configure everything in the base image, and rely on GPO to enforce things.

If you are in an extreme security environment, you can open GPEDIT.MSC and configure security settings for the machine, so that from the moment that the O.S is installed and until it is joined to the domain, it remains secured. In my case, I do not configure group policy settings in my reference image.

Finally, I restart the reference machine and check for updates one last time just to make sure everything is fine. At this phase, the reference machine has never and will never be joined to any domain, nor is it licensed or activated.

Now, open CMD as Administrator, browse to c:\Windows\system32\sysprep, and type:

Sysprep /OOBE

Note: OOBE stands for Out Of Box Experience.

Windows then will reboot and show you the wizard that asks you questions when you install a new Windows Computer. Do not do anything or choose anything, just press (Control + Shift + F3) and Windows will enter something called Audit Mode.

Custom Windows 8.1 Image – Part 3

[This is Part 3 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

Create Windows PE media

Windows PE, or pre-installed environment, is an environment that you can boot into to do administrative tasks on your installed O.S.

  • On the ADK machine, go to Start and run Deployment and Imaging Tools Environment CMD as an administrator.
  • Type the following, specifying either x86, amd64, or arm:

copype amd64 C:\WinPE_amd64

  • This will create a folder on the ADK machine on the C:\ drive root called WinPE_amd64
  • Install Windows PE to the USB flash drive, specifying the drive letter:

MakeWinPEMedia /UFD C:\WinPE_amd64 F:

  • In our case, we are working with virtual machines, so we do not want to burn WinPE on a USB, we want to generate ISO, so we will type the following command to generate an ISO on the root of the C drive:

MakeWinPEMedia /ISO C:\WinPE_amd64 C:\winpe.iso

Now, you have an xml file called CopyProfileunattend.xml that you have generated from the ADK SIM tool. You also have the ADK machine ready and setup. Now it is time to move to the reference virtual machine and work on it.

Custom Windows 8.1 Image – Part 2

[This is Part 2 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-1/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

 

Working on the ADK Machine

Introduction

The first thing that I do when building any type of Windows image is to take my time preparing an isolated environment with all the tools I want. In this section, we will be working on the ADK machine.

The ADK machine is a non-domain-joined machine without any security baselines, antivirus or security solutions installed on it. Why is this important? This is not a requirement from Microsoft, but it is the way that I find very productive and that reduces the possibility of errors. Having the machine without antivirus can prevent offline image servicing errors. When the machine is not joined to the domain, it reduces the possibility of a GPO restriction interfering with DISM commands, which heavily access the file system and do complex stuff. After a long time doing imaging, I found this way working well for me.

ADK machine is a Windows 8.1 machine, not joined to the domain, does not have any security products or antivirus installed, and has Microsoft ADK installed on it, hence the name ADK machine.

ADK stands for Assessment and Deployment Kit. Those are tools that can help you to deploy Windows in an unattended way. Make sure you install the ADK version that supports Windows 8.1. Make sure to download the ADK and save the installation files on your file server, as you may need to reinstall it.

Tip: I usually use a virtual machine for the ADK machine. I install Windows 8.1 on it and ADK for Windows 8.1, and I take a snapshot immediately after that with the name (ADK machine clean). You will find this handy when troubleshooting offline image servicing and you need to revert to a clean ADK machine state.

Prepare the ADK Machine

I prefer to have a virtual machine with 4 GB RAM (2 GB is possible), normal processing power and one system drive c:\. The C drive should be big enough to hold all imaging operations, so make sure you have at least 60 GB drive size.

Create the following folders on the C drive of the ADK machine:

  • Downloads
  • Software\Windows 8.1 Installation
  • Workplace
    • Mount
    • ImageWorkplace

Get your hands on the Windows 8.1 installation files, and place them under C:\Software\Windows 8.1 Installation folder on the ADK Machine.

Install Windows ADK for Windows 8.1 on the ADK Machine

Note: ADK Portal: (http://www.microsoft.com/en-us/download/confirmation.aspx?id=39982)

When you go to the Microsoft portal to download the ADK for Windows 8.1 and click Download, a 1.402 MB file called (adksetup.exe) is downloaded to your machine. You have to run this adksetup.exe. When you do that, you will have two options:

  • Install
  • Download

I highly recommend choosing the second option (Download), so you will have the installation files offline. Once the download is completed, you can run it and pick the following components to install:

  • Deployment Tools
  • Windows PreInstallation Environment (Windows PE)


Now, if you go to the start screen, you can see the ADK tiles are available. We will be using two of the ADK tools:

  1. Windows System Image Manager (SIM)
  2. Deployment and Imaging Tools Environment CMD

I highly recommend taking a snapshot of the ADK machine after you have installed the ADK; name the snapshot something like (ADK machine clean).

Create Answer File

  • We are still in the ADK machine.
  • Now go to Start > Windows System Image Manager.
  • In the Windows System Image Manager window, right click the (Windows Image) sub window, click (Select Windows Image), and browse to:

C:\Software\Windows 8.1 Installation\Sources\install.wim

  • You will get a warning that a catalog needs to be created; click OK.


  • Now, under the “Answer File” window, right click and choose “New Answer File”.
  • Once done, this will show a template for a new answer file.


  • Now as you can notice, you have three important windows:
    • Windows Image Window: contains settings that you can pick from and add to the answer file.
    • Answer File Window: contains an answer file to be populated with settings.
    • Properties Window: contains the sub settings for a highlighted setting in the Answer File Window.
  • If interested, check the link below for information about all settings available under the “Windows Image” window.

Link:  http://technet.microsoft.com/en-us/library/ff715394.aspx

  • I have configured many settings in the answer file, so I will show you how to configure one setting with screenshots, and you will get the idea, then I will list the settings that I have added and you can do the same.
  • So let me show you now how to add a setting to the answer file:
    • In the “Windows Image” window, expand “Components” and search for “….Microsoft-Windows-Shell-Setup_……._neutral”. Right click the setting and click “Add setting to Pass 4 specialize”. This simply means that we are adding a setting that will specialize the image.

  • Now look at the “Answer File” window and expand the “4 specialize” folder, and you can see the setting that we added in the previous step. Click on it, and notice the “Properties” window at the right. Click “Copy Profile” in the “Properties” window and choose “true”, and in the “TimeZone” setting, enter the time zone that you want. To learn how to type the correct format of the time zone, check the URL mentioned previously.

Now that you know how to add settings, here are the settings I have added:

  1. “Microsoft-Windows-Shell-Setup”, pass: specialize
    • CopyProfile: true
    • TimeZone: China Standard Time
  2. “Microsoft-Windows-International-Core”, pass: oobeSystem
    • InputLocale: en-us
    • SystemLocale: en-us
    • UILanguage: en-us
    • UserLocale: en-us
    • UILanguageFallback: en-us
  3. “Microsoft-Windows-Shell-Setup”, pass: oobeSystem
    • RegisteredOrganization: Contoso International
    • RegisteredOwner: Contoso International
    • OOBE:
      • HideEULAPage: true
      • HideOnlineAccountScreens: true
      • NetworkLocation: work
      • ProtectYourPC: 1
      • HideOEMRegistrationScreen: true
    • VisualEffects:
      • SystemDefaultBackgroundColor: 1

Tips: Let me explain a couple of those settings:

  • CopyProfile: the most important setting; this will give us the chance to customize the profile of each user using the image.
  • HideEULAPage: this will hide the page asking you to accept the license agreement.
  • HideOnlineAccountScreens: this will remove the option to log on using a Microsoft account during the installation wizard.
  • SystemDefaultBackgroundColor: this setting simply sets the default color for the start screen background. The numeric values for the colors are not the same for Windows 8 and Windows 8.1. Check the link below for more info about background color:

Link: http://technet.microsoft.com/en-us/library/jj570859.aspx

The result XML file will look like this:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">

  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
      <TimeZone>Jordan Standard Time</TimeZone>
    </component>
  </settings>

  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>en-us</InputLocale>
      <SystemLocale>en-us</SystemLocale>
      <UILanguage>en-us</UILanguage>
      <UILanguageFallback>en-us</UILanguageFallback>
      <UserLocale>en-us</UserLocale>
    </component>

    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>1</ProtectYourPC>
        <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
      </OOBE>
      <VisualEffects>
        <SystemDefaultBackgroundColor>1</SystemDefaultBackgroundColor>
      </VisualEffects>
      <RegisteredOwner>Aramex International</RegisteredOwner>
      <RegisteredOrganization>Aramex International</RegisteredOrganization>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:c:/users/claudea/desktop/install.wim#Windows 8.1 Enterprise" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

Finally, after adding all those settings to the answer file, go to Tools > Validate Answer File. Make sure you do not have errors, and then save the answer file as CopyProfileunattend.xml.
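One way to check the saved answer file against the list of intended settings before it is carried to the Reference Machine. This is an added example, not part of the original post; the function name, the key format and the trimmed sample XML are assumptions made for the illustration:

```powershell
# Added example, not the author's code. Needs PowerShell 3.0 or later.
function Compare-UnattendSetting {
    param(
        [Parameter(Mandatory)][xml]$AnswerFile,
        [Parameter(Mandatory)][hashtable]$Expected   # key: 'pass|component|setting path'
    )
    # The unattend schema uses a default namespace, so XPath needs an explicit prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($AnswerFile.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $actual = @{}
    foreach ($component in $AnswerFile.SelectNodes('/u:unattend/u:settings/u:component', $ns)) {
        $prefix = $component.ParentNode.GetAttribute('pass') + '|' + $component.GetAttribute('name')
        # A leaf setting is any element below the component that has no child elements.
        foreach ($leaf in $component.SelectNodes('.//*[not(*)]')) {
            $names = @()
            for ($n = $leaf; -not [object]::ReferenceEquals($n, $component); $n = $n.ParentNode) {
                $names = @($n.LocalName) + $names
            }
            $actual["$prefix|$($names -join '/')"] = $leaf.InnerText
        }
    }
    foreach ($key in $Expected.Keys) {
        $found = if ($actual.ContainsKey($key)) { $actual[$key] } else { '<missing>' }
        [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $found
                           Match = ($found -ceq $Expected[$key]) }   # case-sensitive compare
    }
}

# Constructed sample answer file (trimmed; not the full file shown in the post).
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <OOBE><HideEULAPage>true</HideEULAPage></OOBE>
    </component>
  </settings>
</unattend>
'@
$expected = @{
    'specialize|Microsoft-Windows-Shell-Setup|CopyProfile'                   = 'true'
    'oobeSystem|Microsoft-Windows-Shell-Setup|OOBE/HideEULAPage'             = 'true'
    'oobeSystem|Microsoft-Windows-Shell-Setup|OOBE/HideOnlineAccountScreens' = 'true'
}
Compare-UnattendSetting -AnswerFile $sample -Expected $expected
```

To check the real file, pass `(Get-Content -Raw <path to CopyProfileunattend.xml>)` as `-AnswerFile`; any row with Match = False is a setting that is missing from the file or differs from what you intended.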



Custom Windows 8.1 Image – Part 1

[This is Part 1 of 7]

Check out other parts:
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-2/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-3/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-4/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-5/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-6/
http://ammarhasayen.com/2014/01/31/custom-windows-8-1-image-part-7/

I am writing this blog post to document the steps I went through to create a corporate Windows 8.1 Image.

I found a lot of approaches on the internet describing advanced ways to build such an image, like WDS, MDT, and SCCM Zero/Light touch deployments.

That’s cool actually, but the requirement I have is: give me an ISO that has a customized Windows 8.1 image. That means all customizations have to be packaged inside that ISO.

One recommendation here is to create an updated custom image every 3 months, so that it contains all the Windows and application updates. Keep good version information in place so you can track your custom images.

I also avoid creating any custom refresh image with all apps installed in my image, for a good reason. I want the IT teams to always check for a newer version of the custom image that I produce every three months, instead of deploying the first release of my custom image and then using the custom refresh that ships with it to sort out any problems. This way, if the local IT teams have a problem with one machine, they will check for the newest image version of Windows 8.1 that I have made and not rely on the outdated custom refresh image.

The steps described below are a collection of knowledge from Microsoft TechNet, webcasts, blogs and practical experience, besides trial and error. Trial and error is my best friend when it comes to deployment, so here is how I did it.

Summary of steps:

  1. Prepare two virtual machines: “ADK Machine” and “Reference Machine”.
  2. Use the ADK machine to prepare the unattended xml file.
  3. Use the ADK machine to prepare a bootable WinPE disk.
  4. Install all software and patches on the “Reference Machine”.
  5. Place the unattended xml from step 2 on the D drive of the “Reference Machine”.
  6. Boot the reference machine in audit mode.
  7. Perform advanced customization of the built-in administrator profile on the “Reference Machine” and run sysprep. This will cause the “Reference Machine” to shut down.
  8. Insert the WinPE disk into the “Reference Machine” virtual DVD drive and boot the “Reference Machine” from it.
  9. While in the WinPE environment, capture an image from the “Reference Machine” and save it to the “Reference Machine” D:\ drive.
  10. Boot the “Reference Machine” normally and copy the captured wim file to the ADK machine.
  11. Go to the ADK machine and use the ADK tools to mount the wim file, inject a GVLK, remove any metro app packages, and unmount the wim file again.
  12. Now you can generate an ISO file from the resulting wim file on the ADK machine.

Tip: you can use the wim file generated in step 11 on your WDS server and deliver the customized Windows 8.1 image over the network, or you can use the ISO image generated in step 12, burn it to a USB drive, and deliver the image physically to target machines.
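Step 11 sketched with the DISM PowerShell cmdlets, so that a failure halfway through discards the changes instead of committing a half-serviced image. This is an added example, not the commands used in this series; the wim file name, image index 1, the app names and the key placeholder are assumptions:

```powershell
# Added example, not the author's commands. Run elevated on the ADK machine.
$ErrorActionPreference = 'Stop'
$wim    = 'C:\Workplace\ImageWorkplace\custom.wim'        # hypothetical file name
$mount  = 'C:\Workplace\Mount'
$gvlk   = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'                  # placeholder, supply your edition's GVLK
$remove = @('Microsoft.BingNews', 'Microsoft.BingSports') # hypothetical choice of apps

# Record the hash of the captured image so it can be told apart from the serviced copy.
$before = (Get-FileHash -LiteralPath $wim -Algorithm SHA256).Hash

Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount | Out-Null
$ok = $false
try {
    Set-WindowsProductKey -Path $mount -ProductKey $gvlk | Out-Null

    # Provisioned packages are the ones installed into every new user profile.
    $packages = Get-AppxProvisionedPackage -Path $mount |
        Where-Object { $remove -contains $_.DisplayName }
    foreach ($package in $packages) {
        Remove-AppxProvisionedPackage -Path $mount -PackageName $package.PackageName | Out-Null
    }
    $ok = $true
}
finally {
    # Commit only if every step succeeded; otherwise throw the changes away.
    if ($ok) { Dismount-WindowsImage -Path $mount -Save | Out-Null }
    else     { Dismount-WindowsImage -Path $mount -Discard | Out-Null }
}

$after = (Get-FileHash -LiteralPath $wim -Algorithm SHA256).Hash
"Before servicing: $before"
"After servicing : $after"
```

Keeping the two hashes with your version information makes it possible to confirm later which wim file an ISO was built from.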

Overview about the setup needed:

You have to prepare two virtual machines. The figure below is a graphical presentation of those machines:

Windows 8.1 custom image


Given a list of users, get distribution groups they manage !

Hi, I got a request to generate a PowerShell script. So, say you have a list of users and you need to know which mailing groups they manage, and output the results to a CSV file.

This script will take two input variables :

  • InputFile : required parameter, which is the text file containing all usernames that you want to see which mailing groups they manage. Example: c:\users.txt
  • Outfile : required parameter, which is the csv file to generate. Example is c:\output.csv

So, say you have a text file named c:\users.txt that contains three lines (Johns, JeorgeM, AliceO), then you can type the following:

Get-SpecificDGManagers -inputfile c:\users.txt -outfile c:\output.csv 

So the output.csv will contain a list of those three users along with all mailing groups they manage.

Download the script

You can download the script from here:  Get-SpecificDGManagers

Note: the list of users in c:\users.txt should be the samaccountnames and not the displaynames of the users 🙂 this is to ensure uniqueness.

Note: If no output is available (the users are not managing any groups), then no csv will get generated. Run the script in verbose mode to see more info 🙂

Note: run it from the Exchange Management Shell with a user that has read access only.

Get Exchange Distribution Groups Manager

Hi again,

I got a request to list all distribution groups and their managers in a csv file. This way, you can quickly see which groups do not have a manager 🙂

The script is simple, just run it from Exchange Management Shell, and supply the following parameters:

  1. File : required. The name and path of the csv file to save the output to.
  2. OU : optional. Used to narrow the scope of the script to a certain OU.

.Example
Get managers of all groups and export results to c:\file.csv
PS C:\>Get-ExchangeDGManagers -file "c:\file.csv"

.Example
Get managers of all groups under the specified OU.
PS C:\>Get-ExchangeDGManagers -OU "ou=mailing groups, dc = contoso, dc=com" -file "c:\file.csv"

Download the script 

You can find the script here: Get-ExchangeDistributionGroupManagers
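A sketch of how the two reports described in this post and the previous one can be produced with the Exchange cmdlets. It is an added example and not the downloadable scripts; the function names and output columns are assumptions, and it needs an Exchange Management Shell session to run:

```powershell
# Added example, not the author's scripts. Run in the Exchange Management Shell.
function Get-ManagedGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InputFile,   # one sAMAccountName per line
        [Parameter(Mandatory)][string]$OutFile
    )
    $rows = foreach ($sam in Get-Content -LiteralPath $InputFile) {
        $sam = $sam.Trim()
        if (-not $sam) { continue }
        # Names come from a file, so double any single quote before building the filter.
        $user = Get-User -Filter ("SamAccountName -eq '{0}'" -f $sam.Replace("'", "''"))
        if (-not $user) { Write-Verbose "No user found for $sam"; continue }
        $dn = $user.DistinguishedName.Replace("'", "''")
        foreach ($group in Get-DistributionGroup -ResultSize Unlimited -Filter "ManagedBy -eq '$dn'") {
            [pscustomobject]@{
                User  = $sam
                Group = $group.DisplayName
                Email = $group.PrimarySmtpAddress
            }
        }
    }
    # As in the post: when nobody in the list manages a group, no CSV is written.
    if ($rows) { $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation }
    else { Write-Verbose 'None of the listed users manage a group.' }
}

# Groups with no manager at all, which are the ones that need an owner assigned.
function Get-UnmanagedGroup {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.ManagedBy } |
        Select-Object DisplayName, PrimarySmtpAddress
}
```

Both functions only read from Exchange, so they work under the read-only account recommended above.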


2013 blogging in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 12,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 4 sold-out performances for that many people to see it.
