5931 Views 18 Replies Latest reply: Jul 13, 2011 2:27 AM by RichardA

Jul 11, 2011 6:16 PM

Sysprep Windows 7 Issues

I work for a public school district that is in the process of rolling over to Windows 7 from Windows XP. I have been working on capturing a working Windows 7 image for a few weeks now, and I am still having issues. We are using LD 9, SP2. We have a working image that was sysprepped using oobe and generalize. A coworker of mine did it this way before we realized it won't work with the way LANDesk OSD scripts work. This image will deploy just fine, except it will not join the domain.

 

Today, I totally started from scratch. I installed Windows 7 from a disk on a Dell Latitude E5500 laptop. I added all of the software that I needed, ran sysprep in Audit mode, set it to restart, let it do its thing, and captured the image as soon as it restarted. After capturing, I set up my OSD script to image using HII, and it will drop down just fine to another Latitude E5500 laptop. The problem is, if I try to install it on any other model of laptop, when it is installing drivers, I get 2 prompts saying "This driver is not digitally signed." I can click either of the options, to allow it to install or deny it from installing, and the process will continue, and the image ends up installing and joining the domain just fine. I am really striving to get this image to drop down on any of our models of machines without getting any prompts. We manage too many machines to have to click this prompt every time we go to image machines.

 

Any ideas on what could be causing this to happen? Thanks in advance.

 

Brett

  • Dave Holland SupportEmployee 801 posts since
    Jan 8, 2008

    1. Jul 11, 2011 7:23 PM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    Did you download and add drivers to the Driver store yourself?

     

    I would think any drivers included with Windows 7 itself would be digitally signed.

     

    The drivers that have not passed the WHQL testing will display this.

     

    You may want to consider getting the latest drivers from the vendor websites for the computers in your environment and adding them into your image.

  • RichardA Apprentice 152 posts since
    Apr 14, 2010

    3. Jul 12, 2011 6:03 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    When you add drivers to the HII store, you specify what OS editions are supported. If you only ticked XP, then LD HII should not inject those drivers into a Win 7 image.

     

    I've found a number of drivers, especially OEM repackages (which your Dell drivers may well be) are not digitally signed, and even some reference drivers for certain integrated audio codecs are unsigned.

     

    The only way I've been able to work around this, especially with the stricter signing in 64-bit Windows editions, is to use DISM with the /forceUnsigned option. But that requires a completely different approach to building and deploying the image, and the use of Provisioning over OSD scripts (lest you want to be manually editing them all the time), so it may not be an option for you.
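
An added example, not part of the thread: before resorting to any "force unsigned" option, the driver folders can be audited to see which packages actually lack a valid signature. The function name and the `D:\HII-Staging` path are assumptions; point it at a local copy of the driver folders.

```powershell
# Added example (not from the thread). Reports every driver package under a
# folder whose catalog is absent or does not carry a valid signature.
function Get-DriverPackageSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Filter *.inf | ForEach-Object {
        $inf = $_
        # [Version] names the signed catalog: CatalogFile=x.cat, or a
        # platform-decorated entry such as CatalogFile.NTamd64=x.cat.
        $catNames = @(Get-Content -LiteralPath $inf.FullName | ForEach-Object {
                if ($_ -match '^\s*CatalogFile(\.[\w.]+)?\s*=\s*([^;]+)') {
                    $Matches[2].Trim().Trim('"')
                }
            } | Select-Object -Unique)

        if ($catNames.Count -eq 0) {
            # No catalog referenced at all: the package cannot be signed.
            [pscustomobject]@{ Inf = $inf.FullName; Catalog = $null
                               Status = 'NoCatalogEntry'; Signer = $null }
            return   # continue with the next INF
        }
        foreach ($name in $catNames) {
            $catPath = Join-Path -Path $inf.DirectoryName -ChildPath $name
            $status = 'CatalogMissing'; $signer = $null
            if (Test-Path -LiteralPath $catPath) {
                $sig = Get-AuthenticodeSignature -FilePath $catPath
                $status = $sig.Status.ToString()      # Valid, NotSigned, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{ Inf = $inf.FullName; Catalog = $name
                               Status = $status; Signer = $signer }
        }
    }
}

# 'D:\HII-Staging' is a placeholder for a local copy of the driver folders.
Get-DriverPackageSignature -Path 'D:\HII-Staging' |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Inf |
    Format-Table Status, Catalog, Inf -AutoSize
```

A `Valid` status only means the catalog's Authenticode chain is trusted on the machine running the audit; drop the `Where-Object` filter and inspect the `Signer` column to see whether a package was signed by the vendor or by Microsoft's hardware compatibility publisher.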

  • RichardA Apprentice 152 posts since
    Apr 14, 2010

    5. Jul 12, 2011 6:31 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    Curious. Do you get that if you run a template with no HII action at all?

     

    I wonder if my experience of the same problem wasn't down to drivers (although my point about the frequency of "official" drivers not actually being WHQL-signed still stands) and was more down to some other broken functionality. Personally, I think the Audit-mode approach that LANDesk recommends for their HII implementation is untidy and results in, what, 5 reboots before you even get to the OOBE?

     

    Is it actually possible to permanently turn off driver signing requirements in 64-bit Windows? I didn't think this was possible... Fine if you're going to stick to 32-bit, but there will come a time when that's not an option.

  • RichardA Apprentice 152 posts since
    Apr 14, 2010

    7. Jul 12, 2011 7:01 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    bbrownderville wrote:

     

    I haven't tried not using HII. It's all we do here and I am pretty new to trying to manage this project. It is strange how LANDesk handles the sysprep process.

     

    I have read there is a way to have sysprep turn off driver signing, and then turn them back on after imaging is complete. I have not tried it yet.

    I have a ticket open with LD about this issue as well and the last tech I talked to told me to do the method described here.

    http://www.killertechtips.com/2009/05/05/disable-driver-signing-windows-7/

     

    Eugh. That method could probably work for both architectures, but feels like a real kludge. Still, needs must, I guess.

     

    If you have no luck, and if I have time, I'll do some more comprehensive testing that the DISM approach really does work with unsigned drivers and I could upload our template. You may need to rebuild your images though, so it depends how much time you want to invest down a particular avenue.

     

    Message was edited by: Richard Archer - My link didn't originally jump to the correct message

  • RichardA Apprentice 152 posts since
    Apr 14, 2010

    9. Jul 12, 2011 7:16 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    If you right-click an OSD script and select Advanced Edit it will open both the INI and the XML answer file for that script.

     

    However, if your default association is to open XMLs in IE, you won't be able to edit.

     

    In which case try \\<core>\ldmain\landesk\files\<osdname>.xml

     

    If ever you make a change to the script using the GUI, you will most likely need to re-do your changes.

  • EMiranda Expert 681 posts since
    Aug 26, 2009

    11. Jul 12, 2011 7:30 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    If your workaround does not work, another workaround is to use dpinst.exe for PnP driver installs. Forcing unsigned drivers with that utility is as simple as adding one switch to the application:

     

    /lm - Sets the legacyMode flag to ON. In legacy mode, DPInst accepts unsigned driver packages without performing signature verification.

     

    http://msdn.microsoft.com/en-us/library/ff544775%28v=vs.85%29.aspx

  • RichardA Apprentice 152 posts since
    Apr 14, 2010

    12. Jul 12, 2011 7:39 AM (in response to bbrownderville)
    Re: Sysprep Windows 7 Issues

    bbrownderville wrote:

     

    [...]

    Also, maybe you can help me with one more issue. When my computers get imaged, they auto join the domain. As soon as that happens they get their domain policy which enforces them to log on to the domain and not locally. The downside of this is, when they reboot right before they install the landesk agent and do the First Logon Commands, it tries to log on as administrator but to the domain and not the local machine. Do you know how to bypass this to make it go to the local machine instead?

     

    I've no direct experience, as we don't apply that particular restriction here (local admin is often our friend). However, we have had a need to bypass other Group Policies, and we've taken two approaches neither of which are perfect, I'm afraid:

     

    1. Have the computer's AD account in a special OU during the process. This OU would either have inheritance blocked or an overriding GP applied.
      • Pros:
        • Generally does the job and requires no changes to the OSD script or Provisioning template
        • Works with OSD (where domain join is always handled by OOBE based on the unattend.xml)
      • Cons:
        • Technicians frequently forget to move the account into the OU at the beginning or, more frequently, out of the OU at the end (which can obviously be a security risk)
        • There may be certain GPO configuration that simply cannot be overridden.
    2. Have the computer join the domain after it's done everything else
      • Pros:
        • No manual steps for technicians to forget
        • Can bypass just about any policies as the machine isn't domain-governed until it's ready for use
      • Cons:
        • You can't use OOBE/unattend.xml to join the domain
        • As such, with OSD, you would need to edit the OSD INI script to add a command line to join the domain towards the end
        • Can inhibit any actions you might include in the process that depend on domain membership

     

    We've now moved to 2, as our techs are... forgetful... and our Provisioning OU was filling up with production machines that were never moved. As we use Provisioning, which features a Join Domain action, it was easy for me to move this step further down the process. The only issue we have now is that the Fingerprint software on our Lenovo laptops gets installed before the PC is domain joined, and therefore doesn't automatically enable fingerprint login for domain accounts. That's on my list of to-dos.
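
An added example, not part of the thread: if approach 1 is used, the risk of machines being left in the relaxed-policy OU can be monitored with a scheduled query. The OU distinguished name and function name are placeholders, the RSAT ActiveDirectory module is assumed, and `whenChanged` is used only as a heuristic for how long an account has sat untouched.

```powershell
# Added example (not from the thread). Lists computer accounts that are still
# in the provisioning OU and have not been modified (or moved) recently.
Import-Module ActiveDirectory

function Get-LingeringProvisioningComputer {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,  # DN of the special OU
        [int]$MaxAgeHours = 24                               # allowed imaging window
    )
    $now    = Get-Date
    $cutoff = $now.AddHours(-$MaxAgeHours)

    Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree `
                   -Properties whenChanged, LastLogonDate, OperatingSystem |
        # Heuristic: any attribute write resets whenChanged, so an account can
        # be missed on one run; schedule the check daily to catch it later.
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                HoursUntouched  = [int]($now - $_.whenChanged).TotalHours
                LastLogonDate   = $_.LastLogonDate
                DN              = $_.DistinguishedName
            }
        } |
        Sort-Object HoursUntouched -Descending
}

# 'OU=Provisioning,DC=example,DC=com' is a placeholder distinguished name.
Get-LingeringProvisioningComputer -SearchBase 'OU=Provisioning,DC=example,DC=com' |
    Format-Table Name, HoursUntouched, LastLogonDate, OperatingSystem -AutoSize
```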
