18 Replies   Latest reply: Jul 13, 2011 2:27 AM by RichardA

    Sysprep Windows 7 Issues

    Rookie

      I work for a public school district that is in the process of rolling over to Windows 7 from Windows XP. I have been working on capturing a working Windows 7 image for a few weeks now, and I am still having issues. We are using LD 9, SP2. We have a working image that was sysprepped using oobe and generalize. A coworker of mine did it this way before we realized it won't work with the way LANDesk OSD scripts work. This image will deploy just fine, except it will not join the domain.

       

      Today, I totally started from scratch. I installed Windows 7 from a disk on a Dell Latitude E5500 laptop. I added all of my software that I needed, ran sysprep in Audit mode, set it to restart, let it do its thing, and captured the image as soon as it restarted. After capturing, I set up my OSD script to image using HII, and it will drop down just fine to another Latitude E5500 laptop. The problem is, if I try to install it on any other model laptop, when it is installing drivers, I get 2 prompts saying "This driver is not digitally signed." I can click either of the options, to allow it to install or deny it from installing, and the process will continue, and the image ends up installing and joining the domain just fine. I am really striving to get this image to drop down on any of our models of machines without getting any prompts. We manage too many machines to have to click this prompt every time we go to image machines.

       

      Any ideas on what could be causing this to happen? Thanks in advance.

       

      Brett

        • 1. Re: Sysprep Windows 7 Issues
          LANDave SupportEmployee

          Did you download and add drivers to the Driver store yourself?

           

          I would think any drivers included with Windows 7 itself would be digitally signed.

           

          The drivers that have not passed the WHQL testing will display this.

           

          You may want to consider getting the latest drivers from the vendor websites for the computers in your environment and adding them to your image.

          • 2. Re: Sysprep Windows 7 Issues
            Rookie

            For one particular model, we have a Latitude D530. We don't have any Windows 7 drivers in the store. We have Windows XP drivers in the store for this model. Would they be causing the issue? Can LANDesk differentiate Windows XP drivers from Windows 7 drivers? If not, I will try unchecking the XP drivers for this model, to see if they will go away.

            • 3. Re: Sysprep Windows 7 Issues
              RichardA Apprentice

              When you add drivers to the HII store, you specify what OS editions are supported. If you only ticked XP, then LD HII should not inject those drivers into a Win 7 image.

               

              I've found a number of drivers, especially OEM repackages (which your Dell drivers may well be) are not digitally signed, and even some reference drivers for certain integrated audio codecs are unsigned.

               

              The only way I've been able to work around this, especially with the stricter signing in 64-bit Windows editions, is to use DISM with the /forceUnsigned option. But that requires a completely different approach to building and deploying the image, and the use of Provisioning over OSD scripts (unless you want to be manually editing them all the time), so may not be an option for you.
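A pre-flight check for the driver store discussed in the posts above, added here as an example and not code from this thread or from LANDesk: it walks a driver repository, reads the CatalogFile entry from each INF's [Version] section, and verifies the catalog's Authenticode signature with Get-AuthenticodeSignature, so unsigned or broken packages are found before HII injects them. The repository path is an assumption.

```powershell
# Added example: find driver packages in a repository whose catalog is missing
# or whose signature does not verify. The default path is an assumed placeholder.
param([string]$Root = 'C:\DriverStore')

function Get-InfCatalogName {
    param([string]$InfPath)
    # The [Version] section names the catalog, e.g. CatalogFile=oem.cat or CatalogFile.NTamd64=oem64.cat
    foreach ($line in Get-Content -Path $InfPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*CatalogFile(\.\w+)?\s*=\s*"?([^";]+?)"?\s*(;.*)?$') {
            return $matches[2].Trim()
        }
    }
    return $null
}

function Test-DriverRepository {
    param([string]$Path)
    foreach ($inf in Get-ChildItem -Path $Path -Recurse -Filter *.inf) {
        $catName = Get-InfCatalogName -InfPath $inf.FullName
        $status  = 'NoCatalogEntry'   # INF does not even reference a catalog: package is unsigned
        $signer  = ''
        if ($catName) {
            $catPath = Join-Path $inf.DirectoryName $catName
            if (Test-Path $catPath) {
                $sig    = Get-AuthenticodeSignature -FilePath $catPath
                $status = $sig.Status   # Valid, NotSigned, UnknownError (untrusted chain), ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $status = 'CatalogMissing'
            }
        }
        New-Object PSObject -Property @{
            Inf     = $inf.FullName
            Catalog = $catName
            Status  = $status
            Signer  = $signer
        }
    }
}

# Anything that is not Valid will raise the "not digitally signed" prompt during
# PnP install (and will not load at all on x64), so fix or drop it before adding it to HII.
Test-DriverRepository -Path $Root |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Inf |
    Format-Table Status, Catalog, Inf -AutoSize
```

Run it from any machine with read access to the repository share. Status Valid means the catalog is signed and chains to a trusted root; NotSigned, NoCatalogEntry and CatalogMissing are the packages that produce the prompt in the original post, and UnknownError usually means the chain terminates in a root the machine does not trust. A validly signed but non-WHQL package still gets the "Would you like to install this device software?" prompt unless the publisher's certificate is in the machine's Trusted Publishers store.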

              • 4. Re: Sysprep Windows 7 Issues
                Rookie

                Richard wrote:

                 

                 

                The only way I've been able to work around this, especially with the stricter signing in 64-bit Windows editions, is to use DISM with the /forceUnsigned option. But that requires a completely different approach to building and deploying the image, and the use of Provisioning over OSD scripts (unless you want to be manually editing them all the time), so may not be an option for you.

                 

                I am thinking about just turning off driver signing in the image. I know it isn't really the best way to do it, but I don't see it being too big of an issue. I just would think there should be a fix to this without doing that. For example, I don't have any drivers listed for the Dell D530 laptop for Windows 7. It is supposed to just use all of the default drivers. I still get the prompt for the unsigned drivers. Click accept or deny, either one and it will continue on just fine.

                • 5. Re: Sysprep Windows 7 Issues
                  RichardA Apprentice

                  Curious. Do you get that if you run a template with no HII action at all?

                   

                  I wonder if my experience of the same problem wasn't down to drivers (although my point about the frequency of "official" drivers not actually being WHQL-signed still stands) and was more down to some other broken functionality. Personally, I think the Audit-mode approach that LANDesk recommends for their HII implementation is untidy and results in, what, 5 reboots before you even get to the OOBE?

                   

                  Is it actually possible to permanently turn off driver signing requirements in 64-bit Windows? I didn't think this was possible... Fine if you're going to stick to 32-bit, but there will come a time when that's not an option.

                  • 6. Re: Sysprep Windows 7 Issues
                    Rookie

                    I haven't tried not using HII. It's all we do here and I am pretty new to trying to manage this project. It is strange how LANDesk handles the sysprep process.

                     

                    I have read there is a way to have sysprep turn off driver signing, and then turn them back on after imaging is complete. I have not tried it yet.

                    I have a ticket open with LD about this issue as well and the last tech I talked to told me to do the method described here.

                    http://www.killertechtips.com/2009/05/05/disable-driver-signing-windows-7/

                    • 7. Re: Sysprep Windows 7 Issues
                      RichardA Apprentice

                      bbrownderville wrote:

                       

                      I haven't tried not using HII. It's all we do here and I am pretty new to trying to manage this project. It is strange how LANDesk handles the sysprep process.

                       

                      I have read there is a way to have sysprep turn off driver signing, and then turn them back on after imaging is complete. I have not tried it yet.

                      I have a ticket open with LD about this issue as well and the last tech I talked to told me to do the method described here.

                      http://www.killertechtips.com/2009/05/05/disable-driver-signing-windows-7/

                       

                      Eugh. That method could probably work for both architectures, but feels like a real kludge. Still, needs must, I guess.

                       

                      If you have no luck, and if I have time, I'll do some more comprehensive testing to confirm that the DISM approach really does work with unsigned drivers, and I could upload our template. You may need to rebuild your images though, so it depends how much time you want to invest down a particular avenue.

                       

                      Message was edited by: Richard Archer - My link didn't originally jump to the correct message

                      • 8. Re: Sysprep Windows 7 Issues
                        Rookie

                        so I just found this post on another forum.

                         

                        1. Turn off driver signing, and reboot so the settings stick. (Use the Driver Signing Off.bat below)

                        2. Turn UAC to the second from the bottom selection and reboot to make the settings stick. (Use the UAC Lower.bat below)

                        3. Place the UAC Raise.bat and Driver Signing On.bat files in the sysprep folder.

                        4. Call the scripts you placed in the sysprep folder in the last pass of the Answer File:

                        Unattend/Components/7 oobe System/AMD64_Microsoft-Windows-Shell-Setup_neutral\First Logon Commands

                        Sysprep your image as normal using oobe.

                         

                        Scripting Info:

                        UAC Lower.bat (use this script to drop UAC before you sysprep)

                        rem Sets the UAC slider to the second-from-bottom position (still prompts, but without the secure desktop)
                        rem reg.exe is called directly: the original wrapped it in "cmd.exe /k", which leaves a console open
                        rem and would block a synchronous FirstLogonCommand until somebody closes the window
                        %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f

                        UAC Raise.bat (Put this in a .bat file and place in Sysprep folder)

                        rem Restores the secure desktop for UAC prompts
                        %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f

                        Driver Signing Off.bat (Use this script to disable driver signing before you sysprep)

                        rem Both settings need an elevated prompt and take effect at the next boot
                        rem TESTSIGNING ON lets the kernel load test-signed drivers and shows the "Test Mode" desktop watermark;
                        rem it does not by itself suppress the install-time prompt for a driver package that has no signature at all
                        bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS
                        bcdedit /set TESTSIGNING ON

                        Driver Signing On.bat (Place this in a .bat file and place in Sysprep folder)

                        rem Puts the machine back under normal signature enforcement once imaging is done
                        rem (bcdedit /deletevalue loadoptions removes the entry entirely instead of overwriting it)
                        bcdedit /set loadoptions ENABLE_INTEGRITY_CHECKS
                        bcdedit /set TESTSIGNING OFF

                         

                        Where is the answer file (is that just the unattend.xml?) located for a normal OSD script? This method looks like it should work just fine.
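Because the "On" scripts above run from a FirstLogonCommand, a deployment that fails part way through can leave a production machine in test-signing mode with the UAC secure desktop off. The following compliance check is an added example, not part of the original post or of LANDesk's tooling: it reads the current BCD entry and the UAC policy values and reports whether the machine is back at the defaults. It can be pushed to deployed machines as a scheduled task or run by hand; it assumes it runs elevated.

```powershell
# Added example: confirm a deployed machine has left the temporary
# "driver signing off / UAC lowered" state. Run elevated (bcdedit needs it).

function Get-BcdValue {
    param([string]$Name)
    # bcdedit prints "name<spaces>value" per line; return the value for the current boot entry
    $lines = bcdedit /enum '{current}'
    foreach ($line in $lines) {
        if ($line -match "^\s*$Name\s+(.+)$") { return $matches[1].Trim() }
    }
    return $null   # entry absent means the default (off / no load options)
}

function Test-SigningRestored {
    $testSigning = Get-BcdValue 'testsigning'
    $loadOptions = Get-BcdValue 'loadoptions'
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey

    $findings = @()
    if ($testSigning -and $testSigning -ne 'No') {
        $findings += "testsigning is '$testSigning' (expected off)"
    }
    if ($loadOptions -and $loadOptions -match 'DISABLE_INTEGRITY_CHECKS') {
        $findings += "loadoptions still contains DISABLE_INTEGRITY_CHECKS"
    }
    if ($uac.EnableLUA -ne 1) {
        $findings += "EnableLUA=$($uac.EnableLUA) (expected 1, UAC on)"
    }
    if ($uac.PromptOnSecureDesktop -ne 1) {
        $findings += "PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop) (expected 1, UAC Raise.bat did not run)"
    }

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Test-SigningRestored | Format-List
```

A machine still in test-signing mode also shows the "Test Mode" watermark on the desktop, which is the quick visual check for technicians; the script is the one to use across a fleet, since the output can be collected centrally and any machine reporting Compliant = False re-run the "On" scripts and rebooted.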

                        • 9. Re: Sysprep Windows 7 Issues
                          RichardA Apprentice

                          If you right-click an OSD script and select Advanced Edit it will open both the INI and the XML answer file for that script.

                           

                          However, if your default association is to open XMLs in IE, you won't be able to edit.

                           

                          In which case try \\<core>\ldmain\landesk\files\<osdname>.xml

                           

                          If ever you make a change to the script using the GUI, you will most likely need to re-do your changes.

                          • 10. Re: Sysprep Windows 7 Issues
                            Rookie

                            Richard Archer wrote:

                             

                            If you right-click an OSD script and select Advanced Edit it will open both the INI and the XML answer file for that script.

                             

                            However, if your default association is to open XMLs in IE, you won't be able to edit.

                             

                            In which case try \\<core>\ldmain\landesk\files\<osdname>.xml

                             

                            If ever you make a change to the script using the GUI, you will most likely need to re-do your changes.

                             

                            I am going to try this and see if it works.

                             

                            Also, maybe you can help me with one more issue. When my computers get imaged, they auto join the domain. As soon as that happens they get their domain policy which enforces them to log on to the domain and not locally. The downside of this is, when they reboot right before they install the landesk agent and do the First Logon Commands, it tries to log on as administrator but to the domain and not the local machine. Do you know how to bypass this to make it go to the local machine instead?

                            • 11. Re: Sysprep Windows 7 Issues
                              EMiranda Expert

                              If your workaround does not work, another workaround is to use dpinst.exe for PnP driver installs. Forcing unsigned drivers with that utility is as simple as adding one switch to the application:

                               

                              /lm - Sets the legacyMode flag to ON. In legacy mode, DPInst accepts unsigned driver packages without performing signature verification.

                               

                              http://msdn.microsoft.com/en-us/library/ff544775%28v=vs.85%29.aspx

                              • 12. Re: Sysprep Windows 7 Issues
                                RichardA Apprentice

                                bbrownderville wrote:

                                 

                                [...]

                                 

                                Also, maybe you can help me with one more issue. When my computers get imaged, they auto join the domain. As soon as that happens they get their domain policy which enforces them to log on to the domain and not locally. The downside of this is, when they reboot right before they install the landesk agent and do the First Logon Commands, it tries to log on as administrator but to the domain and not the local machine. Do you know how to bypass this to make it go to the local machine instead?

                                 

                                I've no direct experience, as we don't apply that particular restriction here (local admin is often our friend). However, we have had a need to bypass other Group Policies, and we've taken two approaches, neither of which is perfect, I'm afraid:

                                 

                                1. Have the computer's AD account in a special OU during the process. This OU would either have inheritance blocked or an overriding GP applied.
                                  • Pros:
                                    • Generally does the job and requires no changes to the OSD script or Provisioning template
                                    • Works with OSD (where domain join is always handled by OOBE based on the unattend.xml)
                                  • Cons:
                                    • Technicians frequently forget to move the account into the OU at the beginning or, more frequently, out of the OU at the end (which can obviously be a security risk)
                                    • There may be certain GPO configuration that simply cannot be overridden.
                                2. Have the computer join the domain after it's done everything else
                                  • Pros:
                                    • No manual steps for technicians to forget
                                    • Can bypass just about any policies as the machine isn't domain-governed until it's ready for use
                                  • Cons:
                                    • You can't use OOBE/unattend.xml to join the domain
                                    • As such, with OSD, you would need to edit the OSD INI script to add a command line to join the domain towards the end
                                    • Can inhibit any actions you might include in the process that depend on domain membership

                                 

                                We've now moved to 2, as our techs are... forgetful... and our Provisioning OU was filling up with production machines that were never moved. As we use Provisioning, which features a Join Domain action, it was easy for me to move this step further down the process. The only issue we have now is that the fingerprint software on our Lenovo laptops gets installed before the PC is domain-joined, and therefore doesn't automatically enable fingerprint login for domain accounts. That's on my list of to-dos.
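The con of approach 1 above, production machines accumulating in a staging OU where the normal policies don't apply, is easy to audit from the core or any domain-joined box. The script below is an added example, not code from this thread or from LANDesk: it lists computer objects in the staging OU that are older than a cut-off and, with -Move, moves them into the production OU. It uses DirectorySearcher and [adsi] so it runs on PowerShell 2.0 without RSAT; the OU distinguished names are placeholders for your own domain, and the account running it needs rights to move objects between the two OUs.

```powershell
# Added example: find (and optionally move) computer objects left behind in a
# provisioning OU. OU paths are assumed placeholders; replace them with yours.
param(
    [string]$StagingOU    = 'OU=Provisioning,OU=Workstations,DC=example,DC=local',
    [string]$ProductionOU = 'OU=Workstations,DC=example,DC=local',
    [int]$MaxAgeDays      = 2,     # anything older than this has finished imaging long ago
    [switch]$Move
)

function Get-StaleStagingComputers {
    param([string]$OU, [int]$MaxAgeDays)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$OU"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectCategory=computer)'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'whenCreated', 'distinguishedName'))

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($r in $searcher.FindAll()) {
        # whenCreated is set when the account is pre-staged or created by the domain join
        $created = [datetime]$r.Properties['whencreated'][0]
        if ($created -lt $cutoff) {
            New-Object PSObject -Property @{
                Name    = [string]$r.Properties['name'][0]
                DN      = [string]$r.Properties['distinguishedname'][0]
                Created = $created
            }
        }
    }
}

$stale = @(Get-StaleStagingComputers -OU $StagingOU -MaxAgeDays $MaxAgeDays)
$stale | Sort-Object Created | Format-Table Name, Created, DN -AutoSize

if ($Move -and $stale.Count -gt 0) {
    $target = [adsi]"LDAP://$ProductionOU"
    foreach ($c in $stale) {
        $obj = [adsi]"LDAP://$($c.DN)"
        # MoveTo keeps the object's SID and machine password; the production
        # GPOs apply at the next policy refresh or reboot
        $obj.psbase.MoveTo($target)
        Write-Output "Moved $($c.Name) to $ProductionOU"
    }
}
```

Running it without -Move is the safe default for a scheduled report; two days is generous for an image that takes an afternoon, so tighten the cut-off to match how long a build actually takes. If machines are moved from many technicians' builds at once, check the report before adding -Move so that a build still in progress is not pushed under the domain logon policy mid-way.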

                                • 13. Re: Sysprep Windows 7 Issues
                                  Rookie

                                  Richard Archer wrote:

                                   

                                  1. Have the computer's AD account in a special OU during the process. This OU would either have inheritance blocked or an overriding GP applied.
                                    • Pros:
                                      • Generally does the job and requires no changes to the OSD script or Provisioning template
                                      • Works with OSD (where domain join is always handled by OOBE based on the unattend.xml)
                                    • Cons:
                                      • Technicians frequently forget to move the account into the OU at the beginning or, more frequently, out of the OU at the end (which can obviously be a security risk)
                                      • There may be certain GPO configuration that simply cannot be overridden.
                                  2. Have the computer join the domain after it's done everything else
                                    • Pros:
                                      • No manual steps for technicians to forget
                                      • Can bypass just about any policies as the machine isn't domain-governed until it's ready for use
                                    • Cons:
                                      • You can't use OOBE/unattend.xml to join the domain
                                      • As such, with OSD, you would need to edit the OSD INI script to add a command line to join the domain towards the end
                                      • Can inhibit any actions you might include in the process that depend on domain membership

                                   

                                  We have talked about using a method such as 1, but we manage roughly 4500 machines, and it's a pain to move each by hand. I like the thought of doing method 2 but I don't know where to begin.

                                   

                                  I am recapturing this image as I type with the driver signing turned off. Sadly, I think I might have figured out part of the issue. We install Roxio on our XP images, so we decided to install it on our Windows 7 images. Turns out the version we installed on it was not made for Vista or newer, so it gives a driver error. I have since updated it and we will see if the combination of the 2 fixes our issues as far as the drivers are concerned.

                                  • 14. Re: Sysprep Windows 7 Issues
                                    Rookie

                                    Brett Brownderville wrote:

                                     

                                    so I just found this post on another forum.

                                    [...]

                                    Where is the answer file (is that just the unattend.xml?) located for a normal OSD script? This method looks like it should work just fine.

                                    So I tried this, except for not imaging using oobe, just audit like I should, and I still get the same error message.

                                     

                                    [attached screenshot of the error message]
