Steadystate Imaging for multiple computers/HWII imaging

  • Question

  • Wondering if anyone has had any luck imaging a computer with Windows SteadyState enabled. Currently the issue I am getting is a problem with the filesystem once I reboot. Also, has anyone done any imaging with Altiris or anything like that so we could make one image for multiple hardware sets?

     


    Batchfile to enable disk protection once device is done imaging?

    Thanks a million.

     

    BTW here is the setup I am using:

    Steadystate

    User is local admin but cannot reset admin password

    User cannot shutdown computer

    User cannot access steadystate apps blocked using steadystate

    User CAN install programs

    Set to retain all changes indefinitely once base image is gathered

    once back from the user clear all changes is selected.

    Eric

    Friday, June 29, 2007 1:54 PM

All replies

  • Hi, 

     

    I understand that you encounter some problems in using Altiris to image the systems. 

     

     As Altiris is a third party application, we have little knowledge on this product. I am afraid that we are not the best resource. Other customers may share their experience with you. Meanwhile, you may contact the support engineer of Altiris for further support. Generally speaking, Microsoft supports computers on which Windows XP is installed by use of disk-duplication software and the System Preparation tool (Sysprep.exe).

     

    For the batch file, there is no batch file to enable disk protection since enabling/disabling WDP entails installing or removing the driver. So we have to manually enable WDP before creating our reference image. By the way, we do have a WMI interface that allows you to retrieve and change the current status. For more information about the WMI interface, please refer to: Description of the API for the Windows Disk Protection feature in Windows SteadyState (http://support.microsoft.com/kb/938335)

    Monday, July 2, 2007 5:20 AM
  • Sorry to bump this but there are several of us on the forum looking for this very information, thanks Sammy. 

     

    I have a few questions for clarification. 

     

    What mode did you enable WPD in before capturing (retain or discard)?

    Did you sysprep prior to capture?

    Sysprep messing around with the drivers has no ill effect on the WPD driver?

     

    Thanks again,

     

    While this helps with my immediate deployment issues, I know I would still like to see some kind of command line utility/script added back into SteadyState to enable/disable WPD.  I automate as much of the build, configuration and capture processes as I can.

    Tuesday, July 3, 2007 3:56 AM
  •  

    Hi,

     

    Q: What mode did you enable WPD in before capturing (retain or discard)?

     

    A: As VCFFltr.sys manages a list of file fragments that make up the cache file and a list of sectors to exclude from caching, we do not recommend that you enable WDP before capturing an image. WDP should be enabled in discard mode after your disk image has been installed on all shared computers.

    -----

     

    Q: Did you sysprep prior to capture?

     

    A: Yes, after Windows SteadyState is installed, user profiles have been created and security and critical updates have been installed, we use the System Preparation Tool (Sysprep) to prepare the computer for imaging (optional).

     

    Also it is important to note that when you run Sysprep on a computer with Windows SteadyState, ensure that all user profiles are unlocked before running the tool. Sysprep.exe does not recognize locked or mandatory profiles and will copy a new Ntuser.dat file into the <user> folder. Additionally, Sysprep.exe creates a new user SID. After running Sysprep.exe, existing Windows SteadyState user profiles (Ntuser.man) become invalid as they are no longer linked to the new SIDs.

     

    For more information on running Sysprep with SteadyState, please refer to the “Preparing the Reference Computer with the System Preparation Tool” section of the SteadyState Handbook. The handbook can be downloaded at: http://www.microsoft.com/downloads/details.aspx?FamilyID=d64af114-336c-4418-beb7-e074e813b498&DisplayLang=en

     

    For more information on the use of Sysprep, see Microsoft Knowledge Base Article #302577 at: http://go.microsoft.com/fwlink/?LinkId=83437.

     

    ----

     

    Q: Sysprep messing around with the drivers has no ill effect on the WPD driver?

     

    A: As mentioned in the first answer, WDP should not be turned on before Sysprep so it will not affect the VCFFltr.sys kernel driver.

     

    ----

    Q: I would still like to see some kind of command line utility/script added back into SteadyState to enable/disable WPD.

     

    A: Thank you for your great feedback. Unfortunately, this feature is still unavailable now. We understand that such a command line tool is desirable and we have forwarded this suggestion to our product group for consideration.

     

    Sincerely,

    Sammy Yu

    Wednesday, July 4, 2007 6:07 AM
  • "Additionally, Sysprep.exe creates a new user SID. After running Sysprep.exe, existing Windows SteadyState user profiles (Ntuser.man) become invalid as they are no longer linked to the new SIDs"

     

    Sammy,

     

    Would this also apply to cloning software? I've been using Symantec Ghost to clone the machines I'm using Steady State on and was going to generate new SIDs since they all would be the same otherwise. I ran into an issue in the past with using WSUS and cloned machines and had to generate new SIDs to get them to start updating properly and to be seen on the WSUS admin page. If so, what would be the recommended action to take? Would I have to delete and recreate a user profile after generating the new SID or do I just have to temporarily unlock the user profile until the new SID is generated? Thanks

    Thursday, July 5, 2007 11:49 AM
  •  eparico wrote:
    Would I have to delete and recreate a user profile after generating the new SID or do I just have to temporarily unlock the user profile until the new SID is generated?


    Eparico,

    I've been using Ghost 8.0 to image a Microsoft Shared Computer Toolkit v. 1.x based non-Sysprep-ed system and then clone that image to dozens of machines. I assign a new Security Identifier (SID) after cloning by using Sysinternals' (now Microsoft) NewSID v. 4.10 without problems. To correctly propagate the new SID to the locked user profile I open the Registry Editor and load that user's NTUSER.MAN as a separate hive in HKEY_USERS before running NewSID. I allow NewSID to reboot the machine automatically afterwards and this will also unload the previously loaded mandatory profile.

    Two caveats:

    1. NewSID is not supported by Microsoft
    2. the machines in question operate in a workgroup environment

    I've never experienced any problems whatsoever with NewSID and I'm planning to do exactly the same with Windows SteadyState v. 2.0 installed on these machines. I'll be testing this in the coming days and will keep you posted.

    You can find NewSID here:

    http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx

    HTH.

    Jan J.

    Thursday, July 5, 2007 12:46 PM
  • Jan,

     

    Thanks for the reply. I just finished up with deploying a new computer lab with Steady State and will try the same. Fortunately, the computers I'm speaking of are also in a workgroup environment. The one thing I'm unsure of is how to open the NTUSER.MAN file as a separate hive in the registry. Can you elaborate on this?

     

    Thanks Again

     

    E

    Friday, July 6, 2007 2:58 AM
  • Eparico,

    I expect the results of the application of NewSID to be fully compatible with a domain environment, the people at Sysinternals are quite dependable guys.  I only meant to say that I haven't tested this in a domain environment.

    Your question on how to load a mandatory user profile (NTUSER.MAN) in the Registry Editor is a fairly simple one to answer: like you would load any user profile, i.e:

    * open the Registry Editor
    * select the HKEY_USERS hive
    * in the File menu, select option Load Hive
    * from the file selection menu, load file C:\Documents and Settings\<username of the locked profile>.orig\ntuser.man
    * enter a suitable key name under which the profile will be loaded, for instance "locked_user"

    The locked user profile will be visible in the registry editor under the key HKEY_USERS\locked_user and will stay there until unloaded or until the machine is rebooted.

    If you absolutely need to login as the user with the locked user profile after having applied NewSID, you need to unload the profile before doing so, otherwise you can't logon as that user:

    * go back to or re-open the Registry Editor
    * select HKEY_USERS\locked_user
    * in the File menu, select option Unload Hive

    Please beware: I don't know if it is advisable not to reboot immediately after NewSID has been run, even when you didn't use the rename computer option of NewSID.

    I am sure all this can be scripted, probably also in combination with NewSID, but I never have been able to make the time to find out how.  I sure would be interested in seeing a working script that does this, though!   :-)

    HTH,

    Jan J.

    Friday, July 6, 2007 6:34 AM
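
The load/unload steps from the post above can be scripted with `reg.exe load` and `reg.exe unload`. The following is an added example, not code from any poster or from Microsoft; the function name `Invoke-WithProfileHive` and the user name `kiosk` are hypothetical, and the key name `locked_user` and path pattern are taken from the post. It must run from an elevated session.

```powershell
# Added example: mount a locked (mandatory) profile hive under HKEY_USERS,
# run a step while it is mounted, then always unload it again.
function Invoke-WithProfileHive {
    param(
        [Parameter(Mandatory)] [string] $HivePath,     # full path to ntuser.man
        [Parameter(Mandatory)] [scriptblock] $Action,  # work to do while the hive is loaded
        [string] $KeyName = 'locked_user'              # key name suggested in the post
    )
    if (-not (Test-Path -LiteralPath $HivePath -PathType Leaf)) {
        throw "Hive file not found: $HivePath"
    }
    # Refuse anything that is not the mandatory hive, so the wrong NTUSER
    # file cannot be loaded by mistake.
    if ([IO.Path]::GetFileName($HivePath) -ne 'ntuser.man') {
        throw "Expected a mandatory profile hive (ntuser.man), got: $HivePath"
    }
    if (Test-Path -LiteralPath "Registry::HKEY_USERS\$KeyName") {
        throw "HKEY_USERS\$KeyName already exists; unload it or pick another key name"
    }

    & reg.exe load "HKU\$KeyName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed (exit code $LASTEXITCODE); is the session elevated?"
    }
    try {
        & $Action
    }
    finally {
        # Open handles keep a hive mounted; release any that PowerShell holds.
        [gc]::Collect()
        & reg.exe unload "HKU\$KeyName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Hive still loaded at HKU\$KeyName; the user cannot log on until it is unloaded or the machine reboots"
        }
    }
}

# Usage ('kiosk' is a constructed user name):
# Invoke-WithProfileHive -HivePath 'C:\Documents and Settings\kiosk.orig\ntuser.man' -Action {
#     # run the SID-changing step here while the hive is mounted
# }
```

If the step inside `-Action` reboots the machine itself, the `finally` block never runs; the reboot unloads the hive instead.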
  • Hi,

    Thanks for Jan J’s knowledge sharing. The method to use newsid should work here. However, it is recommended that we use a supported method to avoid system security compromise. Also it is important to note that Microsoft does not provide support for computers on which Windows XP is installed by duplication of fully installed copies of Windows XP. For more information, you can refer to:

    The Microsoft policy concerning disk duplication of Windows XP installations

    http://support.microsoft.com/kb/314828

    Friday, July 6, 2007 10:58 AM
  • Hello again Jan,

     

    I tried the new SID on two different machines. The first one I messed up on since I was trying to load the wrong NTUSER file into the registry and was getting an error message. In turn, I had to delete and recreate the user profile as well as reinstall Microsoft Office. Live and learn! The second one I did properly and it worked without any problems. Thanks for your assistance. I'm thinking that the next time I decide to create an image, I'll make sure I lock everything down after the new SID has been generated. Hopefully, this will prevent any issues like the first computer I tried this on. Thanks again!

     

    E

    Friday, July 6, 2007 4:23 PM
  • Well, I’m afraid I have bad news!

    Cloning XP SP3 with Symantec Solution Suite 2.5 (fresh new version of Ghost 11.5), and WSS 2.5 Failed!

    Here is the scenario:

    1. Prepare the model machine
       a. Install XP SP3 with updates
       b. Install WSS 2.5
    2. Activate WDP through the User Interface
    3. Set the WDP_MODE_COMMIT option active
    4. Save the Image

    When cloning the image WDP is turned off.

    Since there is no way to remotely turn it on, we are tied up.

    I have to go to all my 800 computers manually, and turn on WDP!?

    Someone, please tell the developer engineers that we expect an URGENT solution for this case, we invest thousands of Euros and Dollars in Windows Licenses, Symantec Licenses and now we are tied to manage our entire computer park with XP SP2 with Shared toolkit.

    This summer we are receiving new computers to our 30 classrooms, HP xW4600T, that we expect to deploy with Dual Boot, Windows Vista and Linux System, but until we find the solution for this problem, they are being deployed with XP SP2.

    Please, find the appropriate way of turning WDP On and Off, remotely!

    Thursday, June 5, 2008 8:46 AM
  • Thursday, June 12, 2008 5:25 PM
  • Hi Daniel,

     

    I'm glad you found the new command line parameters to enable and disable WDP.

     

    You mentioned that you intend to dual-boot your machines.  That's fine, but if you are using WDP, be sure that the partition containing the \Windows folder is not accessible from the other OSs you install.  This is critically important if you have set WDP to "retain changes for a duration" (aka persist mode) or "save changes permanently" (aka commit mode).  In these modes, changes made to the WDP partition while WDP is not running can cause disk corruption.

     

    Friday, June 13, 2008 3:58 AM