A few months back, we decided that +- 80% of our company’s computers really needed an update. A lot of our users where still working on machines such as the Dell Dimension 4300 with a 1.6GHz P4 & 512MB of 133MHz SDRam… Like I said, time for a change ! We orderded a bunch of new computers with Intel E8400 processors, each equiped with 4GB of RAM… The real deal !
But then came the question all IT guys need to pose themselves at a certain moment in time… Such horsepower… Are we going to install Windows XP Pro on those machines ??? Nooooooo ! Let’s order Windows 7 Pro to go with that !
And that’s what this posting is all about. The pains, the sadness and the joy (in the end) of preparing a Windows 7 Pro master image ! With nothing more than the Windows AIK and some lovely tool called sysprep – yep, still the same tool, although it DID evolve quite a bit… It now works with…… XML files… (stylish éh)
So, let’s kick of by listing the things you need :
- First of all, a copy of Windows 7 Pro (doh!)
- Secondly, download The Windows® Automated Installation Kit (AIK) for Windows® 7
- And most important of all, get yourself a good cup of coffee !
Now that you’ve got all that, start by installing the AIK. You will need this to use the xml editor for the sysprep configuration file. The AIK can safely be installed on machine running XP Pro, although Microsoft doesn’t list this OS as supported I had no problem in doing so.
Once the AIK is installed, make a copy of the contents of your Windows 7 DVD to your hard drive. This isn’t necessary, but will allow you to work faster with the xml editor.
You’ll find a new folder in Start -> Programs, called “Microsoft Windows AIK”. Launch the program called “Windows System Image Manager”. If you need to know more about how this program works, please RTFM. Basically, you need to open the correct .wim file of your Windows 7 copy by clicking “Select a windows image or catalog file”. This will provide you with the building blocks needed to construct a valid xml-file, tailored to your specific needs. Next, create a new answer file with the editor, by clicking on “Create or open an answer file”.
My Sysprep file : sysprep_xml
The above is a working sysprep.xml that configures numerous options, please take your time to discover all possibilities by using the building block provided in the editor. One thing : you should rename it to sysprep.xml and change some of the values inside to reflect your own situation and needs.
Some remarks :
- Assigning a computer name during the OOBE wizard and joining the domain isn’t as simple as it seems. Sure, you can leave out the computer name for the xml, and yes, the OOBE will present you a nice window, asking for the name you wish to assign, BUT : the computer won’t join the domain with the nice name you’ve given him. No, you’ll find that the old, random generated temporary name has been used - really- your computer itself will have the name you’ve chosen, but it will have another name in Active Directory… How come ? Well it seems that the OOBE wizard asks for a computer name, AFTER joining the domain. Go Microsoft.. Sure, there are solutions for this, installing certain deployment products from Microsoft that should solve all these problem (so I have read), but hey, we don’t want all that, now do we ? Is there a solution for this ? Sure, read on
- Second problem : you can easily create a local admin account during setup and specify it’s password in the xml, it will be encrypted, this works just fine. But hey, you want those computers to auto-join the domain, don’t you. Well, try putting a domain account in the sysprep.xml with permission to join the computer to a domain… No password encryption here. This is an old problem and was also there at the time of XP, but it is still not fixed by Microsoft. Is this a problem ? Well, it depends, if you make your images in-house and you do the cloning yourself, this isn’t really much of a problem. But in our case, the cloning was done by a third party and I don’t want them to know the admin-pass (or other user used to join the domain). Again, there is a fix for this, so read on…
- An third quirk : auto-joining the domain is a real pain in the ass. If this isn’t working, please read the sysprep logfiles ! (take a look around on the Internet to find out where they are located). In my case, all domain fields in the sysprep file could be in the simple, short netbios version, but it had to be the specified as FQDN between the “JoinDomain” tags in the UnattendedJoin section of the xml.
Now let’s fix those first two problems… After spending some precious time searching for the answer, I found a nice script on the Internet and a fine registry hack that allows you to modify some values in the xml file after sysprepping the machine and BEFORE the OOBE wizard uses the xml file.
The idea is quite simple, put some tags such as ReplaceMe1, ReplaceMe2 or equivalent in the xml file, and let them be replaced by a simple vbs script :
Here is the script : EditUnattend_vbs
Please, DO NOT CHANGE the location of the unattend file (line 4), this is where the sysprep command always copies the file for use by the OOBE wizard. I repeat, DO NOT CHANGE THIS, this hasn’t anything to do with the location where you put your own xml file ! Everything else in the script can be changed as needed.
In my version, the script asks for a computer name and the domain-admin password. Two variables that are afterwards used to replace the text in the placeholders in the xml file.
So now you have a sysprep.xml and a vbs script to change it before the OOBE wizard start, but how will this thing be started ? Well, that’s where the registry hack comes in. Put the following code in a batch file and run it, after sysprepping the machine (change the path of the vbs script if needed)
reg add HKLM\System\Setup /v CmdLine /t REG_SZ /d "cmd /c cscript //nologo C:\windows\system32\sysprep\EditUnattend.vbs" /f
As I said, run this reg-hack AFTER sysprepping the machine. How ? Sysprep has a commandline option that tells it not to shutdown or reboot but to just quit after running. This is what you should use :
c:\windows\system32\sysprep\sysprep /quit /generalize /oobe /unattend:yourxmlfile.xml
And run the reg-hack when the above command finishes.
If all goes well, you should be ready to go !
Just one final hint : Windows 7 features Aero… But to activate Aero, your computer needs to calculate it’s performance score. Do you want to do that on each and every machine ? No, well, if all machines have the same hardware, run this before syspreping your master-image :
winsat prepop
This will calculate the performance index and put it on your machine in xml-format. If the OOBE wizard finds these xml file, and the hardware hasn’t changed, it uses the pre-populate values and Aero works out of the box ! Enjoy !
UPDATES
- Take a look at this article at MS Support : How to customize default user profiles in Windows 7 and in Windows Server 2008 R2. It explains the CopyProfile switch that you should use to change the default user profile for new users. In fact, I did all customisations (start menu, icons, desktop, settings for IE etc…) to the master image with the local admin user (you have to enable it manually) and then used the CopyProfile switch to copy all settings to the default user profile. This brings us to the next remark…
- As Todd and Tim pointed out in their comments, the reg-hack apparently needs to be added using the local admin account. As I did all customisations using the local admin, this might very well be true.
- The sysprep file offered for download in this articles is for 32bit installations only. Users installing the 64bit version of Windows 7 will need to change all instances of processorArchitecture=”x86″ to processorArchitecture=”amd64″.
Feeling social ?
Mate, this was exactly what I needed to find at the end of quite a long afternoon of raising my voice at my first Win7 deployment attempt.
Isn’t Windows 7 meant to be Microsoft’s ticket to acheiving good corporate adoption of its latest OS? The sysprep basics should have been something they had working out of the box.
Thanks for the very complete description and support files. My deployment is off and away.
My friend, this is the magic solution I’ve been hunting for. I am beyond shocked that Microsoft would botch this part of the sysprep as badly as they have. Sysprep for Windows XP worked like a charm, no fuss, no muss.
This is a nightmare with Windows 7.
[...] Sysprep a Windows 7 Machine ? Start to Finish V2 – Blog.BrianLeeJackson.com And this guide: Windows 7 Sysprep – Tips & tricks TXT (dot) bitprocessor (dot) be It's basically a VBS script which runs after the machine has been sysprepped. On the first run a [...]
This is awesome! Thank you for your help. You might want to mention in your article that the reg key needs to be added using the “hidden” Windows 7 administrator user.
Thanks again!
This article is great. We found it friday afternoon after pulling our hair out, decided to try it over the weekend and got it to work on a workgroup and by editing the vbs i only had to change the computer name and the domain password would sort it’s self out. Came into work on the monday and tested it on the domain, i had to change some settings in the answer file but all is good. One thing to mention, if you are testing this on a 2003 domain, i have found that network admin will not add the reg hack, you have to be logged in with local admin which has to be enabled.
Thanks much for your work on this. Have made many attempts and am still having problems:
Am logged in as the working account created during initial setup of Windows. I use ‘Run As Administrator’ to launch sysprep. Upon launch of sysprep, I get:
1. a prompt from the system tray about setting up Windows Update (I ignore)
2. the Network Location dialog displayed to screen (I cancel)
After the sysprep utility completes, I try to execute the reg hack via a .cmd file, using “Run As Administrator” — This apparently fails, returning a critical error “The device is not ready” — same message I get if I try to manually run regedit.
From re-reading the post and responses, am thinking perhaps I need to be logged in as the local machine admin? Am not certain how to accomplish–Windows setup forces creation of this secondary account and seemingly does not want to let me log in interactively as local ‘Administrator’? Any assistance would be greatly appreciated.
This is absolutely amazing. Works a treat. I am then able to use ImageX and gather an image. However, on a network, how would you push the image out? I have looked at WDS, MDT and SCCM. Neither of them will simply push the image out. I could look at Ghost but I would rather stay with pure Windows technology.
You are genius!!!
Thankyou
this part about final hint (winsat prepop) helped me
Thankyou again
many thanks!
this is exactly what i needed to complete my unattend win7 installation!
Thank u very much!
I am searching for months for a workaround like this..
You are my personal hero in my eyes!!
Greetings from Austria
This works great, but 1 thing I can’t quite figure out, is if you want to only be prompted for a Computer Name and not the domain admin password, can I remove or replace something with my password used to join the domain. I basically only want to be prompted for a computer name only.
The nice way to do this is to edit both XML (remove placeholder and put real password in place) and vbs script (remove section where it prompts for the password and replaces the placeholder in the XML file with the password)
The quick and dirty way is to only edit the vbs file (don’t let it prompt for a password and set it to a fixed string, the XML will then be updated with this string)
Got it! Thanks so much for the quick reply!
6 months ago I was forced to teach myself MDT which basically replaces WDS. All because MS failed to address computer name edits during sysprep. This is a far easier solution!
Question – In your vb script, you have prompts for computer name & password. If I also required a prompt for the domain username (rather than administrator), what would the “strContents = Replace(strContents, “ReplaceMe3″, ????) be?
Thanks again.
To add a prompt for the domain username, you need to do 2 things :
Edit the VBS : add another Do While… loop where you ask for the domain user and assign it to a string variable. After that, add a strContents=Replace… line in the same style as the others that are already there
Edit the XML : look for ReplaceMe2, you’ll see <username>administrator</username> in the line below ; replace “administrator” by “ReplaceMe3″
Finally! Something that just works! Thank you for working on and making available this solution. I do have a question. Since we use an outside source to do our installations we don’t want to make the domain admin password available to them. I read the previous post from Alan about prompting for computer name only however when I make the changes the computer no longer joins the domain. Obviously I’m missing something. Can you help?
OK Moose,, here’s what you do. I got it working for me. On the XML file where you do unattended join, instead of putting ReplaceMe4 for domain admin password or whatever, you put the domain admin password and it stores it. That way all that pops up during install is computer name, domain to join, domain admin (we created a general account to do this). It logs into the domain and you are good to go. Tested on my work computers and it worked great. Takes a little longer to load image but it works.
I tested it further and you can put the domain admin and domain admin password in the XML file and the only thing that pops up is the request to put a computer name and asks to join a domain. It worked flawlessly, name showed up in AD and was able to log in to the domain with no issues. I tried putting the domain name in the XML file and it did not like it at all.
Thanks Tony, Sorry for the long delay. You’re right. It works flawlessly. It would’ve worked the first time if the domain admin hadn’t been disabled on our network. DOH! It’s the simple things that trip us up. The only other issue I’m trying to resolve is how to delete the sysprep.xml after it has finished running (which I assume happens after the domain join). Another sight suggested this cscript:
del /Q /F c:\windows\system32\sysprep\sysprep.xml
But it doesn’t go away after completion. Has anyone else had any success with this?
That’s weird, that script worked for me. I put the it in a folder called Scripts and put the folder in c:\windows\setup folder and it took care of it. Where did you put it?
Tony, I’m pretty sure I dropped it into scripts also. I’m about to build our 6th iteration of our production image. I’ll check to make sure I’m dropping it into the correct folder. Thanks again for your help!
Thanks for the tips.
I have tried using the VB script and reg hack to get my box onto the domain, but still it wont add.
I can add it manualy with the same account details, it’s getting to that stage now where if i had hair, it would be in my hands.
Can anyone help me get this working? I have my own xml file with my custom settings, I run sysprep with the quit command, then run the registry hack, and then reboot. I get the prompts for computer name and admin password, but the PC is never added to my domain.
Here is what my UnattendJoin looks like…
abc
ReplaceMe2
myadminusername
abc.com
cn=Computers,dc=abc,dc=com
Does the MachineObjectOU look correct to put the PC into the default Computers OU? I am pulling my hair out
If ANYONE can help me out, I would appreciate it. Thanks – Justin
Hi, I would suggest checking the sysprep logfiles – it helped me find some issues too. Remember, joining the domain happens after providing the answers to both computer name and password, so let the pc try to join the domain – after that, refer to the information below on where to find the logfiles (copied from Technet)
I figured out my issue. It was regarding the MachineObjectOU field. I was trying to add the computer to the default computers container, so I had this…
cn=Computers,dc=abc,dc=com
I changed cn to OU it works. I use cn=Computers for lansweeper, but Microsoft must want the OU not the container (CN) field. This probably doesn’t make sense, but I got it working great.
Thanks Marteen!
Justin
[...] [...]
Aloha,
I edited the “editunattend.vbs” to pull the serial number from the bios, which is how we name our computers. What I want to do is automatically populate the Popup “Computername” box with the serial number, but can not seem to figure this out!
Please review below and offer suggestions……………….
######################
Option Explicit
Dim answer, answer2, computerName, domainAdminPass, unattendFile, WshShell, fso, unattendFileObject, strContents, strComputer, objWMIService, colSMBIOS, objSMBIOS
unattendFile = “C:\Windows\Panther\unattend.xml”
Set WshShell = WScript.CreateObject(“WScript.Shell”)
Set fso = CreateObject(“Scripting.FileSystemObject”)
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate}!\\” _
& strComputer & “\root\cimv2″)
Set colSMBIOS = objWMIService.ExecQuery _
(“Select * from Win32_SystemEnclosure”)
For Each objSMBIOS in colSMBIOS
Wscript.Echo “Serial Number: ” _
& “D”+objSMBIOS.SerialNumber
next
Do While answer vbYes
computerName = InputBox(“Enter the desired Computer Name:”, “Computer Name”)
answer = MsgBox(“Is this correct?” & vbCrLf & “Computer Name: ” & computerName, vbYesNo, “Verify Name”)
Loop
If fso.FileExists(unattendFile) = False Then
wscript.echo “ERROR: Could not find the unattend file”
Else
‘Read the unattend file in and replace apprpriate variables
Set unattendFileObject = fso.OpenTextFile(unattendFile, 1)
strContents = unattendFileObject.ReadAll
strContents = Replace(strContents, “ReplaceMe1″, computerName)
unattendFileObject.Close
‘Write the updated contents back to the unattend file
Set unattendFileObject = fso.OpenTextFile(unattendFile, 2)
unattendFileObject.Write(strContents)
unattendFileObject.Close
End If
‘ Launch setup (will use the modified unattend.xml)
WScript.Sleep 5000
WshShell.Run “%WINDIR%\System32\oobe\windeploy.exe”, 0, True
To all,
Revisiting my problem auto-joining domain. I figured out that my domain admin is getting disabled after mulitple attempts to join client computers to domain. I get a
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Mon Mar 21 11:46:19 2011,No User,Kerberos pre-authentication failed.
I read somewhere that Server 2008 will disable an account if multiple attempts to authenticate fail within 30 minutes. Is there a way to stop my domain account from flooding the server with request?
Hi
I am trying to sysprep a Toshiba Tecra M11 on windows 7 but get the error ‘Windows Setup could not configure Windows to run on this computer’s hardware’.
I customized the laptop in audit mode with all the software and desktop layout, background etc.
I then placed my unattend.xml in the C:\Windows\System32\sysprep folder. Then I ran sysprep to generalize and reboot and got the error above.
I would be greatful for any help to solve this problem thanks.
My xml files is….
1
1
net user administrator /active:yes
true
true
false
GMT Standard Time
true
Thanks for the tips and tricks, I was learning the waik/w7 imaging today and one of my last changes to my sysprep testing was to add JD – ran into the random name joining my domain, found your article, makes perfect sense -already adjusted the scripts to my needs, i’m sure it will do the trick. Thanks much.
Thank you for the information, it it very helpful.
I wonder though, since I’m not a VBS programmer, is there a way to specify a user name and password (without prompting) to use to join the domain?
For example, I wish to be prompted for a Computer name, but once the computer name is entered and verified, I would like to use something like login name: Myadmin with password, Mypass to join the PC to the domain but not prompted to verify credentials. Is this possible?
Thank you in advance.
Check out my reply on September 22nd, 2010 to get more info about how to do this…
Quick, probably dumb, question. Script works to change computer name, but after changing the name via the dialog box prompt, the command prompt window remains open will windows proceeds with setup. Any way to make that command prompt window disappear after the new name is entered?
I’m with Moose
[mouse=quote]To all,
Revisiting my problem auto-joining domain. I figured out that my domain admin is getting disabled after mulitple attempts to join client computers to domain. I get a
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Mon Mar 21 11:46:19 2011,No User,Kerberos pre-authentication failed.
I read somewhere that Server 2008 will disable an account if multiple attempts to authenticate fail within 30 minutes. Is there a way to stop my domain account from flooding the server with request?[/quote]
My account is also being disabled, throwing off my testing. Does anyone know how to keep my domain admin account from getting locked after trying to automate this process?
I finally got it set up to where it will sysprep and join the domain without asking for credentials. The only problem I have now is that I am trying to figure out how to get sysprep to strip the product key and prompt me for one like it used to in WXPP. The reseal feature of the old sysprep did this. I have not seen where to do this in this tutorial.
This works great and has jumpstarted my process of building images for my company. One problem I seem to be having is once the machine comes out of sysprep and logs in automatically as local administrator… the machine is joined to the domain automagically but the “System Preperation Tool 3.14″ pops up which I didn’t expect. I thought Sysprep had completed at this step of the process. Why is this box coming up?
thanks for this guide. everything went fine.
i have genuine volume license product key entered but windows doesn’t gets activated automatically. is there anyway that windows will get activated automatically.
Success!
Everything seems to work alright. The only issue I have run into is that either copyprofile is not working as when I log in the all my settings are gone. My XML is almost identical in the specialize pass and copyprofile is enabled. It is almost like the copyprofile command getting overlooked.
I have used this process (modified slightly) and it works like a champ. The only thing I’d like to see is a possibility of an active directory query to see if the machine name you’re trying to add already exists.
If you put in an existent machine account in XP Sysprep, you got an error back that the account already exists and try again.
Any thoughts?
Thanks!
Hi,
You say: “auto-joining the domain is a real pain in the ass”. How to disable this auto joining feature? Do you have an idea?
Thanks for help
I was curious would this work with Windows 7 Pro 64-bit? If not anyway I can get this working with Windows 7 Pro 64-bit?
Alex, this works on the 64 bit version. I am creating another image right now for a new machine we are rolling out on the exact version you are asking about. No worries, just follow the directions and go for it.
Hey guys,
I’m able to get to the point where it asks for computer and and domain admin password. Then it starts installing drivers. After that it reboots and i get this error message. Was wondering if anyone seen this message.
Windows could not parse or process unattend answer file [C:\windows\pather\unattend.xml] for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].
So i press OK and it reboots and then tells me WINDOWS CAN NOT COMPLETE THE INSTALLTION.
Not sure what this is. I have not made any changes other then domain and domain user name in the sysprep.xml file. I also changed all x86 to amd64 since this is for a Windows 7 PRO 64-bit build. Any help would be very appreciated. Thanks in advance.
Hey Rick i saw that you got it setup where it will join the doman without asking for password. Is there anyway i can take a look at your sysprep.xml. I was able to it running now but it will not join the domain. Here is my email if you don’t mind emailing it to me. Thanks.
arodriguez@agilis.com
Got it working. Works perfectly. Thank alot for the help and making this possible.
[...] I also recommend reading this article, “Windows 7 Sysprep – Tips & tricks.” [...]
Thank you for this. I hate that I have to learn and tweak VB script for what I could just do with a mini setup as in XP, but oh well. This will help me for other text fields I want to manually replace such as product key, etc.
I’m running into the same problem that Alex is…
Windows could not parse or process unattend answer file [C:\windows\pather\unattend.xml] for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].
…any idea on how to get past this. I’ve tried entering a vlaid key (from reading some of the earlier posts) and it is still not working…
Same as Kevin, I am unable to run the registry hack. I get a message “the device is not ready”
I tried to run it from another admin account but no luck…
Can someone help please?