866-754-3592

UIU Blog

rss
Technical issues deploying 32-bit operating systems to modern hardware

Technical issues deploying 32-bit operating systems to modern hardware

WinPE technical limitations – Memory Allocation

The UIU functions within WinPE in order to accomplish the daunting task of providing drivers on-the-fly to any make/model of business class PC. In order to accomplish this, the UIU requires access to the registry hive of the target PC from within WinPE. Occasionally, situations present themselves wherein the limitations of hardware architectures and components conspire to prevent proper execution of processes in WinPE.


Problem Description:
When attempting to mount an offline registry hive for a 32-bit OS image (at least through Win10 1703), (which requires WinPEx86), on hardware that has more than 4Gb of RAM installed, the allocation of memory blocks can be insufficient to mount the entire registry hive which causes part of the registry to be written to memory locations that cannot be properly addressed. Upon dismounting the offline registry hive, the part of the hive that was written to those locations will be truncated which results in a corrupted registry, and a BSOD upon reboot. The issue is seen on primarily (but not limited to) newer, 64-bit designed hardware.


What is really going on?
In particular instances, the following variables may combine to affect the mounting of an offline 32-bit OS registry hive into RAM while operating in WinPE:
  • RAM type
  • RAM quantity
  • RAM configuration
  • RAM block utilization


In effect, if there are insufficient contiguous blocks of RAM to hold the mounted offline registry hive, the data is truncated and no error is presented at the time. After reboot, when windows attempts to mount the registry, the corrupted registry causes a system halt and subsequent BSOD. In the case of the UIU, the truncated mount also inhibits the UIU’s ability to determine necessary details of the target machine required to function as designed, culminating in a failed UIU-prepared deployment of the 32-bit OS to the target hardware.


This is a known issue with WinPE:

Win2008R2/Win7: STOP 0xF4 during Task Sequence / OS Deployment

"This process is sometimes a problem when using an x86 boot image. Basically because WinPE has no page file, WinPE relies completely on what physical memory is available. The end result is that memory in WinPE gets very fragmented. With x64 WinPE this is not a big deal on most modern PCs because there is a lot of memory available. However with x86 boot images, there is a limit of how much memory can be addressed (around 3GB) regardless of how much memory the PC actually has. The end result is that when the memory gets very fragmented with an x86 boot image, there is less of a chance of there being a piece of contiguous memory that large enough to hold the registry that needs to be mounted. In these situations, when the registry gets mounted, it gets corrupted and part of the registry basically gets chopped off."



In the instances where this issue is encountered, given the limitations of the x86 architecture, the UIU can only offer the following resolutions at this time:

Potential Resolutions:
  • Remove all but 4Gb RAM from the offending hardware
  • Utilize native SCCM driver inclusion technology with customized UIU driver packages (provided by UIU Support)
  • Install/deploy a 64-bit OS version


Please contact UIU Support for additional details.


Audit Mode and the UIU

What is Audit Mode?

Although the feature has been an option since Windows 7, it has become increasingly necessary when deploying Windows 10 operating systems. Audit Mode allows the OS to enter a state using only the default, built-in Administrator profile so that system and application settings are only applied to the single instance of the profile. This becomes crucial in the preparation of a base image used in OS deployments, enterprise-wide.

Why is Audit Mode a thing?

Because Microsoft Sysprep is a thing… Windows 10 employs a method of Application Provisioning that can cause problems with Sysprep. During the OOBE (Out Of Box Experience) process, profiles (in addition to the built-in Administrator profile), will be created. As applications are installed, either as a function of the OS install or by the Technician, Windows 10 Application Provisioning will apply settings to available profiles which may cause Microsoft Sysprep to fail during execution.

For more information, please review: Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images

How do I use Audit Mode?

Step 1 – Boot the base image PC (Windows 10) to Audit Mode
Remove the base image PC from Internet Access.

Establish the base image; install the Windows 10 operating system, presumably from DVD media.

After Windows installs necessary operating system files, (potentially requiring several reboots), the administrator will be presented with customization options.



Settings Dialog Box


Disable Auto Updates


Do NOT select any options on this screen!




Instead, initiate Audit Mode with the key combination CTRL+SHIFT+F3. The machine will then reboot and enter Audit Mode. This will prevent the creation of user profiles and the built-in Administrator account will automatically sign-in. A Sysprep dialog window will launch and should be minimized.



Note: Once a machine has been booted into Audit Mode, it will remain in that mode, (regardless of reboots during software installation and configuration), until OOBE is explicitly initiated with Sysprep, either manually by executing Sysprep.exe or through the use of the Sysprep Assistant.



In Audit Mode, the built-in administrator account is enabled by the system and allows the administrator to make all changes desired. Once sysprep is executed (with OOBE), this account will be disabled by default. For more information, please review Enable and Disable the Built-in Administrator Account.


It should be stressed that Windows Store apps must not be allowed to automatically update (which they are set to do by default). It is strongly advised to leave the machine disconnected from any networks until Windows Store apps can be disabled from updating automatically, or leave it unplugged for the duration of setup.

To disable Windows Store automatic updates:
  • Run: gpedit.msc (elevated privileges)
  • Navigate to Computer Configuration > Administrative Templates > Windows Components > Store
  • ul>



    gpedit.msc


    Disable Auto Updates


    Select “Enabled” for the setting: “Turn off Automatic Download and Install of updates”





    After Windows Store Apps automatic updates are disabled, attach the base image PC to a network with Internet Access.

    Step 2 – Customize the Windows 10 image
    With Audit Mode enabled, all changes to system (OS) settings as well as application settings will be made to the Default User profile which will be used later to create local PC users. Consider two types of applications that may be installed. Applications that are installed from executable files (e.g. setup.exe) will be referred to as Application Installations. Applications that are part of the Microsoft Store (provisioned applications) will be referred to as Microsoft Provisioned Apps.

    Application Installations may be launched from Windows File Manager by browsing and launching the appropriate executable.

    In order to install Microsoft Provisioned Apps, it is recommended to utilize PowerShell with the integrated module, PackageManagement or OneGet. PowerShell may need to be launched manually from the Windows folder.

    Navigate to C:\Windows\syswow64\WindowsPowerShell\v1.0 and then execute the powershell.ise application.

    In order to enable the installation of software from a package provider, rights must be extended to run scripts:

    Set-ExecutionPolicy Unrestricted

    Next, a package manager or provider must be selected. The package manager requires unrestricted script execution policy, which is why it was set first thing after PowerShell is launched. Add the provider using the Get-Packageprovider <PROVIDER> command.

    More information on this command can be found here: Get-PackageProvider

    Step 3 – Install the software required on all machines
    In order to install Microsoft Provisioned Apps, apply the Install-Package script.

    For example, to install Google Chrome, Adobe Reader, 7Zip and Brave:

    Find-Package –Name GoogleChrome, AdobeReader, 7zip, Brave | Install-Package

    The system may require a reboot to install an application and will return to Audit Mode post-reboot.

    Step 4 – Installing Windows Update (if desired)
    The Windows Update Center is dependent upon OOBE mode in order to apply updates and will fail in Audit Mode for operating systems newer than Windows 8.1. In this case, the PoerShell module PSWindowsUpdate may be used.

    Windows Update PowerShell Module

    Excerpt from Technet:
    Module can be installed manualy (sic) by downloading Zip file and extract in two places:

    • %USERPROFILE%\Documents\WindowsPowerShell\Modules
    • %WINDIR%\System32\WindowsPowerShell\v1.0\Modules
    Be sure to run the PSWindowsUpdate.cmd, As Administrator. After all available Windows Updates have been applied, the extracted module may be removed from the Windows folder.

    Step 5 – Remove built-in applications (optional)
    If desired, built-in applications may be removed using the following scripts: (This may no longer be a complete list)

    Get-AppxPackage *Twitter* | Remove-AppxPackage
    Get-AppxPackage *CandyCrushSaga* | Remove-AppxPackage
    Get-AppxPackage *solitairecollection* | Remove-AppxPackage
    Get-AppxPackage *bingweather* | Remove-AppxPackage
    Get-AppxPackage *bingnews* | Remove-AppxPackage
    Get-AppxPackage *bingsports* | Remove-AppxPackage
    Get-AppxPackage *3dbuilder* | Remove-AppxPackage
    Get-AppxPackage *windowsalarms* | Remove-AppxPackage
    Get-AppxPackage *Appconnector* | Remove-AppxPackage
    Get-AppxPackage *windowscalculator* | Remove-AppxPackage
    Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage
    Get-AppxPackage *windowscamera* | Remove-AppxPackage
    Get-AppxPackage *officehub* | Remove-AppxPackage
    Get-AppxPackage *skypeapp* | Remove-AppxPackage
    Get-AppxPackage *getstarted* | Remove-AppxPackage
    Get-AppxPackage *zunemusic* | Remove-AppxPackage
    Get-AppxPackage *windowsmaps* | Remove-AppxPackage
    Get-AppxPackage *Messaging* | Remove-AppxPackage
    Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage
    Get-AppxPackage *bingfinance* | Remove-AppxPackage
    Get-AppxPackage *zunevideo* | Remove-AppxPackage
    Get-AppxPackage *onenote* | Remove-AppxPackage
    Get-AppxPackage *people* | Remove-AppxPackage
    Get-AppxPackage *CommsPhone* | Remove-AppxPackage
    Get-AppxPackage *windowsphone* | Remove-AppxPackage
    Get-AppxPackage *photos* | Remove-AppxPackage
    Get-AppxPackage *WindowsScan* | Remove-AppxPackage
    Get-AppxPackage *windowsstore* | Remove-AppxPackage
    Get-AppxPackage *Office.Sway* | Remove-AppxPackage
    Get-AppxPackage *soundrecorder* | Remove-AppxPackage
    Get-AppxPackage *xboxapp* | Remove-AppxPackage
    Get-AppxPackage *XboxOneSmartGlass* | Remove-AppxPackage


    Step 6 – Preparing to use the UIU

    UIU Classic

    Within Audit Mode: Run the UIU Classic (including the import of or creation of a Sysprep answer file)

    Shutdown and capture, then deploy.


    UIU5

    Within Audit Mode: Complete the base image setup by executing Sysprep with appropriate flags:

    C:\Windows\System32\Sysprep\Sysprep.exe /unattend:<path to file>\filename /generalize /oobe

    For more information, please review: Methods for Running Windows Setup

    Shutdown and capture, then deploy with the UIU 5 product:
    UIU 5 - Quick Steps


    UIU Plug-ins 2.0 for MDT/SCCM

    Assuming that a base image was created and imported into MDT or SCCM:

    Within Audit Mode: Complete the base image setup by executing Sysprep with appropriate flags:

    C:\Windows\System32\Sysprep\Sysprep.exe /unattend:<path to file>\filename /generalize /oobe

    For more information, please review: Methods for Running Windows Setup

    Shutdown and capture, then deploy with the UIU Plug-ins2.0 product:
    MDT UIU Plug-ins 2.0 for MDT - Quick Steps

    SCCM UIU Plug-ins 2.0 for SCCM - Quick Steps

What is this “Keylogger” business?
In an era where we are all sensitive to computing security issues, whether it be from foreign powers, internal leaks, or from nefarious hackers, we are increasingly bombarded with media reports about new and seemingly disastrous computer security vulnerabilities. Some of these threats are very real and some are a bit of a hyperbole. The reality of the situation is that each of these potential vulnerabilities must be assessed objectively for the impact that they may actually have on an organization or individual.

For example, in 2017 when Equifax was breached and 145.5 million Americans’ personal information was exposed, the alleged culprit was a flaw in a design tool used to build web sites. The flaw was reported months before the attack. This is an example of a very real vulnerability resulting in very real losses.

In another example, the KRACK wi-fi vulnerability, widely covered in the media, would allow malevolent parties to eavesdrop on the datastream when a device was connected to public wi-fi connections. This vulnerability seems very serious and indeed potentially could be. It must be stated that the reality of the situation is that devices are connected to various unknown or unsecured wi-fi routers on a regular basis without concern for the potential of exposed datastreams. Notably, the vulnerability could also be used to interject code, presumably malware, into unprepared websites in order to infect machines (think ransomware). However, an attacker would need to be within range of the targeted wi-fi network. This greatly diminishes the potential for damage in many cases. Also, the network traffic could be eavesdropped upon only if it is not encrypted (think HTTPS or VPN). So, is the vulnerability real? Yes. Is it serious? Well, it could be. If network services are sufficiently protected/encrypted, the risk is ultimately rather low.

That brings us to the “keylogger” issue. Its name and description would lead us to believe that it is very dangerous, particularly when combined with other attacks designed to transfer the logged results of the keylogging to a nefarious party. In May of 2017, HP released an audio driver that contained the keylogger vulnerability. Again in December of 2017 HP released a touchpad driver that contained the same or similar vulnerability. The same questions apply. Is the vulnerability real? Yes. Is it serious? It could be. Again, if network services, particularly access to the logged results, are sufficiently protected, the risk is low. In the case of the touchpad driver, Synaptics claims that the keylogger feature is part of a “debug tool”:

”The debug tool cannot be turned on or used except by a person with Admin access and special developer tools. When turned on, the debug tool collects data in a proprietary binary format for a rolling memory buffer that gets either overwritten or deleted every time a power event happens.”


That said, of course all of these vulnerabilities should be remediated. By the same token, steps should be taken, or in some cases should have been taken, to secure local access to machines and to secure communications over business (and public) networks. I know, I know… Mistakes happen; things get missed. We all do our best. On that note, Big Bang LLC takes each of these matters seriously when they are reported. We do our very best to insure that the drivers that are delivered with the UIU are the most recent and secure versions available from component manufacturers and OEMs. We encourage all of our customers to bring potentially vulnerable drivers to our attention so that we may update or eliminate them from consideration by the UIU.

Reports of potentially vulnerable drivers may be submitted to UIU Support.

Joining Lenovo Yoga laptops to a domain using an SCCM task sequence

Factors:

  • Yoga model laptops
  • Windows 7x64
  • SCCM Current Branch
  • Domain Join
  • USB3 Ethernet dongle

Summary:

When deploying Windows 7 x64, particular Lenovo Yoga models do not successfully initialize the USB3 Ethernet dongle driver in time for the Join Domain function to succeed during mini-setup, resulting in a failure to join the domain.

Testing:

Big Bang Support has run a myriad of tests to isolate the USB3 driver, the Lenovo dongle driver, other dongle drivers, SCCM (Current Branch) Task Sequence settings, and hardware/BIOS settings.

Results:

  • The drivers (USB3 and dongle) appear to install correctly in any case.
  • Non-Yoga models succeed in joining the domain (manually, through MDT, and through SCCM) each time.
  • Yoga models succeed in joining the domain when their BIOS (USB Boot) is set to disable USB3. (This is an expected result with Windows 7 as it is known to have some difficulties in general with USB3). Unfortunately, this disables USB3 support.
  • Incidental – the Yoga docking station will not PXE when the BIOS (USB Boot) is set to auto USB3. (Expected behavior according to Lenovo)
  • Various forums have revealed that this issue, (among others), appear to plague these models…

Conclusions:

Based on our findings, (for the Yoga series laptops specifically):
  • These models contain a proprietary set of on-board USB3 components, (presumably to accommodate the unique docking station connector).
  • These models appear to require an extended time period in order to install and initialize the USB3 hub and subsequently the USB Ethernet dongle.
    • In fact, when we manually installed the dongle driver (in WinPE), it took about 3½ minutes to simply install, which is an exceptionally long time to load. This is evidence that this is a hardware-related, timing issue.

Proposed Solution:

Add an additional Join Domain or Workgroup step to the SCCM task sequence (TS). Add the task post mini-setup; directly after the Setup Windows and Configuration task in the Setup Operating System group. This task will make an additional attempt to join the domain in the event that the mini-setup initiated join fails. Again, in the specific case of this hardware, it will attempt to join the domain after a sufficient amount of time has passed and the dongle driver (with its unusually long installation period) has successfully installed and initialized.

Other solutions researched purported to accomplish the desired effect though scripting and other complicated configurations that required creating packages specific to the Yoga hardware, (which may interfere with other makes/models).

Upon testing this procedure in SCCM Current Branch, we found that the Yoga tablet/laptop will successfully join the domain when the BIOS (USB Boot) is set to auto USB3.

Additional Information:

Furthermore, this additional Join Domain task appears to not cause an issue with other hardware, (which successfully join the domain during mini-setup), that is not susceptible to the proclivities of the Yoga hardware. Obviously, the procedure would need to be proven in any given customer environment and, if necessary, measures to isolate the additional Join Domain or Workgroup task could be scripted to isolate the process for the Yoga machines alone.

Fix a failed Application Install/Uninstall

So, you’re sitting at your PC (or a customer/user’s pc) minding your own beeswax, just installing an application, or perhaps uninstalling an application when… BAM! Something awful hits the fan! Now the bloody thing is all locked up and not responding to any key strokes or mouse clicks. It won’t even let you open up Task Manager to see what in the hell it might be up to, even though you’re pretty sure that it’s up to absolutely nothing…


Now, invariably, the user was standing, looking over your shoulder, absolutely clueless about the fact that you’re boned and about the fact that you too are absolutely clueless… (No, I’ve never been in that position!)


If you’ve been working with PCs for any appreciable amount of time, any good troubleshooter knows that sometimes, for one reason or another, an install or uninstall will get “borked” and that usually happens at just the wrong moment, of course. Thank you Murphy, for that little gem of a “law”…


What happens during application installation or uninstallation?

Lots of stuff, really: files get copied, registry settings are potentially altered or created, active directory information may be read or altered, schema extensions may be initiated, operating system variables may be set, and Programs and Features registration is typically instantiated. Of course, it varies widely based on application demands and requirements… When, for various reasons, one of the necessary steps for an app install or uninstall doesn’t complete or fails outright, it can leave the app in a state of limbo, inhibiting the required re-installation of the app or, in extreme circumstances, it can inhibit the usefulness of the entire system. At the very least, it leaves administrators with a loss of confidence in the system and a dread that the problem is indicative of future time-consuming troubleshooting.


What can you do when it all goes bad?

I’ve personally used many methods in the past including registry/file scraping where I try to find all references to the app and ruthlessly (albeit recklessly) remove all discovered instances, in a subtle homage to Orson Wells. I’ve also tried clearing temp files and have, of course, resorted to the time-tested “restart and see if that helps” method, usually followed immediately by, “Ok, let’s see if a hard boot helps”. What else? I’ve restored from Restore Points, run OS diagnostics; I’ve even run some very questionable, 3rd party applications to “reset” the registry. Basically, I’ve tried everything short of waving chicken bones, drenched in the blood of the vanquished, under a full moon at midnight on a solstice. I’m saving that one for a really critical situation!


Although some of these solutions have worked some of the time, most of them live in the “60% of the time, it works every time” category. Although there are not hard-and-fast, always effective methods, I’ve been made aware of some interesting tools from Microsoft and, so far, have had success with them. I thought others may appreciate knowing about them.


Microsoft FixIt – Fix problems with programs that cannot be installed or uninstalled

This tool is so simple to execute that I’m having difficulty elaborating, so perhaps for once, I won’t. Suffice it to say that the UI is intuitive.


Download MS Fix It - Fix Problems - Install/Uninstall

Choose desired level of automation:


MS Fix It Troubleshooter

Indicate when the problem occurs:


MS Fix It uninstall install

Select the affected product (this example = uninstall):


MS Fix It select affected program

When the process is complete, you’ll receive a results screen indicating that it was (or was not) able to resolve the problem. It’s that simple.

 

Microsoft MsiZap

This tool is a bit more involved and, I presume, a bit more risky — think of “malware detection programs reminding you that removing some discovered items may result in the untimely death of your OS” risky. The tool removes all Windows Installer information for one or more applications on a PC through the clever use of Product Codes. With command line options, you can also elect to remove rollback information, remove the “In-Progress” key, or even change ACL’s to Admin Full Control.

Download MsiZap

As the command line nature of the application can be a bit unwieldy, I’ve included a link to examples of its use as well. Heads-up! You’ll need to be able to determine Product Codes for applications that you’d like to target. Fun!


Syntax Examples:

MsiZap Examples


That's all for now


In summary, we all have our methods; some of those methods are more sound than others or at least more based in actual computer science and we’ll likely continue to employ what we perceive to have worked for us in the past. That’s great. Here are two more for your arsenal. Godspeed, John Glenn!




Deployment Solution Add-ons - Plug-in Integration vs. Stand Alone

Is it always beneficial to employ partially or fully-integrated add-on software with your deployment solution? Well, it depends on your process, and your process depends on the capabilities of your selected OS deployment solution.

Third-party applications can be useful in assisting in the management of drivers, application packaging, and patch management, among others. Your solution may include these functions, yet sometimes a third-party vendor, dedicated to one function, may do it better/offer more granularity/better features, etc.

If you have a process that does not include OS images derived from installation media, and you wish to employ third-party software to augment the preparation of your final deployed OS, you'll find that stand-alone add-ons are your best if not only option. You may also find that the selection of available stand-alone applications is not plentiful. The design of stand-alone applications must take into account the state of the operating system and be executed (usually manually) at a specific time during the OS deployment process, either prior to the image capture or after image deployment.

One of the big draws of solutions that utilize imported OS images is the capability to make changes to OS configurations during the application of a raw image when the OS is offline and able to accept changes to files and registry entries. Many of these solutions, such as Microsoft SCCM or MDT, not only allow for development of integrated applications though the support of software development kits (SDK), they also support the creation of automated answer files (with varying granularity) to assist in the configuration of the deployed, raw OS.

Integrated applications, when given access to sufficient features of the deployment solution, can execute the design of the add-on with great efficiency, using standardized, approved methodologies. This enables a high degree of stability and consistency, often reducing associated troubleshooting efforts.

So, if you're selecting a new OS deployment solution or considering a more efficient process, be sure to research what third-party applications are available and potentially useful in your environment. Save yourself some time and effort!

How important are third-party integrated applications within your deployment solution?

What are your favorite plug-ins?

 


Windows Aero Interface Affected During Deployment

Since Windows Vista, the user interface of Microsoft's operating systems has been greatly enhanced to provide for a smoother, more friendly-on-the-eyes look and feel. This is largely due to the creation of the Windows Aero interface. This interface and the guidelines to which it is restricted can affect the appearance and layout of text windows in applications. The visual effects may be set by the creative use of Group Policy Objects (GPO) or in a base image, prior to deployment.

In the case of UIU Standard, some customers have reported some aberrant GUI behavior which Big Bang Support has discovered to relate directly to these visual effects.

What are the Symptoms?

Checkmarks in UIU Standard user interface (during the Prepare Sysprep Configuration step) for Computer Name and Copy Profile quickly disappear and are therefore not verifiable after the box is checked. In fact, the checkbox is selected and the activated feature will perform as expected; the mark simply is not visible.


 
Note: The two checkboxes above have been checked

Why is this happening?

The reason for this behavior is directly linked to a specific Windows 7 Aero feature having been turned off or Visual Effects having been set to Adjust for best performance, which will disable all visual effects.

 


How can this be corrected?

In Control Panel; System; Advanced System settings, click on the Advanced tab and then select the Settings button in the Performance sub-section.  Make sure the checkbox for Use visual styles on windows and buttons is checked, (it may be necessary to scroll to the bottom of the list). Alternatively, Select Either Let Windows choose what's best for my computer or Adjust for best appearance


The Problem With Drivers That Include Executables

Some device drivers used in hardware include executables along with hardware drivers. Some devices (graphics and audio) include them more frequently, particularly drivers that have been modified and re-branded by major manufacturers. These executables can prove problematic when utilized during a full, unattended installation of an operating system by a PC imaging process. Some drivers insist on the use of their included installation program, which can usually be circumvented, and almost all of them are useful, applicable, or compatible with only one make or model configuration of PC.

If a business is applying a uniform image to PCs with disparate make or model configurations, the installation of the driver's executable will either:

  • fail
  • be applied to hardware for which it was not designed or is compatible
  • be installed on every PC in a business' inventory regardless of its usefulness

At best, this wastes PC resources with an unnecessarily running program. At worst, it can generate faults and deviate valuable human resources in its remediation.

Some of these drivers actually require an associated executable in order to be configured properly and completely. Their number is very small and if the driver is prepared well, will include instructions for the installation of the executable in its INI file, and the driver will be installable in an unattended fashion. Many of these executables take the form of a CPL or control panel add-in and possibly an associated system tray icon.

Are these hardware-specific applications necessary? Many of these types of applications relate to options for graphics controllers, Wi-Fi connectivity, sound controllers and hotkeys on laptops. The vast majority of the time, they supplant functions already represented by the operating system, with branding opportunities and user-friendly graphical interfaces. In a business setting, they are almost never necessary to operate the hardware, even if they may be desirable. For IT managers, it is favorable to minimize the quantity of applications that may require support, balanced with the actual benefit that those applications provide.

So, how should these hardware-specific applications be applied in the context of an operating system deployment (if they are necessary or sufficiently desirable)? The answer is simple even if the process can be complicated.

Use a bona-fide application deployment methodology. Most modern OS deployment packages either include or work with a separate application deployment feature. Products such as Microsoft's SCCM or Symantec's Ghost Solution Suite include such functions natively. As mentioned, there are third-party options available and many allow application packages to be generated in a several different styles for application to a Microsoft OS natively (such as MSI) or to utilize some installation method (such as EXE).

The bottom line is this: Don't try to force your operating system deployment methodology to do something that it's not designed to do well.


Using Sysprep to Extend Disk Partition in Windows 7

 

UIU Support Case Example - Using Sysprep to Extend Disk Partition in Windows 7.


Many features of Windows operating systems that are accomplished natively by Sysprep are included in the various imaging solutions available on the market. One example of these features is the extension of a partition to utilize the total amount on the disc to be imaged, regardless of specific size.  This particular feature is executed during mini-setup.

Some imaging solutions include features to perform this operation well. The trouble is that some do not.  In the case where this feature is not included in the employed imaging solution, an administrator must resort to using the native toolset by manipulating the Unattend.XML file, (in Windows Vista and newer). 

If third party software is used during imaging, consideration must be given to the potential ramifications of certain Sysprep commands.  Special attention should also be paid to the feature from the perspective of which pass in Sysprep the command should be interjected to facilitate its proper inclusion into the Windows setup process.

In the specific example mentioned above, the following section would need to be added to the Specialize pass (outside of the RunSynchronous command) of the Unattend.XML:

<extendospartition>
<extend>true</extend>
</extendospartition>



An example of its placement follows:

<settings pass="specialize">
   <component name="Microsoft-Windows-Deployment" processorarchitecture="x86" publickeytoken="31bf3856ad364e35" language="neutral" versionscope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<runsynchronous>
<runsynchronouscommand wcm:action="add">
<order>1</order>
<path>net user administrator /active:yes</path>
</runsynchronouscommand>
</runsynchronous>
<extendospartition>
<extend>true</extend>
</extendospartition>
   </component></settings>


Firm Up Your Firmware for Windows 8

UIU Support Case Example - Firm up your firmware.

With the release of Windows 8, now is an opportune time to revisit the software core to your PCs, namely the firmware (BIOS). This software controls the identification of components in a system along with corresponding features of those components and affects the very bootability of the PC itself.

Why is it a good idea to keep your BIOS up-to-date?

  • Faulty BIOS firmware can negatively affect a variety of components and systems.

  • Out-of-date BIOS firmware can result in security vulnerabilities.

  • Out-of-date BIOS firmware can result in OS incompatibilities, rendering the PC unbootable or unusable.

  • Out-of-date BIOS firmware can prevent or interfere with the installation of an OS.

While updating the BIOS might seem like a no-brainer, it's remarkable how often even we forget to upgrade our firmware. One example that we observed in our lab relates to the video display of a common Dell laptop. Upon deploying an image of Windows 8 to the laptop, we identified that the display presented only a black screen with no opportunity to provide input. Troubleshooting efforts revealed that the OS image did in fact deploy, but the machine could not handle calls Windows 8 was making to the display. As a matter of routine, the BIOS was upgraded and voila!, the display functioned as expected. This obviously encouraged us to review the firmware levels of all of our lab hardware and we thought we'd pass the reminder along to our customers/blog followers.

A note on UEFI:
What is it? Unified Extensible Firmware Interface is a 64-bit replacement for BIOS and provides many advantages over BIOS, including support of GPT or GUID Partition Table (replaces the MBR) schema allowing for large boot partitions, a pre-OS environment with networking, architecture supporting intuitive user interfaces and cryptography; all operating independent of the CPU architecture and drivers.

Why might this be important?
Windows 8 offers the integration of Secure Boot technology, available only with UEFI, which will allow systems to authenticate before the PC boots; virtually eliminating the impact of malicious software that attempts to load at boot, including those pesky rootkits. More on UEFI from MSDN

Summary:
If your organization is investigating or planning to migrate to Windows 8 in the future, now is a great time to reassess your firmware interface technology. Perhaps consider UEFI over BIOS or simply maintain your BIOS firmware levels and update them as necessary to avoid conflicts or difficulties when deploying Windows 8 within your environment.