Imaging Overview

Imaging services are provided through System Center Configuration Manager, SCCM.

Operating System deployments are done using Task Sequences. You can think of a Task Sequence as a script that SCCM executes from top to bottom. Logic can be added to steps to allow SCCM to decide whether certain sections or steps should be executed.

Task Sequence Basics

A Task Sequence that deploys an Operating System consists of a number of components, including:

Boot Image – The boot image is a WinPE environment used during the operating system deployment. It has minimal capabilities. We have added features to our boot images to run PowerShell and add the Active Directory PowerShell module. See SCCM Boot Image Management for more info.

Operating System Images – Operating System Images can be broken down into two classes: default and custom. Default images are taken from the original media from \Sources\install.wim. Custom images or reference images are images customized with applications, settings, etc., captured and deployed.

Operating System Upgrade Package – Contains a full copy of the original installation media.

Drivers/Driver Packages – A collection of drivers usually associated with one make and model of hardware. In a more standardized corporate environment, having a Driver Package for each hardware configuration would be easy. Even with the CPI list, we still have a diverse range of machines, which would make maintaining a Task Sequence with all of the appropriate Driver Packages time consuming. We do not use Driver Packages, but use other means of automating the driver download and installation process.

Updates – Windows and 3rd party updates can be installed at installation time. This can add significant time to the operating system deployment process. We update the Operating System Images and Packages at least quarterly to speed up the deployment process and reduce the amount of time it takes for machines to be fully patched after deployment. See Image Patching for more info.

Supported Operating Systems

Every effort will be made to provide all currently supported Microsoft Operating Systems for deployment. While not all supported operating systems will have a centrally managed, campus-available deployment, Colleges and Departments may request a Task Sequence to deploy currently supported operating systems not available at the NCSU level.

Windows 10: Current version + one. Example: Windows 10 1809 is the mandatory Fall deployment, so there will be an NCSU level deployment available for 1809 and one version back, 1803. For those that want to stay up-to-date we will also be making the Spring Windows 10 releases available for deployment. Please refer to the patching policy for information about emergency or out-of-band Windows 10 Upgrades.

Server: By default we will only be making the Long-Term Servicing Channel, LTSC, available for deployment. If groups are interested in deploying the Semi-Annual Channel, SAC, release, please submit a ticket to activedirectory_imaging@help.ncsu.edu.

Drivers and BIOS/Firmware

We can only guarantee to support CPI purchased machines. The CPI list is updated on a regular basis, and drivers and BIOS/Firmware will be updated as soon as possible thereafter. Drivers are updated at least quarterly. During operating system deployment the latest drivers will be installed. Drivers will also be upgraded during an operating system upgrade. There are plans to also upgrade BIOS/firmware during operating system deployments and upgrades.

Drivers and BIOS/firmware are downloaded using the modern driver management tools from https://www.scconfigmgr.com.

See Driver Package Management for more info.

Updates

Updates are applied to images using OSDBuilder. Images and Upgrade Packages are updated on a quarterly basis.

Default Task Sequence

Bare metal and Reinstall

The same Task Sequence is used for bare metal installs as well as reinstalls. Because of that, there are a few steps that are necessary for reinstalls but not bare metal installs. All default NCSU level Operating System Task Sequences contain the following steps:

Disable BitLocker – Needed for reinstalls. If a drive is BitLockered and BitLocker is not disabled before the machine reboots, the Task Sequence will fail. If SCCM tries to disable BitLocker and BitLocker is not enabled, the step will continue.

Restart in Windows PE – If the Task Sequence is started from the Software Center, the computer will reboot into the WinPE image assigned to the Task Sequence. If a machine PXE boots and the boot image is different from the version of WinPE assigned to the Task Sequence, the machine will have to reboot into the correct WinPE image before starting the Task Sequence.

Partition Disk 0 BIOS/UEFI – BIOS and UEFI machines have different disk layouts, and require different steps to detect how to format the disk. By default SCCM tries to format Disk 0, and it formats the entire disk. If you have multiple disks in a computer, it is recommended to disconnect any data disks to avoid loss of data. If you have one disk that has been formatted with two partitions, one for the C: drive and a second for data, back up all data, as SCCM will format the entire drive and any saved data will be lost. You can have a customized Task Sequence created that takes into consideration the presence of multiple drives or multiple partitions on a disk.

Set OSDComputerName – Custom script that uses the MAC address or UUID to search AD for a prestaged computer account, takes the name of that computer object and sets it as the Task Sequence variable OSDComputerName. More information about the script can be found here.

Dump list of Task Sequence Variables – For troubleshooting purposes, this script writes all current Task Sequence variables to a log file called TSVariables-yyyy-MM-dd-HH-mm-ss.log. The log can be found in the default SCCM log file locations.

Apply Operating System – Applies wim file to hard drive

Apply Windows Settings – Brands the operating system, sets the time zone, and sets a randomized local administrator password. For departmental custom Task Sequences the password can be set to a known value, and it will get overwritten after LAPS is installed.

Apply Network Settings – Joins machines to WolfTech domain

Auto Apply VMware Drivers – The only “traditional” SCCM driver package we use. Uses a WMI query to determine if the machine is a VMware VM and, if so, injects the VMware drivers into the operating system.

Dynamic Driver Package Detection – Uses the previously mentioned modern driver management script to connect to SCCM web services and search for a driver package based on: operating system, architecture, make, and model. If a compatible driver package is found, it is downloaded and installed using either dism if done in WinPE or pnputil if in the full operating system.

SCCM Client Install GPO Settings – The SCCM client is installed using a GPO. The GPO writes a registry key so Windows doesn’t try to reinstall the client after it has already been deployed. Since the SCCM agent is installed during the Task Sequence, we prepopulate the registry key so Windows does not try to install the SCCM agent on first boot.

Setup Windows and Configuration Manager – Installs the SCCM agent

Install VMware Tools – Uses an Install Application step to install a version of the VMware tools. With a large number of groups on campus running services on VMware, either through OIT or on their own, we thought it provided the best experience for end users to have this preinstalled.

Upgrades

All Upgrades are “in place upgrades” and all files and applications should be retained. Upgrade Task Sequences can only run from inside Windows. A deployment will either need to be Mandatory or made Available and started from the Software Center.

Check Readiness for Upgrade – Verifies the computer meets the minimum requirements to upgrade. A computer will need at least 32 GB of free space to download and install the upgrade.

Upgrade Operating System – Upgrade process takes place in the background. Users can continue to work.

Restart Computer – The reboot is required and the reboot cannot be suppressed or postponed.

Dynamic Driver Package Detection – Uses the previously mentioned modern driver management script to connect to SCCM web services and search for a driver package based on: operating system, architecture, make, and model. If a compatible driver package is found, it is downloaded and installed using either dism if done in WinPE or pnputil if in the full operating system.

If need be, checks and after-action steps can be configured. Application, hardware, and driver compatibility can prevent a machine from upgrading. If there is a particular application that is preventing an upgrade from proceeding, a customized Upgrade Task Sequence can be created to uninstall the affected application before performing the upgrade, then reinstall it afterwards.

Custom Images

Departments can continue to create their own custom “fat” images. An alternative to preinstalling applications into an image would be to have the Task Sequence install them at deployment by using an Install Application step. Each step can install up to 99 Applications. Keep in mind the applications that are getting installed and the size of the cache, and know the cache might need to be cleared several times to get all of the desired applications installed. Adding Application deployments to the Task Sequence can add time, but it helps guarantee that the most up-to-date applications are being installed. Customized images can be uploaded to the deployment share. Submit a ticket to activedirectory_imaging@help.ncsu.edu with the UNC path of the image.

Basic Troubleshooting

I PXE boot the machine, the boot image starts to load but reboots before I can select a Task Sequence

One of two things is happening. The most likely issue is that there is no Task Sequence deployed to that machine. The MAC address is already associated with a computer object in SCCM. Add the AD computer object to an OS group, wait for SCCM to update, and try PXE booting again. You can use this report to search SCCM for the MAC address. If the computer was acquired from surplus or another department, contact that department to have them delete the expired computer object.

The other possible issue is that the computer is not getting an IP address. Once the SCCM background shows, you can hit F8 to open a command prompt to verify the machine is getting an IP address. Verify the information in Infoblox. If everything is correct and the computer is not getting an IP address: download the correct network drivers, save them to the deployment share, and submit a ticket with the issue you are having, the make and model of the computer, and the location of the network drivers to activedirectory_imaging@help.ncsu.edu.

My computer joined AD with the wrong name

Verify the computer was prestaged in AD using the correct MAC address. If you are using the UUID, make sure the UUID was added in the proper format. All non-prestaged computers are joined to the domain in the Unassigned OU, and only OU Admins have permissions to log in to those machines. Log in to the machine and check C:\Windows\CCM\Logs\TSVariables-yyyy-MM-dd-HH-mm-ss.log; there should be a variable called OSDComputerName, so check its value. You can rename the computer object and move it to the correct OU. You can start over by moving the misnamed computer object to your OU, waiting for SCCM to update, and deleting the computer object.

We have implemented a new script that checks for prestaged computer objects and warns users when one cannot be found. This should greatly reduce the number of such incidents.
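
The prestage lookup behind the Set OSDComputerName step and the warning described above, sketched as an added example (it is not the script NCSU runs). It assumes prestaged accounts keep the MAC address or UUID in the netbootGUID attribute; the function names and sample identifiers are made up for illustration.

```powershell
# Added example, not the production script. Assumption: prestaged computer
# accounts store the MAC address or UUID in the netbootGUID attribute.
Import-Module ActiveDirectory

function ConvertTo-NetbootGuidBytes {
    param([Parameter(Mandatory)][string]$Identifier)
    $hex = $Identifier -replace '[^0-9A-Fa-f]', ''
    switch ($hex.Length) {
        12 {   # MAC address: 10 zero bytes followed by the 6 MAC bytes
            $bytes = New-Object byte[] 16
            for ($i = 0; $i -lt 6; $i++) {
                $bytes[10 + $i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
            }
            return ,$bytes
        }
        32 {   # UUID: Guid.ToByteArray() stores the first three fields little-endian,
               # so the stored bytes are not the hex string read left to right
            return ,([guid]::Parse($hex).ToByteArray())
        }
        default { throw "Not a MAC address or UUID: '$Identifier'" }
    }
}

function Get-PrestagedComputerName {
    param([Parameter(Mandatory)][string[]]$Identifier)
    foreach ($id in $Identifier) {
        $bytes = ConvertTo-NetbootGuidBytes -Identifier $id
        $found = @(Get-ADComputer -Filter { netbootGUID -eq $bytes })
        if ($found.Count -gt 1) {
            throw "$id matches $($found.Count) computer objects; delete the stale ones first."
        }
        if ($found.Count -eq 1) { return $found[0].Name }
    }
    Write-Warning "No prestaged computer object for: $($Identifier -join ', ')"
    return $null
}

# Constructed sample identifiers; in WinPE they would be read from the hardware.
$name = Get-PrestagedComputerName -Identifier '00:11:22:AA:BB:CC',
                                              '4C4C4544-0042-5910-8053-B4C04F4E4D32'
if ($name) {
    # Microsoft.SMS.TSEnvironment exists only while a Task Sequence is running.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('OSDComputerName') = $name
}
```

Failing on duplicate matches rather than taking the first hit keeps a stale object left over from surplus or another department from silently naming the machine.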

The Task Sequence just errors out and fails during deployment

Upgrade Task Sequence Fails

Verify the computer meets the minimum requirements of 2 GB RAM and 32 GB of free space.

Logs to check

  • C:\Windows\Panther
  • C:\Windows\Panther\NewOS\Panther
    • setupact.log
    • <some message>_APPRAISER_HumanReadable.xml
    • ScanResult.xml
  • C:\$Windows.~BT\Sources\Panther

After an install or upgrade there are drivers missing

Verify drivers for your make and model are available in SCCM

  • In the SCCM console you can look in: \Software Library\Overview\Application Management\Packages\Driver Packages

Some drivers just cannot be installed using the method used during an upgrade or install

  • Installs use dism
  • Upgrades use pnputil