Sysprep, OEM installs experience and input wanted

[Gordon Fecyk]

I'm looking at starting a promotion to install XP Home OEM on
single-computer customer sites. This promo would bundle some hardware (new
HD, RAM) to satisfy the OEM licensing requirements. I want to speed up the
installation by sysprepping an image.

I guess I'm looking for a sanity check. Please read the steps I plan to do
and tell me about problems.

I've used Sysprep on Windows 2000 and am familiar enough with the tool that
I could achieve this on Win2K. On XP Home I have the following problems:

* Creating a "Default User" profile that will be copied to all new users
created during startup
* Re-scanning for devices (sysprep -pnp I recall from Win2K)
* Of course the dreaded Product Activation
* Advanced security settings - I'd have to set odd security up from Safe
Mode as Administrator
* These will be OEM product keys and the OEM version of XP Home.

Creating a default user profile in Win2K involved creating an Admin account,
setting things the way you wanted and then copying the user's profile to
\Documents and Settings\Default User. Normally that directory is
inaccessible to anyone except the built-in Administrator account so I guess
I could copy the profile in Safe Mode as Administrator. Before I waste a
bunch of time, what snags can I run into doing this?

The -pnp switch in Sysprep 1.2 caused Win2K to rescan for devices on initial
startup. Since the hardware will vary wildly between machines, I want to
use the corresponding switch on Sysprep 2.0. As an added precaution I can
switch all of the drivers to generic versions (ie: chipset drivers, IDE
drivers) and remove nonstandard devices from Device Manager before
sysprepping.

Ahh, Product Activation. I've read KB 299840 already which tells me the
restrictions of using Sysprep on an unactivated installation of XP. This
looks like it's telling me I'm allowed three sysprep runs on one image
before I'd have to rebuild the image from fresh. Am I reading that
correctly, and would rebuilding a fresh image give me another three goes?
Or maybe I should make an image before sysprepping it and use that to reset
my "grace period?" I'm not interested in cheating M$ out of paid licenses,
I just want the opportunity to make changes to the image as I run into
snags. Or can I activate my non-sysprepped image, sysprep it, and be able
to use a new product key and require a new activation?

I want to change some of the default security settings so legacy apps[1]
will run under limited user accounts. For instance I'd want to grant
"Modify" permissions to Users in \Program Files and \windows\temp.
Similarly I want to grant additional permissions on certain Registry keys to
limited users. My experience is Win2K Sysprep respects these changes and
keeps them. What of XP Home Sysprep? I can perform the security changes in
Safe Mode as Administrator.

OEM Product Keys and an OEM image will be used. We'll be using the settings
wizard to copy documents and settings from their old version of Windows. I
want XP Home Setup to prompt for the product key during Setup but not to try
to automatically activate the installation. I want a chance to set up their
Internet connection first and to enable the firewall.

[1] It's sad to think of Jedi Academy from Lucasarts as a "legacy app" since
it was released in September 2003, a year after Windows XP. But since it
stores settings in its install directory without regard for security
settings, that's what it is. And I have to deal with it.

 

[Darrell Gorter[MSFT]]

Hello Gordon,
A couple if thoughts.
1) Do not use the PNP switch. This should only be needed for legacy
hardware like ISAPNP hardware. We find a lot of people using this switch
but never needing it and when they use it they run into problems. So
unless you have legacy hardware on these systems you shouldn't use it.
2) Copying over the Default User Profile. Do not do this. This will cause
problem. This has always been an issue, but with Windows XP and Windows
2003, these issues are more exposed. Folders will get the name of the user
whose prof;e was copied over for one, permissions could be set incorrectly
allowing access to folders by multiple users, some of the initial run-once
when the profile is generated do not occur so individual settings may not
happen, This is just basically a bad idea.
3) Use Factory Mode to get around the 3 sysprep limitation.
4) There are unattended settings for whether to supply the product key or
not. If you do not supply, the user will be prompted for it.
5) Intenet connection and firewall can be set in the via unattended
settings, see the deploy.cab file.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|From: "Gordon Fecyk" <[email protected]>
|Subject: Sysprep, OEM installs experience and input wanted
|Date: Sat, 13 Mar 2004 00:35:24 -0600
|Lines: 69
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <#[email protected]>
|Newsgroups: microsoft.public.windowsxp.setup_deployment
|NNTP-Posting-Host: wnpgmb11dc1-167-71.dynamic.mts.net 142.161.167.71
|Path:
cpmsftngxa06.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
..phx.gbl!tk2msftngp13.phx.gbl
|Xref: cpmsftngxa06.phx.gbl
microsoft.public.windowsxp.setup_deployment:105335
|X-Tomcat-NG: microsoft.public.windowsxp.setup_deployment
|
|I'm looking at starting a promotion to install XP Home OEM on
|single-computer customer sites. This promo would bundle some hardware (new
|HD, RAM) to satisfy the OEM licensing requirements. I want to speed up the
|installation by sysprepping an image.
|
|I guess I'm looking for a sanity check. Please read the steps I plan to do
|and tell me about problems.
|
|I've used Sysprep on Windows 2000 and am familiar enough with the tool that
|I could achieve this on Win2K. On XP Home I have the following problems:
|
|* Creating a "Default User" profile that will be copied to all new users
|created during startup
|* Re-scanning for devices (sysprep -pnp I recall from Win2K)
|* Of course the dreaded Product Activation
|* Advanced security settings - I'd have to set odd security up from Safe
|Mode as Administrator
|* These will be OEM product keys and the OEM version of XP Home.
|
|Creating a default user profile in Win2K involved creating an Admin
account,
|setting things the way you wanted and then copying the user's profile to
|\Documents and Settings\Default User. Normally that directory is
|inaccessible to anyone except the built-in Administrator account so I guess
|I could copy the profile in Safe Mode as Administrator. Before I waste a
|bunch of time, what snags can I run into doing this?
|
|The -pnp switch in Sysprep 1.2 caused Win2K to rescan for devices on
initial
|startup. Since the hardware will vary wildly between machines, I want to
|use the corresponding switch on Sysprep 2.0. As an added precaution I can
|switch all of the drivers to generic versions (ie: chipset drivers, IDE
|drivers) and remove nonstandard devices from Device Manager before
|sysprepping.
|
|Ahh, Product Activation. I've read KB 299840 already which tells me the
|restrictions of using Sysprep on an unactivated installation of XP. This
|looks like it's telling me I'm allowed three sysprep runs on one image
|before I'd have to rebuild the image from fresh. Am I reading that
|correctly, and would rebuilding a fresh image give me another three goes?
|Or maybe I should make an image before sysprepping it and use that to reset
|my "grace period?" I'm not interested in cheating M$ out of paid licenses,
|I just want the opportunity to make changes to the image as I run into
|snags. Or can I activate my non-sysprepped image, sysprep it, and be able
|to use a new product key and require a new activation?
|
|I want to change some of the default security settings so legacy apps[1]
|will run under limited user accounts. For instance I'd want to grant
|"Modify" permissions to Users in \Program Files and \windows\temp.
|Similarly I want to grant additional permissions on certain Registry keys
to
|limited users. My experience is Win2K Sysprep respects these changes and
|keeps them. What of XP Home Sysprep? I can perform the security changes
in
|Safe Mode as Administrator.
|
|OEM Product Keys and an OEM image will be used. We'll be using the
settings
|wizard to copy documents and settings from their old version of Windows. I
|want XP Home Setup to prompt for the product key during Setup but not to
try
|to automatically activate the installation. I want a chance to set up
their
|Internet connection first and to enable the firewall.
|
|[1] It's sad to think of Jedi Academy from Lucasarts as a "legacy app"
since
|it was released in September 2003, a year after Windows XP. But since it
|stores settings in its install directory without regard for security
|settings, that's what it is. And I have to deal with it.
|
|--
|PGP key (0x0AFA039E): <http://www.pan-am.ca/[email protected]>
|What's a PGP Key? See <http://www.pan-am.ca/free.html>
|GOD BLESS AMER, er, THE INTERNET.
<http://vmyths.com/rant.cfm?id=401&page=4>
|
|
|

 

[Gordon Fecyk]

1) Do not use the PNP switch. This should only be needed for legacy

hardware like ISAPNP hardware. We find a lot of people using this switch
but never needing it and when they use it they run into problems. So
unless you have legacy hardware on these systems you shouldn't use it.

I'll be dealing with a lot of legacy hardware and multiple motherboard
chipsets. I'd prefer to have XP redetect all of the hardware. Are there
operational problems or is it just a matter of fixing hardware settings and
drivers after Setup?

I'll also likely have the image use "standard" drivers for as much as
possible, notably the chipset and IDE drivers, so they'll at least boot.
From there I'd want XP to use the "correct" driver for each.

2) Copying over the Default User Profile. Do not do this. This will cause
problem. This has always been an issue, but with Windows XP and Windows
2003, these issues are more exposed. Folders will get the name of the user
whose profie was copied over for one, permissions could be set incorrectly
allowing access to folders by multiple users, some of the initial run-once
when the profile is generated do not occur so individual settings may not
happen, This is just basically a bad idea.

I've had much success sysprepping Win2K with a modified default user
profile. I just have to be careful to avoid anything that personalizes an
application, ie: MS Office. For example, if MS Office 2003's installed and
as long as I don't touch an Office app when building the default profile, it
still personalizes itself per-user.

I've not known file system or Registry security ACLs to be adversely
affected by this. Win2K resets ACLs on newly created profiles. Is this an
XP-specific problem?

I'm only interested in changing some of the defaults for IE6 (like disabling
Install On Demand). I suppose I could edit HKEY_USERS\.DEFAULT directly
instead.

3) Use Factory Mode to get around the 3 sysprep limitation.
Great.

4) There are unattended settings for whether to supply the product key or
not. If you do not supply, the user will be prompted for it.

Just like Win2K, good. Will it also give 30 days to activate the new
installation as per normal?

5) Intenet connection and firewall can be set in the via unattended
settings, see the deploy.cab file.

Only the choice of LAN card won't be consistent and some ISPs use PPPoE
while others use DHCP. I'll read the contents of deploy.cab but I have a
feeling I'll prefer to set up the LAN card manually anyway.

 

[Darrell Gorter[MSFT]]

Hello Gorden,
1) With the PNP switch you will have install failures and setups that take
a very long time to complete.
Detection is done during mini-setup, it's just the older legacy hardware
that may need the switch. We have found that very little hardware needs
the switch if any. You have to install the mass storage drivers, read the
docs to build the list of what you need to install, then be sure to clean
out the ones you do not need.
2) People have always copied the profile over, there are porblems and
there always have been with this procedure starting with Windows 2000.
With Windows XP and Windows 2003 they are more pronouced, You have already
generated the account that you are coping over so the names and other items
are already set. Those profiles will be inconsistent.
4) the 30 days is what the three times resets, which is why you need to use
Factory Mode.
5) you may have to use utilies like netsh.exe to script some of the netcard
settings that may not be available in the unattended file.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|From: "Gordon Fecyk" <[email protected]>
|References: <#[email protected]>
<[email protected]>
|Subject: Re: Sysprep, OEM installs experience and input wanted
|Date: Sun, 14 Mar 2004 11:38:39 -0600
|Lines: 61
|X-Priority: 3
|X-MSMail-Priority: Normal
|X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
|X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
|Message-ID: <ua#[email protected]>
|Newsgroups: microsoft.public.windowsxp.setup_deployment
|NNTP-Posting-Host: wnpgmb11dc1-167-71.dynamic.mts.net 142.161.167.71
|Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
|Xref: cpmsftngxa06.phx.gbl
microsoft.public.windowsxp.setup_deployment:105452
|X-Tomcat-NG: microsoft.public.windowsxp.setup_deployment
|
|> 1) Do not use the PNP switch. This should only be needed for legacy
|> hardware like ISAPNP hardware. We find a lot of people using this switch
|> but never needing it and when they use it they run into problems. So
|> unless you have legacy hardware on these systems you shouldn't use it.
|
|I'll be dealing with a lot of legacy hardware and multiple motherboard
|chipsets. I'd prefer to have XP redetect all of the hardware. Are there
|operational problems or is it just a matter of fixing hardware settings and
|drivers after Setup?
|
|I'll also likely have the image use "standard" drivers for as much as
|possible, notably the chipset and IDE drivers, so they'll at least boot.
|From there I'd want XP to use the "correct" driver for each.
|
|> 2) Copying over the Default User Profile. Do not do this. This will
|cause
|> problem. This has always been an issue, but with Windows XP and Windows
|> 2003, these issues are more exposed. Folders will get the name of the
|user
|> whose profie was copied over for one, permissions could be set
incorrectly
|> allowing access to folders by multiple users, some of the initial
run-once
|> when the profile is generated do not occur so individual settings may not
|> happen, This is just basically a bad idea.
|
|I've had much success sysprepping Win2K with a modified default user
|profile. I just have to be careful to avoid anything that personalizes an
|application, ie: MS Office. For example, if MS Office 2003's installed and
|as long as I don't touch an Office app when building the default profile,
it
|still personalizes itself per-user.
|
|I've not known file system or Registry security ACLs to be adversely
|affected by this. Win2K resets ACLs on newly created profiles. Is this an
|XP-specific problem?
|
|I'm only interested in changing some of the defaults for IE6 (like
disabling
|Install On Demand). I suppose I could edit HKEY_USERS\.DEFAULT directly
|instead.
|
|> 3) Use Factory Mode to get around the 3 sysprep limitation.
|
|Great.
|
|> 4) There are unattended settings for whether to supply the product key or
|> not. If you do not supply, the user will be prompted for it.
|
|Just like Win2K, good. Will it also give 30 days to activate the new
|installation as per normal?
|
|> 5) Intenet connection and firewall can be set in the via unattended
|> settings, see the deploy.cab file.
|
|Only the choice of LAN card won't be consistent and some ISPs use PPPoE
|while others use DHCP. I'll read the contents of deploy.cab but I have a
|feeling I'll prefer to set up the LAN card manually anyway.
|
|--
|PGP key (0x0AFA039E): <http://www.pan-am.ca/[email protected]>
|What's a PGP Key? See <http://www.pan-am.ca/free.html>
|GOD BLESS AMER, er, THE INTERNET.
<http://vmyths.com/rant.cfm?id=401&page=4>
|
|
|

 

[Gordon Fecyk]

4) the 30 days is what the three times resets, which is why you need to
use

Factory Mode.

I'm reading about this in the OPK (which I received from my vendor today).
From what I'm reading, I can use sysprep -factory to test but it doesn't
reset the 30 days or decrement the reseal count. If I want to reset the 30
days and store an image, I want sysprep -reseal.[1]

So, am I breaking any rules by having a "master" base image -reseal'd that I
can go back to any time and have two -reseals left to use? Building this
image took four hours including download time and I don't want to repeat
that. This would give me a starting point I could always retreat to
without getting "stuck" by the Product Activation by mistake.

As for pre-loading drivers for stuff, I've already changed the drivers to
use the "standard" versions for everything (IDE, CPU to PCI bridges, PCI to
ISA bridges, Standard PC HAL, etc). My experience in Win2K is, doing this
lets it boot on anything that uses IDE and then it goes and redetects the
"correct" drivers for all of this (except for the HAL which I can replace on
each target machine). None of the targets are going to use SCSI cards or
drives for running the OS.

Assuming a standard PC, does XP go and replace all these drivers with the
right ones for the hardware it finds by itself, or do I need to do that
myself afterward? Me doing it afterward is acceptable, and on ACPI machines
I'll be swapping the HAL which forces a redetect of everything anyway.[2]

[1] Geez, Win2K was so much easier to deal with - sysprep and image once.
Make changes, re-sysprep and re-image.

[2] Yes, I know I can have it select a HAL during Mini-Setup and such - this
is something I feel more comfortable changing myself though, given there are
BIOSes that will never be updated to the ACPI version that XP requires.

 

[Darrell Gorter[MSFT]]

Hello Gordon,
Nope you ar enot breaking the rules by creating the master image -resealed
that you can go back to anytime. That would be the correct procedure.
Hmm not sure if that works for all IDE drives, you may want to look into:
You may not be able to boot some of those machines if the IDE drivers are
not loaded, you can load all the ide drivers that you are using and then
disable the ones you do not need after the install.
HOW TO: Build a complete SysprepMassStorage section with Sysprep 2.0
WGID:453
ID: 320213.KB.EN-US
Selecting hals during mini-setup is very limited, uni-multi basically.
Changing it after the fact is not supported and there could be any number
of problems. You will not get full functionality and you may not boot,
plus you will have extra hardware information stored in the registry.
309283 HAL Options After Windows XP or Windows Server 2003 Setup
http://kb/article.asp?id=Q309283

If you have different machine types that require different hals, you need
different images.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
| From: "Gordon Fecyk" <[email protected]>
| References: <#[email protected]>
<[email protected]>
<ua#[email protected]>
<[email protected]>
| Subject: Re: Sysprep, OEM installs experience and input wanted
| Date: Wed, 17 Mar 2004 23:26:52 -0600
| Lines: 41
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.windowsxp.setup_deployment
| NNTP-Posting-Host: wnpgmb11dc1-167-71.dynamic.mts.net 142.161.167.71
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa06.phx.gbl
microsoft.public.windowsxp.setup_deployment:105846
| X-Tomcat-NG: microsoft.public.windowsxp.setup_deployment
|
| > 4) the 30 days is what the three times resets, which is why you need to
| use
| > Factory Mode.
|
| I'm reading about this in the OPK (which I received from my vendor today).
| From what I'm reading, I can use sysprep -factory to test but it doesn't
| reset the 30 days or decrement the reseal count. If I want to reset the
30
| days and store an image, I want sysprep -reseal.[1]
|
| So, am I breaking any rules by having a "master" base image -reseal'd
that I
| can go back to any time and have two -reseals left to use? Building this
| image took four hours including download time and I don't want to repeat
| that. This would give me a starting point I could always retreat to
| without getting "stuck" by the Product Activation by mistake.
|
| As for pre-loading drivers for stuff, I've already changed the drivers to
| use the "standard" versions for everything (IDE, CPU to PCI bridges, PCI
to
| ISA bridges, Standard PC HAL, etc). My experience in Win2K is, doing this
| lets it boot on anything that uses IDE and then it goes and redetects the
| "correct" drivers for all of this (except for the HAL which I can replace
on
| each target machine). None of the targets are going to use SCSI cards or
| drives for running the OS.
|
| Assuming a standard PC, does XP go and replace all these drivers with the
| right ones for the hardware it finds by itself, or do I need to do that
| myself afterward? Me doing it afterward is acceptable, and on ACPI
machines
| I'll be swapping the HAL which forces a redetect of everything anyway.[2]
|
| [1] Geez, Win2K was so much easier to deal with - sysprep and image once.
| Make changes, re-sysprep and re-image.
|
| [2] Yes, I know I can have it select a HAL during Mini-Setup and such -
this
| is something I feel more comfortable changing myself though, given there
are
| BIOSes that will never be updated to the ACPI version that XP requires.
|
| --
| PGP key (0x0AFA039E): <http://www.pan-am.ca/[email protected]>
| What's a PGP Key? See <http://www.pan-am.ca/free.html>
| GOD BLESS AMER, er, THE INTERNET.
<http://vmyths.com/rant.cfm?id=401&page=4>
|
|
|