IT Connect
Information technology tools and resources at the UW

Lite Touch Installation: network based OS deployment

 

UW Managed Workstation Windows OS images

For use by Managed Workstation eligible users with Managed Workstation service computers.

Before you start:
  • If you are rebuilding an existing Managed Workstation computer, be sure to send email to help@uw.edu to request the removal of the existing computer name from the domain BEFORE you begin.
  • You must be connected to a wired Ethernet network connection.
  • If you are reusing the computer name, do a complete shut-down of the workstation before you begin the rebuild to prevent any problems.
Recommended system configuration:
  • To enable the best boot support and security features, you should apply the latest firmware for your system provided by the manufacturer. See your manufacturer’s support page for instructions.
  • Use the UEFI boot mode instead of BIOS to enable faster boot times and modern security features. Using UEFI enables several security features that will otherwise be unavailable. Select UEFI or UEFI native, not UEFI hybrid or UEFI+CSM.
  • For Windows 8 and newer, enable Secure Boot to protect your system from certain types of malware called rootkits.
  • Enable the Trusted Platform Module and any TPM options to support BitLocker or other volume encryption.
  • Enable the virtualization options for your computer to support Device Guard, Credential Guard, and Measured Boot.
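
Once Windows is installed, the settings above can be confirmed from an elevated PowerShell prompt. The script below is an added example, not part of the Managed Workstation image or tooling; it assumes Windows 10 with Windows PowerShell 5.1, and Get-FirmwareSecurityReport is a hypothetical helper name. Whether virtualization-based security and Credential Guard are actually running also depends on policy, not only on the firmware options.

```powershell
#Requires -RunAsAdministrator
# Added example: check the settings from "Recommended system configuration".
# Assumes Windows 10 / Windows PowerShell 5.1. The function name is hypothetical.

function Get-FirmwareSecurityReport {
    $info = Get-ComputerInfo -Property BiosFirmwareType, HyperVisorPresent,
        HyperVRequirementVirtualizationFirmwareEnabled

    # Confirm-SecureBootUEFI throws on BIOS/CSM boots, so an error counts as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Get-Tpm needs elevation; TpmPresent is False when no TPM is exposed to the OS.
    $tpm = Get-Tpm

    # The HyperVRequirement* fields are empty once a hypervisor is running, and a
    # running hypervisor already implies virtualization is enabled in firmware.
    $virt = [bool]$info.HyperVisorPresent -or
            [bool]$info.HyperVRequirementVirtualizationFirmwareEnabled

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    # The class is missing on older systems, so a null result reads as "not running".
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Boot mode is UEFI'                     = ($info.BiosFirmwareType -eq 'Uefi')
        'Secure Boot enabled'                   = $secureBoot
        'TPM present'                           = [bool]$tpm.TpmPresent
        'TPM ready for use'                     = [bool]$tpm.TpmReady
        'Virtualization enabled in firmware'    = $virt
        'Virtualization-based security running' = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'Credential Guard running'              = ($dg.SecurityServicesRunning -contains 1)
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; Enabled = $checks[$name] }
    }
}

Get-FirmwareSecurityReport | Format-Table -AutoSize
```

A False on the first four rows points back to the UEFI/BIOS setup screen; a False on the last two with virtualization enabled points to policy rather than firmware.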

 

Step 1: Create a bootable Lite Touch Network Deployment USB drive [1]
Step 2: Boot from your Lite Touch Flash Drive [2]
  • Power off the computer and insert the Lite Touch Network Deployment USB drive.
  • On boot up, force the boot choice menu (usually F12 on Dell and Lenovo, F9 for HP).
  • Select and boot from your USB device.
Step 3: Choose the right OS option from the menu
  • When the Lite Touch menu has loaded, choose “Run the Deployment Wizard to install a new Operating System”
  • Remove the USB drive so it does not interfere during a reboot.
  • Select the Task Sequence that contains the Operating System and image version that you want to deploy.
    • See Task Sequence for image details to choose most appropriate one.
    • Task sequences marked TEST should be used with caution.
  • Computer Details:
    • Leave the Computer Name field set to the computer’s serial number, or change it to a new, unique name with a maximum of 15 characters, using only letters, numbers and the hyphen (-) character.
      NOTE: Do not use an underscore _ in computer names. It is not a valid character for MWS devices.
  • Select Sophos Antivirus install.
Step 4: Start the OS deployment
  • The process begins. The installer takes about 15-40 minutes, depending on computer speed and network conditions. The computer may reboot several times.
  • Do not log in with your credentials or manually reboot until you see the Operating System Deployment (OSD) successful screen or an OSD warning message.
  • The computer will boot into the local Administrator profile
    • If you get an error that the username or password is incorrect, you can continue by changing the username to NebulaAdm and using the Administrator password above.
  • OSD continues to run silently for a few minutes.
Step 5: OS Deployment completion
  • You should get a message that OSD has completed successfully. If you get a yellow warning screen, it is often safe to continue. If you get a pink error screen, the deployment has usually failed in a way that means the build should not be used. In either case, copy down the error(s) and email the information to help@uw.edu.
    • Common Failures that are safe to ignore:
      • Failure: ValidateDeployRootWithRecovery
  • Click Finish
  • You are now logged into the computer with the local administrator account
  • Before restarting, you should add NETID accounts or groups to the ‘Administrators’ group. Use the format NETID\uwnetid when adding accounts. When asked to authenticate, use your NETID\uwnetid credentials.
Step 6: Claim Managed Workstation computer
  • Submit our form to Enable Computer for Managed Workstation Service, or submit a request to help@uw.edu stating that you have computer(s) that need to be assigned to the NetID domain. Include the following information:
    • Computer name
    • Department Name
    • Budget number for monthly billing support
    • Primary User (If known)
    • Managed by Contact
    • Any UW NetIDs that you wish to have assigned to the Administrators group
  • Restart the computer.
Follow-up
Review this checklist before deploying to the end user:
  • Sophos: Sophos AntiVirus should automatically push out from the server and install on your computer within a couple of days. Verify that Sophos is installed: check for the white and blue “S” shield in the System Tray. Right-click the shield and click “Update now”.
    • Windows 10 comes with built-in antivirus software, and it is safe to wait for Sophos to auto-install.
    • Windows 7 does not come with any built-in antivirus. A shortcut to the manual installer for Managed Workstations has been included on the image desktop in case Sophos does not install quickly.
  • Get Programs/Run Advertised Programs/Software Center should populate within 2-24 hours of being claimed by Managed Workstation.
  • Device Manager: open Device Manager and make sure there are no errors or missing drivers.
    • Microsoft Teredo Tunneling Adapter (IPv6 support) is disabled in Windows 7 by Group Policy
    • If the computer is missing drivers, or the build fails for lack of network drivers, contact help@uw.edu and we can help get those drivers imported into the deployment server.
  • Windows Update: click “check on-line for updates from MS Update” to check for driver updates under Optional Updates. (You don’t need the Optional language updates.)
  • For best performance: even though they are listed as installed, you may find that you need to reinstall TPM drivers, touchpad drivers, video drivers, and “hotkey/quick-key” software from the manufacturer (especially true of laptops.)
  • Update BIOS from vendor website when a newer version is available.

 

[1] How to create a bootable device:

  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity and that the boot mode be set to UEFI or UEFI native, not UEFI+CSM or UEFI Hybrid. You may also have to disable Fast Boot or Quick Boot on some systems.
  • Via Disk Management, reformat the flash drive. FAT32 is strongly recommended; NTFS or exFAT may not boot successfully in all UEFI/BIOS configurations.
  • Mark partition ‘active’.
  • Copy all of the Lite-Touch Network Installer boot files from I:cac\nebula\sw\apps\LiteTouchNetwork

If that doesn’t work, completely clean the drive and prepare it for use with the following instructions:

  • Launch a cmd window with Run as Administrator:
    • Windows 7: go to C:\Windows\System32 and locate “cmd.exe”.
    • Right-click “cmd.exe” and select “Run as Administrator”.
    • Windows 10: right-click the Start button and select Command Prompt (Admin).
  • Launch the DiskPart utility by typing “diskpart” at the elevated Administrator command prompt.
  • Run the command “list disk” to check the status of your drive.
  • Run “select disk N”, where “N” is the number of your USB drive.
    • You can most easily tell which is the proper disk by looking at the capacity.
  • Run “clean”. CAUTION: This will erase everything on the disk! Make sure you select the correct disk!
  • Once the thumb drive is clean, run “create partition primary”.
  • Select the new partition: “select partition 1”.
  • Now make the partition active by entering “active”.
  • Assign a drive letter with “assign”.
  • Format the drive as FAT32 by running “format fs=fat32 quick”.
  • Type “exit” to quit.
  • If you are still having problems, locate and use bootsect with the following command: bootsect /nt60 X: (where X is your flash drive letter)

[2] Boot your computer from a USB drive

In order to successfully boot your computer from a USB drive, you may need to ensure the following steps have been taken in the UEFI/BIOS configuration of the computer.  Each manufacturer and UEFI/BIOS can be different.

  • The best boot support will be available when you are using the latest system firmware for your device.
  • Native UEFI mode is preferred over BIOS emulation.
  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity and that the boot mode be set to UEFI or UEFI native, not UEFI+CSM or UEFI Hybrid. You may also have to disable Fast Boot or Quick Boot on some systems.
  • Your USB boot drive should be formatted with the FAT32 file system.
  • Avoid USB 3.0 ports, as the boot support is better for USB 2.0 on many systems.
  • If you have trouble booting from USB, you may instead use the Lite Touch ISO to create a bootable optical disc, then boot from an internal or external DVD drive.
  • Only if necessary, switch back to Legacy or BIOS emulation mode from UEFI mode. This will slow boot times and disable options such as Secure Boot protection, but may be necessary on some older systems without updated firmware support.
  • Remember to enable the TPM and TPM options to enable volume encryption.

 

Potential errors:

Error: Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup
Problem: Trying to install Windows 7 with Secure Boot enabled.
Solution: Disable Secure Boot in UEFI/BIOS

 

Reference material: https://technet.microsoft.com/en-us/library/dn781086.aspx