Lite Touch Installation: network based OS deployment

 

Follow the steps in this document to deploy UW Managed Workstation Windows OS images onto your computer over the network.

Intended audience: For use by Managed Workstation eligible users with Managed Workstation service computers.

 

Before you start:
  • If you are rebuilding an existing Managed Workstation computer, be sure to send email to help@uw.edu to request the removal of the existing computer name from the domain BEFORE you begin.
  • You must be connected to a wired Ethernet network connection to use Lite Touch Deployment.
Recommended system configuration:
  • To enable the best boot support and security features, you should apply the latest firmware for your system provided by the manufacturer.  See your manufacturer’s support page for instructions.
  • Use the UEFI boot mode instead of BIOS to enable faster boot times and modern security features.  If your system has the UEFI option, then UEFI is the native mode and BIOS must run in emulation, so it is slower.  Using UEFI enables several security features that will otherwise be unavailable.  Select UEFI or UEFI native, not UEFI hybrid or UEFI+CSM.
  • For Windows 8 and newer, enable Secure Boot to protect your system from certain types of malware called rootkits.  Rootkits have been observed on the UW network.
  • Enable the Trusted Platform Module and any TPM options to support BitLocker or other volume encryption.
  • Enable the virtualization options for your computer to support Device Guard, Credential Guard, and Measured Boot.
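
A quick way to confirm these settings once Windows 10 is running, as an added example that is not part of the UW procedure. The function name Test-RecommendedFirmwareConfig is hypothetical, and the script assumes Windows PowerShell 5.1 in an elevated session:

```powershell
#Requires -RunAsAdministrator
function Test-RecommendedFirmwareConfig {   # hypothetical helper name
    $r = [ordered]@{}

    # Boot mode reported by Windows: 'Uefi' or 'Bios'.
    $r.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Secure Boot state. The cmdlet throws on legacy BIOS / CSM systems,
    # which is treated here as "not enabled".
    try   { $r.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBoot = $false }

    # TPM must be present and ready before BitLocker can use it.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady

    # Device Guard / Credential Guard status from the DeviceGuard WMI class.
    #   AvailableSecurityProperties contains 1  -> hypervisor support available
    #   VirtualizationBasedSecurityStatus       -> 0 off, 1 enabled, 2 running
    #   SecurityServicesRunning contains 1      -> Credential Guard running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.HypervisorSupport = $dg.AvailableSecurityProperties -contains 1
    $r.VbsStatus         = $dg.VirtualizationBasedSecurityStatus
    $r.CredentialGuard   = $dg.SecurityServicesRunning -contains 1

    [pscustomobject]$r
}

$cfg = Test-RecommendedFirmwareConfig
$cfg | Format-List

# Flag the settings that still need attention in UEFI/BIOS setup.
if ($cfg.FirmwareType -ne 'Uefi') { Write-Warning 'System booted in BIOS/CSM mode, not native UEFI.' }
if (-not $cfg.SecureBoot)         { Write-Warning 'Secure Boot is not enabled.' }
if (-not $cfg.TpmReady)           { Write-Warning 'TPM is missing, disabled, or not ready.' }
if (-not $cfg.HypervisorSupport)  { Write-Warning 'Virtualization support is not available to Windows.' }
```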

 

Step 1: Create a bootable Lite Touch Network Deployment Flash drive [1]
Step 2: Boot from your Lite Touch Flash Drive [2]
  • Power down the computer, insert the Lite Touch Network Deployment USB drive.
  • On boot up, force the boot choice menu (usually F12 on Dell and Lenovo, F9 for HP).
  • Select and boot from your USB device.
Step 3: Choose the right OS option from the menu
  • When the Lite Touch menu has loaded, choose “Run the Deployment Wizard to install a new Operating System”
  • At this point you should remove the USB drive, so it does not interfere during a reboot.
  • Select the Task Sequence that contains the Operating System and image version that you want to deploy.
    • Take note of the description below the Task Sequence for image details.
    • WARNING: Task sequences marked TEST are undergoing testing and should be used with caution.
  • Computer Details:
    • The Computer Name field should be pre-populated with the computer’s serial number. You may change this to a new, unique name with a maximum of 15 characters, including letters, numbers and the hyphen (-) character.
      NOTE: Please do not use an underscore _ in computer names; while this is a valid character for Windows, it is not a valid character for MWS devices.
  • Join a Domain:
    • The Domain to join has been pre-populated with: nebula2.washington.edu
    • A special account for domain joining is also pre-populated; you do not need to make any changes.
  • Join a Workgroup
    • If you need to join the computer to a Workgroup for any reason, contact Managed Workstation Support at help@uw.edu for the password.
Step 4: Start the OS deployment
  • The process begins.  The installer takes about 15-40 minutes, depending on computer speed and network conditions.
  • Do not log in with your credentials or manually reboot until you see the Operating System Deployment (OSD) successful screen or an OSD warning message.

Tip: During the install process, the computer may reboot several times. If your BIOS has the USB drive before your hard drive in the boot order, the computer may boot into the USB drive again, instead of the hard drive, and you will get an error message regarding an in-progress deployment. Follow the instructions from the error message to remove the USB drive and reboot. You may also wish to ensure the USB drive is listed below the hard disk in the boot order.

  • After one or more reboots, you may get an unclaimed computer warning; click OK to continue.
  • The computer will boot into the local Administrator profile
    • If you get an error that the username or password is incorrect, you can continue by changing the username to NebulaAdm and using the Administrator password above.
  • OSD continues to run silently for a few minutes.
Step 5: OS Deployment completion
  • You should get a message that OSD has completed successfully. If you get a yellow warning screen, it is often safe to continue.  If you get a pink error screen, the deployment has usually failed and the resulting build should not be used.  In either case, copy down the error(s) and email the information to help@uw.edu
    • Common Failures that are safe to ignore:
      • Failure: ValidateDeployRootWithRecovery
  • Click Finish
  • You are now logged into the computer with the local administrator account
  • Before restarting, you should add NETID accounts or groups to the ‘Administrators’ group.  Use the format NETID\uwnetid when adding accounts.  When asked to authenticate, use your NETID\uwnetid credentials
Step 6: Claim Managed Workstation computer
  • Notify help@uw.edu that you have computer(s) to claim, include the following information:
    • Computer name
    • Department Name
    • Budget number for monthly billing support
    • Primary User (If known)
    • Managed by Contact
    • Any UW NetIDs that you wish to have assigned to the administrators group
  • Restart the computer.
Follow-up
Review this checklist before deploying to the end user:
  • Sophos: Sophos AntiVirus should automatically push out from the server and install on your computer within a couple of days.  Verify that Sophos is installed: check for white and blue “S” shield in the System Tray.  Right-click on shield and click “Update now”.
    • Windows 10 comes with built in antivirus software and it is safe to wait for Sophos to auto-install
    • Windows 7 does not come with any built in antivirus.  A shortcut to the manual installer for Managed Workstations has been included on the image desktop if it does not install quickly
  • Get Programs/Run Advertised Programs/Software Center should populate within 2-24 hours of being claimed by Managed Workstation.
  • Device Manager: open Device Manager and make sure there are no errors or missing drivers.
    • Microsoft Teredo Tunneling Adapter (IPv6 support) is disabled in Windows 7 by Group Policy
    • If the computer is missing drivers, or the build fails for lack of network drivers, contact help@uw.edu and we can help get those drivers imported into the deployment server
  • Windows Update: click “check on-line for updates from MS Update” to check for driver updates under Optional Updates.  (The Optional language updates are not needed.)
  • For best performance: even though they are listed as installed, you may find that you need to reinstall TPM drivers, touchpad drivers, video drivers, and “hotkey/quick-key” software from the manufacturer (especially true of laptops.)
  • Update BIOS from vendor website when a newer version is available.

 

[1] How to create a bootable device:

  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity, the boot mode should be set to UEFI or UEFI native and not UEFI+CSM or UEFI Hybrid, and you may have to disable Fast Boot or Quick Boot on some systems.
  • Via Disk Management, reformat flash drive.  FAT32 strongly recommended, NTFS or exFAT may not boot successfully in all UEFI/BIOS configurations.
  • Mark partition ‘active’.
  • Copy all of the Lite-Touch Network Installer boot files from I:\cac\nebula\sw\apps\LiteTouchNetwork

If that doesn’t work, completely clean the drive and prepare it for use with the following instructions:

  • Launch a cmd window: Run as Administrator
    • Windows 7: go to C:\Windows\System32 and locate “cmd.exe”, then right-click “cmd.exe” and select “Run as Administrator”
    • Windows 10: right-click the Start button and select Command Prompt (Admin)
  • Launch the DiskPart utility by typing “diskpart” at the elevated Administrator command prompt.
  • Run the command: “list disk” to check the status of your drive.
  • Run “select disk N” where “N” is the number of your USB drive.
    • You can most easily tell which is the proper disk by looking at the capacity.
  • Run “clean”.  CAUTION: This will erase everything on the disk!  Make sure you select the correct disk!
  • Once the thumb drive is clean, run “create partition primary”.
  • Select the new partition: “select partition 1”
  • Now make the partition active by entering “active”
  • Assign a drive letter with “assign”
  • Format the drive as FAT32 by running “format fs=fat32 quick”
  • Type “exit” to quit
  • If you are still having problems, locate and use bootsect with the following command: bootsect /nt60 X: (where X is your flash drive letter)
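
The same DiskPart sequence wrapped in a check that the selected disk really is a USB drive before “clean” runs (added example, not part of the UW procedure). The function name New-LiteTouchUsb, the temporary file name, and the 32 GB partition cap are assumptions of this example; it needs Windows 8 or later for Get-Disk:

```powershell
#Requires -RunAsAdministrator
function New-LiteTouchUsb {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][int]$DiskNumber)

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Guard rails for the "clean" step: only a USB-attached, non-system disk.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is attached via $($disk.BusType), not USB; refusing to clean it."
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the running Windows installation; refusing to clean it."
    }
    if ($disk.Size -lt 4e9) {
        Write-Warning 'UEFI USB boot needs a drive of at least 4 gigabytes.'
    }

    # Windows will not format a FAT32 volume larger than 32 GB, so cap the
    # partition on bigger drives (size is in MB). This cap is an addition.
    $create = 'create partition primary'
    if ($disk.Size -gt 32GB) { $create += ' size=32000' }

    $script = @(
        "select disk $DiskNumber"
        'clean'
        $create
        'select partition 1'
        'active'
        'assign'
        'format fs=fat32 quick'
        'exit'
    )
    $target = '{0} ({1:N1} GB)' -f $disk.FriendlyName, ($disk.Size / 1GB)
    if ($PSCmdlet.ShouldProcess($target, 'Erase all data and format as FAT32')) {
        $file = Join-Path $env:TEMP 'litetouch-usb.diskpart.txt'
        $script | Set-Content -Path $file -Encoding ASCII
        diskpart /s $file
        if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
        Remove-Item $file
    }
}

# List the USB-attached disks first, then pass the chosen number.
Get-Disk | Where-Object BusType -eq 'USB' |
    Format-Table Number, FriendlyName, @{n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
# New-LiteTouchUsb -DiskNumber 2   # 2 is a placeholder disk number
```

After the function finishes, copy the Lite-Touch Network Installer boot files to the new drive letter as described above.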

[2] Boot your computer from a USB drive

In order to successfully boot your computer from a USB drive, you may need to ensure the following steps have been taken in the UEFI/BIOS configuration of the computer.  Each manufacturer and UEFI/BIOS can be different.

  • The best boot support will be available when you are using the latest system firmware for your device.
  • Native UEFI mode is preferred over BIOS emulation.
  • UEFI USB boot requires that USB disks have at least 4 gigabytes of capacity, the boot mode should be set to UEFI or UEFI native and not UEFI+CSM or UEFI Hybrid, and you may have to disable Fast Boot or Quick Boot on some systems.
  • Your USB boot drive should be formatted with the FAT32 file system.
  • Avoid USB 3.0 ports, as the boot support is better for USB 2.0 on many systems.
  • If you have trouble booting from USB, you may instead use the Lite touch ISO to create a bootable optical disc, then boot from an internal or external DVD drive.
  • Only if necessary, switch back to Legacy or BIOS emulation mode from UEFI mode.  This will slow boot times and disable options such as Secure Boot protection, but may be necessary on some older systems without updated firmware support.
  • Remember to enable the TPM and TPM options to enable volume encryption.

 

Potential errors:

Error: Secure Boot Violation: Invalid signature detected. Check Secure Boot Policy in Setup
Problem: Trying to install Windows 7 with Secure Boot enabled.
Solution: Disable Secure Boot in UEFI/BIOS

 

Reference material: https://technet.microsoft.com/en-us/library/dn781086.aspx