Consistent Zero-Touch Windows deployment using FastTrack

Today unattended deployment of Windows has matured. With free tools like Microsoft Deployment Tool (MDT) and Windows Deployment Services (WDS), getting to the point where you can deploy an operating system to a workstation uattendedly is easier than ever.

It is a known fact that WDS has two drawbacks: Image management and that is a bare-metal install only. With MDT, you have applications and Out-of-Box drivers, but it's difficult to control, unless you accept that all computers get everything. Add to this that this will be a snapshot of drivers and applications at OS install time and therefore client installs will be different every time you change the configuration. There is no long-term consistency.

This page will show you how to use FastTrack to solve these problems by reducing images with intelligent post-install driver and application deployment and also ensure driver and application consistency between new OS deployments and already deployed machines. In fact, you only need one basic hardware independent image that you never need to touch. If you are using a cloning tool, the same applies. You can use the same recipe and only have one hardware independent golden image with no custom drivers or software at all.

You can also add other post-install customizations, such as your own logic for computer naming.

Operating System Deployment

High-level concept

At a high-level, what you need to do is to set up software deployment with FastTrack. This is not intended for OS deployment, but for general purpose software distribution. Please review this page for instruction on how to set it up. The trick here is to include the current configuration (which includes a list of conditional drivers and applications) in the OS setup process. This ensures that the deployed client is exactly the same as all other computers at any given time.

The advantages of this approach are:
  • We only need a bare-metal install without additional drivers or applications.
  • Minimum number of images needed with either WDS, MDT or a cloning tool (only one image in fact).
  • Consistency between drivers and applications deployed as part of the OS deploy and existing machines.
  • Higher granularity in conditions for installation of drivers and applications (manufacturer, model, geographical location, computer OU, etc).
  • You can control computer naming logic (see advanced example at the bottom)
  • You can avoid having a plain-text domain admin password in your deployment files (see advanced example at the bottom)
In the simplest form, all you need to do is to set up software deployment, include install of the client MSI file (for future updates) and build a one-time installer and execute in the setup process and you're set. This way the client MSI will ensure that future changes hit the machine and the one-time install will ensure that everything is installed, before the user gets the machine. You could opt to not even use the one-time installer and let the client MSI handle everything after the user gets the computer to save install time, but this would not be a good service to the end user. Below are screenshots of the main page and drivers page of software deploy.

General Software Master Control

Software Removal

The details of how to install the MSI and run the EXE is up to you. The rest of this page will layout one possible way of doing this automatically as part of WDS deployment and also an advanced example of embedding advanced scripting into the process to control naming of computers and other customizations. If you have questions or problems setting it up, please contact support at the top menu and we will help you.



WDS version step 1 of 2: Hooking into the deployment process


In this section, we will deploy Windows 7 using WDS (formerly RIS, Remote Installation Services). This section is also valid for other means of distribution, such as using SCCM or sysprep'ed cloning technology. We will simply be using the $OEM$ folder of a Windows install image to for our custom files at the very end of the installation process. This is officially documented here on TechNet.

What we need it basically just to get the 4 files (see further down) into the %WinDir%\Setup\Scripts folder during the installation process, which is done by simply placing the 4 files in the source image under Sources\$OEM$\$$\Setup\Scripts. For example, if you are using SCCM, we would place the 4 files under \\AcmeServer\Images$\Win7x64Pro\sources\$OEM$\$$\Setup\Scripts, if the operating system image is located in \\AcmeServer\Images$\Win7x64Pro:

SCCM unattended install images folder


In this example we will use Windows Deployment Services (WDS) to push the image out. If you are unfamiliar with WDS or unattended Windows 7 deployments, please refer to the documentation from Microsoft on WDS or the Windows 7 Step-by-Step Deployment guide.

We need to get a FastTrack Script executed as part of the installation process. To do this, we will use the Windows feature that looks for a file called SetupComplete.cmd before the final reboot, as explained here. For this we need 4 files. To get them to the client before the installation is complete, we will use WDS' OEM structure to avoid having to modify any image files. If you have already setup unattended Windows 7 installations through WDS, you can simply follow this procedure to get a script executed without modifying your existing images.

Locate your "Images" folder under your WDS remote install folder. We will create a file structure for one of the images and then copy the same files to the other image directories. Create a structure for any one of your image files named: ImageFileNameWithoutExtension\$OEM$\$$\Setup\Scripts:

Win7 unattended install images folder

Under the "Scripts" folder, place these 4 files:
  • A copy of FSH.Exe (copy it from C:\Program Files (x86)\FastTrack Software\FastTrack Scripting Host)
  • A copy of FSH.Lic (copy it from C:\Program Files (x86)\FastTrack Software\FastTrack Scripting Host)
  • A batch file named SetupComplete.cmd (see content below - note that the file must be named SetupComplete.cmd and NOT SetupComplete.bat)
  • A script file named Preinstall.fsh (see example content in next section)
Any content under $OEM$\$$ will be copied by WDS to your clients' Windows directory during the installation process. As Windows setup looks for a file called SetupComplete.cmd, we will need to use that to get our script named Preinstall.fsh to execute. Thus the content of the file will be this:
Content of SetupComplete.cmd
%WINDIR%\Setup\Scripts\FSH.Exe %WINDIR%\Setup\Scripts\Preinstall.FSH
Your final structure will look like this:

Windows 7 automation scripts folder


Copy the directory structure to each of your installation images, each time replacing "ImageFileNameWithoutExtension" in the structure ImageFileNameWithoutExtension\$OEM$\$$\Setup\Scripts by the name of the image file without extension. At the end of the installation, the Preinstall.fsh script will execute before the final reboot. In our example script, we show a splash screen inside the script and the final step of the Windows 7 installation will look like this:

Unattended Windows 7 Installation



WDS version step 2 of 2: Intelligent driver and software installation


Driver and Application consistency

As shown in the previous section, we need to execute a FastTrack script after base OS install to install drivers and applications. There are basically two ways to deploy drivers and applications: We can put all driver and software files in subfolders and write a script (option 3 below). Or we can use the software deployment feature that was explained under the "High-level Concept" at the top. The only real benefit of the script approach is to contain all files within the process, in case some of the drivers are required to get network connectivity. In such case, a hybrid of the two could also be used, where option 3 is used to install basic network drivers and then let software deploy handle the rest.

At the top, we talked about consistency. This the main reason why the first option is best, is because we use the same drivers and software library for OS installation and general updates on clients. It's simply the same script that is used after OS installation that is also used for recurring updates on clients. This means that if you add or replace a driver in software deployment, it will both be updated on running machines AND be used in fresh OS installs, ensuring complete consistency on all machines.

Option 1 - install Software Deployment client and defer installs (quickest finish time)

The first two options take the approach of using the FastTrack Software Deployment wizard. Please review this page carefully to fully understand the concept. Basically, what you do is that you build an MSI file that must be installed on clients, which is in charge of installing drivers and software. You then simply use point'n'click to configure drivers and software without writing any code. This is what the driver part looks like:

Software Removal

The Software Deploy part must be set up first. If you deploy the client through group policies, you do not have do anything further, because the client (ftclient.msi) will automatically get deployed, once the machine restarts.

If you do not deploy the client through group policy, you can manually install it using the prelogon.fsh script. Copy the ftclient.msi file to the $oem$ folder (same folder as preinstall.fsh) and now we simply need to install this MSI file in our preinstall.fsh script and nothing else. All that happens is that we install the FastTrack software deployment client and we are done. When the computer is started first time after OS deployment, the client will start to install drivers and software. This approach has no extra waiting time for the IT guy, but it's a leap of faith that everything will be in order, once the user boots the computer for the first time and the software deployments kicks in to install drivers and application.
Preinstall.fsh Script

InstallMSI ftclient.msi


Option 2 - install Software Deployment client and install once (recommended)

Now, the ideal solution would be to get the software deployment configuration (drivers and software) executed once, to avoid the scripting approach. We can do this by building a "One-Time Installer" exe file and put it in the $oem$ directory along with the ftclient.msi file. You build the exe file on the general tab in software deployment:

General Software Master Control

Let's assume the exe file was saved as OneTimeInstaller.exe and put in the same directory ($oem$) as the preinstall.fsh script file. To successfully execute the whole configuration of software and drivers, the tricky part is that at this stage, the machine is not yet joint to the domain and therefore we need to establish credentials before executing the exe file. A complete script would look like below, where you have to replace the domain admin username and password (instead of the EncryptPassword function, you can encode a password in the Script Editor by pressing F8). A splash screen is set in first line, so we can see that there is some wait time at this stage, as shown in the screenshot in the previous section. Observe that we should still include the ftclient.msi file, because although it will have no effect right away (because the OneTimeInstaller.exe did the job), we would still want the client installed to handle future changes. Note that if you deploy the client through group policies, you should not include the last InstallMSI line, because the client will be installed after reboot.
Preinstall.fsh Script

Splash Configuring client,Please wait...

ImpersonateUser acme\installuser,[EncryptPassword theinstallpassword]

Run OneTimeInstaller.exe

InstallMSI ftclient.msi


Option 3 - nuts'n'bolts - a FastTrack script

You could also opt to put all the driver files and software in the $oem$ folder and write a script. This is reasonably simple, but requires you to understand the scripting language and write a script in the Script Editor. You can avoid using software deploy this way, but if you still use Software Deployment, you would still want to install the ftclient.msi as part of this script.

The below is a basic example, but it's a template for all you need. The first line will install a video driver, if the manufacturer of the hardware is "Lenovo". The second line combines to conditions; the machine must be an XPS 15 model manufactured by Dell. The third line will install Office 365 on all machines and forth line will install Adobe Reader. And this script can be expanded with as many lines as needed using these four types of lines.
Preinstall.fsh Script

Splash Configuring client,Please wait...

 

If ManufacturerIs Lenovo Then InstallDriver Lenovo\Video\Oemsetup.inf

If ManufacturerIs Dell And ModelIs Dell XPS 15 Then InstallDriver Dell\Video\Oemsetup.inf

 

InstallProgram Microsoft Office 365 Pro,16.0.7571.1326,Software\office\setup.exe,/configure configuration.xml

InstallMSI Software\Adobe\Reader.MSI




Advanced scripting - example script to rename computer (and more)


The rest of the page is not necessary to read - unless you have advanced needs for customization

The example script in this section does an array or customizations to demonstrate the power of using the scripting language for advanced customization. You can pick snippets of it to for example control computer naming. You would want to merge this script with the above driver and software deployment script.

Stripped of comments, the example script presented further down is only 30 script lines and will basically do the following:
  • Gives you control over client naming. The example script will use sequential names and formatting to your preference
  • Automatically re-use computer names by looking at the mac address when re-installing clients
  • Join the domain without having plain text passwords in answers files or opening up unsecure domain joins
  • Optionally put clients in a different organizational unit to avoid the manual step of prestaging computers
  • Create an extra local admin account for offline servicing, to protect the built in administrator password
  • Put an Active Directory group into the local administrators group, in the example a group called Help DeskUsers
  • Install additional files and settings from a single repository, to avoid having a copy for every install image
  • Create a local folder for local sharing and give all users full control over the folder
In this example script, we will take over the process of joining the domain and your Windows answer files must be stripped of domain join information. The password used in the example script to join the domain is encrypted, which removes the need for an easy-to-retrieve plain text admin password in Windows answer files, opening up unsecure domain joins or using manual prestaging.

Example script (Preinstall.fsh)

In the previous section we talked about how to get a script to execute before the final reboot and in this section, we will present an example script. The script is directly available in the script editor: Go to the "Documentation" tab, select "Windows 7 Deployment Script" under the "Insert Example Script" submenu. The script is explained in detail in the next section.

To construct and test a script of this type, it is not necessary to run a full Windows installation for every test iteration. Just execute it on a computer that is not in the domain. To test again, unjoin the domain and repeat this procedure until the script is finalized.

The script is an example, any undesired functionality can be removed and your own additional custom scripting can be inserted. The first 7 script lines in the example must be modified with your custom information:
  • Credentials for the executing domain admin user
  • UNC path to a share that contains client files (the script will create two files in the root first time executed)
  • Credentials of the additional local administrator account created
  • The name of an Active Directory group that will be put into the local administrators group
Both passwords must be encrypted in the script editor by selecting "Encrypt Password" in the "Tools" menu. For further details, look at the next section for the details in the example script.

Do NOT run the script on your own computer. Unless the script fails to connect the share, it will rename the executing computer.
Example Preinstall.fsh Script

'' STATICS

Set DomainName = Acme

Set DomainAdminUser = Administrator

Set DomainAdminPassword = lqlfPSO39yhTWQgofzBLWg==

Set DistSharePath = \\AcmeInst\reminst

Set ExtraLocalAdminUser = LocalServiceOperator

Set ExtraLocalAdminPassword = yESegDH6a2UK2GSrUkRBXA==

Set GroupToAddToAdminsGroup = Help DeskUsers

 

'' SHOW THAT WE ARE NOW IN THE FSH PART: DISPLAY A SPLASH SCREEN

Splash Configuring client,Please wait...

 

'' FORCE OBTAINING AN IP ADDRESS FROM DHCP. THE NIC(S) MAY NOT HAVE AN IP ADDRESS AT THIS POINT

RenewIP

 

'' CONNECT THE DISTRIBUTION SHARE AS W:

ConnectShare W:,[Var DistSharePath],[Var DomainName]\[Var DomainAdminUser],[Var DomainAdminPassword]

 

'' GET MAC ADDRESS AND REMOVE COLON (COLON CANNOT BE USED AS XML KEY)

Set MacAddress = [Replace [MacAddress],":",""]

 

'' CHECK IF THIS IS A RE-INSTALLATION. LOOK IN A FILE CALLED CLIENTS.XML IN THE DISTRIBUTION SHARE ROOT FOR A

'' NODE CALLED <MAC_xxxxxxxxxxxx> UNDER <CLIENTS>, WHERE X'S IS THE MAC ADDRESS OF THE FASTEST NETWORK ADAPTER

Set ComputerName = [XMLValue W:\Clients.XML,Clients/MAC_[Var MacAddress]]

 

'' IF THE XML LOOKUP DID NOT RETURN A PREVIOUS COMPUTER NAME, THE VARIABLE IS EMPTY AND IT'S NOT A RE-INSTALL

If VarIsEmpty ComputerName Then

 

  '' NEW MACHINE: GET THE SEQUENCE COUNTER FROM A FILE IN THE ROOT OF THE DISTRIBUTION SHARE CALLED CLIENTSEQUENCE.XML.

  '' IT CONTAINS <CURRENTCOUNT>X</CURRENTCOUNT> WHERE X IS THE CURRENT COUNTER. IF THE FILE DOES NOT EXIST, DEFAULT IS 1

  Set Counter = [XMLValue W:\ClientSequence.XML,CurrentCount,1]

 

  '' GENERATE A NEW COMPUTER NAME IN THE FORMAT "ACMExxxx" BY PADDING THE COUNTER TO 4 DIGITS AND PREFIX WITH "ACME"

  Set ComputerName = ACME[PadLeft [Var Counter],0,4]

 

  '' ADD 1 TO THE SEQUENCE COUNTER FOR THE NEXT INSTALLING COMPUTER

  IncVar Counter

 

  '' WRITE THE NEW COUNTER TO THE CLIENTSEQUENCE.XML FILE. IF THE FILE DOES NOT EXIST, IT WILL BE CREATED

  WriteXMLValue W:\ClientSequence.XML,CurrentCount,[Var Counter]

 

  '' SAVE MAC AND NEW NAME TO THE CLIENTS.XML FILE FOR FUTURE RE-INSTALLATIONS. THE FILE IS CREATED, IF IT DOES NOT EXIST

  WriteXMLValue W:\Clients.XML,Clients/MAC_[Var MacAddress],[Var ComputerName]

End If

 

'' RENAME THE COMPUTER NAME AND JOIN THE DOMAIN.

'' USE JoinDomainAndOU COMMAND TO PLACE THE COMPUTER IN A SPECIFIC OU

SetComputerName [Var ComputerName]

JoinDomain [Var DomainName],[Var DomainAdminUser],[Var DomainAdminPassword]

 

'' THE DOMAIN HAS JUST BEEN JOINED AND THE EXECUTING USER HAS NO ACCESS TO DOMAIN OBJECTS. TO

'' PUT DOMAIN USERS INTO LOCAL GROUPS AT THIS POINT, WE HAVE TO IMPERSONATE A DOMAIN USER

ImpersonateUser [Var DomainName]\[Var DomainAdminUser],[Var DomainAdminPassword]

 

'' ADD A DOMAIN GROUP TO THE LOCAL ADMINISTRATORS GROUP, FOR INSTANCE A GROUP OF HELP DESK USERS

AddGroupToLocalGroup [Var GroupToAddToAdminsGroup],[LocalAdminsGroup]

 

'' CREATE A LOCAL WRITABLE FOLDER IN CASE LOCAL USERS NEED TO SHARE DATA

MakeDir C:\AcmeShared

SetDirPermissions C:\AcmeShared,Everyone:Full Control

 

'' CREATE A CUSTOM LOCAL ADMINISTRATOR SERVICE ACCOUNT FOR OFFLINE SERVICING

CreateLocalUser [Var ExtraLocalAdminUser],[Var ExtraLocalAdminPassword]

AddLocalUserToLocalGroup [Var ExtraLocalAdminUser],[LocalAdminsGroup]

 

'' COPY CUSTOM CLIENT FILES AND DIRECTORY STRUCTURE FROM A FOLDER NAMED "CLIENTFILES" IN THE ROOT OF THE DISTRIBUTION SHARE

CopyDir W:\ClientFiles,C:\

 

'' LOG EVENT FOR TRACEABILITY

LogEvent OS Installation,Computer successfully joined domain [Var DomainName] as [Var ComputerName]

 

'' INSTALL FSH INTO PROGRAM FILES AND ASSOCIATE THE .FSH EXTENSION TO THE ENGINE

SelfInstall

 

'' REBOOT, INSTALLATION IS NOW COMPLETE

RebootForced

The script explained

The script will connect a network share called W: with the supplied credentials. This share can be any share on the network and must contain a folder named "ClientFiles", which contains files that will be copied to all clients. Furthermore, the first time the script is executed, two xml files will be created in the root, to keep track of client naming and for re-using computer names, when re-installing clients. There are no special requirements for this share. Just create a folder on a server, share it and place a "ClientFiles" directory in it. We will refer to this share as the distribution share from here on.

Computer naming

In the root of the distribution share, an xml file will be created the first time the script is executed and it contains a sequence counter that can be changed at any time. The name Acme, number of decimals, and other computer name formatting can be edited in the script itself.

If the computer must be placed in a specific organizational unit, simply use the JoinDomainAndOU instead of JoinDomain in the script. If there are multiple naming formats or multiple OU's to place computers in, you can create multiple copies of your install images with different Preinstall.fsh files. Alternatively, a menu could be shown, asking for a list of choices to feed to SetComputerName and JoinDomainAndOU. This would however break the idea of a completely unattended installation.

If you already have computers and want to start with a higher sequence count, simply create a ClientSequence.XML file in the root of the distribution share with a default content, as shown below, assuming first computer should be 400 in the sequence.
<CurrentCount>400</CurrentCount>

Re-using computer names

Each time a new computer name is created, the mac address and the computer name is stored in a file called Clients.XML in the root of the distribution share. The purpose of this file is for the script to detect when a computer is re-installed, to avoid having obsolete accounts in the domain. After installing the first client, the file would look like this (with a different MAC address):
<Clients>
   <MAC_00155D010136>ACME0001</MAC_00155D010136>
</Clients>
When the script is executed, the script looks in the file for a node called MAC_xxxxxxxxxxxx where the x's is the mac address of the fastest network adapter in the computer. If a value is returned (Acme0001 in the case the mac address is 00155D010136), this name is used and a new name is not created.

Putting an additional group into the local administrators group

The intention with this operation is to give a certain group, which is not a member of domain admins, local administrator permissions. This could typically be Help Desk users that need to service the computer.

The executing user is not a domain user, thus credentials to the domain must be established to get access to domain objects, in this case an Active Directory group. To establish credentials, the domain admin user is impersonated with the ImpersonateUser command. The next command, AddGroupToLocalGroup, will put a group into the local administrators group using the impersonated credentials.

Additional administrator account

An additional administrator account is created. The purpose of this is to avoid having to give the local administrator password to service operators, in case the computer needs to be serviced offline.

Local writable folder

A folder called C:\AcmeShared is created and any user will get full control over the folder. The purpose is to let users share files locally that are not needed to be backed up and take up network storage.

SelfInstall

The SelfInstall command will copy the executing engine (from %WinDir%\Setup\Scripts) and the license file to "FastTrack Software\FastTrack Scripting Host" under the Program Files directory and associate the .fsh extension to the exe file. This will allow execution of .fsh files on the computer without specifying where the exe file is located.

If you are using FastTrack Logon for logon scripts: It is important to understand that when using FastTrack Logon, it will copy its own copy of the engine to the user's profile, execute the login script with this copy and make a user association to .fsh files to this copy. If the user then executes an .fsh file, it will be this copy that is executing the script. If the system, a local user or a user that does not use FastTrack login executes a script, it will be the copy installed under Program Files. This is because a user file association superseds a system file association. And the reason why this is important to know, is that if at some point in the future a newer version is used for login scripts, this will not be a problem because FastTrack Logon's copy will supersed a system installed copy of the engine.

Copying of additional files

On the administrative share, any files under a folder named "ClientFiles" will be copied to the same locations on the client. If there for instance is a folder named Program Files\Acme, this will be placed in the same structure on the client.

This can also be accomplished by putting these files inside install images, but usually this means there are multiple copies of the same client files, increasing maintenance time and the chance of inconsistency.

Typically there would be further scripted manipulation related to your additional files, like creating shortcuts in the default user's profile, setting registry values related to the files, etc. These things can easily be inserted after the copying. Also, if you have scripted your installations, these could also be included with simple include commands. See unattended installation for more details on scripted installations.

SkyBox

One last note is relation to unattended installations of Windows. If you don't have a management system, you don't know what is installed on which computers, who has what computer or what hardware is in which computer.
Inventory
FastTrack comes with a cloud-based inventory system that has no setup steps and is free for licensed customers. You can just include this one simple command in your unattended script to upload inventory information:

UploadInventory

With this one command, you will have full hardware and software inventory of your computers. It is a good idea to include this same command in your regular logon script also, as the upload will then include information about who logged on to the computer the last time.

SkyBox has no additional cost; it just requires your clients to be licensed and within maintenance period. Refer to this page for more information on SkyBox.


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or SCCM, then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. the Script Editor offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German