Introduction to Windows 8 Administration
- 9/15/2012
Deploying Windows 8
With Windows 8, you can deploy custom builds to computers through manual and automated processes. To deploy Windows using manual processes, you need to create the required boot and installation images and optionally create recovery images. To automate the deployment process, you need to install Windows Deployment Services. Whether you use a completely manual process, a completely automated process, or some combination of the two, you’ll perform similar administrative tasks. These tasks require you to understand and use the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8 and Windows Deployment Services.
The Windows Assessment and Deployment Kit for Windows 8 is available from the Microsoft Download Center (download.microsoft.com) and contains the tools for deploying Windows images, including:
- Application Compatibility Toolkit (ACT)
- The standard deployment and imaging tools
- User State Migration Tool (USMT)
- Volume Activation Management Tool (VAMT)
- Windows Assessment Services
- Windows Assessment Toolkit
- Windows Performance Toolkit (WPT)
- Windows Preinstallation Environment (Windows PE)
You can use Windows Deployment Services to deploy Windows 8 over a network. You can add the Windows Deployment Services role to any server running Windows Server 2012.
Windows 8 and Windows Server 2012 use Windows PE 4.0. Windows PE 4.0 is a bootable startup environment that provides operating system features for the following:
- Installation: When you install Windows 8, the graphical tools that collect system information during the setup phase are running within Windows PE.
- Deployment: When a new computer performs a network boot, the built-in Preboot Execution Environment (PXE) client can connect to a Windows Deployment Services server, download a Windows PE image across the network, and then run deployment scripts within this environment.
- Recovery: Windows PE enables you to access and run the Startup Repair tool if Windows 8 fails to start because of a corrupted system file.
- Troubleshooting: You can manually start Windows PE to perform troubleshooting or diagnostics testing if Windows 8 is experiencing problems that can’t otherwise be diagnosed.
Windows PE is modular and extensible, and it provides full access to partitions formatted using the FAT or NTFS file system. Because Windows PE is built from a subset of Windows components, you can run many Windows applications, work with hardware devices, and communicate across IP networks. Several command-line tools are available in Windows PE, including:
- BCDBoot: A tool that initializes the boot configuration data (BCD) store and allows you to copy boot environment files to the system partition.
- Bootsect: A tool for creating and working with boot sectors on hard disks and flash drives.
- Copype: A tool for creating a directory structure for Windows PE files and then copying the Windows PE media files. Running this tool is a prerequisite for creating bootable Windows PE media.
- DiskPart: A tool for creating and working with disks, partitions, and volumes.
- DISM: An advanced tool for servicing and maintaining images.
- Drvload: A support tool for adding device drivers and dynamically loading a driver after Windows PE has started.
- ImageX: A tool for capturing and applying Windows images.
- Lpksetup: A tool for adding and removing a language pack.
- Makewinpemedia: A tool for creating bootable Windows PE media.
- Net: A set of support commands that enables you to manage local users, start and stop services, and connect to shared folders.
- Netcfg: A tool that configures network access.
- Oscdimg: A tool for creating CD and DVD ISO image files.
- Wpeinit: A tool that initializes Windows PE every time it boots.
Copype and Makewinpemedia are new tools that allow you to more easily create bootable Windows PE media. You use Copype to set up the Windows PE build environment. After you optimize the build as necessary, you can use Makewinpemedia to create the bootable media, which can be a CD, DVD, USB flash drive, or external USB hard drive.
Using DISM
Deployment Image Servicing and Management (DISM) is one of the most important deployment tools. DISM is included with Windows 8 Pro and Windows 8 Enterprise.
Using DISM, you can manage online and offline images of the Windows operating system, including images for deployment and those for virtual machines. Windows Image (.wim) files are used to deploy Windows 8. Virtual hard disk (.vhd) files are used with virtual machines. The same commands work on WIM and VHD files.
You can use DISM to:
- Add and remove packages. Packages can include language packs, patches, utilities, and so on.
- Enable and disable Windows features.
- Add and remove third-party device drivers.
You can run DISM at an elevated administrator command prompt by following these steps:
1. On the Apps screen, Command Prompt is listed under the Windows System category. Or, if you are working with Start, type cmd.
2. Press and hold or right-click the Command Prompt shortcut on the Apps screen, and then tap or click Run As Administrator.
3. If you see the User Account Control prompt, proceed as you normally would to allow the application to run with administrator privileges.
4. In the Command Prompt window, enter dism /? to view available options for DISM.
5. To view commands available for working with online images, enter dism /online /?.
Although DISM is designed to work primarily with offline images and images you’ve mounted, you can use some DISM commands to get important information about the live operating system running on a computer. Table 1-1 provides an overview of DISM Online subcommands you can use with live operating systems. For example, if you want to display a list of Windows editions to which a computer can be upgraded, you can enter the following command:
dism /online /get-targeteditions
Table 1-1. DISM Online Commands for Live Operating Systems
SUBCOMMAND | DESCRIPTION
/Disable-Feature /featurename:FeatureName | Disables a specified feature. Feature names are case sensitive.
/Enable-Feature /featurename:FeatureName | Enables a specified feature. Feature names are case sensitive.
/Get-CurrentEdition | Displays the currently installed edition of Windows.
/Get-DriverInfo /driver:DriverName.inf | Displays information about a specified third-party driver that is installed in the driver store. Driver names are not case sensitive.
/Get-Drivers | Displays information about all third-party drivers that are installed in the driver store.
/Get-FeatureInfo /featurename:FeatureName | Displays information about a specified feature. Feature names are case sensitive.
/Get-Features | Displays information about Windows features that are installed.
/Get-Intl | Displays information about the default system user interface language, system locale, default time zone, keyboard language, and installed languages.
/Get-PackageInfo /packagename:PackageName | Displays information about a specified package. Package names are case sensitive.
/Get-Packages | Displays information about Windows packages that are installed.
/Get-TargetEditions | Lists the Windows editions that the operating system can be upgraded to.
Understanding Windows Imaging
When you update Windows 8 by adding or removing features, applying hotfixes, or installing service packs, you are simply modifying the set of modules available. And because these modules are independent, you can make these changes without affecting the system as a whole. Because language packs are separate modules as well, you can easily implement different language configurations without needing separate installations for each language.
Microsoft distributes Windows 8 on media with WIM disk images. WIM uses compression and single-instance storage to dramatically reduce the size of image files. Compression reduces the size of the image in much the same way that zip compression reduces the size of files. Using single-instance storage reduces the size of the image because only one physical copy of a file is stored for each instance of that file in the disk image. Because WIM is hardware independent, Microsoft can ship one binary for 32-bit architectures and one binary for 64-bit architectures. A separate binary is available for Windows 8 RT.
Windows 8 can be installed through either automated or interactive setup. You can automate the installation of Windows 8 in several ways. You can:
- Create an unattended installation answer file: Windows 8 uses a standards-based single-format answer file. This file, called Unattend.xml, is written in XML, making it easier to process using standard tools. By creating a custom answer file and then running Setup using this answer file, you can perform unattended installations of Windows 8. The Setup program can then install the operating system from a distribution share or from media.
- Use Sysprep image-based installation: Requires running the System Preparation command-line tool (Sysprep.exe) on a computer that you want to use as the master deployment computer, and then creating a disk image of this computer’s configuration. Sysprep is stored in the %SystemRoot%\System32\Sysprep folder. The Windows Automated Installation Kit (Windows AIK) includes Windows System Image Manager and ImageX to help you use Sysprep for deployments. You use Windows System Image Manager to create answer files for unattended installations. You use ImageX to create and manage disk images.
By using WIM as its disk-imaging format and taking advantage of the modular design of Windows 8, ImageX significantly reduces the number of disk images that must be maintained. You don’t need to maintain multiple hardware-dependent disk images or multiple language-dependent disk images. Instead, you typically need only a single disk image for each chip architecture used in your organization. You can then use different installation scripts to customize the operating system installation as necessary.
WIM has other advantages over earlier disk image formats as well. WIM enables you to modify and maintain disk images offline, which means you can add or remove optional components and drivers or perform updates without having to create a new disk image. To do this, you mount the disk image as a folder and then use File Explorer or other tools to update, manage, or remove files as necessary.
Windows System Image Manager, ImageX, and Sysprep provide several different ways to automate deployment. Here are the basic steps:
1. Set up and configure Windows 8 on a computer not being used for normal operations, and then install and configure any necessary components and applications.
2. Run Sysprep to prepare the computer for capture. Sysprep removes unique identifiers from the computer and designates it as a master deployment computer. At the end of this process, the computer no longer has identifying information that allows it to be logged on to and used within a domain or workgroup.
3. Use the ImageX /Capture option to capture the disk image and store this image on media or in a distribution share. The image can be maintained offline by using the ImageX /Mountrw option to mount the image in read/write mode so that you can make any necessary changes. Use the ImageX /Unmount command to unmount the image when you are finished making changes.
   You also can mount images using DISM /Mount-WIM and unmount images using DISM /Unmount-WIM. DISM provides functionality for manipulating images. You can set product keys, perform upgrades, add or remove drivers, set language and locale information, add or remove packages and features, and clean up images.
4. Use Windows System Image Manager to create your unattended installation answer files. You can then create deployment scripts that configure the computer, run Setup using the answer file, and apply the disk image you’ve previously created.
5. Run your deployment script to configure the computer and install the operating system.
Managing Access and Prestaging Computers
You can manage images using DISM. To prevent unauthorized users from installing images, you can:
- Prestage computers and allow only known computers to be deployed.
- Modify the security settings of image files so that only appropriate personnel can access them.
- Enable administrator approval for client installation.
Prestaging Computers
Prestaging computers involves creating computer accounts in Active Directory prior to their use. By prestaging a computer, you control exactly which clients and servers can communicate with each other. Before you prestage computers, you should be sure that Windows Deployment Services is configured to accept requests only from known computers. To do this, follow these steps:
1. In the Windows Deployment Services console, expand the Servers node. Press and hold or right-click the server you want to work with, and then select Properties.
2. On the PXE Response Settings tab, tap or click Respond Only To Known Client Computers, and then tap or click OK.
To prestage a computer, you need to know the computer’s globally unique identifier (GUID). A computer’s GUID comes from the active network adapter on the computer and must be entered in the format {dddddddd-dddd-dddd-dddd-dddddddddddd}, where d is a hexadecimal digit, such as {AEFED345-BC13-22CD-ABCD-11BB11342112}.
You can obtain the required identifier in several ways. In some cases, manufacturers print a label with the GUID and attach the label to the computer. However, don’t forget that the GUID is valid only for the network adapter that shipped with the computer. If you replace the adapter, the new adapter will have a new GUID.
To obtain the GUID for the installed network adapter, you can check the computer’s firmware. If a remote computer is started, you can enter the following command at a Windows PowerShell prompt:
get-wmiobject win32_networkadapter | format-list guid
Write down or copy the GUID associated with the network adapter connected to the local area network.
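The command above prints a GUID line for every adapter, including virtual and disconnected ones. The following added example (not part of the original text) narrows the output to connected physical adapters and checks each GUID against the brace-delimited format described earlier. The function names and the WMI filter are assumptions made for this illustration.

```powershell
# Added example: collect prestaging GUIDs from connected physical adapters only.
# Assumptions, not from the original text: the function names and the filter.
function Test-PrestageGuid {
    param([string]$Guid)
    # Braces around 8-4-4-4-12 hexadecimal digits, the format required above.
    $Guid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

function Get-PrestageGuid {
    param([string]$ComputerName = '.')

    # NetConnectionStatus 2 means "Connected". Virtual and disconnected
    # adapters are skipped so the wrong GUID is not copied by mistake.
    $filter = 'PhysicalAdapter = TRUE AND NetConnectionStatus = 2'
    $adapters = @(Get-WmiObject -Class Win32_NetworkAdapter `
            -ComputerName $ComputerName -Filter $filter)

    if ($adapters.Count -gt 1) {
        Write-Warning ("{0} connected adapters found; use the one on the deployment LAN." -f $adapters.Count)
    }

    foreach ($adapter in $adapters) {
        [pscustomobject]@{
            Computer    = $adapter.SystemName
            Adapter     = $adapter.Name
            MACAddress  = $adapter.MACAddress
            GUID        = $adapter.GUID
            ValidFormat = Test-PrestageGuid $adapter.GUID
        }
    }
}

# Local computer; pass -ComputerName for a remote computer that is started.
Get-PrestageGuid | Format-List

# Constructed checks: the sample value from the text, then the same value
# with the braces left off.
Test-PrestageGuid '{AEFED345-BC13-22CD-ABCD-11BB11342112}'
Test-PrestageGuid 'AEFED345-BC13-22CD-ABCD-11BB11342112'
```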
To prestage computers, follow these steps:
1. In Active Directory Users And Computers, press and hold or right-click the OU or container where the computer will be staged, tap or click New, and then tap or click Computer.
2. Type a name for the computer, and then tap or click Next. Alternatively, tap or click Change to choose the user or group with permission to join this computer to the domain, and then tap or click Next.
3. On the Managed page, select This Is A Managed Computer, type the computer’s GUID, and then tap or click Next. The GUID can be found in the system firmware or it might be posted on the computer case.
4. On the Host Server page, choose the Windows Deployment Services server that will service this client. Tap or click Next, and then tap or click Finish.
Modifying Image File Security
To modify the security settings on an image file, open File Explorer. Press and hold or right-click the image file, and then click Properties. In the Properties dialog box, use the options on the Security tab to configure the security settings you want to use. Alternatively, you can configure security settings on the Image Group folder in which the image file is stored. These settings will then be inherited by the images in the Image Group folder.
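To confirm the result of this step, the following added example (not part of the original text) lists every allow entry on an Image Group folder and its image files that grants access to a broad built-in group. The folder path and the set of groups treated as too broad are assumptions; adjust both for your server.

```powershell
# Added example: audit NTFS permissions on install images in an Image Group folder.
# Assumptions, not from the original text: the folder path below and the list
# of well-known groups treated as too broad to hold access to install images.
$ImageGroupPath = 'D:\RemoteInstall\Images\Win8Clients'   # hypothetical path

# Well-known SIDs are used instead of names so the check works in any UI language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadImageAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [hashtable]$Sids = $BroadSids
    )

    # The folder itself is included because images inherit its entries.
    $targets = @(Get-Item -LiteralPath $Path)
    $targets += @(Get-ChildItem -LiteralPath $Path -Recurse |
            Where-Object { -not $_.PSIsContainer -and (@('.wim', '.vhd') -contains $_.Extension) })

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $Sids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $Sids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadImageAccess -Path $ImageGroupPath)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    "No allow entries for broad groups under $ImageGroupPath"
}
```

An entry reported with Inherited set to True has to be corrected on the Image Group folder or one of its parents, not on the image file.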
Requiring Administrator Approval
Instead of prestaging computers or using image file security, you can require administrator approval before allowing computers to be installed from images. To require administrator approval rather than modify security settings on image files, you can do the following:
1. In the Windows Deployment Services console, expand the Servers node. Press and hold or right-click the server you want to work with, and then tap or click Properties.
2. On the PXE Response Settings tab, select Respond To All (Known And Unknown) Client Computers.
3. Select For Unknown Clients, Notify Administrator And Respond After Approval, and then tap or click OK.
Now computers that are booted from the network will enter a pending state. Before the installation can proceed, an administrator can approve or reject the request.
To approve a request, complete the following steps:
1. In the Windows Deployment Services console, select the server you want to work with. Next, tap or click the server’s Pending Devices folder to select it and display a list of computers waiting for approval.
2. Press and hold or right-click the computer, and then tap or click Approve.
To reject a request, complete the following steps:
1. In the Windows Deployment Services console, select the server you want to work with. Next, tap or click the server’s Pending Devices folder to select it and display a list of computers waiting for approval.
2. Press and hold or right-click the computer, and then tap or click Reject.
Customizing Windows Images
You can customize a mounted boot or install image using the DISM utility. Available options for DISM are summarized in Table 1-2. All components in an image are managed via the component store.
Table 1-2. Key Options for the DISM Utility
COMMAND TYPE/COMMAND | DESCRIPTION
GENERAL COMMANDS |
/Cleanup-Wim | Deletes resources associated with mounted Windows images that are corrupt
/Commit-Wim | Saves changes to a mounted Windows image
/Get-MountedWimInfo | Displays information about mounted Windows images
/Get-WimInfo | Displays information about images in a Windows image file
/Image | Specifies the path to the root directory of an offline Windows image
/Mount-Wim | Mounts an image from a Windows image file
/Online | Targets the running operating system
/Remount-Wim | Recovers an orphaned Windows mount directory
/Unmount-Wim | Unmounts a mounted Windows image
ADDITIONAL OPTIONS |
/English | Displays command-line output in English
/Format | Specifies the report output format
/LogLevel | Specifies the output level shown in the log (1–4)
/LogPath | Specifies the log file path
/NoRestart | Suppresses automatic reboots and reboot prompts
/Quiet | Suppresses all output except for error messages
/ScratchDir | Specifies the path to a scratch directory
/SysDriveDir | Specifies the path to the system loader file named BootMgr
/WinDir | Specifies the path to the Windows directory
Once you mount an image, you are able to work with the mounted image using the Dism /Image subcommands listed in Table 1-3. These subcommands allow you to upgrade the image to a higher edition, add and remove device drivers, specify time zones and language user interface (UI) options, display patches and installed message signaled interrupt (MSI) applications, add and remove packages, and more.
Table 1-3. Important Subcommands for Mounted and Offline Images
SUBCOMMANDS | DESCRIPTION
/Add-Driver | Adds driver packages to an offline image
/Add-Package | Adds packages to the image
/Apply-Unattend | Applies an AnswerFile.xml file to an image
/Check-AppPatch | Displays information if the multiple customization patches (MSP files) are applicable to the mounted image
/Cleanup-Image | Performs cleanup and recovery operations on the image
/Disable-Feature | Disables a specific feature in the image
/Enable-Feature | Enables a specific feature in the image
/Gen-LangIni | Generates a new Lang.ini file
/Get-AppInfo | Displays information about a specific installed MSI application
/Get-AppPatches | Displays information about all applied MSP patches for all installed applications
/Get-AppPatchInfo | Displays information about installed MSP patches
/Get-Apps | Displays information about all installed MSI applications
/Get-CurrentEdition | Displays the edition of the specified image
/Get-DriverInfo | Displays information about a specific driver in an offline image or a running operating system
/Get-Drivers | Displays information about all drivers in an offline image or a running operating system
/Get-FeatureInfo | Displays information about a specific feature
/Get-Features | Displays information about all features in a package
/Get-Intl | Displays information about the international settings and languages
/Get-PackageInfo | Displays information about a specific package
/Get-Packages | Displays information about all packages in the image
/Get-TargetEditions | Displays a list of Windows editions that an image can be upgraded to
/Remove-Driver | Removes driver packages from an offline image
/Remove-Package | Removes packages from the image
/Set-AllIntl | Sets all international settings in the mounted offline image
/Set-Edition | Upgrades the Windows image to a higher edition
/Set-InputLocale | Sets the input locales and keyboard layouts to use in the mounted offline image
/Set-LayeredDriver | Sets the keyboard layered driver
/Set-ProductKey | Populates the product key into the offline image
/Set-SetupUILang | Defines the default language that will be used by Setup
/Set-SKUIntlDefaults | Sets all international settings to the default values for the specified SKU language in the mounted offline image
/Set-SysLocale | Sets the language for non-Unicode programs (also called system locale) and font settings in the mounted offline image
/Set-TimeZone | Sets the default time zone in the mounted offline image
/Set-UILang | Sets the default system UI language that is used in the mounted offline image
/Set-UILangFallback | Sets the fallback default language for the system UI in the mounted offline image
/Set-UserLocale | Sets the user locale in the mounted offline image
The Deployment Image Servicing and Management tool provides commands for working with WIM images. The syntax for mounting images is
dism /mount-wim /wimfile:Path /index:Index /mountdir:MountPath
where Path is the full path to the WIM image, Index is the index number of the image within the .wim file that you want to mount, and MountPath is the directory location where you’d like to mount the image, such as
dism /mount-wim /wimfile:c:\winpe_x86\iso\sources\boot.wim /index:1 /mountdir:C:\Win8
You can then modify the image as necessary. To commit your changes at any time, you can use Dism /Commit-Wim, as shown in the following example:
dism /commit-wim /mountdir:C:\Win8
where you commit changes to the WIM images mounted in the C:\Win8 directory.
To unmount a WIM file, you can use Dism /Unmount-Wim, as shown in the following example:
dism /unmount-wim /mountdir:C:\Win8
Here, you unmount the WIM image that was mounted and committed in the C:\Win8 directory. If there are uncommitted changes, you must commit or discard changes when you unmount a WIM image. Add /Commit to commit changes or /Discard to discard changes. This affects only the changes you haven’t previously committed.
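The mount, commit, and unmount commands above can be combined so that a failed servicing step never ends up in the saved image. The following is an added example, not part of the original text: it reuses the image and mount paths from the commands above, and the driver folder and the Invoke-Dism helper are hypothetical names introduced for this illustration.

```powershell
# Added example: service a mounted image, commit on success, discard on failure.
# $WimFile and $MountDir are the paths used in the text above. $DriverDir and
# the Invoke-Dism helper are hypothetical. Run from an elevated prompt.
$WimFile   = 'C:\winpe_x86\iso\sources\boot.wim'
$MountDir  = 'C:\Win8'
$DriverDir = 'C:\Drivers\Nic'   # hypothetical folder of .inf driver packages

function Invoke-Dism {
    param([Parameter(Mandatory = $true)][string[]]$Arguments)

    # Show DISM's own output, then turn a nonzero exit code into an error.
    & dism.exe $Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The mount directory must exist before DISM can use it.
if (-not (Test-Path -LiteralPath $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}

Invoke-Dism '/Mount-Wim', "/WimFile:$WimFile", '/Index:1', "/MountDir:$MountDir"
try {
    # Servicing steps go here; adding drivers is one of the Table 1-3 subcommands.
    Invoke-Dism "/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse'

    # Review what the image now contains before the changes are saved.
    Invoke-Dism "/Image:$MountDir", '/Get-Drivers'

    # Save the changes and release the mount directory in one step.
    Invoke-Dism '/Unmount-Wim', "/MountDir:$MountDir", '/Commit'
}
catch {
    # Any failure above: throw away uncommitted changes so a half-serviced
    # image is never written back to the .wim file.
    Write-Warning "Servicing failed, discarding changes: $_"
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard | Out-Host
    throw
}
finally {
    # Confirm that no image is left mounted.
    & dism.exe /Get-MountedWimInfo | Out-Host
}
```

If /Get-MountedWimInfo still lists the image after a failed run, /Remount-Wim and /Cleanup-Wim from Table 1-2 are the recovery options.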