System Imaging Best Practices for Windows (4243115)

KACE recommended best practices for creating a Windows Golden System Image.

• Keep 20 percent of available space (or more) on the appliance.
• Back up and remove un-used images, then copy and remove those images from the restore share directory.
• Remove test images, or images that have been updated. (Updated or outdated)
• Never run a "Delete Unused System Images Files" or delete an image while capturing an image.

• Create the golden image in a virtual machine to keep it clean of extra drivers. This also is helpful in updating the image on a regular basis (scripted install from appliance or ISO with CD drive pointed to install).
• Do not image or create a golden master image of a machine that comes directly from the manufacturer. Only use volume license media. Avoid using OEM Media. Please see KB article 138252 on Microsoft Imaging Rights. 
• If applying updates that occurred after capturing the image, only deploy a non-sysprepped image back to original machine.
• Update images every couple of months and run a cleanup on the images.

• UEFI vs Legacy BIOS Imaging KB Article 190265
• Single Partition Golden Image KB Article 187971 
• UEFI Imaging KB Article 186950 (If running Server 2012 OS for DHCP services or newer, policy can be configured for UEFI PXE KB217556.
• If not following the above KB articles, please note the following:

• If working from a machine that was deployed with the KACE SDA (Scripted Install or Image), make sure to delete the KACE directory on the root of the drive and delete %allusersprofile%\Quest\KACE.
• If working with a machine that had previously been sysprepped, make sure to delete sysprep_succeeded.tag from windows\system32\sysprep.
• Install all patches and updates.
• Create an administrator profile and customize the profile that is to be set up as default.
• KACE recommends creating a base image, and using post-installation tasks to deploy your software at a later time. This will make your images more flexible when having to deploy to numerous departments, or different types of users.
• If creating a "full" image, avoid installing software that is updated regularly (flash, reader, etc.), make these into post install tasks and leverage the KACE SMA for updates.
• It is NOT recommended to install applications such as anti-virus, encryption (example Dell Data Protection), security, virtual CD software, any software that emulates hardware, or the KACE SMA agent in the image. These can often interfere with the image deployment process.
• If the image will be captured in WIM format, keep at least 60% of the drive space on each partition as free/available.

• Capture the image without sysprepping OR if using a VM - use the "snapshot" feature to have a copy of the non-sysprepped OS and customization's. If capturing a non-sysprepped image, remember this must be deployed back to the exact same hardware.
• Note - Creating a golden master on a virtual machine leverages creating snapshots at different stages, such as prior to sysprepping. This allows a restore to a previous snapshot much quicker than re-deploying a system.  This also allows for easy testing of deployments to another virtual machine.  Testing driver injection would require deployment to the specific model(s) in question.
• If there is an issue with sysprep, and these happen often, it is best to restore a non-sysprepped image to the original machine, which will also avoid rearm issues. With the VM option, reverting back to a snapshot will allow updates to the system.
• If capturing the non-sysprepped image to the KACE SDA, be descriptive in your naming of captured images; include whether the machine is sysprepped, and include the version or date of the capture.
• Descriptive names enable system administrators to choose the correct image to deploy from the drop-down list in KBE. 
• Use the notes field in the KACE SDA Administrator Interface as a change and audit log.

• Sysprep is a Microsoft tool that they require for capturing an OS image to deploy to a different system.  You can either use the Microsoft Sysprep tools and command line or use KACE Sysprep Creator Wizard (http://www.itninja.com/blog/view/sysprep-creator-wizard) if you don't have an unattend.xml file.
• If you configured a "default" account, ensure to set True in the unattend.xml file. The sysprep creator wizard has an option to copy the current profile to the default profile.
• When running sysprep by command line and not the Sysprep Creator/Executor, use /generalize /oobe /shutdown and the /unattend switch.  
• Shutdown is preferred so that the PXE boot isn't missed on a reboot.  If using the option, sysprep must be run from the customized account.
• System booted to KBE navigate to Recovery>Command Prompt and with command window navigate to C:\windows\system32\sysprep\panther\setuperr.log for sysprep errors.

• Verify that enough space is available on the KACE SDA and then capture the sysprepped image.
• After the capture, reboot the sysprepped machine to verify that mini setup runs correctly.
• Test to make sure everything in the image works as desired.
• Capturing an image across the WAN is not recommended.  Please limit image capturing to only the local LAN where the KACE SDA is physically located.

• Add Pre/Mid/Post Installation tasks to your image on the KACE SDA.

Legacy Image minimum tasks: Partition Disks, Format and MBR
UEFI Image minimum tasks: Create UEFI Partitions, Apply UEFI Partitions

• Test your deployment on a different workstation for verification.
• If deploying an image to a remote location, please consider using a Remote Site Appliance (RSA) for best performance.  Deploying an image across the WAN is not recommended.

• Consider the ordering of your postinstallation tasks in terms of placing prerequisites before the applications that require them.
• Use cscript with vb scripts; cscript myscript.vbs
• When creating a zip file for an application task, select the contents to zip so that the file you call is in the root of the .zip file
• For .msi deployments, use the install switch last, for example, msiexec /qn /norestart /i agent.msi
• If using 3.5 SP1 or earlier:
  -  Use the "start /wait" command when deploying software via KACE SDA Postinstallation Tasks
  -  Use call when using .bat scripts in application tasks; call myscript.bat