Imaging Procedures

Step 1: Identify the asset

Search the asset tag in AD (and in the ticketing system if applicable), verifying the name printed on the device matches AD, and it is not a device that could contain important data. If this is a new device, verify with whomever is administrating the MDT server that the drivers for the device have been loaded on the server.

Step 2: Adjust the device in Active Directory

Move the device into the “walserag.com/Inventory/MN/Ready/” organizational unit, remove any users from the managed by field, and set the description to “Stock (Imaged X/X/XX)” . Devices should rarely need to be deleted out of AD, as they will adopt the existing object in AD if named properly.

Every freshly imaged device will follow the same moniker. The name of every Walser computer should be the model of the device followed by the asset tag, separated with a hyphen. Some examples:

SURP-20873 T440-10950 M720Q-20911 M900-05369 T540-00298

Any detail notated in the description that is not within parentheses () is only relevant to the current deployment of the device. Anything contained within parentheses is information that stays with the device, regardless of deployment. For example, an asset may have the following description:

Doe, John – TOY (Imaged 8/26/19) (500GB SSD) (Left USB Dead)

The first part of the description lists the user and the location the device is deployed to. When imaging, these should always be removed and replaced with Stock when imaging. The parts in parentheses should not be deleted from a device at any time unless a modification was made to justify a change, such as a reimage, or a hardware change.

Step 3: Clean the device

Every device should be thoroughly cleaned with glass cleaner and goo gone prior to imaging. There should be no decals, labels, or stickers left on any device other than the Walser asset tag. If it has a vendor specific tag, such as a Nissan Assist sticker, that may also be left on.

Step 4: Verify Hardware

Make sure the device is equipped with the correct amount of RAM, hard drive type and size. Current standard hardware is 8 GB of RAM and 120 GB SSD. This can be done by opening the device, or through the BIOS. This step can be done after the OS install to speed up the process but is easiest to correct at this stage.

Step 4: Boot to MDT via PXE boot

Connect the device to power and to the MDT network, identified by a red Ethernet cable. Power on the device and keep pressing F12 to enter the boot selection menu. You may need to power cycle the device multiple times before it will go into the boot selection menu (For Surfaces, the boot selection menu can be reached by holding the power button and the volume up button for 15 seconds. The existing Windows Boot Manger should be deleted at this time). Once there, select the LAN/PXE device listed. The device will take several seconds to search for a DHCP lease then prompt the user to press F12 or enter when a lease is obtained. Press enter to select the Deploy Windows (x64). The device will then take a couple of minutes to boot into MDT.

Step 5: Start the image

Select the top option for Windows 10 Pro x64. Create the device name using the proper naming scheme, making sure to double check it is correct. This can be corrected later if done wrong, but it is well worth the time to do it right the first time. Once entered, it will prompt to select applications to install. By default, no selection changes are required. If the device will be deployed to a user who needs Office, this would be an ideal time to select it for install. The device will start the imaging process, which takes about an hour. Once it says finished, click okay for it to restart, and switch the network to the black LAN.

Step 6b: Driver install (Lenovo only)

Open the System Update application. Click no thanks when prompted. Click “Get new updates” or “next” and it will begin searching for updates. Once finished, click “OK” on the popup (6d). Select any applicable updates from the 3 tabs (6e). This will most often be every update but if unsure, consult a team member. This step can be run concurrently with steps 7 and 8.

Step 6b: Device encryption (Surface only)

Go into Windows Settings -> Update & Security -> Device encryption and turn off device encryption. The device can be safely rebooted while this is running.

Step 7: Join the domain

Open the System window in control panel. This can be done several ways such as Window Key + Pause Break or right click on This PC in file explorer and selecting properties. Click on change settings on the right to open the System Properties windows. A faster way to open this window is to search sysdm.cpl in the start menu. From there, click the change button, then switch the member of box to domain. Enter walserag.com as the domain. Enter your bang account credentials. Click okay through the prompts, one of them will ask you to restart now or later. If updates from step 6 are still running, decline the restart, otherwise it should be restarted. At this point, the device should have either created a new object or inherited an existing one in AD.

Step 8: Activate Windows

This step is only necessary on some older computers. For all Surfaces and any Lenovo T*60 or higher this step may be skipped. Open Windows settings and select Update & Security. Then select the active tab on the left. If it says “Windows is activated with a digital license” proceed to step 9. Otherwise, click on the troubleshoot button. A window will open and detect problems for about a minute. It will then show a button saying “Activate Windows” that once pressed will activate Windows. If the button does not show up or does not work, consult another team member.

Step 9: Verify policy

After rebooting the device, sign into it with your domain account. Open command prompt and run the gpupdate /force command (9a). This should take less than a minute to run but can often get stuck. Using the escape sequence Ctrl + C allows you to enter the command again. If it still refuses to complete after 2 or 3 retries, power cycle the device. This process should be repeated until group policy is working, which will be apparent as the background will change to the inventory OU background on sign in (9b).

Step 10: Update Windows

Once policy is updated, go into Windows settings -> Update & Security and click check for updates. Allow any updates to install and reboot. Do this until it says no updates found.

Step 11: Put on shelf

Power off the device completely, making sure it does not go into sleep, as the battery will be dead when attempting to deploy. Put it on the appropriate shelf.

Common Issues:

Device will error out during step 5 and fail to image. If it fails after repeated attempts, the hard drive is likely the issue. You can attempt to fix this by pressing F8 at any point just after step 4. This will open a command prompt window. Enter the diskpart command. Use the list disk command to view each attached storage device. Use the select disk (number) command, then enter the clean command. Do this for each disk. Then power cycle the device and follow the steps as normal. If the issue persists, replace the drive and try again.

Device refuses to open the boot selection menu, or menu does not have LAN/PXE listed. Enter the device BIOS, and make sure than LAN/PXE is listed as an enabled boot option. If it is, check the secure boot settings to make sure they are not blocking LAN/PXE. If on a Surface, make sure that under the security tab, secure boot configuration is set to Microsoft & 3^rd Party CA.

Device is very slow to post and to LAN/PXE boot. This is almost always caused by a bad drive, most times they are SSHD’s. Replace the drive with an SSD.

Beeps and does not post. There is a whole host of beeps codes with different meanings, but most of the time they are related to RAM issues. Try reseating the RAM first, then try new RAM.