
Cloning/Imaging Windows 10 Upgrade Retail Computers Workflow

Here’s another technical blog post. I wanted to document this here in case it helps someone else, or in case I have to do this again at another school. Here’s the scenario:

A school has purchased a rather large quantity of Windows 7 or Windows 8.1 computers via a retail channel. The school has NOT purchased eopen (site) licensing for quick and easy deployment, but wishes to upgrade all of their retail machines to Windows 10.

With Windows 7 or 8.1, the solution was relatively simple, despite being somewhat painful… You would prep one machine, sysprep it without a license key, and then image the rest of the machines using something like Fog or Clonezilla. Upon boot, you’d enter the product key, activate, and take any other cleanup steps that were needed. If you try to follow those same steps with a Windows 10 upgrade machine, you’ll run into 2 problems.

The first problem is imaging the Windows 10 install. A Windows 10 install done via the upgrade tool will not allow you to sysprep it. Supposedly there is a workaround out there for this, but in my experience, it’s not worth it anyway (and even if you did, you’d run into the second issue)… The simple fix to this problem is to do a clean install of Windows 10… But…

That brings us to the second problem: Windows activation. The Windows 10 upgrade activates based on some version of the hardware ID. So if you simply do a clean install of Windows 10, sysprep, then image it, you’ll end up in a situation where none of the machines you image will allow you to enter any valid product key. The reason is that the hardware hasn’t been activated yet via the special upgrade process Windows has created for this.

So that leaves you with 3 possible solutions:

  • Buy the eopen site licensing (best solution if you have the money)
  • Manually run the Windows 10 upgrade process on every machine, activate, then image again to get your software on it. This method works, but if you have a large number of computers, it could take DAYS to manually run the upgrade process on every machine and activate it (the Windows 10 installer is slow, and even with a perfect assembly line of machines… it’s a lot of key presses and a lot of waiting). It gets even slower if you have pending Windows updates.
  • Or you can do what I’m about to mention.

It turns out, there is a way to do a clean install of Windows 10, without doing the upgrade first. It does involve getting a “GenuineTicket” for each machine first, but that is FAR faster than running the windows 10 upgrade process on every machine. Here are the workflow steps:

Part 1 – Get The Licensing

  1. Download the Windows 10 ISO from Microsoft and mount it in your favorite iso mounting software.
  2. In the ISO File, locate a file called “gatherosstate.exe”. This file is located in drive:\Windows\x64\source or drive:\Windows\x32\sources. Copy this file to a jump drive. You’ll want it on a portable, writable device to assist with doing multiple computers. This process however does work for a single machine by simply copying it someplace locally.
  3. On the Windows 7/8.1 Machine you wish to upgrade, insert the jump drive. Run gatherosstate.exe on the jump drive. Assuming the windows 7/8.1 machine was activated, it will create a GenuineTicket.xml on your jump drive.
  4. Now, assuming you have multiple computers you need to upgrade, this is where organization matters. In my case, I number all my machines, so what I did was create a folder on the jump drive with the machine’s number. I then dropped the GenuineTicket.xml file I just made into that folder. You need to make sure you keep track somehow of which GenuineTicket.xml goes with which machine. Failure to do this will make the later steps impossible.
  5. Repeat Steps 3 and 4 until you have a GenuineTicket for EVERY machine. In my case, I had 30 machines. So I ended up with 30 folders numbered 1 to 30, each with a GenuineTicket.xml in them.

Part 2 – Build The Image

  1. Now, take one of the machines, and perform a clean install of Windows 10 on it.
  2. Install the software you need installed, just as if you were building an image for Windows 7 or Windows 8. Perform any windows updates you want in the image, etc.
  3. I don’t believe you NEED to activate the image for that machine prior to sysprepping, but if for some reason you do, do the part 3 steps on this machine to activate it.
  4. At this point, sysprep the image (for me this is normally sysprep /oobe /generalize /shutdown /unattend:unattend.xml from the c:\windows\system32\sysprep\ folder). I won’t go into this too much, as I assume if you are doing this you’re probably already familiar with how to sysprep an image.
  5. Image the machine using your favorite imaging software (I generally image to Clonezilla first, then do the same image to a Fog machine, as USB for me tends to be faster for testing).

Part 3 – Deploying The Image

  1. At this point, I then install the image onto the machines.
  2. When you get to the “enter the license key” screen, hit “skip this step”.
  3. Once the system is up, log in as administrator and insert the jump drive that was created in Part 1.
  4. Copy the GenuineTicket.xml from the folder for the machine you’re on to C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\. In my case, I wrote a simple batch script to do this that took in the computer number, and then copied the file. That way I didn’t have to find the folder each time, I just had to double click my script and type the computer number. The script also took care of a few other 1-time things that I needed after imaging (creating user accounts, adding icons, etc).
  5. Reboot the machine, and confirm the machine is now activated. If you put the wrong GenuineTicket on the machine, it will not activate! If you put it in the wrong folder, it will not activate!
  6. Repeat Steps 1 to 5 until all machines are done.

The other cool thing about this setup is that once it’s done on every machine, I believe that you no longer need to do all of the steps. In theory, the next time I need to image to Windows 10, it *should* behave much more like my enterprise licensing, and activate without needing me to copy the GenuineTicket again (or even including it). My understanding is that this is because the hardware ID *should* already be on file with Microsoft, so it should auto-activate. That said, I have not confirmed this yet, as I haven’t had a need to reimage any machines. As a precaution, I am keeping my GenuineTickets for every machine so that I don’t need to do part 1 ever again. I’d do pretty much anything to never have to type a product key again.

Final Disclaimer: I’m not sure any of this is how Microsoft wants things done. In fact, I’m pretty sure it’s not. If your client/school/whatever can afford it, I’ll always encourage finding a Microsoft Rep and getting the enterprise licensing to allow you to do this without the activation headaches. KMS/AD activation is so much easier to use in a larger environment :-).

Let me know in the comments if this helped you or your organization!



Windows 10 Adventure Part 2 – 5 Days With a New OS

So I wasn’t sure I’d write a part 2, but so far, I’ve been pleasantly surprised at how smooth windows 10 has been for me since the clean install.  Here’s a quick synopsis of what I’ve found so far:

1) I like the faster boot ups. Windows 8 was faster than Windows 7 when it came to booting. Windows 10 seems to be just a tad bit faster yet. Given that my motherboard’s POST cycle bootup is about 30 seconds on its own (RAID cards take a bit to boot), having Windows only take 5 to 10 seconds to get up is a nice thing to have for those times I need to scramble to get back into a game or webinar.

2) It’s stable. I didn’t have very many stability issues with Windows 7, but Windows 10 seems to be just as stable on my machine. That’s a good thing. It doesn’t seem to have the hiccups that Windows Vista brought when I first upgraded to it.

3) Some of the new features are rather nice… The ability to record a game without needing my nVidia recorder, or Bandicam is kind of interesting. Quality seems good. Gaming also seemed to magically work over RDP, which was something that never seemed to work very well in Windows 7.

Cortana is also very interesting. I have her set up to respond, but she doesn’t quite do some of the things that might be able to save me some time… For example, I would love to be able to say “Start Warcraft” and have it open… However, program shortcuts don’t really seem to work yet. If they get Cortana working as well as Siri or Alexa, I could get used to talking to her.

I haven’t made use of much else that is truly “new”. I probably won’t use the multi-desktop stuff. Some of the legacy Windows 8 menus are still getting in my way, but it’s not that bad. I did have to disable some notification sounds to get my computer to stop beeping every 10 seconds.

All in all though, I would consider this one of the most successful OS upgrades I’ve had, minus the day 1 difficulties I had with drivers and getting it installed.



I’m not sure if I will have enough time to document all of my adventure with upgrading to Windows 10. Needless to say, it wasn’t as painless as I would have hoped.

There is one thing I want to document in the hopes that it might help someone else who has a Roland/Edirol M16-DX sound board. At the time of writing this, Roland hasn’t released a Windows 10 driver, and at the moment it’s unclear if they will. That said, the 8.1 driver works just fine, but does require 2 “hacks” to achieve it.

The first hack is to the INF file:

1. Change the %MfgName% to be %MfgName%=Roland,NTamd64.6.2
2. Remove the section with the header [Roland.NTamd64.7]

Doing this will allow Windows 10 to see the driver, however, it will no longer install it as the INF file and the HASH associated with the cat file no longer match (security issue). To get around this problem, you have to perform a second hack that disables the driver security check. To do that, you have to boot into a special mode. Click here to read how to do that.

Once the Driver Signature Verification is turned off, it should install the board without issue (and it appears to work just fine… I haven’t tested the ASIO yet, but all my inputs and outputs are showing up in Windows 10, and sound is flowing).

I’ll make this last note in case I don’t get back to my adventures in upgrading to windows 10:

I strongly encourage a clean install… Which if you’re going to do… YOU NEED to get the key first (assuming you’re doing the free upgrade). Doing an in-place install left me in a non-bootable state where I had to do a clean install (most likely due to my wide array of weird drivers). That said, clean installs mean fast OSes… I don’t think my computer has been this fast since 2010…

And for those of you who are wondering: other than the launch day hiccups… Windows 10 seems great to me so far. No complaints (other than the install/driver issues which were to be expected day 1).



Color Profiles and PDF to JPEG conversion

Again, just documenting some code for myself in case I find myself in this situation 10 years from now, and happen to be googling my blog for how to convert a PDF to a JPG/JPEG/anything really.

Let’s start off where this ordeal started… with this simple line of code:

convert source.pdf output.jpg

Jam that into a PHP exec statement, and you’ve got yourself some basic PDF to JPG conversion going on… However, there will be some issues. The first one I ran into was quality (okay, so honestly the first one was the mistake of trying to use the Imagick() object in PHP and assuming it had all the power easily accessible that exists in the command line version. It doesn’t as far as I can tell). Quality was easy enough to fix. The setting that made the difference for me was density:

convert -density 300 source.pdf output.jpg

That worked great… Until the client uploaded a PDF they had cropped in Adobe Acrobat. Strangely, when being converted using ImageMagick, it was still showing white where the client had cropped. Rather than explain to the client how PDFs have a trimbox, cropbox, bleedbox, and artbox that can all be “cropped”, I decided the best course of action was to modify ImageMagick to use the cropbox instead of the trimbox:

convert -define pdf:use-cropbox=true -density 300 source.pdf output.jpg

And, again, the people rejoiced… Until the client managed to find a way to really stump me. They uploaded a PDF that contained a particular shade of green. This green went from being a nice, tree-like green to an insanely bright neon green when converted from a PDF to a JPG. I knew this was most likely a color profile issue… which in the past has always proved to be a problem for me.

Color profiles have this fun way of not always behaving the way you want them to. I tried various things to get the color profiles to behave consistently upon conversion, but no matter what I did, nothing seemed to work in all cases of conversion. So I got a little more creative… I decided to try some in-between conversions… I ended up finding something that worked by sending it through a PostScript (PS) file. Here are the final 2 lines I’m now using:

pdftops -paper letter -expand source.pdf inbetween.ps
convert -density 300 inbetween.ps output.jpg

pdftops handles the cropbox on its own, so no need for those flags anymore. I’m not sure the density line is needed, but I left it in anyway.




MySQL SSL Setup Debugging

For my own sanity, I’m writing down the steps I took to get SSL working between 2 servers today. I ran into some frustration following the step-by-step instructions on both mysql.com as well as on one or two other websites. To add to the fun, it seems sometimes I would get different, non-descriptive errors such as:

  • ERROR 2026 (HY000): SSL connection error (no additional details)
  • ERROR 2026 (HY000): SSL connection error: Unable to get certificate
  • ERROR 2026 (HY000): SSL connection error: protocol version mismatch

So here is what I did, step by step, with multiple test points…

On the MYSQL SERVER that I wanted to connect to, I logged in and created a self-signing Certificate Authority (CA) and then used that to sign a key for my MySQL server. The commands looked like this:

openssl genrsa 1024 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem

openssl req -newkey rsa:1024 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

You’ll note that I used 1024 for my key instead of 2048. While 2048 would be more secure, and is what is provided in the example here, it causes my version of OpenSSL to generate in a slightly weird format that the mysql client doesn’t seem to like in some cases. A number of examples online said there was a simple workaround involving adding “RSA” to the header and footer of the keys, but no matter what I seemed to do, this never worked for me… so I just lowered the key strength to 1024 to get it to generate it the old way. There was also a suggestion to merge the server and client certs into one “CA”… but I didn’t like that either… in fact… I didn’t want a client cert if I could avoid it… as I wasn’t authenticating against it… I just wanted the SSL tunnel.
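The header workaround mentioned above can be checked instead of guessed at. This is an added example, not code from the original post: it compares a PEM key's label with the DER structure inside it, assuming the “slightly weird format” is PKCS#8 (BEGIN PRIVATE KEY) as opposed to the traditional PKCS#1 (BEGIN RSA PRIVATE KEY). The function names are hypothetical and the sample keys are constructed, structure-only placeholders.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
LABEL_FORMAT = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_private_key(pem_text):
    """Compare the PEM label of an unencrypted RSA key with its DER structure."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    _, _, after_version = read_tlv(der, start)  # skip the INTEGER version field
    # PKCS#1 RSAPrivateKey: version is followed by INTEGER modulus (tag 0x02).
    # PKCS#8 PrivateKeyInfo: version is followed by a SEQUENCE naming the
    # algorithm (tag 0x30); the PKCS#1 key sits inside an OCTET STRING after it.
    structure = {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(der[after_version], "unknown")
    return {"label": label, "structure": structure,
            "consistent": LABEL_FORMAT.get(label) == structure}

def _der(tag, body):
    # Short-form length only, which is enough for the tiny constructed samples.
    return bytes([tag, len(body)]) + body

def _pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

def constructed_samples():
    """Constructed, structure-only samples: NOT real or usable keys."""
    integer = lambda v: _der(0x02, bytes([v]))
    pkcs1 = _der(0x30, b"".join(integer(i) for i in range(9)))  # version 0 + 8 fields
    rsa_alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    pkcs8 = _der(0x30, integer(0) + rsa_alg + _der(0x04, pkcs1))
    return {
        "traditional": _pem("RSA PRIVATE KEY", pkcs1),
        "pkcs8": _pem("PRIVATE KEY", pkcs8),
        # The header-editing workaround: PKCS#8 body with an "RSA" label pasted on.
        "relabelled": _pem("RSA PRIVATE KEY", pkcs8),
    }

if __name__ == "__main__":
    for name, pem in constructed_samples().items():
        print(name, classify_private_key(pem))
```

A result with "consistent": False means the label and the encoded body disagree, which is the state a key is left in when only its header and footer lines are edited.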

Once I had my certs created, I added these 3 lines to my.cnf. In theory I could have put them in the startup command for the server, but this was the better long term solution:


Note: when I created all my certs above, I was in the folder /etc/mysql/ (in case you didn’t guess that already).

At this point, I restarted the mysql server and ran the following query on it:

show variables like '%ssl%';

The server came back and would say that it “have_ssl” and “have_openssl” along with the paths to the certs I just loaded in. This was a good sign.

I then modified one of my users to only allow connections using SSL:

grant usage on *.* to example_user require ssl;

I then began testing from client devices. The first stop was MySQL Workbench for Windows. I loaded it up and tried to log in, and on the first try it failed (this I took to be a good sign, as I hadn’t told it anything about the SSL). I then grabbed the ca-cert.pem file I created on my server, and brought it over to my client box. I then told MySQL Workbench to use this file for the CA. You’ll note I DID NOT specify a client key or certificate for this. I then tried to connect, and voilà, it let me in.

To confirm I was in fact transmitting over SSL at this point, I ran this query:

show status like 'Ssl_cipher';

and then ensured it came back with a value (if it’s blank, you’re NOT connected over SSL).

I then moved on to my second client, which was a LAMP setup. I tried connecting using phpMyAdmin, and of course, it failed again as I had told it nothing about the certificate authority. So again, I copied the file over, this time adding the following to my my.cnf:


I first tested with my mysql client on the machine and it worked great. I did run into a little trouble with phpmyadmin, but I found the connect lines in my config file and basically added this one line before the connection was made, but after the init:

mysqli_ssl_set($link, NULL, NULL, "/path/to/ca-cert.pem", NULL, NULL);

I think this may not have been needed if my version of phpmyadmin had been newer… but not sure. (I was in 3.4.5 at the time, the documentation I was reading would have been for 4.2.7).

Regardless, when I signed off for the night, all my MySQL connections that I cared about between my older “clients” and my new MySQL server were running over SSL. Tomorrow, I hope to set up some replication between servers over SSL. This may require that I create a client certificate, but until then, I’m happy to not have needed one.






A Culture of Pressure

The USA has turned into a culture of pressure. We never “ease up”. We are always “connected”. Etc.

I’m sure I’m one of the worst at this… between my job, my email, and my family, there’s barely enough time to check out the latest humble bundle.

And when I do, I feel guilty, for not doing other things that need doing.

And there is always something that needs doing.

The bible says we should have a day of rest, and up until the last 20 to 30 years, history seems to agree.

I feel like if there was some way to force a “Sunday” on everyone again, or at least get culture to really allow it, that we might see a lot of problems in our world vanish.

Maybe fewer students and adults snapping on Mondays…

Maybe less people suffering from anxiety.

Maybe a reduction in people addicted to drugs to help them unwind.

I’m sure this has all been said before… but it seems Christmas is a good time to mention it again.

Jesus wasn’t born in the middle of a busy city. He was born pretty much alone with his family (until the visitors started to show up). Different.

Maybe it’s time to reflect both on the peace that the one baby can bring us, and start making some changes in 2014 as a culture…

I guess that starts with changing myself first.