The software installed on the reference machine becomes part of the base layer that you capture. When you deploy the base layer to other endpoints, those software and settings are delivered to those endpoints as well.

Consider the following items before you decide on the software to include in your base layers:

Do not include software that is licensed specifically to individual pieces of hardware, or whose licenses are tied to the hardware.

If the reference machine contains OEM software, you can deploy that base layer only to endpoints of the same hardware family. This restriction is because OEM software is tied to specific hardware vendors, makes and models.

The following items are examples of core corporate software that is typically the most commonly included software in a base layer:

Antivirus

VPN client

Microsoft Office

Corporate applications to be used by all target users

Departmental applications should generally be distributed through app layers.

You can install disk encryption software on the reference machine, but it must not be part of the base layer. Always deploy disk encryption software to the endpoints after.

For additional software considerations, see Image Management Planning.

System-wide settings are transferred from the reference machine to all machines that receive the base layer.

Check which settings are required and configure them accordingly.

In special cases, you can add specific exclusion rules to the Base Layer Rules policy. See Working with Base Layer Rules.

For more detailed control outside the base layer configuration, you can use Active Directory Group Policy Objects (GPOs) to configure settings.

Examples of settings in the reference machine are power management, remote desktop settings, and service startup options.

If the target endpoints assigned to the base layer are members of a domain, verify that the following conditions are in place:

The reference machine used for this base layer is a member of the same domain. Otherwise, users of the target endpoints are prevented from logging in to the domain and only local users can log in.

The Net Login service is set to start automatically.