SCCM.pdf

Windows IT Pro 

Using SCCM to Migrate Migrate to Windows 7 Mel Beckman

sponsored by  Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 2

Contents Prfigh chckli r sCCM Widw 7 Dplym

3

sCCM Widw Dplym tip: Uig UsB Iallai Mdia 4 sCCM Widw Dplym tip: U a Ky Maagm srvr 5 sCCM 2007 sP2 rquird r Widw 7/2008 os Dplym 5 DircAcc giv Ir-bad sCCM cli aml rm crl 6 Cra a Widw 7-bad WiPe cmpaibl wih sCCM 6 Dply Micr App-V v i App-V I’ i Ba os Imag 8 Widw Iu Limiai Cmpard  sCCM 10 Widw 7 BrachCach shar Fil Bw Pr  a sub 11 Widw 7 b sCCM BDP Cci rm 10  20 12 nx vri  sCCM mbrac Rl Bad Acc Crl ad BrachCach 12

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 3

Preight checklist or SCCM Windows 7 Deployment By Ml Bckma Whether you’re migrating to Windows 7 or deploying it “green eld,” you’ll want to use SCCM 2007’s Operating System Deploy ment (OSD) tools to install a customized Windows 7 for your environment. SCCM 2007’s capture-and-deploy process lets you deploy Windows 7 in massive quantities with no intervention— a totally touch-free installation! To pull that o, however, you’ll need to follow this preight checklist, which outlines the steps required for setting up capture-and-deploy, and prepositions you for pushing Windows 7 to new machines or to upgrade existing ones. If you’re like most of us, you won’t be performing this process frequently—perhaps once or twice a year. So keep a log of what you’ve done for future reference; you’ll thank yourself later!

templates. We all have a few 32-bit-only applications that keep us chained to the smaller bit size.  The creation process is simple: install Windows 7, apply all Windows updates (which may take several iterations), and apply optional Windows updates, such as .NET 4, that may be required for your environment. Any Windows IT admin worth his or her salt knows this drill. A couple tips: (1), use USB installation media (see detailed article following this one), and (2) avoid adding any device-specic Windows updates, such as new sound card drivers and the like. You want this Windows 7 installation to be as clean as possible. You’ll add drivers later—this Windows 7 installation is  just a template for further customization. 3. Customize the reerence machine. You’re now ready to

1. Create a provisioning account. Microsoft’s best practice

for SCCM OSD is to always use a separate account for provision ing, rather than using your administrator account. So create a dedicated account in Active Directory to use only for SCCM OS deployment processes. Grant the provisioning account the following rights:

•

Access rights to the Active Directory OU(s) to contain the computer account objects

• •

Add rights for resource objects to the SCCM database Read rights to the location where the OS image les (.WIMs) will be stored

As part of this step, you’ll also want to create a folder to hold OS image les—for example, C:\CapturedOSimages, and share this folder out. It will be used to receive the nal OS image. 2. Create a reerence machine. You need a piece of real hard-

ware template Windows 7 installation customized to your taste.  This can be any old machine—a cast-o laptop, a maintenance spare, whatever—that is capable of running Windows 7. Of  course, the faster the hardware, the less time you’ll spend in the reference machine build process, so don’t scrimp on CPU speed and memory if you don’t have to. The machine should be 64-bit capable, so that you can create both 32-bit and 64-bit Windows 7

“put the tune on” your reference installation. Log into your newly minted Windows 7 box, go to Control Panel->Programs->Turn Windows Features On or O and activate additional compo nents, such as SNMP or Telnet, needed for your environment. Make sure the machine stays in a workgroup and does not join your domain, and leave the administrator account password  blank . Setting an administrator password needlessly complicates subsequent steps. If you need to congure any regional settings, do that now as well. Go to Control Panel->Clock, Language, and Region, and set your time zone, date and time format (such as 24-hour time), and any language customizations you desire. You could also install some common “default” applications at this point, such as Adobe Acrobat Reader. But it’s better to hold o on those—you’ll be happier having SCCM manage applications separately from the OSD image. Separating application installation also means you won’t have to re-image should a critical update be needed for those apps. 4. Create USB capture media. The “USB capture media”is just

a USB key—with only a few hundred K capacity—containing the runtime code and script that performs the image capture, pushing the image to the share you created in Checklist Item 1. You’ll run it later on the reference machine and stand back—the capture

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 4

process is fully automated. In SCCM, navigate to SCCM Computer Management->Operating System Deployment->Task  Sequences->Create Task Sequence media. Select your USB key

and then unmount it at completion. 5. Perorm the image capture. Insert the USB key on ref 

machine, run the .exe it contains. The reference machine will execute the task sequence stored on the key, reboot the machine, and start the capture process. It will boot into WinPE, change to the Out of Box Experience (OBE), then transfer the image to the SCCM server share as a .WIM (Windows Image) le. You’ll be prompted to enter a few values, including the destination share for the image. The whole process takes less than 15 minutes on an uncongested gigabit network. 6. Import the captured image into SCCM. You’ve nished

build-and-capture. Now you’re ready to prep SCCM for deploy ment. Navigate to SCCM Computer Management->Operating

System Deployment->Operating System Images, and select Add an Operating System Image. Choose the .WIM le from

the build-and-capture folder, and SCCM will import it. You’re now ready for deployment. For many shops, you can deploy the image as-is. Some client platforms, however, may require special drivers for non-generic NIC, disk, and video hardware. If that’s the case, you’ll need to add drivers to your deployment process, which is its own complex topic outside the scope of this preight checklist. A great source for guidance is Hayes Jupe’s blog entry “SCCM OSD – Driver best practices”: http://hayesjupe.wordpress.com/sccm-osd-driver-best-practices You’re now ready to begin the deployment process best suited to your needs, which involves creating a task sequence and adver tising it, and selecting various installation or migration options.

SCCM Windows Deployment Tip: Using USB Installation Media By Ml Bckma Although you can build a reference machine the old fashioned way, using CD or DVD installation media, installing Windows 7 us ing USB bootable media is way faster. Create one USB thumb drive for 32-bit, one for 64-bit. The process is straightforward and widely documented. The steps are well documented in Paul Thurrott’s excellent article “Install Windows 7 With a USB Memory Key”:

http://www.winsupersite.com/article/windows-7/install-windows-7-with-a-usb-memory-key USB installation is many times faster than disc-based installs because the media itself has no moving parts. You’re essentially installing at system memory speed.

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 5

SCCM Windows Deployment Tip: Use a Key Management Server By Ml Bckma Windows 7 has two kinds of Enterprise product keys: the Multiple Activation Key (MAK), which hard-codes the license key on the destination machine and will never require re-activation, and the Key Management System (KMS) key. Using a MAK key requires running through the manual activation process, which is a touch to the workstation for you, or a pain in the neck for the user. If  you forget to perform the activation, the user logging in as nonadministrator won’t be able to perform that step. You’ve then created a time bomb: The computer will shut down at some future date, demanding activation, causing user heartburn and you tech support pain. Instead, it’s better to deploy a Key Management Server in your organization and use the KMS license method. Setting up a KMS

is trivial and widely documented; Microsoft even has a movie illustrating the process (http://tinyurl.com/kmsmovie). You need not run the KMS on an actual server—it’s simple to run even on a Windows 7 client box. Once the server is up and running, all future Win7 machines will nd it on your network  automatically and self-activate, even without Internet access. A bonus security feature of KMS is that the Win7 clients must reactivate with the KMS every few months, which automatically limits the usability of lost or stolen computers. In a shared virtualization (e.g., private cloud) environment, KMS also prevents cloud users from absconding with your Windows licenses by dint of copying its VHD.

SCCM 2007 SP2 required or Windows 7/2008 OS Deployment By Jh savill

Q. What versions o System Center Confguration Manager (SCCM) 2007 support Windows 7 and Windows Server 2008 R2 SP1? A. On March 24, 2011, Microsoft announced that SCCM 2007 SP2, R2, and R3 all support Windows 7 SP1 and Windows Server 2008 R2 SP1 operating systems for client installation. This includes deployment of these OSes and hosting of roles and consoles where supported by the OS. This announcement on  TechNet (http://tinyurl.com/sccmwin7) provides full details, along with two updates required for full SP1 support.

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 6

DirectAccess gives Internet-based SCCM clients seamless remote control By Jh savill

Q. All my System Center Confguration Manager (SCCM) Internet-based clients are running Windows 7 and are Direct Access enabled. Do I still need to use the SCCM Internet-Based Client Management eature? A. The Internet-Based Client Management feature of SCCM allows clients that are connected to the Internet without a VPN connection into the corporate network to be managed by SCCM through the use of certicates to protect the communications.  There are certain SCCM features that aren’t supported when using the Internet-based management features, including Remote Control, OS Deployment, and Network Access Protection. DirectAccess lets clients connected to the Internet have full connectivity to corporate resources and also allows corporate

infrastructure services, including SCCM, to have access to the In ternet-based machines. With DirectAccess, clients on the Internet are treated as though they’re still on the corporate network, and therefore SCCM can manage them as such. So if all your Internet clients are DirectAccess enabled, you’re not required to use SCCM Internet-Based Client Management. Because the clients are treated as if they’re on the corporate network, certain features (such as Remote Control) that aren’t available for SCCM Internet-Based Client Management computers will be avail able when you use DirectAccess. Note that OS Deployment still won’t function, because DirectAccess relies on certicates and domain membership, and those won’t be available on a newly deployed OS. Here’s a great Microsoft blog entry that goes into more detail on DirectAccess and SCCM: http://tinyurl.com/sccmdirectaccess.

Create a Windows 7-based WinPE compatible with SCCM By John Savill

Q. How can I create a Windows 7-based Windows Preinstallation Environment (WinPE) that’s compatible with System Center Confguration Manager (SCCM)?

machine that has the latest Windows Automated Installation Kit (WAIK) installed. Make sure you open the WAIK command prompt to run the commands below that are in bold. In my example, I’m creating the image in the folder d:\temp\winpe_amd64, so if you use a dierent path, update your commands appropriately.

A. SCCM 2007 comes with two PE images—one 32-bit and one 64-bit—that are used to capture and deploy OSes. You can create our own WinPE environments with additional utilities and conguration and use them with SCCM, you just need to make sure you add the scripting and WMI packages. Below is a transcript of the Windows command line instructions I used to create a new amd64 (64-bit) WinPE environment on a

C:\Program Files\Windows AIK\Tools\PETools> copype.cmd amd64 d:\temp\winpe_amd64 ========================================= Creating Windows PE customization working directory d:\temp\winpe_amd64 =========================================

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 7

1 file(s) copied. 1 file(s) copied.

]

C:\Program Files\Windows AIK\Tools\PETools\ amd64\EFI\microsoft\boot\fonts\wgl4_boot.ttf 7 File(s) copied 1 file(s) copied. Success Updating path to include peimg, cdimage, imagex C:\Program Files\Windows AIK\Tools\ PETools\ C:\Program Files\Windows AIK\Tools\ PETools\..\AMD64 d:\temp\winpe_amd64> dism /mount-wim / wimfile:d:\temp\winpe_amd64\winpe.wim / index:1 /mountdir:d:\temp\winpe_amd64\mount Deployment Image Servicing and Management tool Version: 6.1.7600.16385 Mounting image [ ================ 100.0% ================ ] The operation completed successfully. d:\temp\winpe_amd64> dism /image:d:\ temp\winpe_amd64\mount /add-package / packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpescripting.cab" Deployment Image Servicing and Management tool Version: 6.1.7600.16385 Image Version: 6.1.7600.16385 Processing 1 of 1 - Adding package WinPEScripting-Package~31bf3856ad364e35~amd6 4~~6.1.7600.16385 [ ================ 100.0% ================

The operation completed successfully. d:\temp\winpe_amd64> dism /image:d:\ temp\winpe_amd64\mount /add-package / packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpewmi.cab" Deployment Image Servicing and Management tool Version: 6.1.7600.16385 Image Version: 6.1.7600.16385 Processing 1 of 1 - Adding package WinPE-WMIPackage~31bf3856ad364e35~amd64~~6.1 .7600.16385 [ ================ 100.0% ================ ] The operation completed successfully. d:\temp\winpe_amd64> dism /unmount-wim / mountdir:d:\temp\winpe_amd64\mount /commit Deployment Image Servicing and Management tool Version: 6.1.7600.16385 Image File : d:\temp\winpe_amd64\winpe.wim Image Index : 1 Saving image [ ================ 100.0% ================ ] Unmounting image [ ================ 100.0% =====================] The operation completed successfully.

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 8

Deploy Microsot App-V even i App-V Isn’t in Base OS Image By John Savill

Q. How can I deploy the Microsot Application Virtualization (App-V) client using System Center Confguration Manager (SCCM) i App-V isn’t in my base OS image? A. If you’re using SCCM task sequences to deploy your OS,

tion, and so might the host name, etc. The switches shown are for demonstration only.

Client\x64\setup.exe /s /v" /qn SWIPUBSVRHOST=\"savdalappv01.savilltech. net\" SWIPUBSVRTYPE=\"RTSP\" SWIPUBSVRPORT=\"554\" SWIPUBSVRDISPLAY=\"SAV DALAPPV01\" SWIFSDRIVE=\"Q\" SWICACHESIZE=\"4096\""

it’s very easy to add in a step to also deploy the App-V client.  There are two main approaches. The rst is to just copy the App-V  client setup les to a folder and create a new package. Then, You need all the repeat double quotes, and note that in my within that package create a program that calls the setup.exe distribution, I have a Client folder under the main App-V source for the App-V client (you need one for x64 and one for x32). The folder that contains the actual main les. That’s why I have setup.exe will install, as will prerequisite requirements such as Vi Client\\setup.exe. Make sure you use Browse to sual C++ SP1 Redistributable 2005 and 2008 and the Application check that the path is correct. Error Reporting. Within your program, add the various switches to congure the App-V client with App-V Server (such as cache size),  The above is kind of a lazy approach (but it works).The alternative as shown here: is to actually install the prerequisites manually, then run setup. msi (instead of setup.exe) to install the actual App-V client. Once again, you pass switches to the setup.msi to perform the con guration. If you’re deploying to Windows Vista and Windows 7, you need to deploy the Visual C++ SP1 2005 and 2008 redistrib utables (you need the linked versions because they have the ATL security update). The application error reporting is in the Support folder of each architectures setup les and is installed from there. If you’re deploying to Windows XP, you also need to deploy the Microsoft Core XML Services 6.0 SP1. You could deploy these by creating a package for each of the components and adding a program to deploy with dependen cies (the best option to re-use components). Or you can put them all in one package and use a script to call each component one at a time, such as the following (which I saved as x64install. bat):

My full command line from above is shown below. Note that I use RTSP (hence port 554)—this might be dierent in your organiza-

start /wait %~dp0Client\prereq\vc2005\ vcredist_x86.exe /Q start /wait %~dp0Client\prereq\vc2008\ vcredist_x86.exe /Q

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 9

start /wait msiexec /i %~dp0Client\x64\Support\Watson\dw20shared. msi APPGUID={342C9BB8-65A0-46DEAB7A-8031E151AF69} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus start /wait msiexec.exe /i %~dp0Client\x64\setup.msi SWIPUBSVRHOST="savdalappv01. savilltech.net" SWIPUBSVRTYPE="RTSP" SWIPUBSVRPORT="554" SWIPUBSVRDISPLAY="SAVDALAPPV01" SWIFSDRIVE="Q" SWICACHESIZE="4096" /q Note that I have switches to congure the App-V client. Also note for the Watson (Application Error Reporting) install, the APPBUID is AppV client version-specic. In the above, that’s the right GUID for the 4.6 SP1 client install. The full list can be found on this TechNet page, in case you want to install a dierent version of App-V client, but this FAQ is based on installing the 4.6 SP1 client. I also created a batch le for the x86 install:

start /wait %~dp0Client\prereq\vc2005\ vcredist_x86.exe /q start /wait %~dp0Client\prereq\vc2008\ vcredist_x86.exe /q start /wait msiexec /i %~dp0Client\x86\Support\Watson\dw20shared. msi APPGUID={342C9BB8-65A0-46DEAB7A-8031E151AF69} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus start /wait msiexec.exe /i %~dp0Client\x86\setup.msi SWIPUBSVRHOST="savdalappv01. savilltech.net" SWIPUBSVRTYPE="RTSP" SWIPUBSVRPORT="554" SWIPUBSVRDISPLAY="SAVDALAPPV01" SWIFSDRIVE="Q" SWICACHESIZE="4096" /q

My full hierarchy of les is shown below for easy reference to match my conguration and install les:

App-V Client 4.6 SP1\x64install.bat App-V Client 4.6 SP1\x86install.bat App-V Client 4.6 SP1\Client\Prereq\ vc2005\vcredist_x86.exe App-V Client 4.6 SP1\Client\Prereq\ vc2008\vcredist_x86.exe App-V Client 4.6 SP1\Client\x64\setup.exe App-V Client 4.6 SP1\Client\x64\setup.msi App-V Client 4.6 SP1\Client\x64\Support\ Watson\dw20shared.msi App-V Client 4.6 SP1\Client\x86\setup.exe App-V Client 4.6 SP1\Client\x86\setup.msi App-V Client 4.6 SP1\Client\x86\Support\ Watson\dw20shared.msi

I use the same 32-bit Visual C++ install for both 32-bit and 64bit installs. Only the Watson version and App-V client change between architectures.

Ideally, put each part into its own package with its own install program. Doing it that way gives you the most reuse and selfrepair functionality. The batch le approach is a nice middle option, while just calling setup.exe is certainly the fastest and easiest way but will gives a slower installation (the prerequisites have to be extracted from the setup.exe for Visual C++ then installed).

I then create a program within the App-V client package that just calls the x64install.bat (or x32install.bat), as shown (called BitByBit for mine, compared to the regular x64 install that uses setup.exe):

No matter which method you choose, you should place the actual App-V client deployment near the end of the task sequence, where you normally deploy applications such as your malware

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 10

protection and Microsoft Oce (if it ’s not virtualized), as shown below. Note that in mine, I’m also deploying the O ce Deployment Kit for App-V, because I virtualize Oce 2010 with App-V:

Windows Intune Limitations Compared to SCCM By John Savill

Q. Is it true that i I cover my machines with Windows Intune, I can upgrade those machines to Windows 7 Enterprise and get access to the Microsot Desktop Optimization Pack (MDOP)? A. Windows Intune is Microsoft’s cloud-based PC manage

-

ment solution. It oers some capabilities similar to the on-premise System Center Conguration Manager (SCCM) solution, including Microsoft update management, malware protection, inventory, remote assistance, and alerts and monitoring. Intune, in its current, rst version, doesn’t oer software or OS deployment. Intune can be great for organizations that can’t deploy SCCM or that have

pockets of users outside of their corporate environment who they still want to manage. Intune is a per-computer, per-month subscription. As part of that subscription, as long as the computer has Windows 7 Professional or Business, the Intune subscription gives the right to upgrade that machine to Windows 7 Enterprise. For an additional $1 a month per computer, MDOP can also be added, giving access to all of MDOP’s features, including Microsoft Ap plication Virtualization, Microsoft Enterprise Desktop Virtualiza tion, Advanced Group Policy Management, Diagnostics and Recovery Toolset, Desktop Error Monitoring, and Asset Inventory Service.

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 11

Windows 7 BranchCache Shares Files Between Peers on a Subnet By John Savill

Q. Can System Center Confguration Manager (SCCM) clients take advantage o BranchCache? A. Windows 7 and Windows Server 2008 R2 introduced a new feature that allowed data downloaded by one person to be shared with peers on the same local subnet, a feature known as distributed mode BranchCache. (An alternative is dedicated mode, which is where a Server 2008 R2 server is specied to cache content for an entire group of computers). I t looks some thing like this (diagram courtesy of Microsoft):

As the name, and this diagram, suggests, this is primarily aimed at distributed environments that may have a slow (high latency) link to the main datacenter, where having 50 users download the same 10MB le is a waste of bandwidth that will mean a poor end-user experience. With BranchCache enabled, the le would be downloaded by the rst person to access the le, and the other 49 people will pull it from the machine that already downloaded it.  To use BranchCache, you need Windows Server 2008 R2 to host your content. Your clients must be running Windows 7 or Server 2008 R2, and BranchCache must be enabled on both the server and clients.  The good news is that SCCM can take advantage of this func tionality, providing you’re running SCCM 2007 SP2 or above. You must check the option to allow clients to transfer content from this distribution point using BITS, HTTP and HTTPS on the distribution point properties in the General tab of SCCM. You also need to configure the advertisements to download and execute, instead of running directly from the distribution point. Here’s a great MSDN blog that goes into more detail on this topic: http://tinyurl.com/win7branchcache

Brought to you by Windows IT Pro

 Tech Advisor • Windows IT Pro | p. 12

Windows 7 boosts SCCM BDP Connections rom 10 to 20 By John Savill

Q. I I use a Windows 7 client as a System Center Confguration Manager (SCCM) 2007 branch distribution point, can I have 20 simultaneous connections instead o 10? A. BDPs are a new feature in SCCM 2007 that enable a nonserver OS (you can still use a server OS) to act as a distribution point for a location. Windows XP SP2 and above were originally supported as BDPs, provided the computer is part of an Active Directory domain, is an SCCM client, and isn’t congured to use an Internet-based management point. Because the BDP shares

information using a le share, the server service must be running on the BDP computer.

A. Windows XP SP2 client OS only supports a maximum of  10 concurrent connections to its le shares, so if you have more than 10 machines at a location, understand that only 10 will be able to connect at any one time. Windows 7 increases the number of simultaneous connections to a le share from ve or 10 (depending on your OS version) in previous versions of Windows to 20 in all versions of Windows 7. This means if you use a Windows 7 client as a branch distribution point with SCCM 2007, it will support 20 simultaneous connections instead of the ve or 10 you received with previous versions.

Next version o SCCM embraces Role Based Access Control and BranchCache By Orin Thomas

Following on from Exchange Server 2010, the next version of SCCM, SCCM 2012 due out in 2012 H1, embraces the concept of Role Based Access Control (RBAC). RBAC is a more advanced model for allocating administrative permissions. Not only do you designate what the permission is (for example, the right to meter software usage) you designate where the permission applies (in the case of  SCCM this might be to a particular collection of computers).

a peer-caching technology that allows organizations running Windows 7 to more eectively use WAN bandwidth. In the case of the next version of SCCM, deployed les will be peer cached out at the branch oce on the clients—meaning that you will be able to eciently get software out to branch oces without having to go through the rigmarole of conguring a branch oce deployment point.

 The next version of SCCM brings a signicant number of advancements, including full integration with Windows Server 2008 R2 and Windows 7 BranchCache technologies. BranchCache is

Find out more about SCCM 2012 at Microsoft’s System Center 2012 Release Candidate portal: www.microsoft.com/en-us/  server-cloud/system-center.

Brought to you by Windows IT Pro