IBM Endpoint Manager

IBM Endpoint Manager for OS Deployment – Windows Server OS provisioning using a Server Automation Plan

Document version 1.0 Michele Tomassi

© Copyright International Business Machines Corporation 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

CONTENTS

Contents........................................................................................................................... iv

1 Purpose of this document......................................................................................5

1.1 Summary of changes 5

1.2 Software requirements 5

1.3 System Requirements 5

2 Preparing the deployment objects .........................................................................6

2.1 Step 1: Create the Windows Profile 6

2.1.1Creating a Windows cloned profile 7

2.2 Step 2: Create the Windows software modules 14

2.2.1Create a software module containing the IBM Endpoint Manager client .... 14

2.3 Step 3: Create or edit the deployment scheme (optional)............................19

2.4 Export the deployment objects in .rad format 20

2.5 Import the .rad file to the IBM Endpoint Manager Server.............................21

2.6 Step 4: Deploy the Windows .rad profile from the IBM Endpoint Manager Console. 24

2.6.1 OS provisioning through direct invocation of RAD Fixlets......................... 24 2.6.2 OS Provisioning through an Automation Plan ........................................... 25

1 Purpose of this document This document describes how to configure your IBM Endpoint Manager Environment for the deployment of Windows Server operating systems using IBM Endpoint Manager for OS Deployment, Tivoli Provisioning Manager for OS Deployment, and IBM Endpoint Manager for Server Automation. Most of the emphasis is dedicated to the preparation steps

1.1 Summary of changes

Date Notes May 2014 First version of the document

1.2 Software requirements

The following software must be installed in your environment:

IBM Endpoint Manager Platform Version 9.0 or later

OS Deployment Version 3.4 or later

Tivoli Provisioning Manager for OS Deployment Version 7.1.1.15 or later

1.3 System Requirements

From an architectural perspective, you must have the following components:

1. A Tivoli Provisioning Manager for OS Deployment Server on a dedicated machine

2. An IBM Endpoint Manager Server that must be subscribed to both “OS Deployment and Bare Metal Imaging” and “Server Automation” sites

3. An IBM Endpoint Manager relay, connected to the IEM server, with a Tivoli Provision-ing Manager for OS deployment server installed locally.

4. At least one bare metal target

5. A DHCP server providing IP addresses and (optionally) other network parameters to boot machines. It is important that DNS be included in the set to resolve the IEM server hostname.

6. An MDT Bundle containing a Windows PE version compatible with the Windows Server flavors you plan to deploy. The following table displays the Windows Server versions and the corresponding required Win PE versions:

Windows Server Version Windows PE version in the MDT Bundle

2003 3

2008 3

2008 R2 3

2012 4

2012 R2 5

The following graphic describes the main components and their roles:

2 Preparing the deployment objects

To prepare a Windows image for deployment in a System Automation plan, you must perform the fol-lowing steps in order:

1. Create the Windows profile

2. Create the software modules

3. Create or edit the deployment scheme (optional)

4. Export the objects created or edited in the previous steps in a .rad format

Important: You must run the preparation steps on a dedicated Tivoli Provisioning Manager for OS Deployment server. This machine must NOT have IBM Endpoint Manager client running, or else it will be listed among the available Bare Metal Servers in the "Bare Metal Server Manager" dashboard in your Endpoint Management environment.

5. Import the .rad file to the IBM Endpoint Manager Server

6. Deploy the Windows Profile

2.1 Step 1: Create the Windows Profile

You can create the Windows profile by generating it from a DVD image or from a reference machine. In the first case, it is referred to as unattended setup. In the second case, it is a cloned profile. This document describes how to create a cloned profile.

2.1.1 Creating a Windows cloned profile

This section describes the creation of a Windows 2008 R2 cloned profile. Proceed as follows:

1. On the reference machine, uninstall the IBM Endpoint Manager client.

2. Run Sysprep on the reference machine to prepare your system for cloning. For further infor-mation about running Sysprep and preparing the reference machine, see “Running Sysprep” (http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/index.jsp?topic=%2Fcom.ibm.tivoli.tpm.osd.doc%2Fdeploy%2Ftosd_ref-compwinvista.htm)

3. When the machine reboots, force to network boot to connect it to the IBM Tivoli Provisioning Manager for OS Deployment standalone server. Depending on the specific configuration of the server, the following panel may vary:

4. Log in to the Tivoli Provisioning Manager for OS Deployment web user interface and browse to Server -> OS Deployment -> System Profiles

.

5. Click New Profile. The Profile wizard opens. Choose “Cloning from a reference machine” option

6. Specify the IP address of the reference machine

7. Wait while the operating system is being detected. You can check on the reference machine whether Windows PE is loaded

8. When OS detection is complete, click Next

9. Do NOT select to prepare the disk for BitLocker encryption. Click Next

10. Enter the Windows product key if needed (or set to Volume Licensing)

11. Set the Administrator password, time zone, and language

12. If needed, add a Windows custom response file

13. Wait for the profile creation and for the upload to the Tivoli Provisioning Manager for OS De-ployment to complete.

14. Shut down the reference machine if needed.

Windows Profile details view

If the profile is selected in the Tivoli Provisioning Manager for OS Deployment web user interface, the following page opens. You can modify the partition layout and other settings by selecting the OS configuration at the bottom of the page

WARNING: Tivoli Provisioning Manager for OS Deployment allows the binding of multiple OS configurations to the same system profile. However, to export the system profile and then import it to IBM Endpoint Man-ager, your system profile MUST have only one OS configuration linked to it.

2.2 Step 2: Create the Windows software modules

You must add the IBM Endpoint Manager client as software module to the .rad archive that is imported to the IBM Endpoint Manager server. The instructions for manually installing IBM Endpoint Manager client for Windows platform, are available here: install IBM Endpoint Manager client on Windows (http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Platform/Adm/c_installing_the_client_with_msi.html).

To successfully register the IBM Endpoint Manager Client to IBM Endpoint Manager Server, the Endpoint Manager client must have the certificate file actionsite.afxm, related to the IBM Endpoint Manager it wants to register to. You should create a dedicated software module for each certificate file. However, if you generate the software module pointing to the folder in <IEM_install_path>\BES Installers\ClientMSI\ the .msi package already contains the masthead file and you do not need to copy it later.

The official Tivoli Provisioning Manager for OS Deployment documentation provides the guidelines needed to create a software modules for Windows .msi files at this page: creation of Windows software module from msi package (http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tpm.osd.doc/deploy/tosd_msiexample.htm)

2.2.1 Create a software module containing the IBM Endpoint Manager client

The IBM Endpoint Manager client for Windows is provided as .msi package for silent installation, hence you must create a software module to handle .msi files. Follow these steps:

1. Log in to the Tivoli Provisioning Manager for OS Deployment web user interface and browse to Server -> OS Deployment -> Software modules

2. Click on new Software button (bottom left of the page). The following wizard opens; Select the appropriate Windows versions for the software module

3. Select type msi

4. Select the machine where the source folder was copied:

5. Browse to the source folder:

6. Wait for the msi introspection to complete

7. Set the description value

8. Edit the command to install the .msi package (specify /qn for silent installation

9. Wait for the software module creation to complete

WARNING: Tivoli Provisioning Manager for OS Deployment requires mass storage and network device drivers to successfully install the server. You may need to add, in the software module set to be exported, the drivers for the operating system you want to provision. To create software modules of type drivers, see creating software module of type drivers (http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tpm.osd.doc/deploy/tosd_mkdrivers.htm)

2.3 Step 3: Create or edit the deployment scheme (optional)

The Deployment scheme contains settings that affect how the deployment of the operating system is done. When you install the Tivoli Provisioning Manager for OS Deployment server, a deployment scheme with name "Default" is always created. You can edit the settings in the default scheme or create a new deployment scheme. More details about creating and editing deployment schemes are available here (http://pic.dhe.ibm.com/infocenter/tivihelp/v3r1/topic/com.ibm.tivoli.tpm.osd.doc/deploy/tosd_deplscheme_linux.htm)

To edit an existing deployment scheme, perform these steps:

1. Log in to the Tivoli Provisioning Manager for OS Deployment web user interface and browse to Server -> OS Deployment -> Task Templates

2. Select the deployment schemes folder

3. Select a deployment scheme and click the “View deployment parameters” link

4. Make the changes you want and click ok. The recommended final action is reboot.

2.4 Step 4: Export the deployment objects in .rad format

The Export in .rad format is a step you perform from the Tivoli Provisioning Manager for OS Deployment web user interface. The .rad format is a proprietary archive format of the Tivoli Provisioning Manager for OS Deployment product.

1. Log in to the Tivoli Provisioning Manager for OS Deployment web user interface and browse to Server -> OS Deployment -> Software modules.

2. Click on RAD export button at the bottom of the page. The export wizard opens

3. Select the IBM Endpoint Manager client, a deployment scheme, and the Windows system profile. Then click next. You don't need to select any Windows Deployment Engine (aka Windows PE) because the deployment of the profile uses the Windows PE engines in the MDT bundles. Save the .rad file and make it available to the IBM Endpoint Manager server.

2.5 Step 5: Import the .rad file to the IBM Endpoint Manager Server

To import the .rad file to IBM Endpoint Manager server, log in to the IEM console and access the Image Library dashboard. Click " Import Image"

A wizard opens. Browse to the folder where the .rad file was transferred. Select .rad format at the bottom right of the wizard, and select the .rad image file.

Select the file and click open; then click Analyze. The import step starts with an image introspection and then proceeds in the background (green arrow visible on the console). It may take some time, depending on the IBM Endpoint Manager server performance and other factors (IBM Endpoint Man-ager console on a different machine from the IBM Endpoint Manager Server). At the end of the import process, the image will be available in the Image Library dashboard. Select it and click "Send to Server" to copy it to the Bare Metal Server.

The copy action can take time, due to network bandwidth beetween IBM Endpoint Manager Server and IBM Endpoint Manager relay. When the action is complete, you can check that the image is available at the Bare Metal Server sfrom both the Image Library and Bare Metal Server Manager dashboards. The Server with profile column now displays 1 as value

Now you can provision the OS using the Server Automation fixlets. More information about the be-havior of these fixlets is available here: deploy of .rad profiles (http://pic.dhe.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_9.1/Lifecycle_Man/OSD_Users_Guide/c_Deploy_using_RAD.html)

2.6 Step 6: Deploy the Windows .rad profile from the IBM Endpoint Manager Console.

2.6.1 OS provisioning through direct invocation of RAD Fixlets

You can now deploy the .rad profile through the fixlets available in the "OS Deployment and Bare Metal Imaging" site. From the set of available fixlets, select number 133 or number 107.

The main difference between the two fixlets is that Fxlet 133 first registers the target of the OS provisioning to the Bare Metal Server, then asks for the hostname of the target. On the contrary, Fixlet 107 uses the hostname that is already registered in the Bare Metal Server database. You must specify the target and .rad profile values in the Fixlet fields, then you run the Fixlet on the Bare Metal Server

Even if the fixlet is marked as complete on the IBM Endpoint Manager console, it does not necessarily mean that the actual OS provisioning has completed too. You can monitor the progress of the OS provisioning from the Deployment Activity Dashboard. This also applies to OS provisioning through an automation plan.

2.6.2 OS Provisioning through an Automation Plan

You can create custom Automation Plans that have OS provisioning as a first step, by using one of the Fixlets described in the previous paragraphs

Click on Take Action, and select the .rad profile that you want to deploy.

At the end of the OS provisioning, the new machine is registered to the IBM Endpoint Manager Server

® © Copyright IBM Corporation 2014 IBM United States of America US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice. Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation 4205 South Miami Boulevard Research Triangle Park, NC 27709 U.S.A. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available. If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other coun-tries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Other company, product, or service names may be trademarks or service marks of others.