Microsoft® Workstation/Image Management
Module 0
Outline & Introduction
Session Overview
Day 1
• Built-In Tools
• Deployment Options
• File Server Resource Manager (FSRM)
• Home Directory
• Group Policy
• Windows Server Update Services (WSUS)
• Windows Deployment Server (WDS)
• Windows Automated Installation Kit & Assessment and Deployment Kit (WAIK / WADK)
• Windows Deployment Toolkit
Session Overview
Day 2
• System Center Configuration Manager
• Overview
• Manage Software Deployments
• Create and Deploy Applications
• Deploy and Manage Software Updates
• Managing Operating System Deployments
• Managing Compliance Settings
Module 1
File Server Resource Manager (FSRM)
Module Overview
• Issues Surrounding Workstation Management
• Overview of FSRM
• Using FSRM to Manage Quotas, File Screens, and Storage Reports
What Is an In-Place Deployment?
Wipe-and-load: replace the computers’ current configuration with new ones, selectively migrating portions of their previous configurations
[Figure: source and destination computer; collect user state to an intermediate store, then restore user state]
In-place upgrade: upgrade existing computers to Windows 7 and maintain their configurations
[Figure: existing computer, upgrade]
What Is a Side-by-Side Deployment?
Deployment scenario where source and destination computer are two different computers
[Figure: source computer, collect user state, intermediate store, restore user state, destination computer]
Determining a Deployment Scenario
When will you use the following deployment scenarios?
1. In-place (upgrade)
2. Wipe-and-load (refresh)
3. Side-by-side (replace)
What Is Lite-Touch Deployment?
What Is Zero-Touch Deployment?
What Is FSRM?
FSRM enables the following functionality:
• Storage quota management
• File screening management
• Storage reports management
• Classification management
• File management tasks
What Is File Screening Management?
File screen management provides a method for controlling the types of files that can be saved on file servers
File screen management consists of:
• Creating file screens
• Defining file screen templates
• Creating file screen exceptions
• Creating file groups
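The four pieces listed above fit together in a fixed order: a file group defines the name patterns, a template bundles the group with a notification, a file screen applies the template to a path, and an exception exempts a subfolder. The following PowerShell is an added example, not part of the original slides; it uses the FSRM cmdlets available from Windows Server 2012, and every name and path in it is an assumption chosen for illustration.

```powershell
#Requires -Modules FileServerResourceManager
# Added example: file group -> template -> file screen -> exception.
# All names and paths below are hypothetical; adjust them to your file server.

$groupName    = 'Example - Script and Executable Files'  # hypothetical file group
$templateName = 'Example - Block Scripts and Executables' # hypothetical template
$sharePath    = 'D:\Shares\Home'                          # hypothetical home directory root
$exceptPath   = 'D:\Shares\Home\ITTools'                  # hypothetical subfolder that is exempt

# 1. File group: the file NAME patterns a screen matches on.
#    Screening looks at names only, not at file content, so a renamed
#    file is not caught. Treat screens as policy enforcement and an
#    audit signal, not as malware protection.
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName `
        -IncludePattern @('*.exe', '*.scr', '*.bat', '*.vbs')
}

# 2. Notification: write an event-log entry for each blocked save.
#    The bracketed names are FSRM notification variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to save [Source File Path] under [File Screen Path].' `
    -RunLimitInterval 10

# 3. Template: reusable definition. -Active blocks the save;
#    leave -Active off for a passive screen that only logs.
if (-not (Get-FsrmFileScreenTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $templateName `
        -IncludeGroup $groupName `
        -Notification $eventAction `
        -Active
}

# 4. File screen: apply the template to the share root.
#    The screen covers the folder and all of its subfolders.
New-FsrmFileScreen -Path $sharePath -Template $templateName

# 5. Exception: allow the same file group in one subfolder.
New-FsrmFileScreenException -Path $exceptPath -IncludeGroup $groupName

# Review what is now enforced.
Get-FsrmFileScreen -Path $sharePath |
    Select-Object Path, Active, IncludeGroup, Template
Get-FsrmFileScreenException -Path $exceptPath |
    Select-Object Path, IncludeGroup
```

Starting with a passive screen and reading the resulting events before switching to active screening shows which users the block would affect.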
What Are Storage Reports?
Storage reports provide information about file usage on a file server
Types of storage reports include:
• Duplicate Files
• File Screening Audit
• Files by File Group, Owner, or Property
• Folders by Property
• Large Files
• Quota Usage
• Least and most recently accessed files
Module 2
Deploying and Maintaining Images
Module Overview
• Overview of Windows Deployment Services
• Implementing Deployment with Windows Deployment Services
• Administering Windows Deployment Services
Tools Used to Support the Planning Phase
• Microsoft Deployment Toolkit (MDT) 4.2
• Enterprise Learning Framework (ELF)
• Microsoft Assessment and Planning Toolkit (MAP) 4.0
• Microsoft Desktop Optimization Pack (MDOP) for Asset Inventory Planning 1.0
• Microsoft Application Compatibility Toolkit (ACT) 5.5
• System Center Configuration Manager 2007
Tools Used to Support the Building Phase
• MDT Deployment Workbench
• Windows Automated Installation Kit (WAIK)
• User State Migration Tool (USMT)
Tools Used to Support the Deploying Phase
• Windows Deployment Services (WDS)
• System Center Configuration Manager
• MDT Deployment Workbench
• User State Migration Tool (USMT)
What Is Windows Imaging File Format?
A file-based disk image format that contains compressed files used to install operating systems
[Figure: Windows Image (.wim) File. Labels: WIM Header, Metadata Resource (Image 1), Metadata Resource (Image 2), File Resource, Lookup Table, XML Data, Integrity Table, Image 1, Image 2]
How Windows Uses Modularization
Modularization allows you to:
• Add multiple device drivers and updates to the image files
• Customize optional Windows features
• Update individual elements in the image files
• Deploy multiple language versions of Windows using a single image file
The Deployment processes
The Imaging Process
• Envisioning
• Planning
• Developing
• Stabilizing
• Deploying
Types of Images
Three different types of images:
Thin images
• Few applications
• Few language packs
Thick images
• Core application
• Language packs
• Other files
Hybrid images
• Mix thin and thick image strategies
What Is an Image Strategy?
An image strategy defines the standard configuration of each common operating system image that is created by an organization.
An image strategy must include the following elements:
• Type of images
• Number of images
• Number of WIM files
• Pre-configured settings in an image
• Additional operating system elements
Image Strategy Flowchart
[Figure: flowchart with yes/no decision points "Are multiple builds required?", "SCCM available?", "Is network traffic a factor?" and "Is storage cost a factor?", leading to Thin Image, Hybrid Image or Thick Image]
Onsite Image Engineering Process
MDT Initial Setup
• Create New Deployment Share
Create and stock the Deployment Share
• Add Packages (for master image)
• Add Applications (for master image)
• Add Operating System (for master image)
• Add Drivers (for master image)
Task Sequence
• Add Task Sequence to Build and Capture Master Image
• Configure Deployment Properties in CS.ini
• Configure Master Image Settings
Build Master Image and Capture
• Build Reference Machine, Sysprep and Capture WIM
Sharing Best Practices for Designing Images
Identify and discuss several best practices for image-based deployment.
Sharing Best Practices for Designing Images
The following list outlines several best practices for image-based deployment:
• Use a single image strategy to reduce the number of images to maintain and service.
• Use a multilingual strategy to add multiple language packs to your image to reduce the number of language-specific images that you support.
• Run the sysprep /generalize command when preparing the Windows image to be captured, even if all computers have the same hardware configuration.
• Do not deploy the default image (install.wim) file that is included with the Windows product DVD directly by using ImageX. You can use the default image only with Windows Setup (setup.exe).
• Use the imagex /flags option when capturing a Windows image to create the metadata to apply to the image that you are capturing.
• Do not duplicate features for different architecture types in an answer file, if you are performing cross-platform deployments.
• Create architecture-specific settings for each configuration pass in an answer file for cross-platform deployments.
What Is Windows Deployment Services?
Windows Deployment Services is a server role that is provided with Windows Server 2012
Windows Deployment Services:
• Enables you to perform network-based installations
• Simplifies the deployment process
• Supports deployment to computers with no operating system
• Provides end-to-end operating system deployment
• Uses existing technologies, such as Windows PE, .wim and .vhd files, and image-based deployment.
Windows Deployment Services Components
Windows Deployment Services provides several functions through these components:
• Windows Deployment Services PXE Server
• Windows Deployment Services Client
• Additional Server Components
  • TFTP server
  • Shared folder
  • Image repository
• Multicasting Engine
Why Use Windows Deployment Services?
Consider the following scenarios:
1. In a small network consisting of a single server and around 25 Windows XP computers, you want to expedite the upgrade process of the client computers to Windows 8
2. A medium-sized organization wants to deploy multiple servers in branch offices that are geographically dispersed. It would be time-consuming and expensive to send experienced IT staff to each location to deploy the servers
Understanding Windows Deployment Services Components
Windows Deployment Services prerequisites include:
• AD DS
• DHCP
• DNS
• NTFS volume
Use Windows Automated Deployment Tool Kit to create answer files for automated deployment
Installing and Configuring Windows Deployment Services
• Install and configure Windows Deployment Services by:
  • Installing the Windows Deployment Services server role
  • Install the Deployment Server or Transport Server role service
• Perform post-installation configuration of Windows Deployment Services by:
  • Specifying an image store location
  • Configuring the DHCP server options, if required
  • Configuring PXE server configuration
Managing Deployments with Windows Deployment Services
To service client computers with Windows Deployment Services, you must:
• Configure boot settings
• Configure install settings
• Configure transmission settings
• Configure drivers
Common Administration Tasks
There are several common administrative tasks and tools for Windows Deployment Services
Tasks
• Configure DHCP
• Create and service images
• Manage the boot menu
• Prestage client computers
• Automate deployment
• Configure transmission
Tools
• Windows Deployment Services console
• WDSUtil.exe
• Dism.exe
• Sysprep.exe
• ImageX.exe
• Windows SIM
Automating Deployments
To automate the Windows Setup process:
1. Create the Unattend.xml file
2. Copy the file to the Windows Deployment Services server
3. View the properties of the appropriate install image
4. Enable unattended mode and select the answer file
Demo
• Install the Windows Automated Installation Kit
• Identify resources and tools included with the Windows Automated Installation Kit
• Build a custom Answer File by using Windows SIM
• Install a reference computer from a DVD using a custom Answer File
• Generalize a reference computer by using Sysprep
• Add packages to Windows PE
• Create a bootable Windows PE ISO image
• Start the Windows PE Operating System environment
• Capture an image using ImageX
• Apply an image using ImageX
• Service an offline WIM image
Module 3
Implementing Update Management
Overview of WSUS
• What Is WSUS?
• The WSUS Update Management Process
• Server Requirements for WSUS
What Is WSUS?
[Figure: Microsoft Update website, Internet, server running Windows Server Update Services, LAN, test clients, automatic updates]
The WSUS Update Management Process
[Figure: update management cycle with the phases Identify, Evaluate and Plan, Deploy, Assess]
Configuring Automatic Updates
• You must configure the client computers to use the WSUS server as the source for updates
• You can use Group Policy to configure clients, including the following settings:
  • Update frequency
  • Update installation schedule
  • Automatic restart behavior
  • Default computer group in WSUS
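Group Policy delivers these settings to the client as registry values under the Windows Update policy key, so a client that is not reporting to WSUS can be checked directly. The script below is an added example, not part of the original slides; it reads the four settings listed above plus the server address, and the expected server URL and group name are constructed placeholders.

```powershell
# Added example: audit the WSUS client settings that Group Policy wrote
# to this computer. Read-only; run in an elevated or normal session.
# The two expected values are constructed placeholders.
$expectedServer = 'https://wsus.example.internal:8531'
$expectedGroup  = 'Workstations-Pilot'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Status, [string]$Note)
    [pscustomobject]@{
        Setting = $Setting
        Value   = if ($null -eq $Value) { '<not set>' } else { $Value }
        Status  = $Status
        Note    = $Note
    }
}

function Test-Ok { param([bool]$Condition) if ($Condition) { 'OK' } else { 'CHECK' } }

# Source for updates
$useWu    = Get-PolicyValue $auKey 'UseWUServer'
$wuServer = Get-PolicyValue $wuKey 'WUServer'
$wuStatus = Get-PolicyValue $wuKey 'WUStatusServer'
# Update frequency (hours between detection cycles)
$freqOn   = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$freq     = Get-PolicyValue $auKey 'DetectionFrequency'
# Installation schedule
$auOpt    = Get-PolicyValue $auKey 'AUOptions'            # 2 notify, 3 download+notify, 4 scheduled install, 5 local admin chooses
$day      = Get-PolicyValue $auKey 'ScheduledInstallDay'  # 0 = every day, 1-7 = Sunday-Saturday
$hour     = Get-PolicyValue $auKey 'ScheduledInstallTime' # 0-23
# Automatic restart behavior
$noReboot = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
# Default computer group (client-side targeting)
$tgtOn    = Get-PolicyValue $wuKey 'TargetGroupEnabled'
$tgt      = Get-PolicyValue $wuKey 'TargetGroup'

$findings = @(
    New-Finding 'UseWUServer' $useWu (Test-Ok ($useWu -eq 1)) `
        'Must be 1, otherwise WUServer is ignored and the client uses Microsoft Update'
    New-Finding 'WUServer' $wuServer (Test-Ok ($wuServer -eq $expectedServer)) `
        "Expected $expectedServer"
    New-Finding 'WUServer transport' $wuServer (Test-Ok ($wuServer -like 'https://*')) `
        'Plain HTTP lets a host on the network path alter update metadata'
    New-Finding 'WUStatusServer' $wuStatus (Test-Ok ($wuStatus -eq $wuServer)) `
        'Must be the same URL as WUServer'
    New-Finding 'DetectionFrequency' $freq (Test-Ok ($freqOn -eq 1 -and $freq -ge 1)) `
        'Update frequency in hours; only honored when DetectionFrequencyEnabled = 1'
    New-Finding 'AUOptions' $auOpt (Test-Ok ($auOpt -in 2, 3, 4, 5)) `
        'Installation mode; 4 uses the scheduled day and time below'
    New-Finding 'ScheduledInstallDay/Time' "$day / $hour" 'INFO' `
        'Only applies when AUOptions = 4'
    New-Finding 'NoAutoRebootWithLoggedOnUsers' $noReboot 'INFO' `
        '1 = no automatic restart while a user is logged on'
    New-Finding 'TargetGroup' $tgt (Test-Ok ($tgtOn -eq 1 -and $tgt -eq $expectedGroup)) `
        "Expected $expectedGroup; the WSUS server must also be set to use Group Policy for group assignment"
)

$findings | Format-Table -AutoSize -Wrap
```

Any row marked CHECK is a value that differs from what the policy was meant to deliver; running gpresult on the same machine shows which GPO, if any, is supplying it.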
WSUS Administration
You can use the WSUS Administration console to:
• Manage updates
• Configure computer groups
• View computer status
• View synchronization information
• Configure and view WSUS reports
• Configure WSUS settings and options
In Windows Server 2012, WSUS also includes Windows PowerShell cmdlets for administration
What Are Computer Groups?
• You can use computer groups to organize WSUS clients
• The default computer groups include:
  • All Computers
  • Unassigned Computers
• You can create custom computer groups to control how updates are applied
Approving Updates
• Updates can be approved automatically, but it is not recommended
• Updates should be tested before they are approved for production
• Updates can be declined if they are not needed
• Updates can be removed if they cause problems
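The guidance above amounts to a two-stage approval: approve for a test computer group first, then approve for production only after the update has installed cleanly there. The script below is an added example, not part of the original slides, built on the WSUS PowerShell cmdlets from Windows Server 2012 and the WSUS administration API objects they return; the two group names and the seven-day waiting period are assumptions.

```powershell
#Requires -Modules UpdateServices
# Added example: staged approval, test group first, production later.
# Run on the WSUS server. Group names and the waiting period are assumptions.
$testGroupName = 'Test clients'   # hypothetical custom group holding the test machines
$prodGroupName = 'Production'     # hypothetical custom group holding all other clients
$soakDays      = 7                # hypothetical waiting period before production approval

$wsus      = Get-WsusServer       # local WSUS server
$groups    = $wsus.GetComputerTargetGroups()
$testGroup = $groups | Where-Object { $_.Name -eq $testGroupName }
$prodGroup = $groups | Where-Object { $_.Name -eq $prodGroupName }
if (-not $testGroup -or -not $prodGroup) {
    throw 'Create both computer groups in the WSUS console before running this script.'
}

# Stage 1: security updates that clients need and nobody has approved yet
# go to the test group only. Add -WhatIf to preview without approving.
Get-WsusUpdate -UpdateServer $wsus -Classification Security `
               -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName $testGroupName

# Stage 2: promote updates that have been approved for the test group for
# at least $soakDays, installed on at least one test machine, and failed
# on none. CreationDate is compared in UTC (assumed to be how the WSUS
# API reports it).
$cutoff     = (Get-Date).ToUniversalTime().AddDays(-$soakDays)
$candidates = Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                             -Approval Approved -Status Any

$report = foreach ($item in $candidates) {
    $update = $item.Update

    # Earliest install approval for the test group, if any.
    $testApproval = @($update.GetUpdateApprovals($testGroup)) |
        Where-Object { $_.Action -eq 'Install' } |
        Sort-Object CreationDate |
        Select-Object -First 1
    if (-not $testApproval) { continue }

    # Skip updates that already carry an approval for production.
    if (@($update.GetUpdateApprovals($prodGroup)).Count -gt 0) { continue }

    $summary = $update.GetSummaryForComputerTargetGroup($testGroup)
    $soaked  = $testApproval.CreationDate -le $cutoff
    $clean   = ($summary.FailedCount -eq 0) -and ($summary.InstalledCount -gt 0)

    if ($soaked -and $clean) {
        Approve-WsusUpdate -Update $item -Action Install -TargetGroupName $prodGroupName
    }

    [pscustomobject]@{
        Title     = $update.Title
        TestSince = $testApproval.CreationDate
        Installed = $summary.InstalledCount
        Failed    = $summary.FailedCount
        Promoted  = ($soaked -and $clean)
    }
}

$report | Sort-Object Promoted, TestSince | Format-Table -AutoSize -Wrap
```

Updates that show failures on the test group stay unpromoted and appear in the report with Promoted set to False, which is the list to review before declining or removing anything.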
Module 4
Overview of System Center 2012 Configuration Manager
Overview of the System Center 2012 Family of Products
System Center Product / Usage
System Center 2012 App Controller
• Self-service access for private cloud and public cloud applications
System Center 2012 Configuration Manager
• Change and configuration management
System Center 2012 Data Protection Manager (DPM)
• Data protection for application servers
System Center 2012 Endpoint Protection
• Malware protection for client systems
System Center 2012 Operations Manager
• Monitor applications, services, and devices
System Center 2012 Orchestrator
• Automation of IT processes
• Integration with other management solutions
System Center 2012 Service Manager
• Integrated service desk
• Automation of IT processes
System Center 2012 Virtual Machine Manager
• Manage virtualized infrastructures
• Build private clouds
Overview of Configuration Manager 2012
[Figure: feature areas of Configuration Manager 2012. Labels: Deployment, Application Management, Software Update Management, Operating System Deployment, Content Management, Asset Management, Hardware and Software Inventory, Asset Intelligence, Software Metering, Remote Management, Reporting, Monitoring, Role-based Administration, NAP, Security, Endpoint Protection, Compliance Settings, Power Management, Compliance Management, Client Health]
Benefits of Implementing System Center 2012 Configuration Manager in an Organization
Key Benefits of Configuration Manager 2012
• Empower user productivity
  • Using the application catalog to allow users to request software when they need it
• Unify management and security infrastructure
  • Compliance settings allow you to ensure your clients are configured in a secure manner
• Simplify IT administration
  • Provides a unified infrastructure that gives a single pane of glass to manage physical, virtual, and mobile clients
Overview of the Configuration Manager 2012 Hierarchy
• Each site is identified by a unique 3-character code
• Central administration site can be used for reporting and management only
• Primary sites can only be parents of secondary sites
• Secondary sites now have their own database
[Figure: hierarchy with a central administration site, three primary sites and a secondary site, each with its own SQL database]
What Is a Central Administration Site?
A central administration site:
• Is required to use a multi-site hierarchy
• Must be the first site built if you use a multi-site hierarchy
• Is used for administration and reporting
• Requires a SQL database
• Does not process client data
• Does not support client assignment
• Has a limited number of site system roles
What Is a Primary Site?
Primary sites:
• Can be in a child relationship to a Central Administration site, which can only be set during installation
• Cannot be a child to another primary site
• Manage clients in well-connected networks
• Require a SQL database
• Replicate their data to a Central Administration site if part of a hierarchy
• Support client assignment
• Consist of one or more systems hosting various site system roles
To use Configuration Manager, you must have at least one primary site
What Is a Secondary Site?
A secondary site:
• Is optional
• Must be in a child relationship to a primary site, which is set in the secondary site during installation
• Is used when network bandwidth usage needs to be controlled
• Requires SQL Server Express or a SQL Server database to store configuration information
• Replicates its collected client data to its parent site using file-based replication
• Does not support client assignment
• Consists of one or more systems hosting various site system roles
Configuration Manager Site System Roles
Default Site System Roles
• Site server
• Site system
• Component site server
• Site database server
• SMS Provider – not displayed in the console
Optional Site System Roles
• Distribution point
• Management point
• Reporting services point
• Software update point
• State migration point
• Default site system roles are installed when System Center Configuration Manager setup is run
• Optional site system roles are added post installation to support specific features
How Data Flows and Replicates in a Hierarchy
Site data is operational information
Global data is configuration information
[Figure: central administration site, primary sites and secondary sites, linked by parent-child file-based replication and secondary-to-secondary file-based replication]
• SQL Replication is automatically configured at installation
• Secondary sites receive a subset of global data
• Secondary sites do not generate SQL data
The Configuration Manager Console Panes
[Figure: console layout showing the Ribbon, Workspaces, Navigation Pane, Results Pane and Preview Pane]
The Assets and Compliance Workspace
• Has nodes for the users and devices discovered in your hierarchy
• Has nodes for the collections used to organize the users and devices in your hierarchy
• Has other nodes that are used to monitor and manage the software and configuration settings on the client devices in the hierarchy
The Software Library Workspace
• Is split into three main nodes
  • Application Management is used to create and manage the software that will be deployed in your hierarchy
  • Software Updates is used to manage the updates for operating systems and software
  • Operating Systems is used to manage the operating systems being deployed through Configuration Manager
The Monitoring Workspace
• Centralizes all the features used to extract information from the database about the operations in your hierarchy
• Alerts are administrator-configurable and provide pop-ups in the management console
• Queries can find any information stored in the database
• Reporting helps provide management-friendly reports about the stored data
• The status-based nodes show information reported by clients and system processes about ongoing operations
The Administration Workspace
• Provides management capability for the Configuration Manager components
• Hierarchy configuration contains the settings for discovering users and devices in your hierarchy
• Site configuration contains the settings for the sites and the servers in the sites
• Security contains the settings for the security applied to your hierarchy
Using Console Organization Features
• Some nodes allow you to create folders
• Folders can be nested to create a hierarchy of objects
• Objects can only be in one folder
• Configuration Items, Baselines, Drivers, and Applications can be categorized
• Categories are not stored in a hierarchy
• Categories are used with the Search feature
• Objects can be tagged with multiple categories
Monitoring Site and Component Status
Overview of Status Message Queries
• You can view status messages sent to a site from client devices by using a status message query
• You can run default queries or create customized queries
Module 5
Deploying and Managing Software Updates
Module Overview
• Overview of Software Updates
• Preparing the Configuration Manager Site for Software Updates
• Managing Software Updates
• Configuring Automatic Deployment Rules
• Monitoring and Troubleshooting Software Updates
Lesson 1: Overview of Software Updates
• Overview of the Software Updates Feature
• Prerequisites for the Software Updates Feature
• The Software Update Point Site System Role
• Synchronizing the Software Update Catalog Metadata
• Scanning for Compliance
• Compliance States
• The Software Updates Deployment Process
Overview of the Software Updates Feature
The software updates feature scans, analyzes, and then deploys software updates to client computers
Configuration Manager supports the following:
• Seamless and flexible update deployment
• Internet-based client management
• Wake-On-LAN and power management support
• Enhanced monitoring and reporting
• Support for NAP
• System Center Updates Publisher
• Automatic deployment rules
Prerequisites for the Software Updates Feature
Prerequisites include:
• WSUS 3.0 SP2 or newer
• WSUS 3.0 Administration Console (SP2 or newer)
• Windows Update Agent 3.0 installed on clients
• Network Load Balancing (for >100,000 clients)
• Reporting services point
• Security permissions
The Software Update Point Site System Role
The software update point site system role works with WSUS for software update configuration and management
Deployment scenarios:
• Installation within a Configuration Manager hierarchy
• Deployment as an NLB cluster
• Configuration as an Internet-based software update point
• Installation as an active role in a secondary site
Synchronizing the Software Update Catalog Metadata
[Figure: three numbered synchronization steps between Microsoft Update, the WSUS server and WSUS database, the software update point, the site server and site database, the admin console, the management point and the distribution point]
Scanning for Compliance
[Figure: six numbered compliance scan steps between the managed computer and its WMI repository, the WSUS server and WSUS database, the software update point, the management point, the distribution point, the site server and site database, the admin console and reports]
Compliance States
Compliance states include:
• Required
• Not Required
• Installed
• Unknown
The Software Updates Deployment Process
[Figure: seven numbered deployment steps between the admin console, the site server and site database, Microsoft Update, the software updates local source, the distribution point, the management point and the managed computer]
Lesson 2: Preparing the Configuration Manager Site for Software Updates
• Installing the Software Update Point
• Configuring Software Updates Client Settings
• Software Update Client Actions
• Demonstration: Installing and Configuring the Software Update Point
Installing the Software Update Point
Install WSUS 3.0 SP2
• Choose to locally store updates
• Configure NLB if required
• Install the WSUS administration console on the site server if using a remote WSUS installation
• Choose between the default or custom website
Install the Software Update Point Site System
• Choose to create a new site system or modify an existing site system
• Provide the appropriate port configuration if a custom WSUS website is used
• Review SUPSetup.log for details
Configuring Software Updates Client Settings
The Software Updates section provides configuration options to enable software updates and configure settings on client computers
Software Update Client Actions
The Configuration Manager Properties dialog box provides actions to manually run evaluation and scan cycles
Managing Software Updates
• Methods for Determining Software Update Status
• What are Software Update Groups?
• Downloading Content and Distributing Deployment Packages
• Demonstration: Creating Software Update Groups and Deployment Packages
• Deploying Software Updates to Client Computers
• Demonstration: Deploying Software Updates
Methods for Determining Software Update Status
To identify when software updates are required:
• Sort, filter, or search the All Software Updates list
• Review Software Updates compliance reports
What Are Software Update Groups?
A software update group organizes multiple software updates into a single object
Advantages to using a software update group:
• Easier to track compliance status
• Provides a method to delegate software update administration
Downloading Content and Distributing Deployment Packages
Deployment packages are created by using the Download Software Updates Wizard
Wizard pages include:
• Deployment Package
• Distribution Points
• Distribution Settings
• Download Location
• Language Selection
Deploying Software Updates to Client Computers
To deploy software updates:
1. Provide the name and target collection
2. Specify the type of deployment (Required or Available)
3. Specify the schedule
4. Configure user notifications and restart behavior
5. Configure alert settings
6. Specify installation behavior based upon boundary connection type
What Are Automatic Deployment Rules?
Automatic Deployment Rules automate the process of:
• Selecting specific software updates based upon criteria
• Creating a software update group containing the updates
• Distributing the software updates content
• Deploying the software updates to clients
Process for Creating Automatic Deployment Rules
To create and configure an automatic deployment rule:
• Specify general settings such as the name, target collection, software update group, and enabling deployment
• Specify deployment settings such as Wake-On-LAN and detail level
• Define software update filters and search criteria
• Define the schedules for the evaluation and deployment
• Define the user experience and console alerts
• Specify how to run the program according to the type of boundary the client is connected to
• Specify deployment package settings
Monitoring Software Updates Deployments
Methods used to monitor the software update deployment process include:
• Alerts
• Monitoring workspace
• Status messages
Software Updates Reports
Report categories related to software updates include:
• Software Updates – A Compliance
• Software Updates – B Deployment Management
• Software Updates – C Deployment States
• Software Updates – D Scan
• Software Updates – E Troubleshooting
Module 6
Managing Operating System Deployments
Module Overview
• Overview of Operating System Deployment
• Preparing the Site for Operating System Deployment
• Capturing an Operating System Image
• Deploying an Operating System
What Is Operating System Deployment?
Operating system deployment refers to the combined technologies used to install a complete operating system to workstations and servers. You can include additional hardware drivers and software packages in an operating system deployment task sequence.
Operating system deployment includes the following:
• Operating system image capture
• User state migration
• Operating system image deployment
• Task sequences
• Windows® Automated Installation Kit (Windows AIK)
Operating System Deployment Terminology
Category: Image
• Boot image
• Operating system image
• Windows Image File Format (.wim)
Category: Task
• Task sequence step
• Task sequence group
• Task sequence
Category: Driver
• Windows device driver (or driver)
• Drivers node
• Driver package
Category: Computer
• Reference computer
• Source computer
• Target computer
• Unknown computer
Category: Other
• Operating system installer
• Preboot Execution Environment (PXE) Boot
• Windows PE
• Sysprep
Overview of Operating System Deployment Scenarios
The various methods that initiate an operating system deployment include:
• PXE
• Bootable media
• Stand-alone media
• Prestaged media
The operating system deployment scenarios include:
• Bare-metal installation
• In-place upgrade
• Operating system refresh
• Side-by-side migration
• Configuration Manager software distribution
Server Roles Used in Operating System Deployment Processes
[Figure labels: Primary Site, Management point, Distribution point, State migration point]
• Create image for installation and distribute to distribution point
• Create deployment for clients
• Uses existing client
• Creates an association with a new computer
• Client downloads policy from management point and uploads state information to state migration point
• New computer performs PXE boot from distribution point
• Client reads instructions from management point and installs operating system from distribution point
• Client downloads state information from state migration point
• Results reported to management point
Systems Used for a Side-by-side Migration
[Figure labels: Primary Site, Management point, Distribution point, State migration point]
• Create image for installation and distribute to distribution point
• Create deployment for clients
• Uses existing clients
• Client downloads policy from management point
• Client uploads state information to state migration point
• Client installs operating system from distribution point
• Client downloads state information from state migration point
• Results reported to management point
Systems Used for an In-place Upgrade
[Figure labels: Primary Site, Management point, Distribution point]
• Create image for installation and distribute to distribution point
• Create deployment for clients
• Uses existing clients
• Client downloads policy from management point
• Client installs operating system from distribution point
• Results reported to management point
Systems Used for an Operating System Refresh
[Figure labels: Primary Site, Management point, Distribution point]
• Create image for installation and distribute to distribution point
• Create deployment for clients
• Import computer information or enable unknown computer support
• Client performs a PXE boot from distribution point
• Client reads instructions from management point
• Client installs operating system from distribution point
• Results reported to management point
Systems Used for a Bare-Metal Installation
Prerequisites for Operating System Deployment
The prerequisites for operating system deployment are:
Prerequisite / Description
Primary site server
• Install the Windows AIK for Windows 7 to:
  • Install WinPE boot images
  • Install the Windows User State Migration Tool (USMT) 4.0
Distribution point
• Enabling PXE and/or Multicast support install the Windows Deployment Services (WDS) role
State migration point
• Supports User State Migration
DHCP
• Supports PXE and multicast
Firewalls need to allow PXE traffic
Drivers and Driver Packages
• You can import any Windows drivers
• You must add a driver to a driver package to use it
• You can enable or disable drivers
• You can categorize drivers
• You can add drivers to boot images
The Network Access account:
• Allows site-wide setting
• Is used to access distribution point during operating system deployment operations
• Must have read access to shares containing the images and the drivers node
Configuration Manager Settings and Component Requirements
The boot image properties include:
• Enable prestart command
  • Specify commands to run before the task sequence; for example, set a Task Sequence variable
  • Use to add files to boot image; for example, CMTrace
• Set custom background
• Enable command support to view logs
Preparing the Boot Images
Default x64 and x86 boot images based on Windows PE
You can import additional boot images
Operating System Images and Operating System Installers
There are two methods to store the operating system files that will be used for operating system deployment
Image file:
• Is typically used to deploy to target computers
• Is created from a reference computer
• Stores as a single .wim file, a compressed file format
• Can contain captured operating system images that include installed applications and patches
Installer package:
• Is typically used to build a reference computer
• Copies the installation media
• Does not compress the files
• Does not preinstall applications and patches in the operating system image
Additional Packages Used by Operating System Deployment
• The Configuration Manager client software
  • Is created by default during the Configuration Manager site installation; the name of the software is Configuration Manager Client Package
  • Is used in the Setup Windows and ConfigMgr task
• USMT package (optional package)
  • Is created by using the Create Package wizard
  • Can be used with a state migration point
• Application packages (optional)
  • Can be included in an operating system deployment task sequence
  • Must run in the local system context without user intervention
Configuring a Reference Computer
Regardless of the method used, the reference computer cannot be a member of a domain
Build method: Automated configuration
Advantages
• Unattended
• Reusable task sequence
• Task sequence can be modified
Disadvantages
• Time required to validate automated build
• Changes often require revalidation of entire build
• Effort involved in building packages such as the operating system install package
Build method: Manual configuration
Advantages
• Does not need to create a task sequence
• Can install directly from removable media
Disadvantages
• Depends on the administrator for accuracy
• Requires a test and verification method
• Cannot reuse the configuration method
• Requires active user involvement
Task Sequence Overview
A series of steps or tasks that are performed automatically
The following terms are used when describing task sequences:
• Action
• Built-in action
• Custom action
• Condition
• Step
• Group
Creating a Build and Capture Task Sequence
Some steps in the task sequence are not exposed in the wizard
Deploying a Build and Capture Task Sequence
When deploying a build and capture task sequence:
1. Determine whether you plan to use PXE boot or boot media; if using PXE boot, determine how PXE will respond by using the following options:
  • Enable unknown computer support
  • Import computer information
2. Determine the collection to use; options include:
  • All Unknown Computers
  • Administrator created collection
3. Use the Deploy Software Wizard to deploy the task sequence:
  • Select the Make available to boot media and PXE check box
Capturing a Reference Computer by Using Task Sequence Media
• Use capture media from within the reference computer to start the capture process
The Process for Deploying an Operating System Image
To deploy an operating system image, perform the following steps:
1. Import the operating system image metadata to Configuration Manager:
  • Import the information about the captured .wim file
2. Distribute the operating system image content to distribution points:
  • The content must be on a distribution point to be usable
3. Create the task sequence to install the operating system:
  • Select a deployment scenario
4. Deploy the task sequence:
  • Select an initiation method that is congruent with the chosen scenario
Adding an Operating System Image to Configuration Manager
• Before you can use an operating system image, the metadata must be imported into Configuration Manager
  • Includes information about the source location
• After the operating system metadata is imported, the operating system content can be distributed to a distribution point
  • Is copied from the source location to the distribution point
Content stored on a distribution point
Site database stores operating system image metadata
Operating system .wim file
Creating and Deploying a Task Sequence to Install an Existing Image
• Start the Create Task Sequence Wizard, and select the Install an existing image package option
• Complete the wizard with the appropriate information
• Modify the task sequence as necessary
• Start the Deploy Software Wizard and select the collection to deploy to
• Configure one or more distribution points for the task sequence
• Configure the deployment settings
Methods for Running the Installation Task Sequence
The methods for running the installation task sequence are:
• Configuration Manager deployment
  • Deploy to collection with existing clients
• PXE boot
  • Start the system and press the F12 key to start the PXE boot process
• Boot media
  • Create the boot media; CD/DVD set or USB flash drive with the files needed to start a system and connect to Configuration Manager
• Stand-alone media
  • Create the boot media, CD/DVD set, with all the files needed for operating system installation
• Prestaged media
  • Used by original equipment manufacturers (OEM) to prestage hard drives for new systems
Maintaining Updates for System Images
• Use the Update Operating System Image wizard to schedule updates to keep the images in your .wim file patched and current
Module 7
Managing Software Deployments
Module Overview
• Configuring Software Distribution
• Configuring Packages and Programs
• Distributing Content to Distribution Points
• Deploying Programs to Configuration Manager Clients
Benefits of Software Distribution
Software distribution helps reduce total cost of ownership for application deployment by:
• Eliminating the need to provide software CDs/DVDs and installation instructions to users
• Providing users the ability to install software without requiring administrative rights
• Allowing you to control how and when software is distributed to clients
• Offering a mechanism for running any executable or command on the client
Software distribution does not package the executables or source files to be delivered
Software Distribution Concepts
• Packages contain the files to be distributed
• Programs instruct the computer how to process the package
• Package definition files automate the creation of packages and programs
• Distribution points store packages for distribution to clients
• Access accounts are used to manage permissions
• Deployments instruct members of a collection to access a package and run one of the package’s programs
Diagram labels: Source Media; “setup exe /silent /unattended”; Package Definition Files; Packages containing files to be distributed; Programs; Distribution Points; Target Collections; Deployments
The Software Distribution Process
1. Prepare site for software distribution
2. Create software distribution objects
3. Client runs deployed programs and returns status
4. Monitor and troubleshoot software distribution
Diagram labels: Distribution point; Management point; Client
Site Configuration Tasks for Software Deployment
Site configuration tasks may include configuring:
• Software Distribution Component to specify concurrent distribution settings
• Client Settings such as:
  • Client policy polling interval
  • Notification settings
  • State message reporting
• Distribution point and content management settings
• Network Access Account
Package Configuration Options
To create a package, use the Create Package and Program Wizard to specify:
• Package: General and data source information
• Program Type: Standard program, Program for device, and Do not create a program
• Standard program\Program for device: Name, Command Line, and Run options
• Requirements: Run another program first, Platform Requirements, Estimated disk space, and Maximum allowed run time
To create a package and programs from a package definition file, use the Create Package from Definition Wizard
Program Configuration Options
To create a program:
• Specify a unique name for the program
• Specify the command line
• Define the requirements
• Define the environment
• Define the advanced settings
• Specify the Windows Installer product information
• Specify the OpsMgr Maintenance Mode settings
Process for Installing and Configuring a Distribution Point
To install a distribution point:
1. Provide the name and site code
2. Select the Distribution point system role
3. On the Distribution Point page, configure communication settings
4. Configure locations for the content library and package share
5. Configure PXE and Multicast settings
6. Configure a Content Validation schedule, if required
7. Configure Boundary Group associations
Monitoring Distribution Point Configuration Status
Methods to monitor distribution point status include:
• Distribution Manager component Distmgr.log
• Smsdpprov.log
• Distribution Point Configuration Status
Content Management Tasks for Distribution Points
Content management tasks include:
• Updating content on distribution points
• Redistributing, validating, or removing content
• Prestaging content on distribution points
• Distributing content to distribution points
Monitoring Content Status
Methods to monitor content distribution include:
• Package Transfer Manager PkgXferMgr.log
• Software Distribution – Content reports
• Content status
Configuring Program Deployments
To create and configure a deployment:
• Specify the program and target collection
• Verify content destination
• Define deployment settings such as Purpose and Priority
• Define the schedule for the deployment
• Define the user experience
• Specify how to run the program according to the type of boundary the client is connected to
How Clients Run Deployments
Method | Description
Available | Users choose when to run the deployed program
Required | Program is run after an event (for example, on logon or logoff, or at a specific date and time)
One method to manually run an available program:
• From the Start menu, run Software Center
Download content from distribution point and run locally: Client uses BITS to download the package and then runs the program locally.
Run program from distribution point: Client uses SMB to download the package.
Monitoring Software Deployment Status
Methods to monitor software deployment include:
• Software Distribution – Packages and Program Deployment
• Deployment status
• Software Distribution – Packages and Program Deployment Status
Module 8
Creating and Deploying Applications
Module Overview
• Overview of Application Management
• Creating Applications
• Deploying Applications
• Configuring the Application Catalog
Overview of the Configuration Manager Application Model
The Configuration Manager application model is user centric
For Example: When deploying an application to a user
• Application is installed locally on a computer with affinity relationship
• When the user logs on to another computer, the application, installed as a virtual application, follows the user
• When the user logs off, the virtual application is not retained
Applications vs. Packages
• Applications:
  • Contain extensive information about the software
  • Can use multiple deployment types; the deployment type used is determined by rules at run time
• Packages:
  • Contain limited information about the software
  • Can use multiple programs, and the one to deploy has to be specified at the time of deployment
Prerequisites for the Application Catalog
• The server role requirements for application management include:
Server Role | If Required | Description
Management point | Required | Clients download policy and content location information and upload state messages
Distribution point | Required | Clients download deployed content from the distribution point
Application Catalog website point | Optional | Provides users with a list of available software
Application Catalog web service point | Optional | Provides information from Software Library to the Application Catalog website
Reporting services point | Optional | Used for reporting on application management tasks
• The client system requirements for application management include:
  • App-V 4.6 SP1 or later if deploying App-V deployment types
Deployment Types
The Create Application Wizard presents you with the following deployment types when creating an application:
• Windows Installer (Native)
• Microsoft Application Virtualization
• Windows Mobile Cabinet
• Nokia (SIS or SISx files)
The Create Deployment Type Wizard presents you with the following deployment type in addition to the other deployment types:
• Script Installer (Native)
Application Management Features
Deployment action and purpose:
• Specify the deployment action as Install or Uninstall
• Specify the purpose as Available or Required
Global conditions:
• Are configured in the Global Conditions node or through a deployment type when creating a custom requirement rule
• Are used as the basis for requirement rules
Requirement rules:
• Require that client devices match requirements
• Are configured on a deployment type and only apply to that deployment type
User device affinity:
• You can associate users with a specific device or multiple devices
What Is Software Center?
Software Center is the users’ default interface for managing software deployments that have been deployed to the computer as Available
• Users can install software that was:
  • Deployed as Required and has not reached the deadline
  • Deployed as Available to a device-based collection of which the system is a member
• Users can configure personal settings such as
  • Business hours
  • Work days
The Application Catalog
The Application Catalog is an optional website that provides users with advanced features for software management
Client Settings for Application Management
The Computer Agent settings control many aspects of application management
The User and Device Affinity settings control the:
• Automatic affinity assignment settings
• User defined affinity
The Software Deployment settings control how often deployments are re-evaluated
Lesson 2: Creating Applications
• Creating an Application by Using Automatically Detected Settings
• Demonstration: Creating an Application from an MSI file
• Creating Applications Manually
• Creating Deployment Types Manually
• What Is a Detection Method?
• Overview of User Experience Settings
• Demonstration: Creating an Application and a Deployment Type Manually
Creating an Application by Using Automatically Detected Settings
• Use the Create Application Wizard to create a new application; when using the automatic configuration, only some properties are configured
• Modify the application after creation to set Application Catalog properties and other settings
• Modify the deployment type to add requirement rules
Creating Applications Manually
• Application information is entered manually on the General page
• Application Catalog and Deployment types pages appear in the wizard only when manually creating applications
• Deployment types can also be created manually or automatically
Creating Deployment Types Manually
You can add a deployment type by using the automatic method or the manual method
When manually creating a deployment type:
• On the General Information page, you must supply a name
• On the Content page, you must provide the installation command line
• On the Detection Method page, you must specify a detection method for the deployment type
• On the User Experience page, there are no mandatory fields
What Is a Detection Method?
A procedure that enables the deployment process to determine whether or not an application is already present on a system
Detection methods:
• Perform evaluation before an application installs
• Are evaluated periodically on the client to detect uninstalled applications
• Can examine the registry, file system, and Windows Installer database
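The three evidence sources a detection method can examine, combined in one check. This is an added example, not code from the course material; the product name, version, product code and file path are constructed placeholders.

```powershell
# Added illustration of detection-method logic. Every product detail below is
# a constructed placeholder, not a value from the course material.
$ProductName    = 'Contoso Viewer'
$MinimumVersion = [version]'2.1.0'
$ProductCode    = '{00000000-0000-0000-0000-000000000000}'
$MainExecutable = Join-Path $env:ProgramFiles 'Contoso\Viewer\viewer.exe'

function Test-RegistryEvidence {
    param([string]$Name, [version]$MinVersion)
    # Machine-wide uninstall keys, native and 32-bit views. HKLM is writable
    # only by administrators, so a standard user cannot plant this evidence.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($entry in @(Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue)) {
        if ($entry.DisplayName -ne $Name) { continue }
        try   { $found = [version]$entry.DisplayVersion }
        catch { continue }   # unparsable version string: not usable as evidence
        if ($null -ne $found -and $found -ge $MinVersion) { return $true }
    }
    return $false
}

function Test-FileEvidence {
    param([string]$Path, [version]$MinVersion)
    # Presence alone is weak evidence; also compare the embedded file version.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $fileVersion = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    return ($fileVersion -ge $MinVersion)
}

function Test-WindowsInstallerEvidence {
    param([string]$Code)
    # Installer.ProductState returns 5 (msiInstallStateDefault) when the
    # product is installed for the machine or the current user.
    try {
        $installer = New-Object -ComObject WindowsInstaller.Installer
        $state = $installer.GetType().InvokeMember(
            'ProductState', [System.Reflection.BindingFlags]::GetProperty,
            $null, $installer, @($Code))
        return ($state -eq 5)
    }
    catch { return $false }
}

$registryOk  = Test-RegistryEvidence -Name $ProductName -MinVersion $MinimumVersion
$fileOk      = Test-FileEvidence -Path $MainExecutable -MinVersion $MinimumVersion
$installerOk = Test-WindowsInstallerEvidence -Code $ProductCode

# Diagnostics go to the verbose stream so they never count as detection output.
Write-Verbose "registry=$registryOk file=$fileOk installer=$installerOk"

# This example requires all three sources to agree. Printing a line signals
# "installed" and printing nothing signals "not installed", which is the
# convention Configuration Manager uses for script-based detection.
if ($registryOk -and $fileOk -and $installerOk) {
    Write-Output "Detected $ProductName $MinimumVersion or later"
}
```

Evidence in user-writable locations (HKCU, the user profile) lets a standard user make an application appear installed, so the checks above read only machine-wide locations.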
Overview of User Experience Settings
User Experience Settings control what the user is allowed to view and do when the deployment type is used
By default, reboots are controlled by the return codes
Determines if application must complete without user interaction
Shows or hides the application
Logon requirement depends on the target
Lesson 3: Deploying Applications
• Deploying an Application to a User or a Device
• The Process for Deploying Applications
• Demonstration: Distributing Content to Distribution Points
• Options for Deploying Applications
• Demonstration: Deploying an Application
• Monitoring Application Deployment
Deploying an Application to a User or a Device
You can deploy applications to users or devices
• If you deploy an application to users, the application shortcuts are only created for the targeted users regardless of who logs on to the system
• If you deploy the application to a system, the application is installed for all users of the system
The Process for Deploying Applications
The process for deploying an application is as follows:
• An administrator creates a new application and distributes the content to a distribution point
• An administrator creates a deployment for the application
• The client system checks for policy updates
• The client system contacts the management point for content location
• The client system downloads the content from the distribution point and installs the application
Diagram labels: Site server in a primary site; Management point; Distribution point
Options for Deploying Applications
When deploying applications, you can:
• Target a user or device collection
• Specify an action:
  • Install or Uninstall
• Specify a purpose:
  • Required or Available
• Specify a schedule:
  • Available Time in UTC or local
  • Installation Deadline can be UTC or local; default is As soon as possible
Monitoring Application Deployment
In the Monitoring workspace, under the Deployments node, there is an object for each deployment
Each state category can have subcategories
All devices send state messages about deployments that have run locally regardless of whether they were deployed to the device or the user
Lesson 4: Configuring the Application Catalog
• Overview of the Application Catalog
• System Roles Required for the Application Catalog
• Demonstration: Installing the Application Catalog System Roles
• Making Applications Appear in the Application Catalog
• Demonstration: Deploying and Requesting Applications in the Application Catalog
Overview of the Application Catalog
With the Application Catalog, users can:
• Install software that was deployed as Available to a user-based collection
• Request software that was deployed as Available to a user-based collection; but this requires administrator approval for installation
• Specify systems as their primary devices
• Wipe their mobile devices
Application Catalog consists of two roles:
• Application Catalog website point
  • Users connect to this role
• Application Catalog web service point
  • Supports the website point
System Roles Required for the Application Catalog
• Install the roles on a Web Server with a certificate to provide HTTPS support
• Customize the Application Catalog website point with:
  • Organization name
  • Theme color
Diagram labels: Site server in a primary site; Application Catalog website points; Application Catalog web service points; HTTP or HTTPS; HTTPS only; Intranet Client; Internet Client
Making Applications Appear in the Application Catalog
• To deploy applications through the Application Catalog, deploy the application to user-based collections with the purpose set as Available; users can then request the applications from the Application Catalog
• To require administrator approval for a user’s request for an application, select the Require administrator approval if users request this application check box
Configuring Requirements and Dependencies for Deployment Types
• What Are Global Conditions?
• Demonstration: Creating a Global Condition
• What Are Requirement Rules?
• Categories for Requirement Rules
• Demonstration: Adding a Device Requirement
• Dependencies for Deployment Types
What Are Global Conditions?
Global conditions:
• Define conditions to be tested
• Can be used in multiple deployment types and across multiple applications
• Allow you to customize the settings you use to determine whether a deployment type is available to a user or device
• Vary between Windows devices, Windows Mobile devices, and Nokia devices
Some global conditions available for Windows Devices are:
Setting Type | Description
Active Directory query | You can use this type to construct a query to find values in AD DS
File system | You can use this type to specify a file or folder to assess for compliance on computers
Registry key | You can use this type to specify a registry key to assess for compliance on computers
Registry value | You can use this type to specify a registry value to assess for compliance on computers
What Are Requirement Rules?
• Requirement rules specify the conditions that must be met before an application can be installed
• Requirement rules are defined in a deployment type
• When a deployment type is evaluated, the requirement rule must be satisfied to be run or made available
• Requirement rules can be created for many different reasons such as:
  • Hardware requirements
  • Drive space requirements
• Meets requirements?
Categories for Requirement Rules
Requirement Rules:
• Are classified based on the types of settings they are used to evaluate
• In general, there are two ways to evaluate a rule
  • Value. A value based rule allows you to specify a value and an operator to use for comparison
  • Existential. An existential based rule checks the existence of the specified condition
The categories and some example Requirement Rules:
Category | Conditions | Operators | Possible Values
Custom | Administrator created | Varies | Varies
User | Primary Device | Equals | True, False
Device | Active Directory site | One of, None of | One or more Active Directory site(s)
Dependencies for Deployment Types
• Dependencies are defined on a deployment type
• Dependencies allow you to ensure that application requirements can be enforced or remediated
• Dependencies define the application deployment types that must be installed before the deployed deployment type can be installed
• After the dependencies are fulfilled, the application will install
• Dependent applications can be configured to install automatically
Configuring Multiple Deployment Types and User Device Affinity
• Reasons for Implementing Multiple Deployment Types
• The Process for Creating Multiple Deployment Types
• What Is a Simulated Deployment?
• What Is User Device Affinity?
• Methods for Configuring User Device Affinity
• Demonstration: Configuring User Device Affinity
Reasons for Implementing Multiple Deployment Types
• Using multiple deployment types lets you customize the installation based on the target computer
• The deployment type is determined by requirements and priority of deployment types
• For example
  • One deployment type locally installs the application on a desktop computer
  • A different deployment type installs the application as a virtual application on a laptop
The Process for Creating Multiple Deployment Types
Automatic Deployment Type Creation
• Information is imported from an installation file
  • Name
  • Installation program
  • Installation behavior
  • Detection method
  • Uninstall program
• Optional information:
  • Requirements
  • Dependencies
  • Additional information
Manual Deployment Type Creation
• You must provide all required information
  • Name
  • Installation program
  • Detection method
• Optional information
  • Installation behavior
  • Uninstall program
  • Requirements
  • Dependencies
  • Additional information
What Is a Simulated Deployment?
Simulated deployment allows you to test a deployment without distributing files
The status shows you the number of systems that would have attempted to install a deployment type and which one it would have attempted to use for the installation
The results of the simulation are found in the Monitoring workspace under the Deployments node with other deployments
The status also shows which systems did not meet the requirements such as detection rules and dependencies including the requirements they did not meet
Deploy to device collections for best results when using device based requirements
A simulated deployment is treated like a normal deployment for evaluation purposes
What Is User Device Affinity?
• User device affinity allows a user to be associated with a device
• Users can have an affinity with multiple devices
• User device affinity can be used as a requirement in an application so that applications are automatically installed on users’ systems if the system meets any other requirement rules
• When a user accesses a device without an affinity relationship:
• Applications could be configured not to install
• Applications could use a different deployment type such as deploying a virtualized application
Methods for Configuring User Device Affinity
• Client Settings:
  • If Automatically configure user device affinity from user data is set to False, the usage data is still recorded and administrators can approve or deny the request for relationship
  • If Allow user to define their primary devices is set to True, users use Application Catalog to set the UDA relationship
Managing Applications
• What Is Application Revision History?
• Retiring Applications
• Uninstalling Applications
• What Is Application Supersedence?
• Demonstration: Configuring Application Supersedence
What Is Application Revision History?
• Whenever an application is modified, the changes are tracked and stored in the Configuration Manager database
• You can view a previous version using the View button
• You can restore previous versions of an application if you need to
• Restoring a previous version creates a new revision of the application
Retiring Applications
• You cannot create new deployments with retired applications
• You cannot modify a retired application
• You can reinstate a retired application at any time
Uninstalling Applications
• You can uninstall an application by creating a deployment with the uninstall action
• An uninstall will not execute if the client is the target of a deployment with the install action
What is Application Supersedence?
• Application supersedence allows you to specify an upgrade path for applications
• When you configure application supersedence, the old application is no longer available
• You can leave the old application on the system, upgrade it, or completely uninstall it
• You can view the relationships with the View Relationships button in the ribbon
Module 9
Managing Compliance Settings
Overview of Compliance Settings
• Introduction to Compliance Settings
• What Are Configuration Items?
• What Are Configuration Baselines?
• What Are Configuration Packs?
• The Process for Deploying Compliance Settings
• Scenarios for Using Compliance Settings
Introduction to Compliance Settings
Compliance settings:
• Provide an interface to monitor client configuration and remediate noncompliant settings
• Can be used for business requirements such as:
  • Verifying configuration of devices
  • Identifying compliance issues
  • Reporting compliance for regulatory reasons
What Are Configuration Items?
Configuration items define one or more settings that you wish to assess for compliance
In a configuration item, you can:
• Specify the compliance rule
• Define the severity levels for noncompliance
• Specify remediation, if supported
A child configuration item is a linked copy of a parent configuration item
An administrator cannot edit copied settings but can add additional settings
What Are Configuration Baselines?
A configuration baseline is a group of configuration items
Configuration baselines:
• Can contain:
  • Configuration items
  • Software updates
  • Other configuration baselines
• Can be configured for remediation
• Are deployed to collections
• Use a default schedule for evaluations; you can customize the schedule
• You can deploy multiple configuration baselines to a single collection
What Are Configuration Packs?
Configuration packs are preconfigured configuration items or configuration baselines
You can import configuration packs from:
• Microsoft or third-party sources that define best practices
• Online communities on the Internet
• Custom configuration baselines from your organization
• Another Configuration Manager site
• Microsoft System Center Management Pack Catalog
• Existing Configuration Manager 2007 Packs
The Process for Deploying Compliance Settings
1. Configuration items imported or created
2. Configuration baseline imported or created
3. Configuration baseline deployed
4. Configuration baseline downloaded with policy
5. Evaluation run on schedule
6. Compliance state messages sent from the client
7. Compliance reports are run
Diagram labels: Configuration Management Packs; Configuration Baseline; Configuration Manager Server; Configuration Manager Database; Managed Client; Compliance data stored in database
Scenarios for Using Compliance Settings
The Compliance Settings feature can help you solve different kinds of issues such as:
• To find misconfigured systems, you can:
  1. Download best practice baseline
  2. Evaluate systems against best practices
  3. Remediate identified issues
• To remediate noncompliance of settings, you can:
  1. Configure compliance checking
  2. Create configuration items for autoremediation of settings
  3. Configure applications with requirements rules and dependencies
Configuring Client Settings to Support Compliance
• Default settings allow you to:
  • Enable or disable compliance evaluation
  • Configure the schedule
• Custom settings allow you only to:
  • Enable or disable compliance evaluation
Creating Configuration Items
• Specify a name and description for the configuration item
• Specify the type of configuration item:
  • Windows clients
  • Mobile devices
• Specify all or specific versions of supported clients
• Create settings that need to be monitored
• Create compliance rules for the configuration item
Types of Configuration Item Settings
There are 10 setting types for Windows configuration items:
The mobile device setting groups include:
The operators in a compliance rule: Equals, Not equal to, Greater than, Greater than or equal to, Less than, Less than or equal to, Between, One of or None of.
Configuring Remediation
• Remediation is only available for the following settings:
  • Registry values
  • Scripts
  • WMI Query Language (WQL) Query configuration items
  • All mobile phones
• For remediation to occur, you need to configure remediation on both the configuration item and the deployment
• Remediation can be in the form of:
  • Create the value if it doesn’t exist
  • Set the value if it exists but is not compliant
  • Run a remediation script
  • Set the value for the phone settings if supported
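How a compliance rule and its remediation fit together for a registry value, using the operators listed above. This is an added example, not code from the course material; the key path, value name and threshold are constructed placeholders, and treating Between as inclusive and a missing value as noncompliant are assumptions of the example.

```powershell
# Added illustration. Key path, value name and threshold are constructed
# placeholders; HKCU is used only so the demo runs without elevation.
$KeyPath   = 'HKCU:\Software\ContosoDemo\Baseline'
$ValueName = 'IdleLockSeconds'
$Rule      = @{ Operator = 'Less than or equal to'; Expected = @(900) }
$RemediationValue      = 900
$RemediateOnItem       = $true   # remediation enabled on the configuration item
$RemediateOnDeployment = $true   # remediation enabled on the deployment

function Get-SettingValue {
    param([string]$Path, [string]$Name)
    # Discovery: return the current value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ComplianceRule {
    param($Actual, [string]$Operator, [object[]]$Expected)
    if ($null -eq $Actual) { return $false }   # assumption: missing means noncompliant
    switch ($Operator) {
        'Equals'                   { return $Actual -eq $Expected[0] }
        'Not equal to'             { return $Actual -ne $Expected[0] }
        'Greater than'             { return $Actual -gt $Expected[0] }
        'Greater than or equal to' { return $Actual -ge $Expected[0] }
        'Less than'                { return $Actual -lt $Expected[0] }
        'Less than or equal to'    { return $Actual -le $Expected[0] }
        'Between'                  { return ($Actual -ge $Expected[0]) -and ($Actual -le $Expected[1]) }
        'One of'                   { return $Expected -contains $Actual }
        'None of'                  { return -not ($Expected -contains $Actual) }
        default                    { throw "Unknown operator: $Operator" }
    }
}

function Set-SettingValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Covers both remediation forms: create the value if it does not exist,
    # or overwrite it if it exists but is not compliant.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$before     = Get-SettingValue -Path $KeyPath -Name $ValueName
$compliant  = Test-ComplianceRule -Actual $before -Operator $Rule.Operator -Expected $Rule.Expected
$remediated = $false

# Remediation runs only when it is enabled in both places.
if (-not $compliant -and $RemediateOnItem -and $RemediateOnDeployment) {
    Set-SettingValue -Path $KeyPath -Name $ValueName -Value $RemediationValue
    $after      = Get-SettingValue -Path $KeyPath -Name $ValueName
    $compliant  = Test-ComplianceRule -Actual $after -Operator $Rule.Operator -Expected $Rule.Expected
    $remediated = $true
}

# Report the outcome the way a state message would summarize it.
New-Object psobject -Property @{
    Setting    = "$KeyPath\$ValueName"
    Before     = $before
    Remediated = $remediated
    Compliant  = $compliant
}
```

Setting either remediation flag to `$false` leaves the value untouched and reports it as noncompliant, which is the monitor-only behavior.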
Creating Configuration Baselines
Create a configuration baseline in one of the following ways:
• Use the Create Configuration Baseline dialog box (most common method)
• Import configuration data
• Copy an existing configuration baseline
Deploying Configuration Baselines
• Use the default schedule as in the Client Agent settings or create a custom schedule
• Select this option to allow configuration items with remediation enabled to apply the appropriate remediation action
• Select the user or device collection in which this baseline will be deployed
Viewing Compliance in the Configuration Manager Client
You can perform the following actions on the Configurations tab:
• Evaluate. This option causes the selected baseline to be evaluated on demand
• View Report. This option generates a report of the selected baseline if you have local administrator rights
• Refresh. This option causes the view to be refreshed
Viewing Compliance Results in the Configuration Manager Console
You can use the compliance results reported by the client for:
• Monitoring. View and monitor results in the Deployments node
• Creating collections. Create collections by using the compliance state of configuration items
• Viewing reports. There are several reports for viewing compliance results