Using SCCM to Migrate to Windows 7

Brought to you by Windows IT Pro

Mel Beckman

sponsored by Windows IT Pro

Tech Advisor Windows IT Pro | p. 2

Contents

Preflight checklist for SCCM Windows 7 Deployment
SCCM Windows Deployment Tip: Using USB Installation Media
SCCM Windows Deployment Tip: Use a Key Management Server
SCCM 2007 SP2 required for Windows 7/2008 OS Deployment
DirectAccess gives Internet-based SCCM clients seamless remote control
Create a Windows 7-based WinPE compatible with SCCM
Deploy Microsoft App-V even if App-V Isn't in Base OS Image
Windows Intune Limitations Compared to SCCM
Windows 7 BranchCache Shares Files Between Peers on a Subnet
Windows 7 boosts SCCM BDP Connections from 10 to 20
Next version of SCCM embraces Role Based Access Control and BranchCache


Preflight checklist for SCCM Windows 7 Deployment
By Mel Beckman

Whether you're migrating to Windows 7 or deploying it green field, you'll want to use SCCM 2007's Operating System Deployment (OSD) tools to install a customized Windows 7 for your environment. SCCM 2007's capture-and-deploy process lets you deploy Windows 7 in massive quantities with no intervention: a totally touch-free installation! To pull that off, however, you'll need to follow this preflight checklist, which outlines the steps required for setting up capture-and-deploy, and prepositions you for pushing Windows 7 to new machines or upgrading existing ones.

If you're like most of us, you won't be performing this process frequently, perhaps once or twice a year. So keep a log of what you've done for future reference; you'll thank yourself later!

1. Create a provisioning account. Microsoft's best practice for SCCM OSD is to always use a separate account for provisioning, rather than using your administrator account. So create a dedicated account in Active Directory to use only for SCCM OS deployment processes. Grant the provisioning account the following rights:

Access rights to the Active Directory OU(s) that will contain the computer account objects
Add rights for resource objects to the SCCM database
Read rights to the location where the OS image files (.WIMs) will be stored

As part of this step, you'll also want to create a folder to hold OS image files, for example C:\CapturedOSimages, and share this folder out. It will be used to receive the final OS image.

2. Create a reference machine. You need a piece of real hardware to host a template Windows 7 installation customized to your taste. This can be any old machine (a cast-off laptop, a maintenance spare, whatever) that is capable of running Windows 7. Of course, the faster the hardware, the less time you'll spend in the reference machine build process, so don't scrimp on CPU speed and memory if you don't have to. The machine should be 64-bit capable, so that you can create both 32-bit and 64-bit Windows 7 templates. We all have a few 32-bit-only applications that keep us chained to the smaller bit size.

The creation process is simple: install Windows 7, apply all Windows updates (which may take several iterations), and apply optional Windows updates, such as .NET 4, that may be required for your environment. Any Windows IT admin worth his or her salt knows this drill. A couple of tips: (1) use USB installation media (see the detailed article following this one), and (2) avoid adding any device-specific Windows updates, such as new sound card drivers and the like. You want this Windows 7 installation to be as clean as possible. You'll add drivers later; this Windows 7 installation is just a template for further customization.

3. Customize the reference machine. You're now ready to put the tune on your reference installation. Log into your newly minted Windows 7 box, go to Control Panel->Programs->Turn Windows Features On or Off and activate additional components, such as SNMP or Telnet, needed for your environment. Make sure the machine stays in a workgroup and does not join your domain, and leave the administrator account password blank. Setting an administrator password needlessly complicates subsequent steps.

If you need to configure any regional settings, do that now as well. Go to Control Panel->Clock, Language, and Region, and set your time zone, date and time format (such as 24-hour time), and any language customizations you desire. You could also install some common default applications at this point, such as Adobe Acrobat Reader. But it's better to hold off on those; you'll be happier having SCCM manage applications separately from the OSD image. Separating application installation also means you won't have to re-image should a critical update be needed for those apps.

4. Create USB capture media. The USB capture media is just a USB key, with only a few hundred K capacity, containing the runtime code and script that performs the image capture, pushing the image to the share you created in Checklist Item 1. You'll run it later on the reference machine and stand back; the capture process is fully automated. In SCCM, navigate to SCCM Computer Management->Operating System Deployment->Task Sequences->Create Task Sequence Media. Select your USB key and then unmount it at completion.

5. Perform the image capture. Insert the USB key in the reference machine and run the .exe it contains. The reference machine will execute the task sequence stored on the key, reboot, and start the capture process. It will boot into WinPE, change to the Out of Box Experience (OOBE), then transfer the image to the SCCM server share as a .WIM (Windows Image) file. You'll be prompted to enter a few values, including the destination share for the image. The whole process takes less than 15 minutes on an uncongested gigabit network.

6. Import the captured image into SCCM. You've finished build-and-capture. Now you're ready to prep SCCM for deployment. Navigate to SCCM Computer Management->Operating System Deployment->Operating System Images, and select Add an Operating System Image. Choose the .WIM file from the build-and-capture folder, and SCCM will import it. You're now ready for deployment.

For many shops, you can deploy the image as-is. Some client platforms, however, may require special drivers for non-generic NIC, disk, and video hardware. If that's the case, you'll need to add drivers to your deployment process, which is its own complex topic outside the scope of this preflight checklist. A great source for guidance is Hayes Jupe's blog entry SCCM OSD Driver best practices:

    http://hayesjupe.wordpress.com/sccm-osd-driver-best-practices

You're now ready to begin the deployment process best suited to your needs, which involves creating a task sequence and advertising it, and selecting various installation or migration options.

SCCM Windows Deployment Tip: Using USB Installation Media
By Mel Beckman

Although you can build a reference machine the old-fashioned way, using CD or DVD installation media, installing Windows 7 using USB bootable media is way faster. Create one USB thumb drive for 32-bit, one for 64-bit. The process is straightforward and well documented; the steps are laid out in Paul Thurrott's excellent article Install Windows 7 With a USB Memory Key:

http://www.winsupersite.com/article/windows-7/install-windows-7-with-a-usb-memory-key

    USB installation is many times faster than disc-based installs because the media itself has no moving parts. Youre essentially installing at system memory speed.

SCCM Windows Deployment Tip: Use a Key Management Server
By Mel Beckman

Windows 7 has two kinds of Enterprise product keys: the Multiple Activation Key (MAK), which hard-codes the license key on the destination machine and will never require re-activation, and the Key Management System (KMS) key. Using a MAK key requires running through the manual activation process, which is a touch to the workstation for you, or a pain in the neck for the user. If you forget to perform the activation, a user logging in as non-administrator won't be able to perform that step. You've then created a time bomb: The computer will shut down at some future date, demanding activation, causing user heartburn and you tech support pain.

Instead, it's better to deploy a Key Management Server in your organization and use the KMS license method. Setting up a KMS is trivial and widely documented; Microsoft even has a movie illustrating the process (http://tinyurl.com/kmsmovie).

You need not run the KMS on an actual server; it's simple to run even on a Windows 7 client box. Once the server is up and running, all future Win7 machines will find it on your network automatically and self-activate, even without Internet access. A bonus security feature of KMS is that the Win7 clients must reactivate with the KMS every few months, which automatically limits the usability of lost or stolen computers. In a shared virtualization (e.g., private cloud) environment, KMS also prevents cloud users from absconding with your Windows licenses by dint of copying its VHD.

SCCM 2007 SP2 required for Windows 7/2008 OS Deployment
By John Savill

    Q. What versions of System Center Configuration Manager (SCCM) 2007 support Windows 7 and Windows Server 2008 R2 SP1?

    A. On March 24, 2011, Microsoft announced that SCCM 2007 SP2, R2, and R3 all support Windows 7 SP1 and Windows Server 2008 R2 SP1 operating systems for client installation. This includes deployment of these OSes and hosting of roles and consoles where supported by the OS. This announcement on TechNet (http://tinyurl.com/sccmwin7) provides full details, along with two updates required for full SP1 support.

DirectAccess gives Internet-based SCCM clients seamless remote control
By John Savill

Q. All my System Center Configuration Manager (SCCM) Internet-based clients are running Windows 7 and are DirectAccess enabled. Do I still need to use the SCCM Internet-Based Client Management feature?

A. The Internet-Based Client Management feature of SCCM allows clients that are connected to the Internet without a VPN connection into the corporate network to be managed by SCCM, using certificates to protect the communications. Certain SCCM features aren't supported when using the Internet-based management features, including Remote Control, OS Deployment, and Network Access Protection.

DirectAccess lets clients connected to the Internet have full connectivity to corporate resources and also allows corporate infrastructure services, including SCCM, to have access to the Internet-based machines. With DirectAccess, clients on the Internet are treated as though they're still on the corporate network, and therefore SCCM can manage them as such. So if all your Internet clients are DirectAccess enabled, you're not required to use SCCM Internet-Based Client Management. Because the clients are treated as if they're on the corporate network, certain features (such as Remote Control) that aren't available for SCCM Internet-Based Client Management computers will be available when you use DirectAccess. Note that OS Deployment still won't function, because DirectAccess relies on certificates and domain membership, and those won't be available on a newly deployed OS.

Here's a great Microsoft blog entry that goes into more detail on DirectAccess and SCCM: http://tinyurl.com/sccmdirectaccess.

Create a Windows 7-based WinPE compatible with SCCM
By John Savill

Q. How can I create a Windows 7-based Windows Preinstallation Environment (WinPE) that's compatible with System Center Configuration Manager (SCCM)?

A. SCCM 2007 comes with two PE images, one 32-bit and one 64-bit, that are used to capture and deploy OSes. You can create your own WinPE environments with additional utilities and configuration and use them with SCCM; you just need to make sure you add the scripting and WMI packages.

Below is a transcript of the Windows command-line instructions I used to create a new amd64 (64-bit) WinPE environment on a machine that has the latest Windows Automated Installation Kit (WAIK) installed. Make sure you open the WAIK command prompt to run the commands below (each command follows a prompt ending in ">"; the rest is tool output). In my example, I'm creating the image in the folder d:\temp\winpe_amd64, so if you use a different path, update your commands appropriately.

C:\Program Files\Windows AIK\Tools\PETools> copype.cmd amd64 d:\temp\winpe_amd64
=========================================
Creating Windows PE customization working directory
d:\temp\winpe_amd64
=========================================
        1 file(s) copied.
        1 file(s) copied.
C:\Program Files\Windows AIK\Tools\PETools\amd64\EFI\microsoft\boot\fonts\wgl4_boot.ttf
        7 File(s) copied
        1 file(s) copied.
Success
Updating path to include peimg, cdimage, imagex
  C:\Program Files\Windows AIK\Tools\PETools\
  C:\Program Files\Windows AIK\Tools\PETools\..\AMD64

d:\temp\winpe_amd64> dism /mount-wim /wimfile:d:\temp\winpe_amd64\winpe.wim /index:1 /mountdir:d:\temp\winpe_amd64\mount
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Mounting image
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /image:d:\temp\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpe-scripting.cab"
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 - Adding package WinPE-Scripting-Package~31bf3856ad364e35~amd64~~6.1.7600.16385
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /image:d:\temp\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpe-wmi.cab"
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 - Adding package WinPE-WMI-Package~31bf3856ad364e35~amd64~~6.1.7600.16385
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /unmount-wim /mountdir:d:\temp\winpe_amd64\mount /commit
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image File : d:\temp\winpe_amd64\winpe.wim
Image Index : 1
Saving image
[================100.0%================]
Unmounting image
[================100.0%================]
The operation completed successfully.
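The same four steps as a script, added here as an example rather than taken from the article: each DISM call is checked for a non-zero exit code, and the mounted image is inspected with /get-packages to confirm both the scripting and WMI packages are actually installed before the changes are committed; on any failure the mount is discarded so the original winpe.wim is untouched. It assumes the WAIK path and the d:\temp\winpe_amd64 working folder from the transcript, and that PowerShell is started from the WAIK command prompt so copype.cmd is on the path.

```powershell
# Added example (not the article's own code). Builds the amd64 WinPE with the
# scripting and WMI packages SCCM needs, verifying the result before committing.
$work  = 'd:\temp\winpe_amd64'                                   # from the transcript
$wim   = Join-Path $work 'winpe.wim'
$mount = Join-Path $work 'mount'
$fps   = 'C:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps'

# Package cabs named in the transcript, and the identities DISM lists for them.
$cabs       = @('winpe-scripting.cab', 'winpe-wmi.cab')
$identities = @('WinPE-Scripting-Package', 'WinPE-WMI-Package')

function Invoke-Dism {
    # Runs dism.exe with the given arguments and fails loudly on a non-zero exit.
    param([string[]]$Arguments)
    $out = & dism.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($Arguments[0]) failed with exit code $LASTEXITCODE`n$out"
    }
    return $out
}

& copype.cmd amd64 $work
if ($LASTEXITCODE -ne 0) { throw "copype.cmd failed with exit code $LASTEXITCODE" }

Invoke-Dism @('/mount-wim', "/wimfile:$wim", '/index:1', "/mountdir:$mount") | Out-Null
try {
    foreach ($cab in $cabs) {
        Invoke-Dism @("/image:$mount", '/add-package', "/packagepath:$(Join-Path $fps $cab)") | Out-Null
    }

    # Do not trust the "completed successfully" banner alone: read the package
    # list back from the mounted image and require State : Installed for each.
    $listing = (Invoke-Dism @("/image:$mount", '/get-packages')) -join "`n"
    foreach ($id in $identities) {
        if ($listing -notmatch "$id[^`n]*`n\s*State : Installed") {
            throw "$id is not installed in the mounted image; refusing to commit."
        }
    }

    Invoke-Dism @('/unmount-wim', "/mountdir:$mount", '/commit') | Out-Null
    Write-Host "winpe.wim now carries scripting and WMI support: $wim"
}
catch {
    # Throw the changes away so a half-serviced image never reaches SCCM.
    & dism.exe /unmount-wim /mountdir:$mount /discard | Out-Null
    throw
}
```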

Deploy Microsoft App-V even if App-V Isn't in Base OS Image
By John Savill

Q. How can I deploy the Microsoft Application Virtualization (App-V) client using System Center Configuration Manager (SCCM) if App-V isn't in my base OS image?

A. If you're using SCCM task sequences to deploy your OS, it's very easy to add a step to also deploy the App-V client. There are two main approaches. The first is to just copy the App-V client setup files to a folder and create a new package. Then, within that package, create a program that calls the setup.exe for the App-V client (you need one for x64 and one for x32). The setup.exe will install, as will prerequisites such as Visual C++ SP1 Redistributable 2005 and 2008 and Application Error Reporting. Within your program, add the various switches to configure the App-V client with the App-V Server (such as cache size).

My full command line is shown below. Note that I use RTSP (hence port 554); this might be different in your organization, and so might the host name, etc. The switches shown are for demonstration only.

Client\x64\setup.exe /s /v" /qn SWIPUBSVRHOST=\"savdalappv01.savilltech.net\" SWIPUBSVRTYPE=\"RTSP\" SWIPUBSVRPORT=\"554\" SWIPUBSVRDISPLAY=\"SAVDALAPPV01\" SWIFSDRIVE=\"Q\" SWICACHESIZE=\"4096\""

You need all the repeated double quotes, and note that in my distribution, I have a Client folder under the main App-V source folder that contains the actual main files. That's why the path is Client\x64\setup.exe (or Client\x86\setup.exe) rather than just setup.exe. Make sure you use Browse to check that the path is correct.

The above is kind of a lazy approach (but it works). The alternative is to actually install the prerequisites manually, then run setup.msi (instead of setup.exe) to install the actual App-V client. Once again, you pass switches to the setup.msi to perform the configuration. If you're deploying to Windows Vista and Windows 7, you need to deploy the Visual C++ SP1 2005 and 2008 redistributables (you need the linked versions because they have the ATL security update). Application Error Reporting is in the Support folder of each architecture's setup files and is installed from there. If you're deploying to Windows XP, you also need to deploy Microsoft Core XML Services 6.0 SP1.

You could deploy these by creating a package for each of the components and adding a program to deploy with dependencies (the best option to re-use components). Or you can put them all in one package and use a script to call each component one at a time, such as the following (which I saved as x64install.bat):

start /wait %~dp0Client\prereq\vc2005\vcredist_x86.exe /Q
start /wait %~dp0Client\prereq\vc2008\vcredist_x86.exe /Q
start /wait msiexec /i %~dp0Client\x64\Support\Watson\dw20shared.msi APPGUID={342C9BB8-65A0-46DE-AB7A-8031E151AF69} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus
start /wait msiexec.exe /i %~dp0Client\x64\setup.msi SWIPUBSVRHOST="savdalappv01.savilltech.net" SWIPUBSVRTYPE="RTSP" SWIPUBSVRPORT="554" SWIPUBSVRDISPLAY="SAVDALAPPV01" SWIFSDRIVE="Q" SWICACHESIZE="4096" /q

Note that I have switches to configure the App-V client. Also note that for the Watson (Application Error Reporting) install, the APPGUID is App-V client version-specific. In the above, that's the right GUID for the 4.6 SP1 client install. The full list can be found on this TechNet page, in case you want to install a different version of the App-V client, but this FAQ is based on installing the 4.6 SP1 client. I also created a batch file for the x86 install:

start /wait %~dp0Client\prereq\vc2005\vcredist_x86.exe /q
start /wait %~dp0Client\prereq\vc2008\vcredist_x86.exe /q
start /wait msiexec /i %~dp0Client\x86\Support\Watson\dw20shared.msi APPGUID={342C9BB8-65A0-46DE-AB7A-8031E151AF69} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus
start /wait msiexec.exe /i %~dp0Client\x86\setup.msi SWIPUBSVRHOST="savdalappv01.savilltech.net" SWIPUBSVRTYPE="RTSP" SWIPUBSVRPORT="554" SWIPUBSVRDISPLAY="SAVDALAPPV01" SWIFSDRIVE="Q" SWICACHESIZE="4096" /q

    I use the same 32-bit Visual C++ install for both 32-bit and 64-bit installs. Only the Watson version and App-V client change between architectures.

I then create a program within the App-V client package that just calls x64install.bat (or x86install.bat), as shown (called BitByBit for mine, compared to the regular x64 install that uses setup.exe):

    My full hierarchy of files is shown below for easy reference to match my configuration and install files:

App-V Client 4.6 SP1\x64install.bat
App-V Client 4.6 SP1\x86install.bat
App-V Client 4.6 SP1\Client\Prereq\vc2005\vcredist_x86.exe
App-V Client 4.6 SP1\Client\Prereq\vc2008\vcredist_x86.exe
App-V Client 4.6 SP1\Client\x64\setup.exe
App-V Client 4.6 SP1\Client\x64\setup.msi
App-V Client 4.6 SP1\Client\x64\Support\Watson\dw20shared.msi
App-V Client 4.6 SP1\Client\x86\setup.exe
App-V Client 4.6 SP1\Client\x86\setup.msi
App-V Client 4.6 SP1\Client\x86\Support\Watson\dw20shared.msi
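A hardened version of the two batch files above, added here as an example and not part of the article: "start /wait" carries on after a failed prerequisite, so the App-V client can end up installed on top of missing redistributables. This script stops at the first step that does not exit cleanly (treating the Windows Installer "reboot required" codes 3010 and 1641 as success), selects the x64 or x86 folder from the OS architecture so one script replaces both batch files, and reports a non-zero exit code back to the SCCM program. It assumes the folder layout in the hierarchy above and reuses the article's demonstration server name and switches; the /q added to the Watson line is my assumption, so that step runs silently like the others.

```powershell
# Added example (not the article's own code): install.ps1 placed next to the
# Client folder, run by the SCCM program as
#   powershell.exe -ExecutionPolicy Bypass -File install.ps1

# PowerShell 2.0-compatible way to locate the package folder (same role as %~dp0).
$root = Split-Path -Parent $MyInvocation.MyCommand.Path

# One script for both architectures: pick the client folder from the OS.
$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'x64' } else { 'x86' }

# Exit codes that mean "installed, reboot pending" are not failures.
$okCodes = @(0, 3010, 1641)

function Invoke-Step {
    # Runs one installer synchronously and aborts the whole sequence on failure.
    param([string]$Name, [string]$File, [string]$Arguments)
    Write-Host "Installing $Name ..."
    $p = Start-Process -FilePath $File -ArgumentList $Arguments -Wait -PassThru
    if ($okCodes -notcontains $p.ExitCode) {
        throw "$Name failed with exit code $($p.ExitCode); aborting App-V client install."
    }
}

$clientDir = Join-Path $root "Client\$arch"
$watsonMsi = Join-Path $clientDir 'Support\Watson\dw20shared.msi'
$setupMsi  = Join-Path $clientDir 'setup.msi'

# Same 32-bit Visual C++ redistributables for both architectures, as in the batch files.
Invoke-Step 'Visual C++ 2005 SP1' (Join-Path $root 'Client\prereq\vc2005\vcredist_x86.exe') '/Q'
Invoke-Step 'Visual C++ 2008 SP1' (Join-Path $root 'Client\prereq\vc2008\vcredist_x86.exe') '/Q'

# Application Error Reporting; the APPGUID is specific to the 4.6 SP1 client.
$watsonArgs = "/i `"$watsonMsi`" APPGUID={342C9BB8-65A0-46DE-AB7A-8031E151AF69} " +
              "REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus /q"
Invoke-Step 'Application Error Reporting' 'msiexec.exe' $watsonArgs

# The App-V client itself, pointed at the publishing server (demonstration values).
$appvArgs = "/i `"$setupMsi`" SWIPUBSVRHOST=`"savdalappv01.savilltech.net`" SWIPUBSVRTYPE=`"RTSP`" " +
            "SWIPUBSVRPORT=`"554`" SWIPUBSVRDISPLAY=`"SAVDALAPPV01`" SWIFSDRIVE=`"Q`" SWICACHESIZE=`"4096`" /q"
Invoke-Step 'App-V client 4.6 SP1' 'msiexec.exe' $appvArgs

# Reaching this line means every step succeeded; a throw above exits non-zero,
# which SCCM records as a failed program run instead of a silent success.
exit 0
```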

Ideally, put each part into its own package with its own install program. Doing it that way gives you the most reuse and self-repair functionality. The batch file approach is a nice middle option, while just calling setup.exe is certainly the fastest and easiest way but gives a slower installation (the prerequisites have to be extracted from the setup.exe for Visual C++ and then installed).

No matter which method you choose, you should place the actual App-V client deployment near the end of the task sequence, where you normally deploy applications such as your malware protection and Microsoft Office (if it's not virtualized), as shown in the task sequence screenshot in the original article. Note that in mine, I'm also deploying the Office Deployment Kit for App-V, because I virtualize Office 2010 with App-V.

Windows Intune Limitations Compared to SCCM
By John Savill

Q. Is it true that if I cover my machines with Windows Intune, I can upgrade those machines to Windows 7 Enterprise and get access to the Microsoft Desktop Optimization Pack (MDOP)?

A. Windows Intune is Microsoft's cloud-based PC management solution. It offers some capabilities similar to the on-premise System Center Configuration Manager (SCCM) solution, including Microsoft update management, malware protection, inventory, remote assistance, and alerts and monitoring. Intune, in its current, first version, doesn't offer software or OS deployment. Intune can be great for organizations that can't deploy SCCM or that have pockets of users outside of their corporate environment who they still want to manage.

Intune is a per-computer, per-month subscription. As part of that subscription, as long as the computer has Windows 7 Professional or Business, the Intune subscription gives the right to upgrade that machine to Windows 7 Enterprise. For an additional $1 a month per computer, MDOP can also be added, giving access to all of MDOP's features, including Microsoft Application Virtualization, Microsoft Enterprise Desktop Virtualization, Advanced Group Policy Management, Diagnostics and Recovery Toolset, Desktop Error Monitoring, and Asset Inventory Service.

Windows 7 BranchCache Shares Files Between Peers on a Subnet
By John Savill

Q. Can System Center Configuration Manager (SCCM) clients take advantage of BranchCache?

A. Windows 7 and Windows Server 2008 R2 introduced a new feature that allows data downloaded by one person to be shared with peers on the same local subnet, a feature known as distributed mode BranchCache. (An alternative is dedicated mode, in which a Server 2008 R2 server is specified to cache content for an entire group of computers.) It looks something like this (diagram courtesy of Microsoft; not reproduced here):

As the name, and this diagram, suggest, this is primarily aimed at distributed environments that may have a slow (high latency) link to the main datacenter, where having 50 users download the same 10MB file is a waste of bandwidth that will mean a poor end-user experience. With BranchCache enabled, the file would be downloaded by the first person to access it, and the other 49 people will pull it from the machine that already downloaded it.

To use BranchCache, you need Windows Server 2008 R2 to host your content. Your clients must be running Windows 7 or Server 2008 R2, and BranchCache must be enabled on both the server and the clients.

The good news is that SCCM can take advantage of this functionality, provided you're running SCCM 2007 SP2 or above. You must check the option to allow clients to transfer content from this distribution point using BITS, HTTP and HTTPS on the General tab of the distribution point properties in SCCM. You also need to configure the advertisements to download and execute, instead of running directly from the distribution point.

Here's a great MSDN blog that goes into more detail on this topic: http://tinyurl.com/win7branchcache

Windows 7 boosts SCCM BDP Connections from 10 to 20
By John Savill

Q. If I use a Windows 7 client as a System Center Configuration Manager (SCCM) 2007 branch distribution point, can I have 20 simultaneous connections instead of 10?

A. BDPs are a new feature in SCCM 2007 that enable a non-server OS (you can still use a server OS) to act as a distribution point for a location. Windows XP SP2 and above were originally supported as BDPs, provided the computer is part of an Active Directory domain, is an SCCM client, and isn't configured to use an Internet-based management point. Because the BDP shares information using a file share, the Server service must be running on the BDP computer.

The Windows XP SP2 client OS only supports a maximum of 10 concurrent connections to its file shares, so if you have more than 10 machines at a location, understand that only 10 will be able to connect at any one time. Windows 7 increases the number of simultaneous connections to a file share from five or 10 (depending on your OS version) in previous versions of Windows to 20 in all versions of Windows 7. This means that if you use a Windows 7 client as a branch distribution point with SCCM 2007, it will support 20 simultaneous connections instead of the five or 10 you received with previous versions.

Next version of SCCM embraces Role Based Access Control and BranchCache
By Orin Thomas

Following on from Exchange Server 2010, the next version of SCCM, SCCM 2012, due out in 2012 H1, embraces the concept of Role Based Access Control (RBAC). RBAC is a more advanced model for allocating administrative permissions. Not only do you designate what the permission is (for example, the right to meter software usage), you also designate where the permission applies (in the case of SCCM this might be a particular collection of computers).

The next version of SCCM brings a significant number of advancements, including full integration with Windows Server 2008 R2 and Windows 7 BranchCache technologies. BranchCache is a peer-caching technology that allows organizations running Windows 7 to use WAN bandwidth more effectively. In the case of the next version of SCCM, deployed files will be peer cached out at the branch office on the clients, meaning that you will be able to efficiently get software out to branch offices without having to go through the rigmarole of configuring a branch office deployment point.

    Find out more about SCCM 2012 at Microsofts System Center 2012 Release Candidate portal: www.microsoft.com/en-us/server-cloud/system-center.
