Using SCCM to Migrate to Windows 7
Mel Beckman
Brought to you by Windows IT Pro
Contents
Preflight checklist for SCCM Windows 7 Deployment
SCCM Windows Deployment Tip: Using USB Installation Media
SCCM Windows Deployment Tip: Use a Key Management Server
SCCM 2007 SP2 required for Windows 7/2008 OS Deployment
DirectAccess gives Internet-based SCCM clients seamless remote control
Create a Windows 7-based WinPE compatible with SCCM
Deploy Microsoft App-V even if App-V Isn’t in Base OS Image
Windows Intune Limitations Compared to SCCM
Windows 7 BranchCache Shares Files Between Peers on a Subnet
Windows 7 boosts SCCM BDP Connections from 10 to 20
Next version of SCCM embraces Role Based Access Control and BranchCache
process is fully automated. In SCCM, navigate to SCCM Computer Management->Operating System Deployment->Task Sequences->Create Task Sequence media. Select your USB key and then unmount it at completion.

5. Perform the image capture. Insert the USB key into the reference machine and run the .exe it contains. The reference machine will execute the task sequence stored on the key, reboot the machine, and start the capture process. It will boot into WinPE, change to the Out of Box Experience (OBE), then transfer the image to the SCCM server share as a .WIM (Windows Image) file. You’ll be prompted to enter a few values, including the destination share for the image. The whole process takes less than 15 minutes on an uncongested gigabit network.

6. Import the captured image into SCCM. You’ve finished build-and-capture. Now you’re ready to prep SCCM for deployment. Navigate to SCCM Computer Management->Operating System Deployment->Operating System Images, and select Add an Operating System Image. Choose the .WIM file from the build-and-capture folder, and SCCM will import it. You’re now ready for deployment.

For many shops, you can deploy the image as-is. Some client platforms, however, may require special drivers for non-generic NIC, disk, and video hardware. If that’s the case, you’ll need to add drivers to your deployment process, which is its own complex topic outside the scope of this preflight checklist. A great source for guidance is Hayes Jupe’s blog entry “SCCM OSD – Driver best practices”:

http://hayesjupe.wordpress.com/sccm-osd-driver-best-practices

You’re now ready to begin the deployment process best suited to your needs, which involves creating a task sequence and advertising it, and selecting various installation or migration options.
Q. All my System Center Configuration Manager (SCCM) Internet-based clients are running Windows 7 and are DirectAccess enabled. Do I still need to use the SCCM Internet-Based Client Management feature?

A. The Internet-Based Client Management feature of SCCM allows clients that are connected to the Internet without a VPN connection into the corporate network to be managed by SCCM through the use of certificates to protect the communications. There are certain SCCM features that aren’t supported when using the Internet-based management features, including Remote Control, OS Deployment, and Network Access Protection.

DirectAccess lets clients connected to the Internet have full connectivity to corporate resources and also allows corporate infrastructure services, including SCCM, to have access to the Internet-based machines. With DirectAccess, clients on the Internet are treated as though they’re still on the corporate network, and therefore SCCM can manage them as such. So if all your Internet clients are DirectAccess enabled, you’re not required to use SCCM Internet-Based Client Management. Because the clients are treated as if they’re on the corporate network, certain features (such as Remote Control) that aren’t available for SCCM Internet-Based Client Management computers will be available when you use DirectAccess. Note that OS Deployment still won’t function, because DirectAccess relies on certificates and domain membership, and those won’t be available on a newly deployed OS.

Here’s a great Microsoft blog entry that goes into more detail on DirectAccess and SCCM: http://tinyurl.com/sccmdirectaccess.
Q. How can I create a Windows 7-based Windows Preinstallation Environment (WinPE) that’s compatible with System Center Configuration Manager (SCCM)?

A. SCCM 2007 comes with two PE images—one 32-bit and one 64-bit—that are used to capture and deploy OSes. You can create your own WinPE environments with additional utilities and configuration and use them with SCCM; you just need to make sure you add the scripting and WMI packages.

Below is a transcript of the Windows command line instructions I used to create a new amd64 (64-bit) WinPE environment on a machine that has the latest Windows Automated Installation Kit (WAIK) installed. Make sure you open the WAIK command prompt to run the commands below that are in bold. In my example, I’m creating the image in the folder d:\temp\winpe_amd64, so if you use a different path, update your commands appropriately.

C:\Program Files\Windows AIK\Tools\PETools> copype.cmd amd64 d:\temp\winpe_amd64
=========================================
Creating Windows PE customization working directory
d:\temp\winpe_amd64
=========================================
1 file(s) copied.
1 file(s) copied.
C:\Program Files\Windows AIK\Tools\PETools\amd64\EFI\microsoft\boot\fonts\wgl4_boot.ttf
7 File(s) copied
1 file(s) copied.
Success
Updating path to include peimg, cdimage, imagex
C:\Program Files\Windows AIK\Tools\PETools\
C:\Program Files\Windows AIK\Tools\PETools\..\AMD64

d:\temp\winpe_amd64> dism /mount-wim /wimfile:d:\temp\winpe_amd64\winpe.wim /index:1 /mountdir:d:\temp\winpe_amd64\mount
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Mounting image
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /image:d:\temp\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpe-scripting.cab"
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 - Adding package WinPE-Scripting-Package~31bf3856ad364e35~amd64~~6.1.7600.16385
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /image:d:\temp\winpe_amd64\mount /add-package /packagepath:"c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps\winpe-wmi.cab"
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Processing 1 of 1 - Adding package WinPE-WMI-Package~31bf3856ad364e35~amd64~~6.1.7600.16385
[================100.0%================]
The operation completed successfully.

d:\temp\winpe_amd64> dism /unmount-wim /mountdir:d:\temp\winpe_amd64\mount /commit
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image File : d:\temp\winpe_amd64\winpe.wim
Image Index : 1
Saving image
[================100.0%================]
Unmounting image
[================100.0%================]
The operation completed successfully.
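A scripted form of the mount, add-package and unmount steps from the transcript above, as an added example that is not part of the original FAQ: it stops at the first DISM failure, confirms with /get-packages that both packages are in the image, and discards the mount rather than committing a half-serviced boot image. It assumes copype.cmd has already created d:\temp\winpe_amd64 and that it runs from the WAIK command prompt; the temp file name is arbitrary.

```batch
@echo off
rem Added example, not the author's script. Paths match the transcript above;
rem change PE and FPS if your working folder or WAIK location differs.
setlocal
set "PE=d:\temp\winpe_amd64"
set "FPS=c:\Program Files\Windows AIK\tools\petools\amd64\winpe_fps"
set "PKGS=%TEMP%\winpe_pkgs.txt"

rem "||" fires on any non-zero exit code, including the negative codes DISM
rem can return, which "if errorlevel 1" would miss.
dism /mount-wim /wimfile:"%PE%\winpe.wim" /index:1 /mountdir:"%PE%\mount" || (
    echo Mount failed; nothing was changed.
    exit /b 1
)

rem Add the two packages SCCM needs; leave the loop on the first failure.
for %%P in (winpe-scripting.cab winpe-wmi.cab) do (
    dism /image:"%PE%\mount" /add-package /packagepath:"%FPS%\%%P" || goto :discard
)

rem Verify that both packages are listed in the mounted image before committing.
dism /image:"%PE%\mount" /get-packages > "%PKGS%" || goto :discard
for %%N in (WinPE-Scripting-Package WinPE-WMI-Package) do (
    findstr /i /c:"%%N" "%PKGS%" >nul || goto :discard
)
del "%PKGS%" 2>nul

dism /unmount-wim /mountdir:"%PE%\mount" /commit || exit /b 1
echo winpe.wim serviced and committed.
exit /b 0

:discard
echo Servicing or verification failed; discarding changes to winpe.wim.
del "%PKGS%" 2>nul
dism /unmount-wim /mountdir:"%PE%\mount" /discard
exit /b 1
```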
Q. How can I deploy the Microsoft Application Virtualization (App-V) client using System Center Configuration Manager (SCCM) if App-V isn’t in my base OS image?

A. If you’re using SCCM task sequences to deploy your OS, it’s very easy to add in a step to also deploy the App-V client. There are two main approaches. The first is to just copy the App-V client setup files to a folder and create a new package. Then, within that package create a program that calls the setup.exe for the App-V client (you need one for x64 and one for x32). The setup.exe will install, as will prerequisite requirements such as Visual C++ SP1 Redistributable 2005 and 2008 and the Application Error Reporting. Within your program, add the various switches to configure the App-V client with App-V Server (such as cache size), as shown here:

tion, and so might the host name, etc. The switches shown are for demonstration only.

Client\x64\setup.exe /s /v" /qn SWIPUBSVRHOST=\"savdalappv01.savilltech.net\" SWIPUBSVRTYPE=\"RTSP\" SWIPUBSVRPORT=\"554\" SWIPUBSVRDISPLAY=\"SAVDALAPPV01\" SWIFSDRIVE=\"Q\" SWICACHESIZE=\"4096\""

You need all the repeat double quotes, and note that in my distribution, I have a Client folder under the main App-V source folder that contains the actual main files. That’s why I have Client\<architecture>\setup.exe. Make sure you use Browse to check that the path is correct.

The above is kind of a lazy approach (but it works). The alternative is to actually install the prerequisites manually, then run setup.msi (instead of setup.exe) to install the actual App-V client. Once again, you pass switches to the setup.msi to perform the configuration. If you’re deploying to Windows Vista and Windows 7, you need to deploy the Visual C++ SP1 2005 and 2008 redistributables (you need the linked versions because they have the ATL security update). The application error reporting is in the Support folder of each architecture’s setup files and is installed from there. If you’re deploying to Windows XP, you also need to deploy the Microsoft Core XML Services 6.0 SP1.
Note that I have switches to configure the App-V client. Also note for the Watson (Application Error Reporting) install, the APPGUID is App-V client version-specific. In the above, that’s the right GUID for the 4.6 SP1 client install. The full list can be found on this TechNet page, in case you want to install a different version of App-V client, but this FAQ is based on installing the 4.6 SP1 client.

I also created a batch file for the x86 install:

start /wait %~dp0Client\prereq\vc2005\vcredist_x86.exe /q
start /wait %~dp0Client\prereq\vc2008\vcredist_x86.exe /q
start /wait msiexec /i %~dp0Client\x86\Support\Watson\dw20shared.msi APPGUID={342C9BB8-65A0-46DE-AB7A-8031E151AF69} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus
start /wait msiexec.exe /i %~dp0Client\x86\setup.msi SWIPUBSVRHOST="savdalappv01.savilltech.net" SWIPUBSVRTYPE="RTSP" SWIPUBSVRPORT="554" SWIPUBSVRDISPLAY="SAVDALAPPV01" SWIFSDRIVE="Q" SWICACHESIZE="4096" /q

I use the same 32-bit Visual C++ install for both 32-bit and 64-bit installs. Only the Watson version and App-V client change between architectures.

I then create a program within the App-V client package that just calls the x64install.bat (or x32install.bat), as shown (called BitByBit for mine, compared to the regular x64 install that uses setup.exe):

My full hierarchy of files is shown below for easy reference to match my configuration and install files:

App-V Client 4.6 SP1\x64install.bat
App-V Client 4.6 SP1\x86install.bat
App-V Client 4.6 SP1\Client\Prereq\vc2005\vcredist_x86.exe
App-V Client 4.6 SP1\Client\Prereq\vc2008\vcredist_x86.exe
App-V Client 4.6 SP1\Client\x64\setup.exe
App-V Client 4.6 SP1\Client\x64\setup.msi
App-V Client 4.6 SP1\Client\x64\Support\Watson\dw20shared.msi
App-V Client 4.6 SP1\Client\x86\setup.exe
App-V Client 4.6 SP1\Client\x86\setup.msi
App-V Client 4.6 SP1\Client\x86\Support\Watson\dw20shared.msi

Ideally, put each part into its own package with its own install program. Doing it that way gives you the most reuse and self-repair functionality. The batch file approach is a nice middle option, while just calling setup.exe is certainly the fastest and easiest way but will give a slower installation (the prerequisites have to be extracted from the setup.exe for Visual C++ then installed).

No matter which method you choose, you should place the actual App-V client deployment near the end of the task sequence, where you normally deploy applications such as your malware
Q. Is it true that if I cover my machines with Windows Intune, I can upgrade those machines to Windows 7 Enterprise and get access to the Microsoft Desktop Optimization Pack (MDOP)?

A. Windows Intune is Microsoft’s cloud-based PC management solution. It offers some capabilities similar to the on-premise System Center Configuration Manager (SCCM) solution, including Microsoft update management, malware protection, inventory, remote assistance, and alerts and monitoring. Intune, in its current, first version, doesn’t offer software or OS deployment. Intune can be great for organizations that can’t deploy SCCM or that have pockets of users outside of their corporate environment who they still want to manage.

Intune is a per-computer, per-month subscription. As part of that subscription, as long as the computer has Windows 7 Professional or Business, the Intune subscription gives the right to upgrade that machine to Windows 7 Enterprise. For an additional $1 a month per computer, MDOP can also be added, giving access to all of MDOP’s features, including Microsoft Application Virtualization, Microsoft Enterprise Desktop Virtualization, Advanced Group Policy Management, Diagnostics and Recovery Toolset, Desktop Error Monitoring, and Asset Inventory Service.
Q. Can System Center Configuration Manager (SCCM) clients take advantage of BranchCache?

A. Windows 7 and Windows Server 2008 R2 introduced a new feature that allowed data downloaded by one person to be shared with peers on the same local subnet, a feature known as distributed mode BranchCache. (An alternative is dedicated mode, which is where a Server 2008 R2 server is specified to cache content for an entire group of computers). It looks something like this (diagram courtesy of Microsoft):

As the name, and this diagram, suggests, this is primarily aimed at distributed environments that may have a slow (high latency) link to the main datacenter, where having 50 users download the same 10MB file is a waste of bandwidth that will mean a poor end-user experience. With BranchCache enabled, the file would be downloaded by the first person to access the file, and the other 49 people will pull it from the machine that already downloaded it.

To use BranchCache, you need Windows Server 2008 R2 to host your content. Your clients must be running Windows 7 or Server 2008 R2, and BranchCache must be enabled on both the server and clients.

The good news is that SCCM can take advantage of this functionality, providing you’re running SCCM 2007 SP2 or above. You must check the option to allow clients to transfer content from this distribution point using BITS, HTTP and HTTPS on the distribution point properties in the General tab of SCCM. You also need to configure the advertisements to download and execute, instead of running directly from the distribution point.

Here’s a great MSDN blog that goes into more detail on this topic: http://tinyurl.com/win7branchcache
Q. If I use a Windows 7 client as a System Center Configuration Manager (SCCM) 2007 branch distribution point, can I have 20 simultaneous connections instead of 10?

A. BDPs are a new feature in SCCM 2007 that enable a non-server OS (you can still use a server OS) to act as a distribution point for a location. Windows XP SP2 and above were originally supported as BDPs, provided the computer is part of an Active Directory domain, is an SCCM client, and isn’t configured to use an Internet-based management point. Because the BDP shares information using a file share, the server service must be running on the BDP computer.

A Windows XP SP2 client OS only supports a maximum of 10 concurrent connections to its file shares, so if you have more than 10 machines at a location, understand that only 10 will be able to connect at any one time. Windows 7 increases the number of simultaneous connections to a file share from five or 10 (depending on your OS version) in previous versions of Windows to 20 in all versions of Windows 7. This means if you use a Windows 7 client as a branch distribution point with SCCM 2007, it will support 20 simultaneous connections instead of the five or 10 you received with previous versions.
Following on from Exchange Server 2010, the next version of SCCM, SCCM 2012 due out in 2012 H1, embraces the concept of Role Based Access Control (RBAC). RBAC is a more advanced model for allocating administrative permissions. Not only do you designate what the permission is (for example, the right to meter software usage) you designate where the permission applies (in the case of SCCM this might be to a particular collection of computers).

The next version of SCCM brings a significant number of advancements, including full integration with Windows Server 2008 R2 and Windows 7 BranchCache technologies. BranchCache is a peer-caching technology that allows organizations running Windows 7 to more effectively use WAN bandwidth. In the case of the next version of SCCM, deployed files will be peer cached out at the branch office on the clients—meaning that you will be able to efficiently get software out to branch offices without having to go through the rigmarole of configuring a branch office deployment point.

Find out more about SCCM 2012 at Microsoft’s System Center 2012 Release Candidate portal: www.microsoft.com/en-us/server-cloud/system-center.