SCCM is a great tool to roll out Windows 7. Microsoft provides a large amount of documentation, in fact so much documentation that it becomes hard to actually know what should and should not be done. To keep things simple, I’ll concentrate on a very simple, but also very common scenario:
Windows 7 is installed on new hardware, or hardware which is re-used. In the process the whole PC is wiped clean and a new OS is installed. I am not focusing on data migration. I am working on the assumption that all data is backed up to the network (because of roaming profiles or folder redirection).
Here I explain a fairly simple and effective method to use SCCM to roll out Windows 7.
For this you need:
Windows 7 Enterprise (this is the volume license version. While most of this works with retail versions as well, the activation and license issues are different).
a working SCCM installation (you can use PXE boot points, etc but I won’t go into details how to set this up)
Microsoft Deployment Toolkit 2010. You can download this from Microsoft. You don’t strictly need this, but some of the tools are really quite useful. The methods explained here do not rely on the MDT 2010.
The required drivers for all hardware
All software installation packages ready and tested.
When doing Windows 7 rollouts, keep the following in mind:
standardisation is key: try to avoid creating too many different configurations. It will save time and effort in the rollout, as well as reduce support burdens if everyone (as much as possible) has the same set of applications and configurations.
group policies: if you can configure something using group policy, configure it that way. It is easier to manage and can be changed in the future.
hardware: make sure all hardware is recent and has at least 2GB of RAM. Also, avoid having too many different models. Again, standardisation is key. Also, hardware from major manufacturers will be easier to use as they have better driver support.
base image: create the base image on the most basic piece of hardware (or even better a VM in VMWare) you have access to. Also, this image should only contain the OS, some patches and perhaps some customizations. Nothing more.
User state migration. While the USMT is a great tool to migrate users’ data and settings, it also has a bug with a particular hotfix (which is installed on properly patched XP, Vista and Windows 7 machines), which requires another hotfix on each computer, on the server and during the installation. On top of that, USMT is configured using XML files, so this is something which requires a lot of testing to get it to work the way you want it to. If you can avoid it, preserve your sanity and do that.
documentation: Any change you make to the default image should be documented. Every step in the process should be documented. I try to keep things simple, but for manageability purposes it’s important that the whole system is fully documented. I cannot stress this enough.
Creation of the base image
I like creating the base image on VMware because it allows me to take snapshots along the way and I can actually keep it on the server as a basis for future images (for example an updated image with SP1, etc.).
While the MDT provides a task sequence to build and capture, I prefer the following method. It’s not that much more work, is more flexible and has generally proven to be more stable as well. As stated before, I like to do this on VMware, but that’s not a requirement. It’s best to use the simplest hardware (preferably a desktop, something without a lot of exotic hardware requiring drivers) for this.
Install Windows 7 from installation media. During the selection of the partition, delete all existing partitions and create a NEW partition. Do not have the installer create the partition for you (by selecting the free space to install). In that last case, Windows 7 will create 2 partitions and this will complicate the whole process. It’s simpler with one partition and for that you have to create it.
Follow normal installation. Do not join to domain. After the installation is completed, enable the admin account and log in with it.
delete the initial user account that was created during the set up process.
install security updates, service packs etc.
If required, clean up the start menu. This is done in 2 places. c:\programdata\Start Menu contains the “All Users” start menu. You will need to remove the deny permissions to be able to edit it (put them back afterwards). Also edit C:\users\default\start menu. This contains the default user start menu and whatever is listed here will be included for every new user who logs in. You want to delete the shortcuts to programs that you don’t want in the start menu. Don’t delete the whole folder structure! For example, you may want to remove the shortcuts for “Windows Media Center”, “Windows Fax and Scan” etc.
Create a text file in the Windows folder. For example: imgv1.0.txt. This would be my version 1 image. Why do this? This file can be inventoried by SCCM and that way you can run reports and find out which version of the image is used. When you make changes to the image, you should also increment the version number on the image. It’s not required, but very helpful.
We are now ready to capture. For that we use the SCCM capture disk. Here is how to create it:
login to SCCM, and open the ConfigMgr console.
right-click “task sequence” under Computer Management – Operating system deployment. Select “create task sequence media”.
select “capture media” as the media type. Click next.
select whether you want a CD/DVD or USB stick. In case of USB stick you’ll need a recent, completely empty USB. In case of CD/DVD you will need to specify where the ISO file will be stored. Click next
Select the boot image. It shouldn’t matter whether you pick x64 or i386 for this. The boot image will need to have the required drivers to run the network on your image computer. If you use VMware, the standard boot image as it is supplied with SCCM works just fine. For distribution point, just pick the closest.
Next, a couple of times and you’ll have a CD (or USB stick). If you are using VMware, mount the ISO file (as if it was a CD), otherwise, insert the disk into your image PC. Normally, you should be offered to run the capture wizard.
This wizard is pretty basic and easy to understand. Just one thing: where you are asked for the path for the image, provide a full UNC path to the server AND include the image name (use .wim as the extension for the image). Obviously, provide a username and password with access to the share on the server. Finish the wizard and it will capture the image. This usually takes at least about 1 hour and involves sysprep and a reboot. Just let it do its thing. Don’t touch the machine. It’s also a good idea to create a dedicated folder on the server specifically for these OS images.
Creating the OS image package
After you have captured the image you need to turn it into an actual package.
go to “computer management – operating system deployment – operating system images”. Select “add operating system image”.
provide the path to the wim file. This should be a UNC path. The file should have a .wim extension and the file name should be included in the path.
Click Next a couple of times and you have an OS image. Don’t forget to replicate this to your distribution points. (No need to add this to the PXE points in case you are using those. The PXE points only need the boot images.)
Creating a task sequence
Now we are getting to the most important part: creation of the task sequence to install the image. The MDT manual instructs you to create an MDT task sequence, which is very powerful and handles a very wide range of scenarios. It’s also difficult to understand and troubleshoot unless you actually know what each step does. Hence, I prefer to keep it simpler because it makes it a lot easier to troubleshoot.
under “computer management – operating system deployment – task sequences”, right click “new – task sequence”. Do not use the “create Microsoft Deployment Task sequence” (you can do that in the future, once you are a master at task sequences).
Select “install an existing image package”.
Give it a name: “standard Windows 7 deployment”. Add a meaningful comment explaining what this is for.
select the boot image. In many cases the built-in SCCM boot image will work fine. Make sure you select the same architecture as the image you are installing. If you captured an x64 image, make sure to select an x64 boot image as well. The boot image needs to have the drivers for network and disk (SATA) or it will fail. The current one included with SCCM works fine with most brand hardware and will only give you problems if you have something really new. You’ll find out soon enough in testing whether it works or not. Click Next
Select the image. You should also specify the license key and if you want to test an administration password you can set it here as well. (you can change all these settings later on as well). Click Next
Here you can join to a domain, so specify where to add the account and specify a username and password to join the computer. Best practice is to add the computer account to an OU that has all required policies assigned (the final OU so to speak). Do not add to the “computer” folder; that is a legacy folder that in a modern Active Directory installation should be empty. For the user account, avoid using an admin account. It’s best to create a dedicated account that only has the required permissions to add computers to AD but doesn’t even have permissions to log in to any machine. Click Next
Select the installation package for the SCCM client. (If you don’t have this package you will need to create it. However, installing SP2, R2 or R3 on the SCCM server will also create this package.) Click Next.
uncheck all the capture check boxes. This is only run in case you would advertise this sequence to existing computers. This requires a lot of extra testing and is outside of scope of what I am trying to do here. Click next
Select “don’t install any software updates”. This may seem contradictory, but it actually will make the build faster (also most likely your current settings for updates wouldn’t work with this anyway.). Make sure the updates are installed soon after the build is finished though. Click Next.
Select the software you want installed. You can only select programs that have the tick box ticked for “Allow this program to be installed from the Install Software task sequence without being advertised” and can run whether or not a user is logged in. Click Next
Click Next. The task sequence is now created.
Right-click the task sequence and select EDIT. You should see a fairly short task sequence and it will be quite clear what each item actually does.
The items in bold are group entries and don’t actually do anything themselves. However, you can disable all tasks in a group by disabling the group entry. More useful is that you can have group entries run based on particular conditions. For example, you could create a group called “laptop software”, under options add a condition that this should only apply on laptops (which is a chassis type) and add all laptop specific software in that section. Similarly, you can use that to install software on a particular model of hardware, computers in a particular subnet (regional differences), etc. It’s very powerful, outside of scope of this article, but by using groups and conditions you can create a task sequence that can address most situations.
Another thing to keep in mind is the following: the “Setup Windows and ConfigMgr” step installs the SCCM client. After that, your OS is mostly installed and thus the software installation actions should come after this point.
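For the domain-join step above, one way to give the dedicated join account only the rights it needs on the target OU, as an added example that is not part of the original article. The OU and account names are placeholders, and the permission list is a commonly used minimal set for joining and re-joining computers, stated here as an assumption to verify in a test OU first.

```powershell
# Added example (not from the original article): delegate domain-join rights on ONE OU
# to the dedicated join account used in the task sequence, instead of an admin account.
# Assumptions: dsacls.exe (AD DS tools / RSAT) is available and you may edit the OU's ACL.
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: final OU for built PCs
$JoinAcct = 'EXAMPLE\svc-osd-join'                # placeholder: dedicated non-admin account

# ACEs to grant. Scope 'T' = this object and its children, 'S' = child objects only.
# No delete right is granted; a rebuild re-uses the existing computer object.
$aces = @(
    @{ Scope = 'T'; Perm = 'CC;computer' },                          # create computer objects
    @{ Scope = 'S'; Perm = 'CA;Reset Password;computer' },           # re-join an existing object
    @{ Scope = 'S'; Perm = 'RPWP;Account Restrictions;computer' },   # includes userAccountControl
    @{ Scope = 'S'; Perm = 'WS;Validated write to DNS host name;computer' },
    @{ Scope = 'S'; Perm = 'WS;Validated write to service principal name;computer' }
)

function Grant-JoinDelegation {
    param([string]$OU, [string]$Account, [object[]]$Aces)
    foreach ($ace in $Aces) {
        $grant = '{0}:{1}' -f $Account, $ace.Perm
        & dsacls.exe $OU "/I:$($ace.Scope)" /G $grant | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for '$grant' on '$OU' (exit code $LASTEXITCODE)"
        }
    }
}

function Get-JoinDelegation {
    param([string]$OU, [string]$Account)
    # List the ACEs on the OU that mention the join account, for review and documentation.
    & dsacls.exe $OU | Select-String -SimpleMatch $Account
}

Grant-JoinDelegation -OU $TargetOU -Account $JoinAcct -Aces $aces
Get-JoinDelegation   -OU $TargetOU -Account $JoinAcct
```

Blocking logon for this account is a separate setting, for example the “Deny log on locally” user right assigned through group policy.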
Deploying the task sequence
Let’s get this onto a computer.
Again, I’ll focus on the easiest method:
create a new collection. I call it “image deployment”, but you can call it whatever you want. Make sure it’s empty.
select the task sequence and advertise it to this collection. You can make a mandatory advertisement but you don’t have to. If it’s not mandatory then you’ll have to select it during the build process (which is an extra step). This is useful if you have multiple task sequences (for example during testing). Otherwise, once the roll out starts, you should make it mandatory.
right click “computer management – operating system deployment – computer association” and select “import computer information”. You will need the MAC address or GUID of the computer and add it to your collection you just created.
right click “computer management – operating system deployment – task sequences” and select “create task sequence media”. Select create “bootable media” and follow the instructions.
Boot the new PC using the task sequence media or USB stick. If the advertisement is mandatory it should be completely unattended. After about 30 to 45 min you should have a fully built PC.
you may use a PXE boot point. In that case, you do not need to create task sequence media, but you will need to select the “Make this task sequence available to boot media and PXE” when advertising.
use the “unknown computer support”. For this you enable the “unknown computer support” in the PXE point settings, and advertise the task sequence to the “unknown computers” collection. In this case, you will be asked to provide a PC name.
you can change the background picture in your boot image to something branded for your computer. It’s not much, but it’s cool nonetheless. You’ll find the setting in the properties of the boot image. You’ll need to provide a bmp type file.
All of this should get you started. It is very useful to learn how to use conditions in your task sequence. There is a lot of information about the hardware that is provided during the installation and this can be used to further refine your installation. I may address that in a future post; however, it’s easy enough to find by Googling it.
In case you wonder what the MDT 2010 is used for: for starters, not everyone has SCCM in their environment. So, together with Windows Deployment Services, MDT can be a solution in those cases. MDT will also be useful when you want to pass specific information to your build process. This is important when, for example, creating complex sequences that need to address regional and language differences, language pack installations etc. MDT is also used to create OEM builds.
I’ve tried to keep things as simple as possible. This walk-through will get you an image and allow you to install it on a machine and that in just a couple of hours. Most likely you will need a lot of customizations and it’s all in the task sequence.