Microsoft Surface 3 User Manual

Download

Published: December 2014

Surface Pro 3

Deployment and Administration Guide

Version 1.0

Surface is a trademark of Microsoft Corporation.

Computrace is a trademark of Absolute Software Corporation

Reader is a trademark of Adobe Systems Incorporated

Java is a trademark of Oracle Corporation

This document is provided “as-is.” Information in this document, including URL and other Internet website references, may change without notice.

Contents

PART I – DEPLOYMENT OVERVIEW

Chapter 1 – Overview ................................................................................................................................................ 9

Purpose of This Guide ............................................................................................................................................ 9

Audience ................................................................................................................................................................ 9

How This Guide is Organized ............................................................................................................................... 10

Document Conventions ....................................................................................................................................... 11

What’s Not in This Guide ..................................................................................................................................... 11

Chapter 2 – Deployment Introduction .................................................................................................................... 12

Deployment Concepts .......................................................................................................................................... 12

Deployment and Imaging ................................................................................................................................ 12

Sysprep and Generalization ............................................................................................................................. 13

Image Servicing ................................................................................................................................................ 14

Licensing .......................................................................................................................................................... 15

Deployment Types ........................................................................................................................................... 16

Deployment Tools ................................................................................................................................................ 17

Factors and Considerations ............................................................................................................................. 17

Third Party Tools .............................................................................................................................................. 18

Microsoft Tools ................................................................................................................................................ 18

Microsoft Deployment Toolkit ............................................................................................................................. 22

The Deployment Workbench .......................................................................................................................... 22

Deployment Shares ......................................................................................................................................... 23

Windows Deployment Wizard ......................................................................................................................... 25

Driver Management ........................................................................................................................................ 26

Application Management ................................................................................................................................ 26

Package Management ..................................................................................................................................... 27

Task Sequences ................................................................................................................................................ 28

Considerations for Images ................................................................................................................................... 29

The Single Image Goal ..................................................................................................................................... 29

Using a Virtual Machine as a Reference System ............................................................................................. 30

Selecting Applications for the Base Image ...................................................................................................... 30

Planning for Deployment ..................................................................................................................................... 31

Laboratory Testing ........................................................................................................................................... 31

Pilot Deployments ........................................................................................................................................... 32

Staggered Deployments .................................................................................................................................. 33

“White Glove” Delivery ................................................................................................................................... 33

PART II – DEPLOYMENT STEP-BY-STEP

Chapter 3 – Manual Deployment with MDT............................................................................................................ 36

Installing Deployment Tools................................................................................................................................. 37

Windows Assessment and Deployment Kit ..................................................................................................... 37

Microsoft Deployment Toolkit ........................................................................................................................ 39

Windows Deployment Services ....................................................................................................................... 41

Creating a Deployment Share .............................................................................................................................. 45

Importing an Operating System ...................................................................................................................... 48

Importing Drivers ............................................................................................................................................. 50

Creating the Task Sequence ............................................................................................................................ 58

Preparing Boot Media .......................................................................................................................................... 61

Generating Boot Media ................................................................................................................................... 61

Importing Boot Media into WDS ..................................................................................................................... 62

Deploying the Basic Scenario ............................................................................................................................... 63

Booting from the Network .............................................................................................................................. 63

Windows Deployment Wizard ......................................................................................................................... 65

Chapter 4 – Reference Deployment with MDT ....................................................................................................... 68

Configuring Deployment Share Rules .................................................................................................................. 70

Configuring Windows Deployment Wizard Rules ........................................................................................... 71

Configuring Boot Media Rules ......................................................................................................................... 74

Creating a Reference Deployment Task Sequence .............................................................................................. 75

Enabling Windows Updates ............................................................................................................................. 76

Deploying to the Reference System ..................................................................................................................... 77

Customizations to the Reference Image .............................................................................................................. 80

Customizing the Wallpaper ............................................................................................................................. 80

Customizing the Default User Account Picture ............................................................................................... 81

Customizing Windows Store Apps ................................................................................................................... 83

Customizing the Start Screen .......................................................................................................................... 86

Creating a Capture Task Sequence....................................................................................................................... 88

Creating an Image from the Reference System ................................................................................................... 90

Testing the Image ................................................................................................................................................. 92

Importing the Captured Image ........................................................................................................................ 92

Creating the Test Deployment Task Sequence ................................................................................................ 92

Deploying the Captured Image ........................................................................................................................ 95

Chapter 5 – Automated Deployment with MDT...................................................................................................... 96

Disabling WDS PXE Boot ...................................................................................................................................... 97

Creating the Production Deployment Share ........................................................................................................ 98

Customizing Rules for Automation .................................................................................................................. 98

Customizing Task Sequence Selection by Model........................................................................................... 100

Importing the Custom Image ............................................................................................................................. 103

Importing Drivers ............................................................................................................................................... 104

Importing Applications ....................................................................................................................................... 104

Importing Adobe Reader ............................................................................................................................... 105

Importing Oracle Java .................................................................................................................................... 106

Importing Microsoft Office ............................................................................................................................ 107

Creating the Production Deployment Task Sequence ....................................................................................... 112

Testing the Production Deployment .................................................................................................................. 114

Creating the Offline Deployment Share ............................................................................................................. 115

Linking the Deployment Shares ..................................................................................................................... 116

Preparing a USB Stick for Boot ...................................................................................................................... 119

Generating Offline Media Files ...................................................................................................................... 120

Configuring Offline Media Rules .................................................................................................................... 121

Finalizing the Offline Media ........................................................................................................................... 123

Deploying from Offline Media ........................................................................................................................... 124

Chapter 6 – Automated Deployment with SCCM .................................................................................................. 126

Integrating MDT with SCCM............................................................................................................................... 128

Importing Surface Pro 3 Drivers ......................................................................................................................... 129

Importing the Drivers for the Boot Image ..................................................................................................... 129

Importing the Drivers for Windows 8.1 ......................................................................................................... 133

Importing the Operating System Image ............................................................................................................. 135

Creating the Deployment Task Sequence .......................................................................................................... 136

Specifying Drivers to Use in the Deployment Task Sequence ....................................................................... 140

Specifying the CopyProfile setting in the Answer Profile .............................................................................. 141

Deploying the Operating System Task Sequence to the Client .......................................................................... 143

Updating Distribution Point Components ..................................................................................................... 143

Deploying to Existing SCCM Clients ............................................................................................................... 143

Deploying to New or Unknown Computers .................................................................................................. 148

PART III – ADMINISTRATION

Chapter 7 – Administration Overview ................................................................................................................... 153

Management Tools ............................................................................................................................................ 153

System Center Configuration Manager ......................................................................................................... 153

Windows Intune ............................................................................................................................................ 154

Group Policy .................................................................................................................................................. 154

Features ............................................................................................................................................................. 154

Firmware ........................................................................................................................................................ 154

Asset Tagging ................................................................................................................................................. 154

BitLocker Encryption ...................................................................................................................................... 155

Computrace Persistence ................................................................................................................................ 155

Miracast Wireless Display .............................................................................................................................. 155

Accessories ......................................................................................................................................................... 155

Surface Pen .................................................................................................................................................... 155

Surface Ethernet Adapter .............................................................................................................................. 155

Surface Pro 3 Docking Station ....................................................................................................................... 156

Surface Pro Type Cover ................................................................................................................................. 156

User Serviceability ......................................................................................................................................... 156

Business Support Channels ............................................................................................................................ 156

Chapter 8 – Administration Scenarios ................................................................................................................... 157

Asset Tagging ..................................................................................................................................................... 157

BitLocker Encryption .......................................................................................................................................... 157

Enabling PIN Authentication on Surface Pro 3 .............................................................................................. 158

Encrypting During MDT Deployment ............................................................................................................ 158

Pen Pairing ......................................................................................................................................................... 159

Migrating User Data ........................................................................................................................................... 160

Migrating Data in Replace Scenarios ............................................................................................................. 160

Migrating Data in Refresh Scenarios ............................................................................................................. 162

System Tracking ................................................................................................................................................. 163

Deploying Computrace with MDT ................................................................................................................. 163

PART IV – APPENDIX

References ............................................................................................................................................................ 165

PART I

DEPLOYMENT

OVERVIEW

Chapter 1 – Overview

Purpose of This Guide

This guide was constructed to show you best practices for deploying Windows to Surface Pro 3 devices. This may sound like a simple enough statement, but due to the vast number of scenarios and concepts, deployment can be quite complex. This guide is organized in a way that minimizes the learning curve for you to understand how to deploy Windows to the Surface Pro 3 devices to your organization. It presents step-by-step procedures that provide essential building blocks for successive chapters. Therefore, it is a good idea to read the chapters in order.

The deployment concepts discussed in this guide are valid for all Windows computers, but specifically targets scenarios for Surface Pro 3 devices.

You’ll see many screenshots in this document, but in an effort to keep the document as short as possible, some images

for basic options are described, but not shown.

Audience

This guide is intended for IT Professionals (IT Pros) that are responsible for managing and conducting rollouts of Windows devices within an organization. This guide is written specifically to account for scenarios that are typically experienced by organizations of all sizes, since many of the deployment concepts are not specific to organization size. However, there are some scenarios, tips, and other guidance that is likely to be experienced specifically by a small or medium business (SMB), or by a large business (enterprise). When the guidance differs by organization size, this is specifically called out in this guide. This guide does not assume specific software is available only to a specific size organization. For example, it does not assume only a large enterprise uses System Center.

If you have deployed Windows using a 3rd-party tool (a.k.a non-Microsoft tool), this guide provides a comprehensive

introduction into best practices for deploying Windows to Microsoft Surface Pro 3 devices. As you’ll learn, the best

practice for deployments of all sizes is to use the free Microsoft Deployment Toolkit (MDT). New users and experience deployment professionals alike will gain insights from reading this guide. The Microsoft Deployment Toolkit is explored in more detail in the Microsoft Deployment Toolkit section of Chapter 2 and is featured throughout the step-by-step guidance in Part II of this guide.

Although the Microsoft Deployment Toolkit is the primary technology used throughout this guide, it is used in conjunction with other Microsoft technologies as part of the overall solution. For example, in Chapter 6: Automated

Deployment with SCCM, the Microsoft Deployment Toolkit is integrated with Microsoft System Center Configuration

Management to leverage the functionality of both tools.

For administrators who are experienced with Windows deployment and the Microsoft Deployment Toolkit, specific information is provided that addresses many of the key tasks for Surface Pro 3 and Windows deployment. To help identify the locations where these concepts are discussed, a brief list has been provided here:

 Application Deployment – Chapter 5  Windows Updates – Chapter 4, Chapter 5, and Chapter 6  Surface Pro 3 Firmware – Chapter 5, Chapter 6, and Chapter 7

 BitLocker Encryption – Chapter 8  Asset Tagging – Chapter 8  Network Boot – Chapter 3, Chapter 4, Chapter 5, Chapter 6, and Chapter 8  Deployment Planning – Chapter 2  Offline Deployment – Chapter 5  System Tracking – Chapter 8  Surface Pro 3 Features – Chapter 7  Windows Store Apps – Chapter 4  Surface Pro 3 Administration – Chapter 7 and Chapter 8

How This Guide is Organized

This guide is organized in a series of parts and chapters that present increasingly complex concepts that build upon each other. Therefore, it is recommended to read this document in sequential order. Even if you are familiar with deployment concepts, there are some important tips you’ll learn along the way.

This guide is organized as follows:

 PART I: DEPLOYMENT OVERVIEW

o Chapter 1: Overview – This chapter. o Chapter 2: Deployment Introduction – Outlines basic concepts and terms needed as a prerequisite for

performing the step-by-step walkthroughs shown in Part II. Experienced deployment professionals may be able to skip this chapter, but novice deployment professionals should read this chapter.

 PART II: DEPLOYMENT STEP-BY-STEP

o Chapter 3: Manual Deployment with MDT - Provides a walkthrough of a basic, standalone deployment

of the operating system. This is a manual deployment because it provides no automation, thereby forcing the user to enter required setup data throughout the process. The resulting operating system contains no applications or configuration, so these will need to be installed or configured on each computer.

o Chapter 4: Reference Deployment with MDT – Builds upon the manual deployment scenario, but starts

to introduce some automation. User interaction required during deployment is less than the manual deployment, but more than a fully automated deployment. This scenario is used to prepare a reference system and create an image for use in Chapter 5 and Chapter 6. Deployment of the image to a test computer is also covered, but this test computer contains no drivers or applications.

o Chapter 5: Automated Deployment with MDT– Builds upon the reference deployment scenario with

additional automation, requiring minimal user interaction during deployment. This scenario uses the image created in Chapter 4 and also deploys applications and drivers. The resulting operating system is ready for use when the deployment completes. This scenario also addresses both online deployment for network joined systems and offline deployment for systems without network connectivity.

o Chapter 6: Automated Deployment with SCCM – Adds System Center Configuration Manager and

support for zero-touch installation (ZTI) to produce an automated deployment requiring no interaction from the user. This scenario uses the image created in Chapter 4 and includes applications and drivers that are managed by System Center Configuration Manager. The resulting operating system is complete

with applications and drivers, is configured for central management through SCCM, and is ready for use by the end user.

 PART III: ADMINISTRATION

o Chapter 7: Administration Overview – Describes Surface Pro 3 administration and concepts. o Chapter 8: Surface Pro 3 Administration Scenarios – Outlines Surface Pro 3 administration by showing

how to manage these settings and features:

 Asset Tagging  BitLocker Encryption  Pen Pairing  User Data Migration  System Tracking

 PART IV: APPENDIX

Document Conventions

The conventions used in this document are as follows:

 Bold text – Indicates a literal name of an object on a screen, such as a button, link, option, or menu.  Italicized text – Indicates the first time a term is used.  Monospace text – Indicates code or script that can be copied/pasted and used in your environment.  Ctrl+F – Indicates the Ctrl and F keys are pressed simultaneously.  FileSave – Indicates a series of menu clicks.  Note – Indicates some additional information or considerations for a concept, option, or configuration.  Caution – Indicates special warning or tip to consider that may adversely affect your computer.

What’s Not in This Guide

This guide focuses on a variety of scenarios for Windows deployments. However, this guide assumes you already have knowledge of these specific areas of administration and IT:

 Windows Networking  Windows Server  Windows Firewall  Hyper-V  System Center Configuration Manager

Chapter 2 – Deployment Introduction

Deployment Concepts

This section discusses the concepts you’ll need to gain an overall understanding of the deployment process for the Windows operating system and the tools available to your organization. Please read this section before continuing with the rest of this deployment guide.

Deployment and Imaging

The simplest way to transfer an operating system onto a single computer is known as installation. Installation simply refers to running a setup application supplied with the original media and following the prompts on the screen. For one computer (or a small number of computers), this can be an ideal way to upgrade a computer’s operating system, or for single bare metal machines. The setup application prompts for basic information to be manually entered and once the default environment is prepared, the system can be manually customized with applications, drivers, and settings.

As the number of computers in your organization increases, it becomes less efficient (or even impossible) to install an operating system on all computers by using a setup application. It becomes essential to employ methods of installation that not only reduce the time and effort, but standardize the resulting systems. For more than one computer, you need an efficient process to distribute the operating system and configuration to each, a process known as deployment.

The simplest method of deploying to multiple computers is cloning, whereby the process of installation and configuration is performed on a single computer and the disk drive is mirrored to the other computers. This produces multiple identical computers. One key problem with this approach is that you need to physically remove the storage media, such as the hard drive(s), connect them to the system you are cloning, clone the drive, then reinstall the devices. Another is that the hardware configuration of the computers must be identical. Even minor variations in hardware can result in a computer that will not boot or function as intended.

These limitations are addressed by the process of imaging. Imaging works similar to cloning in that the target computer contains the source computer’s files, but rather than directly transferring all files to the destination disk, the configuration of the source disk is stored as a data file. Because this file represents an exact copy of the source, it is known as an image. The image file can be transferred, or distributed, through a variety of means including removable media (USB hard drive), optical disks (DVD, BluRay, etc.), or over standard network connectivity.

The first step in an image-based deployment is configuring the computer that is used as the source environment for generating an image to be deployed. This source environment is often referred to as the reference system. Once the reference system is configured, it is stored as an image file through a process known as capturing an image. The process of capturing an image cannot be performed while files are in use, so before capturing can begin, you must boot the reference computer to an alternative operating system. The device that contains the alternative operating system is known as the boot media.

Note: The image created from the reference system is commonly known as the reference image or base image. This image serves as the core configuration on which the environment for every deployed computer is built.

Boot media can reside on removable storage (such as a USB stick or optical media), but can also be located on your network. If you use your network as boot media (also known as PXE boot), your computer’s network card must support

the Preboot Execution Environment (PXE) standard. The Surface Pro 3 supports PXE boot through the docking station or Surface Ethernet Adapter. Your reference computer is likely to boot to the hard disk first, so you often need to change the boot order in the system firmware to boot to the boot media containing the alternative operating system. Most computers, including Surface Pro 3, provide a boot menu that enables a device to be selected at startup. Details of how you select your boot media on Surface Pro 3 are shown in Chapter 3.

Once an image file is created, it is stored on local or network storage so that it can later be transferred, or deployed, to the destination computers. This step also involves the alternative operating system provided by boot media, but is effectively the reverse of a capture step, whereby the data in the image file is read and then written to the disk on the new computer.

Sysprep and Generalization

The result of both the imaging and cloning procedures is a set of virtually identical computers. While in many ways you

want the destination computers to be identical to the reference computer, you don’t want everything to be identical. For example, you don’t want the same computer identification and possibly the license/product keys (depending on the

type of license) on multiple computers.

The Windows operating system maintains an identifier which enables each Windows computer to appear as a unique and individual computer when connected to the network. This Security Identifier, or SID, if identical between two systems can produce conflicts with networking software. This is similar to the way you cannot have two computers with the same IP address on the same network. A notable example of software that conflicts with an environment with identical SIDs is Windows Server Update Services (WSUS).

Another scenario where a destination computer and reference computer differ is where there is a variation or change in the hardware configuration. This variation can be a small change, such as using a discrete graphics card rather than the onboard graphics card, or it can be two completely different models of computer where almost every device differs. Drivers from the reference computer could cause conflicts in the destination computer or even result in the computer being unable to boot.

Since a captured image will be identical to the reference system (including SID and licensing data), this data must be removed before it can be deployed. The solution is to use the System Preparation Tool (Sysprep), which is a utility designed to assist with deployment and creation of images. Sysprep works in conjunction with Windows Setup to reset an existing Windows environment to a state in which this information can be regenerated for each new system to which the environment is deployed. This process is known as Generalization. When Sysprep runs, it removes the undesired configuration and information from the system, then reboots to a phase of Windows Setup known as Windows Welcome or the Out of Box Experience (OOBE).

Note: If you don’t run Sysprep, the system is not considered unique, and therefore is not compliant with Microsoft support policy.

The purpose of the OOBE is to present the user with the same welcome screen and prompts as he/she would experience during a typical Windows installation/setup. As expected, the OOBE experience prompts for basic information like computer name, workgroup or domain, and product key.

In some cases you want your users to experience OOBE. An example is those cases where the domain or workgroup of the deployed computers may vary, or where the product key will change for each computer and will require it to be

entered manually. Another example is the pairing wizard for the Surface Pen for Surface Pro 3, which is covered in more

Sector-Based Images

File-Based Images

 Not Serviceable  By drive  Destructive  Not Flexible

 Serviceable  By partition  Non-Destructive  Flexible

detail in the Pen Pairing section of Chapter 8.

In other cases, many of the answers to question prompts are known in advance and are therefore predetermined. In these cases Windows Setup can be configured to supply these predetermined answers to avoid prompting the user. Answers to the setup questions are stored in an Answer File. In addition to supplying answers for the prompts which are presented by the OOBE experience, a wide variety of additional settings are available which instruct Windows Setup to perform additional tasks or to alter its behavior. A complete reference of the available settings for an answer file and Windows Setup is linked in the References section of the Appendix.

Image Servicing

Some 3rd-party imaging tools capture images by reading each sector of the storage media and creating an exact duplicate of the storage media. This type of image is referred to as a sector-based image. Sector-based images have two disadvantages: lack of granularity and poor serviceability.

When a sector-based image is applied to a system, it overwrites the configuration of the storage media that includes partitioning, file systems, etc. As such, it is impossible to apply only part of the image or to apply the image in a way that is non-destructive to the files that reside on the storage media.

As sector-based images lack the ability to distinguish between individual files within the image, they are also difficult to modify, or service, after creation. To explore the files within a sector-based image, a mounting solution is required that emulates a hardware device and presents the data to the operating system sector-by-sector. Due to this level of complexity required for sector-based images to access the files within an image, making modifications or alterations to the files within an image is often less efficient than deploying that image to a system, modifying it, then recapturing.

On the other hand, file-based images, such as those created in the Windows Imaging format (WIM), are not subject to the limitations of sector-based images. File-based images are captured at the file system level and thus are aware of the individual files within them. They can be thought of as a large ZIP or archive file in which all of the files for the environment are stored. They can be deployed to an existing file system without destruction of the data in that file system, which is beneficial for migration scenarios where preservation of user data is required.

File-based images can also be edited directly using tools for servicing the image. For example, an existing file-based image that is configured for a specific make and model of computer can have the drivers and files required for another computer injected or inserted into the image so that it can be deployed to a platform for which it was not originally intended. Another example is where Windows Updates can be applied to a Windows image to ensure that the deployed computer is fully up-to-date.

Table 2.1 outlines the benefits of the different types of image technologies.

Table 2.1: Benefits of Imaging Technologies.

Licensing

An important consideration when deploying the Windows operating system is how licensing will be managed for the deployed devices. There are four standard solutions for the management of licenses and each has implications for the deployment process. These four solutions, described in the following sections, are:

 Single license key  Multiple Activation Key (MAK)  Key Management Service (KMS)  Active Directory-Based Activation (ADBA)

Single License Key

Single license keys are available in several varieties, including Original Equipment Manufacturer (OEM), retail or Fully Packaged Product (FPP), and retail upgrade. In a deployment scenario where the devices are licensed through OEM or FPP channels, the license key will need to be manually entered on each computer individually to properly facilitate activation. Some computers can have operating system product keys embedded into the system firmware through OEM Activation 3.0 (OA 3.0). This includes the product key supplied with the Windows 8.1 Professional installation included with the Surface Pro 3. The order of precedence for product key activation is:

1. Answer file

2. OA 3.0 product key in the system firmware

3. Product key prompt

As such, in order to ensure the OA 3.0 key is used in a deployment to the Surface Pro 3, no answer key should be specified in an answer file or included in the image.

Multiple Activation Key (MAK)

For organizations with Volume Licensing agreements, there are three methods managing licenses. The first is Multiple Activation Key (MAK), which is a license key that can be used on more than one computer, though it must be activated on each. To deploy Windows with a MAK, include the key in the deployment task sequence or specify they key with the answer file. For more information about task sequences, see the Task Sequences section in this chapter.

Key Management Services (KMS)

Another method of managing volume licenses is Key Management Services (KMS). With KMS, an organization maintains a server that manages activation of the clients and communicates the activation data back to Microsoft. To deploy Windows using KMS, no key is required during deployment. Volume License versions of the Windows Client are preconfigured as KMS clients and will attempt to discover a KMS host if no other qualifying license is discovered.

Note: The deployment of images in organizations with Volume Licensing agreements for Windows 8.1 Professional is governed by the Reimaging Rights conferred with that Volume Licensing agreement. This agreement enables reimaging from volume license media to devices with preinstalled versions of the same product. For example, an organization with a pre-existing Windows 8.1 Professional image created from volume license media can deploy that image to the Surface Pro 3 licensed for Windows 8.1 Professional using the license for Windows 8.1 Professional (OEM) included with the system. These rights apply only to the same edition and version of Windows. For example, a Windows 8.1 Enterprise image cannot be used with a Windows 8.1 Professional license. It is recommended to use Volume License Media for deployment to Surface Pro 3.

Active Directory-Based Activation (ADBA)

Beginning with Windows 8, a new activation method was introduced that allows activation through an Active Directory domain. This method enables central activation and management of licensing without requiring the infrastructure necessary for KMS. Active Directory-Based Activation is managed through the Volume License Activation and Management Tool (VAMT), a component of the Windows Assessment and Deployment Kit (Windows ADK) covered in the Microsoft Tools section later in this chapter.

Deployment Types

A deployment can be categorized by the amount of interaction required of a user during the deployment process. The three types of deployment are:

 High-Touch Installation  Lite-Touch Installation  Zero-Touch Installation

It is possible to deploy using more than one deployment type. For example, to deploy to a new computer which is not configured for a management solution or internal network, some level of interaction is required to cause the system to initiate the deployment process, though the process of deployment could be entirely automated as a zero-touch deployment. Each deployment type is discussed in the following sections.

High-Touch Installation

High-touch deployments are characterized by a large degree of user interaction during deployment. A typical high-touch deployment requires the user to perform each separate task manually, often from the command-line. Usually drivers, applications, and customization are all performed manually by the user as well, often on each deployed system. Hightouch deployments are rarely used in scenarios with multiple computers due to the inefficiency and time involved.

Note: A sub-category of high-touch deployment is full-touch installation, a term that is usually used to describe installation from the original installation media and manual installation of applications and drivers.

Lite-Touch Installation

Lite-touch installation (LTI) is a deployment strategy that requires a user to manage and monitor the deployment process, but eliminates many of the repetitive steps and processes, which increases the efficiency of the deployment. The user is often required to boot to the deployment media and to answer basic questions such as the name of the computer and to join a workgroup or domain, but the environment is pre-configured with applications and drivers

which eliminates the need for separate installation or configuration. The deployment can be fully automated but still have to be manually initiated. The Microsoft Deployment Toolkit (MDT) is the recommended tool for LTI deployments. The scenarios covered in Chapter 3, Chapter 4, and Chapter 5 are all lite-touch deployments.

Zero-Touch Installation

In a zero-touch installation (ZTI) deployment there is no human interaction on the client computer. The deployment is performed entirely from the deployment server. Zero-touch deployments usually require a refresh or migration scenario, where the target computers can be instructed to initiate the deployment and utilizes a management solution like System Center Configuration Manager. Zero-touch deployment is covered in Chapter 6.

Deployment Tools

There are many factors to consider when selecting the deployment tools you will use in your organization. This section outlines those tools and helps you understand the factors and considerations to make the appropriate decision for your deployments.

Factors and Considerations

When selecting deployment tools and technologies for application in your organization and environment, there are several factors which bear consideration:

 Ease of use  Serviceability  Scalability  Automation  Compatibility  Price

Ease of use

Ease of use must be seen from two perspectives: the experience of the user or team setting up the infrastructure and the individual or team doing the deployment.

Investing in some automation may initially take some time and require specialized skills, but will make device deployment easier, faster and more consistent in the long run for those actually doing the deployment.

Serviceability

Serviceability was briefly covered earlier in this chapter. Using a file-based imaging technology makes it possible to service the image, whereas sector-based technologies does not. Serviceability ensures the ability to modify an image to keep software updates current, as well as the ability to modify components such as drivers and applications to address new platforms and scenarios. Sector-based imaging by contrast often requires that an image be deployed to a reference machine, manually updated or modified, and then re-captured whenever updates or changes are required.

Scalability

Scalability refers to the ability to use your selected technologies for deployment as your organization grows or you rollout to larger parts of your company. A solution which supports network deployment is a must for scalability.

For larger deployments, there are additional scalability considerations, such as:

 Selecting technologies that maximize performance by minimizing network traffic  Do the technologies cover multiple scenarios, such as:

o Deployment to field or disconnected workers o Distribution across sites or subnets o Bring Your Own Device (BYOD) scenarios o Virtual Desktop Infrastructure (VDI) scenarios

Automation

Automation refers to the ability of a deployment task to be performed without human interaction. Some key considerations in determining the level of automation provided by a deployment tool are:

 Minimizing time and effort required to configure and deploy to your organization.  Ability to reduce repetitive tasks, such as application installation, user data migration, etc.  Ability to configure using graphical, on-screen wizards, instead of complex command-lines. The more complex

and manual a process is, the more the possibility exists that errors will be introduced.

Compatibility

A key requirement of any deployment technology is the compatibility of the solution with the hardware and operating systems in your environment. For example, some deployment tools lack the ability to deploy to latest generation hardware due to changes in the way that storage and firmware are managed. For example, Surface Pro 3 is a UEFI 2.3.1 class 3 device, so many older technologies may not be compatible.

Price

The cost of a deployment solution is an important consideration. You may have some deployment solutions already implemented or licensed in your environment. For example, Windows Deployment Services is a feature included with Windows Server or you may have System Center Configuration Manager already implemented as a management solution. Some of the technologies discussed in this guide, such as Microsoft Deployment Toolkit and Windows Automated Deployment Kit are available at no charge.

Third Party Tools

This guide is written to highlight Microsoft technologies, but it is possible to use some third-party tools and technologies to deploy Surface Pro 3 devices. While this guide is unable to address specific third-party tools, there are two factors to consider:

1. Many third-party tools use sector-based imaging, which makes servicing and automation difficult or impossible.

2. Some third-party tools simply serve as a wrapper around Microsoft tools and technologies. These third-party

tools may leverage boot media provided by Microsoft tools, or employ a mounting solution for servicing sectorbased images, but use Microsoft technologies to do so.

Microsoft Tools

There are many deployment tools and technologies provided by Microsoft for Windows deployment. These tools provide a variety of solutions that range in complexity and functionality. Some tools are very specific utilities designed

to perform only a single task, others are complete solutions that can perform every step of a deployment. Most of the

Tool/Technology

Purpose

Windows System Image Manager (Windows SIM)

Creates and verifies answer files

Deployment Image and Servicing and Management (DISM)

Services and modifies images and environments

tools can be integrated into a complete solution accessed through a single interface, providing a combination of functionality and ease of administration. More details about these tools and solutions are provided in the following sections.

Windows Deployment Services

Included with Windows Server, Windows Deployment Services (WDS) is a solution for the network distribution of images and boot media. WDS provides support for PXE booting which helps to eliminate the need for physical boot media when performing lite-touch deployments. It also natively supports the deployment of images in the file-based Windows Imaging Format (WIM), which is common to all modern Microsoft deployment solutions.

WDS supports management of drivers and the creation of images and can serve as a powerful deployment solution by itself, but works best when combined with the Microsoft Deployment Toolkit covered later in this chapter to provide additional capacity for automation and customization during the deployment process. The version of WDS included with Windows Server 2012 or newer is required for support of UEFI 2.3.1 devices like Surface Pro 3.

Note: For smaller environments without access to Windows Server, the cost of implementing Windows Server to use WDS may be prohibitive. However, Microsoft Deployment Toolkit (MDT) is available at no cost and will operate on a client computer. Even if you are using Windows Server, installing MDT on a client computer can reduce workload by enabling the deployment storage location to be hosted by a Windows client while still supporting the network boot capability of WDS. MDT is described in more detail later in this section.

Windows Assessment and Deployment Kit

The Windows Assessment and Deployment Kit (Windows ADK) is a collection of several tools and utilities that perform specific tasks required during different parts of a deployment. If you are familiar with the Windows Automated Installation Kit (Windows AIK), the Windows ADK is the replacement toolset for Windows 8 and newer operating systems. When downloading the Windows ADK, it is important to ensure that you are downloading the latest update because prior versions of the Windows ADK may not work on later operating systems. Most of this tools are command line only, and are used behind the scenes by other tools such as the Microsoft Deployment Toolkit (MDT).

Inside the Windows ADK there are several components, each described in subsequent sections:

 Windows System Image Manager (Windows SIM)  Deployment Image and Servicing and Management (DISM)  Windows Preinstallation Environment (WinPE)  User State Migration Tool (USMT)  Volume Activation Management Tool (VAMT)

Table 2.2 summarizes the purpose of each Windows ADK tool.

Windows Preinstallation Environment (WinPE)

Alternate boot operating system used to perform deployments and imaging

User State Migration Tool (USMT)

Migrates user data from one environment to another

Volume Activation Management Tool (VAMT)

Centrally manages Microsoft licenses and activation

Application Compatibility Toolkit (ACT)

Mitigates application incompatibilities

Table 2.2: Windows ADK Tools.

Note: The Application Compatibility Toolkit is a powerful tool used to provide compatibility fixes, or shims, to resolve

application compatibility issues. Although it is included in the Windows ADK, it is not covered in this guide.

The Windows Assessment and Deployment Kit can be downloaded from the Microsoft Download Center by following this link:

http://go.microsoft.com/fwlink/?LinkId=293840

Windows System Image Manager

The Windows System Image Manager (Windows SIM) is the utility that creates and manages the answer files used with Sysprep and Windows Setup. Answer files are stored in an XML format, so it is possible to manually edit these files. However, using WISM to manage answer files ensures the resulting file is built from settings confirmed to be valid for the target operating system. Using the Windows SIM helps to ward against human error when performing a deployment with configurations set by the answer file.

Deployment Image Servicing and Management

The Deployment Image Servicing and Management tool (DISM) is one of the most important tools included with the Windows ADK. It is used to mount and service Windows images and replaces the previous imaging solution called ImageX. ImageX was used by the Windows AIK in Windows 7 and Windows Vista. DISM is a command-line utility that supports file and package management in images and can be used to apply updates, drivers, apps, and other configurations to an image. DISM has the ability to service an operating system environment while it is currently running on a computer, or an offline image.

Even with third party tools where servicing is supported, management of a Windows image is typically performed with DISM. DISM is also commonly used in system maintenance and repair. In Windows 8 and later versions of Windows, the DISM utility replaces the deprecated System File Checker (SFC) to verify and repair Windows core operating system files. DISM is also commonly used to add or remove Windows features.

Windows Preinstallation Environment

The Windows Preinstallation Environment (WinPE) is the alternative operating system executed on the boot media used by Windows Deployment Services, the Microsoft Deployment Toolkit, System Center Configuration Manager, and several third party deployment solutions. As a minimalistic environment based on the kernel of the Windows operating system, WinPE supports the same drivers and many of the same commands as the operating system being deployed. This ensures compatibility with the destination computers and provides a highly configurable environment which is able

to meet a wide variety of tasks. Windows PE is runs exclusively from RAM to make sure no files are locked in the disk to which we are deploying a new Operating System.

User State Migration Tool

The User State Migration Tool (USMT) is a command line utility that is used to back up and restore user-specific data and settings. USMT includes two processes, ScanState and LoadState. ScanState is used to backup user settings, either to the network, an external device, or locally on the system in a way that will be preserved through a file-based image deployment using Microsoft tools. LoadState is then used in the deployed operating system to restore the user data and settings for a seamless transition to the new computer.

Volume Activation Management Tool

The Volume Activation Management Tool (VAMT) collects activation data for large deployments by serving as a central relay for communication with the Windows activation servers. It also provides a secure central management solution for product keys and inventory and monitoring services for licensing and activation. VAMT also facilitates management of licensing through Active Directory-Based Activation (ADBA).

System Center Configuration Manager

One of the most feature-rich solutions for the deployment and management of computers within an organization is Microsoft System Center Configuration Manager, also known as SCCM. This enterprise tool serves not only as a utility for facilitating operating system deployment, but also for managing active systems across an enterprise. SCCM enables the deployment of applications, management of updates, and complex reporting of the environment. SCCM is capable of managing not only Windows computers, but also those running non-Microsoft operating systems and mobile devices.

SCCM enables package and update management, so not only can a new environment be pushed to client computers such as Surface Pro 3, but also driver and firmware updates. See Chapter 6 for more information about driver and firmware deployment for Surface Pro 3 scenarios.

SCCM also supports a fully-automated, zero-touch deployment scenario. As a management solution, it is able to seamlessly initiate deployment in a refresh scenario and perform the distribution of the environment without any user interaction. SCCM integrates with the Microsoft Deployment Toolkit integration (see next section for more information), to enable even more functionality, such as support for User Driven Installation (UDI). UDI is a framework that enables an IT department to create a custom deployment wizard to guide users through a specific installation or customization task.

Microsoft Deployment Toolkit

Each of the tools and technologies discussed thus far enable some deployment functionality, but the Microsoft Deployment Toolkit (MDT) pulls all those technologies together, acting as a wrapper to consolidate the configuration and unify the deployment experience.

Note: Early versions of the Microsoft Deployment Toolkit were known as Business Desktop Deployment, or BDD.

The Microsoft Deployment Toolkit is a highly scalable deployment solution. It can be used in deployments for small and medium sized businesses (SMB), or large enterprises alike. MDT can handle small deployments where no servers are available and the deployment files are hosted on a user’s workstation. Likewise, MDT can be used for distributed deployments to multiple sites and thousands of computers across data centers, networks, and domains.

MDT is also highly automated, with an extensive set of preconfigured scripts and a process for scripting each step of a

Tool/Technology

Serviceability

Scalability

Automation

Compatibility

Price

WDS









Included with Windows Server

Windows ADK







No cost

SCCM



May have additional cost

MDT







No cost

Explanation

SCCM and MDT offer the greatest serviceability

SCCM and MDT offer the greatest scalability

SCCM and MDT offer the greatest automation

SCCM and MDT offer the greatest compatibility

MDT and Windows ADK are available at no cost.

deployment through task sequences. Task sequences are series of steps, where each step is performed by a command or script that advances the deployment process. It even lends this automation to the serviceability of the images it manages. It automates the management of drivers, applications, and packages to regulate updates and changes to the image for the easiest maintenance of images and the greatest adaptability to new requirements and situations.

Note: Regardless of your business size or scenario, MDT is the recommended solution for Windows deployment. If your organization uses SCCM or WDS, MDT can be easily integrated without interfering with existing configurations to provide the additional functionality and automation. For organizations already using SCCM as a management and deployment solution, MDT extends the deployment functionality by providing wizards, scripts, templates, and a customizable User Driven Installation (UDI) solution. For environments with WDS, MDT adds the ability to automate image creation and servicing, management of applications during deployment, and greatly reduces the amount of manual labor required to perform simple and regular imaging tasks.

Table 2.3 represents the factors for each of the Microsoft deployment solutions and the ranking within each on a scale of 1 to 5.

Table 2.3: Comparison of Microsoft Deployment Solutions.

Microsoft Deployment Toolkit

As you learned in the Deployment Tools section earlier in this chapter, the recommended solution for Windows deployment for any size organization is the Microsoft Deployment Toolkit (MDT). With its capacity for scalability, MDT is the right tool for the job because it enables you to manage a single image for multiple configurations of hardware and software. Therefore, it is capable of meeting the requirements of any type of deployment. This section gives an overview of the components in MDT and the concepts you’ll need to understand before taking a hands-on tour of MDT in Chapter 3.

The Deployment Workbench

The main user interface in MDT is known as the Deployment Workbench. The Deployment Workbench is presented as a snap-in for Microsoft Management Console (MMC). MMC is a familiar interface that IT Pros are likely to be familiar with, as it is used for other often used tools, such as Disk Management, Services, Event Viewer, and more.

Caution: The first item under the Deployment Workbench is the Information Center, where you will find the documentation for MDT, a getting started guide, and a list of components. It is not recommended to update MDT from the list of components because the incorrect version of the components may be installed. To ensure the latest tools are available to MDT, ensure that the latest version of the Windows ADK is installed.

Deployment Shares

A deployment share is a collection of the major components of MDT which are configured together as a collective unit. It can contain images, applications, drivers, task sequences, boot media, configuration files, and any other deployment component required. A deployment share is essentially a network share in which these components are located. It is hosted as a standard network share and secured through the same permissions and settings as any other folder shared on the network.

After having installed MDT and opening the Deployment Workbench, the Deployment Shares section will be empty, so you’ll need to connect to an existing deployment share or create a new deployment share. When creating a deployment share there are several considerations, as follows:

 Isolation  Scope  Performance  Security

Note: It is important to remember that it is possible to have more than one deployment share, and in many cases it is ideal to have at least two for the reasons outlined in this section. The number of deployment shares that are used in any given environment can vary, but it is common to have more than one.

Isolation

One of the most important reasons to have more than one deployment share is isolation. There are two primary reasons to isolate one deployment share from another:

 The two deployment shares utilize different, incompatible configurations.  Scenarios where deployment shares require different security and permissions.

One common scenario that reflects the need for multiple deployment shares is when one deployment share is configured for a laboratory or testing environment. This deployment share is configured with permissions that permit full access to IT pros and does not contain organizational information such as instructions for the joining of the domain. It is used to prepare base images, test deployment configurations, settings, and applications, and to develop solutions which can be deployed to production deployment shares. Production shares are used to deploy images that are configured to join the domain, permissions are much more restricted, and the deployment solutions may be more automated.

Scope

An important question to ask when considering the number and purpose of separate deployment shares is what those shares are intended to address. In some cases, the scope of a deployment project may be all-encompassing, so the

deployment share must be capable of deploying to an entire organization. In other cases, deployment shares may be only a limited deployment desired for a handful of users or a new set of hardware.

Consider the scenario where a fully developed and implemented solution is available for deploying notebooks and desktops in the organization, but where a handful of Surface Pro 3 devices are being purchased for select users. With these new devices comes the need to ensure that as they reach end users they are configured with select settings required in the organization, but which reflect the new device capabilities, such as touch and Windows 8.1. In this case, you may need to develop a deployment share specific to this new task and initiative.

If you create a new deployment share, you don’t necessarily need to create new images and configure the deployment

from scratch. If you already have images, applications, driver packs, and packages configured, a new deployment share can use those by either copying or linking. This prevents needing to recreate the wheel for your deployments.

It would also be possible to copy the all-encompassing corporate share to a separate server and configured as a new deployment share in which the images, applications, and any other components can be edited, modified, or even removed without disturbing the production share. In this way, an existing corporate image can be quickly modified to apply to new systems without affecting a critical production share.

Performance

In large enterprises, the performance of deployment is a crucial consideration. A deployment share improperly located or configured can result in extended downtime which can translate to work stoppage or loss of productivity. As deployment shares operate over the network, the same performance factors which affect standard file sharing and network communication also apply to deployments through MDT. The same solutions also apply.

For example, in a data center environment for Virtual Desktop Infrastructure (VDI), high performance network connectivity is common to meet the highly demanding nature of the systems in the environment. It would make logical sense in this scenario to ensure that the Deployment Share for those virtual environments was located in the data center for optimum performance. However, even if you have a data center deployment share, it may be better to create a separate deployment share for computers that are in another building or location. The bottom line is that you need to consider the performance of your network in relation to the location of the deployment shares.

Note: Some VDI solutions, such as System Center Virtual Machine Manager, include the ability to manage the creation or replacement of virtual machines.

There may also be scenarios in which offline media is the ideal solution, as MDT is fully capable of generating USB or optical media for physical distribution. Workers who operate remotely from home or contract workers who travel from site-to-site are two examples of where this might apply. Deployment with offline media is covered in the step-by-step process in Chapter 5.

Security

As mentioned before when discussing isolation, security is another important facet in determining how deployment shares should be configured. Beyond the simple concept of a fully open deployment share for system administrators working on the deployment project and another for production users with fully configured security, there are also scenarios where multiple shares can be utilized to provide granular security for targeted deployments.

For example, an organization could operate a deployment share which is available full time to one select set of users who might have the need to refresh their systems at will, but only a limited configuration for deployment is available.

Another deployment share could be used to provide a full-featured deployment across the organization, but is secured so that it is only available to the IT department. Even a third share could be configured with another select deployment configuration and made available only to select groups or users to help facilitate a staggered deployment.

Windows Deployment Wizard

The Windows Deployment Wizard, also known as simply the deployment wizard, is the user interface through which MDT is presented on client or target systems. It can be launched directly through network access to the deployment share or it is the interface presented when launching MDT boot media. The deployment wizard is used to select

between task sequences to run on the client system and to provide any user interaction that wasn’t automated to

complete the deployment process. For example, the deployment wizard can request a computer name or to select between time zones. It can also prompt whether to generate a backup of the computer before deploying the new operating system and whether to encrypt the environment during deployment. An example of a deployment wizard prompt is shown in Figure 2.1.

Figure 2.1. Windows Deployment Wizard Showing Prompt.

The experience provided by the deployment wizard is controlled by a selected task sequence and a configuration file, named customsettings.ini. Customsettings.ini contains settings for technician prompts and supplied answers. For example, automating the process of joining to a domain during deployment can be configured in customsettings.ini. Editing and configuring the customsettings.ini file is shown in Chapter 4 and Chapter 5.

Connectivity to the deployment share is secured by Windows credentials to the network share. When the deployment wizard launches, it will prompt the technician for user credentials each time it is run. However, it is possible to prevent being prompted each time by storing credentials in a configuration file, named bootstrap.ini.

Driver Management

As the Microsoft Deployment Toolkit is able to manage drivers independently of the operating system image, there is a separate section for Drivers in each deployment share. In some scenarios, like a share designed only to deploy to one make and model of computer, you can simply place the available drivers in this section and MDT will automatically select the most up to date applicable drivers for use at the time of deployment.

Note: It is not recommended to leave the drivers section of the deployment share unorganized. Even for a single make and model of computer, different drivers may be required for different environments, such as Windows PE and Windows 8.1. It is always recommended to organize drivers by make/model and operating system.

A deployment share might be used to deploy to many makes and models of computers, or the drivers for a make and model might have incompatibilities with the boot environment. It is recommended to organize your drivers into folders, based on make/model of computer, then by operating system. Within the Drivers section of the deployment workbench folders can be created in which to organize the available drivers and Selection Profiles can be created that target these folders under certain conditions, such as the use of a specific Task Sequence or when certain variables are met.

Selection Profiles are governed by simple configuration files in which a set of components can be selected and identified. Through them the process of selecting application sets, driver sets, and packages can be greatly simplified and automated.

For more details about downloading and configuring Surface Pro 3 drivers and firmware, see Chapter 3 and Chapter 6.

Application Management

Similar to the way drivers are managed, MDT can manage the deployment of applications separate from the operating system image. In order to allow MDT to manage an application, the installation files must first be brought into the deployment share by selecting New Application and specifying the installation files and the commands which apply to the installer. It is also possible to deploy files which are located outside the deployment share, such as if an application installer repository already exists on the network. This is covered in more detail in the Importing Applications section of

Chapter 5.

As outlined in the Considerations for Images section later in this chapter, it is highly recommended to allow MDT to manage as many applications as possible. The reference image should contain only the applications that will never change because they cannot be easily altered after the image is created. For example, you would not build an image with the latest version of Adobe Flash or Oracle Java required for browsing an internal site, because when deploying to another set of computers in the future, you may discover newer versions of those frameworks have become available. When the applications are managed by MDT, you can simply add the updated applications and remove the outdated ones to ensure the latest versions are deployed.

MDT also supports post-deployment only task sequences that facilitate application deployment and operating system configuration. Through these task sequences, the operating system is not re-deployed, but applications can be installed on systems which did not originally receive them. MDT is not a full-fledged application deployment solution as it does not provide management of the deployed systems or applications. For that you would need to implement System Center Configuration Manager. With that said, MDT does support applications to be installed in a base image. Whether this type of configuration is in the best interest of your environment is dependent on the applications in your organization.

Note: MDT provides full support for the management and sideloading of Windows Store apps (APPX). Sideloading is the process of installing modern apps without downloading from the Windows Store. Chapter 4 shows how to manage Windows Store apps with your Windows deployments.

Package Management

Note: The MDT deployment share package management section is, perhaps surprisingly, not provided for management of application packages. Application management is performed by the applications section of the deployment share.

The package management section of a deployment share is provided for management of files provided in the Windows Update Standalone Installer format, .MSU. This can include Windows Updates, language packs, and features such as Remote Server Administration Tools (RSAT) or Internet Explorer. For management of Windows Updates, there are four potential solutions:

1. Windows Update

2. Windows Server Update Service (WSUS)

3. MDT package management

4. Up-to-date images

The least complex method for update management is to allow updates to be provided directly through Windows Update to each computer. This ensures that each environment will receive the full set of applicable updates and management of the process is not required. Though the management effort is reduced when using Windows Update directly on the client computer, the update traffic for each computer is separate and can tax internet connectivity. Downloading updates at the end of the deployment will also increase the deployment time and may require several reboots.

Windows Server Update Services (WSUS) is a feature of Windows Server that provides central management for updates in your organization. This method is recommended in most environments as it provides benefit not only for computers during deployment, but ongoing maintenance. The default deployment process through MDT includes steps that will ensure that updates are applied. Although WSUS aggregates Windows Update traffic on the local network, each computer will still seek to individually communicate with the WSUS server, which does increase demand on the network.

An alternative is to use the package management functionality supplied by MDT to inject the updates into the reference image at the time of deployment. This includes the update packages in the image when it is transferred to the target computer(s) and therefore reduces network traffic. Upon booting of the image the offline injected packages are processed and installed.

The enhance performance, you may want to avoid the installation of offline packages. Instead, the updates can be installed and incorporated into the image by allowing the update process to run and then capturing the image along with updates. This avoids the installation process for each update package, eliminating the time required to run each installation, and reduces network traffic by eliminating duplicate files.

MDT can also be used to manage packages that contain features or packs. Through the selection profile functionality available in MDT, these packages can be targeted to specific computers. An example usage would be to deploy Remote Server Administration Tools (RSAT) for system administrators.

Task Sequences

One of the key mechanisms by which actions are performed by MDT are task sequences. Task sequences are a series of steps that together comprise the actions performed in a deployment and the conditions that control which steps are performed. MDT provides nine out-of-the-box task sequence templates to get you started with task sequences. They are:

 Sysprep and Capture – Task sequences created by this template begins with a reference system, prepares it for

deployment, captures an image, and writes it to the deployment share.

 Standard Client Task Sequence – This template creates a task sequence that includes the default steps for

deploying a Windows client operating system to a new computer or system.

 Standard Client Replace Task Sequence – Task sequences generated from this template are for preparing an

existing operating system for replacement.

 Custom Task Sequence – This template is used to generate a blank task sequence that can be customized.  Litetouch OEM Task Sequence – This template is used by system manufacturers to place an operating system on

a computer for distribution to customers.

 Standard Server Task Sequence – This template is used to create a task sequence for deploying Windows

Server.

 Post OS Installation Task Sequence – Task sequences created from this template can be used to performing any

required task after the operating system is installed. For example, task sequences created from this template can be used to install applications from the deployment share to an already existing Windows environment.

 Deploy to VHD Client Task Sequence – Task sequences created from this template can be used to deploy a

Windows client to a computer using boot to VHD.

 Deploy to VHD Server Task Sequence – Task sequences created from this template can be used to deploy a

Windows Server to a computer using boot to VHD.

Task sequences provide pre-configured processes for deployment tasks that can be controlled or run from the deployment wizard. They can be configured to be manual (allowing the technician to control the process through the supplied prompts and choices), or automated (where the answers to prompts or choices are pre-selected in the task sequence). Task sequences enable the deployment wizard to be configured to prompt the technician for only the essential information, thereby minimizing effort.

Task sequences are often configured to address specific goals or scenarios required during deployment. Here are some examples that show how separate task sequences can be created for each department to address the requirements of that department specifically. The examples below illustrate how it is possible to control the deployment wizard through task sequences to present only preselected options during deployment. Task sequences are shown in more detail in

Chapter 3, Chapter 4, and Chapter 5.

 Financial Department Task Sequence

o Image: Windows 7 Enterprise, required for compatibility with a custom developed application

o Applications: A pre-selected set of applications including Office, accounting software, and the custom

developed application

o Drivers: Drivers are provided for multiple makes/models o BitLocker: Encryption enabled during deployment and enforced by group policy

 Design Department Task Sequence

o Image: Windows 8.1 Update Enterprise o Applications: A choice of available applications including Office and various options for graphics

software

o Drivers: Drivers are provided for multiple makes/models o BitLocker: Encryption is optional during this task sequence

 Sales Department Task Sequence (Surface Pro 3)

o Image: Windows 8.1 Update Enterprise o Applications: A pre-selected set of applications including Office o Drives: A selection profile in which only Surface Pro 3 drivers are available to avoid conflict o BitLocker: Encryption enabled during deployment

Considerations for Images

Creation of the images for use in your deployment environment is one of the most critical tasks for a successful deployment. The configuration of the base image will apply to every machine on which it is deployed. This section discusses best practices for image creation.

The Single Image Goal

In the traditional industry-standard approach for imaging technologies was to create one image for each combination of hardware and software. Even for a single computer make/model in an organization, this can result in a dozen or more images for each possible combination of software. For a dozen computer makes/models, the number of images can climb to well over one hundred. As the number of images increases, so too does the demand on the administrators who manage those images and the infrastructure on which the images reside.

In response to these increasing demands, a solution to increase the efficiency of image management and to help reduce the duplication of tasks was needed. The solution was file-based imaging. Through file-based imaging, a single image can be produced that can be modified to fit multiple scenarios or requirements. For example, for a single computer make/model, a single image can be used with offline servicing and automated application installation to eliminate the need for separate images for each combination of software.

With a deployment solution also supporting automated management of drivers, the need for multiple images can be reduced even further. In an ideal scenario, the use of automated management for applications and drivers can allow an entire organization with varied hardware makes/models and installed applications to be served by a single image. This ideal scenario is commonly known as the single image goal.

Note: This automated management of applications and drivers is provided by the Microsoft Deployment Toolkit (MDT).

To accomplish the single image goal, the image must be configured to be as basic as possible. Only components which are used in all computers and configurations in the organization should be included. The ideal, universal single image is

actually included on the original installation media (either OEM or volume license media) for the operating system. This image file name is install.wim, and is sometimes referred to as the vanilla image.

Although the vanilla install.wim image is the ideal single image, there are a variety of reasons why an organization might elect to create a customized image, such as:

 Customizations only available through Sysprep and image creation

For example: Customization of the local default user profile can only be performed by using Sysprep and an answer file configured with the CopyProfile setting. This instructs Windows Setup to copy the configuration of the Administrator profile to the default user profile before resetting the Administrator profile.

 Deployments of limited scope

For example: If tasked with deploying only to Surface Pro 3 devices with an identical set of applications as quickly as possible, creating a fully-customized image complete with drivers and applications may be quicker than automating application installation.

 Incompatibility with automated installation

For example: Applications that feature only an installation wizard but do not support installation via the command line cannot be deployed outside an image.

 Policy requirements

For example: If an organization’s policy is in place that requires all systems be protected and secured by a third party product, it may be required that this product be included in a custom image to ensure those requirements are met.

Using a Virtual Machine as a Reference System

Though the process of creating a system image includes running Sysprep with the Generalize option (which is designed to remove system specific information and configuration from the image to facilitate deployment to disparate hardware), there are often components which are not compatible with the Generalize process which ultimately interfere with deployment to different hardware. One of the most notable examples are graphics drivers and their associated controlling software. The basic .inf drivers that are stored in the Windows folder are removed by the Generalize step, but components like the NVIDIA Control Panel and AMD Catalyst Control Center are not always reliably removed as they are installed not as drivers, but applications.

To avoid such issues, the best practice is to create images from a reference system which is virtual. Virtual environments are greatly simplified when contrasted against physical systems and do not require any complex drivers which have application style components. There are many virtualization solutions available, and any will work as a platform for image creation. The solution included with Windows Server 2008 and newer is Hyper-V, which is also included with Windows 8 Professional or Enterprise and newer Windows clients.

Note: Images are not compatible across architectures or firmware types. For example, an image of a 64 bit (x86-64) environment cannot be deployed to a 32 bit (x86) environment.

Selecting Applications for the Base Image

Another consideration when planning images is which applications to include in the base image. As described with the single image goal, the ideal configuration for an environment to be captured is as few applications and drivers as possible. With that said, there are certainly times when an application does need to be installed in the base image. For

example, some applications cannot be configured through installation or scripts and require that they be configured in the base image, or as mentioned before there are times when it is simply easier to create a fully configured image for a project where deployment will only be to one type of device with one set of applications.

When selecting the applications to include in an image, there are some points which warrant consideration. Among the most important is the interaction of an application with Sysprep. Some applications are aware of Sysprep, and will reset configurations and activation information when Sysprep is run. An example of this is Microsoft Office. One class of software noted for incompatibility with Sysprep is security software. Modern security software is often designed to protect itself and the core system files from unauthorized access, but those same security measures can also conflict with Sysprep in a way which produces an image which has been prepared but will not boot and which cannot be revered to a pre-Sysprep state.

Also worth consideration are application deployment solutions that can distribute applications to a live operating system. Some notable solutions include Windows Intune, System Center Configuration Manager, and a Post Deployment MDT Task Sequence. In the case of the latter, it may be beneficial to include any application that is not explicitly required in the base image as an application deployed by MDT. This allows for both deployment of the application with a new operating system and a separate deployment of the application to systems that only need the application.

Planning for Deployment

When preparing for a deployment, there are several best practices which should be considered. These best practices have been shown to increase efficiency and to reduce the impact of issues that might be encountered during the deployment process. The more complex your environment or the larger the organization, the more likely it is that you’ll encounter unforeseen issues. This section outlines some best practices to consider to minimize this impact.

Laboratory Testing

To help ensure that conflicts and incompatibilities are not encountered when performing a deployment, the first best practice is to test your deployments in a laboratory environment before piloting and deploying into production. By testing each task and process before it is implemented in a way that can impact users, issues which would otherwise impact uptime and the ability to perform business are often found and resolved before users encounter them. This is shown in Figure 2.2.

Develop Deployment

Process

Start

Deployment

Successful?

Import Deployment

Into Production

YES

End

YES

Test Deployment

Deployment

Successful?

Pilot Deployment

(Limited Scope)

Production

Deployment

Figure 2.2: Process for Testing and Piloting a Deployment.

Pilot Deployments

Once you have tested your deployments in a lab or VM, it is a good idea to deploy into production on a limited basis. Though lab testing can uncover many of the issues that would be faced by users, there may be unforeseen circumstances that exist in your production environment. Some important considerations for sizing a pilot deployment include:

 Support staff

 Pilot scope

Whether it be to explain how the user interface has changed or a system crash caused by an unforeseen incompatibility, the users of a new piloted operating system are likely to encounter issues requiring attention. This increased need for support should be considered before deploying to users who might overwhelm support staff.

When selecting users for a pilot, it is important to consider which users would represent a reasonable facsimile

of the production environment. For example, if you are deploying organization wide, but you pilot the deployment only to the financial department, the pilot does not provide a reasonable indication that the deployment will likewise be successful in the graphics department where hardware and software configurations may be different.

 Pilot duration

The more complex an environment, the more time you should give to pilot a deployment. It is important to allow enough time for the computers and users involved in the pilot program to uncover any issues with applications, configurations, drivers, etc.

 Comparable usage

It is important that users involved in a pilot deployment use the computers in the same way as a production system to ensure that potential issues or bugs are uncovered. For example, if users are allowed to work offsite with a production Surface Pro 3 device, they should be allowed to do so in the pilot program as well. This will ensure that any incompatibilities with devices in offsite environments are also uncovered.

Staggered Deployments

In a staggered deployment, the organization or production environment is divided into smaller sections with similar requirements and deployment is performed to these smaller sections one at a time. For example, consider an organization that has these functional areas:

 Executive  Administrative  Design  IT

You likely want to deploy to each functional area/department at a time instead of all departments at once. You might want to consider the “importance” of those functional areas. You want to ensure there are no deployment problems before deploying to your executives. Alternatively, it is common to break up deployments by geographical location. In an organization with offices in three separate buildings, the deployments may be performed by building.

Proper planning of a deployment can help to avoid the scenario where a deployment causes work stoppage or falls behind schedule. With the highly granular and modular nature of the Microsoft Deployment Toolkit, the deployment process can be divided or split without a loss of efficiency. The work done to deploy to one part of an organization can easily translate to another part with the ability to copy or link deployment shares and to manage applications and drivers separate from the system images.

“White Glove” Delivery

Receiving a new computer can be a radical change for some users. Not all users adjust to the changes of a new device at the same pace and, in some cases, users can end up frustrated or dissatisfied with a device simply due to a lack of familiarity that is otherwise a significant improvement. Some scenarios where this commonly occurs include:

 Changing between operating system versions, such as moving from Windows 7 to Windows 8.1  Changing between form factors, such as replacing a desktop with a tablet  Introducing new technologies, such as touch capabilities

A recommended tactic to help the end user adjust to the new experience is a “white glove” delivery, in which IT or support staff deliver the new device. When delivering the device, they review with the user the new features or functionality, and assist the user in this adjustment process. When a user adjusts to a new Surface Pro 3 device, it may encompass multiple scenarios at the same time (new form factor, touch, and new operating system). Therefore, as a best practice, make sure you understand the needs of your users and try to understand their pain points so you can address them proactively. It may be a good idea for your organization to construct a welcome guide or video to help guide users through the process. For Surface Pro 3 readiness materials, see the References section in the Appendix.

PART II

DEPLOYMENT

STEP-BY-STEP

Chapter 3 – Manual Deployment with MDT

This chapter shows you how to perform a basic deployment, which includes no customization. It simply shows you how to install and configure all required deployment tools, then deploy a preconfigured image, install.wim, to a Surface Pro 3 device from a deployment computer, known throughout this chapter as a manual deployment. In a manual deployment, the user is prompted to input many fields, such as administrator password, domain, etc. However, because the answers to the prompted questions are not preconfigured in this deployment scenario, it is the simplest type of deployment. Subsequent chapters show increasing levels of automation, but also increase the complexity of configuring the deployments.

The manual deployment scenario is not intended to be a best practice for a large enterprise, but may be appropriate for a small business where customization will take place after installation or serve as a framework for additional deployment configurations. In either case, if you have never performed a deployment, it is a good idea to follow the procedures in this chapter to serve as an introduction to how the tools work.

Caution: Following the instructions in this chapter will overwrite the operating system and data on your Surface Pro 3 device.

The manual deployment scenario discussed in this chapter is comprised of two physical computers: A computer running the deployment tools (referred to as the deployment server) and a Surface Pro 3 device, known as the deployment target. The computer running the deployment tools in this scenario requires Windows Deployment Services (WDS), so it must run any supported version of Windows Server.

Note: The deployment server can be either physical or virtual, but must have connectivity to the same network as the Surface Pro 3.

The environment for the manual deployment scenario, as shown in Figure 3.1, is configured as follows:

 Deployment Server – Windows Server with deployment tools installed  Target Computer – Surface Pro 3 device

Note: Windows Server 2012 or newer is recommended to ensure compatibility between the included Windows Deployment Services and the UEFI platform used by Surface Pro 3.

Surface Pro 3 Device

Deployment Server

Figure 3.1: Overview of Lab Environment.

The overall process is that deployment server running the deployment tools is responsible for deploying install.wim as a base image to the Surface Pro 3 device. Any desired customizations will need to be performed directly on the device(s) after deployment, or you can customize your deployments by incorporating elements of more complex scenario examples in later chapters of this guide.

Installing Deployment Tools

The first step in any deployment is to ensure you have the deployment tools installed on the deployment server, which must be installed in the following order:

 Windows Assessment and Deployment Toolkit (or Windows ADK) – contains the foundation needed by MDT.  Microsoft Deployment Toolkit (MDT)  Windows Deployment Services (WDS)

Note: There is no charge to download and install Windows ADK or MDT. There is also no charge for WDS, as long as you already have a licensed installation of Windows Server

Windows Assessment and Deployment Kit

The installation files for the Windows ADK are found online at the Microsoft Download Center. When downloading these files, it is important to select the most recent version that is compatible with your operating system, which at the time of this writing is the Windows ADK for Windows 8.1 Update. The link is

http://go.microsoft.com/fwlink/?LinkId=293840, which brings you to the download page, shown in Figure 3.2.

Figure 3.2: Downloading Windows ADK.

To permit downloads in Internet Explorer (IE) on Windows Server 2012 R2, you’ll need to disable Internet Explorer

Enhanced Security Configuration (IE ESC), which is shown in Figure 3.3. This can be done in Windows Server 2012 R2 in the Local Server tab of Server Manager.

Figure 3.3: Disabling Enhanced Security Configuration.

The Windows ADK download includes a small setup file that is used to select and download only the desired components. It presents you with a screen where you select the desired products you would like to install, as shown in Figure 3.4. The bare minimum required for MDT are the Deployment Tools and Windows Preinstallation Environment

(WinPE) options.

Figure 3.4. Windows ADK Installation Options.

Microsoft Deployment Toolkit

After the Windows ADK is installed, you need to download and install the Microsoft Deployment Toolkit (MDT), which is

the primary tool you’ll use for your deployments. The link to the main MDT page is http://technet.microsoft.com/en-

US/windows/dn475741. From there you can select the latest MDT download that is applicable for your operating

system. At the time of this writing, MDT 2013 was the latest version, as shown in Figure 3.5.

Figure 3.5: Downloading Microsoft Deployment Toolkit (MDT) 2013.

When downloading MDT, the only required component is the installer for the processor architecture on which MDT will be installed. The installers are the MSI files designated as x64 for 64-bit and x86 for 32-bit architectures respectively. Also available is an extensive set of documentation including the standard deployment guides for Windows. These options are shown in Figure 3.6.

Figure 3.6: MDT 2013 Download Options.

After you download and run the applicable MSI setup application, follow the prompts and accept all of the defaults.

Windows Deployment Services

After Windows ADK and MDT are installed, you need to install and configure Windows Deployment Services (WDS) to allow network boot in the environment. Each is described in the following sections.

Installing WDS

Because WDS is a role within Windows Server rather than a separate application, it does not need to be downloaded. Instead you install WDS using Server Manager in Windows Server by following these steps:

1. Open Server Manager.

2. Click the Manage  Add Roles and Features menu as shown in Figure 3.7.

Figure 3.7: Windows Server 2012 R2 Server Manager.

3. Clicking Add Roles and Features brings up the Add Roles and Features Wizard shown in Figure 3.8.

Figure 3.8: Add Roles and Features Wizard.

4. The Add Roles and Features Wizard presents a series of steps, as follows:

 Before You Begin – Presents an introductory page. Click Next.  Installation Type – Select from one of these installation types:

o Role-based or feature-based installation. Ensure this option is selected and click Next. o Remote Desktop Services installation. This option is used in a Virtual Desktop Infrastructure (VDI)

environment, but is out of scope for this guide.

 Server Selection – Ensure the correct server is selected and click Next.  Server Roles – Select Windows Deployment Services. Immediately after clicking this option, you are

prompted to add additional required features, as shown in Figure 3.9.

Figure 3.9: Add Roles and Feature Wizard Additional Features Prompt.

Click Add Features to accept the new features and return to the Add Roles and Features Wizard main page. Click Next.

 Features – Click Next to accept the newly selected required features.  WDS – Description page for WDS. Read this page and click Next.  Role Services – Ensure both Deployment Server and Transport Server are selected.  Confirmation – Displays a summary of the options selected.

Configuring WDS

After installing WDS in the prior section of this chapter, WDS needs to be configured to enable network boot. Network boot enables network adapters capable of PXE boot to access boot media created in the Preparing Boot Media section later in this chapter.

To configure WDS, follow these steps:

1. Launch the Windows Deployment Services console from the Start Screen under Administrative Tools on your

deployment server.

2. Right-click the name of the deployment server in the Servers tree and click Configure Server. This launches the

Windows Deployment Services Configuration Wizard, as shown in Figure 3.10.

Figure 3.10: Windows Deployment Services Configuration Wizard.

3. The Windows Deployment Services Configuration Wizard presents a series of steps, as follows:

 Before You Begin – Shows a description of WDS and the prerequisites. Click Next.  Install Options – Select the Standalone server option to install WDS without active directory. Click Next.  Remote Installation Folder Location – Enter or select the path where you would like to store the WDS

components that will be accessed by the remote client and click Next. The selected folder must be located on an NTFS volume and should not be located on the system volume.

 PXE Server Initial Settings – Enables you to configure which clients will receive a response from WDS when

attempting to network boot, as shown in Figure 3.11. Select the applicable choice from the following, then click Next:

o Do not respond to any client computers – Use this setting if you want to configure WDS without

enabling network boot, as in the case when you are staging and configuring a WDS server. This scenario does not use this option.

o Respond only to known client computers – Use this setting if you want to configure which

computers WDS will respond to. This scenario does not use this option.

o Respond to all client computers (known and unknown) – Select this option, which ensures that

your Surface Pro 3 device can network boot without additional configuration. Additionally, the Require administrator approval for unknown computers checkbox can be selected to require approval through the WDS console for unknown machines. For this scenario, do not select this option.

Figure 3.11. PXE Server Initial Settings.

 Task Progress – Displays a progress bar during the configuration of WDS. Click Finish to close the Windows

Deployment Services Configuration Wizard.

Creating a Deployment Share

The main user interface in MDT is the Deployment Workbench, which is where you will create task sequences and lists of actions that MDT will perform. Sequences provide the workflow for deployment. They define when and how to perform the various tasks required to produce the desired Windows environment. When they are run they pass the instructions to perform these tasks to the independent components and tools that perform the actions, such as the MDT scripts or tools from the Windows ADK. More information on Task Sequences can be found in the Microsoft

Deployment Toolkit section in Chapter 2.

The MDT deployment workbench is comprised of two sections:

 Information Center – Contains help documentation and lists installed and available components. This example

scenario does not use the information center. Caution: The list of installed and available components may be shown for older operating systems, so use with caution.

 Deployment Shares – Contains a list of all the deployment shares and sub-folders. By default, there will be no

deployment shares listed. Right-click the Deployment Shares folder and click New Deployment Share. This brings up the New Deployment Share Wizard, as shown in Figure 3.12.

Figure 3.12: New Deployment Share Wizard.

The New Deployment Share Wizard presents a series of sequential steps, as follows:

 Path – Enter the path to your deployment share. It can reside anywhere you would locate a shared folder, but

for this scenario, you can accept the default path of C:\DeploymentShare. Click Next.

 Share – Enter the name of the deployment share. The default inclusion of the dollar sign ($) character indicates

that an administrative share is created, causing the deployment share not to be visible when browsing the network. You can accept the default value of DeploymentShare$. Click Next.

Note: The deployment share name cannot contain spaces. Some of the scripts included in MDT are not compatible with deployment share names that contain spaces.

 Descriptive Name – Give the deployment share a descriptive name. By default, this value is MDT Deployment

Share, which is acceptable for this scenario. This value is used to differentiate between deployment shares in the MDT Deployment Workbench. Click Next.

 Options – Enables the configurations of defaults for this deployment share, as shown in Figure 3.13. For this

scenario, ensure all of the following options are selected, then click Next:

o Ask if a computer backup should be performed – If selected, this option prompts the user to create an

image backup of the computer before performing the deployment.

o Ask for a product key – If selected, this option prompts the user for product key during the deployment

process. This option is not selected by default.

Note: Single license keys must be entered individually on each computer, so this option should be checked in most scenarios. However, MAK volume license keys are specified in MDT task sequences, so this option should not be checked in those scenarios. If you are using KMS volume license activation, this option should be unselected because activation is an automatic process.

o Ask to set the local Administrator password – If selected, this option prompts the user for a password

for the local Administrator account. This option is not selected by default.

o Ask if an image should be captured – If selected, this option prompts the user if a system image of the

target computer should be created for deployment to other computers. This option is selected by default.

o Ask if BitLocker should be enabled – If selected, this option prompts the user if the file system should

be encrypted with BitLocker during the deployment process. This option is selected by default.

Figure 3.13: New Deployment Share Options.

All deployment share options are discussed in more detail in Chapter 4.

 Summary – Review the summary of your deployment share configuration and click Next.  Progress – Displays a progress bar during the creation of the deployment share.  Confirmation – Displays confirmation of success or errors generated during deployment share creation. Click

Finish to close the New Deployment Share Wizard.

After the deployment share is created, you’ll see many sub-folders under the name of the deployment share in the

Deployment Shares tree, as shown in Figure 3.14.

Figure 3.14: Folders Created For New Deployment Share.

Importing an Operating System

A newly created deployment share is empty and contains no operating system files, drivers, or any other configurations. Therefore, the first step after creating a new deployment share is to import the files for the operating system intended for deployment to the target computer(s).

For this scenario, you will import the standard install.wim image as the operating system, by following these steps:

1. Locate installation media that contains the install.wim file. This installation media is typically located on a

physical DVD, USB stick, ISO file, etc.

2. Insert or mount the installation media on the deployment server (where the deployment tools are installed).

3. In the MDT Deployment Workbench, expand the newly created deployment share.

4. Right-click Operating Systems and click Import Operating System. This launches the Import Operating System

Wizard, as shown in Figure 3.15.

Figure 3.15: Import Operating System Wizard.

5. The Import Operating System Wizard presents a series of steps, as follows:

 OS Type – Select the type of operating system to add. Select the Full set of source files option. A full set of

files is required for each operating system you will deploy. More details about the other options is discussed in Chapter 4. Click Next.

 Source – Enter or browse to the path containing the full set of source files. This will be the drive or mounted

ISO file you identified in Step 2. This step is not available if you select Custom image file or Windows Deployment Services images in the prior step. Click Next.

 Image – Enter or browse to the path of your custom WIM file. This step is not available if you select Full set

of source files or Windows Deployment Services images in the first step. Click Next.

 Setup – Enter or browse to the set of full source files for the operating system in your custom WIM file. This

option is not available if you select Full set of sources files or Windows Deployment Services images in the first step. Click Next.

 WDS Server – Enter the name of the WDS server from which you will import all images. This option is not

available if you select Full set of sources files or Custom Image file in the first step. Click Next.

 Destination – Enter the name of the folder where the operating system files will be stored. This folder is

created in the deployment share on the deployment server. For example, you could enter Windows 8.1 as the destination. Click Next.

 Summary – Review the summary of your operating system import configuration and click Next.  Progress – Displays a progress bar during the importing of the operating system files.

 Confirmation – Displays confirmation of success or errors generated while importing the operating system

files. Click Finish to close the Import Operating System Wizard.

After you import the operating system files and close the Import Operating System Wizard, the MDT Deployment

Workbench will look similar to the one shown in Figure 3.16.

Figure 3.16: Deployment Workbench after Importing Operating System.

Note: The default name given to the operating system is specified in the operating system source files. You can rename the operating system by right-clicking the imported operating system and clicking Rename.

Note: As Surface Pro 3 is a 64 bit device with UEFI, a 64 bit operating system is required.

Importing Drivers

While some computers such as virtual machines, can boot from the MDT boot media without additional drivers, the Surface Ethernet Adapter requires additional drivers that must be added to the boot media. Additionally, the deployed Surface Pro 3 devices require additional drivers to enable the deployed operating system to function as intended. In order to include these drivers in a deployment, they must first be imported into the deployment share.

Downloading the Surface Pro 3 Firmware and Driver Pack

For Surface Pro 3, as well as Surface Pro and Surface Pro 2, drivers are made available through the Microsoft Download Center, on the Surface Pro 3, Surface Pro 2, and Surface Pro firmware and driver packs page. This page can be accessed at http://go.microsoft.com/fwlink/?LinkID=301483, and is shown in Figure 3.17.

Figure 3.17: Microsoft Download Center Page for Firmware and Driver Packs.

At the time of writing, the following resources are available for download:

 Surface Ethernet Adapter.zip – Provides drivers for the Surface Ethernet Adapter accessory.  Surface Gigabit Ethernet Adapter.zip – Provides drivers for the Surface Gigabit Ethernet Adapter accessory.  Surface Pro - Enterprise Deployment Quick Start Guide-June2013.pdf – Instructions for enterprise deployment

for Surface Pro and Surface Pro 2, in English

 Surface Pro - Enterprise Deployment Quick Start Guide-June2013_JP.PDF – Instructions for enterprise

deployment for Surface Pro and Surface Pro 2, in Japanese.

 Surface Pro 1 - August 2014.zip – A collection of the drivers and firmware for Surface Pro.  Surface Pro 2 - July 2014.zip – A collection of the drivers for Surface Pro 2.  Surface Pro 3 - September 2014.zip – A collection of the drivers for Surface Pro 3.  SurfacePro3PenDriverOct62014.zip – An updated driver for Surface Pen.  Windows8.1-KB2969817-x64.msu – An update for the firmware update process.

For Surface Pro 3 deployment, the Quick Start guides and collections for Surface Pro and Surface Pro 2 are not required.

Importing Drivers for Windows PE

When configuring a deployment share for an organization that uses many computer models, each using different drivers, it is advisable to create a separate selection profile for the WinPE boot media. This will help to prevent any conflicts with drivers and functionality that is not provided in WinPE. The drivers most frequently required by WinPE are network and storage drivers. To make drivers available to the selection profile, they must be imported into the deployment share. To import the Surface Ethernet Adapter drivers for WinPE, follow these steps:

1. Open File Explorer and navigate to the download location for the Surface Pro 3 drivers.

2. Extract the Surface Ethernet Adapter and Surface Gigabit Ethernet Adapter ZIP archives to a folder on the

production deployment server.

3. Open the MDT Deployment Workbench.

4. Expand the deployment share tree and select the Out-of-Box Drivers folder.

5. Select the New Folder option from the Actions pane to launch the New Folder dialog box as shown in Figure

3.18.

Figure 3.18: New Folder Dialog Box.

6. The New Folder dialog box shows the following options:

 General Settings – Specify the name WinPE and any desired comments and then click Next.  Summary – Confirm the specified options and click Next.  Progress – A progress bar will be displayed as the folder is created.  Confirmation – Confirmation of the successful creation of the folder will be displayed here. Click Finish.

7. Select the newly created WinPE folder in the Out-of-Box Drivers folder.

8. Select the Import Drivers option from the Actions pane to launch the Import Driver Wizard, as shown in Figure

3.19.

Figure 3.19: Import Driver Wizard.

9. The Import Driver Wizard presents a series of steps.  Specify Directory – Enter or browse to the folder in which the extracted drivers are located and click Next.

Note: Drivers are imported at the folder level. Therefore, when you import drivers and specify a folder, all

drivers in that folder are imported. WinPE should have only those drivers necessary to boot and connect to the network. In this scenario, only the Surface Ethernet Adapter drivers are required, so it is a good idea to locate all other drivers in a separate folder.

 Summary – Confirm the specified options and click Next.  Progress – A progress bar will be displayed as the drivers are imported.  Confirmation – Confirmation of the successful import of the drivers will be displayed here. Click Finish.

10. Repeat steps 7-9 and the Import Driver Wizard if required for the second Ethernet adapter folder.

Creating the WinPE Selection Profile

After the drivers for WinPE are imported into the deployment share, the deployment share needs to be configured to use these drivers when creating boot media by following this procedure:

1. Expand the Advanced Configuration folder of the production deployment share in the Deployment Workbench.

2. Select the Selection Profiles folder.

3. Select New Selection Profile from the Actions pane to launch the New Selection Profile Wizard.

4. The New Selection Profile Wizard presents the following options:

 General Settings – Specify the name WinPE for the selection profile and any desired comments, then click

Next.

 Folders – Expand the deployment share tree and the Out-of-Box Drivers folder and check the box next to

the WinPE folder as shown in Figure 3.20.

Figure 3.20: WinPE Folder Selected In Selection Profile.

 Summary – Confirm the specified options and click Next.  Progress – A progress bar will be displayed as the selection profile is created.  Confirmation – Confirmation of the successful selection profile creation will be displayed here. Click Finish.

5. Right-click the deployment share and select Properties and perform these actions:

 Select the Windows PE tab.  Select x64 from the Platform drop down menu, as shown in Figure 3.21.  Select the Drivers and Patches tab.  Select WinPE from the Selection profile drop down menu shown in Figure 3.21.

Figure 3.21: Windows PE Selection Profile.

 Click OK to apply the changes and close the window.

Note: Repeat step 5 for the x86 platform if you are using boot media for 32 bit systems.

Importing Drivers for Windows 8.1

Now that the drivers are configured for the boot media to enable Surface Pro 3 devices to launch the deployment process from network boot, the drivers for the operating system need to be supplied. As with WinPE, it is beneficial to organize the drivers used for different operating systems and models. This helps to avoid conflict where different models may use different versions of the same driver that are incompatible with one another. Selection profiles will be used to specify the operating system and the model used.

To import the drivers for the operating system, follow these steps:

1. Open File Explorer and navigate to the download location for the Surface Pro 3 drivers.

2. Extract the Surface Pro 3 collection and Surface Pro 3 Pen ZIP archives to a folder on the production deployment

server.

3. Open the MDT Deployment Workbench.

4. Expand the deployment share tree and select the Out-of-Box Drivers folder.

5. Select the New Folder option from the Actions pane to launch the New Folder dialog box.

6. The New Folder dialog box presents the following options:

 General Settings – Specify the name Windows 8.1 x64 and any desired comments and then click Next.  Summary – Confirm the specified options and click Next.  Progress – A progress bar will be displayed as the folder is created.

 Confirmation – Confirmation of the successful creation of the folder will be displayed here. Click Finish.

7. Select the Windows 8.1 x64 folder.

8. Select the New Folder option from the Actions pane to launch the New Folder dialog box.

9. The New Folder dialog box presents the following options:

 General Settings – Specify the name Surface Pro 3 and any desired comments and then click Next.  Summary – Confirm the specified options and click Next.  Progress – A progress bar will be displayed as the folder is created.  Confirmation – Confirmation of the successful creation of the folder will be displayed here. Click Finish.

10. Select the newly created Surface Pro 3 folder.

11. Select the Import Drivers option from the Actions pane to launch the Import Driver Wizard.

12. The Import Driver Wizard presents the following options:  Specify Directory – Enter or browse to the folder in which the extracted drivers, including the Surface

Ethernet adapters, the Surface Pro 3 collection, and the Surface Pro 3 Pen driver, are located, then click Next.

All of the drivers provided by the driver and firmware pack downloads should now appear inside the Surface Pro 3 folder. This includes the drivers that provide firmware updates to Surface Pro 3, as shown in Figure 3.22. These drivers will be injected into the deployment image as part of the deployment task sequence and therefore will be preinstalled in the image that is written to Surface Pro 3. When the firmware drivers are written to the Surface Pro 3 device for the first time, as part of the image, the firmware updates will be applied when the computer is restarted. This restart occurs automatically as a part of the deployment process.

Figure 3.22: Deployment Share Showing Surface Pro 3 Firmware Drivers.

Creating the Surface Pro 3 Win 8.1 x64 Selection Profile

In a production deployment share with multiple makes and models of computers, there may incompatible drivers available. You need to ensure that only Surface Pro 3 drivers are deployed to Surface Pro 3 devices. The mechanism to specify which drivers are to be deployed to specific computers is to configure another selection profile, by following these steps:

1. Expand the Advanced Configuration folder of the deployment share.

2. Select the Selection Profiles folder.

3. Select New Selection Profile from the Actions pane to launch the New Selection Profile Wizard.

4. The New Selection Profile Wizard shows the following options:  General Settings – Specify the name Surface Pro 3 Win 8.1 x64 for the selection profile and any desired

comments, then click Next. Note: Though the Surface Pro 3 supports only Windows 8.1 Update 64 bit, it is recommended to include the operating system and architecture in all model selection profile names to allow for separate selection profiles for each model, operating system, and architecture.

 Folders – Expand the deployment share tree, the Out-of-Box Drivers folder, and the Windows 8.1 x64

subfolder, and then check the box next to the Surface Pro 3 folder as shown in Figure 3.23.

Figure 3.23: Windows 8.1 x64 Folder Selected In Selection Profile.

Creating the Task Sequence

You have now installed the deployment tools, created a deployment share, and imported operating system files and drivers. All required components are configured and you are ready to begin configuring how the deployment will be performed. The deployment process is controlled through task sequences. For more details about task sequences, refer to the Task Sequences section of Chapter 2.

Creating the Deployment Task Sequence

Task sequences are configured in the MDT Deployment Workbench. For this scenario, you will create a basic task sequence that deploys the imported operating system to the target Surface Pro 3 device. You create a task sequence by following these steps:

1. In the MDT Deployment Workbench, expand the deployment share.

2. Right-click Task Sequences and click New Task Sequence. This launches the New Task Sequence Wizard, as

shown in Figure 3.24.

Figure 3.24: New Task Sequence Wizard.

3. The New Task Sequence Wizard presents a series of steps, as follows:

 General Settings – Enter the Task sequence ID and Task sequence name. These fields are used to uniquely

differentiate this task sequence from others in the deployment share. For example, a task sequence to deploy Windows 8.1 Update Enterprise, you can enter a Task sequence ID of DplyWin8.1Ent and a Task

sequence name of Deploy Windows 8.1 Update Enterprise. Click Next. Note: The Task sequence ID field only allows for 16 characters with no spaces.

 Select Template – Select Standard Client Task Sequence from the dropdown list of predefined templates.

For more information about the additional templates, refer to Chapter 2. Click Next.

 Select OS – Select the imported operating system from the list. Click Next.  Specify Product Key – Ensure the Do not specific a product key at this time option is selected. For this

scenario, the product key will be entered at the time of deployment. Click Next.

 OS Settings – Enables you to configure the following basic operating system settings, then click Next:

o Full Name – Enter full name you’ll use to register the operating system. This field is required. o Organization – Enter the name of your organization you’ll use to register the operating system. This

field is required.

o Internet Explorer Home Page – Enter the URL of the home page that comes up when Internet

Explorer is launched. This field is required.

 Admin Password – Enter a strong password for the local Administrator account. Click Next.  Summary – Review the summary of your new task sequence and click Next.  Progress – Displays a progress bar during the creation of the new task sequence.

 Confirmation – Displays confirmation of success or errors generated while creating the task sequence. Click

Finish to close the New Task Sequence Wizard.

Configuring Driver Selection

To configure the task sequence to use the selection profile, follow these steps:

1. Right-click the production deployment task sequence and select Properties.

2. Select the Task Sequence tab.

3. Expand the Preinstall folder and select the Inject Drivers step as shown in Figure 3.25.

4. Select the selection profile that you created for Surface Pro 3 from the Chose a selection profile: drop down

menu as shown in Figure 3.25.

5. Change the option from Install only matching drivers from the selection profile to Install all drivers from the

selection profile as shown in Figure 3.25. Note: This will force all drivers selected in the selection profile to be installed, even if the PnP signature is not

available on the system. This is important for Surface devices because some components are not visible until drivers for other components are installed.

Figure 3.25: Inject Drivers Step with Selection Profile Configuration.

Note: Specifying the selection profile in the deployment task sequence will make the task sequence applicable to Surface Pro 3 only. Selection profiles can also be specified with model specific deployment share rules. See the Customizing Rules for Automation section of Chapter 5.

Preparing Boot Media

Preparing boot media is comprised of two separate steps, each of which is described in this chapter:

 Generating boot media – creates the media that the target deployment computer boots from.  Configuring network boot – configures the environment that enables the boot media to read the deployment

share on the deployment server.

The concept of boot media is described in more detail in Chapter 2.

Generating Boot Media

After the task sequence is created, you need to generate the boot media to be used on the Surface Pro 3 device that will connect to the deployment share (including access to the task sequence and source files). To generate boot media, follow these steps:

1. In the MDT Deployment Workbench, expand the deployment share.

2. Right-click the name of your deployment share and click Update Deployment Share. This launches the Update

Deployment Share Wizard, as shown in Figure 3.26.

Figure 3.26: Update Deployment Share Wizard.

3. The Update Deployment Share Wizard presents a series of steps, as follows:  Options – Enables you to select the desired option for updating the boot media. For this scenario, you can

simply click Next because there is no boot image to update.

 Summary – Review the summary of updating the deployment share and click Next.  Progress – Displays a progress bar of updating the deployment share.

Note: Both 32-bit and a 64-bit boot images are created. By default, these images are named LiteTouchPE_x86.wim and LiteTouchPE_x64.wim respectively and are located in the Boot folder on the

deployment share.

 Confirmation – Displays confirmation of success or errors generated while updating the deployment share.

Click Finish to close the Update Deployment Share Wizard.

Importing Boot Media into WDS

You have now installed and configured WDS for network (PXE) boot and created a basic deployment share to support this scenario. Now you need to add the previously created boot image into WDS to make it available to the PXE boot clients, such as a Surface Pro 3 device.

To import the boot image into WDS, follow these steps:

1. Launch the Windows Deployment Services console from the Start Screen under Administrative Tools on your

deployment server.

2. Expand the name of your server in the Servers tree and right-click the Boot Images folder. Click Add Boot

Image. This launches the Add Image Wizard.

3. The Add Image Wizard presents a series of steps, as follows:

 Image File – Select the LiteTouchPE_x64.wim boot media image file you created earlier in this chapter. Click

Next.

 Image Metadata – Prompts you for the image name and description. For this scenario, accept the default

values. Click Next.

 Summary – Review the summary of the image to be imported and click Next.  Task Progress – Displays a progress bar during the importing of the boot image. Click Finish to close the Add

Image Wizard.

After the boot image is imported, you’ll see it listed in the Boot Images folder in WDS console, as shown in Figure 3.27.

Figure 3.27: WDS Console Showing Imported Boot Image.

Deploying the Basic Scenario

After creating the deployment share in MDT and configuring WDS, you are ready to deploy to the target Surface Pro 3 device. The deployment method is specific to the manual deployment scenario because it requires several prompts to be addressed on the target computer during the deployment process.

Booting from the Network

To deploy the prepared image to your Surface Pro 3 device, you will need to boot the device from the network. For Surface Pro 3 devices this can be done with a simple combination of buttons. To boot your Surface Pro 3 from the network, follow this procedure:

Note: Network booting with a Surface Pro 3 device requires either the Surface Ethernet Adapter or the Surface Pro 3 Docking Station. Other third party external network adapters are not supported for network boot.

1. Connect the Surface Ethernet Adapter to the USB port or insert your Surface Pro 3 into the Surface Pro 3

Docking Station.

2. Power off the Surface Pro 3 device.

3. Press and hold the volume down button.

4. Press and release the power button.

5. Continue to hold the volume down button until the text Checking Media Presence… appears on the screen, as

shown in Figure 3.28, indicating that network boot has begun. Once this text appears, the volume down button can be released.

Figure 3.28: Surface Pro 3 Device Booting from the Network.

6. The network adapter will receive an IP address from a DHCP server and after the WDS PXE service is detected,

will prompt the user to press ENTER to begin the network boot process as shown in Figure 3.29.

Figure 3.29: Confirmation of Successful Connection to WDS Server.

Note: In order to press the Enter key, the Surface Type Cover or a USB keyboard should be connected.

After the network boot process has been initiated, the boot image generated for the MDT deployment share (LiteTouchPE_x64.wim) will load. A progress bar appears along with the name of the loading image, as shown in Figure

3.30.

Figure 3.30: Network Boot Progress Bar.

Windows Deployment Wizard

After the boot image is loaded onto the target Surface Pro 3 device, the Microsoft Deployment Toolkit Welcome Page launches. You can start the Windows Deployment Wizard by following these steps:

1. Select the Run the Deployment Wizard to install a new Operating System option, as shown in Figure 3.31.

Figure 3.31: Microsoft Deployment Toolkit Welcome Page.

2. Enter credentials in these fields for access to the deployment share and click OK:

 User Name – Enter the user name for an account that has a minimum permission level of Read. This

field is required.

 Password – Enter the password for the account. This field is required.  Domain – Enter the domain where the user account belongs. This field is required.

Note: When using a standalone deployment server that is not connected to a domain, the name of the deployment server should be used to indicate that a local account is being used.

3. If the specified credentials are valid, the Windows Deployment Wizard launches. The Windows Deployment

Wizard is used to initiate and control the deployment process on the target Surface Pro 3 devices by following a series of steps presented sequentially:

 Task Sequence – Select the desired deployment task sequence that was created earlier in this chapter, then

click Next.

 Computer Details – Enter the desired name for the deployed computer and specify either a domain or

workgroup to be joined. If selecting a domain, enter the credentials with permissions to join the domain. Click Next.

 Move Data and Settings – Select the option to control how data and settings are managed, then click Next:

o Do not move user data and settings – Indicates that user data and settings are overwritten. If you

don’t need any existing user data or settings while testing deployment with this scenario, click this

option.

o Keep existing partitions – Indicates that any existing partitions should be preserved and not

formatted or partitioned.

o Move user data and settings – Indicates user data and settings should be preserved.

 User Data (Restore) – Select the option to control whether user data should be restored with the following

options, then click Next:

o Do not restore user data and settings – No user data is restored from a network location or USMT

backup. For testing a manual deployment, select this option.

o Specify a location – Restores user data from a specified backup location.

 Product Key – Select the desired product key option, then click Next:

o No product key is required – Select this option if your deployed operating system will use a KMS

server for activation, or you are using evaluation software. This scenario uses evaluation software, so select this option.

Note: If you are using a Windows 8.1 Professional image to be licensed using the embedded product key included with a Surface Pro 3 device (OA 3.0), no product key is required. More details about OA

3.0 are described in Chapter 2.

o Activate the machine with a multiple activation key (MAK) – Select this option if your organization

uses MAK keys, which are used for volume licensed operating systems.

o Use a specific product key – Select this option if you have a single product key, such as one

obtained from a retail box or from a preinstalled operating system.

 Locale and Time – Select the desired language and time zone settings from the following options, then click

o Language to install – Select your desired operating system language. o Time and currency format – Select your desired time and currency format. o Keyboard layout – Select your desired keyboard locale. o Time zone – Select your desired time zone.

 Administrator Password – Enter and confirm a strong password for the local Administrator account in the

target Surface Pro 3 device, then click Next.

 Capture Image – Select the desired image capture settings from the following options, then click Next:

o Capture an image of this reference computer – Captures an image when using a reference

computer. This option is discussed further in Chapter 4.

o Sysprep this computer – Generalizes the computer but does not capture an image. o Prepare to capture the machine – Only copies required Sysprep files. o Do not capture an image of this computer – Does not create any images from the target Surface

Pro 3 device after deployment. Ensure this option is selected for testing the deployment of this scenario.

 Ready – A detailed summary of the selected options is provided under the Details button. Click Begin to

initiate the deployment.

As shown in Figure 3.32, a progress bar is displayed to show the installation progress. The process runs without any further user interaction until the operating system is fully deployed.

Figure 3.32: Installation Progress Bar.

At the completion of a successful deployment, a Deployment Summary page is displayed, as shown in Figure 3.33. After review, the Deployment Summary page can be closed and the computer and operating system are ready for use or further customization.

Figure 3.33: Deployment Summary Page.

Note: The system is logged in using the local Administrator account specified in the Windows Deployment Wizard.

Chapter 4 – Reference Deployment with MDT

One of the most common deployment tasks required by an organization is the creation of custom images. Sector-based imaging tools, such as many third-party tools, have no mechanism to customize an image during the deployment process. On the other hand, file-based imaging tools, such as MDT, can provide customization at the time of deployment. However, some scenarios still may require a custom image, such as:

 Deployment Performance – Capturing an image from a reference system that already includes the latest

updates or applications can consume less bandwidth and fewer system resources than having MDT manage those updates and applications at the time of deployment. For example, deploying an image with Windows Updates already installed can be much faster than having those updates injected as packages or having updates applied during the task sequence.

 Customization – Some customizations do not support automated deployment, such as apps that require user

interaction in a GUI. Other customizations are performed only during image creation, such as the examples shown in the Customizations to the Reference Image section later in this chapter.

 Deployment Scope – Capturing an image from a reference system that already includes updates, applications,

and drivers) can take far less time than having MDT manage updates, applications, and drivers at the time of deployment. For example, to include .NET framework in an image for deployment of limited scope it could be faster to download and install .NET framework on the reference computer before capturing an image than to download the files for installation, research the commands for silent installation, and import the application into MDT.

The reference deployment scenario in this chapter builds upon the manual deployment scenario discussed in Chapter 3. The reference deployment scenario increases the level of automation over the manual deployment scenario by introducing some customization.

The reference deployment scenario outlined in this chapter is applicable to organizations or businesses of any size and is often the next step towards more the more complex deployments described in Chapter 5 and Chapter 6.

The lab scenario used in this chapter is comprised of only one physical system: A Windows Server 2012 R2 environment configured with Hyper-V. The VMs hosted by the physical server are designated as the virtual lab for testing, planning, creation, and deployment of images. Hyper-V is configured with a virtual switch to allow connectivity between virtual machines and the local network and internet access.

The environment, as shown in Figure 4.1, is configured as follows:

 Virtualization Host:

o Hyper-V (either server or client) to host two virtual machines o Virtual Switch (configured to provide network and internet access to virtual machines)

Note: Machines connected to the virtual switch must be able to receive IP addresses from DHCP, a prerequisite for PXE network boot.

 Virtual Machine (VM) 1: Deployment Server

o Windows Server 2012 R2 o Windows Assessment and Deployment Kit (Windows ADK) o Microsoft Deployment Toolkit (MDT) o Windows Deployment Services (WDS)

Instructions for installation of the deployment tools are provided in Chapter 3.

Virtualization

Host

VM2

(Reference System)

Hyper-V Virtual Machines

VM1

(Deployment Server)

VM3

(Test System)

 Virtual Machine (VM) 2: Reference System

o Generation 1 Virtual Machine o Legacy network Adapter o No operating system installed

 Virtual Machine (VM) 3: Test System

o Generation 1 Virtual Machine o Legacy network Adapter o No operating system installed

The conceptual process of capturing and deploying images is described in Chapter 2. For the reference deployment scenario outlined in this chapter, VM1 is responsible for deploying install.wim as a base image to VM2. You then customize the base image according to your needs. After customization, you capture the image from VM2 to VM1 and deploy it to VM3.

Figure 4.1: Overview of Lab Environment.

Note: It is recommended to use generation 1 virtual machines for image creation because the resulting images are compatible with a wider range of potential clients. To support PXE boot, generation 1 virtual machines must use a legacy network adapter.

Configuring Deployment Share Rules

In Chapter 3, you learned how to create a new deployment share on the deployment server. If necessary, refer to

Chapter 3 to learn how to navigate to and create the deployment share. During creation, a several options can be

specified to control the behavior of the deployment process. These options result in the enabling and disabling of specific prompts presented to the user/technician by the Windows Deployment Wizard. In the reference deployment scenario, described herein, you’ll learn how to configure the options to suppress some of the prompts, thereby reducing the amount of user interaction required from Chapter 3.

To suppress Windows Deployment Wizard prompts, follow this procedure:

1. Create a new deployment share by following the procedure you learned in the Creating a Deployment Share

section of Chapter 3, but stop at the Options page.

2. In Chapter 3, you selected all options, which resulted in every possible prompt during deployment. In the

reference deployment, some of those prompts are suppressed by unselecting these options, as shown in Figure

4.2:

 Ask if a computer backup should be performed – This option can be unselected because no users or data

(except for tests accounts) will exist.

 Ask for a product key – This option can be unselected because the product key will be specified in the

deployment task sequence.

 Ask to set the local Administrator password – This option can be unselected because the password for the

local Administrator account will be supplied in the task sequence.

 Ask if BitLocker should be enabled – This option can be unselected because encryption is not required in a

lab environment where no user data will exist on deployed systems.

Figure 4.2: New Deployment Share Options.

3. Continue clicking Next to complete and close the New Deployment Share Wizard as you did in Chapter 3.

Configuring Windows Deployment Wizard Rules

The values for the options on the deployment share Options page, shown in Figure 4.2, are specified as settings, known as rules. These rules are stored in a file named customsettings.ini. Each deployment share contains this file, so each can be configured differently. The five options on the page shown in Figure 4.2 are not the only options that can be configured, but additional options can only be configured by editing the customsettings.ini file.

To edit the customsettings.ini file, follow these steps:

1. Expand the Deployment Share tree in the Deployment Workbench and right-click the deployment share, and

then click Properties.

2. Click the Rules tab. This brings up the screen shown in Figure 4.3.

Figure 4.3: Original Deployment Share Rules.

Notice that the options in the [Default] section correspond to the options selected in the GUI screen in Figure

4.2.

3. Specify additional customizations by replacing the text shown in Figure 4.3 with the text shown in Listing 4.1.

[Settings] Priority=Default Properties=MyCustomProperty

[Default] OSInstall=Y SkipCapture=NO SkipAdminPassword=YES SkipProductKey=YES SkipComputerBackup=YES SkipBitLocker=YES SkipBDDWelcome=YES SkipUserData=YES UserDataLocation=NONE SkipDomainMembership=YES JoinWorkgroup=WORKGROUP SkipLocaleSelection=YES KeyboardLocale=en-US UserLocale=en-US UILanguage=en-US

SkipTimeZone=YES TimeZoneName=Pacific Standard Time UserDomain=SP3DEPLOY UserID=MDT UserPassword=P@ssw0rd SkipFinalSummary=YES

Listing 4.1: Specifying Additional Customizations in the customsettings.ini File.

Note: This guide does not outline every possible customization option in the customsettings.ini file. For more details

about what can be customized and the values that can be specified, refer to the MDT Toolkit Reference, available in the MDT documentation. For more information about downloading MDT documentation, refer to the Installing Deployment

Tools section of Chapter 3.

The additional settings specified in Listing 4.1 are:

 SkipBDDWelcome – Setting this value to YES bypasses the MDT Welcome Page when the Windows Deployment

Wizard is launched.

 SkipUserData – Setting this value to YES bypasses the prompts to back up or restore user data.  UserDataLocation – Setting this value to NONE instructs MDT that user data should not be backed up. For more

information on backing up user data with this setting, see the Migrating User Data section of Chapter 8. This setting is required when specifying YES for the SkipUserData rule.

 SkipDomainMembership – This setting controls the prompts for domain or workgroup on the Computer Details

page of the Windows Deployment Wizard. When set to YES, the setting JoinWorkgroup or JoinDomain must also be set to supply the information otherwise provided at the prompt.

 SkipLocaleSelection – This setting controls the localization and language prompts on the Locale and Time page

of the Windows Deployment Wizard. When set to YES, the following settings must be configured to specify the information otherwise provided at the prompt:

o KeyboardLocale o UserLocale o UILanguage

 SkipTimeZone – This setting controls the prompt for time zone. When both the SkipTimeZone and

SkipLocaleSelection settings are set to YES, the Locale and Time page will be skipped. When set to YES, the desired time zone must be specified with the setting TimeZoneName.

 These settings are used to specify the credentials used by the Windows Deployment Wizard during

deployment:

o UserDomain o UserID o UserPassword

 SkipFinalSummary – This setting determines whether a final summary will be displayed upon deployment

completion.

Note: The reference system, the computer that will be prepared with a base configuration before being captured to an image for deployment to other computers, should not be joined to a domain to ensure that no group policies are applied to the base environment. To ensure that systems deployed in the lab environment are not joined to the domain, the JoinWorkgroup setting must be specified in the deployment share rules.

Configuring Boot Media Rules

In the same way that rules defined in customsettings.ini control the behavior of the Windows Deployment Wizard, rules defined in the file bootstrap.ini control the way the boot media for a deployment share behaves. The default behavior when booting to the MDT boot media is:

1. Before the Windows Deployment Wizard is launched, the MDT Welcome Screen is displayed and shows a Run

the Deployment Wizard to install a new Operating System button.

2. Clicking the Run the Deployment Wizard to install a new Operating System button prompts the user to specify

credentials for connectivity to the deployment share.

Configuring bootstrap.ini to instruct the Windows Deployment Wizard to launch without displaying the Welcome Screen and to bypass the prompts for credentials can performed with this procedure:

1. Expand the Deployment Share tree in the Deployment Workbench and right-click the deployment share, and

then click Properties.

2. Click the Rules tab. This brings up the screen shown in Figure 4.3.

3. Select the Edit Bootstrap.ini button. This opens the bootstrap.ini file in Notepad as shown in Figure 4.4.

Figure 4.4: Original Bootstrap.ini File Configuration.

4. Specify additional customizations by replacing the text shown in Figure 4.4 with the text shown in Listing 4.2.

[Settings] Priority=Default

[Default] DeployRoot=\\SP3DEPLOY\LabDeploymentShare UserDomain=SP3DEPLOY UserID=MDT UserPassword=P@ssw0rd SkipBDDWelcome=YES

Listing 4.2: Additional Rules in Bootstrap.ini.

The additional settings specified in Listing 4.2 are:

 SkipBDDWelcome – Setting this value to YES bypasses the MDT Welcome Page when the boot media is

launched.

 These settings are used to specify the credentials used by the boot media to connect to the deployment share.

o UserDomain o UserID o UserPassword

Note: Credentials specified in the bootstrap.ini and customsettings.ini files are stored in plaintext on the MDT boot media. It is recommended to use a local user account dedicated to deployment processes that has readonly permissions to the deployment share.

After the deployment share is created and configured with the desired rules for automation, you then supply the installation files for the operating system. Import the source files for the operating system to be deployed to the reference system, which is detailed in the Importing an Operating System section in Chapter 3.

Creating a Reference Deployment Task Sequence

You have now configured the deployment share for automation and supplied source files for the operating system to be deployed to the reference system. Contrary to the manual deployment scenario discussed in Chapter 3, for the reference deployment scenario, the task sequence includes additional steps to automate the deployment and installation of Windows Updates. To create the reference deployment task sequence, begin by following the procedure shown in the Creating the Deployment Task Sequence section of Chapter 3, but then customize according to the instructions in this section.

Note: Because the SkipAdminPassword rule is set to a value of YES, the user is not prompted for a password at the time of deployment, so it must be specified in the task sequence.

After the reference deployment task sequence is created, additional behaviors or customizations can be specified. To open the task sequence, expand the Task Sequences section of the deployment share and double-click the task sequence. The properties of a task sequence include these three tabs:

 General – Contains the name, comments, and target platforms of the task sequence. The task sequence can also

be enabled or disabled from this tab.

 Task Sequence – Contains the steps to be performed by the task sequence.

 OS Info – Contains information regarding the operating system used by the task sequence and a button to edit

the answer file that is used by the task sequence.

Enabling Windows Updates

To instruct the deployment process to run Windows Updates, follow this procedure:

1. Expand the lab deployment share in the Deployment Share tree in the Deployment Workbench and click the

Task Sequences folder.

2. Right-click the reference deployment task sequence created earlier in this chapter.

3. Click Properties.

4. Select the Task Sequence tab.

5. Expand the State Restore folder.

6. Select the Windows Update (Pre-Application Installation) step.

7. Select the Options tab for the selected step as shown in Figure 4.5.

Figure 4.5: Windows Update Step Enabled.

8. Uncheck the Disable this step checkbox.

9. Select the Windows Update (Post-Application Installation) step.

10. Select the Options tab for the selected step.

11. Uncheck the Disable this step check box.

12. Click OK to save and close the task sequence properties.

Note: Enabling Windows Update during deployment will significantly increase the time required to perform the deployment task sequence. The increase in time is dependent on how many updates must be installed.

The task sequence is now configured to install Windows Updates on the reference system.

Deploying to the Reference System

Network boot is required to deploy to the reference system. See Chapter 3 for a complete walkthrough of configuring WDS for network boot, generating boot media, and importing boot media for use with WDS. These steps are required before proceeding.

To deploy an image to the reference system, follow these steps:

1. Verify the boot order is configured to boot from the network as the first priority in the settings of the Hyper-V

virtual machine as shown in Figure 4.6:

Figure 4.6: Boot Priority in Hyper-V Virtual Machine Settings.

2. In Hyper-V, start VM2, which is a blank virtual machine. The adapter will receive an IP address from the DHCP

server and then contact the PXE server.

3. After the PXE server is found, the PXE boot screen is displayed, as shown in Figure 4.7.

Figure 4.7: WDS PXE Boot Screen.

4. Press Enter to boot from the network. This launches the MDT boot media and processes the bootstrap.ini and

customsettings.ini configuration files. You’ll notice a progress bar on the screen.

5. The Task Sequence page is displayed. Select the reference deployment task sequence created earlier in this

chapter, as shown in Figure 4.8. Click Next.

Figure 4.8: Selecting the Task Sequence.

6. Enter the desired computer name on the Computer Details page as shown in Figure 4.9 and click Next.

Figure 4.9: Entering the Computer Name.

The Installation Progress window appears to show the progress of the deployment. The deployment process will write the image to the reference computer and automatically manage the installation of Windows Updates, as shown in Figure 4.10.

Figure 4.10: Progress of Windows Updates Installation.

When complete, the Windows Deployment Wizard will close automatically and the system will be logged in as the Administrator account with the password supplied during task sequence creation. The reference system is now ready for application installation, customization, and tweaking before it is captured back to the deployment share as an image.

Customizations to the Reference Image

Before an image of the reference system is captured for deployment to other computers, it can be customized in a number of ways. Any changes or settings made to the reference system will be captured in the resulting image and therefore will be included on any deployed computers using that image. Examples of changes to a reference system include installed applications, changed settings, or any data placed on the system.

Customizing the experience for all new users on a computer that uses a deployed image follows this overall procedure, which is described in more detail throughout the rest of this chapter:

1. Make desired changes to the reference system while being logged in as the Administrator account.

2. Capture the image.

3. Deploy the image, specifying the CopyProfile setting, which copies the customized changes made to the

Administrator profile to the default profile. The default profile is used as a baseline for users logging into a computer for the first time.

Note: The CopyProfile setting must be configured in the deployment task sequence, not the capture task sequence. The CopyProfile setting is processed in the Specialize pass, during deployment.

4. During deployment, the Administrator account is automatically deleted.

This section shows how to customize the reference system to include:

 Customization of the wallpaper  Customization of the default user account picture  Removal of Windows Store apps  Customization of the Start Screen

Note: As any changes to the system are recorded in the image, it is highly recommended to clean up any temporary files, application installers, and empty the recycle bin before capturing.

Customizing the Wallpaper

To customize the wallpaper of the reference system, follow these steps:

1. Place the desired wallpaper image in the C:\Windows\Web\Wallpaper folder on the reference system. This will

make the wallpaper available in the Windows Desktop Backgrounds picture location. This example uses the Microsoft Surface wallpaper, as shown in Figure 4.11, which is located in the C:\Windows\Web\Wallpaper\Surface folder in the unaltered Surface Pro 3 installation of Windows 8.1 Professional.

2. Right-click the desktop and select Personalize to launch the Personalization control panel applet.

3. Click Desktop Background, then select the desired wallpaper(s) and click Save Changes.

4. Select the Save Theme option under My Themes and assign the desired name for the theme.

5. Close the Personalization control panel applet.

Figure 4.11: Configured Microsoft Surface Wallpaper.

Customizing the Default User Account Picture

The default user account picture is used as the default picture for each new account created on a computer, unless the user changes it. The default user account picture is not configured as a component of the user profile, but as a separate set of images stored in the C:\ProgramData\Microsoft\User Account Pictures folder. To customize the default user account picture, follow these steps:

1. Open File Explorer.

2. Enter C:\ProgramData\Microsoft\User Account Pictures in the address bar. The full path must be entered

because the ProgramData folder is hidden by default and cannot be selected or browsed without enabling display of hidden files and folders. This shows the default screen in Figure 4.12 before image replacement.

Figure 4.12: User Account Picture Before Replacement.

3. For the default user account, these four images must be provided in the specified format and size:

 user.bmp (448x448 pixels)  user.png (448x448 pixels)  user-40.png (40x40 pixels)  user-200.png (200x200 pixels)

4. Replace all four image files with your desired customized image, as shown in Figure 4.13.

Figure 4.13: User Account Picture After Replacement.

5. When prompted to Replace or Skip Files, select Replace the files in the destination.

6. When the Destination Folder Access Denied dialog box appears, check the Do this for all current items

checkbox to provide administrator permission to copy files to the folder and click Continue.

7. Close File Explorer. After customization, the default user account picture is shown in Figure 4.14.

Figure 4.14: Customized User Account Picture.

Customizing Windows Store Apps

It is important to understand the relationship between the provisioned apps and installed apps. A provisioned app is staged in the image and will be installed at the first logon for each user. An app is installed for a specific user. When a user updates an app or installs an app from the Windows Store, it becomes installed only for that user. Therefore, there becomes a mismatch between the user’s installed app and the staged provisioned app.

For example, when an app is uninstalled for a user, it will still be installed for any new users on that computer. This is because the app is still provisioned. If an app is unprovisioned it will not be installed for new users on the computer, but it will remain installed for any users who had already installed the app. When an app is installed from the Windows Store, it is installed only for that individual user but not provisioned for new users.

Windows Store apps cannot be updated during the customization of a reference system. Updating these apps including the built in apps such as Mail, Calendar, or News will cause Sysprep to fail. This is because when apps are updated, the updated version is installed only for the user. This breaks the association with the provisioned app, which is available for all users of the computer.

To completely remove a Windows Store app from the image, it must be removed for both the user (uninstalled) and the computer (un-provisioned). This is because Windows Store apps can exist in a state where they are available for all users of a computer even when they are not installed for a specific user, or they can exist for a specific user, but not all users of the computer.

To begin, refer to Figure 4.15 to see what the Start Screen looks like before customization.

Figure 4.15: Start Screen Before Customization.

As an example, this procedure shows you to uninstall and un-provision the Sports app, but the same procedure works for any other Windows Store app as well:

1. Open an Administrative PowerShell session.

2. Get a list of packages that are installed for specific users on the computer by executing the get-appxpackage

cmdlet with this statement:

get-appxpackage –alluser | format-list -property packagefullname

You will see a list of all apps that are currently installed, as shown in Figure 4.16.

Figure 4.16: Get-AppxPackage Output.

Note: The output from this statement can be written to a text file to make it easier to reference, search, or copy

from. This is done by adding > c:\report.txt to the end of the statement. For example:

get-appxpackage –alluser | format-list -property packagefullname > c:\users\administrator\desktop\installedappx.txt

3. If you scroll through the list of returned apps, you’ll see

Microsoft.BingSports_3.0.4.212_x64__8wekyb3d8bbwe in the list. You’ll need this exact name to supply as an argument to the PowerShell cmdlet to remove the app in the next step.

4. Uninstall the undesired apps by executing the remove-appxpackage cmdlet with this statement:

remove-appxpackage Microsoft.BingSports_3.0.4.212_x64__8wekyb3d8bbwe

5. Get a list of packages that are provisioned in on the computer by executing the get-appxprovisionedpackage

cmdlet with this statement:

get-appxprovisionedpackage -online | format-list -property packagename

You will see a list of all apps that are currently provisioned.

6. If you scroll through the list of returned apps, you’ll see

Microsoft.BingSports_2014.926.258.4003_neutral_~_8wekyb3d8bbwe in the list. You’ll need this exact name

to supply as an argument to the PowerShell cmdlet to remove the app in the next step.

7. Un-provision the undesired apps by executing the remove-appxprovisionedpackage cmdlet with this statement:

remove-appxprovisionedpackage -online -packagename Microsoft.BingSports_2014.926.258.4003_neutral_~_8wekyb3d8bbwe

Figure 4.17 shows the same Start Screen as in Figure 4.15, but with the Sports app removed.

Figure 4.17: Start Screen After Sports App Removed.

Customizing the Start Screen

Customizing the Start Screen involves the arrangement of the tiles on the screen and grouping them into logical sections and alternatively naming those sections. You do this by simply dragging the tiles into the desired location on the screen, resizing them, or any other action that configures the screen any way you like. These customizations are stored in the local Administrator profile and will be captured as-is during the deployment process, which is described in the Testing

the Image section later in this chapter.

It is a best practice, as discussed in the Considerations for Images section in Chapter 2, to not install apps on the reference system. The guidance is to install apps during deployment, which is covered in Chapter 5. However, you can still customize Start Screen tiles for apps that are not yet installed.

This is done by copying the layout of the Start Screen from a computer that does have the apps installed using a template. A template stores the layout of the tiles, but does not install the apps. Figure 4.18 shows the Start Screen before customization.

Figure 4.18: Start Screen Before Customization.

To export and import a Start Screen layout template, follow these steps:

1. On the computer with the app(s) installed, open an Administrative PowerShell session.

2. To generate the template, run the Export-StartLayout cmdlet with the following statement:

export-startlayout –path c:\startscreenlayout.bin -as bin

3. Close the PowerShell session window.

4. Copy the generated c:\startscreenlayout.bin file from the computer with the app(s) installed to the C:\ drive on

the reference system.

5. On the reference system open an Administative PowerShell session.

6. To apply the template, run the Import-StartLayout cmdlet with the following statement:

Import-startlayout -path c:\startscreenlayout.bin –mountpath c:\

7. Close the PowerShell session window.

After the layout is imported into the reference system, all customizations are visible. Figure 4.19 shows the Start Screen after customization. Notice in Figure 4.19 the desktop tile is in the top left position, the Start Screen background is changed, the Weather tile size is wide, and the Reading List tile is removed.

Figure 4.19: Start Screen After Customization.

Note: The same PowerShell cmdlets can also be used to generate an XML export of a Start Screen layout for use with

the Start Screen Layout group policy setting.

Creating a Capture Task Sequence

After the reference system is customized the system must be prepared for deployment and captured into an image file. Capturing an image is controlled by using a task sequence. To create a task sequence to capture an image of the reference system, follow these steps:

1. Expand the Task Sequences folder in the Deployment Share tree in the Deployment Workbench.

2. Right-click the Task Sequences folder and select New Task Sequence. This launches the New Task Sequence

Wizard.

3. The New Task Sequence Wizard presents a series of steps, as follows:

 General Settings – Supply a name and ID for this new task sequence, as shown in Figure 4.20, and then click

Next.

Figure 4.20: Capture Task Sequence.

 Select Template – Select the Sysprep and Capture template and click Next.  Select OS – Select the operating system that was originally deployed to the reference system and click Next.  Specify Product Key – When capturing an image, you do not specify a product key. Click Next.  OS Settings – Enter the desired registration information and home page and click Next.  Admin Password – Enter the desired strong password for the local Administrator account and click Next.  Summary – Confirm the selected options and click Next.  Progress – Shows a progress bar during task sequence creation.  Confirmation – Click Finish to complete the New Task Sequence Wizard.

The newly created capture task sequence appears in the Task Sequences folder of the deployment share as shown in Figure 4.21.

Figure 4.21: Capture and Reference Deployment Task Sequences.

Note: It is possible to perform the deployment and capture steps in the same task sequence. To accomplish this, the

task sequence must automate customization to the reference image. However, automation is not possible for some tasks. Therefore, the task sequence will need to be paused to enable user interaction. MDT includes a script named LTISuspend.wsf, which pauses a task sequence for this purpose. Refer to the MDT documentation for more information on this script.

Profile customizations made to the reference system are stored in the local Administrator profile. Examples of some of these customizations include configuration of the Start Screen and wallpaper. To make these customizations available to all new users who log onto the deployed computer, the deployment answer file needs to have the CopyProfile setting configured. The CopyProfile setting is configured in the specialize pass, which is run during the deployment process rather than the generalize process. See the Testing the Image section in this chapter for details on including the CopyProfile setting in a deployment task sequence.

Unlike deploying an image, which needs read-only permissions to the deployment share, capturing an image needs to write to the Captures folder in the deployment share. Ensure the account specified in the customsettings.ini file has write permissions to the Captures folder.

Creating an Image from the Reference System

You have now made customizations to the reference system and prepared the capture task sequence to create an image of the reference system. Now the capture task sequence must be run on the reference system to create that image.

Note: Another advantage in using a virtual machine as a reference system is the ability to use checkpoints or snapshots. Checkpoints store the exact state of a virtual machine at the specified point of time. A virtual machine can be easily reverted to this state, if necessary. For example, the Sysprep process makes irreversible changes to the reference system, so creating a checkpoint gives you the ability to restore to a specific point in time.

Launch the Windows Deployment Wizard via the litetouch.wsf script using the following steps:

1. Open an Administrative PowerShell session.

2. Enter the following command to map a network drive to the deployment share and press Enter:

net use * \\sp3deploy.contoso.com\labdeploymentshare /user:sp3deploy\mdt

This is done to specify the user account which will be used to connect to the share. In this command sp3deploy.contoso.com is the name of the deployment server, labdeploymentshare is the name of the deployment share, and mdt is the name of the user account for MDT deployments. These values should be replaced with the values used in your environment.

3. Enter the following command to launch the Windows Deployment Wizard and press Enter:

cscript \\sp3deploy.contoso.com\labdeploymentshare\Scripts\LiteTouch.WSF

4. The Windows Deployment Wizard presents a series of prompts:  Task Sequence – Select the capture task sequence that was created in the Creating a Capture Task Sequence

section of this chapter and click Next.

 Capture Image – Specify the desired location for the captured image to be placed, along with the name of

the image to be created, as shown in Figure 4.22. The default location is the Captures folder of the deployment share, where the required write permissions were added earlier in this chapter. Click Next.

Figure 4.22: Settings for Image Capture.

Testing the Image

After the image has been captured, it is ready to be used to deploy to other computers. To verify the successful application of the customizations in the resulting image, a test deployment to a second virtual machine in the lab is recommended. To perform this test deployment, follow these steps:

1. Import the captured image in the deployment share

2. Create a new test deployment task sequence

3. Run the new test deployment task sequence on a second virtual machine (VM3), as shown in Figure 4.1.

Each of these steps is covered in the next three sections.

Importing the Captured Image

To import the captured image in the deployment share, follow these steps:

1. Expand the deployment share in the Deployment Workbench.

2. Right-click Operating Systems, and then select Import Operating System. This launches the Import Operating

System Wizard.

3. The Import Operating System Wizard presents the following steps:

 OS Type – Select the type of operating system to add. Select the Custom Image option. Click Next.  Image – Enter or browse to the Custom folder in the deployment share and select the image captured in the

previous section of this chapter. Check the Move the files to the deployment share instead of copying them check box if you’d like to reduce the storage space required by the MDT deployment share, but it isn’t necessary for the imported image in this scenario. Click Next.

 Setup – Select the Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path

option. Enter or browse to the Operating Systems folder of the deployment share and select the folder that contains the original operating system installation media for the reference system. Click Next.

 Destination – Enter the name of the folder where the operating system files will be stored. This folder is

created in the deployment share on the deployment server. For example, you could enter Windows 8.1 Custom as the destination. Click Next.

 Summary – Review the summary of your operating system import configuration and click Next.  Progress – Displays a progress bar during the importing of the operating system files.  Confirmation – Displays confirmation of success or errors generated while importing the operating system

files. Click Finish to close the Import Operating System Wizard.

More details about the options presented by the Import Operating System Wizard are available in Chapter 2.

Creating the Test Deployment Task Sequence

To create the test deployment task sequence, follow these steps:

1. Expand the deployment share in the Deployment Workbench.

2. Right-click the Task Sequences folder, then select New Task Sequence.

3. The New Task Sequence Wizard presents a number of steps, as follows:

 General Settings – Enter the desired task sequence ID, name, and comments. Click Next.  Select Template – Select the Standard Client Task Sequence and click Next.  Select OS – Select the operating system you imported from your custom image. Click Next.  Specify Product Key – Select Do not specify a product key at this time and click Next.  OS Settings – Enter the desired registration information and home page and click Next.  Admin Password – Specify a strong password for the local Administrator account on the deployed

computer. Click Next.

 Summary – Review the summary of your new task sequence and click Next.  Progress – Displays a progress bar during the creation of the new task sequence.  Confirmation – Displays confirmation of success or errors generated while creating the task sequence. Click

Finish to close the New Task Sequence Wizard.

For more information about what the CopyProfile setting does and how it relates to the local Administrator account, refer to the Creating a Capture Task Sequence section earlier in this chapter.

To set the CopyProfile setting in the answer file, follow these steps:

1. Open the Task Sequences folder of the deployment share in the Deployment Workbench.

2. Right-click the test deployment task sequence and select Properties.

3. In the task sequence properties, select the OS Info tab.

4. Edit the answer file by clicking the Edit Unattend.xml button, as shown in Figure 4.23. This launches the

Windows System Image Manager (Windows SIM).

Figure 4.23: OS Info Tab Showing Edit Unattend.xml Button.

Note: When the answer file for a specific operating system is opened for editing for the first time, a catalog of

available settings is generated. This may take several minutes.

5. Select the EditFind menu or press Ctrl+F to launch the Find dialog box.

Note: With a large number of available components, it is typically quicker to find a specific setting by searching rather than expanding the components tree under the Windows Image pane.

6. Enter the term copyprofile and click Find Now to locate the Microsoft-Windows-Shell-Setup component.

7. Double-click the amd64 version of the component to locate the setting in the Windows Image pane that

matches the architecture of the image being deployed.

8. Right-click the Microsoft-Windows-Shell-Setup component and select Add Setting to Pass 4 specialize.

9. Select the setting from the Answer File pane in the center of Windows SIM. After this setting is selected, the

available setting options will appear in the right pane which is labeled with the setting name, Microsoft- Windows-Shell-Setup.

10. Set the property value for the CopyProfile setting to True as shown in Figure 4.24.

Figure 4.24: Configuring CopyProfile Settings.

11. Select the FileSave Answer File menu or press Ctrl+S to save the answer file.

Note: Windows SIM will automatically validate the answer file when selecting save. Any settings that are

configured improperly will result in a warning message on the screen.

12. Close Windows SIM.

When the image is applied to the target system, the specialize pass will run, which copies the Administrator profile to the local Default User profile, enabling new users to receive the customizations made to the Administrator profile in the reference system.

Deploying the Captured Image

To deploy to the test system (VM3), follow the procedure for deploying as outlined in the Deploying to the Reference

System section in this chapter, but in step #5, where you select the task sequence, select the test deployment task

sequence created in the Testing the Image section in this chapter. All other parts of the procedure remain the same.

The deployed system (VM3) will contain the customizations configured in the reference system (VM2). Before rolling out the image to production, as detailed in Chapter 5, verify that all customizations are present in VM3.

Chapter 5 – Automated Deployment with MDT

The automated deployment scenario in this chapter builds upon the reference deployment scenario discussed in

Chapter 4. The automated deployment scenario decreases the level of interaction required by the user/technician and

also includes apps and drivers. The automated deployment produces a computer that is production-ready.

While this chapter shows how to deploy to computers in two specific scenarios (connected and offline), the procedures outlined in this chapter can be used to address the demands of an entire organization, including the need for different apps, computer models, and customizations.

The deployment process described in each scenario can be used to deploy any number of computers, but this step-bystep focuses on three specific computers, as shown in Figure 5.1:

 Production Deployment Server

o Windows Server 2012 R2 o Windows Assessment and Deployment Kit (Windows ADK) o Microsoft Deployment Toolkit (MDT) o Windows Deployment Services (WDS)

 PC1: Connected Device

o A Surface Pro 3 device o Connected to the corporate network

 PC2: Offline

o A Surface Pro 3 device o Not connected to the corporate network

PC1

(Connected Device)

PC2

(Offline Device)

Production

Deployment Server

Figure 5.1: Offline Deployment Scenario Computers.

Note: A USB stick with at least 10GB of storage is required for the offline deployment outlined in this chapter. The USB

drive must be reported as a fixed drive to support multiple partitions. A Windows To Go certified drive is recommended.

Disabling WDS PXE Boot

In Chapter 4, the lab deployment server was configured for PXE boot. Therefore, if your lab deployment server is on the same network as the production deployment server shown in Figure 5.1, PXE boot on the lab deployment server will need to be disabled to prevent conflicting responses. To disable network boot, follow these steps:

1. Launch Windows Deployment Services on the lab deployment server.

2. Expand the Servers tree and right-click the lab deployment server, then select Properties.

3. Select the PXE Response tab.

4. Select the Do not respond to any client computers option as shown in Figure 5.2 and click OK to save and exit

the server WDS properties.

Figure 5.2: Disabling PXE Response to Clients.

5. Close Windows Deployment Services.

Creating the Production Deployment Share

The production deployment share will contain the applications, drivers, and custom images for deployment across the organization and will share these components with the offline deployment share. The deployment production share and offline deployment share will use the same apps, drivers, and images, so instead of duplicating effort, deployment shares can be linked. To create the production deployment share follow the Creating a Deployment Share section

outlined in Chapter 3.

Customizing Rules for Automation

As with the reference deployment scenario outlined in Chapter 4, the deployment share will be customized by configuring rules to bypass the prompts that are displayed by the Windows Deployment Wizard. As you may recall, these rules are stored in the configuration files customsettings.ini and bootstrap.ini, which control the Windows Deployment Wizard and boot media respectively.

To configure deployment share rules to automate the Windows Deployment Wizard, follow these steps:

1. Expand the Deployment Shares tree in Deployment Workbench.

2. Right-click the production deployment share and select Properties.

3. Select the Rules tab.

4. Replace the text displayed on the Rules tab with the text provided in Listing 5.1:

[Settings]

Priority=Default Properties=MyCustomProperty

[Default] OSInstall=Y SkipCapture=YES SkipAdminPassword=YES SkipProductKey=YES SkipComputerBackup=YES SkipBitLocker=YES SkipBDDWelcome=YES SkipUserData=YES UserDataLocation=AUTO SkipApplications=YES SkipPackageDisplay=YES SkipComputerName=YES SkipDomainMembership=YES JoinDomain=contoso.com DomainAdmin=MDT DomainAdminDomain=contoso DomainAdminPassword=P@ssw0rd SkipLocaleSelection=YES KeyboardLocale=en-US UserLocale=en-US UILanguage=en-US SkipTimeZone=YES TimeZoneName=Pacific Standard Time UserID=MDT UserDomain=SP3ProdDeploy UserPassword=P@ssw0rd SkipSummary=YES SkipFinalSummary=YES

Listing 5.1: Deployment Share Rules for Added Automation

Listing 5.1 differs from the similar listing 4.1 in Chapter 4 in the following ways:

 SkipCapture – This setting has been changed to YES to prevent the Capture Image page of the Windows

Deployment Wizard from appearing. Custom images for this production deployment share will be produced in the lab environment and thus image capturing will not be performed from the production deployment share.

 SkipApplications – By configuring this setting to NO, the Applications page of the Windows Deployment Wizard

will not be displayed, even if there are applications available in the deployment share and the install applications step is present in the task sequence. To install applications while keeping this page hidden, an application installation step must be created to explicitly define an application for installation. See the Importing

Applications section later in this chapter for more information.

 SkipPackageDisplay – By configuring this setting to NO, the Packages page will be hidden, even if language

packs, updates, or firmware packs are available in the deployment share. Packages will need to be specified by a

selection profile in the task sequence. Selection profiles are covered in the Importing Drivers section in this

chapter.

 SkipDomainMembership – This setting is still configured as YES to prevent the display of the domain or

workgroup join fields on the Computer Details page, but rather than specifying a workgroup to join, the following settings specify a domain to be joined along with the required credentials:

o JoinDomain – This setting is used to specify the domain for the deployed computer to join. o DomainAdmin – This setting is used to specify the user name with rights to join a computer to the

domain.

o DomainAdminDomain – This setting is used to specify the domain membership of the user being used

to join the computer to the domain.

o DomainAdminPassword – This setting is used to specify the password for the user being used to join

the computer to the domain.

Note: The user name and password information is stored in the deployment share rules in plaintext. As such it is recommended to use an account that is designated to the required task only. In this case the user account MDT in the contoso.com domain will be configured with delegation rights to join computers to the domain and will be enabled only during active deployments.

Follow the procedure for configuring the bootstrap.ini file in the Configuring Boot Media Rules section of Chapter 4.

Customizing Task Sequence Selection by Model

The SkipTaskSequence setting is not specified in the [Default] section of the deployment share rules, but is required for full automation of the deployment. It was omitted to enable a technician to select between task sequences during deployment. If it was specific in the rules, the same task sequence would be applied to every computer. To automate the selection process for a specific computer model, you need to determine the value for the built-in Model variable and specify it in the customsettings.ini file.

To find the value for the Model variable for a specific computer or device, launch a PowerShell session on the desired computer and run the following command, as shown in Figure 5.3:

wmic csproduct get name

Microsoft Surface 3 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual