OSD Image creation for Windows 7 - UK

Allocated to: TCS MDS - Vivekananda Mandekara/UK/GTS/PwC
Admin Category
Hardware: none
Software: Base Images

Initial requirements

Full details of task

System Centre Configuration Manager (SCCM) offers a wealth of features. One of these features is Operating System Deployment (OSD). We have carried out various POCs on OSD to confirm whether it suits PwC requirements. Based on the results, it was concluded to use OSD as the way forward.

OSD

Operating System (OS) deployment allows you to create and deploy Operating System images to target computers through SCCM.
It provides a wealth of features to centrally manage and maintain Operating System deployment.
It meets all the imaging requirements of PwC UK and also provides additional features.

PwC Imaging Requirement

Existing Imaging Requirements | Does OSD Support? | Added benefits of OSD
New PC build, onsite and offsite | Yes | Reduction in time taken to build PCs; data migration can be automated; enhanced security; reduction in time taken to carry out image refresh activity by MDS team; can be replicated to other territories with slight modification
Reimaging of PCs onsite | Yes | Same benefits as above
Swing stock and loan PCs | Yes | Same benefits as above
BCP and System Builds (AOS Kiosks) | Yes | Same benefits as above

The current Imaging process

Three Phases of Imaging

Build Phase: Imaging the PC with Windows 7 using a USB key. Starts at booting the PC with the USB key, and ends with initiation of the PC Config tool for UK and completion of encryption for US.

Commission Phase:
   PC Config Phase: Runs the PC Config tool to initiate encryption, installs Territory apps (only for US), joins the PC to the domain and installs the SCCM client.
   LoS Applications Installation: Downloads and installs LoS applications based on the user's LoS (for UK only).
Data Transfer Phase: Transfer of user data using DMM from the old to the new PC. Applicable only in reimage and PC replacement scenarios.

Current Imaging Process - UK

Current Imaging Process - US

Proposed Imaging Process with OSD

UK PC Image Timing - Comparison

Setting up and configuring OSD

This phase is split into three:
1) Boot Image
2) Image Interface
3) OSD Task Sequence

Boot Image :

An x86 boot image is created using the WAIK tool kit, and the following customisations were carried out.

Unattend.xml
Basic unattend.xml for WinPE which provides simple configuration settings:
1. Disables firewall
2. Display settings
3. US Locale Settings
4. Organisation Name PricewaterhouseCoopers
5. Auto accept EULA
Attachment: Unattend_xml.zip

Password.ini
Reference file used to store user password details for access to the file and print servers at US, UK and the UK Offsite Vendor. Format as follows:

   [Locale]
   username=Domain\Username
   password=password

Attachment: password_ini.zip

Launch.cmd
The file is placed under the system32 folder. Customised command-line scripts are added to it, which are executed during WinPE startup. In this case we need to call the imaging interface before the imaging process can trigger.
Attachment: launch_cmd.zip

TSconfig.ini
The file is placed in the root folder. By design, anything to be executed during WinPE startup should be updated/added in the TSConfig file.
Attachment: TSConfig_ini.zip

Network/USB Drivers
Network interface drivers and USB 3.0 drivers for the following models are added to the boot image:
1. Lenovo Thinkpad T410/T400/T430/T420
2. Lenovo Thinkpad X200/X200T/X201/X201T/X220/X220T
3. Lenovo X1
4. Think Centre M90/91/92
5. Dell XP 13/14/15
6. HP 2570
7. Sony Vaio

McAfee Filter Driver/EETECH Utility

1) Insert the driver files. The driver files can be extracted from any existing Endpoint Encryption installation.
   Just copy the files from the windows/system32/drivers folder to the equivalent folder in the Windows PE folder:
      MfeEpePc.sys
   For release versions of 6.1.2 and greater, the following driver must also be considered:
      MfeEEAlg.sys

2) Open the registry editor and load the System hive from the Windows PE folder Windows\system32\config\system. (The following examples assume that you have loaded the hive with the name pe3.)

3) Insert the following registry keys for the MfeEpePc.sys driver:

   [HKEY_LOCAL_MACHINE\pe3\ControlSet001\services\MfeEpePc]
   "Type"=dword:00000001
   "Start"=dword:00000000
   "ErrorControl"=dword:00000003

4) For release versions of 6.1.2 or greater, insert the following registry keys for the MfeEEAlg.sys driver:

   [HKEY_LOCAL_MACHINE\pe3\ControlSet001\services\MfeEEAlg]
   "Type"=dword:00000001
   "Start"=dword:00000000
   "ErrorControl"=dword:00000003
   "Group"="Primary Disk"

5) Find the following registry entry:

   [HKEY_LOCAL_MACHINE\pe3\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]

6) Edit the current value, which is usually as follows:

   PartMgr

7) And change it to the following:

   MfeEpePc
   PartMgr

8) The EETECH files are added in the appropriate folder so that field service can use the EETECH Tool to carry out troubleshooting.

SafeGuard Filter Driver
The utility below is used to inject the SafeGuard filter driver into the boot image.
Attachment: InstallSGE2WinPE20.zip

Hotfix
The following hotfix is injected into the boot image: http://support.microsoft.com/kb/982018

Image Interface :

We have the following imaging interfaces.

1) Srv.hta : This interface is used to sync the USB key and is also required to select the country and the operating system to be imaged. This interface has been updated to store all options selected in the interface as SCCM Task Sequence variables, so that they can be used in the OSD Task Sequence to carry out condition-based installation.
Attachment: srv_hta.zip

2) PwC_Win7.hta : This interface is used to select the type of build and the model on which the image is to be applied.
   This interface has been updated with a LOS option so that, based on the LOS selected, the respective LOS applications will be installed as part of the build process, and all options selected in the interface are stored as SCCM Task Sequence variables. An EETECH Tool shortcut is placed in this interface so that Field Service/ITSP can use it when required for troubleshooting disk encryption issues.
Attachment: pwc_win7_hta.zip

3) PwC_WinXP.hta : This interface is used to select the type of build and the model on which the image is to be applied. No changes have been made.
Attachment: pwc_winxp_hta.zip

OSD Task Sequence :

Before setting up the Task Sequence, the following WIM files are imported into SCCM:

1) Operating System Image : PwC Image Release 1.4 has been imported to SCCM OSD.
2) Driver Image : The following driver images have been imported to SCCM OSD:
   a) ibmtcm90p.wim - Lenovo Think Centre M90 Driver Wim
   b) ibmtcm91p.wim - Lenovo Think Centre M91 Driver Wim
   c) ibmtcm92p.wim - Lenovo Think Centre M92 Driver Wim
   d) ibmtx2430t.wim - Lenovo Thinkpad T430/X230
   e) ibmtx2420t.wim - Lenovo Thinkpad T420/X220/X220T
   f) ibmtx2400t.wim - Lenovo Thinkpad X200 and X200T and T400
   g) ibmtx24501t.wim - Lenovo Thinkpad X201 and X201T and T410
3) Common Application Image : The common Application WIM has been imported to SCCM OSD.
4) Territory Application Image : The UK & US Territory Apps WIM has been imported to SCCM OSD.
5) Updates Wim : The updates WIM has been imported to SCCM OSD.

The Task Sequence is split into the following sections:

1) Apply the Operating System Image : Based on the country selected in the imaging interface, the Task Sequence applies PwC Image Release 1.4 and the country-specific unattended XML file.

2) Apply Data Wim : Based on the model selected, the respective driver WIM is applied along with the Common Apps, Territory Apps and Updates WIMs.
3) Inject Offline Drivers : The Task Sequence executes the following command to carry out offline driver injection:

   %comspec% /c dism.exe /image:c:\ /add-driver /driver:"c:\windows\drivers\Offline Servicing" /recurse /forceunsigned

4) Inject Windows 7 Hotfix & Security Updates : Since we are using SCCM to deploy software updates, the same package is used in the task sequence. It executes the following script to carry out offline injection/servicing of Windows updates.
Attachment: ZTIPatches_wsf.zip

5) Setup and configure Windows : Once all the WIM files have been applied and offline servicing has been carried out, the following script is executed to restart the PC from WinPE into Windows. Once it has processed the unattended XML file, the SCCM Task Sequence installs the SCCM client and puts the client in provisioning mode.

6) Driver Installation : Once the SCCM client is installed, the Task Sequence installs the drivers which cannot be installed through offline servicing. This is based on the model selected in the imaging interface.

7) Application Installation : Based on the image type (i.e. Standard/System/BCP), model and country selected, the following application installations are carried out:
   A) Common Application
   B) Territory Application
   C) Portable/Desktop Application

8) LOS Application Installation : Based on the LOS selected in the imaging interface, the respective LOS applications will be installed. This is currently applicable and configured only for UK. We are in the process of doing the same for US. Until then, no LOS application will be installed as part of the build process for US.

9) OS Configuration : At the end of the build process some OS configuration is carried out. The current OS configuration steps are replicated in the Task Sequence to carry out the same.

10) PC Config : Once the build process is completed, auto login is enabled and PC Config is triggered on startup. At the end of the PC Config process the Administrator password is randomised using the script below and the information is stored in a MIF file, which the SCCM client picks up as part of inventory.
Attachment: MachineConfiguration_vbs.zip
Argument : /password

Exported Task Sequence
Attachment: PwC_Imaging_System_xml.zip
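
The McAfee filter driver registry steps in the Boot Image section can be verified after the hive has been edited. The following is an added example, not part of the original document or of any McAfee or SCCM tooling: a Python check over a regedit export of the offline hive. It assumes the hive is loaded as pe3 and that the disk class filter value is named UpperFilters (the document does not name the value); the sample export is constructed.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\pe3\ControlSet001"           # hive loaded as "pe3"
DISK_CLASS = r"Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}"
BASE = {"Type": 1, "Start": 0, "ErrorControl": 3}         # values from steps 3 and 4
REQUIRED = {"MfeEpePc": BASE, "MfeEEAlg": {**BASE, "Group": "Primary Disk"}}

def multi_sz(items):  # encode as regedit exports REG_MULTI_SZ: hex(7), UTF-16LE
    raw = ("\0".join(items) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def parse_reg(text):
    """Parse a .reg export into {lower-cased key path: {value name: value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)                # join wrapped hex lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, val = m.groups()
            cur[name] = val.strip('"')                    # REG_SZ unless typed below
            if val.startswith("dword:"):
                cur[name] = int(val[6:], 16)
            elif val.startswith("hex(7):"):
                raw = bytes(int(b, 16) for b in val[7:].split(",") if b)
                cur[name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return keys

def check(text, drivers=("MfeEpePc", "MfeEEAlg")):
    """Return deviations from the documented settings; an empty list means compliant."""
    keys, problems = parse_reg(text), []
    for drv in drivers:
        svc = keys.get("\\".join((ROOT, "services", drv)).lower(), {})
        for name, want in REQUIRED[drv].items():
            if svc.get(name) != want:
                problems.append(f"{drv}: {name} is {svc.get(name)!r}, expected {want!r}")
    cls = keys.get("\\".join((ROOT, DISK_CLASS)).lower(), {})
    order = [f.lower() for f in cls.get("UpperFilters", [])]  # assumed value name
    if "mfeepepc" not in order:
        problems.append("MfeEpePc is not in the disk class filter list")
    elif "partmgr" in order and order.index("mfeepepc") > order.index("partmgr"):
        problems.append("MfeEpePc is listed after PartMgr")
    return problems

def sample_export(filters, start=0):   # constructed demo input, not a real image
    svc = f'"Type"=dword:00000001\n"Start"=dword:{start:08x}\n"ErrorControl"=dword:00000003\n'
    return (f"Windows Registry Editor Version 5.00\n\n[{ROOT}\\services\\MfeEpePc]\n{svc}\n"
            f"[{ROOT}\\services\\MfeEEAlg]\n{svc}\"Group\"=\"Primary Disk\"\n\n"
            f"[{ROOT}\\{DISK_CLASS}]\n\"UpperFilters\"={multi_sz(filters)}\n")
```

For images using a release earlier than 6.1.2, call `check(text, drivers=("MfeEpePc",))` so that the MfeEEAlg key is not required.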