2012XRQAECQ01

Created 22/12/2012 19:11 by Thirulogachandar

TS/UK/GTS/PwC
OSD Image creation for Windows 7 - UK
Desktop Security Products compliance
Digital signing of Microsoft Office applications
DMA Server Share Cleanup
Allocated to:
TCS MDS - Vivekananda Mandekara/UK/GTS/PwC
Admin
Category
Hardware
none
Software
Base Images
Initial requirements
Full details of task
System Centre Configuration Manager (SCCM) offers wealth of features. Once of the features is
Operating system deployment (OSD). We have carried various out various POC on OSD to confirm
whether it suit PwC requirement. Based on various result it is concluded to use OSD as way forward.
OSD
Operating system (OS) deployment allows you to create and deploy Operating System images to
target computers through SCCM. Provides wealth of features to centrally manage and maintain the
Operating System deployment. Meets all the imaging requirements of PwC UK and also provides
additional features.
PwC Imaging Requirement
Existing Imaging
Requirements Does OSD Support? Added benefits of OSD
New PC Built in Onsite and OffsiteYes
Reduction in time taken to build PCs
Data Migration can be automated
Enhanced security
Reduction in time taken to carry out Image refresh activity by MDS
team
Can be replicated to other territories with slight modification
Reimaging of PCs Onsite Yes Same benefits as above
Swing stock and Loan PCs Yes Same benefits as above
BCP and System Builds (AOS
Kiosks)
Yes Same benefits as above
The current Imaging process
Three Phases of Imaging
Build Phase: Imaging the PC with Windows 7 using USB key. Starts at booting the PC with USB
key, ends with initiation of PC Config tool for UK and completion of encryption for US
Commission Phase: PC Config Phase: Runs PC Config tool to initiate encryption, Installs Territory
apps (only for US), Joins PC to domain and installs SCCM client LoS Applications Installation:
Download and install LoS applications based on users LoS (for UK only).
Data Transfer Phase: Transfer of user data using DMM from old to new PC applicable only on
reimage and PC replacement scenarios
Current Imaging Process - UK
Current Imaging Process - US
Proposed Imaging Process with OSD
UK PC Image Timing - Comparison
Setting up and configuring OSD
This phase is split into three
1) Boot Image
2) Image Interface
3) OSD Task Sequence
Boot Image : X86 Boot image is created using WAIK tool kit and following customisation were
carried out
Unattend.xml
Basic unattend.xml for WinPE which provides simple configuration settings:
Disables firewall 1.
Display settings 2.
US Locale Settings 3.
Organisation Name PricewaterhouseCoopers 4.
Auto accept EULA 5.
Unattend_xml.zip Unattend_xml.zip
Password.ini
Reference file used to store user password details for access file and print server at US, UK and UK
Offsite Vendor. Format as follows:
[Locale]
username=Domain\Username
password=password
password_ini.zip password_ini.zip
Launch.cmd
The file is placed under system32 folder. customised command-line scripts is added which are
executed during winPE Startup. In this case we need call imaging interface before imaging process
can trigger.
launch_cmd.zip launch_cmd.zip
TSconfig.ini
The file is placed in root folder. By design anything to be execute during winpe startup should be
updated/added in TSConfig file..
TSConfig_ini.zip TSConfig_ini.zip
Network/USB Drivers
The following model Network interface drivers and USB 3.0 Drivers are added to boot image.
Lenovo Thinkpad T410/T400/T430/T420 1.
Lenovo Thinkpad X200/X200T/X201/X201T/X220/X220T 2.
Lenovo X1 3.
think centre M90/91/92 4.
Dell XP 13/14/15 5.
HP 2570 6.
Sony Viao 7.
McAfee Filter Driver/EETECH Utility
1) Insert the driver files. The driver files can be extracted by any existing Endpoint Encryption
installation.
Just copy the files from windows/system32/drivers folder to the equivalent on windows PE
folder:
MfeEpePc.sys
For release versions of 6.1.2 and greater, the following driver must also be considered:
MfeEEAlg.sys
2) Open the registry editor and load the System Hive from the Windows PE folder
Windows\system32\config\system (The following examples assume that you have loaded the
hive with
the name pe3.
3) Insert the following registry keys for the MfeEpePc.sys driver
[HKEY_LOCAL_MACHINE\pe3\ControlSet001\services\MfeEpePc]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000003
4) For release versions of 6.1.2 or greater insert the following registry keys for MfeEEAlg.sys
driver
[HKEY_LOCAL_MACHINE\pe3\ControlSet001\services\MfeEEAlg]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000003
"Group"="Primary Disk"
5) Find the following registry entry
[HKEY_LOCAL_MACHINE\pe3\ControlSet001\Control\Class\{4D36E967 E325 11CE
BFC1
08002BE10318}]
6) Edit the current value which is usually as follows:
PartMgr
7) And change it to the following:
MfeEpePc
PartMgr
8) Added EETECH Files in appropriate folder so that filed service can use EETECH Tool to carry
out troubleshooting
Safefguard Filter Driver
The below utility to inject safeguard filter driver in boot image
InstallSGE2WinPE20.zip InstallSGE2WinPE20.zip
Hotfix
The following hotfix is injected in Boot image
http://support.microsoft.com/kb/982018
Image Interface : We have following imaging interface
1) Srv.hta : This interface is used to sync the USB key and also required to select country and
operating system to be imaged. This interface has been updated to store all option which are selected
in the interface as SCCM Task Sequence variable so that it can be used in OSD Task Sequence to
carry out condition based installation
srv_hta.zip srv_hta.zip
2) PwC_Win7.hta : This interface is used to select type of build and model on which image to be
applied. This interface has been updated with LOS option so that based on LOS selected the
respective LOS application will be installed as part of build process and all option which are selected in
the interface are stored as SCCM Task Sequence variable. EETECH Tool shortcut is placed in this
interface so that Field Service/ITSP can use it when it is required for troubleshooting disk encryption
issue.
pwc_win7_hta.zip pwc_win7_hta.zip
2) PwC_WinXP.hta : This interface is used to select type of build and model on which image to be
applied. No changes are done
pwc_winxp_hta.zip pwc_winxp_hta.zip
OSD Task Sequence : Before setting Task Sequence the following wim files are imported to SCCM
1) Operating System Image : PwC Image Release 1.4 has been imported to SCCM OSD
2) Driver Image : The following driver image has been imported to SCCM OSD
a) ibmtcm90p.wim - Lenovo Think Centre M90 Driver Wim
b) ibmtcm91p.wim - Lenovo Think Centre M91 Driver Wim
c) ibmtcm92p.wim - Lenovo Think Centre M92 Driver Wim
d) ibmtx2430t.wim - Lenovo Thinkpad T430/X230
e) ibmtx2420t.wim - Lenovo Thinkpad T420/X220/X220T
f) ibmtx2400t.wim - Lenovo Thinkpad X200 and X200T and T400
g) ibmtx24501t.wim - Lenovo Thinkpad X201 and X201T and T410
3) Common Application Image : The common Application wim has been imported to SCCM OSD
4) Territory Application Image: UK & US Territory Apps wim has been imported to SCCM OSD
5) Updates Wim : The updates wim has been imported to SCCM OSD
The Task Sequence is split into the following section
1) Apply the Operating System Image : Based on country selected in imaging interface the Task
Sequence will apply PwC Image Release 1.4 and apply country specific unattended xml file
2) Apply Data Wim : Based on the model selected the respected driver wim is applied along with
Common Apps & Territory Apps & Updates wim.
3) Inject Offline Drivers : Task Sequence will execute the following command to carry out offline driver
injection
%comspec% /c dism.exe /image:c:\ /add-driver
/driver:"c:\windows\drivers\Offline Servicing" /recurse /forceunsigned
4) Inject Windows 7 Hotfix & Security Updates : Since we are using SCCM to deploy software updates.
Same package is used in task sequence. It will execute following script to carry out offline Windows
updates injection/service
ZTIPatches_wsf.zip ZTIPatches_wsf.zip
5) Setup and configure Windows: Once all the wim files and offline services is carried out. The
following script is execute to restart PC from WinPE to Windows. Once it has proceed unattened xml
file, SCCM Task Sequence will install SCCM Client and put the client in provision mode.
6) Driver Installation: Once SCCM client is installed. Task Sequence will carry out installation of Driver
which cannot be carried out through offline service. This based on model selected in imaging interface
7) Application Installation : Based on the image type i.e Standard/System/BCP & model and country
selected the following application installation are carried out.
A) Common Application
B) Territory Application
C) Portable/Desktop Application
8) LOS Application Installation : Based on the LOS selected in imaging interface the respective LOS
application will be installed. This is currently applicable and configured only for UK. We are in process
doing the same for US. Till that time no LOS application will be installed as part of build process
9) OS Configuration : At end of build process there are some OS Configuration are carried out. current
OS Configuration are replicated in Task Sequence to carry out the same.
10) PC Config : Once build process is completed auto login is enabled and on startup PC Config is
triggered. At the end of PC Config process the Administrator password is randomised using below
script and information is stored in MIF File. SCCM Client will pickup as part of inventory.
MachineConfiguration_vbs.zip MachineConfiguration_vbs.zip
Argument : /password
Exported Task Sequence
PwC_Imaging_System_xml.zip PwC_Imaging_System_xml.zip
J ournal
History