Introduction to OSD in Microsoft SCCM (WIMs, Boot Images, PXE, Drivers and More)

Hi, my name is Justin Chalfant. I'm the engineering lead at Patch My PC. We develop a third-party patch management solution that integrates into Microsoft SCCM. Prior to my current role, I was also a premier field engineer at Microsoft supporting SCCM.

In this video, it's going to be a series of videos around operating system deployment, so this first one is going to cover some of the fundamentals. So this is gonna be things like boot images, drivers, driver packages, operating system images, task sequences, PXE, servicing images to apply the latest updates. But I do expect future videos that cover some cool topics like front-ends and how we can use MDT user-driven installations to do a lot of customization around the actual deployment. But this one is gonna be just kind of fundamentals, getting you to know some of the basics on what's actually happening in Config Manager when we deploy images. So I do expect this to be a lot of topics that we kind of go through within this, so I'm gonna go ahead and jump right in.

The first thing that we need to understand is our boot images. So this is a core piece of operating system deployment in SCCM. So when you install SCCM, one of the prereqs is going to be to install the Windows 10 ADK, so that's the Assessment and Deployment Kit for Windows 10. One of the components within that piece is going to be something called WinPE, or Windows Preinstallation Environment is what that stands for. So these WinPE boot images are basically mini versions of Windows that are running in memory to install the core Windows operating system onto the hard drive. So when SCCM is installed, it's going to automatically generate boot images based on the installed version of the Windows 10 ADK. So one thing to note is that we will go into the properties of our default boot images that were generated. I'm just going to go over some of the different settings that you might want to add to your boot image. Now one thing to note, if you don't have all the tabs here
like customization and just the, if it's stripped down, what that means is that you don't have a supported Windows 10 ADK version for the version of Config Manager that you're running. So in order to have all the tabs and be able to customize boot images, you need to make sure that your ADK is upgraded to a supported version. So for example, I'm running Config Manager 1802 at this time and I've got the 1803 Windows 10 ADK installed, so we can see that is a supported scenario for our boot image within SCCM. Now if I had a previous version of Config Manager and it wasn't upgraded and I tried to use some of the newer ADK, for example, we could see that the 1803 version of the ADK isn't compatible with 1710 or 1706. So if you didn't have some of the tabs that I'm going to show you, that means that your boot images need to be upgraded, and you can do that by installing the latest Windows 10 ADK. A little tip: you want to make sure that you get that installed if you can before you do the site upgrade, because it will auto-generate and recreate the default boot images based on the current version during the upgrade for what's installed for the ADK.

So the first thing I want to look at here is the customization. So one thing that I'm going to enable, it's a testing lab, is this command line support option. So this is not enabled by default. If you're in a production environment, one thing to note, if we look at the documentation for this, it's not recommended to enable command line support in a production environment, because what that means is somebody could go into a command prompt while the task sequence is deploying your image and basically have full system access, because we're installing the task sequence under system context. So there's some security concerns if that was enabled in a production deployment, where if a user got in they could gain access, as well as, if they know what they're doing, they could possibly dump some of the task sequence variables and get access to things like the network access
account. So for our testing, we are going to be using command prompt support to show you what's going on. If this is a production task sequence, you might want to use a boot image without this enabled.

The next thing we want to look at is the Data Source tab. So we want to make sure that we are deploying our boot images to PXE-enabled distribution points. So if you plan to use PXE to boot images, or boot your WinPE boot images off the network, you want to make sure this option is deployed on your boot image.

Now under the Drivers tab, that could come into play at some point. Usually if you're using the latest Windows 10 ADK, it's pretty rare that you ever need to add drivers into that WinPE environment. The only type of drivers that you might need would be network and storage drivers. You wouldn't ever want to add anything else because that would just bloat the boot image. You would only need to add network drivers or storage drivers if you needed those, but like I said, usually it's going to contain everything it needs for the majority of operating, or the majority of hardware out there. If you did have a machine that PXE'd up and then it didn't get an IP address and didn't detect the NIC, that's usually when I would go in and think about adding the additional network drivers that you would need for that. Optionally, if you want to add some different components, so if you wanted to add things like PowerShell support within your WinPE environment or .NET, you do have the ability to do that, but not something that we would need for this deployment. I also have the same settings for command line support on my 64-bit boot image and also have that set to deploy to our PXE-enabled distribution point. So what I'm gonna do is go ahead and get those boot images out to my distribution point. In our case, that's just the simple lab, we're gonna install that on our single distribution point that we have.

Now the next thing that we want to look at is our operating system images. So these are gonna
actually be the Windows images that get deployed to our clients. We have a few different options for the way that this happens. So we could either use a default image, so that's gonna be what comes with the Windows 10 ISO. There's going to be a WIM, or Windows image file, that's contained within that extracted ISO. So that's what we're going to be covering in today's video, is just using that default install.wim. So looking directly at the SCCM docs, some of the advantages and disadvantages to this method, we'll cover that. The default image is always going to be smaller than any type of capture, if you were to do a build and capture and put in custom applications and things like that, so that's gonna allow you to get a smaller image size. The second thing that we can do here is you can have your task sequence be more dynamic, meaning that when we actually deploy our default install.wim, we can then do things like layer on applications and be more dynamic with those applications. So for example, instead of baking in a specific version of Java, for example, if we were to do a build and capture and create an image, we could always apply the latest version that you have packaged within that deployment if you use the install.wim, because it wouldn't be there before. So that can be nice, being a bit more dynamic. The other disadvantage of using the install.wim: if you do a lot of application deployment during the actual deployment of the image, that process is going to take a little longer to install those applications versus if you were to use a captured image and basically preload all your applications into an image and then capture that into your own custom WIM. So we'll cover a build and capture in a different video. So in this one we're just going to use that default image file.

So in order to do that, what you need to do is get the latest ISO for Windows 10 that you want to deploy. In our case, the current one is 1803. So what I've done is extracted that ISO, and the default
image is going to be in the sources folder, and there's going to be an install.wim. So if we look at this file, we can see it's just about 4 gig for the 1803 version of Windows 10 64-bit. So what I'm gonna do is go ahead and copy that, and within my network UNC path that I use for my packages, I've got a different folder here called WIMs, and I've already pre-created a few different folders. So the default install that we get directly from the ISO, I'm gonna copy it in this folder that says install.wim - all indexes. So that's gonna be the default image that contains all the different business editions of Windows 10, so this will be things like Education, Pro and Enterprise, for example. So that looks good.

Now since I'm only interested, at least in my environment, in deploying the Enterprise edition, what we can do is basically extract that image out of here. So the first thing I'll show you is what the different images look like. So for example, if we were to just add this install.wim, let me just point out to that path and then install.wim and paste that in and add that into SCCM. Let me just rename this to match my folder name 3 and then import. So within this image, what we'll see here under the Details tab, this is going to show you all the additional image indexes, or you can think of these as the different SKUs of Windows that will be available within that image. So for example, you can see Education, Enterprise, Pro, Pro for Education and Pro for Workstations. So these could potentially be different images that you could deploy based on the different index number that we could configure in our task sequence. But since we're only interested in one of those editions, at least in my lab, what we can do is extract out that index for Enterprise. So in order to do that, we can basically run a DISM command on that WIM file. So what I'm going to do is run the port's that fit. For the first command, we're gonna run the get image. All right, so we'll paste that in. I'll zoom in to
kind of show you what that looks like. So we're gonna get the WIM info. We're gonna specify the WIM file path for that extracted WIM that we did for just the default, and we'll go ahead and run that. And then what you can see, you're going to get all the different image indexes or editions, just like we see over here in SCCM. So in our case, we can see the one we're interested in is Enterprise, which is index 3. So we can see that here, the Enterprise version is index 3. So in order to extract that, it's just going to be another DISM command that I'm going to run. So let me just copy that, come back over, paste in that command. So what we're going to see here is we're going to run the DISM export image. We're going to specify the source image file, so that's going to be that WIM that we got directly from the ISO that contains all those indexes. We're gonna specify the source index that we want to extract out, and then we're going to specify the destination WIM file where we want to save that to. So I'm just gonna save it to one of those folders that I pre-created here. If we go look at that, we've got this folder called Enterprise only. OK, so I'm going to go ahead and copy that path that we're going to use for the updated version. So we can see right now it's just going to be that same one that we exported. So we're gonna go ahead and paste that in. I'm going to copy this name. OK. OK, we're gonna select the image, next here. For the image name, we're gonna kind of paste that in. It looks like it might be too long. Let me do, let me just rename this image Enterprise only - updated. OK, that looks good. In our case, it's 2016, or 2018, and the month is June, so we're going to be able to inject the June offline update using offline servicing, the June 2018 cumulative update, to this image. So we'll paste that in, do next here, and there we go. So we've got essentially the default install.wim that contains all those images right here, and then we have our Enterprise only version that we extracted out.
So for the Enterprise only one, what I'm going to do is go ahead and schedule updates. So as long as you have your software update point synced and downloaded into an update package, you're gonna have the ability within this offline servicing, or the Schedule Updates feature of the SCCM console, to inject any of those updates into our image file. So in my case, what I'm going to do is, I'm not worried about the previous month's cumulative update, I'm gonna only apply the latest cumulative update. So we'll do the, looks like we have a Flash update. I guess I'll try all three of these. So that looks fine. So we'll do next here. We're gonna apply the updates as soon as possible. If an update fails to inject, we're gonna go ahead and continue on that error, and then we're gonna automatically update the distribution points with the image after we update, after we install the patches to it. I'll go ahead and choose next here and then close.

So what's happening on the back end here, if we go and look at our log files, there's going to be a log file called offline servicing manager, and what that is going to do is it's gonna copy the image from the source path, so we can see that source path that we defined, and it's going to copy it to a staging area. So if we go and look at that, it's actually copying it over to the D drive in our scenario, and it's going to copy that WIM and mount it to this directory. OK, so we can see it copying over. So we'll pause while this copies.

All right, so we can see that the image was copied and it's now being mounted. So in the background, Config Manager is basically using DISM, and what we're doing is we're mounting that install.wim into the mount folder. So if you look at where it's actually being mounted, you can see that this WIM file, when it's extracted out, it's basically got the same folder structure that you would see within an installed operating system. So we've got our Program Files, the Windows directory, and what's happening in the
background, these patches are actually being injected into that offline folder. So we can see our three updates. It's gone through one of them, we're currently going through the second one. If you want more details on what's actually going on in the background, we can look at the DISM log on your site server that's running this. So C:\Windows\Logs\DISM, there's gonna be a DISM underscore SCCM log file that we can look at. So this will actually show you what's going on on the back end when these patches are being injected into that offline folder. So this could be helpful if a patch were to fail to be applied, you could basically come in here and look at what's going on. So I'll just go ahead and pause it while we wait for this process to complete.

All right, so the offline servicing has completed. So if we take a look, we can see that we had a total of two updates that were applied. One of those updates, if we come here and look, we can see it wasn't applied. What that means is the update wasn't a component-based servicing update. So not all updates can be applied offline, so that's why we had two of those three get applied. After that, what happens is it's gonna copy the WIM that was created and updated, and it's gonna basically copy it over to that source folder where your image was located before and overwrite it, but there is a backup that's going to get created. So if we go and look at the folder for the updated WIM that we did, what we can see here is that the new WIM file is now 4.2 gigabytes. So that looks good. So we went from about, if we go look at the Enterprise only one, for that latest cumulative update we added about 700 megabytes. So if we come back into our console, what we want to do is go ahead and distribute these two images to our distribution points. Next here, OK here, and then next. And we can see here that the size did now go up in the console, so it's now showing that 4.2 gig.

Now one thing I do want to point out, another reason why you might want to extract the index
that you want to use, so in our case that was just Enterprise. What I've got here is some previous versions of Windows 10 1803 that I was playing with. So what you can see is that the base install.wim was that 3.9 gig file. What happens when we do an offline servicing is there can be some duplication that wouldn't happen if you just had one image. So we can see that the patched version for all ten of those indexes added about a gig, a little over a gig, about 1.2 gig. So it added about an additional half a gig versus the Enterprise only that we serviced to the latest cumulative update. So if you did want to use that base WIM and do offline servicing, just note that the servicing process does basically loop through all images and apply updates, so it does add some additional space on that install.wim when it patches all of those indexes. But I think that looks pretty good with the image file. Since we're using just the base one that we got, we're gonna be using this Enterprise one that we patched with the latest cumulative update. So if you look at the update status, you will see what updates were applied to that image offline when we use that Schedule Updates feature.

All right, so the next thing I think I want to take a look at are the drivers. So in our case, we're actually going to be deploying this to a Hyper-V machine, so there aren't going to be any drivers that come into play. Obviously in production environments you're going to be using physical machines often when you do deployments, so I do want to go into that process. So the way that I structure my driver layout is I create a folder that's shared out, and then I have two subfolders under the drivers folder called sources and then packages. Within the sources folder, I generally like to lay it out like this. So I'll do the operating system and architecture, then I'll filter by manufacturer. So in our case, we're going to be using Surface Book drivers, so I would do Microsoft, and then for the actual model of the device, for this
demo we'll be doing a Surface Book. OK, and then what I'll do, I'll copy that same structure that I copied in the sources folder and I'm going to copy that same structure over to my packages folder. Then what we would need to do is go to your vendor and download their driver packages. So for Microsoft it's pretty easy. I should already have that downloaded. Might have put it on my desktop. No. OK, might be over in my sources scratch folder. All right, so it looks like I didn't have that copied over, so I went ahead and copied that over. So I just put it in a scratch workspace that I'm gonna be using. And the way the Surface works is Microsoft provides their drivers in a zip format that basically contains all the drivers within that. For Dell, they have an enterprise CAB, so it's basically just like a zip file that you can extract, but it's in a CAB format that would contain all the drivers for a specific model. For HP, I think they use self-extracting executable files. But the process should be pretty similar regardless of the vendor, you would just want to extract the drivers. So for the Surface, this is going to be the subfolder that I'm interested in that has the drivers. So I'm just going to go ahead and choose to extract that, and we want to extract that to our source folder. So we're gonna go within that Windows 10 folder, then Microsoft for the manufacturer, and then the actual model, which is a Surface Book. In our case, there's just the Surface Book 1 drivers that we're extracting. So that's going to go ahead and get those drivers extracted in here. We're gonna go ahead and copy that path for the sources for the Surface Book. That looks good, extraction is done.

And within the Drivers node of SCCM, this is where we do our import. So a couple things here. If you wanted to get really organized, we could do things like create subfolders, so I could have a similar folder structure, Windows 10 x64. Now folders for this is just used for organization, so if you wanted we could just import
everything at the root level and then you could use categories, or if you wanted to use categories and folders, you could also do that as well. It's really going to be personal preference with how deep you would want your layout to go. In my case, I'll show you how we can use folders here, so we'll just do Surface Book. All right, now I know you couldn't import directly to folders in the past. That looks like it's still like that. So what we'll do, we'll import directly on the Drivers node. We're gonna paste in the folder of our sources path for this specific model. I'll leave the default option, import the driver and append to a new category if we have multiple drivers, so that's pretty common with things like NIC cards. It's gonna go out and basically analyze all the INF files for the drivers, so this can take a few minutes.

I thought it might be helpful to show what's going on here in the back end. So if we're looking at the log files in SCCM, there should be a log file called driver catalog. So this is where you can basically see Config Manager searching out through the drivers and verifying that they're digitally signed and compatible. So this will go out and analyze all the INF files. It looks like we are done though. So if we go back to our wizard, and let's see, here we go. So this will go ahead and show all the drivers that were available within that Surface Book. This is also where we could assign categories if we wanted. So looks like I already have a few that I want to add. So Windows 10. Usually I like to use multiple categories, so when we search, for example, we could search for Windows 10 drivers, that would show basically all models that are Windows 10. If we have an additional one for 64-bit, we could then add that condition, and then we can also do things like the model, so a Surface Book. I think I had a space, and that is the official name, so let me just rename that. And you could even do things like the manufacturer, if I wanted to add Microsoft in here. So it looks good, and this
is purely used just for searching and organization for the categories. So we'll go ahead and choose next here, and this is where we need to make a new driver package. So if we look back at our source folder, OSD, ISO, no, drivers, packages, we've got our folder structure we copied and we can see that this is empty. So we want to use this path for the actual package. For the name of the package, I generally like to name it by operating system and architecture and then the actual model of the device, Surface Book. OK, looks good, and then we'll choose next here. Now you definitely don't want to add all these to your boot image. The only time you would want to add to your boot image would be network drivers, and usually it's best to just go to the properties of the boot image and just add the single network driver or storage driver directly using that method. And then we'll do next here. So what's gonna happen now, if we look at this driver package, the content of these binary files are gonna get copied over, and that's gonna be what actually gets distributed out to our distribution point. And when our clients are installing an image and they go to the driver step, if it's the model for the package we create, we're going to use a condition, and then they're basically going to download all the drivers within this package and then apply them using DISM.

All right, so that driver package imported successfully. So this is where the package is, where the actual INFs get copied, so that all looks good. So over here what we can see is we've got all those Surface drivers. Now if you wanted to, totally fine if you wanted to leave these all at the root. If you did want to use subfolders for organization, what we could basically do, since these are the only drivers I've imported, I could basically just come in, select them all and then choose to move. Now if you had drivers before this, we could basically filter on the classification and the search, and then we could just move the Surface ones to this folder for the
Surface Book. OK, that looks good. So that's just gonna move all the drivers for the Surface Book, and it's just gonna move them to that subfolder for organization, so we could directly come and kind of look at what versions of drivers that we've imported for that model, for example. Next thing I'll do is I'll go ahead and distribute this package. So you generally will want to create a different driver package for each model. It makes the process of applying drivers much cleaner versus trying to use the auto apply feature, which can try to dynamically kind of search out the driver catalog that you've imported and try to match that up. Usually that can be a bit sporadic and cause some issues. So by having a different driver package for each model, we can basically have a condition that will apply all drivers within that model to a specific device if it matches that model for that device. So I think that process is good for covering the driver piece of things. You would just kind of repeat this. I will include a link to some community tools that can basically automate a lot of this process if you wanted to automatically create driver packages for different models.

So the next thing that we're going to look at is some of the accounts that need to be created and added to SCCM in order for us to image. So the first account that we need to use is something called a network access account. So this account is configured in your site properties. If we right-click and choose to configure site components and then software distribution, under the network access account, this is where we can add this. So the way that this would look is, on my domain I've got an account that's been created. It's a service account where the password doesn't expire. For the network access account, you want this to be just a standard domain account with no permissions at all, just a default domain user. Member Of, that's the tab I was looking for. So we can see this is just a domain user, so this
is gonna have no special permissions needed. We want this to be the lowest-level account we can provide. So back over here, what I'm going to do is basically browse out to that service account and then enter the password in. And the network access account is going to be used for authenticating to the network when we're doing things like downloading content from our SCCM site. So that's the first account that we need.

The second account that we need is going to be a domain join account. So in order for us to actually domain join machines, we need to have a domain join account that has permissions. Now I thought this was really important to cover because I would often find people might not know the permissions that you need at a minimum to join computers. So a lot of customers might just be using things like the domain administrator account, which can be a pretty big security issue since the password for this account is going to be in the unattend.xml, and if you know what you're doing and have command line support enabled, you could potentially, you know, get access to that account. So what we're going to do, if we look at our users here, I've already pre-created an account here called SCCM domain join. I want to make sure that I have my advanced features enabled in Active Directory Users and Computers, and what we're going to do is delegate the permissions needed to join computers to the domain. So you could either select a specific OU that you're going to be using to join computers to, or if you wanted to recursively set that at your domain level, which is what I'm gonna do here, you can just do properties of the domain. Under the Security tab, we're gonna click on the advanced view, and then we are going to add a new account. This is gonna be where we choose that SCCM underscore domain join account, and what we want to do is, for this first option, we're gonna allow this object and all descendant objects, and we want to choose the option here to create and delete computer
objects. So if we zoom in, create and delete computer objects. The next option, we want to drop down and apply some permissions to descendant computer objects, so these are for computer objects that already exist. For this setting, we want to enable the option to write all properties. OK, we want to be able to, zoom out here, reset the password. So if we have a computer that is being reimaged, we need to make sure that we can reset the existing computer account password within Active Directory. OK, we're going to need to be able to change the password, so that option there, and then the modify permissions for the computer object. That should be what we need for domain joining. There's also some DNS entries that we want to add here. So we want to be able to have it validated write to DNS host name, and then validated write to the service principal name. So that should be good. What that's going to do is basically give that domain join account permissions to join machines to my domain and any sub-OU within my domain.

All right, so jumping back over to our SCCM site, the next thing that we're going to do is enable PXE. So if we look at our distribution point, so you should already probably have a distribution point installed. If you don't, I'll link to a video that we did for installing our site as well as the distribution point. But on the properties of the distribution point, we want to make sure that we have PXE enabled. So in this lab, we're going to use PXE to network boot and deploy our images. So if we look at the PXE tab of our distribution point site system, we're going to enable PXE and choose yes to allow the firewall exceptions. The next thing that we're gonna do is allow this PXE service point on this distribution point to respond to PXE requests. Obviously that would be needed. In my case, I'm going to enable unknown computer support, so that means that any devices that don't already exist in SCCM will have the ability to PXE boot and deploy an image. Optionally, if
you wanted to require a password before the image can be selected, you could set that setting and configure a password for your PXE point. In the lab, I'm not going to require a password, and keep the default options for the network interfaces. I'm just gonna have it respond on all network interfaces, in our case that's going to be just one here, and choose apply. Now if you have multiple PXE servers in the same subnet, that shouldn't be common, I can't really see a good reason for doing that, you have the ability to basically delay one of them if you wanted the other one to respond to PXE requests.

So what's actually going to happen on the back end, if we look at our log files, the component responsible for enabling PXE is actually going to be the distribution manager component. So we can see here that it's already kicked in, so we're starting to install the PXE role. So we can see here that the command that we're running to install PXE, we're actually using PowerShell. So it's running the command and then it's running the import and then installing the feature. There we go, it looks like it installed the WDS role and now it's initializing it. So we can see that it's putting our boot images on the J drive and then the RemoteInstall folder. So that looks good. If we go and look at that folder, what we should see is some stuff getting copied and getting installed for our PXE point. There we go, so we can see we've got our boot images already copied over. So these are the boot images that we ensured that we enabled that option to deploy to our PXE point. If we didn't do that, no boot images would be deployed and running. Now on the actual PXE server, there's gonna be a log file, it's gonna be SMSPXE. Now in my case, it looks like it installed it on my site server in that location, so that looks good. It might possibly be in your client folder, so if you're looking back at your main install directory, it might be in your client logs folder. Depending on when that was installed, the PXE
log might be there, so it can kind of change around depending on if the client's pre-installed before you install this role. So that's looking good; we can see it added our boot images in there and everything seems to be running. If we look at our services we can see that the Windows Deployment Services server is running, so that's the actual service that runs on your server that handles the actual PXE booting. So that looks good.

At this point I think we can go ahead and create a basic task sequence that can deploy our image. So the task sequence is the actual steps that are going to happen to get an image deployed to our client. So we're gonna go ahead and create a new one. We're gonna choose the option to install an existing image; we'll call it Windows 10 x64 1803. For the boot image we're going to choose our 64-bit boot image, because that's going to be the architecture that we're deploying. For our image package we're gonna choose that Enterprise-only one, the one that we serviced to contain that June cumulative update. I'm not going to use BitLocker, so I'm going to uncheck that option, and I am going to enable the local administrator account, just in case something were to fail; we could basically still log into the account if the domain join failed, for example. I'm going to have that password set, so I'm not going to have it randomly create it and disable it. So it looks good; we'll do Next here.

We're going to join a domain, so we're gonna join our contoso domain, and then for the OU I'm gonna place this in an OU named Managed and then a sub-OU named Workstations. For the account that's being used, this is going to be that domain join account that we created and gave permissions to. Okay, it looks good; we'll do Next here. This is just gonna install the Config Manager client, so it should automatically pick up the default client package that's installed for your site. There shouldn't be any parameters; that should just auto pick that up for us. Now if you wanted to do a
user state migration, if this was a refresh or you're reimaging, you know, an existing machine, you could possibly do a capture and restore. In our case I'm gonna disable all the capture settings, because we want this to be a bare-metal new deployment; I'm just getting the basics done. Optionally, if you had your patches deployed, you could include an install software update step that would install any deployed updates through SCCM to the clients that you're imaging. In our case I know that we've already got our cumulative update installed, so I'm not gonna worry about this step.

Okay, and for the install application step, let's see what we've got going on here. So here's an application that I'll go ahead and install: it's the Local Administrator Password Solution, or the LAPS tool, that can be used to basically apply a local administrator password and kind of randomize it and reset it and send that up to Active Directory. So that's just a simple MSI that I've got here. Let me see if there's any other ones that I could add here. I think most of these are going to be really old, because I haven't really used too much in this environment. Yeah, they're super old for all these apps. We'll just install that one; that should be fine. I'll choose to keep going with the sequence if an application in the list were to fail. In our case there's just one, so that shouldn't really matter.

Right, so if we go and look at this, if we choose the Edit option, this is gonna actually show us the steps that are gonna happen when we deploy our image. So the first thing that we're gonna do here is, if we're deploying this to an existing machine that's already running and you deploy this through Software Center, it's gonna restart into WinPE, or that boot image environment, to actually format and apply the OS. We've got two different format steps here, so one's going to be for BIOS-based machines, or legacy, and then one's going to be for UEFI-based machines. So if we actually look at what's going on here, the
partitioning of these two different format steps are going to be different based on whether it's a legacy device or whether it's UEFI. So that all looks fine. If we look at the conditions, it's just using some built-in conditions that the client's going to know about, whether it supports UEFI or not.

The next setting here is we're going to apply the operating system image, so that's just the image that we created and captured. This is where we could see the different indexes. So for example, if we browsed out and changed that to that install.wim, you can see this one contains all ten of those indexes that we had in that original image. In my case we're just going to do the Enterprise one here that we patched. The next setting is applying some Windows settings, so we're going to just rename this to Contoso IT, same thing for the organization name. Now if you had a product key, this would be where you want to enter that here, if you had like a MAK key. If you're using KMS it should just automatically pick it up. Here's our local administrator password. We can optionally change the time zone here.

The next thing that we're doing is our network settings, so this is where we're going to join the domain. So this will actually write out this information into the unattend.xml, but this just gives all the information to the machine, so when it restarts, that unattend.xml is actually what's going to join the machine to the domain.

Now this next setting is one that I generally do like to change. So instead of using the Auto Apply Drivers step, which is where the machine will basically search out to SCCM and try to match the drivers that you imported based on their IDs with what the machine is running on, I usually don't like this step; sometimes you can get some weird things happening. So I'm going to delete that Auto Apply Drivers step. I'm going to create a new grouping; I like to keep this organized. We'll call it Apply Drivers. Okay, and just move this one step down so it is level, and
we're gonna add a new condition here for the drivers and apply a driver package. Okay, so we would basically have a different step here for each driver package that we have. So I'm just gonna rename this step and call it Windows 10 x64 - Surface Book. Now we don't want this step to just apply to any device we image, so what we need to do is add a condition here, and it's going to be a WMI query. So the thing that we're going to search here is, if we zoom in, hopefully I can remember the syntax here just offhand, so: select * from Win32_ComputerSystem where Model like, we're gonna wildcard this, and it's %Surface Book%. If we test this query, looks like it's invalid. Let's see, select * from... it looks like I forgot my double quotes around the model condition. So if we test this, we can see that it doesn't check out. The reason for that is because I'm running on a virtual machine, but this verified that the syntax ran.

Now let me just open up on my host machine here, let me just drag in this window. I'm using a tool called wbemtest. So if you just go to a command prompt, I'll show you what that would look like on the server: just type in wbemtest; that will open the same window here. So this is what I'm running on my Surface Book. So if we were to run this query, paste that in, so we're select * from Win32_ComputerSystem where Model like "%Surface Book%", and apply that, we can see that that checked out and we got my device returned. Now if we were to want to look at what's actually in here, if we just do select * from Win32_ComputerSystem and select my device, you can basically come down and see that Model field. So this is where we can verify that "Surface Book" is in fact the model that gets put into WMI for that hardware. So this condition looks good. So this step to apply the driver package for the Surface would only run on a model where it is Surface Book. So that looks good. So coming
back to our sequence, the next step we're going to install the client, and then the final step we are going to install our LAPS password tool. So that looks good.

So at this point we should be able to go ahead and deploy our task sequence. Now what I'm going to do initially is I'm going to deploy this to unknown computers. So an unknown computer would be essentially any device that you try to image, whether that's a PXE boot or whether you're using boot media with like a USB drive, any machine that SCCM doesn't know about. So if it's never had the client before, it would be considered an unknown device. So that's a default collection that we're going to be targeting here for this image. For how we want to make it available, we only want this to be available in media or PXE booting, so that means that the only way a device could be imaged is if you hit F12 and PXE booted it or you had a USB drive with the media. We're gonna make this an available deployment; we don't want to force it and make it required. And we'll go Next here. We're gonna make it available; just the defaults will be as soon as possible, where they could start imaging. We'll leave all the defaults here. I don't think any of this is going to apply to a bare-metal deployment, but if you did have a machine that you wanted to reimage that's already out there, this is where you could allow things to happen outside of a maintenance window if you had those defined.

One setting here that could come into play, if you don't have your boundaries configured for clients imaging, is whether or not you want to allow them to fall back and download content. So I'm going to choose that option. In my case my boundaries are configured correctly, so it should always find the content on that local DP. If you wanted to allow imaging for clients that might not be in a distribution point that's in a boundary group, you could basically allow them to fall back. Actually, I'll leave this unchecked; this should all work fine for me. And then if you
wanted to allow clients to fall back to a different boundary group, you could allow that here as well. And then we'll deploy.

All right, so for the unknown computer collection, this is one of the most basic ways that we could rename a computer: we can use something called a collection variable. So any machine that is not known to our site would be in this unknown computers collection; essentially it would be just an object that represents them. So since we have this task sequence targeting it, what we can do is create a collection variable to rename the computer. So it looks like I've already done that, so let me just delete that and show you what that would look like. So if you wanted to add a variable that the user would get prompted for during their imaging, we can create the OSDComputerName variable. So this is the variable that gets assigned to the computer name that you can change. So we're going to just set that on the collection directly. Now there's a lot of really good ways that we could automate this, or even give the users a prompt or wizard that's much cleaner, but just for the basics of image deployment I'm going to show you how we can do it via the collection variable on the unknown computers collection. So that looks good.

So I think we're at a place where we could go ahead and open up that SMSPXE log. Come back over here, Logs, SMSPXE, open that up. So if we come over to my host machine, I've already created a VM, so it's a Gen 2 VM that we're gonna use for Windows 10. I am gonna bump up the processors a bit so we can get this imaging faster, but what I've configured here is for it to boot to the network adapter by default. So we go ahead and start this guy up; we'll go ahead and hit Enter to boot it, and then I'm gonna start a timer, just because we're gonna show you a few things here. Just make this full screen. All right, so it just went through and loaded that boot image. The total time it took looks like was about 37 seconds, so that's quite a while. What I'm gonna do is go ahead
and turn this off, and I'm gonna show a little trick that we can do to make the PXE process quite a bit faster. So there's something that we can configure in the registry called the RamDiskTFTPBlockSize. So what this setting is, is it's basically the size of the packets that we send for the boot image to the client. So within your registry, under Software\Microsoft\SMS\DP, what we can do is create a new DWORD value within here, and the value we want to create is the RamDiskTFTPBlockSize. Now I'll also include some links that talk about this and how we can change it. So the default size of this value is going to be 4096, so this is the number of bytes that get sent to the client when it's downloading that boot WIM file from our PXE service. Now what we can do is basically increase this in multiples of, so that value, 4096, that's the default value, so we can increase this in multiples of that value. So for example, if you wanted to double the size of the packets getting sent, it would be 8192. We'll go ahead and double that one more time, so it will be 4 times the amount.

So this value can change. Not all computers will be able to PXE boot with large packet sizes, depending on their firmware. Usually I find this is probably gonna be the largest value that's gonna be supported; once you start going above this, you're probably gonna start seeing machines that no longer PXE boot. So you could basically increase this by that number, so if you wanted to start with 8,192 and then basically go up until you find machines that no longer PXE boot. So it can depend on whether your routers are going to support packets that size, as well as your clients' firmware, or whether they're going to support that.

So in order for this to take effect, what we're gonna do is go ahead and go back to our services, Windows Deployment Services server, and then restart that service. What we'll see in the PXE log is SCCM is actually going to pick up that new setting, and it would display it out. So
we can see that it detected the new block size is now 16384. So coming back over to my client, we're gonna go ahead and PXE boot this one more time. Click Enter here, start that timer, and you can see that we're already done. So that process took, I don't think it reset it, so it probably went from about 38 to 44, so that took us down to about 6 seconds within this virtual machine. So that was quite a bit of an improvement for that PXE booting time. So that's something that you can play around with if you do want to try to increase your boot times when you're doing a network boot.

All right, so at this point we are in that WinPE environment, or that mini Windows environment if you will. Since we had F8 command line support enabled, what we can do is go ahead and open a command prompt. So starting with 1802, CMTrace is automatically added into the boot image, and so that's pretty nice. So if we just type in CMTrace and then Enter, it's gonna automatically open our CMTrace tool. So if we go ahead and kind of browse out what's going on here: this is our WinPE drive, so this is actually what's booted up into memory, this X: drive, and this contains all the boot files. So if we look at the temp folder, so X:\Windows\Temp, this is where the task sequence logs. So under the SMSTSLog we're gonna find that smsts log. So this is going to contain all the information about our task sequence. So for example, we can see the first thing that happens when we boot up into our task sequence is it's going to start the task sequence process, and then it's going to go ahead and start requesting policy for this device. So we're gonna see things about the deployments that are targeting it and information about that. So here's the different assignments that are going to our computer, so there's going to be things like our task sequence deployment.

If we look back on SCCM in the PXE log, we can also see information about the client PXE booting. So let me see if I can figure out where this happened at. Here we
go, so here's the PXE booting. So we can see the client is PXE booted up into our environment. We can get information like the MAC address here of the client, so that looks good.

So going back over to the WinPE environment: so what's actually happened in the background, the WinPE environment is going to launch the SCCM task sequence. So if we open up Task Manager and look at our processes, what we're gonna see is there's two different task sequence processes that get auto launched, and that's going to be what actually initiates the task sequence to go out and check whether there are deployments and basically show us this screen. So the next thing we're gonna do is choose Next. We're gonna select our task sequence and choose Next, and this is where we're going to get prompted for that computer name variable. So I'm just gonna call this OSD demo, and then OK, and then choose Next here.

So at this point, if we open up a command prompt, this is where we're actually formatting the device, so we might be able to find some interesting things going on here. We look at that task sequence log. Now we can see that we're downloading that WIM file, but if we come back and look at our format step, here's where we can see it actually creating the different partitions. So what's interesting about this, this file might not exist anymore, because I think it deletes it; let's see if we have it in the temp folder. But it's actually using diskpart to perform the formatting. So we can see that it was just calling diskpart, and then it was going to X:\Windows\Temp, and it basically just generated a text file that it was using to do the diskpart. So it looks like it's no longer in this folder, but just an interesting fact: it's just generating a text file based on the partitions from that format step and then doing that.

So next we can see that we're applying the image. So if we come here and just kind of browse out, if we look at that, we can see that the drives were formatted, and now it's basically extracting that WIM on
to the C: drive. So you can almost think of that Windows image file, or that WIM file we created, as like a zip file, and when we're in this WinPE environment it's basically extracting all that OS content onto our disk that got formatted. So we'll go ahead and pause this and just wait for this process to complete.

All right, so at this point the image got applied and we did a restart. So at this point it's going through kind of the OOBE process, and a lot of things are happening on the back end where it's applying the unattend file. This would be where the drivers that get injected into it, if this was a Surface Book, those drivers that get injected, they would be installing and extracting at this point of the process of imaging.

All right, we are back. I did run into an issue that I do want to cover, just in case you guys run into it. So what was happening during my imaging process, if I bring up this screenshot: basically the second half of the imaging, after we install the OS and reboot into the out-of-the-box experience, where it's actually doing things like joining the domain, installing drivers and things like that, what was happening is the OOBE experience, this "Just a moment" screen, it basically wasn't going away, so I couldn't see the task sequence bar running in the background. So I did a little searching. It's been a little while since I've really done quite a bit with imaging, it's been about a year or so, but this seems to be a common issue that people have been getting since 1703, when Cortana got introduced. So there is most likely some changes in the OOBE experience where we have to add an additional element to our unattend. Usually just having Config Manager create the unattend for you works just fine, but for this build of Windows 10 I was running into that issue.

So what we've done here: I've created a new folder in my UNC path that I'm using for package, just called it Unattend XML. Within there I created an unattend that I'm gonna use, and there's a few additional
elements that we're gonna add here that it's going to skip different things. So we're skipping the machine OOBE, we're hiding the wireless screen, and we're skipping the user OOBE process. So what I'm gonna do to actually apply this in my task sequence: I'm going to copy the path to this XML from my UNC path. We're gonna go and create a new package in SCCM, so create a package; we are going to call it Custom Unattend XML. For the path we need to point out to that UNC path for that XML file. We're going to choose Next here. We don't need to create a program; we're just using this to store the package, and we'll create that. Then what we're gonna do is go ahead and distribute that package with that XML to our distribution point. I expect that if you guys are just doing a basic install using the 1803 media, it's probably pretty likely you might run into this, because I didn't really do much as far as customization goes here. So I think this might be actually a good thing that we ran into this; it might help some other people out.

So now in my task sequence, in order to actually apply this unattend file, we're gonna go to the Apply Operating System step of the task sequence, and there's an option here where we can add an unattend. We're going to point out to that custom package that we created that's gonna host that file, and let me just copy the name to make sure I get it right, and this is the actual file name of the unattend. Config Manager will basically append the additional options in this custom XML with the XML that it generates. So for example, it's going to generate an XML for things like the domain that we're joining here, so all this information about the domain join account, the OU, all of that essentially gets put into an unattend XML. So it's just going to append those three additional attributes that we had for skipping the Wi-Fi, skipping the user and machine OOBE in that process. So let's go ahead and put this up and we'll kick off this task sequence again here. Okay, I'll
just do the same option here: choose our task sequence, we'll name it OSD demo for the computer name, and then get that started.

All right, so we are at the point we're installing the WIM file, but I was able to grab that diskpart .txt file before it got deleted. So essentially on the back end, in this diskpart file, we can basically see what we're doing here: it's selecting the disk, it's cleaning it, and then it's creating the different partitions for UEFI. So just thought that would be an interesting point to kind of look at here while we're waiting for the task sequence.

All right, so this looks much better. I'm now able to see the progress bar after that setup. If we take a look at what's going on here, if we open a command prompt, what I'm going to do, since I didn't copy CMTrace in this image, we should be able to basically map a network drive, and we'll see if we can get that copied over. cd there, CMTrace, open that up. So on the back end, what's happening here is the client should be getting installed at this point. So if we go look at C:\Windows\ccmsetup\Logs and then ccmsetup.log, we should see the process of the client where it's actually doing the installation here. So this is where it's installing the client MSI file, so we'll wait for that to complete.

Okay, so it looks like that is now done. Now we're on to the application step. This should go really fast because it's just an MSI. Let me see if I can quickly jump over here to get this log file. So under our client logs, at this point we're running the full agent in the full operating system, so the log file for the installation is going to be, take a look, it's going to be this AppEnforce.log. So this is where we can see the actual command line for the LAPS agent, so it's an MSI here. So this is where we can actually see that installing. So it looks like that's complete. So if I close my command prompt, we should get basically into the login screen here in a couple seconds. All right, so it looks like our
imaging is now done. So we can see that we are domain joined, so if I go ahead and log in to this device, that should get us logged into our domain.

One thing I do want to cover is a common issue that I see people posting about, when they try to PXE boot a machine and they get an "abort PXE" error. So I want to kind of go over why this happens and what you can do to work around it. So we've got a machine here; this is an existing client, so Win 10 x64 lab 1. So if I come in and look at my console, this is a device that already exists in Config Manager, so this is a known device. So what would happen if you try to PXE boot a known device: since we don't have any task sequence targeting to it, you're basically going to get, when we PXE boot, this message that says "abort PXE". So it just went by real fast, and we can see that on the back end of SCCM. If we look at that SMSPXE log, what we can see is we can see information about that machine that's trying to PXE boot. So for example, if we copy the device ID for that device; the next line here, we can also see that it says hey, no advertisements were found with this device ID and the MAC address for that. But if we go into our clients and do a quick search for that ID, we can see that this is the Windows 10 machine, and that makes sense. So that's a known device. Since it's a known device, we didn't deploy our task sequence to any of our known devices; if we look at the deployments, we only targeted it to that unknown collection group. So what happens when a device tries to PXE boot and it doesn't have any task sequence: you're gonna get that message that says "abort PXE", and then it'll go by real fast and you won't get your task sequence screen.

So there's a few ways that we can basically work around this. The first option, which would require a lot more effort each time you want to reimage an existing device, is you could come in to SCCM and basically delete that device. That will then make that device an unknown device, because SCCM
will no longer know about it. The second option is we could target our task sequence to a collection that contains known devices. So in my example I'm going to use that method. It's pretty easy, and as long as you do it correctly you can minimize any type of impact that could happen.

So for the collection, by default Config Manager will limit some collections based on the criteria. Let me go and see if I can show you where that limiting is. So if we look at the properties of our site, there's going to be a tab here called Deployment Verification. So depending on how your settings are set, I think the default will limit this where you won't see any collections over a specific number. I believe I disabled this in my instance by setting that number to zero. So if you didn't see any collections that you wanted to target, you may have to go and adjust your deployment verifications. This is just a method that helps to ensure that you don't accidentally target a large collection of devices, but the way that we're going to be doing this deployment, it should be pretty safe, because we're only going to deploy it for PXE.

So in my case I'm going to create a collection, or I'm gonna target a collection, for all my workstations here. So this would be basically all nine of the workstations that have the client. I'm going to choose Next here. Now this is the most important part: you wouldn't ever want to accidentally deploy this to existing devices that are running on your computer or on your network. So what we're gonna do, we're gonna make this an available deployment, so it would never automatically install. And another critical setting here: we don't want to make this available to Config Manager clients, meaning that it would show up in Software Center for them to deploy this image. We want to only make this available in PXE and media scenarios. So that means for an existing known device in your network, the only way that they could ever get this image is if they did an F12 and PXE booted, or if
you generated boot media with a USB drive and they booted directly to that. So it's a pretty safe way that we can reimage existing machines without having the need to delete those objects to make them unknown computers. So I'll just keep all the defaults here and go ahead and walk through this deployment and choose Close.

So now we've got it deployed to all unknown computers, but we also have it available for PXE and media booting for existing workstations as well. So what we can do here, if we come back to this device, we'll see if that policy has kicked in yet. It doesn't look like it; sometimes it takes a minute or two for the policy to kick in. So if we come and look at our PXE log, what we can see is there's basically no advertisements yet. So we'll give that a minute and we'll retry in a sec.

All right, so we just waited about a minute, so I think that's probably enough time for the policy to be in the database by now. So if we come try to re-PXE boot this Windows 10 device, there we go, so now we've got the Enter option, so we can actually PXE boot it. So if I come and look at my PXE log back on my server, what we can see here is at this point we've got the reply and we then have policy for it, so we offer the boot image. We don't get that message saying no deployments found. So at this point, if we come here, I'm not gonna actually image this device, obviously, but now we can see that that task sequence is now showing as available, and we could go ahead and reimage an existing device if you ever did want to reimage a known computer. So that looks good.

Let's see if this machine has logged in yet. Okay, looks good. So if we just do a quick look on that machine we imaged, go look at our Control Panel and Add and Remove Programs, looks like our application did install successfully. So that all looks good.

So I think that that's all that I wanted to cover in this video, so hopefully this was helpful to you. Like I said, we are going to be covering some more advanced topics, or
things like front-ends, and maybe some more advanced conditions around variables, and just different things that we can do to really customize this scenario for image deployment. I hope this video was helpful for you, and thank you for watching.
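
The RamDiskTFTPBlockSize change described in the captions above, as an added PowerShell example that is not from the video or from Patch My PC. The function name, its parameters and the 16384 ceiling default are assumptions; the registry location, value name, 4096 default and the Windows Deployment Services restart are as described in the video (WDSServer is that service's name).

```powershell
#Requires -RunAsAdministrator
# Added example: set RamDiskTFTPBlockSize on a PXE-enabled distribution point
# that uses Windows Deployment Services, then restart WDS so SMSPXE picks it up.
# Function and parameter names are hypothetical, not part of ConfigMgr.

function Set-PxeTftpBlockSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Requested TFTP block size in bytes
        [Parameter(Mandatory = $true)]
        [int]$BlockSize,

        # Assumed ceiling: the video treats 4 x 4096 as the largest value
        # most client firmware will still PXE boot with
        [int]$MaxBlockSize = 16384
    )

    $defaultSize = 4096
    $regPath     = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
    $valueName   = 'RamDiskTFTPBlockSize'
    $wdsService  = 'WDSServer'

    # The video increases the value only in multiples of the 4096 default
    if ($BlockSize -lt $defaultSize -or ($BlockSize % $defaultSize) -ne 0) {
        throw "BlockSize must be a multiple of $defaultSize (got $BlockSize)."
    }
    if ($BlockSize -gt $MaxBlockSize) {
        throw "BlockSize $BlockSize is above the allowed maximum of $MaxBlockSize."
    }
    if (-not (Test-Path -Path $regPath)) {
        throw "$regPath not found; this server does not look like a distribution point."
    }

    # Read the current value so the caller can roll back if clients stop booting
    $current  = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $previous = if ($null -ne $current) { [int]$current.$valueName } else { $defaultSize }

    if ($previous -eq $BlockSize) {
        Write-Verbose "$valueName is already $BlockSize; nothing to change."
        return [pscustomobject]@{ Previous = $previous; Current = $previous; Changed = $false }
    }

    $changed = $false
    if ($PSCmdlet.ShouldProcess($regPath, "Set $valueName from $previous to $BlockSize and restart $wdsService")) {
        New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
            -Value $BlockSize -Force | Out-Null
        try {
            # The new size only takes effect after the WDS service restarts
            Restart-Service -Name $wdsService -ErrorAction Stop
            $changed = $true
        }
        catch {
            # Put the old value back so registry and running service stay in step
            New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
                -Value $previous -Force | Out-Null
            throw "Restart of $wdsService failed; $valueName restored to $previous. $_"
        }
    }

    [pscustomobject]@{
        Previous = $previous
        Current  = if ($changed) { $BlockSize } else { $previous }
        Changed  = $changed
    }
}

# Preview the change first, then apply it:
#   Set-PxeTftpBlockSize -BlockSize 8192 -WhatIf
#   Set-PxeTftpBlockSize -BlockSize 8192 -Verbose
```

Stepping up from 8192 and re-testing a PXE boot on each hardware model, as the video suggests, shows where firmware or network equipment stops accepting the larger blocks; the returned Previous value is the one to restore.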
Info
Channel: Patch My PC
Views: 142,275
Keywords: SCCM OSD, ConfigMgr OSD, Configuration Manager OSD, Image Deployment SCCM, Imagedeployment ConfigMgr, SCCM Imaging, How to deploy images in SCCM, OSD in Microsoft SCCM, Windows 10 Deployment SCCM, ConfigMgr Image Deployment Windows 10, offline servicing in SCCM
Id: BPcy_nOQZoI
Length: 71min 18sec (4278 seconds)
Published: Sun Jul 01 2018