2019-05-29-osd-test.md

layout	published	title	date	subtitle
post	false	You down with OSD TEST?	2018-06-05	Yeah P.X.E.

Updated: 5/30/2019

Operating System Deployment over PXE boot

Operating system deployment is a core functionality of SCCM. While there are other ways to deploy Windows 10, all the tools we need to configure the OS are already in SCCM. Being able to bring it all together makes OSD in SCCM flexible, powerful, and simple.

In this post we'll do a minimalistic configuration of OSD over PXE. This means we can boot a workstation directly into the task sequence over the network. Eventually, after we cover more SCCM fundamentals, we will revisit this idea in a series more advanced posts to really highlight the potential of OSD.

Windows and Office Deployment Lab Kit does a couple convenient configurations if we're using the Current Branch lab we configured in the previous post. If we're using the tech preview lab we will need to do some additional set up.

The Requirements

1. A Windows 10 Enterprise ISO.

2. The latest Windows Assessment and Deployment Kit and the Windows PE add-on for the ADK.

The Overview

For a no frills (non-MDT) OSD setup, I'm quite partial to Ricky Gao's step-by-step guide. It provides the basic outline of our OSD configuration.

1. Configure Active Directory and the ADK

2. Enable PXE

3. Create sources

4. Create the Task Sequence

5. Perform OSD over PXE

Active Directory and Windows ADK

Active Directory Users and Computers

We need an OU for our workstations to go. While we could use the builtin Computers OU, that doesn't leave us any wiggle room later for things like applying Group Polices.

Create the domain join account

You may now skip creating the domain join account, it will be created with the Powershell script

1. Log into the domain controller, HYD-DC1.

2. Launch Active Directory Users and Computers.

3. Right click the Users OU, select New -> User.

   

4. Leave Initials, First name, and Last name blank. For User logon name and Full name, type CM_DomainJoin. Click Next.

   

5. Set the password to P@ssw0rd. Uncheck User must change password at next logon and check Password never expires. Click Next, then click Finish.

   

Ceate the Workstations OU and set permissions

You may now skip creating the OU, it will be created with the Powershell script

1. In the Active Directory Users and Computers tool, right-click on the CORP OU. Select New -> Organizational Unit.

   

2. Name the container Workstations and click OK.

   

3. On the HYD-DC1, launch Windows Powershell ISE as administrator. Johan and Mikael have created a script to set permissions on the domain join account. This is so it can add computers to the Workstations OU during OSD.

4. Below is a modified version of Johan and Mikael's script to suit our lab. It will now create the account and OU if they haven't been manually created already. Paste the code into the top script pane, and hit F5 to run.

   <script src="https://gist.github.com/dugmo/96d3efefd65a205e85694e2a2781c3b1.js"></script>

5. When it prompts for Account, type CM_DomainJoin. Hit enter.

6. When it prompts for target OU, type Workstations. Hit enter.

   

The Windows Assessment and Deployment Kit

We ended the SCCM lab setup by updating to the latest version of Current Branch. So we'll need to install the latest version of the Windows ADK so we're fully compatible deploying the current version of Windows 10.

1. Log into the SCCM server, HYD-CM1.

2. Open the Programs and Features control panel, and uninstall the existing Windows Assessment and Deployment Kit - Windows 10.

   

3. Download the Windows ADK and run it. Jonathan Lefebvre of the System Center Dudes has a great guide on setting up the ADK for SCCM.

4. Accept the defaults until we reach the Select the features you want to install section. Uncheck everything except Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tool (USMT). Click Install.

   

5. Once the install is complete, click Close. Reboot the SCCM server.

PXE

The Boundary

Boundaries and Boundary groups are how we logically define which sites (servers) workstations use. For the lab, we only need to configure one boundary and boundary group.

1. Log into the SCCM server, HYD-CM1.

2. In the SCCM console, expand the Administration -> Hierarchy Configuration node.

3. Right-click Boundaries and select Create Boundary.

4. General tab - Set description to PXE. Change Type to IP address range. We will use the DHCP range from the domain controller. Set Starting IP address to 10.0.0.100 and set Ending IP address to 10.0.0.200.

   

   For reference, here is what the DHCP address pool looks like:

   

5. Boundary Groups tab - Select the Boundary Groups tab. Click Add. Check Corp Boundary Group and click OK. Click OK again to create the boundary.

   

6. The Microsoft lab already has the boundary group created and configured, but we'll just verify the settings. Click on Boundary Groups, right-click Corp Boundary Group and select Properties. Select the References tab and confirm that User this boundary group for site assignment is checked.

   

The Distribution Point

In SCCM, distribution points are where workstations get their content. This is true for OSD as well, and we need our DPs to function as PXE servers.

1. In the SCCM console, navigate to the Administration -> Distribution Points node.

2. Right-click CM1.CORP.CONTOSO.COM and select Properties.

3. General tab - Leave HTTP selected and check Allow clients to connect anonymously.

   

4. PXE tab - To automatically install WDS and configure PXE, check Enable PXE support for clients. Additionally check Allow this distribution point to respond to incoming PXE requests AND Enable unknown computer support. Uncheck Require a password when computers use PXE and click OK.

   

Sources

The package source share

We'll use Odd-Magne's script to create the folder structure, share it, and grant permissions to our network access account.

1. On the SCCM server, launch Windows Powershell ISE as administrator.

2. In the top script pane, paste the following code. The script is customized to our folder path and network access account name. Press F5 to run.

	#Set the Following Parameters
	$Source = 'C:\PackageSource'
	$ShareName = 'PackageSource'
	$NetworkAccount = 'CORP\CM_NetAcc'

	#Create Source Directory
	New-Item -ItemType Directory -Path "$Source"


	#Create Application Directory Structure
	New-Item -ItemType Directory -Path "$Source\Applications"
	New-Item -ItemType Directory -Path "$Source\Applications\Adobe"
	New-Item -ItemType Directory -Path "$Source\Applications\Apple"
	New-Item -ItemType Directory -Path "$Source\Applications\Citrix"
	New-Item -ItemType Directory -Path "$Source\Applications\Microsoft"

	#Create App-V Directory Structure
	New-Item -ItemType Directory -Path "$Source\App-V"
	New-Item -ItemType Directory -Path "$Source\App-V\Packages"
	New-Item -ItemType Directory -Path "$Source\App-V\Source"

	#Create Hardware Application Directory Structure
	New-Item -ItemType Directory -Path "$Source\HardwareApplications"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Dell"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Dell\Latitude E6510"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Dell\Latitude E6510\x86"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Dell\Latitude E6510\x64"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\HP"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\HP\EliteBook 8470p"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\HP\EliteBook 8470p\x86"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\HP\EliteBook 8470p\x64"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Lenovo"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Lenovo\X1 Carbon"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Lenovo\X1 Carbon\x86"
	New-Item -ItemType Directory -Path "$Source\HardwareApplications\Lenovo\X1 Carbon\x64"

	#Create Hotfix Directory Structure
	New-Item -ItemType Directory -Path "$Source\Hotfix"

	#Create Import Directory Structure
	New-Item -ItemType Directory -Path "$Source\Import"
	New-Item -ItemType Directory -Path "$Source\Import\Baselines"
	New-Item -ItemType Directory -Path "$Source\Import\MOFs"
	New-Item -ItemType Directory -Path "$Source\Import\Task Sequences"

	#Create Log Directory Structure
	New-Item -ItemType Directory -Path "$Source\Logs"
	New-Item -ItemType Directory -Path "$Source\Logs\MDTLogs"
	New-Item -ItemType Directory -Path "$Source\Logs\MDTLogsDL"

	#Create OSD Directory Structure
	New-Item -ItemType Directory -Path "$Source\OSD"
	New-Item -ItemType Directory -Path "$Source\OSD\BootImages"
	New-Item -ItemType Directory -Path "$Source\OSD\Branding"
	New-Item -ItemType Directory -Path "$Source\OSD\Branding\WinPE Background"
	New-Item -ItemType Directory -Path "$Source\OSD\Captures"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x86"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x86\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x86\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x86\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x86\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x64"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x64\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x64\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x64\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 7 x64\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 8 x64"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 8 x64\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 8 x64\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 8 x64\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverPackages\Windows 8 x64\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x86"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x86\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x86\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x86\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x86\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x64"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x64\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x64\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x64\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 7 x64\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 8 x64"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 8 x64\Dell"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 8 x64\HP"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 8 x64\Lenovo"
	New-Item -ItemType Directory -Path "$Source\OSD\DriverSources\Windows 8 x64\VMWare"
	New-Item -ItemType Directory -Path "$Source\OSD\MDTSettings"
	New-Item -ItemType Directory -Path "$Source\OSD\MDTToolkit"
	New-Item -ItemType Directory -Path "$Source\OSD\OSImages"
	New-Item -ItemType Directory -Path "$Source\OSD\OSInstall"
	New-Item -ItemType Directory -Path "$Source\OSD\Prestart"
	New-Item -ItemType Directory -Path "$Source\OSD\USMT"

	#Create Script Directory Structure
	New-Item -ItemType Directory -Path "$Source\Script"

	#Create State Capture Directory Structure
	New-Item -ItemType Directory -Path "$Source\StateCapture"

	#Create Tools Directory Structure
	New-Item -ItemType Directory -Path "$Source\Tools"
	New-Item -ItemType Directory -Path "$Source\Tools\PSTools"

	#Create Windows Update Directory Structure
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Endpoint Protection"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Lync 2010"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Office 2010"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Silverlight"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Visual Studio 2008"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Windows 7"
	New-Item -ItemType Directory -Path "$Source\WindowsUpdates\Windows 8"

	#Create WSUS Directory
	New-Item -ItemType Directory -Path "$Source\WSUS"
	New-Item -ItemType Directory -Path "$Source\WSUS\SCCMDeploymentPackages"

	#Create the Share and Permissions
	New-SmbShare -Name "$ShareName” -Path “$Source” -CachingMode None -FullAccess Everyone
	New-SmbShare -Name "SCCMDeploymentPackages” -Path "$Source\WSUS\SCCMDeploymentPackages" -CachingMode None -FullAccess $NetworkAccount,"NETWORK SERVICE"

	#Set Security Permissions
	$Acl = Get-Acl "$Source\Logs"
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetworkAccount","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl "$Source\Logs" $Acl

	$Acl = Get-Acl "$Source\OSD\Captures"
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetworkAccount","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl "$Source\OSD\Captures" $Acl

	$Acl = Get-Acl "$Source\StateCapture"
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("LOCALSERVICE","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl "$Source\StateCapture" $Acl

	$Acl = Get-Acl "$Source\WSUS"
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetworkAccount","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl "$Source\WSUS" $Acl

	$Acl = Get-Acl "$Source\WSUS"
	$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("NETWORK SERVICE","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
	$Acl.SetAccessRule($Ar)
	Set-Acl "$Source\WSUS" $Acl

The Operating System Image

We need an operating system image as the basis of OSD. There are several guides on creating a fully patched reference image, but we're just going to use the WIM file off of the ISO for now and revisit reference images in a later tutorial.

1. On the host system, mount the Windows 10 Enterprise (or Pro) ISO. If your host system is Windows 10 you can just double click the ISO.

2. Navigate to the sources folder, right-click install.wim and select copy.

   

3. On HYD-CM1 (the SCCM server) navigate to C:\PackageSource\OSD\OSImages

4. Paste the install.wim to this folder. Hyper-V will let you copy and paste files directly between host and VM.

   

5. From the SCCM console expand the Software Library -> Operating Systems node.

6. Right-click Operating System Images and select Add Operating System Image.

7. Data Source - In the path field type \\cm1\PackageSource\OSD\OSImages\install.wim and click Next.

8. General - Leave the default name, but type the Windows 10 build in the Version field. Click Next.

   

9. At the Summary screen, click Next. At the Completion screen, click Close.

10. Right-click the OS image we just created and select Distribute Content. At the General screen click Next.

11. Content Destination - Click Add -> Distribution Point, and check CM1.CORP.CONTOSO.COM. Click OK, then click Next.

    

12. At the Summary screen, click Next. At the Completion screen, click Close.

The Boot Image

SCCM requires a WinPE image to initiate the task sequence. This is a low level Windows OS that runs in the beginning of a task sequence when we PXE boot.

1. From the SCCM console, expand the Software Library -> Operating Systems node.

2. Click on Boot Images. Right click Boot image (x64) and select Properties.

3. Customization tab - Check Enable command suppport (testing only). This allows us to press F8 during the task sequence to bring up the command prompt, which is useful for troubleshooting.

   

4. Data Source tab - Confirm that Deploy this boot image from the PXE-enabled distribution point is already checked. Click OK.

   

5. We'll be prompted to update the distribution points. Click Yes, and the Update Distribution Points Wizard will launch.

   

6. At the General screen, check Reload this boot image with the current Windows PE version from the Windows ADK. Click Next.

   

7. At the Summary screen click Next. At the Completion screen click Close.

8. We can now see Boot image (x64) has a higher OS Version but the Version needs to be updated.

   

9. Right-click Boot image (x64) and select Properties. Change the Version to match the OS Version.

   

Optionally Ricky Gao's guide creates a new Configuration Manager Client package. We will skip for our lab.

The Task Sequence

Creating the task sequence

We can now create our Windows 10 task sequence and deploy it.

1. From the SCCM console, expand the Software Library -> Operating Systems node.

2. Right-click Task Sequences and select Create Task Sequence.

3. Choose Install an existing image package and click Next.

4. Set the Task sequence name to Windows 10 and click Browse. Select Boot image (x64) and click OK. Click Next

   

5. For the Image package click Browse and select the OS image we created earlier. If the image contains multiple indexes, choose Windows 10 Enterprise. Click Next.

   

6. Choose Join a domain. For Domain click Browse and select corp.contoso.com. Click OK.

   

7. For Domain OU click Browse. Expand CORP and choose the Workstations OU we created earlier. Click OK.

   

8. For Account click Set. Set the User name to CORP\CM_DomainJoin and enter P@ssw0rd as the Password. Click Verify, and click Test connection.

   

9. Click OK, click OK again, and click Next.

   

10. At the Install the Configuration Manager client wizard, leave the default and click Next.

11. Since we're doing a bare metal install, we don't need USMT. Uncheck Capture user settings, uncheck Capture network settings, and uncheck Capture Microsoft Windows settings. Click Next.

12. Click Next through the Updates, Applications, and Summary screens. We'll cover all of that in a later post which we'll eventually link from this one. At the Completion screen, click Close.

Deploying the task sequence

We need to deploy our task sequence to the All Unknown Computers collection so that we can image bare metal workstations.

1. Right-click the Windows 10 task sequence we just created and select Deploy.

2. For the Collection click Browse. Read the warning and click OK. Select All Unknown Computers and click OK. Click Next.

   

3. Leave the purpose as Available. Set Make available to the following to Only media and PXE and click Next.

   

4. Leave the rest of the wizard as default and click Next until you reach the Completion screen. Click Close.

Imaging

It's time to test all our hard work. We'll create a brand new VM and image it over PXE.

1. On the host machine, open the Hyper-V console. Right-click your host machine and select New -> Virtual Machine.

   

2. If New Virtual Machine wizard takes you to the Before You Begin screen, click Next. Name the VM HYD-WS1 and click Next.

   

3. Select Generation 2. This will make it UEFI based as opposed to BIOS, and allows us to do Secure Boot. Click Next.

4. Set the Startup memory to 2048 or higher. Click Next.

   

5. Change the Connection to our internal virtual switch HYD-CorpNet. Click Next.

6. Set the Location to the large and fast drive where your other VMs are located. Change the Size to 64GB. Click Next.

   

7. Set the installation option to Install an operating system from a network-based installation server. Click Next.

8. At the Summary screen click Finish.

9. In the Hyper-V console, right-click our new virtual machine HYD-WS1 and select Settings. Click on Security, and check Enable Trusted Platform Module. Click OK.

   

10. HIT THE SWITCH - Open HYD-WS1 and click Start. Since we're using an Available deployment, we will need to press ENTER to PXE boot.

    

11. The boot image will download and boot WinPE. At the task sequence Welcome screen, click Next.

    

12. Select the Windows 10 task sequence we created earlier and click Next.

    

13. Wait and watch as the task sequence performs each step.

    

14. That's it, we've successfully deployed a bare metal workstation over PXE with SCCM. Log into HYD-WS1 and verify that it's on the domain, BitLocker is on, and the Configuration Manager control panel is there. Make note of the computer name, open the SCCM console on HYD-CM1 and confirm the new workstation shows up under Devices.

Congratulations again! Now, we have an SCCM environment we can populate with workstations to manipulate.

Next up - Patching with SCCM and WSUS