
Windows Deployment in the Enterprise
Chad DeGuira

Oak Ridge National Laboratory

Introduction

Background
Windows Deployment Benefits
Windows Deployment Solutions
Windows 10 Deployment
Recommendations and Lessons Learned

Deployment Benefits

Why do we reload Windows so often?

New machines
Replacing existing machines

Replacement and push downs (1 new machine can mean many deployments)

Decommissioning

Function of purpose

Training rooms, interns, etc.

Testing Environments

A clean environment to test in

Migration to new operating systems


Support tool

Fixing that needle in a haystack


Refreshing

How long does it take to deploy a computer manually?

1 hour: Backup data and settings
1 hour: Load operating system
1 hour: Download and install latest drivers
½ hour: Load operating system patches (Windows Updates)
½ hour: Load all required applications
1 hour: Restore data and settings

Total: approximately 5 hours on average


ORNL images/reimages approximately 4500 computers per year

Automated Deployment Benefits

Effort costs
Fix one, fix many approach
Training requirements are simplified
Support staff can focus on real problems
Faster migrations
Disaster Recovery
Improved Security due to reloading versus re-using
Productivity gains using User State Migration
Computer support simplification: fixing needle-in-the-haystack problems
Standardization
And many, many more

Deployment Tool Options

Microsoft

Windows Deployment Services (WDS)
  Very simple and basic
  No significant flexibility

Microsoft Deployment Toolkit (MDT)
  Builds on WDS foundation
  Highly customizable

System Center Configuration Manager (SCCM)
  Builds on MDT foundation
  Extends Enterprise functionality

Third Party Solutions

Using Microsoft Deployment Toolkit (Skipping WDS)

Notice the spiral motion, a common aspect of the deployment process

Quick Setup

Load a Windows 2012 R2 Server Standard
  Can do this on other OSs; however, for an Enterprise, use 2012 R2 as the base
  This will serve as the Management Computer and Deployment Share

Apply the Hyper-V Feature
  Set up two VMs: one that is the Reference Computer, one that is the Target Computer

Install the latest Windows Assessment and Deployment Kit (Windows ADK)
  Prerequisite to MDT
  USMT, Windows PE, Imaging tools, etc.

Install the latest Microsoft Deployment Toolkit (MDT)

You are now ready to use MDT!

Getting Started with MDT


High Level

Reference Material

Windows Assessment and Deployment Kit (Windows ADK)

Microsoft Deployment Toolkit

https://technet.microsoft.com/library/mt280162.aspx

https://technet.microsoft.com/en-us/windows/dn475741.aspx

Learning Recommendations

Do not deploy to real computers while learning (Hyper-V VMs)

Take the time to learn Windows ADK

Disregard drivers while learning basics

SCCM Operating System Deployment


High Level Differences from MDT

Microsoft Deployment Using SCCM


Zero Touch versus Lite Touch

Lite Touch Deployment
  Human intervention will be required at the computer
  Associated with Microsoft Deployment Toolkit (MDT)

Zero Touch Deployment
  The process does not require human touch at the computer
  Associated with SCCM Operating System Deployment

These definitions fail to adequately or correctly define either deployment tool

Microsoft Deployment Using SCCM


MDT versus SCCM

SCCM Operating System Deployment (OSD)

Still requires the use of MDT and WADK
Still Task Sequence based
Utilizes many additional aspects of SCCM to extend Task Sequence functionality

Improves deployment in the following scenarios
  Centralizing approved patch releases into deployment process
  SCCM application packages can be easily integrated
  Scheduling deployments
  Large migrations
  Improved reporting
  Highly available/distributed infrastructure
  Other features

Downsides:
  Much more complex
  Heavy reliance on SCCM revision, ADK revision, and MDT revision
  https://blogs.technet.microsoft.com/configmgrteam/2015/11/20/issue-wi

Microsoft Deployment
Option Recommendations

Start with WDS to understand benefits, get basics
Build a production MDT solution
Grow into SCCM (if needed)
But keep BOTH!

Create an infrastructure (OSs, drivers, apps, etc.) that MDT and SCCM can both utilize

Creating Reference Images

Images

The reference image is a .WIM file.
This is the same thing that comes with a Windows OS disk

FAT versus THIN images, or a combination

Recommendations.
Install all REQUIRED applications, patches, etc. to reduce effort
From the Deployment Wizard, have OPTIONAL applications to keep your image THIN
Make it FAT with all patches and virus definitions already included

Automate the Image Build and Capture process

Booting a target computer

Target Computer

Boot a device from:
  ISO file (VM)
  Make a boot CD
  Bootable thumb drive
  PXE services (WDS)
  Preload boot files on existing hard drive

MDT and SCCM provide a highly customizable Graphical User Interface
  The GUI asks general questions about setup
  Can automate the responses to all questions

Drivers

Drivers are within the boot CD (Windows PE) for network connections and hard disk controllers only
  This is just enough to get stuff from network, and copy everything to the hard drive
  They are not passed onto the computer OS being installed

Model specific driver pools, per OS, per bit version
  An image itself typically has no built-in drivers for each supported model
  During the boot CD phase, the image is copied, as well as the model specific drivers, and scripts to continue installation
  During the Windows installation phase, the copied drivers are applied via Plug and Play, using a strict set of rules
Driver Recommendations.

Use logic to rationalize the make/model name to the driver pool location.

Desktops: HP, Dell and Lenovo Driver Packs


Server OS drivers can be very hard, but possible, if there is a standard
Only install drivers provided by the COMPUTER manufacturer
Avoid driver applications
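
One way to implement the make/model-to-driver-pool logic recommended above, as an added example that is not code from the presentation or from MDT. The pool layout, the alias table, the function names and the sample model string are assumptions made for illustration.

```powershell
# Added example: map raw firmware make/model strings to a driver pool folder.
# Assumed pool layout (hypothetical): <PoolRoot>\<OS>\<Arch>\<Make>\<Model>
$MakeAliases = @{                    # constructed alias table; keys match case-insensitively
    'Hewlett-Packard' = 'HP'
    'Dell Inc.'       = 'Dell'
    'LENOVO'          = 'Lenovo'
}

function ConvertTo-PoolSegment {
    param([string]$Text)
    # Firmware strings are untrusted input: replace characters that are invalid in a
    # Windows folder name (including '\' and '/'), collapse whitespace, and trim
    # spaces and dots so a value such as '..' cannot step out of the pool.
    $invalid = [regex]::Escape(([System.IO.Path]::GetInvalidFileNameChars() -join ''))
    $clean = ($Text -replace "[$invalid]", ' ') -replace '\s+', ' '
    $clean.Trim([char[]]' .')
}

function Resolve-DriverPool {
    param(
        [Parameter(Mandatory)][string]$PoolRoot,
        [Parameter(Mandatory)][string]$OS,
        [Parameter(Mandatory)][ValidateSet('x86', 'x64')][string]$Arch,
        [Parameter(Mandatory)][string]$Make,
        [Parameter(Mandatory)][string]$Model
    )
    $key = $Make.Trim()
    $makeName = if ($MakeAliases.ContainsKey($key)) { $MakeAliases[$key] } else { $key }
    $segments = @($OS, $Arch, $makeName, $Model) | ForEach-Object { ConvertTo-PoolSegment $_ }
    if ($segments -contains '') { throw "Empty path segment after sanitizing '$Make' / '$Model'" }
    $path = $PoolRoot.TrimEnd('\') + '\' + ($segments -join '\')
    # Fail the build for an unknown model instead of falling back to a shared pool.
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        throw "No driver pool for this model: $path"
    }
    $path
}

# Constructed demo: create a throwaway pool, then resolve a raw manufacturer string.
$root = Join-Path $env:TEMP 'DriverPoolDemo'
New-Item -ItemType Directory -Force -Path "$root\Windows 10\x64\HP\HP EliteDesk 800 G2 SFF" | Out-Null
Resolve-DriverPool -PoolRoot $root -OS 'Windows 10' -Arch x64 `
    -Make 'Hewlett-Packard' -Model ' HP EliteDesk 800 G2 SFF '
```

In a task sequence the raw strings would come from Win32_ComputerSystem (Manufacturer, Model); on Lenovo hardware the readable model name is in Win32_ComputerSystemProduct.Version, so pass that value as -Model.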

Windows 10

Windows 10 - Overview
Tested within ORNL since release in October

Unlike previous versions, released to consumers before enterprise

Primary management infrastructure required extensive upgrade
  MDT, Group Policy, DirectAccess, SCCM, McAfee, Commvault, etc.
  Released AFTER Windows 10

Windows 10 Released February 22nd

Windows 10 the primary/preferred OS listed to ORNL

Windows 10
What's the hurry?

Windows 7 support runs until January 2020, however

Skylake (Intel's 6th generation processors) limiting Windows 7 support

FIRST STANCE: After July 17, 2017, only the "most critical" security fixes will be released, and those fixes will only be made available if they don't "risk the reliability or compatibility" of Windows 7 and 8.1 on other (non-Skylake) systems.

CURRENT STANCE (March 18th): The support period for Windows 7 and Windows 8.1 devices on Skylake systems will be extended by one year: from July 17, 2017 to July 17, 2018. After July 2018, all critical Windows 7 and Windows 8.1 security updates will be addressed for Skylake systems until extended support ends for Windows 7, January 14, 2020 and Windows 8.1 on January 10, 2023.

Skylake shipping on new models released around November 2015


Kaby Lake (Intel's next generation processors) will only run Windows 10

Windows 10
Support

End user acceptance


Training support staff
DaRT/RE Built into Windows PE Boot CD

Backwards compatible with Windows 7/8.1

Windows 10
ORNL strategies transitioning to Windows 10

Only offering Windows 10 64 bit


Adobe Reader no longer a standard

Built-in support not as feature rich, however

EMET
Removal of most Metro/Store style apps

Don't forget Microsoft Consumer Experience: it's a feature!

http://blogs.technet.com/b/mniehaus/archive/2015/11/11/removing-windows-10-in-boxapps-during-a-task-sequence.aspx#comments
http://blogs.technet.com/b/mniehaus/archive/2015/12/31/updated-remove-apps-script-and-a-workaround.aspx
https://blogs.technet.microsoft.com/mniehaus/2015/11/23/seeing-extra-apps-turn-them-off/

Security baseline

Windows 10
Major Issues?

Edge, much like Google Chrome, does not support plugins (Silverlight, Java, etc.). Internet Explorer remains in Windows 10 for backward compatibility.

Changes we had to make

Enterprise Mode: Microsoft browser redirection
  Edge to Internet Explorer
  Internet Explorer to previous version emulation

Internet Explorer end-of-life January 12th, 2016
  Only the most current version per OS supported

Google Chrome to be set as primary browser, however default is optional

Google Legacy Browser Support (LBS)
  Google Chrome to Internet Explorer

Windows 10 Servicing

Windows 10

Is it ready for Enterprise use?

Questions or Discussion

deguiraca@ornl.gov
