Exam Ref 70-695 Deploying Windows Devices and Enterprise Apps (MCSE): Implement a Lite-Touch Deployment
- By Brian Svidergol
When you automate your first operating system deployment, it can be rather exciting. Often, your first automated deployment is nothing more than an answer file. Soon, administrators realize that additional areas of automation are possible. Many administrators begin testing additional automation tools such as Windows Deployment Services (WDS) and Microsoft Deployment Toolkit (MDT) and exploring automation options to reduce the administrative overhead of deploying operating systems. The keys to implementing a Lite-Touch deployment infrastructure successfully are knowing the available tools and capabilities, understanding the pros and cons of the configuration settings, and being able to implement the tools to meet your requirements.
Objective 2.1: Install and configure WDS
WDS is a foundation for many automated deployment infrastructures, especially as an infrastructure for Lite-Touch installation (LTI) deployments. WDS is often one of the first technologies you deploy when you build out your deployment infrastructure. You need to understand how to install it and configure it for an LTI deployment so that you can ensure a high-performing and trouble-free deployment infrastructure.
Configuring unicast and multicast deployment methods
WDS has two methods to deploy images to computers—unicast and multicast. You must become intimately familiar with both of these methods and understand environments and situations in which one would be superior to the other.
With unicast, the WDS server sends one network transmission to one computer. Thus, if you are deploying an operating system image to five computers, the WDS server sends five network transmissions, as shown in Figure 2-1.
FIGURE 2-1 Unicast deployment diagram
Familiarize yourself with the following characteristics of unicast:
- Unicast is the easiest method to use for deploying computers because it doesn’t require additional network setup as multicast does. Unicast works right out of the box.
- Unicast uses more network bandwidth than multicast when deploying operating system images to several computers or more.
- Although unicast uses more network bandwidth, it isn’t necessarily slower when deploying to several computers at one time than the same deployment by using multicast. It just means that it takes up more network bandwidth. The performance differences often aren’t visible until you try to image many computers at a time with unicast.
With multicast, the WDS server sends one network transmission to multiple computers, as shown in Figure 2-2.
FIGURE 2-2 Multicast deployment diagram
You should be familiar with the following characteristics of multicast:
- Your network team must enable Internet Group Management Protocol (IGMP) snooping on your network devices. This ensures that multicast transmissions are not broadcast to every computer on the subnet, which can cause network flooding.
- You must create a multicast transmission before you can deploy images by using multicast. The process to create a multicast transmission is shown later in this chapter.
- Multicast is best suited for environments where you will deploy images to several or more computers simultaneously. If you are only deploying images to one or two computers at a time, opt for unicast instead.
Before you deploy images by using multicast, look at the default multicast configuration to ensure that it meets your needs. The following settings represent the default multicast settings in WDS:
- Multicast IP addresses are allocated from a static pool. For IPv4, the range is from 126.96.36.199 to 188.8.131.52. For IPv6, the range is from FF15::1:1 to FF15::1:FF. Talk to your network team to ensure that this range won’t conflict with any existing multicasting on your network.
- The multicast transfer settings ensure that all multicast clients operate at the same speed during the multicast transmission. In such a situation, if you have an older computer with a slow network interface card (NIC) and a new computer with a fast NIC, the multicast transmission will operate at the speed of the slow NIC, which degrades
When you are ready to proceed with your first multicast-based deployment, make sure you have an existing image group and an installation image. Image groups and installation images are discussed in detail in Chapter 4, “Create and maintain desktop images.” Perform the following steps to proceed with your deployment:
- In the Windows Deployment Services console, right-click Multicast Transmissions and then click Create Multicast Transmission.
On the Transmission Name page, as shown in Figure 2-3, enter a descriptive name for the transmission and then click Next.
FIGURE 2-3 Multicast transmission creation process, Transmission Name page
On the Image Selection page, as shown in Figure 2-4, ensure that the image group that contains your installation image is selected, click the image you want to transmit, and then click Next.
FIGURE 2-4 Multicast transmission creation process, Image Selection page
On the Multicast Type page, as shown in Figure 2-5, select when the transmission will start.
FIGURE 2-5 Multicast transmission creation process, Multicast Type page
You can use the default setting, which starts the transmission when the first multicast client makes a request, or you can opt to start the transmission on a schedule. An Auto-Cast transmission starts when the first client requests the image while subsequent clients join the existing transmission. Clients that join a transmission after it has started will download the missed parts of the transmission after the initial transmission completes. Scheduled-Cast transmission is one that starts after a specified number of clients have requested the image or at a specified date and time. If you are imaging a classroom full of computers and plan to walk around and manually power them up, you should opt for a scheduled cast and start it 15 minutes out or after a specific number of computers have joined the transmission. This enables all the computers to start and finish at the same time.
On the Operation Complete page, as shown in Figure 2-6, review the multicast transmission settings that you selected and then click Finish.
FIGURE 2-6 Multicast transmission creation process, Operation Complete page
After you create the multicast transmission, view the status of the transmission in the WDS console, as shown in Figure 2-7. You can view the transmission speed for active clients by looking at the Transfer Rate column. You can disconnect a client by right-clicking a client and then clicking Disconnect. Alternatively, you can also force a specific client to use unicast by right-clicking the client and then clicking Bypass Multicast.
FIGURE 2-7 Multicast transmission status
Adding images to WDS
One of the primary operational tasks you will perform in WDS is adding images. Before you learn about the planning and operational tasks of adding images to WDS, review the four images that you will work with in WDS:
- Boot images You use a boot image to boot a WDS client computer before selecting an install image to deploy to it. A boot image contains Windows PE, which is used to boot a WDS client computer, and the WDS client, which is used to select the install image to deploy. For the vast majority of deployments, you will use the boot.wim file available as part of the Windows installation media. You can find boot.wim in the \Sources\ folder in the root of the Windows installation media.
- Install images You use an install image to deploy an operating system to WDS client computers. Usually, the install image is created from a reference computer that is configured to meet your company requirements. However, it can also be the install.wim file that is part of the Windows installation media. The install.wim file is located in the \Sources\ folder in the root of the Windows installation media.
- Capture images You use a capture image to create an install image from a reference computer. A capture image is a customized boot image. After you configure a reference computer to use for your install image, you should restart the reference computer and boot to a capture image. A capture image is made up of Windows PE and a WDS image capture wizard. After the reference computer is captured, a .wim file is created. As part of the capture, you have the option to upload the image automatically to WDS. Don’t forget, before capturing a computer with a capture image, you must run Sysprep and generalize the computer.
- Discover images A discover image is a customized boot image that you use for computers that don’t support Preboot Excecution Environment (PXE). A discover image facilitates such computers in booting up, finding a WDS server, and having an install image deployed.
Add boot images to WDS
There isn’t much planning to do for boot images in WDS. Often, you just need to add boot images for the operating systems, such as Windows, that you are planning to deploy with WDS. On the operational side, adding boot images from the WDS console is straightforward. You just right-click Boot Images in the left pane of the WDS console, click Add Boot Image, browse to the location of boot.wim (located in the \Sources\ folder in the root of the Windows installation media), and enter a name and description (or use the default name and description). From an exam perspective, there really isn’t much to test. One exception is adding boot images by using Windows PowerShell. New for Windows Server 2012 R2 is a WDS module that includes 33 functions. To use Windows PowerShell to add a boot image from the Windows 8.1 installation media mounted on the D:\ drive, run the following Windows PowerShell command.
Import-WdsBootImage –Path D:\sources\boot.wim –NewImageName "Windows 8.1" –NewFileName "Win8.1.wim"
After running the command, you should see output similar to running a Get-WdsBootImage command, as shown in Figure 2-8.
FIGURE 2-8 Adding a boot image by using Windows PowerShell
Add install images to WDS
Of all the images that you’ll work with in WDS, the install image is the most important one. It is the image that your computers will run, so a mistake in your reference computer, and thus your install image, could be spread across all your computers. You should be familiar with two types of install images for the exam:
- Default Windows install images A default Windows install image is just an image of the Windows installation media. If you deploy a default Windows install image to a computer, the result would be the same as if you had inserted the Windows installation DVD in the computer and performed a manual installation of Windows. Each Windows installation medium has an install.wim file that you can use as an install image. It is located in the \Sources\ directory at the root of the installation media. Often, a default Windows install image is used to perform initial testing of a new WDS deployment. Thereafter, most organizations choose to create a customized install image by capturing a reference computer.
- Custom install image A custom install image is one that is built to meet company requirements. It often contains a core set of applications such as Microsoft Office and antivirus software. It is typically customized to adhere to company standards. Many companies customize the theme, background, and support information to help standardize the look of their computers. Custom install images require a capture image to be created first. Without the capture image, you would have no way to capture the reference computer to an install image.
In Chapter 4, in the “Capture an image to an existing or new WIM file” section, you walk through the process of capturing an image for use as an install image.
Add capture images to WDS
Before you can create a custom install image, you must have a capture image, and before you can create a capture image, you must have a boot image. This information is important for the exam. You must understand how all the images work together, which images require which other images, and the order in which to perform core WDS tasks. In this section, you create a capture image.
Before beginning, ensure that you have a boot image; those steps were covered earlier in this chapter. To create a capture image, perform the following steps.
- In the WDS console, click Boot Images in the left pane.
In the right pane, right-click your boot image and then click Create Capture Image.
The Create Capture Image Wizard window appears.
On the Metadata And Location page, enter an image name, image description, and location of the .wim file, as shown in Figure 2-9. It is recommended to use a descriptive word such as capture in the name so that administrators can differentiate capture images from install images when booting to PXE. Click Next to continue.
FIGURE 2-9 WDS Create Capture Image Wizard, Metadata And Location page
On the Task Progress page, as shown in Figure 2-10, wait until the capture image creation completes, click Add Image To The Windows Deployment Server Now, and then click Finish.
FIGURE 2-10 WDS Create Capture Image Wizard, Task Progress page
The Add Image Wizard starts automatically. On the Image File page, as shown in Figure 2-11, verify the location that you saved the capture image to and then click Next.
FIGURE 2-11 WDS Add Image Wizard, Image File page
On the Image Metadata page, as shown in Figure 2-12, click Next to accept the name and description entered previously.
FIGURE 2-12 WDS Add Image Wizard, Image Metadata page
On the Summary page, shown in Figure 2-13, click Next.
FIGURE 2-13 WDS Add Image Wizard, Summary page
On the Task Progress page, the creation progress appears.
When the image is successfully added to the server, as shown in Figure 2-14, click Finish.
FIGURE 2-14 WDS Add Image Wizard, Task Progress page
Add discover images to WDS
Of all the images you’ll work with in WDS, the discover image is probably the least used. However, it is still important to know how to create a discover image in WDS. To do so, you need an existing boot image. To create a discover image in WDS, perform the following steps.
- In the WDS console, in the left pane, click Boot Images.
In the right pane, right-click a boot image and then click Create Discover Image.
The Create Discover Image Wizard window appears.
On the Metadata And Location page, as shown in Figure 2-15, type an image name, an image description, a location and file name, and the name of the WDS server that the discover image will use.
FIGURE 2-15 WDS Create Discover Image Wizard, Metadata And Location page
On the Task Progress page, the progress appears. When it’s finished, a message appears indicating that the image was successfully created, as shown in Figure 2-16.
FIGURE 2-16 WDS Create Discover Image Wizard, Task Progress page
- Click Finish to complete the process.
WDS offers limited scheduling capabilities. All the available scheduling capabilities are available for multicast deployments only. Although scheduling was touched on briefly earlier when discussing multicast deployment, the scheduling options are examined in greater detail here. The skills measured on the exam specifically call out the configuration of scheduling.
In WDS, when scheduling a multicast deployment, you are creating a Scheduled-Cast transmission. When configuring a Scheduled-Cast transmission, two options are available:
- Start when the number of clients that have requested the image meets a specified threshold. For this option, you specify a threshold, and when that threshold is met, the multicast transmission begins. Often, this option is useful when you image a group of computers and you want the imaging process to complete at the same time for all of them. If you don’t schedule the transmission, multicast clients can join the transmission at any time. For clients that join late, the beginning part of the transmission will have to be re-sent after the initial transmission completes.
- Start at a later time. Instead of waiting for a specific number of multicast clients to join a transmission, you can choose a date and time to start the transmission. This option is often used when an organization doesn’t want to saturate a network link during business hours. In such cases, you would select a time after business hours. The benefit of this approach is that the prep work can be performed during business hours, and the deployment can take place later.
Restricting who can receive images
An important but often overlooked aspect of automated operating system deployments is security. Consider some security considerations to take into account during your deployment planning.
- Licensed software Some of your images will contain licensed software. Often, the license keys are stored on the computer that makes them available to users. For images that contain licensed software, you should plan to prevent standard users from deploying your image with licensed software to their computer.
- Minimizing accidents or mistakes With a fully automated operating system deployment infrastructure, you run a risk of someone accidentally booting a computer to the network and the computer being reimaged. For a client computer, this might be a minor inconvenience for an employee. However, for a critical server, this could result in a major outage for the entire organization.
- Network Deploying images over the network takes a lot of bandwidth. If you have a WDS server in Los Angeles, you do not want an administrator in Shanghai to reimage a computer by using the WDS server in Los Angeles.
Fortunately, WDS offers multiple ways to restrict who can access WDS images. You should use one or more of the following methods to enhance the security of your company images:
- Authentication You must be able to authenticate to the domain to which the WDS server is joined to use WDS images. Although this opens up WDS images to all authenticated users by default, it also prevents anonymous users from using WDS images.
Filters You can use filters to narrow down the computers that can use an install image. By default, not many filters are applied, and any computer can use any image as long as the appropriate permissions are in place. Filters can be inclusive so that only the computers that match a filter can use an install image. In addition, filters can exclude computers that match a filter so that only computers that do not match the filter can use an install image. You can add filters based on the following computer characteristics:
- BIOS vendor
- BIOS version
- Chassis type
- Device group
Permissions There are two places to configure permissions. You can configure permissions on the User Permissions tab of an image’s properties, as shown in Figure 2-17, or you can configure permissions in an image group’s security settings. By default, authenticated users have Read and Read & Execute permissions, which allow them to access WDS images. The advanced permissions, which show more granular permission entries, show that authenticated users have the following permissions:
- Traverse Folder/Execute File
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Multiple WDS servers For environments in which you need to restrict WDS imaging to local IT administrators, you can create geographically based security groups and configure the WDS images so that only the local group can deploy images. In such cases, you should deploy a WDS server in each geographic location that plans to use automated operating system deployments. Although not related to restricting who can receive images, it is important to know that WDS servers do not communicate with each other or share a common configuration. Thus, setting up and maintaining an infrastructure with multiple WDS servers requires extra administrative effort when compared to solutions such as MDT with linked deployment shares.
FIGURE 2-17 WDS image permissions
Finally, don’t forget about enhancing security indirectly. For example, as discussed earlier in this chapter, you can configure the PXE response so that WDS responds only to prestaged computers, or you can configure WDS to respond to all computers but then require an administrator to approve unknown computers manually. If you configure the PXE response so that an administrator must approve unknown computers, the administrator will have three options in the WDS console for the unknown devices:
- Approve By approving a pending device, the administrator enables the deployment process to continue.
- Name And Approve An administrator can specify a host name for the computer and approve it so that the deployment process continues.
- Reject By rejecting a pending device, an administrator cancels the deployment.
Often, in high-security environments, you should take advantage of most or all of the WDS security options. Combining multiple security methods in your solution is known as a layered security approach.
- A unicast deployment sends one network transmission to each WDS client.
- A multicast deployment sends one network transmission to multiple WDS clients, which reduces network bandwidth.
- A boot image is used to boot a WDS client computer to Windows PE and a WDS client prior to beginning the imaging process.
- You use an install image to deploy a customized version of Windows or a default installation of Windows. A customized install image is captured from a reference computer.
- A capture image is used to create an install image from a reference computer. You should capture the reference computer after it is configured and after you run Sysprep /Generalize /OOBE.
- A discover image is used to boot a computer that cannot boot to PXE so that you can deploy a WDS install image.
- You can configure scheduling of multicast deployments by choosing a date and time or setting a threshold for the number of computers that have to join a transmission before it starts.
- You can restrict access to WDS images by using filters and permissions. Permissions can be set on an individual image or on an image group.
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
You have a WDS server running on Windows Server 2012 R2. You need to automate some WDS configuration tasks. Which solution should you use? (Choose all that apply.)
- Windows PowerShell WDS module
You are attempting to capture an image of a reference computer. When you boot to the capture image, the WDS Image Capture Wizard does not see the system volume. What should you do?
- Reboot to Windows and then run the Sysprep /Generalize /OOBE /Shutdown command.
- Press Shift+F10 to open a Windows PE command prompt and then run the Sysprep /Generalize /OOBE /Reboot command.
- Reboot to Windows and then grant the SYSTEM account Full Control on the system drive.
- Press Shift+F10 to open a Windows PE command prompt and then use XCALCS to grant the SYSTEM account Full Control on the system drive.
You are running a default installation of WDS on Windows Server 2012 R2. Your immediate need is to create a discover image. What should you do first?
- Create a capture image.
- Create an install image.
- Add a boot image.
- Import the Windows PowerShell WDS module.
You are planning to image 100 client computers by using WDS. The network team has asked that the imaging take place after business hours, so you need to set up the imaging to take place at a future time. What should you do?
- Use unicast and schedule a transmission for a future time.
- Use multicast and schedule a transmission for a future time.
- Use unicast and a WDS filter.
- Use multicast and a WDS filter.
Your company has recently switched from Dell to HP for its laptop computers. A new batch of HP EliteBook 840 G1 laptops has arrived for imaging, but an advisory was sent out that recommends that all laptops of this model running a BIOS prior to F03 be updated before using. You need to ensure that your image is only installed on the HP laptops running the F03 bios. Which WDS filters should you apply?
- UUID and BIOS Version
- BIOS Vendor and BIOS Version
- Model and BIOS Version
- Model and BIOS Vendor