If you've been around for a while, you've probably worked with the Windows Automated Installation Kit (Windows AIK), Microsoft Application Compatibility Toolkit (ACT), Microsoft Assessment and Planning (MAP) Toolkit, Windows Deployment Services (WDS), Microsoft Deployment Toolkit (MDT), and Microsoft System Center Configuration Manager 2007. The release of Windows 8 introduces many new deployment tools, as well as feature enhancements to some of these existing ones.
Revisiting the Old Tools
In case the tools that I mentioned earlier are new to you, here's a brief explanation of each:
- Windows AIK contains several (mostly) command-line utilities such as Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Copype, Oscdimg, and ImageX.
- ACT keeps track of applications that exist in your environment, allowing you to categorize, prioritize, and analyze application compatibility for Windows 7. Applications that don't run properly on Windows 7 can be mitigated to run as well as possible, by applying ACT shims. ACT requires agents to be installed on each client machine, to gather application information.
- MAP assesses hardware to ensure that minimum OS requirements are met. These minimum requirements can be defined to reflect your corporate standards. MAP provides information about which machines need to be upgraded or replaced prior to the deployment of Windows 7.
- WDS provides Preboot Execution Environment (PXE) boot services, Windows Preinstallation Environment (WinPE) to boot, deployment of OS images, and multicasting. WDS is commonly integrated with MDT and Configuration Manager for PXE boot and multicasting functionality.
- MDT provides unified, simplified use of the Windows AIK tools. Most of these tools are command-line only, and each has a unique syntax, which can make them time consuming to learn and difficult to use. MDT removes the complexity of the Windows AIK tools by providing friendly wizards that ask simple questions. Under the hood, MDT takes care of all the detailed and varied syntax of each tool.
- Configuration Manager 2007 can perform Zero Touch Installations of OS deployments (OSDs), even on computers that don't have the Configuration Manager client agent running. Integrating MDT into Configuration Manager 2007 provides the most flexible and robust deployment solution available from Microsoft. One of the most powerful features of integration is the ability to completely design your deployment wizard by using the user-driven interface. This interface lets you design (beginning to end) how your deployment wizard appears and the order in which the pages are presented.
New Deployment Tools
With the release of Windows 8, Windows AIK is being retired. In its place is a new toolkit, Windows Assessment and Deployment Toolkit (Windows ADK), which helps to ensure that your applications, hardware, and drivers are compatible with the new OS. In addition, Microsoft Security Compliance Manager (SCM) helps you quickly and easily manage your Group Policy Object (GPO) security settings. A long-awaited improvement to WDS 2012, which now includes the Expected Deployment Results Wizard, is the ability to filter drivers based on the model of client machines. MDT 2012 Update 1 now supports System Center 2012 Orchestrator runbooks as a task in a deployment. And last but not least, Configuration Manager 2012 gets a complete facelift, embracing the System Center management framework. If you aren't quite ready to deploy Windows 8, don't worry: You can still enjoy all the new tools and features when deploying Windows 7.
Windows Assessment and Deployment Toolkit
Windows ADK can be installed on Windows Server 2012, Windows 8, Windows 7, Windows Server 2008 R2, and Windows Server 2008. The only requirement is that .NET Framework 4 is installed. The documentation for Windows ADK states that if .NET Framework 4 isn't installed, the installation process will automatically install it. However, this didn't happen when I installed Windows ADK. I purposely left .NET Framework 4 uninstalled so that I could test the Windows ADK installer. I was a little disappointed to see that the installation failed until I manually installed .NET Framework 4. Once .NET Framework 4 was present, the installation continued without a hitch. (The machine on which you're installing Windows ADK does need Internet access.) Installation of Windows ADK can be a bit intimidating if you find the 10-page Microsoft document that explains the different ways you can perform the installation (i.e., from the Internet, by downloading adksetup.exe and running it locally, or by using command-line switches). During the installation, packages are downloaded from Microsoft, based on the Windows ADK features that you chose to install (as shown in Figure 1). Table 1 lists the Windows ADK features and their functionality.
Security Compliance Manager 2.5
SCM 2.5 makes managing GPO security settings during deployment a snap. You can do everything from using the default baselines to creating custom GPO Packs for deployment to machines that might never join a domain yet need to be as secure as domain-joined machines. The ability to document your existing GPO settings in a Microsoft Excel spreadsheet in less than 15 minutes is just one SCM feature:
- Get access to a great educational tool that explains GPO setting details, vulnerabilities, potential impact, and countermeasures.
- Export GPO security settings from a domain-joined machine and document existing GPOs.
- Create GPO Packs that can be deployed to all newly deployed machines, whether or not they join a domain.
- Compare GPO settings from two machines to determine the differences.
- Merge two GPO security settings, carefully selecting the desired setting to create a more solidified set of GPO settings.
Some new deployment tools deploy GPO Packs by default, based on the OS that's being deployed. For example, MDT 2012 Update 1 has four GPO Packs that can be deployed, based on the OS: Win7SP1-MDTGPOPack, WinVistaSP2-MDTGPOPack, WS2008R2SP1-MDTGPOPack, and WS2008SP2-MDTGPOPack. These GPO Pack settings are documented on The Deployment Guys blog.
Windows Deployment Services
WDS has some nice new features, including better driver management, pre-staging new devices, the Expected Deployment Results Wizard, and support for standalone WDS servers that don't require Active Directory (AD). New WDS features and enhancements include the following:
- When importing drivers into WDS, the new auto-detection of duplicate drivers is enabled and prevents importing the same drivers into multiple driver groups.
- Pre-staging devices can be done in the WDS snap-in. In the past, pre-staging was performed in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
- The Expected Deployment Results Wizard helps to identify which driver groups will be applied to pre-staged devices if a deployment is performed.
- Standalone WDS servers are much easier to implement with the new built-in PXE providers and multicasting.
- You can add .vhd images through the WDS snap-in. In the past, a Wdsutil command was necessary.
- Now, .vhdx image formats are supported and provide sparse dynamic representation.
- You can now assign a priority to boot and install images, to determine the order in which the images are presented during deployment.
- TFTP and multicasting of images over IPv6 are supported.
- Actual deployments are faster. In the past, images were deployed in two steps: Download the image to a target machine, and then apply the image. Now images are applied as they're downloaded.
- Deployment of ARM clients is supported.
- One of the best new features is the ability to filter drivers based on model, as shown in Figure 2.
- Pre-staging computers makes them known to WDS, one of its strongest security features. My favorite security setting is to set the PXE response to Respond to all Known and Unknown Computers, but administrative approval must be given for unknown computers. The new Add Prestaged Device Wizard, which Figure 3 shows, lets you set from which server the PXE client will PXE boot and retrieve its PXE prompt policy. You might be wondering what a PXE prompt policy is and what it does; I certainly did. A PXE prompt policy defines what happens after a network boot is initiated -- settings such as whether someone needs to press F12 to continue the PXE boot process, whether client machines automatically PXE boot unless Esc is pressed, or whether to boot a custom PXE network boot program.
- The Boot Image option lets you specify the default boot image (WinPE) to boot when PXE boot is completed. You can also set the unattend answer file to be used for this client when an installation is performed, as well as the settings for joining the newly deployed machine to a domain.
Microsoft Deployment Toolkit 2012 Update 1
MDT isn't new to the deployment world. This free deployment tool from Microsoft performs Lite Touch Installation (LTI), which simply means that a human must touch the target machine even if only to initiate a boot. The newest version, MDT 2012 Update 1, offers new enhancements:
- Capturing user state in-use files is no longer an issue. Files that are used by programs such as Outlook (e.g., address books) can be opened by the program upon boot to help ready it for use. These open files previously had locks that prevented them from being included when users' data and settings were captured, but this issue has been resolved.
- Windows PowerShell 3.0 scripts are now supported.
- The Microsoft Diagnostic and Recovery Toolkit (DaRT) 8 is supported, to provide remote control of target machines during deployment in the WinPE phase and additional tools to assist in troubleshooting failed deployments for Software Assurance (SA) clients.
- The Zero Touch Installation and user-driven interface task sequences have been combined.
- Orchestrator runbooks are supported in task sequences. A couple of features offered by Orchestrator are the ability to move a computer during deployment from one organizational unit (OU) to another and to create a service request in the event of a failed deployment.
- The Microsoft Customer Experience Improvement Program (CEIP) now gathers more information about how MDT is being used than it did in the past.
- A user-driven interface has been added to MDT and lets you fully customize your deployment wizard to fit your environment's needs.
Configuration Manager 2012
Configuration Manager 2012 has a completely new look: the System Center management framework. The major changes in Configuration Manager 2012 are the UI, site hierarchy, state-based application deployment model, and terminology. The OSD feature hasn't changed much; when integrating MDT 2012 Update 1 with Configuration Manager, the MDT OSD task sequence hasn't changed drastically.
- The new UI uses the System Center framework as the administrative console (Microsoft.ConfigurationManagement.exe), instead of using the MMC interface that Configuration Manager 2007 and 2003 used. Embrace the Ribbon and Wunderbars, shown in Figure 4. The Wunderbars are at the bottom-left corner of the UI and control configuration of Asset and Compliance, Software Library, Monitoring, and Administration. Selecting a Wunderbar determines the features that you can configure and monitor and the reports that you can create.
- Applications can be deployed in a state-based manner. You can identify an application as always being installed. Then, based on scanning intervals that you define, Configuration Manager clients are scanned and any missing applications are installed. You can also specify that an application should never be installed; based on your scanning interval, any such applications that are detected will be removed.
- There's a new type of site: central administration. Only large or geographically dispersed companies will need a central administration site; most companies will be able to create a standalone primary site. A central administration site by itself can't deploy applications or perform OSDs; in fact you can't even designate management or distribution points. Mainly, a central administration site is designed to link multiple primary sites. If you're in a small to midsized organization or setting up a lab environment, start with a standalone primary site.
- There are two changes to terminology. Instead of advertising a task sequence to a collection, you now deploy the sequence. Also, mandatory OSDs are now referred to as required OSDs.
- The configuration of client monitoring in a WinPE phase for Configuration Manager 2012 has been streamlined.
- Distributing content for an entire task sequence is now much easier. Typically, an OSD task sequence has multiple packages that need to be distributed to distribution points. In Configuration Manager 2012, you can highlight the OSD task sequence and choose Distribute Content. All packages that are associated with that task sequence will be updated on your distribution points, as shown in Figure 5.
New Tools, New Features
I hope that this article helps you understand the new Microsoft deployment tools and what you can do with them. Look for future step-by-step articles on these new tools and features. And as always, I would love to hear from you about deployment issues that you're having or enhancements that you'd like to see made to the new tools.
Table 1: Windows ADK Features
New to Windows 8
Gathers application data running in your environment; tracks, prioritizes, categorizes, and mitigates applications
Application Compatibility Manager is the central tool; inventory collection is now available for x64 clients
· Windows System Image Manager (Windows SIM)
· Oscdimg, DISM API, Bcdboot, WIMGAPI
· Help and Support
· Captures and applies images using PowerShell cmdlets; support for mounting and servicing .wim and .vhd images
· Creates unattend .xml answer files
· Additional deployment tools and accompanying APIs
· Customizes the Help and Support pages: Home, Escalation, and Browse
Scaled-down version of Windows 8 used to boot a computer with networking capabilities to capture or apply an OS image
Makewinpemedia.cmd creates a bootable WinPE, which can be placed on a USB flash drive or used as an ISO that can be burned to CD; supports .NET Framework 4
Windows Assessment Toolkit
Measures performance, reliability, and functionality
Assesses performance of one or more computers; measures system startup and shutdown, media streaming, out-of-box experience (OOBE), system idle time, overall energy efficiency; offers a Results database tool
Windows Performance Toolkit (WPT)
Records system events and analyzes performance data in a GUI
Replaces Xperf, Windows Performance Recorder, and Windows Performance Analyzer; new Issues window lists detailed information; offers full-text search capabilities
Migrates users' data, settings, and application settings
/Verify switch verifies status of each file in an existing migration store; /Extract switch can extract files from a compressed migration store; improved error management provides more detailed summary information in ScanState and LoadState logs
Manages activation of OSs and Microsoft Office products
New UI; computer information is now stored in SQL Server (SQL Server 2008 R2 is recommended but SQL Server Express is also supported); five new Volume License reports