Software Deployment Tips

#5: Two new BFF’s: Easy Software Deployment & Windows Deployment Services (Part 1)

Frank van Hoolwerff #SoftwareDeploymentTips 0 Comments

Part 1: Get it started.

Windows Deployment Services (WDS) is a strong “free” tool for deploying Windows operating systems to your organization’s computers. Yet even with the Microsoft Deployment Toolkit (MDT), there is no management of the “live system” once the deployment of the operating system is done. So, in this fifth Software Deployment Tips blog we present to you two new best friends forever: WDS and ESD! Or, if you have already set up MDT, you can add ESD to join in!

 

Figure: Workflow WDS and ESD

STEP 1: Requirements, what do you need to get started?

We named our product EASY Software Deployment. The word easy is there because we like things easy. To keep our promise of making things easy, we wrote this guide for you on how to implement WDS and use ESD to manage your systems from the moment the machines come online in your domain.

What do we need?
– Domain Controller;
– DHCP server with PXE capabilities;
– Your Windows Server 2012 ISO (in case you need the sources for adding WDS);
– Windows 10 ISO;
– Windows 10 product key;
– File (DFS) shares;
– Client computers to test with, a VM will do;
– An account that can join computers to the domain and can read shares; we use an account named Domain Installer, which we will explain later in this guide;
– The files included with this article;
– And last but not least: a working install of Easy Software Deployment. Request a free trial here, and look for the guide on installing ESD in your network here.


STEP 2: Installing Windows Deployment Services

To keep this guide from getting too lengthy, we refer you to this great guide on how to install WDS. However, instead of the Windows 8 ISO, use the Windows 10 ISO, also when adding the PE boot image to your WDS server. If you don’t, you will get all kinds of errors while deploying Microsoft Windows 10 images.

 

STEP 3: Finetuning WDS

STEP 3.1: Create an image.

First of all, create an image for your machines, with all the drivers on board or perhaps only the basic ones, whatever you like! If you do not know where to start, maybe you are new to WDS, so please give the great guide mentioned above a good read-through. For this guide I have used the Microsoft Windows 10 ISO and extracted the install.wim.

STEP 3.2: Answer file; edit/create the answer file for installation of your OS.

We included 2 answer files with this guide; click here to download them from our server, together with some other files you’ll need later on. For now, the following files are the most important:
ESD_windows_10.xml
ESD_windows_10_OOBE.xml

ESD_Windows_10.xml is used for the Windows PE boot image: it wipes your disk, selects the language, etc. ESD_Windows_10_OOBE.xml is added to your install image: it joins your machine to the domain and executes some tasks.

If you want to, you can easily create your own XML files. Microsoft has wrapped the WSIM (Windows System Image Manager) in the ADK; a guide can be found here. To make the answer file work with Easy Software Deployment, please do the following:

Replace the Windows key with your KMS / MAK key. If you supply a retail key, or a key for an edition lower than Pro or Enterprise, the installation will fail with an error in the specialize pass (man, I hope Microsoft will tell you what the heck exactly was wrong in the future; right now you need to be a Sherlock Holmes).

You have to change the values wrapped in % below to your specific environment properties:

ESD_Windows_10.xml:
%Domainname% – your domain name
%Productkey% – your Windows 10 product key

ESD_Windows_10_OOBE.xml:
%Domainname% – your domain name
%MACHINEOU% – use the example file for reference

Note: the local admin user for your image is: ladmin with the password of ESD2016! You are free to change this to whatever you like, use the WSIM to change this.

 

STEP 4: The installer account

STEP 4.1: Test.

Boot your machine; Press F12 and boot to network. Check if your image is deploying fine, if so continue to the next step.

STEP 4.2: Create account.

Like we said in the prerequisites section, you’ll need an account that can join computers to the domain and access the necessary shares.

Go to your Active Directory and create an account named Domain Installer, give it the following password: FullyAutoRobo9000 (this is the password we have in the scripts, if you want to use something different, you are very much welcome to do so but do not forget to change the passwords in the scripts and answer files).


STEP 4.3: Upgrade account

The account we just made is just a user account with no special permissions; we need this account to be able to join computers to the domain. Create a security group in your OU for groups (whatever OU you use for storing groups is fine) named GSEC_FG_Domain_Join (GSEC = Global Security, FG = Function Group).


Add the newly created user Domain Installer to your new group:


Now, open your Group Policy Management Console. I personally don’t like editing the default domain policy, so I create a new GPO in the root called %domainname%_Machine_Policy (in my case App.local_Machine_Policy)


Navigate to: Computer Management > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment : Add workstations to domain.
Add the Functional Group to the Policy.


Hit OK, we’re good to go.

STEP 4.4: Test account

Test it out locally on a system. Login with a local admin to a non-joined workstation and join it to the domain with the account we just added.

Now go back to the GPO we just created and edit it some more, we will need this later on in this guide:

Click on: Log on as a batch job

Check the Define these policy settings checkbox.

Click Add User or Group…

Click Browse

Select the domain group we created (I use a simple method; if you are keen on security, you can create a separate group and service accounts for this whenever you like).

Hit OK, okay aaaand OKAAAYY.

Oh, one more thing: domain controllers do not pick up this GPO unless you set the GPO to Enforced!
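As an added check that is not part of the original guide or its download, the following PowerShell script (our own example) verifies on the domain controller that the group from STEP 4.3 really holds both user rights this guide depends on; the group name is assumed to match the one created above.

```powershell
# Added example, not from the original guide: verifies on a domain controller
# that the group from STEP 4.3 holds the two user rights this guide relies on,
# "Add workstations to domain" (SeMachineAccountPrivilege) and
# "Log on as a batch job" (SeBatchLogonRight). Run it elevated on the DC after
# "gpupdate /force". A MISSING result means the GPO did not apply there, on a
# DC usually because it is not set to Enforced. Group name assumed from STEP 4.3.

$GroupName = 'GSEC_FG_Domain_Join'

function Get-UserRightHolders {
    param([string]$Right)
    # secedit only exports to a file, so use a temporary .inf and clean it up
    $inf = Join-Path $env:TEMP 'userrights_check.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like "$Right = *" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value looks like "*S-1-5-32-544,*S-1-5-21-...-1107": translate each SID to a name
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # keep the raw SID if it cannot be resolved
    }
}

foreach ($right in 'SeMachineAccountPrivilege', 'SeBatchLogonRight') {
    $holders = Get-UserRightHolders -Right $right
    $hit = $holders | Where-Object { $_ -like "*\$GroupName" }
    if ($hit) { "OK      $right includes $hit" }
    else      { "MISSING $right does not include $GroupName (holders: $($holders -join ', '))" }
}
```

If SeBatchLogonRight comes back MISSING, the scheduled task in STEP 6 will refuse the Domain Installer account with the dialog shown there.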

 

STEP 5: Setupcomplete.cmd

STEP 5.1: Set up.

Microsoft introduced SetupComplete.cmd a while ago: it is a command file that Setup triggers after Windows has been installed successfully. Let me explain briefly what you need to do so this file is copied into your image during deployment.

On your WDS server, go to: \\localhost\Reminst or \\yourwdsserver\Reminst. This share is always available on a WDS server.

When you imported an install image, for example the install.wim from Windows 10, you will have an install.wim file on the reminst share:


Give this install.wim a name you can work with because this might come in handy for future options. For example, you can create an image for a specific department or function.

Our images are stored in the Image Group 1 Folder that we created in WDS, so it will look like this:


 

Create a folder with the same name as the .wim file, so in our example create the folder Install


Create the following folders in this install folder:

Folder to create                Description
$OEM$\$$                        This corresponds to the C:\ drive of the computer
$OEM$\$$\Setup\Scripts          This is the location of setupcomplete.cmd
$OEM$\$1                        This corresponds to the %windir% folder, typically C:\Windows (we don’t need it for now, but hey, always nice to share some intel, right?)

 


 

As we said before, we like it easy, so we believe it’s best to use setupcomplete.cmd to call a script that lives on our network. This way we have one central point of management again, after everything is set up.

So in our setupcomplete.cmd we do the following:

Step 1: Create a network mapping to our deployment share;
Step 2: Execute our scripts from the network.

(Note: you can download all the scripts here, the setupcomplete.cmd is included in the zip file.)

STEP 5.2: SetupComplete.cmd

REM Map the deployment share; replace the share, account and password with your own values
Net use i: \\app.local\Root /user:app.local\DomainInstaller FullyAutoRobo9000
REM /D also switches the current drive; without it CD only changes the working directory of drive I:
CD /D i:\Scripts\Windows_Installer
I:\Scripts\Windows_installer\Start.cmd
exit

First, this creates a mapping with drive letter I. If you hate to enter usernames and passwords over the network, you can choose to move the mapping part to a separate command file and encrypt it as an .exe: http://www.f2ko.de/en/b2e.php. Second, replace the share values with those of your environment.

STEP 5.3: Start.cmd

@ECHO OFF
REM Install the ESD Agent silently with its transform; replace %yourdomain% and %DFS% with your own values
msiexec /i "\\%yourdomain%\%DFS%\Applications\ESD_Agent_AMD64.msi" TRANSFORMS="\\%yourdomain%\%DFS%\Applications\ESD_Agent.mst" /qb-!
exit

This installs the ESD Agent. That was kinda easy, wasn’t it? ☺ But wait! Okay, so I have an unattended installation of an OS and ESD is present. What now?

 

STEP 6: Automagically join computer accounts to security groups

STEP 6.1: Powershell Script.

ESD works with domain security groups, and a random computer account is not automatically a member of a security group unless you make it so. We will automate this for you! Place the following PowerShell script on your domain controller: autoaddsystems.ps1 (also included in the zip file).

Import-Module ActiveDirectory
$OU = "OU=Staging,OU=Machines,DC=app,DC=local"
$StagingGroup = "CN=GSEC_Staging_Baseline,OU=Staging,OU=Machines,DC=app,DC=local"
# Remove members whose distinguished name is no longer under the staging OU
Get-ADGroupMember -Identity $StagingGroup | Where-Object { $_.distinguishedName -notlike "*,$OU" } | ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $StagingGroup -Confirm:$false }
# Add every computer directly in the staging OU that is not yet a member of the group
Get-ADComputer -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!(memberOf=$StagingGroup))" | ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $StagingGroup }

This script adds all computers directly in the Staging OU (under Machines) to a security group called GSEC_Staging_Baseline, and when a member of that group is no longer found in the Staging OU, it removes it from the security group.

We will create a scheduled task on our domain controller with an interval that suits our environment.

Download the autoaddsystems.ps1 file added to this article, or copy the PowerShell script above and save it wherever you like. You can edit it so it corresponds to the OU where you want the machines to pick up software.

STEP 6.2: Task Scheduler.

Log on to your domain controller.
Open the task scheduler: Start > Run: Taskschd.msc (Works on both 2008 and 2012).

Hit OK

The Task Scheduler opens.

Right-click Task Scheduler

Select Create Basic Task

Name your task and add a description if you like.

Click Next.

Again, click Next.

Click Next.

Click Next.

Program / Script : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Argument: -command \\%yourserver%\%share%\Scripts\autoaddsystems.ps1

Click Next.


Enable the checkbox: Open the Properties dialog for this task when I click Finish

Hit the Finish Button!

We now can edit the settings.

STEP 6.3: Edit settings.

First we will change the user context under which this task will run; we will use the account we created earlier: Domain Installer. Click Change User or Group.

Next, type the username and hit OK.

Apply these settings.

Next, go to the Triggers tab.

Select the Daily job and select Edit.

Check the box “Repeat task every”. You can set the interval as you like, for example 15 minutes. Usually it takes about 15 minutes for the machine to be picked up by ESD. But again, if you’re impatient like me, you could also try setting the interval to 5 minutes.

Next, adjust the duration to Indefinitely and check “Stop task if it runs longer than:” and select 30 minutes.

Finally, hit OK.

You will be prompted for your “service” account password, enter it and click ok.

Hot Darn! Again with the security, huh Microsoft? It’s a great feat. 😉

When you see this dialog, it’s because you skipped a step from our guide. 😉 So, go back to the step where we configured the GPO (the “Log on as a batch job” right). (We all know I forgot it myself and therefore edited the article; sssst, don’t tell the boss.)

When you wait 5 minutes, the machines that are in the specified OU will be joined to the security group.
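For those who prefer a script over the clicking in STEP 6.2 and 6.3, the following PowerShell registers the same task; it is an added example, not part of the downloadable files, and assumes Windows Server 2016 or later, the batch logon right from STEP 4.4, and that the Domain Installer account is allowed to change the membership of GSEC_Staging_Baseline. The script path and account name are placeholders.

```powershell
# Added example, not from the original guide: registers the autoaddsystems
# task from PowerShell instead of clicking through Task Scheduler (STEP 6.2/6.3).
# Assumes Windows Server 2016 or later (ScheduledTasks module; repetition is
# indefinite when -RepetitionDuration is omitted), that the account holds the
# "Log on as a batch job" right from STEP 4.4, and that it may change the
# membership of the staging group. Path and account below are placeholders.

$ScriptPath = '\\yourserver\share\Scripts\autoaddsystems.ps1'   # placeholder
$TaskUser   = 'app.local\DomainInstaller'                        # placeholder
$TaskName   = 'ESD - autoaddsystems'

# Ask for the password at registration time instead of keeping it in a script.
$Cred = Get-Credential -UserName $TaskUser -Message 'Task account password'

# Action: same powershell.exe as STEP 6.2. -File with -ExecutionPolicy Bypass
# avoids the execution-policy block a script on a network share can hit when
# started with -command.
$Action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Trigger: daily, repeated every 15 minutes, indefinitely (STEP 6.3).
# -Daily does not accept -RepetitionInterval, so copy the repetition pattern
# from a -Once trigger onto the daily trigger.
$Trigger = New-ScheduledTaskTrigger -Daily -At '00:00'
$Trigger.Repetition = (New-ScheduledTaskTrigger -Once -At '00:00' `
    -RepetitionInterval (New-TimeSpan -Minutes 15)).Repetition

# Settings: stop the task if it runs longer than 30 minutes (STEP 6.3) and
# never start a second copy while one is still running.
$Settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -MultipleInstances IgnoreNew

# -User/-Password stores a password logon, which is why the batch logon
# right is needed; without it you get the dialog shown after STEP 6.3.
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Settings $Settings -User $Cred.UserName `
    -Password $Cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# Quick check: the task exists and has a next run time.
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastTaskResult, NextRunTime
```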

 

Summary

  1. Install a machine bare metal with Windows 10 unattended via WDS
  2. The machine is joined to the domain unattended
  3. The machine is added to the security group GSEC_Staging_Baseline

Finally, we can create baseline installation task(s) in ESD assigned to GSEC_Staging_Baseline, so all the baseline software is installed when the machine joins the domain.

In our next guide (part 2) we will show you how to create a baseline, and maybe some driver action. 😉 So make sure you subscribe to our newsletter to be the first to know about our new guide!

 

Hope you enjoyed this Software Deployment Tips blog and you are now successfully running WDS and ESD.

If you don’t have ESD yet, want a trial or maybe want to read more? Go ahead and visit us at www.easysoftwaredeployment.nl.

Cheers!

Frank van Hoolwerff

 


Software Deployment Tips is a recurring blog series about current news in the software/app world.
Each time we will handle a situation, which is important and relevant at that time, and we will show you how to quickly take care of it using Easy Software Deployment.

Written by Frank van Hoolwerff, our Senior Technical Consultant.

So, did you enjoy this article on Windows Deployment Services on our Software Deployment Tips blog?