LOPSA-ETENN - Building a Managed Desktop Environment
Building a Managed Desktop Environment
Mike Julian
Wednesday, August 8, 12
Who am I?
• Windows (and a bit of Linux) sysadmin
• First Win7 deployment at UTK: ~1500 machines
• Win98, WinXP, Vista, Win7, ~15+ deployments, 20-1k+ each
What is a ‘Managed Desktop Environment’?
• Automated
• Controlled
• As lean as the business needs, and no leaner.

I. Define
A. What do I mean when I say a managed desktop environment?
B. Those of you working in large-scale systems know that it's easier and more efficient to rebuild a system than to repair it. The same principle applies in a desktop environment as well.
C. The goal of a managed desktop environment is very similar to that of a well-managed server environment: automate everything, know *exactly* what is on your systems, who needs what, where the systems reside, etc.
Why does it matter?
• The lens through which users view IT.
• Do this right, and perceptions of IT will swing to positive.

II. Why does it matter?
A. You may have the most beautifully designed and managed server infrastructure, but if the computers your customers use are slow, then in their minds, your network sucks.
B. If a new user arrives and their computer and all accounts are not waiting for them by the time they get to their desk, the reputation of IT is immediately tarnished in their minds--no matter what the reason is.
C. There really is no excuse for a desktop to be down longer than an hour.
D. What I'm getting at is that your desktop environment is the lens through which your customers view IT. Do this right and you make great bounds in building user faith in IT.
How do I start?
• Do an inventory
• Decide on methodology
  • HTI vs LTI vs ZTI
  • Thin, Thick, Hybrid
Inventory
• Workstations, printers, software, file shares, usage patterns
• Microsoft Assessment & Planning Toolkit (MAP)
• Script it: VBS or PowerShell

IV. The Approach
A. Inventory
1. Software
2. Hardware
3. Printers
4. Users
5. Shared folders/mapped drives
6. Usage patterns (e.g., groups of users)
7. MAP can be a huge help here
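The "script it" option from the inventory slide, as an added example that is not part of the original deck: a per-machine collector for hardware, OS, printers, shared folders and installed software. It assumes PowerShell 3.0 or later; the function names and the output location are hypothetical.

```powershell
# Added example (not from the original slides). Run locally, e.g. as a startup script.
param([string]$OutDir = $env:TEMP)   # assumption: point this at a collection share

function Get-InstalledSoftware {
    # Read the Uninstall registry keys rather than Win32_Product, which is slow
    # and triggers an MSI consistency check on every installed package.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Get-DesktopInventory {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $os   = Get-CimInstance Win32_OperatingSystem
    $bios = Get-CimInstance Win32_BIOS
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        OS           = $os.Caption
        OSVersion    = $os.Version
        ConsoleUser  = $cs.UserName        # empty when nobody is logged on
        Printers     = @(Get-CimInstance Win32_Printer | ForEach-Object { $_.Name })
        # Type 0 = ordinary disk share; this skips admin shares such as C$ and IPC$
        Shares       = @(Get-CimInstance Win32_Share |
                           Where-Object { $_.Type -eq 0 } |
                           ForEach-Object { $_.Path })
        Software     = @(Get-InstalledSoftware)
        CollectedUtc = (Get-Date).ToUniversalTime().ToString('s')
    }
}

# One JSON file per machine, overwritten on each run
$file = Join-Path $OutDir "$env:COMPUTERNAME.json"
Get-DesktopInventory | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
```

Mapped drives are per-user, so they do not show up in a machine-context run; collect those from a logon script instead.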
Methodology
• Install Types
  • HTI: High Touch Install
  • LTI: Lite Touch Install
  • ZTI: Zero Touch Install

III. Terms
A. ZTI - Zero Touch Installation
1. Fully automated deployment. You don't touch the system at all. In fact, you could sit at your desk and never get up.
2. Requires SCCM in order to do, which costs a good sum of money. It's worth it, but some of your companies may not have the budget or scale for it.
B. LTI - Lite Touch Installation
1. Just short of ZTI: your interaction is minimal, such as entering a computer name, or initiating the imaging process manually.
2. All the functionality needed for LTI is built-in on Server 2008, or comes free from Microsoft.
Methodology
• Image types
  • Thin Image
  • Thick Image
  • Hybrid Image

C. Thick Image
1. Also called a flat image. Many of you are familiar with this already. This is where you build a system as your reference machine, then clone it as-is. Anyone who has ever used Ghost for deployment has done this.
D. Thin Image
1. Way cooler stuff. The image isn't really an image. An example can explain it better: in my latest project, I have the Windows 7 vanilla WIM in WDS. I used WAIK to build an unattend file, which I applied to it through MDT. MDT has a driver database stored on a network share. When I launch MDT and tell it to install this image, it goes through a standard Win7 install, applies the unattend file, installs drivers and updates from the local network. Part of the unattend is joining the domain. By the time the system does the first boot, it gets group policy, which then applies a ton of custom settings, and installs a bunch of software. As you can see, it's not really an image, as the system is built piece by piece through the process. One of the neat things about this method is that you can change things at any point in the process, unlike with a thick image, which would have to be snapshotted again. Changing anything on a thin image requires no deployment of it first. It's way more flexible.
2. This is the method I advocate for most implementations.
The Tools
• MDT
• WAIK
• WDS
• SCCM - $$$

IV. OS Deployment
A. Windows 7
1. MDT as thin or thick image
2. SCCM - We won't be covering this, as awesome as it is.
3. WAIK for building the unattend file
B. Windows XP
1. MDT can deploy as a thick image
Customization
• Group Policy!
• Printers
• Software
• Settings
• File shares

V. Group Policy
A. System customization
1. Group policy is your best friend. There is way too much to list here.
B. Printer Deployment
a. Printer deployment sucks, but it's better than it used to be.
b. On printers, there's a lot of nitty-gritty technical detail. Here's the overview: use a print server, then pick one of the following methods:
(1). Group Policy Preferences - An excellent choice and should be your first choice.
(2). Print Management MMC through the Print Server role on 2k8 - Really easy to deploy; however, it has the limitation of not being able to use security groups to apply selectively.
(3). VBS script - Really easy, simple, and stable. I tend to use built-in functionality instead of scripting things, but this method works just fine.
c. I mentioned security groups, so let me touch on that. Create a security group for each printer you have. Put computers or users in it, depending on where you're applying this in group policy. When you set up a printer for deployment, use the security group as the condition. The result is that only people or computers in that group will get the printers installed. Person needs a new printer added? Simply add them to the group and tell them to reboot.
C. Software Deployment
1. Most major software packages have MSIs with transforms available. Add them to the Software Installation bit in group policy. If the package lacks an MSI, there is software available to repackage as an MSI, though I don't have any experience with them. Another option is to set a batch script to perform a silent install against the EXE. MDT can also perform software installation itself.
D. File shares
1. Couple of different options: use Group Policy Preferences, or a script (batch/VBS). I prefer GPP.
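The one-security-group-per-printer idea from the printer notes above, implemented for the script method as an added example (not from the original deck, and in PowerShell rather than VBS). The group names, print server and function names are constructed placeholders; it also disconnects managed printers once the user has left the matching group.

```powershell
# Added example: logon script. Constructed mapping of security group -> shared printer.
$PrinterGroups = @{
    'EXAMPLE\PRN-Floor2-Color' = '\\printsrv.example\Floor2-Color'
    'EXAMPLE\PRN-Floor3-Mono'  = '\\printsrv.example\Floor3-Mono'
}

function Get-CurrentUserGroups {
    # Group names from the logon token, i.e. membership as of the last logon
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try   { $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { }   # SID that no longer resolves to a name; skip it
    }
}

function Get-PrinterPlan {
    # Pure decision step: which managed printers to connect and which to drop
    param([string[]]$MemberOf, [hashtable]$Map, [string[]]$Connected)
    $wanted = @($Map.Keys | Where-Object { $MemberOf -contains $_ } |
                  ForEach-Object { $Map[$_] })
    [pscustomobject]@{
        Add    = @($wanted | Where-Object { $Connected -notcontains $_ })
        # Only printers listed in the map are ever removed; others are left alone
        Remove = @($Connected | Where-Object {
                     ($Map.Values -contains $_) -and ($wanted -notcontains $_) })
    }
}

$net   = New-Object -ComObject WScript.Network
$conns = $net.EnumPrinterConnections()      # alternating entries: port, printer name
$connected = @(for ($i = 1; $i -lt $conns.Count(); $i += 2) { $conns.Item($i) })

$plan = Get-PrinterPlan -MemberOf (Get-CurrentUserGroups) `
                        -Map $PrinterGroups -Connected $connected
$plan.Add    | ForEach-Object { $net.AddWindowsPrinterConnection($_) }
$plan.Remove | ForEach-Object { $net.RemovePrinterConnection($_, $true, $true) }
```

Because the token is built at logon, a group change takes effect at the user's next logon.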
Licensing
• Three licensing types
  • OEM
  • Retail
  • Volume Licensing
• Only VL has imaging rights

VI. Licensing Concerns
A. There are three types of licensing
1. OEM - This is what you get when you purchase a new computer. It's the sticker on the side of the box. Individual keys.
2. Retail - This is when you buy from a retailer, such as Best Buy. Individual keys.
3. Volume Licensed - Purchased from resellers. Multiple different licensing models available; ask your reseller for more information on those, as it can get confusing quickly.
B. Only VL has reimaging rights.
1. One of the more important bits to know here is that a VL license for Win7 is an upgrade license, not a full license. You need an OEM or retail license on the computer already.
Resources
• Windows 7 Resource Kit by Mitch Tulloch
• Microsoft TechNet
• MS Volume Licensing Service Center: microsoft.com/licensing
Q&A
• Questions?
• email@example.com