Wednesday, January 15, 2014

WES8 deployment with ConfigMgr 2012 SP1 or R2

Last month I did a few thin client deployments with ConfigMgr 2012 SP1. When starting you have the choice to download a clean WES8 image at the HP website. That way a FLASH.IBR (4GB) is downloaded, which can be renamed to FLASH.WIM and imported in ConfigMgr. Another way to create an image is using ConfigMgr Capture media. This can be started in Windows Embedded (WES) to sysprep and upload the image. Third option is to download a clean image from the Microsoft website, using Image Builder Wizard (IBW), with the risk that HP drivers are missing after deployment. I prefer using the download option, with the image customized for HP thin clients. Let's have a look at deployment progress. 
 
Deployment is done with the option "Download content locally when needed by running task sequence" by default. That way 4GB is downloaded on Flash RAM on the thin client and extracted after that. This seems not the fastest option, because Flash RAM isn't designed to do heavy Read/Write actions at same time. In my case downloading the image took 30 minutes and extracting the image took another 60 minutes. Why Flash RAM is that slow is a question for me also. Way to slow to do multiple deployments a day I think. When using an USB-stick for doing the deployment (without ConfigMgr usage) installation is done in 120 minutes also, so not that good also.
 
Let's have a look at the different Write Filters also. ConfigMgr supports managing the following types of write filters:
-File-Based Write Filter (FBWF) on WES 7E, 7P and 2009 devices (ConfigMgr 2012 SP1 or R2 only)
-Enhanced Write Filter (EWF) RAM on WES 7E, 7P and 2009 devices (ConfigMgr 2012 SP1 or R2 only)
-Unified Write Filter (UWF) on WES8 devices (ConfigMgr 2012 R2 only)

Note: ConfigMgr does not support write filter operations when the Windows Embedded device is in EWF RAM Reg mode.
 
To create Write Filter settings use Embedded Lockdown Manager (ELM). ELM is a snap-in to the Microsoft Management Console (MMC). You can use ELM directly on a Standard 8 device, or you can use ELM on a development computer and then remotely connect to a Standard 8 device. ELM automatically detects which lockdown features are installed on the device, and displays configuration options for only those features. ELM uses Windows Management Instrumentation (WMI) to detect and change configuration settings.
In a typical installation, ELM can be found at the following location:
%SYSTEMROOT%\System32\EmbeddedLockdown.msc
Just use "Connect to Device" from a remote system and "Export to PowerShell" to save WES settings in a ps1 file. This package must be used within ConfigMgr during deployment. (for example: ELM Write Filter settings package with TC-settings.ps1 file)
 
In the task sequence (used for TC deployment) there must be a few steps added:
-Browse to the newly created deployment task sequence. Right-click it and select Edit to open the Task Sequence Editor. Select Partition Disk 0. Double-click on (Primary) Volume to edit its properties. The Partition Properties window opens. Under Use a percentage of remaining free space, enter 95. (The deployment will fail if this value is left at 100, because Windows will not be able to create the write filter partition.) 
Two more settings need to be changed for thin clients that do not have enough disk space to store both the downloaded WIM and the extracted contents locally.
-Select Apply Operating System in the Task Sequence Editor and open the Options tab. Check "Access content directly from the distribution point".
-Right-click the reference image package in Operating System Images and open the Properties dialog. Configure the Package share settings on the Data Access tab. Check "Copy the content in this package to a package share on distribution points".
When deploy the task sequence (used for TC deployment) choose the following option:
-On the Distribution Points screen, set the deployment option to "Download content locally when needed by running task sequence" and check the option "When no local distribution point is available, use a remote distribution point".

The write filter status is disabled by default after the task sequence finishes successfully. Use the following settings in the deployment task sequence to configure and enable the write filter (Source: Nothing but ConfigMgr):
-Task Sequence Variable: SMSTSPostAction > Value: cmd /c shutdown /r /t 60 /f
-Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures

-Run PowerShell Script: Package: ELM Write Filter settings & Script name: TC-settings.ps1 & PowerShell execution policy: Bypass

Download links:
Download Windows Embedded 8 Standard
Drivers, Software & Firmware for HP t610 Flexible Thin Client
Managing HP Thin Clients with SCCM 2012 SP1 (PDF)
Deploying the ConfigMgr Client to WES Devices
ELM Technical Reference (WES8)

11 comments:

  1. Hey Henk,

    Nice article.

    Can you tell me how you implemented the use of Windows Updates on your Thin Clients? I'm doing a WES7 implementation at the moment.

    With kind regards,
    Hayo Veenstra

    ReplyDelete
    Replies
    1. Hayo,

      Thanks! I didn't make use of Windows Updates on this one. But SCCM is write filter aware, so it must be possible.

      Regards, Henk

      Delete
  2. Hi Henk,

    I'm right in the middle of doing this at the moment. I'm deploying Win 8.1 Embedded Industry Enterprise to a bunch of Wyse Terminals.

    Firstly, my thanks to you. This is a great article you've written, and it, and several others on your blog, have already pointed me in the right direction a number of times.

    I've taken the "build customised master, capture image with USB media, deploy via PXE Multicast" approach. This has gone very well so far, but my last hurdle: the deployed image still runs through the interactive setup after booting.

    I've used sysprep in the past (distant past, for XP), and I understand what I need to do in terms of creating and packaging an unattend.xml to include in the SCCM task sequence.

    Where I'm getting lost is the completely bewildering array of options, packages, etc. that you're presented with when you start creating an answer file from scratch in WISM. I've already configured everything in the master image exactly the way I want it, all I really need sysprep for is to ensure the UWF gets enabled properly - I originally tried deploying an un-sysprepped WIM image directly (with a run-once script to change the computer name utilising OSDComputerName in the task sequence), but I then discovered that UWF expects to find the GUID of the disk it's first enabled on, so even if you completely disable it and remove all the protected volume entries with uwfmgr before imaging, it still fails to re-activate properly for deployed images (it says it's active, but writes are still getting committed to flash). There doesn't seem to be a "complete re-initialise" option to speak of for UWF, so sysprep it is then...

    A great deal of web surfing has yet to reveal a "complete newie's guide to modern Sysprep options" that I can consult to find out what I need to know about unattended installations in Win7/8 - nearly all of the stuff I've found online pertains to full domain-member workstation installs, custom driver installation, etc. which uses a great deal more of the options than I require, I'm just looking for the bare minimum required to boot a ready-to-go sysprepped image without user interaction.

    So, my question is, do you know of any good resources out there that will help me wrap my head around SysPrep? I try not to rely on spoon-fed answers whenever possible, since I'm going to be supporting this environment for a number of years, so I want to have as much depth of knowledge as I can about how and why things are built the way they are.

    Also, as you stated in your article, thin-client OSD to flash is not exactly the fastest process, so every time I test this it takes a couple of hours, and I don't really have the time available to experiment with the answer file and get it sorted out by trial and error...

    ReplyDelete
  3. Nevermind, I finally stumbled across the OOBE settings after going through the WSIM interactive help content section by section. It's amazing that not a single one of the articles, youtube videos, etc. I checked had anything along the lines of this simple statement:

    "If you want your unattend.xml to skip all of the interactive setup on first-boot, just set all the OOBE options in Microsoft-Windows-Shell-Setup to False"

    Reading that somewhere would've saved me a great many hours of mucking about...

    ReplyDelete
    Replies
    1. Hi Ben, sorry fo late reaction, but that's because of all SPAM which is send to my blog address. Therefore I'm checking mails not all the time. Great that you find a way yourself to skip interactive setup by using the unattend.xml file. It's true that deploying WIM images on flash takes a very long time, no fun in deployment there.

      Did you check my other blogpost on WES8 also, which is http://henkhoogendoorn.blogspot.nl/2014/06/wes8-deployment-with-configmgr-2012-sp1.html > for it seems Microsoft changed something in WES8 and ADK so deployment of OEM versions is no longer supported. Therefore deployment quits after the "Setup Windows and ConfigMgr step".

      Later this month I will investigate the issue again and hope to find a way to pass this step during deployment. Otherwise you must still do things manually, which can be included in a task sequence normally. At the moment there are multiple companies which are stuck in deployment because of this change. Do you recognize it?

      Hope to hear from you again and thanks for mentioning.

      Delete
  4. Hi,
    Thanks for this great post. Only thing I'm missing is the TC-settings.ps1 script. Would be great if you can post it. Can't find a good description on how to activate the write-filter during OSD and how to configure it.

    ReplyDelete
    Replies
    1. Hi, trick is you must create it yourself. Just use "Export to PowerShell" for that. (see blogpost)

      Delete
  5. Dear Henk,

    I've created a capture media with sccm 2012 R2 and try to make a capture of a HP Thin Client T520.I've disabled UWF but I get the following errors

    Failed to get unique id (0x800700EA)
    Failed to convert Z: to unique volume id. Code : 0x800700ea
    Failed to convert protected paths to unqiue ID. Error code 0x800700ea
    Failed to reboot the system. Error 0x(800700ea)
    Failed to initialize a system reboot.

    Fatal error is returned in check for reboot request of the action (Prepare Operating System).
    More data is available. (Error: 800700EA; Source: Windows)

    regards

    Geert

    ReplyDelete
    Replies
    1. Did you disable SecureBoot on the thin client? As far as I know this must be done before capturing.

      Hope it helps!

      Delete
  6. Hi, I know is an old post, but we have a T620 with WES8, every time we capture it and we deploy it using WDS we are unable to manage the writer filter, we can only enable it and it will stay like that all the time the other commands do not work, we also have the T610 and they work fine using this way of capturing and deploying. Is there anything we might be missing?

    Thanks!

    ReplyDelete
  7. I forgot to mention we also disable UWF before sysprep.

    ReplyDelete