Windows Intune Wave D Jump Start Available For Download

Just a heads up that the recordings from a few weeks back are now posted to the Microsoft Virtual Academy.

Topics include:

(01) Big Picture with Windows Intune
(02) Architecture Design Considerations
(03) Extending your Identity to Windows Azure Active Directory
(04) Intune Administrator Roles, Users, and Groups
(05) Intune Policies
(06) Intune PC Setup and Enrollment
(07) Intune Mobile Device Management (MDM) Setup and Enrollment
(08) Intune Software Deployment
(09) Setting up Unified Infrastructure with Intune and SCCM
(10) Configuring Unified Infrastructure with Intune and SCCM
(11) Unified MDM setup and enrollment
(12) Unified MDM software deployment

Windows Intune Breaking News…

Some big announcements earlier today on the Microsoft Server And Cloud Blog, pasted below. One of the changes anticipated when Windows Intune moved into the Server & Tools business alongside System Center, the unbundling of Windows Enterprise Upgrades from Intune subscriptions, will open up Windows Intune to a new base of customers, and the integration with System Center helps to position Windows Intune firmly as Microsoft’s solution for mobile device management, including Windows Phone 8 and Windows RT devices.

Obviously there is much more to be announced, but it’s great to see the Intune team discussing new capabilities prior to them being rolled out in beta or production.

Let the cut and pasting begin…

Interoperability of Windows Intune and System Center Configuration Manager Console

The proliferation of mobile devices presents unique challenges for organizations of all sizes.  These devices run various operating systems.  With the concept of Bring Your Own Device (BYOD), they’re likely to be owned and controlled by the individual and cannot be “managed” like a typical corporate-controlled PC.  They’re also typically not on the corporate network but instead utilize the Internet for connectivity, even to access corporate data.  These challenges require flexibility in the way corporate policies are defined, such as determining which policies can and should be applied to which devices, and how those devices should be managed.

Microsoft offers two separate endpoint management solutions – System Center 2012 Configuration Manager for on-premises management, and Windows Intune for management through the cloud.

With System Center 2012 Configuration Manager Service Pack 1 and the next version of Windows Intune, Microsoft is taking the first step in delivering interoperability between these products through Configuration Manager’s administration console.

This will enable customers to add mobile devices managed through the cloud with Windows Intune into their System Center 2012 Configuration Manager Service Pack 1 console and manage all the devices through one tool.

While you can continue to use Windows Intune as your “fully in the cloud” management solution for PC and mobile device management, the interoperability of our on-premises and cloud services is a big step forward for organizations that want to manage all of their devices from one place.

Management of Windows RT devices and Windows Phone 8

If you already have System Center 2012 Configuration Manager, SP1 and the next version of Windows Intune will enable you to extend the reach of your management infrastructure to include mobile devices via the cloud.

Windows Phone 8 and Windows RT devices will be managed by the next release of Windows Intune.

IT Pros will have the flexibility of using either the Windows Intune or Configuration Manager 2012 SP1 console to set mobile security policies, distribute mobile apps and view reports.  We’ll share more details as we get closer to the next release of Windows Intune.

Windows Intune Licensing Changes

To help organizations benefit from our Windows Intune and Configuration Manager SP1 solution for BYOD and other device management scenarios, we are changing our licensing for Windows Intune in the next release:

  • We are shifting from a per-device to a per-user licensing model.  Each user license for Windows Intune covers up to 5 managed devices.
  • There will be a Windows Intune user license that includes the rights to System Center 2012 Configuration Manager, enabling organizations to manage those devices through either Windows Intune or Configuration Manager, or both.
  • Organizations that already own System Center 2012 Configuration Manager licenses, such as through the Core CAL, will have access to Windows Intune at a reduced price.
  • Today, all managed PCs covered by a Windows Intune license may be upgraded to Windows Enterprise as long as the qualifying OS is one of the following editions of Windows: Business, Professional, Ultimate, or Enterprise.  This will continue to be available, but we will also make a version of Windows Intune available without rights to Windows Enterprise, thereby lowering the cost for organizations that are not ready to move to the latest operating system.

Further details on pricing will be provided at a later date.

Bandwidth Savings With The Peer Distribution Service

One of the many new features introduced with the Windows Intune June 2012 release was the enablement of Peer Distribution of BITS content. While this is something that is usually thought of as being enabled by the combination of Active Directory, Group Policy and BranchCache, Windows Intune is delivering this capability without any real infrastructure requirements, apart from having multiple client PCs with the same OS and app requirements on the same subnet.

Enabling Peer Distribution

You need to make sure that the appropriate firewall options are set via the Windows Intune console before you begin. In the following image, you will see the final option, BITS Peercaching, which is the important option to enable for the appropriate network types. In this case, I’ve allowed it on Public networks only because the test virtual network environment is completely isolated from other traffic; in a real world scenario you wouldn’t enable this option.

Firewall Policy

Now that it’s set, make sure you apply the policy as needed, and refresh the policies on the required machines to make sure they get the setting sooner rather than later.

How To Tell If Peer Distribution Is Working

There are several ways. The first is watching your internet traffic usage as new clients come online and download updates; if there are other active devices on the network, this could be hard to judge. In my isolated TMG Windows Intune test network I can monitor incoming and outgoing traffic on the appropriate NICs quite easily, and generally speaking, if I see lots of traffic, I know it’s not working. If I see hardly any traffic, yet the clients are pulling down several hundred megabytes of updates, I know that things are working well.

Secondly, you can monitor how quickly the updates are being delivered to the client when you manually check. If the incoming traffic is faster than your connection allows, that’s a pretty good sign that it’s working. This isn’t the easiest one in the world to judge if you have a fast connection, and the results could be interpreted either way.

That leaves the third option, which gives a much more definitive answer, and without resorting to any command line utilities or advanced network tools. All you need is the Network tab within Resource Monitor in Windows 7, and you’re set.

Peerdist Resource Monitor

Looking carefully at this image, you can see that PeerDist is retrieving the content from the other machines on the network. By pulling from multiple machines at once, your client will receive the updates as quickly as possible, and without placing a huge load on each of the other PCs. All up this machine needed over 350MB of updates, which were easily delivered by other PCs on the network. Faster downloads and installations, and leaving your internet connection less utilised is an all around winner in anyone’s books.

In case you’re wondering, the 350MB of updates are all of the post Windows 7 SP1 updates, along with all of the .Net Framework updates, and other recommended updates – not just security or critical updates.
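A way to confirm the firewall side of that setting on a Windows 7 client without clicking through the console, as an added example that is not part of the original post: this PowerShell script lists the inbox BITS Peercaching firewall rules through the HNetCfg.FwPolicy2 COM interface, reports which profiles each rule is enabled on, and warns when the Public profile is included, which is the lab-only choice described above. It assumes the rule display names contain "BITS Peercaching" and that the BranchCache service is registered as PeerDistSvc.

```powershell
# Added example (not from the original post): audit the inbox "BITS Peercaching"
# firewall rules on a Windows 7 client after the Intune firewall policy has refreshed.
# Assumes the inbox rule display names contain "BITS Peercaching"; adjust the filter
# if your client runs a localised Windows build.

$NET_FW_PROFILE2_DOMAIN  = 1   # INetFwRule.Profiles bit values
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Get-ProfileNames([int]$mask) {
    $names = @()
    if ($mask -band $NET_FW_PROFILE2_DOMAIN)  { $names += 'Domain' }
    if ($mask -band $NET_FW_PROFILE2_PRIVATE) { $names += 'Private' }
    if ($mask -band $NET_FW_PROFILE2_PUBLIC)  { $names += 'Public' }
    if ($names.Count -eq 0) { 'None' } else { $names -join ',' }
}

# The firewall policy object exposes every rule, including the inbox BITS ones.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$rules  = @($policy.Rules | Where-Object { $_.Name -like '*BITS Peercaching*' })

if ($rules.Count -eq 0) {
    Write-Warning 'No BITS Peercaching firewall rules found; the Intune firewall policy may not have applied yet.'
    return
}

$exposed = @()
foreach ($rule in $rules) {
    $dir      = if ($rule.Direction -eq 1) { 'In' } else { 'Out' }   # NET_FW_RULE_DIR_IN = 1
    $profiles = Get-ProfileNames $rule.Profiles
    '{0,-40} {1,-3} Enabled={2,-5} Profiles={3}' -f $rule.Name, $dir, $rule.Enabled, $profiles
    # Enabled on Public is the isolated-lab-only setting the post warns against.
    if ($rule.Enabled -and ($rule.Profiles -band $NET_FW_PROFILE2_PUBLIC)) { $exposed += $rule.Name }
}

if ($exposed.Count -gt 0) {
    Write-Warning ('Peer caching is allowed on the Public profile for: ' + ($exposed -join '; ') +
                   '. Outside an isolated lab, restrict these rules to Domain/Private.')
}

# On Windows 7 the BITS peer cache rides on the BranchCache service (PeerDistSvc);
# if it is not running, Resource Monitor will never show PeerDist traffic.
$svc = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue
if ($svc) { 'BranchCache service (PeerDistSvc) status: {0}' -f $svc.Status }
else      { Write-Warning 'PeerDistSvc not present; peer distribution needs Windows 7 Professional or higher.' }
```

Run it in an elevated PowerShell session on a client that has received the policy; the table it prints should match the Firewall Policy settings chosen in the Intune console.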

Getting The Most Out Of Peer Distribution

What makes for a good Peer Distribution environment? Firstly, the other machine or machines on the network with the content that you want need to be powered on. If you are in an environment where people tend to have all of their PCs turned on at the same time as your PC, you should see a benefit. Next, you need other PCs to be running the same OS as yours to benefit from PeerDist with Windows Updates that you approve through Windows Intune.

A network with one Windows XP 32 bit PC, one Windows XP 64 bit PC, one Windows Vista 32 bit PC, one Windows Vista 64 bit PC, one Windows 7 32 bit PC and one Windows 7 64 bit PC is not going to save you a huge amount of bandwidth on Patch Tuesday. All is not lost though, as you will find that some updates, such as .Net Framework and others, apply across multiple versions of operating systems, so there will still be some net benefit.

This scenario highlights that having a Standard Operating Environment, or at least minimising the number of client operating systems installed, is going to make this process more effective. In a Windows 7 environment, you only need Windows 7 Pro or higher installed for this feature to be enabled, so you don’t even have to roll out your Windows 7 Enterprise (or soon Windows 8 Enterprise!) upgrades in order to deliver this service.

You will always need to bring down each update at least once (twice or more if the machines hosting that update are unavailable when other machines require them), but the potential for bandwidth savings here is huge. As we move to a world where we are consuming more and more cloud services, any bandwidth savings we can make are a step in the right direction!

Now that you’ve got an understanding of the benefits, next up will be a review of two methods of distributing the Office 2013 beta, and whether PeerDist delivers…

TechEd North America Day 3 Summary

No keynote today, but still some great content.

First up was Windows Intune in the Enterprise, which touched on some of the new capabilities that were included with Monday’s release, including Active Directory integration and Mobile Device Management.

Next up was the upcoming MDOP UE-V session, which included some great demos of user settings following a user across a local application, a remote app session and App-V. For users who have to work across mixed environments like this there will be many benefits over and above what roaming profiles have offered in the past, especially in terms of performance.

After lunch was the Windows 8 Demo session. One of the messages that was repeated from yesterday’s keynote was around still being able to do all the things you need from desktop, which I interpreted as saying “let go of the Start Menu, people! It’s gone!”. The demos started a little too similar to the keynote session for my liking, but then they really picked up and I was able to learn some nice tips and tricks which will make life with Windows 8 much easier. I’ve got the latest build installed on my Iconia W500, and now have new things to try.

Enabling Disaster Recovery With Hyper-V Replicas was the next session, and it was great to see what will be included in the box with the next version of Windows Server and Hyper-V Server: very simple, wizard driven, cross site replication capabilities. Having an off premise replica is really something that will be within the reach of customers of all sizes. This really has the potential to change the DR landscape in a very positive way.

The final session of the day was Windows 8 Image Validation with the ADK, which gave some great insight into the new performance troubleshooting tools. Any of you who worked with the Velocity tools in the early days will remember how bad an experience it was, but the ADK really does do a much better job. Highly recommended for investigation if you are building corporate images, building OEM images, or even testing your own personal builds to see just what components are misbehaving.

Tomorrow I’ll be attending some SMB sessions (both Small & Medium Business and Server Message Block), along with more Windows Intune sessions and Windows 8 sessions. Then it’s time to figure out some travel plans…

Session Summary – Desktop to Cloud Office 365 and Windows Intune deployment session

While the session focused on the larger issue of IT folk capitalising on their existing skill sets to streamline cloud deployments, the technologies at the heart of the discussion were Windows Intune as the application and update delivery platform, and the Office 365 Professional Plus installable components as the bits being delivered.

The new Windows Intune user portal was highlighted for application deployment, with a real time download and installation kick off of Office Pro Plus which only took a few sessions due to the caching infrastructure I tend to promote during deployments.

Special thanks to those who attended, the room was at capacity, and there were plenty of great questions asked, many of them focused on some of the alternative solutions for getting PCs up to date with a minimum of fuss. Just to reiterate, the reasons why I like the Intune and TMG caching combination are as follows…

  • Not limited to the updates that Microsoft pushes via WU/MU/WSUS and derivative solutions, which means that additional MS hotfixes can be deployed easily.
  • Other applications can be installed, such as Office Pro Plus, the Office 365 sign in assistant, and Lync.
  • A single tool can be used for initial reporting of application inventory and required updates, and that tool is then used to deploy the required software, and provide ongoing reporting of what is currently running
  • I am biased

Once again, for those of you who attended, I extend my sincere thanks, it was great to be back out in front of an audience after a six month absence.

Using Windows Intune to stimulate Windows 7 upgrades

For all the praise that Windows 7 has received since its release, there’s still a great deal of Windows XP out there. You see it on people’s laptops in cafes and on planes, you see it in kiosks, you may have it in your own environment or see it when you visit your customers.

The benefit for partners

One of the big benefits of Windows Intune for the Microsoft partner community is that they can target many of their non-Software Assurance (SA) customers to the latest version of Windows on the desktop, which otherwise may not have been a regular topic of conversation. For those of you who have been in the IT game for a while, you probably remember that back in the pre-Windows XP days, desktop upgrades, especially for the SMB market, were something that was more regularly done. Not necessarily in the same timeframes as Microsoft’s much more aggressive release cycles back then, but more regularly than today.

Most SMB customers don’t have SA on their desktops, which means retail upgrades are usually the option that needs to be investigated when new versions of Windows are required for upgrade scenarios, but for many of these customers the Enterprise upgrade within the Windows Intune subscription provides a good alternative.

What happened?

Two main things went wrong. Firstly the long delay between the release of Windows XP and the release of Windows Vista. Users got extremely comfortable with the Windows XP interface, and the technical teams that deployed and supported new versions of the OS got extremely adept at using the Windows XP deployment and management tools. Microsoft allowed XP and its ecosystem to become the status quo.

The second piece of the problem was Windows Vista itself. The initial release, along with the drivers that were available at launch time, left a great deal to be desired. Over time though, Windows Vista’s performance did get better, especially in the time leading up to and including the release of the first service pack. Microsoft’s anemic hardware requirements and recommendations also hurt that initial release, and some machines that were shipped as Vista capable were far from it.

By the time these performance issues were addressed, it was too late for Vista to succeed, no matter how Microsoft marketed it. IT departments breathed a sigh of relief as it bought them a few more years of being comfortable with their existing environment, and users were happy as they didn’t have to migrate and learn anything new.

During this time I was working a great deal with Microsoft’s OEM partners on the Vista OPK (the OEM version of the WAIK), and faced similar challenges here too. The resistance to moving across to new tools and deployment methods impacted their production images which they had been perfecting for years. Changes to unattended setup and a different approach to imaging and testing were just some of the issues OEMs had to overcome.

What was the impact?

For those who watched the Vista experience without getting involved, they missed some major updates to the support and deployment tools, so by the time Windows 7 was on their radar, they really had a great deal of learning to do. For those who had deployed or at least tested Vista in a limited scope, the learning curve was smaller.

This again meant that some who felt alienated by the changes on the administration and deployment side clung to their XP world, while others rejoiced that they could finally see a valid replacement for the aging OS. The good thing for both groups though was that tools like the MDT and its forerunners got easier and more powerful, so new deployments continued to get easier.

Why isn’t everyone on Windows 7 already?

The list here is long and varied depending on who you talk to, but it may be as simple as time and money for some. For others it could be application compatibility issues that they fear. Others just may not care, happy to let their Windows XP environments run themselves into the ground before investigating alternatives.

Obviously you don’t want to have to work with those in the last category, as it means a rushed deployment of a new environment that is going to be an absolute headache for all involved. Planning an upgrade, or in this case what I prefer to see as a migration, from XP to Windows 7 takes time and testing if it is to be a smooth process. Software and hardware compatibility testing, user training and more should all be part of the larger test plan.

What’s the solution?

Well, Windows Intune isn’t the answer for everyone looking to get Windows 7 licenses. If someone already has a management solution and anti malware software in place that they are happy with, they should perhaps look at some of Microsoft’s licensing programs to see what best suits their needs.

For those keen on Windows 7 now and needing the additional cloud services that Windows Intune provides, it should definitely be investigated. For those keen on Windows 7 upgrades, but getting distracted by all of the Windows 8 activity, Windows Intune is still a great option because the upgrade to Windows 8 is something that Intune subscribers will be able to take advantage of. Sure, it may not be an automated deployment through the cloud onto their desktop, but not too far into the Windows 8 release cycle I’m pretty sure this is going to be one of the options on offer, just make sure to bring your own Internet connection.

Just how effective is TMG as a caching solution for Windows Intune and Office 365?

As highlighted in previous posts, I’ve been following the advice of the Windows Intune team on setting up a caching solution, in this case ForeFront Threat Management Gateway as a means to accelerate the Windows Intune and Office 365 deployments.

What I’ve found is that the initial Windows Intune installation components that are installed don’t benefit greatly from the caching in my setup. It seems to be hovering around 50MB for a Windows 7 Enterprise system that has been completely patched prior to the Windows Intune installation, but MS suggest it could be up to 120MB. The attraction is just how effectively it caches Windows Update and Microsoft Update downloads, as well as the packages that are being distributed via the Windows Intune online software distribution.

The simplest way to put it is that it works incredibly effectively in aiding the patching of multiple systems. Of course the more varied your Windows versions and service packs are, the more of a chance that there are some items that will be a one off download and hence not really benefitting, but overall you will still see some bandwidth savings.

Here are some numbers for those of you who like numbers. This is data I obtained from patching a bunch of Windows 7 Ultimate and Windows 7 Enterprise machines with varying degrees of updates installed. Note that a few new machines had already been using the cache at this point, so it had a head start.

Installing Windows Intune and allowing it to install all available updates on an RTM version of Windows 7 Ultimate would require roughly 1.5GB of data to the client, but only generated 165-205MB of Internet traffic. Windows 7 Ultimate and Enterprise with integrated SP1 generated 250MB of client traffic, but only 50MB of that came from the Internet, and that 50MB was the Windows Intune client downloads at the start of the upgrade process.

For a handful of machines these numbers are very impressive, but hopefully you aren’t encountering too many PCs out there that haven’t been updated since they were switched on. The other element in play here is that these are just the numbers for Windows Updates, I hadn’t gotten around to installing Office 365 Pro Plus yet, which was one of the requirements for these machines.

I downloaded the 32 bit Office Pro Plus installer from the Office 365 portal, extracted the files out into their folder structure, and then downloaded and extracted Office 2010 SP1 into the Updates folder, and created a package that was just under 1GB in size. After the lengthy compress and upload process in the Windows Intune console I realised that this really wasn’t the best approach, so I removed the updates and created the new package. I will discuss the reasoning behind this in my next post. The Lync client was repackaged and uploaded into the online storage space, a much faster process due to the smaller file size.

Then it was time to ensure that all of the required, applicable updates were made available through Windows Intune. The ones that aren’t currently available through Windows Intune are as follows.

  • Microsoft Online Services Sign-In Assistant – Needs to be downloaded separately
  • KB2597011 – Hotfix not currently available via Windows Intune Updates, needs to be repacked and uploaded as managed software
  • KB2523130 – Hotfix not currently available via Windows Intune Updates, needs to be repacked and uploaded as managed software - EDIT - This update is included in Office 2010 SP1, so it isn’t required here
  • KB2597051 – Hotfix not currently available via Windows Intune Updates, needs to be repacked and uploaded as managed software

At this point the question becomes should we package them all up as one software package for Windows Intune to distribute, or should we upload them individually? I will go with individual, for reasons that I will outline in the next post. The Microsoft Online Services Sign-In Assistant is an MSI file, so we don’t need command line options for Windows Intune, while the other three, being hotfixes, all need the /quiet switch added before uploading. At this stage the Windows Intune Managed Software screen looks like this.

Software Updates

There are a couple of things that require further explanation at this point. The number of packages available has been minimised due to all of the clients being Windows 7 64 bit with Office 2010 32 bit installed. If I was deploying a 32 bit client OS, I would need the 32 bit Sign In Assistant as well as the 32 bit Lync client. If they were running the 64 bit version of Office 2010 they would need the 64 bit hotfixes deployed. This is just a small example of where implementing a standard desktop OS and application suite really does start reducing overhead, even in a simple manner if being compared to a full SOE.

Now that everything is prepared, it’s time to deploy the software to the appropriate computer groups, and for the first round of testing I just deployed it to a group with a single machine to ensure that all went smoothly. As you could imagine, the first time all of that software, plus the additional Windows and Office updates it triggered under my existing update approvals, was downloaded, the process did take time, but then thanks to the caching, the subsequent installs onto additional PCs as I increased the deployment scope had all of the updates delivered via the TMG cache, so the bandwidth savings were astronomical. There were a few teething issues with the hotfixes that I am still troubleshooting, but otherwise it’s been clear sailing.

Finally, going back to answer the question asked in the post name, just how effective is ForeFront TMG for caching Windows Intune? For approved updates and software distribution, the answer is outstanding. Having all of the patches and updates delivered out of the cache really does change how you can approach deployment moving forward. The initial deployment of the Windows Intune client pieces doesn’t really benefit, but the chances are that there are going to be some accompanying updates that will make that a non-issue for most people.

What does the Windows 8 CTP Mean For Windows Intune Today and Tomorrow?

Thus far the Windows Intune client won’t install on Windows 8, but that’s expected for something at this early stage of pre-release. The big benefit at this point in time is the eligibility to move to Windows 8 Enterprise, or whatever the similarly capable version will be called with Windows 8. It’s not a safe assumption that there will be a 1:1 version mapping; below I give a couple of reasons why.

ARM Tablets are one of the obvious areas that the Windows Intune team will need to develop for, considering the strong push into enterprise that these tablets will have alongside the traditional Windows PCs. Now, at this stage of the game I’m not 100% convinced of the real viability of ARM based Windows Tablets, the reason being that the thing that frustrates me with existing tablet solutions in the marketplace is that they don’t run all the Windows apps I want to run, and I still need my laptop. Over time my dependence on these PC only applications may be reduced, but it is going to take a while. During that period Intel and AMD aren’t going to be sitting on their hands, they will no doubt be chasing the power consumption numbers that ARM based systems tout. If someone from the Windows Intune team is looking for a tester to see if this is a real scenario, I’m more than happy to put my hand up for the task.

With Windows versions, some choice is good, but too much choice isn’t necessarily good, and can be quite detrimental. While Microsoft has been attempting to simplify its Windows lineup, Windows 7 leaves a lot to be desired, and Windows Intune is a great example where there is some confusion and some inconsistencies. While Windows 7 Enterprise and Windows 7 Ultimate provide the same functionality, the primary differences are how they are sold/licensed, retail and OEM for Ultimate versus volume license for Enterprise, and they have different approaches to activation.

Where the pain comes in is that Enterprise needs to be a clean installation, whereas Ultimate can do an in place upgrade of lower end versions of Windows 7, as well as Windows Vista clients. In a well managed corporate environment, the upgrade discussion doesn’t usually happen, instead a pristine image, tweaked and tested, is deployed out to users when the time for a new OS rolls around. User data in these environments should be redirected, so the dependency on the physical machine and the OS are minimized.

But what about the SMB customer who doesn’t have the necessary infrastructure, and doesn’t necessarily want to invest in the data migration during the upgrade process, instead they just want to do a good old in place upgrade? Ultimate allows this with ease, but Enterprise isn’t in the running. To add insult to injury, many of the smaller customers out there may not have been domain joined, and not had a need for Professional or higher, so are in fact not eligible for the Windows 7 Enterprise Upgrade. To take advantage of these upgrade rights they need to purchase Windows 7 Professional upgrades in retail or via Windows Anytime Upgrade. I wouldn’t like to be the person who had to explain this to the customer who thought they were all set to move across to Windows 7 Enterprise.

Hopefully Windows 8 sees a further reduction in the SKU lineup. There is much speculation on this at the moment, and I’m sure there are groups within Microsoft and within OEMs who have these details, but the rest of us must wait. For OEMs, the more SKUs Microsoft makes available, the more decisions they need to make in terms of matching the Windows version to the PC model, and that’s quite a large matrix when you look at the hardware lineup of major OEMs.

The flip side of this is what Apple do: one OS version, across a limited range of hardware choices. While some may scoff at the lack of choices that Apple offers compared to HP, Dell, Acer etc., the economies of scale really favor the Apple approach. Suppliers can ramp up production, warehousing and shipping are simplified, resellers can reduce stock on hand, and the right stock is more likely to be available in a short transit time. Sometimes it seems like the other OEMs are deliberately limiting their profitability, while Apple continues to make a very healthy margin.

One or two Windows options for OEMs would be a great start, preferably one, then using the Windows Marketplace, Windows Intune, Software Assurance, or even retail media to allow upgrades to a limited range of premium SKUs. This approach would make Windows Intune and desktop Software Assurance much more attractive to customers that have traditionally avoided SA on the desktop, as they would be seeing immediate value with a much more feature rich, business targeted upgrade to Windows. This would be a step in the right direction, but I think it could be just a bit too drastic.

The other issue that we currently see with the SKU lineup that impacts Windows Intune’s Windows 7 Enterprise upgrade rights is that customers on Windows 7 Professional don’t necessarily see the value in a new OS deployment so they can get BitLocker, BranchCache, DirectAccess and Enterprise Search. If this is an SMB customer relying heavily on other cloud services, some of these capabilities just aren’t appealing or even terribly useful, and at this stage, SMB customers really are the best targets for Windows Intune. Consolidating the Professional and Enterprise/Ultimate versions would make this value clearer when adopted alongside a single version of Windows that is the default in the market.

Microsoft Deployment Toolkit 2012 RC1 Now Available

I’ve mentioned before that I’m a big fan of MDT, and using whatever tools possible to help with the automation and customisation of OS images, so was pleased to get this information today. SCCM 2012 and Windows 8 support are the two things that should get most people excited, and by most people, I mean a subset of most people, who like technology that helps deploy operating systems.

Reliable and Flexible OS Deployment: now with support for System Center Configuration Manager 2012 RC2

The Solution Accelerators team is pleased to announce Microsoft Deployment Toolkit (MDT) 2012 RC1 is available for download on Connect now.

Download the MDT 2012 RC1 release now

New features and enhancements make large-scale desktop and server deployments smoother than ever!

Support for Configuration Manager 2012 RC2: This update provides support for Configuration Manager 2012 RC2 releases. MDT 2012 fully leverages the capabilities provided by Configuration Manager 2012 for OS deployment. The latest version of MDT offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and 2012. Users now also have the ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012.

Customize deployment questions: For System Center Configuration Manager customers, MDT 2012 provides an improved, extensible wizard and designer for customizing deployment questions.

Ease Lite Touch installation: The Microsoft Diagnostics and Recovery Toolkit (DaRT) is now integrated with Lite Touch Installation, providing remote control and diagnostics. New monitoring capabilities are available to check on the status of currently running deployments. LTI now has an improved deployment wizard user experience. Enhanced partitioning support ensures that deployments work regardless of the current structure.

Secure Deployments: MDT 2012 offers integration with the Microsoft Security Compliance Manager (SCM) tool to ensure a secure Windows deployment from the start.

Reliability and flexibility: Existing MDT users will find more reliability and flexibility with the many small enhancements and bug fixes and a smooth and simple upgrade process.

Support for Windows 8: The RC1 release of MDT 2012 provides support for deploying Windows 8 Consumer Preview in a lab environment.

Key Benefits:

  • Full use of the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
  • Improved Lite Touch user experience and functionality.
  • A smooth and simple upgrade process for all existing MDT users.

New Features:

For System Center Configuration Manager customers:

  • Support for Configuration Manager 2012 (while still supporting Configuration Manager 2007)
  • New User-Driven Installation components for Configuration Manager 2007 and Configuration Manager 2012
    • Extensible wizard and designer, additional integration with Configuration Manager to deliver a more customized OS experience, support for more imaging scenarios, and an enhanced end-user deployment experience
  • Ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012

For Lite Touch Installation:

  • Integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for remote control and diagnostics
  • New monitoring capabilities to see the progress of currently running deployments
  • Support for deploying Windows to computers using UEFI
  • Ability to deploy Windows 7 so that the computer will start from a new VHD file, “Deploy to VHD”
  • Improved deployment wizard user experience

For all customers:

  • Integration with configuration templates from the Security Compliance Manager Solution Accelerator, ensuring Windows is secure from the start
  • A simple mechanism for running Windows PowerShell scripts during a deployment, with task sequence environment and logging integration
  • Better partitioning support, creating the recommended partitioning structures on new computers and ensuring deployments work regardless of the current structure
  • A smooth and simple upgrade process for all existing MDT users
  • Many small enhancements and bug fixes

 

Tell us what you think! Test drive our release and send us your constructive feedback through the Connect site. We value your input; this is the perfect opportunity to be heard.

Tell your peers and customers about Solution Accelerators! Please forward this to anyone who wants to learn more about OS deployment with MDT, and Microsoft Solution Accelerators.

Already using the Microsoft Deployment Toolkit? We’d like to hear about your experiences.

MDT Team

Microsoft Solution Accelerators

Project TWIAD Part 3

Today’s post is a recap of some of the testing and scenarios I’ve been through. All of this is unscientific and not laboratory controlled, and it can be interpreted many ways; here is my take on it all. I’m not saying I understand exactly what I am seeing here, but I am open to suggestions.

I originally started all of my testing running Windows 7 VMs against a single-NIC, proxy/caching-only solution, but I noticed that there was a lot of traffic going outside of the proxy when I was using the Install approach for updating. If I was purely going through Windows Update, the results were as expected: exceptional caching of the Microsoft Update and Windows Update traffic, and incredibly high-speed downloads of the updates. The issue I was seeing was that I hadn’t configured the network to force activity outside of the logged-on user’s session to go via a proxy, and I could monitor this easily via Resource Monitor. Here’s a screenshot of what it should look like; note that all the connections are going through 8080, which I have forced via the following steps.

In order to isolate the network traffic further, I set the TMG VM as the gateway of a private network in Hyper-V, which in my case is 10.10.10.1. If the traffic didn’t go via TMG, it didn’t go anywhere. The IE proxy was set to match TMG, which in my case is 10.10.10.1:8080. All fairly simple and standard for many network configurations. However, because I hadn’t gone through the process of setting up the whole test environment to match a working environment with domain users, domain-joined PCs, etc., I had to follow another step, which was to run netsh to configure the machine-based proxy settings. This was required in order to avoid the “The software cannot be installed, 0x80cf402c.” installation error…

Running the netsh command is quite easy, but first I want to make sure there are no other proxy settings already in place.

Defining a machine based proxy is easy to do.
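The two steps above (check for an existing proxy, then define the machine-based one) and the Resource Monitor check from the previous paragraph, as an added PowerShell example that is not from the original post. It shows the WinHTTP proxy before and after setting it, then parses netstat output to list established connections whose remote end is not the proxy, which is the condition the screenshot was used to confirm. The TMG address 10.10.10.1:8080 is taken from the post; the bypass list and the function name are my own choices, and the script is written to work on Windows 7 / PowerShell 2.0.

```powershell
# Added example, not the original post's commands. Sets the machine-wide
# (WinHTTP) proxy so that services running outside the logged-on user's
# session, such as the Intune client and Windows Update, use the TMG cache
# just like the user's IE does, then checks that nothing is bypassing it.
# Run from an elevated prompt.

$ProxyServer = '10.10.10.1:8080'   # TMG internal address and port from the post
$BypassList  = '<local>'           # assumption: keep intranet hosts off the proxy

# 1. Check for any proxy already defined before changing anything.
Write-Host '--- current WinHTTP proxy ---'
netsh winhttp show proxy

# 2. Define the machine-based proxy. (To undo later: netsh winhttp reset proxy)
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$BypassList"
netsh winhttp show proxy

# 3. Parse 'netstat -ano' and return every ESTABLISHED TCP connection whose
#    remote end is not the proxy, with the owning process, so that traffic
#    leaking around the cache can be spotted without opening Resource Monitor.
#    netstat is used instead of Get-NetTCPConnection, which Windows 7 lacks.
function Get-NonProxyConnections {
    param(
        [string[]]$NetstatLines,     # output of: netstat -ano
        [string]$ProxyEndpoint       # e.g. 10.10.10.1:8080
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        if ($line -match '^\s*TCP\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
            $remote = $Matches[1]
            $procId = [int]$Matches[2]
            # Loopback (IPv4 or IPv6) is local IPC, not network traffic.
            if ($remote -match '^(127\.|\[::1\])') { continue }
            if ($remote -eq $ProxyEndpoint) { continue }
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.ProcessName }
            New-Object PSObject -Property @{
                Remote  = $remote
                PID     = $procId
                Process = $name
            }
        }
    }
}

$leaks = @(Get-NonProxyConnections -NetstatLines (netstat -ano) -ProxyEndpoint $ProxyServer)
if ($leaks.Count -eq 0) {
    Write-Host "All established connections are going via $ProxyServer."
} else {
    Write-Host 'Established connections NOT going via the proxy:'
    $leaks | Format-Table Process, PID, Remote -AutoSize
}
```

Run step 3 again after kicking off the Intune install and the update scan; with TMG as the only gateway, anything listed there is a process that was not honouring the proxy and would have failed rather than been cached.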

Kicking off the Intune install successfully now, and allowing it to update the latest signatures for Intune Endpoint Protection, my client VM NIC shows roughly 140MB of traffic, which matches the incremental traffic on the internally facing NIC on my TMG machine. So far so good. Only about 70MB is showing as moving through my ISP, which also includes traffic from some additional machines on the network, and the TMG external NIC is only showing 3MB of traffic.

It’s after this first round of the Intune installation, when I have 42 updates available for download and install, that some of the numbers don’t add up. Check the desktop screenshot below.

Apparently I received 42 updates, which are now installing, and they amounted to less than 5MB of network traffic. Whether this is due to the accuracy of traffic reporting within the VM or some other reason I do not know yet, but I would love to hear if you’ve seen the same or received an explanation. The external NIC on the TMG machine is showing less than 1MB of traffic, and the Hyper-V internal NIC is showing around 10MB. Again, at least from the internal NIC perspective, there is a bunch of traffic that just isn’t being reported. It’s not all bad though: this update, plus my other network traffic, has generated less than 70MB of traffic. This means that there is definitely caching taking place; it’s the reporting that’s the issue. My TMG cache hit ratio has moved up from 67% to 80% over the course of the afternoon’s testing, so it is at least reporting some of this activity.

The takeaways from all of this…
1. Simulating a real environment is going to give you better results when it comes to reproducing them outside of your sandbox.
2. Route all traffic via the caching option you go for. There are huge benefits to be had here, both from a bandwidth savings perspective for those of you who pay per MB, and from the perspective of the speed at which additional clients download the updates. The previous post had an image of a download coming down the wire at 111MB/s, which is close to the maximum download speed over Gigabit Ethernet. This is what you want.
3. Part of this exercise was reacquainting myself with the Microsoft proxy/firewall family, which I had successfully avoided for many years. While it has changed quite a bit, for the simple tasks I have it performing it has not been much of a roadblock or learning curve.
4. While I chose to start with a non-SP1 ISO of Windows 7 Ultimate as the base for my VM testing, you are going to save some time using the latest media with SP1 integrated, or manually adding SP1 during your build process. I just wanted the worst possible starting state for the machines, ensuring that my TMG cache was getting very well used.
5. The numbers don’t lie. The caching works. Big thanks to the Intune team for posting the script on their blog site.