Note |
---|
The information in this topic applies only to System Center 2012 Configuration Manager SP1. |
Note |
---|
This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. |
This scenario demonstrates how you can manage write-filter-enabled Windows Embedded devices by using System Center 2012 Configuration Manager SP1. If you have Configuration Manager with no service pack, Configuration Manager cannot automatically disable and re-enable the write filters and you must take additional steps to do this before and after you install software. If your embedded devices do not support write filters, they behave as standard Configuration Manager clients and you do not have to take the steps in this scenario that are required to manage write filters.
Coho Vineyard & Winery is opening a visitor center and is interested in kiosks that run Windows Embedded to run interactive presentations. The building for the new visitor center is not close to the IT department, so it is important that the kiosks can be managed remotely. In addition to installing the software that runs the interactive presentations, these devices must run up-to-date antimalware protection software to comply with the company security policies. To make sure that the interactive presentations are always available for visitors, the kiosks must run 7 days a week, with no downtime while the visitor center is open.
Coho Vineyard & Winery already runs Configuration Manager SP1 to manage devices on their network. Configuration Manager is configured to run Endpoint Protection, and install software updates and applications. However, because the IT team has not managed Windows Embedded devices before, Jane, the Configuration Manager administrator, runs a pilot to manage two kiosks that are in the company’s reception lobby. If the pilot is successful in remotely managing these devices, the purchase order for the visitor center kiosks can be approved.
To manage these Windows Embedded devices that are write-filter-enabled, Jane performs the following steps to install the Configuration Manager client, protect the client by using Endpoint Protection, and install the interactive presentation software.
Process | Reference | ||
---|---|---|---|
Jane reads how Windows Embedded devices uses write filters, and how Configuration Manager SP1 can make this easier by automatically disabling and then re-enabling the writer filters, to persist a software installation. |
The Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic |
||
Before she installs the Configuration Manager client, Jane creates a new query-based device collection for the Windows Embedded devices. Because the company uses standard naming formats to identify their computers, Jane can uniquely identify Windows Embedded devices by the first six letters of the computer name: WEMDVC. She uses the following WQL query to create this collection: select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%" This collection allows her to manage the Windows Embedded devices with different configuration options from the other devices. She will use this collection to control restarts, deploy Endpoint Protection with client settings, and deploy the interactive presentation application. |
|||
Jane configures the collection for a maintenance window to ensure that restarts that might be required for installing the presentation application and any upgrades do not occur during opening hours for the visitor center. Opening hours will be 09:00 through 18:00, Monday through Sunday. She configures the maintenance window for every day, 18:30 through 06:00. |
|||
Jane then configures a custom device client setting to install the Endpoint Protection client by selecting Yes for the following settings, and then deploys this custom client setting to the Windows Embedded device collection:
When the Configuration Manager client is installed, these settings install the Endpoint Protection client and ensure that it is persisted in the operating system as part of the installation, rather than written to the overlay only. The company security policies require that the antimalware software is always installed and Jane does not want to run the risk of the kiosks being unprotected for even a short period of time if they restart.
|
Step 5: Configure Custom Client Settings for Endpoint Protection in How to Configure Endpoint Protection in Configuration Manager |
||
With the configuration settings for the client now in place, Jane prepares to install the Configuration Manager clients. Before she can install the clients, she must manually disable the write filter on the Windows Embedded devices. She reads the OEM documentation that accompanies the kiosks and follows their instructions to disable the write filters. Jane renames the device so it uses the company standard naming format, and then installs the client manually by running CCMSetup with the following command from a mapped drive that holds the client source files: CCMSetup.exe /MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1 This command installs the client, assigns the client to the management point that has the intranet FQDN of mpserver.cohovineyardandwinery.com, and assigns the client to the primary site named CO1. Jane knows that it always takes a while for clients to install and send back their status to the site. So she waits before she confirms that the clients successfully install, assign to the site, and appear as clients in the collection that she created for Windows Embedded devices. As additional confirmation, on the Windows Embedded devices, she checks the properties of Configuration Manager in Control Panel and compares them to standard Windows computers that are managed by the site. For example, on the Components tab, the Hardware Inventory Agent displays Enabled, and on the Actions tab, there are 11 available actions, which include Application Deployment Evaluation Cycle and Discovery Data Collection Cycle. Confident that the clients are successfully installed, assigned, and receiving client policy from the management point, Jane then manually enables the write filters by following the instructions from the OEM. |
How to Install Clients on Windows-Based Computers in Configuration Manager |
||
Now that the Configuration Manager client is installed on the Windows Embedded devices, Jane confirms that she can manage them in the same way as she manages the standard Windows clients. For example, from the Configuration Manager console, she can remotely manage them by using remote control, initiate client policy for them, and view client properties and hardware inventory. Because these devices are joined to an Active Directory domain, she does not have to manually approve them as trusted clients and confirms from the Configuration Manager console that they are approved. |
|||
To install the interactive presentation software, Jane runs the Deploy Software Wizard and configures a required application. On the User Experience page of the wizard, in the Write filter handling for Windows Embedded devices section, she accepts the default option that selects Commit changes at deadline or during a maintenance window (requires restarts). Jane keeps this default option for write filters to ensure that the application persists after a restart, so that it is always available to the visitors using the kiosks. The daily maintenance window provides a safe period during which the restarts for installation and any updates can occur. Jane deploys the application to the Windows Embedded devices collection. |
|||
To configure definition updates for Endpoint Protection, Jane uses software updates and runs the Create Automatic Deployment Rule Wizard. She selects the Definition Updates template to prepopulate the wizard with settings that are appropriate for Endpoint Protection. These settings include the following on the User Experience page of the wizard:
Jane keeps these default settings. Together, these two options with this configuration allow any software update definitions for Endpoint Protection to be installed in the overlay during the day and not wait to be installed and committed during the maintenance window. This configuration best meets the company security policy for computers to run up-to-date antimalware protection.
Jane selects the Windows Embedded devices collection for the automatic deployment rule. |
Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in How to Configure Endpoint Protection in Configuration Manager |
||
Jane decides to configure a maintenance task that periodically commits all changes on the overlay. This task is to support the software update definitions deployment, to reduce the number of updates that accumulate and must be installed again, each time the device restarts. In her experience, this helps the antimalware programs run more efficiently.
Jane first creates a custom task sequence that has no settings other than the name. She runs the Create Task Sequence Wizard:
Jane then deploys this custom task sequence to the Windows Embedded devices collection, and configures the schedule to run every month. As part of the deployment settings, she selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. To configure this deployment, she selects the custom task sequence that she just created, and then on the Home tab, in the Deployment group, she clicks Deploy to start the Deploy Software Wizard:
|
|||
For the kiosks to run automatically, Jane writes a script to configure the devices for the following settings:
Jane uses packages and programs to deploy this script to the Windows Embedded devices collection. When she runs the Deploy Software Wizard, she again selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. |
|||
The following morning, Jane checks the Windows Embedded devices. She confirms the following:
|
Jane monitors the kiosks and reports the successful management of them to her manager. As a result, 20 kiosks are ordered for the visitor center.
To avoid the manual installation of the Configuration Manager client, which requires manually disabling and then enabling the write filters, Jane ensures that the order includes a customized image that already includes the installation and site assignment of the Configuration Manager SP1 client. In addition, the devices are named according to the company naming format.
The kiosks are delivered to the visitor center a week before it opens. During this time, the kiosks are connected to the network, all device management for them is automatic, and no local administrator is required. Jane confirms that the kiosks are functioning as required:
- The clients on the kiosks complete site
assignment and download the trusted root key from Active Directory
Domain Services.
- The clients on the kiosks are automatically
added to the Windows Embedded devices collection and configured
with the maintenance window.
- The Endpoint Protection client is installed
and has the latest software update definitions for antimalware
protection.
- The interactive presentation software is
installed and runs automatically, ready for visitors.
After this initial setup, any restarts that might be required for updates occur only when the visitor center is closed.