support for write filter enabled devices in configmgr 2012 sp1 why maintenance windows matter...

Managing Embedded Devices with Microsoft System Center 2012 SP1Hema Rajalakshmi

WCA-B326

AgendaSupport for write filter enabled devices in ConfigMgr 2012 SP1 Why Maintenance Windows MatterPersistence Other Improvements in SP1 and SP1+Questions and Feedback

GROWTH OF EMBEDDED DEVICES

PCs/SLATES PHONES EMBEDDED DEVICES

100’s MillionsIDC, Gartner

BillionsIDC, Consumer

Electronics Association

10’s BillionsVDC market reach, IDC

Updating the OEM embedded device/image

Write Filters are used to help maintain embedded devices

Embedded devices are widely varied vs. PCs/Servers

CHALLENGES MANAGING EMBEDDED DEVICES

Identifying Windows Embedded devices in ConfigMgr

Embedded devices OS are customized vs. the homogeneous OS in PCs/Servers

WINDOWS EMBEDDED DEVICE MANAGERWhat’s in the box?

Server installer Client installer

FunctionalityDevice Manager 2011

SP1 (For ConfigMgr 2007)

ConfigMgr 2012 SP1

Software Distribution

Software Updates

Compliance

Collections

Device Imaging

Legend

Full support

Partial support

Not available

What is supported in SP1?CM 2012 SP1 capabilities extended

Thin ClientsPOSDigital SignageKiosksThin PCs

Manage additional devicesAdditional software not required

Supported Embedded Operating Systems

Thin Clients

POS / Kiosk

Digital Signage

Repurposed PC

Windows XP

Embedded

Windows Embedde

d Standard

2009

Windows Embedde

dStandard

7

Windows XP

Embedded

Windows Embedde

d Standard

2009

Windows Embedde

dStandard

7

POS Ready 2009

POS Ready 7

Windows Embedde

d Standard

2009

Windows Embedde

dStandard

7

Windows Thin PC

System Center 2012 SP1 Embedded Management Capability OverviewOperating System Deployment

Software Update ManagementApplication Management

Settings/Configuration Management

Monitoring/Reporting

Uses Windows ADK

Endpoint Protection On-Premise- x86/64- Intel SoC

Cloud- Windows Phone- Windows RT

Single Pane of Glass

OS Servicing

Win32 / Windows 8

Baselines

Health/Compliance

Antimalware

Native Support for Key Embedded Scenarios in SP1Write filter orchestrationMaintenance windowsOpportunistic and forced persistenceSCEP client installationSCEP updatesNo additional software/license

Write Filters and Overlays

Why Maintenance Windows Matter

ASAP

Without a Maintenance Window

Get deployment noticeDownload contentReboot immediately to disable WFContent gone; re-downloadInstall contentReboot to enable WF

With a Maintenance Window

Get deployment noticeWaits for maintenance windowMaintenance window arrivesDisables WF; rebootsDownloads contentInstall contents; reboots

With Persistence

Translation: I want to commit this change ASAP, so do the write filter thing at the deadline, or, better yet, at the maintenance window

Without Persistence

Translation: Just put it in the overlay. When another deployment comes along with persistence, we’ll commit the change then.

What can be forced to persist?These have a forced persistence optionApplicationsPackages & programsSoftware UpdatesTask sequences

These are persisted opportunisticallyClient agent settingsSettings management (aka DCM set)Power management

One More Persistence Issue

? ! ? ! ?

First inventory dataDelta data

With File Based Write Filters

First inventory dataDelta data

Windows Embedded 8 - Write FiltersWindows Embedded 8 StandardWindows Embedded 8 Industry

Functionality UWF EWF FBWFFile/folder exclusions Yes No YesRegistry key exclusions Yes No* No*Sector-based filtering Yes Yes NoSupports HORM Yes No NoRAM-based overlay Yes Yes YesProviders for Windows Management Instrumentation (WMI) version 2 Yes No NoDisk-backed overlay Yes No NoCommit volume No Yes NoCommit file Yes No Yes

*You can use Registry Filter to make registry entries on volumes protected with EWF or FBWF persistent

Supported Write FiltersFile Based Write Filters (FBWF)Redirects all writes targeted for protected volumes to overlayFolder/file exclusions can be used

Enhanced Write Filters (EWF) RAMStores overlay information in RAMInformation on overlay discarded on reboot

Unified Write Filters (UWF)Sector-based write filter to protect storage mediaUse Hibernate Once/Resume Many (HORM) or file and registry filtering exclusionsServicing mode via the UWF WMI providerELM outside of Configuration Manager

Management Capabilities OverviewWindows Embedded 8 Standard with Write Filter enabled

Management Capability Write Filter Awareness Maintenance Windows + Policy

OS Deployment X

Software Update Management X

Application Management X

Setting Configuration Management   X

Monitoring / Reporting X X

Endpoint Protection X

Example – Software Update (with FBWF)Admin selects the updates to installAdmin selects the option to force persist the changesAdmin selects target devices and pushes updatesWrite filter orchestration happensUpdate applied

Example – Software Update (with UWF)Admin creates task sequenceAdmin selects task sequence and deploysDevices are updated

ELM to manage UWF deviceSnap-in to MMCELM detects the type(s) of write filter installedUses WMI to detect and change config settings

ImprovementsOperating System Deployment Improvements

“Apply operating system” “SMSTSPostAction”

Discovery ImprovementsWrite filter capable now identified in

Discovery Data Record

Client Side ImprovementsNon-admins cannot log on while device is being serviced

Software Center blocks installation if write filters are enabledUsers cannot change their business hoursUsers cannot postpone deployments to non-business hours

Write Filter considerationsSettings management not write filter awareManual write filter handlingOpportunistic persistence during maintenance window

Windows 8 applications registered during user loginFor fewer applications, re-registerAdmin to login to finalize app registration

Endpoint ProtectionSCEP installs will persist through the supported write filtersUpdates come frequently Write filter exceptions allow definition updates to persistCan be manually set or defined in a module

New setting for Endpoint Protection client installation

Best PracticesUse maintenance windowsMake sure your max run time fits inside the maintenance window

Plan for persistenceMake deployments “required” instead of “available”Use File Based Write FiltersConfigure these exceptions to persist state and inventory data CCMINSTALLDIR\*.sdfCCMINSTALLDIR\ServiceDataHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

Use WMI provider to manage other filters

Appendix - Exclusions for SCEPRegistry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware

Folders:%ProgramData%\Microsoft\Microsoft Antimalware\Definition Updates\%ProgramData%\Microsoft\Microsoft Antimalware\Scans\%ProgramData%\Microsoft\Microsoft Antimalware\Support\%ProgramFiles%\Microsoft Security Client\

Files:%Windir%\Windowsupdate.log%Windir%\Temp\MpCmdRun.log%SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun*.log%SystemRoot%\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun*.log

Thank you!

Q&A

Windows Track ResourcesWindows Enterprise: windows.com/enterprise

Windows Springboard: windows.com/ITpro

Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop

Desktop Virtualization (DV): microsoft.com/dv

Windows To Go: microsoft.com/windows/wtg

Outlook.com: tryoutlook.com

msdn

Resources for Developers

http://microsoft.com/msdn

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Resources for IT Professionals

http://microsoft.com/technet

System Center 2012 Configuration Managerhttp://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33

Windows Intunehttp://www.microsoft.com/en-us/windows/windowsintune/try-and-buy

Windows Server 2012 http://www.microsoft.com/en-us/server-cloud/windows-server

Windows Server 2012 VDI and Remote Desktop Serviceshttp://technet.microsoft.com/en-us/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33

http://www.microsoft.com/en-us/server-cloud/windows-server/virtual-desktop-infrastructure.aspx

More Resources:microsoft.com/workstylemicrosoft.com/server-cloud/user-device-management

For More Information

Complete an evaluation on CommNet and enter to win!

Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.