Deploying the Core Optimized Desktop Using the Microsoft Deployment Toolkit 2010

Applies To: Windows 7

The optimized desktop enables flexible provisioning and management by integrating Windows® 7, the Microsoft® Desktop Optimization Pack (MDOP), Forefront™, and Office 2010. This white paper describes how to use the Microsoft Deployment Toolkit (MDT) 2010 to automate the installation and configuration of the core optimized desktop technologies. Core optimized desktop technologies include the Application Virtualization (App-V) client, the Diagnostic and Recovery Toolset (DaRT) recovery image, the Forefront™ client, BitLocker™, and the Office 2010 virtual application cache. Installing these technologies during deployment makes client computers ready for optimized desktop management immediately after installation.

This white paper describes how to:

  • Add optimized desktop applications to a deployment share

  • Use DaRT to customize the Windows Recovery Environment

  • Configure Folder Redirection

  • Configure Roaming User Profiles

This white paper assumes that you have a server computer with MDT 2010 installed and a deployment share stocked with applications, operating system source files, and so on. It also assumes that you are able to configure Group Policy settings for your organization and have access to the MDOP installation files.

For a downloadable version of this document, see Deploying the Core Optimized Desktop Using the Microsoft Deployment Toolkit 2010 in the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=208124).

Add Optimized Desktop Applications to a Deployment Share

The first step is to add the optimized desktop applications to your MDT 2010 deployment share. These include the App-V client, Forefront client, and the Asset Inventory Service (AIS) client. Then, you create a deployment task sequence, customizing it to deploy the Office 2010 cache. The following sections describe each major step to add the optimized desktop applications to your deployment share.

Add the App-V Client

To add the App-V client to a deployment share:

  1. Start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. In the Deployment Workbench console tree, click Applications. Applications is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. In the Actions pane, click New Application.

  4. On the Application Type page, click Application with source files and click Next.

  5. On the Details page, enter the following information, and click Next:

    • Publisher: Microsoft

    • Application Name: Application Virtualization Client

    • Version: 4.6

    • Language: English

  6. On the Source page, click Browse, and open the folder containing the App-V client, and then click Next.

  7. On the Destination page, click Next.

  8. On the Command Details page, in the Command line box, type the command to install the App-V client silently, and click Next. For example, type:

    msiexec.exe /I setup.msi ALLOWINDEPENDENTFILESTREAMING=TRUE SWIPUBSVRDISPLAY="Woodgrove Bank" SWIPUBSVRTYPE=RTSP SWIPUBSVRHOST="SEA-DC-01" /q

    Where:

    • ALLOWINDEPENDENTFILESTREAMING allows applications to load regardless of how you’ve configured the client application source root.

    • SWIPUBSVRDISPLAY is the display name for the streaming server.

    • SWIPUBSVRTYPE is the publishing server type: HTTP or RTSP. If using a secure protocol, the /secure switch must be used.

    • SWIPUBSVRHOST is the IP address or host name of the publishing server.

  9. On the Summary page, review the settings and click Next.

  10. Click Finish. The App-V Client requires the following prerequisites on the client computer:

    • Microsoft Application Error Reporting

    • Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)

    • Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)

    • Microsoft Core XML Services (MSXML) 6.0 SP1

Add the Forefront Client Security Agent

To add the Forefront client to a deployment share:

  1. If necessary, start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. If necessary, in the Deployment Workbench console tree, click Applications. Applications is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. In the Actions pane, click New Application.

  4. On the Application Type page, click Application with source files and click Next.

  5. On the Details page, enter the following information, and click Next:

    • Publisher: Microsoft

    • Application Name: Forefront Client Security

    • Version: x86

    • Language: English

  6. On the Source page, click Browse, open the folder containing the Forefront client, and then click Next.

  7. On the Destination page, click Next.

  8. On the Command Details page, in the Command line box, type the command to install the Forefront client silently, and then click Next. For example, type:

    ClientSetup /CG ForefrontClientSecurity /MS SEA-FCS-01

    Where:

    • /I InstallationFolder specifies the location in which you want to install Client Security. This parameter is optional. The default installation folder is %Program Files%\Microsoft Forefront\Client Security\client.

    • /L LoggingFolder specifies the location in which you want Client Security to log issues encountered during the installation. This parameter is optional. The default logging folder is %Program Files%\Microsoft Forefront\Client Security\client\logs.

    • /NOMOM installs everything except the MOM agent. If you use the /NOMOM flag, do not use the /CG and /MS flags.

    • /CG ManagementGroup specifies the name of the management group. If you do not specify the management group, the name will be retrieved automatically from the Client Security policy deployed to the client computer. This parameter must be used with the /MS parameter.

    • /MS CollectionServer specifies the name of the collection server. If you do not specify the collection server, the name will be retrieved automatically from the Client Security policy deployed to the client computer. This parameter must be used with the /CG parameter.

    • /R reinstalls the Client Security agent and the MOM agent. This parameter first verifies that the existing version is older than or equal to the currently installed version; then, it triggers a reinstall.

  9. On the Summary page, review the settings and click Next.

  10. Click Finish.

Add Asset Inventory Service Client

To add the AIS client to a deployment share:

  1. If necessary, start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. If necessary, in the Deployment Workbench console tree, click Applications. Applications is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. In the Actions pane, click New Application.

  4. On the Application Type page, click Application with source files and click Next.

  5. On the Details page, enter the following information, and click Next:

    • Publisher: Microsoft

    • Application Name: Asset Inventory Service Client

  6. On the Source page, click Browse, open the folder containing the AIS client, and click Next.

    Note: The AIS client software installation package is unique to your enterprise and contains account identifiers, so you must download it from the AIS Web site after you have logged on with properly licensed account credentials.

  7. On the Destination page, click Next.

  8. On the Command Details page, type msiexec.exe /i "SCOnlineClient.msi" /q in the Command line box, and then click Next.

  9. On the Summary page, review the settings and click Next.

  10. Click Finish.

Create a Task Sequence for Deployment

To create a deployment task sequence:

  1. If necessary, start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. In the Deployment Workbench console tree, click Task Sequences. Task Sequences is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. In the Actions pane, click New Task Sequence.

  4. On the General Settings page, enter the following information, and click Next:

    • Task sequence ID (such as: ODDeploy)

    • Task sequence name (such as: Optimized Desktop Deployment Task Sequence)

    • Task sequence comments (such as: This task sequence will be used to deploy the Microsoft Optimized Desktop Core Infrastructure)

  5. On the Select Template page, click Next.

  6. On the Select OS page, select the Windows 7 operating system image that you want to install, and then click Next.

    Note: This white paper assumes that you’ve already stocked the deployment share with Windows 7 images.

  7. On the Specify Product Key page, click Next.

  8. On the OS Settings page, enter the following information, and click Next:

  9. On the Admin Password page, type and confirm a password, and click Next.

  10. On the Summary page, review the settings and click Next.

  11. Click Finish.

Customize the Task Sequence for Cached Office 2010

The last step is to add two custom actions to the task sequence. The first action adds Office 2010 to the App-V client by using the SFTMIME tool. To add an application, you specify the name of the package, the path to the application manifest (an XML file describing the applications in the package), and the path to the SFT file, which contains the actual virtualized application bits. Finally, you define a logging path in case there are any problems with the command.

The second action streams the package to the cache on the client computer. You need to specify the security context under which this SFTMIME command is run. Since the application is already added locally, you use the LOAD PACKAGE command with the path to the SFT file to manually stream the virtualized application to the client and cache it locally.

To add custom actions for Office 2010 to the task sequence:

  1. If necessary, start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. In the Deployment Workbench console tree, click Task Sequences. Task Sequences is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. Double-click the task sequence that you want to customize with Office 2010.

  4. In the Properties window, click the Task Sequence tab.

  5. In the console pane of the task sequence, under State Restore, click Custom Tasks.

  6. Click Add, General, Run Command Line.

  7. Enter the following information into the custom task Properties pane, and click Apply:

    • Name: Add Virtualized Application Package

    • Command line: SFTMIME ADD PACKAGE:"Microsoft Office 2010 Professional" /MANIFEST xmlfile /OVERRIDEURL sftfile /LOG logfile, where:

      • xmlfile is the path and file name of the package’s manifest file.

      • sftfile is the path and file name of the package’s SFT file.

      • logfile is the path and file name of the log file to create.

    • Start in: C:\Program Files\Microsoft Application Virtualization Client

    • Run this step as the following account: Enabled (Click Set to provide credentials)

    • Organization (such as: Woodgrove Bank)

    • Load the user’s profile: Enabled

  8. Click Add, General, Run Command Line.

  9. Enter the following information into the custom task Properties pane, and click Apply:

    • Name: Add Virtualized Application Package

    • Command line: SFTMIME LOAD PACKAGE:"Microsoft Office 2010 Professional" /SFTPATH sftpath, where sftpath is the path and file name of the package’s SFT file.

    • Start in: C:\Program Files\Microsoft Application Virtualization Client

    • Run this step as the following account: Enabled (Click Set to provide credentials)

    • Load the user’s profile: Enabled

  10. Click OK to close the Properties window.

Use DaRT to Customize the Windows Recovery Environment

If you use an MDT 2010 task sequence to deploy BitLocker to a client computer as part of the deployment process, the Windows Recovery Environment (RE) will remain on the partition that is protected with BitLocker; therefore, it will be inaccessible when the F8 boot option is selected.

To move the Windows RE image out of its default location on the C:\ drive during a Windows 7 deployment with MDT 2010, you can use a custom script that relocates the boot image file. This section also shows you how to incorporate the DaRT tools into the Windows RE environment to give service desk technicians additional resources for supporting client computers.

Extract the Boot.wim File from an ERD

To extract the boot.wim from an ERD:

  1. Generate an Emergency Repair Disk (ERD) by using the DaRT ERD Commander.

  2. Copy the boot.wim file from the Sources folder of the ERD to the Scripts directory of your deployment share (such as: D:\DeploymentShare\Scripts).

  3. Rename the boot.wim file to winre.wim so that the Windows RE environment will work correctly.

Add the Custom Script Files to the Scripts Folder

Accompanying this white paper are three scripts:

The ZCustomWindowsRE.wsf script moves the winre.wim file from the C:\MDT_DS\Scripts directory to the hidden BDEDrive partition on the client computer. It uses scripted Diskpart commands, supplied by the ZDiskPart text files, to unhide this partition and then hide it again.

  1. Copy these three script files to the Scripts folder of your deployment share (such as: D:\DeploymentShare\Scripts).

  2. Using Notepad, open the ZCustomWindowsRE.wsf script file from the Scripts folder of your deployment share and review the script.

  3. Modify lines 136 and 137 of the ZCustomWindowsRE.wsf script file to support moving the newly created boot image to the correct location on the Windows 7 client computer (In Notepad, press Ctrl+G to go to a specific line number), and then save your changes:

    Line 136
      Before: oLogging.CreateEntry "move " & sSysPath & "Recovery\winre.wim S:\Recovery\WindowsRE", LogTypeInfo
      After:  oLogging.CreateEntry "copy " & sScriptRoot & "\winre.wim S:\Recovery\WindowsRE", LogTypeInfo

    Line 137
      Before: oExec.stdIn.WriteLine "move " & sSysPath & "Recovery\winre.wim S:\Recovery\WindowsRE"
      After:  oExec.stdIn.WriteLine "copy " & sScriptRoot & "\winre.wim S:\Recovery\WindowsRE"

Modify the New Deployment Task Sequence

To add the custom script to the deployment task sequence:

  1. If necessary, start the Deployment Workbench. Click Start, Microsoft Deployment Toolkit, Deployment Workbench.

  2. In the Deployment Workbench console tree, click Task Sequences. Task Sequences is under Deployment Shares, Share Name, where Share Name is the name of the deployment share that you’re configuring.

  3. Double-click the task sequence that you created earlier.

  4. In the task sequence’s Properties window, click the Task Sequence tab.

  5. In the console pane of the task sequence, under State Restore, click Custom Tasks.

  6. Click Add, General, Run Command Line.

  7. Enter the following information into the custom task Properties pane, and click Apply:

    • Name: Install Windows RE with DaRT

    • Command line: cscript.exe "%SCRIPTROOT%\ZCustomWindowsRE.wsf"

  8. Click OK to close the Properties window.

Configure Folder Redirection

Folder Redirection enables specific folders within user profiles to be redirected to locations on network servers. Windows 7 supports the redirection of the following 13 folders found within user profiles:

  • AppData\Roaming

  • Documents

  • Links

  • Saved Games

  • Videos

  • Contacts

  • Downloads

  • Music

  • Searches

  • Desktop

  • Favorites

  • Pictures

  • Start Menu

Folder Redirection replicates file-based information, and you configure it by using Group Policy. You can apply different settings to different organizational units (OUs) in Active Directory® Domain Services (AD DS) to create customized solutions. Folder Redirection can also be used to significantly reduce the size of roaming user profiles, which results in faster logon/logoff times.

Create and Share the Root Path

Before configuring Folder Redirection, you must create and share a folder to which you want to redirect folders. Create a folder on the network and configure its access control list as shown in Table 1. Also, share the folder and give the security group of users that you’re redirecting Full Control.

Table 1. Minimum NTFS permissions for the Folder Redirection root folder

  User Account                                            Minimum Permissions Required
  ------------------------------------------------------  --------------------------------------------------------------------
  Creator Owner                                           Full Control, Subfolders and Files Only
  Administrator                                           None
  Security group of users that need to put data on share  List Folder/Read Data, Create Folders/Append Data - This Folder Only
  Everyone                                                No Permissions
  Local System                                            Full Control, This Folder, Subfolders and Files

Create GPO for Folder Redirection

  1. In the Group Policy Management Console, create and edit a new GPO called Folder Redirection.

  2. In the Local Group Policy Editor, configure the following policy settings:

    Policy: Use localized subfolder names when redirecting Start Menu and My Documents
    Location: Computer Configuration\Policies\Administrative Templates\System\Folder Redirection
    Value: Enabled

    Policy: Verify old and new Folder Redirection targets point to the same share before redirecting
    Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer
    Value: Enabled

    Policy: Do not automatically make redirected folders available offline
    Location: User Configuration\Policies\Administrative Templates\System\Folder Redirection
    Value: Enabled

    Policy: Use localized subfolder names when redirecting Start Menu and My Documents
    Location: User Configuration\Policies\Administrative Templates\System\Folder Redirection
    Value: Enabled

  3. Open User Configuration\Policies\Windows Settings\Folder Redirection, and do the following:

    1. Right-click AppData(Roaming) and click Properties.

    2. Select Basic – Redirect everyone’s folder to the same location.

    3. In the Root Path type the path of the network share to which you want to redirect folders (such as: \\SEA-DC-01\USERDATA$\).

    4. Click the Settings tab.

    5. Select the Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems check box.

    6. Click Apply and in the warning click Yes.

    7. Click OK.

  4. Repeat the previous steps for the following folders:

    • Contacts

    • Desktop

    • Documents

    • Downloads

    • Favorites

    • Links

    • Music

    • Pictures

    • Saved Games

    • Searches

    • Start Menu

    • Videos

Configure Settings for Offline Files

To configure settings for offline files:

  1. Edit the Folder Redirection GPO you created in the previous section.

  2. Open Computer Configuration\Policies\Administrative Templates\Network\Offline Files, and enable the following policy settings:

    • Configure Background Sync

    • Limit disk space used by offline files

    • Exclude files from being cached: In the Extensions field, add *.MP4

    • Enable Transparent Caching

    • Turn on economical application of administratively assigned Offline Files

Configure Roaming User Profiles

Roaming User Profiles enables user profiles to be stored in a folder shared from a network server and then downloaded to the user’s computer whenever the user logs on using their domain credentials. After the profile has been downloaded and applied to the user’s computer, the user sees their personalized desktop with all its application settings and operating system preferences, such as network drive mappings, printer connections, and wallpaper selections. When the user logs off, any updated profile information is uploaded to the network server.

Roaming User Profiles replicates user profiles, which contain both user data files and user settings (registry-based information), to the server and synchronizes them to users’ computers. It enables users to log on to any managed computer on the network and download their profiles to experience their personalized desktop environments.

Create and Share the Parent Folder

Before configuring Roaming User Profiles, you must create and share the folder in which you want to store them. Create a folder on the network and configure its access control list as shown in Table 2. Also, share the folder and give the security group of users with Roaming User Profiles Full Control.

Table 2. Minimum NTFS permissions for the Roaming User Profiles parent folder

  User Account                                          Minimum Permissions Required
  ----------------------------------------------------  --------------------------------------------------------------------
  Creator Owner                                         Full Control, Subfolders and Files Only
  Administrator                                         None
  Security group of users needing to put data on share  List Folder/Read Data, Create Folders/Append Data - This Folder Only
  Everyone                                              No permissions
  Local System                                          Full Control, This Folder, Subfolders and Files
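Table 1 and Table 2 specify the same minimum ACL, so the following script serves both the Folder Redirection root and the Roaming User Profiles parent folder. It is an added example, not a script shipped with this white paper; the folder path, share name and security group name are assumptions, and it is meant to be run as an administrator on the file server.

```powershell
# Added example (not from the white paper): create and secure the shared root folder
# used for Folder Redirection (Table 1) or Roaming User Profiles (Table 2). Both tables
# specify the same minimum NTFS ACL, so one script serves both. Run as an administrator
# on the file server. Folder path, share name and group name are assumptions.
param(
    [string]$Path  = 'D:\UserData',               # assumed local folder to share
    [string]$Share = 'USERDATA$',                 # hidden share, as in \\SEA-DC-01\USERDATA$ above
    [string]$Group = 'WOODGROVE\RedirectedUsers'  # assumed security group that stores data here
)

New-Item -Path $Path -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and discard inherited entries, so only the table rows apply
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit entries that were already on the folder
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$subAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noInherit   = [System.Security.AccessControl.InheritanceFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$propagate   = [System.Security.AccessControl.PropagationFlags]::None

# Helper (assumed name): build one Allow ACE for the folder
function New-Ace([string]$Identity, $Rights, $Inherit, $Propagation) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagation, $allow
}

# Creator Owner: Full Control, Subfolders and Files Only (InheritOnly keeps it off the root itself)
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' $full $subAndFiles $inheritOnly))
# Local System: Full Control, This Folder, Subfolders and Files
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $full $subAndFiles $propagate))
# Security group: List Folder/Read Data + Create Folders/Append Data, This Folder Only.
# Users can create their own subfolder (which Creator Owner then grants them) but not read each other's.
$groupRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories'
$acl.AddAccessRule((New-Ace $Group $groupRights $noInherit $propagate))
# Administrator and Everyone get no entries, matching "None" / "No Permissions" in the tables

Set-Acl -Path $Path -AclObject $acl

# Share permissions: Full Control for the group only; the NTFS ACL above is the effective limit
net share "$Share=$Path" "/GRANT:$Group,FULL"
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# Show the resulting ACL so it can be compared line by line against the table
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The final Format-Table output should list exactly three entries (CREATOR OWNER, SYSTEM and the group); any inherited or extra entry means the folder was not isolated from its parent's ACL.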

Configure Roaming User Profiles

To configure Roaming User Profiles:

  1. In the Group Policy Management Console, create and edit a new GPO called Roaming User Profiles.

  2. Open Computer Configuration\Policies\Administrative Templates\System\User Profiles.

  3. Enable Set roaming profile path for all users logging onto this computer. In the Options pane, type the path of the network share in which you want to store roaming user profiles (such as: \\SEA-DC-01\USERDATA$\%USERNAME%).

  4. Enable Background upload of a roaming user profile’s registry file while user is logged on.

  5. Enable Set maximum wait time for the network if a user has a roaming user profile or remote home directory.