Sunday, February 17, 2013

Deep Freeze and SCCM 2012

One of our first concerns when we migrated to SCCM was Deep Freeze and how it would interact with the SCCM client. For those who don't know, Deep Freeze keeps a computer "clean" by removing any changes that have been made on every boot. Here is the Wikipedia article about it: http://en.wikipedia.org/wiki/Deep_Freeze_(software).  Similar products include SmartShield and Clean State. Microsoft had Windows Steady State in the Windows XP days, but this product is no longer offered.

The problem with using any of these products in conjunction with SCCM is that it "cleans" the SCCM client as well, wiping any new logs and the SCCM cache. We use a lot of concurrently licensed software, which means we must keep track of how much software is being used at any given time. To do this, we make a lot of use out of Software Metering in SCCM. This is a problem if Deep Freeze wipes the software metering logs on every reboot.

I solved this problem in two steps. Step one is installing Deep Freeze. The installer is set to freeze the C: drive and keep the U: drive thawed. I do this with a script and run it as the very last item in my task sequence. You can install Deep Freeze and NOT have it immediately reboot the computer frozen by running this command:

"DFinstall.exe /install /noreboot"

The Deep Freeze install script then kicks off a PowerShell script that I copy to the local machine in a previous task sequence step. This line is set to run (and not a run-wait) so that SCCM finishes the task sequence. I copy this script locally and run it in this manner so that SCCM completes the task sequence. If I did not run it locally and outside of the scope of SCCM, every task sequence would come back as failed. My Deep Freeze install script looks like this:

RunWait ('"DFinstall.exe" /install /noreboot')

Run ('cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -file C:\finalize-ts.ps1"')

This local PowerShell script then uninstalls the SCCM client (located in C:\Windows\ccmsetup) by running:

"ccmsetup.exe /uninstall"

After the uninstall, it reinstalls the SCCM client to the thaw drive using this command (also executed from C:\Windows\ccmsetup):

ccmsetup.exe /noservice /mp:<FQDN of your SCCM management point> SMSSITECODE=<SCCM 3-digit site code> FSP=<FQDN of your fallback status point> CCMINSTALLDIR="<path to install the SCCM client>" SMSCACHEDIR="<path to put the SCCM cache>"

I am setting many options in this command line. First of all, the /noservice switch prevents the SCCM installer from restarting as a service. This is an issue when you are using a scripting type that allows you to do a run-wait command. When the SCCM installer restarts as a service, the scripting program thinks it is done and moves on to the next line in the script.

Second, /mp: sets the location of your management point. This must be the fully qualified domain name of the management point. Third, we set the SMS site code. This is the three-digit site code for your site. Fourth, we set the fully qualified domain name of your fallback status point.

Fifth, we set the directory where the SCCM client will be installed. This should be set to a folder on your thaw space. Last, we set the directory where the SCCM cache will be. I would also set this to be on your thaw space, though it is not as critical as the client itself.

Here is a full list of command-line parameters for the SCCM client install: http://technet.microsoft.com/en-us/library/gg699356.aspx.

I would also recommend hiding the client directory and the cache directory. While this does not make them totally secure, the user would have to be a more advanced user to get into these directories. I create the directories before installing the client. You can set them to hidden by running: "cmd.exe /c attrib +H <path of folder>" from your scripting application of choice.

Lastly, I force a discovery data and machine policy refresh. This jump-starts the process of re-registering the computer with SCCM. With PowerShell, run these commands:

$comp = hostname
$SMSCli = [wmiclass] "\\$comp\root\ccm:SMS_Client"
$SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000003}")
$SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000022}")

From there, I reboot the computer. The computer comes back up frozen and ready to go with the SCCM client installed to the thaw space. I reboot the computer by running this command from PowerShell: cmd.exe /c "shutdown -r -t 45". I know that PowerShell has its own restart command, but I liked this command more because I could tell it to wait 45 seconds in the same line. This wait was key to allowing the discovery data and machine policies to finish their refresh.
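
The steps above, put together as one possible finalize-ts.ps1. This is an added example, not the author's script: the server names, site code and U:\ folder names are placeholders, and the existence check, the wait on background ccmsetup processes and the exit-code check (0 and 7 treated as success) are additions so the machine is not rebooted frozen with a half-installed client.

```powershell
# finalize-ts.ps1 (added example): move the SCCM client onto the thawed drive.
# Every value in this block is a placeholder or assumption; substitute your own.
$ErrorActionPreference = 'Stop'
$ManagementPoint = 'mp.example.edu'     # placeholder: FQDN of the management point
$SiteCode        = 'XXX'                # placeholder: SCCM site code
$FallbackStatus  = 'fsp.example.edu'    # placeholder: FQDN of the fallback status point
$ClientDir       = 'U:\CCM'             # assumed folder on the thawed U: drive
$CacheDir        = 'U:\CCMCache'        # assumed folder on the thawed U: drive
$CcmSetup        = 'C:\Windows\ccmsetup\ccmsetup.exe'

function Invoke-CcmSetup([string[]]$Arguments) {
    if (-not (Test-Path $CcmSetup)) { throw "ccmsetup.exe not found at $CcmSetup" }
    $p = Start-Process -FilePath $CcmSetup -ArgumentList $Arguments -Wait -PassThru
    # Also wait for any ccmsetup instance still working in the background.
    Get-Process -Name ccmsetup -ErrorAction SilentlyContinue | Wait-Process
    # 0 = success, 7 = success with reboot required; anything else is a failure.
    if (0, 7 -notcontains $p.ExitCode) {
        throw "ccmsetup $Arguments failed with exit code $($p.ExitCode)"
    }
}

# Refuse to touch the existing client if the thaw drive is not available.
if (-not (Test-Path 'U:\')) { throw 'Thaw drive U: not found; leaving client as-is.' }

# Create the target folders first and hide them (attrib +H, as in the post).
foreach ($dir in $ClientDir, $CacheDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    attrib.exe +H $dir
}

# Remove the client from C:, then reinstall it to the thaw space.
Invoke-CcmSetup '/uninstall'
Invoke-CcmSetup @(
    '/noservice', "/mp:$ManagementPoint", "SMSSITECODE=$SiteCode",
    "FSP=$FallbackStatus", "CCMINSTALLDIR=`"$ClientDir`"", "SMSCACHEDIR=`"$CacheDir`""
)

# Force the discovery data and machine policy refresh (schedule IDs from the post).
$SMSCli = [wmiclass]"\\$env:COMPUTERNAME\root\ccm:SMS_Client"
foreach ($id in '{00000000-0000-0000-0000-000000000003}',
                '{00000000-0000-0000-0000-000000000022}') {
    $SMSCli.TriggerSchedule($id) | Out-Null
}

# Reboot into the frozen state, leaving 45 seconds for the refresh to finish.
shutdown.exe -r -t 45
```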

Drop me an email (sccmhied@gmail.com) if you have questions about this process. I wrote it for Deep Freeze, but I would imagine the process would be similar for Clean State and SmartShield.
