Step 1 Install the SHA

Install the SHA first, FcsNapSha86.msi or FcsNapSha64.msi depending on which version of windows you have. Reasoning is so that you don’t end up with a policy that none of the clients can comply to.

The easiest way to do this is to use a Group Policy.

So the first thing you need to do is created a distribution share with permission for Administrators, Authenticated Users and Domain Users.

Open GPMC and navigate the OU that contains the computers that require the SHA and create and link a GPO, specify a name e.g. Forefront SHA deployment policy.

Right click the new GPO and click edit. Navigate to: Computer Configuration- Policies – Software settings – Software Installation. Right click and create a new Package. In the dialog box type in the UNC path of the installer and choose assigned. e.g. \\myserver\software\fcsnapsha86.msi

However in my scenario I am using WDS to deploy client machines so I have added the SHA to the Deployment image so all the clients I roll out will have this preinstalled.

Note: You can use security filtering to apply the policy to specific users & computers if you wish.

Step2 Install the SHV

On the NAP server run FcsNapShv86.msi or FcsNapShv64.msi depending on which version of Windows Server you have installed. The install wizard will guide you through the process.

Step3 Configure the SHV

Open the NPS snap in. Navigate to: Policies – Health Policies. For all the policies both compliant and non-compliant you must enable the SHV, right click a policy, go to properties and tick the check box for forefront client security.

Navigate to: Network Access Protection – System Health Validators – Microsoft forefront client security system heath validator – Settings. Right click on the Default Configuration and go to properties and Enable all the Client Service Policy Settings, click the WSUS Server Policy Setting tab and enable Forefront Product Updates – 14 days, System health agent – 14 Days, Antivirus/antispyware updates – 3 Days.

Client Service Policy Settings

WSUS Server Policy Settings

First You need to have the windows 7 AIK installed.

In order to Make changes to windows 7 wim file you should mount the wim to an existing folder.

the tool we will use is DISM which is found in c:\Program Files\Windows AIK\Tools\x86\Servicing>

Dism /Mount-Wim /WimFile:f:.wim /index:1 /MountDir:f:test

add drivers to the image using add driver command

Dism /image:f:test /Add-Driver /driver:C:\driver\graphics (there should be an inf file in this folder)

Un-mount and commit changes

Dism /Unmount-Wim /MountDir:f:test /commit

PXE booting requires the following options in DHCP:

option 66 Boot server host name: “FQDN of WDS server”

option 67 Boot file name: \boot\x86\wdsnbp.com

This will work as is with DHCP and WDS on separate machines.

Note: if your DHCP server is on a different VLAN than the one you are booting from you must enable DHCP helper or IP helper.

WDS Server settings:

Not much you need to change here just a few things worth mentioning.

CLIENT Naming policy can be set with a variable to auto generate the machine name according to your requirements, i usually use something simple like Computer%03# which will increment 001,002 etc.. After the word Computer.

DHCP settings can all be left unchecked if you are using a separate DHCP server.

PXE response can be set to respond to all clients, known and unknown.

PXE boot policy can be set to always continue the PXE boot for all clients known and unknown.

Advanced setting, allow WDS to dynamically discover Directory Servers and authorize this WDS server in DHCP should be enabled.

The rest of the setting can be left as default for now.

Add a Boot image and create a capture image

From WDS right click boot image and select the boot.wim file from the windows 7 DVD and it will copy to WDS. Give it a decent name, e.g. Install Microsoft Windows

Now create a capture image, right click the boot image you just added and choose create capture image, again give it a good name e.g. Capture Microsoft Windows.

Note: I have tested capture and deploy with windows 7, Vista and XP using the capture image created from a Windows 7 boot.wim file and it works without issues.

Add an image group, right click install images and choose add image group, eneter the name for you new group.

Capturing an Image and upload to WDS server

In order to capture an image you need to Sysprep the machine first so from Windows 7 open the run box and type in Sysprep, it will open the Sysprep location C:WindowsSystem32sysprep. Double click on Sysprep, enable the generalize option and set shutdown option to shutdown (if it reboots and you’re not paying attention you will have to Sysprep again).

Now you can turn on the machine and boot from LAN (f12 button in most cases). Assuming you followed the previous steps You should now be prompted to choose to either install windows or capture windows, choose capture and it will boot the Windows PE capture image we made earlier. Follow the instructions in the image capture wizard, Choose a volume, there should only be one, enter a name and description & click next. Choose a location to save the image, its OK to save to the same drive you are capturing from or you may use a USB drive. Enter the FQDN of the WDS server and choose an image group. The image will now capture to the local location you chose and then upload directly to the WDS server image group you specified. Now you have an image ready to deploy.

Creating an imageunatend.xml file:

To truly make your Deployments unattended you need to create an answer file. For this you need to install the Windows 7 Automated Installation Kit – AIK, it doesn’t matter where you install it but I recommend on the WDS server for simplicity sake.

Windows System Image Manager – WSIM

WSIM is the tool of choice for creating the imageunattend.xml file.

You will need to select the install.wim file from the windows 7 DVD to get the catalogs; these are binary files that contain the settings and packages found in a windows image.  Because there are far too many catalogs to mention I will just go through the most basic ones required for an x86 version of windows 7.

1. WindowsPE
   1. x86_Microsoft-Windows-Internationa-Core-WinPE_neutral
      1. i.      InputLocale:          en-US
      2. ii.      UILanguage:         en-US
      3. iii.      SystemLocale:       en-US
      4. iv.      UserLocale:           en-US
   2. X86_Microsoft-Windows-Setup_neutral
      1. i.      AcceptEULA:       True
      2. ii.      Fullname:              YourName
      3. iii.      Organization:        YourOrgName
      4. iv.      ProductKey:          Win 7 Product Key
2. Generalize
   1. X86_Microsoft-Windows-Setup_neutral
      1. i.      RegisteredOrg:      YourOrganization
      2. ii.      RegisteredOwner: Owner of the License
3. Specialize
   1. X86_Microsoft-Windows-Shell-Setup_neutral
      1. i.      ComputerName:    %MACHINENAME%
      2. ii.      TimeZone:             Your Time zone e.g. (UTC+04:00) Abu Dhabi, Muscat
   2. X86_Microsoft-Windows-UnattendJoin_neutral
      1. i.      Domain:                Your FQDN e.g. domain.local
      2. ii.      Password:              Password for user
      3. iii.      Username:             Username with premision to join domain
      4. iv.      JoinDomain           Your FQDN e.g. domain.local
4. oobeSystem
   1. x86_Microsoft-Windows-Internationa-Core-WinPE_neutral
      1. i.      InputLocale:          en-US
      2. ii.      UILanguage:         en-US
      3. iii.      SystemLocale:       en-US
      4. iv.      UserLocale:           en-US
   2. X86_Microsoft-Windows-Shell-Setup_neutral
      1. i.      HideEULAPage:  True
      2. ii.      HideWireless:        True
      3. iii.      NetworkLocale:    Work
      4. iv.      ProtectYourPC:    1
      5. v.      TimeZone:             Your time zone

Note: use the tzutil command-line tool on windows 7 to list the time zone from an existing PC to get the correct entry.

Save the file and we are done here, now right click the windows 7 image in WDS and open properties, check the allow image to install in unattended mode box and select the xml file you just saved.

With this done you can now Deploy your image.