Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Video Series: Deploying Windows 7 from Windows XP


This is a video series on Deploying Windows 7 from Windows XP using the Windows Automated Installation Kit (WAIK) and the Microsoft Deployment Toolkit (MDT) 2010.

The first time I knew about the Microsoft Deployment Toolkit was in the Windows Vista days. I found it an awesome technology, added to the fact that it is free. Unfortunately, not many organizations really embraced Windows Vista, thereby overlooking this technology and the others related to Windows client deployment (e.g., WAIK, WIM).

Microsoft has gone to great lengths to ensure that Windows deployment would be a breeze in organizations that went to Windows Vista and will go to Windows 7. Therefore I have created this video series to share the best practices I gathered from the field on using these two free tools – MDT 2010 and WAIK – to deploy Windows 7 across an organization consisting of Windows XP machines.

A lot of folks may eventually figure out that the Windows Automated Installation Kit (WAIK) is cumbersome because its tools are non-GUI, and that MDT is effectively the GUI version of WAIK. However, I strongly recommend that technology professionals familiarize themselves with at least the deployment cycle using WAIK alone, and then adapt it to an automated process like MDT. This gives us the proper balance between automation and flexibility.

WAIK is cool, for the following reasons:

  1. You get to learn stuff under the hood. Although you can create a WIM using MDT, managing it would still be done through WAIK, therefore if you don’t have WAIK knowledge you will end up with a default WIM and not really maximize the new and cool features of the Windows Imaging technologies.
  2. Text-based = scriptable and flexible. It’s not entirely difficult to automate Windows 7 deployment using WAIK alone because you can script it, and your options for customizing your deployment are limitless.
  3. Let’s face it: text-based commands are cool … makes you look geeky.

But then again, having too much human control exposes the deployment exercise to human error, especially the processes that deal with the target machines. Those should be automated as much as possible.

So with that, here are the videos of the Windows 7 Deployment from Windows XP series:

Part 1 – Generating WinPE Boot CD on WAIK

Part 2 – Using WAIK to Acquire Windows 7 Image into WIM

Part 3 – Using WAIK to Deploy Windows 7 WIM Image into a New Machine

Part 4 – Using MDT to Acquire Windows 7 Image into WIM

Part 5 – Using MDT to Import a WIM Image and Using PXE Boot to Deploy

Part 6 – Windows 7 Deployment via MDT 2010 Media

Part 7 – Deploying Windows 7 via MDT Network Share

jay paloma | 29 dec 2009 | singapore

Written by jpaloma

November 12, 2010 at 4:34 PM

MVP renewed for 2015 and this year’s major production


Hello dear subscribers and readers of my tech blog! First and foremost, I would like to inform all that I was awarded the Microsoft Most Valuable Professional award for the 9th time. My thanks go out to Microsoft, and to all of you who read and learn about these great technologies.

As I was looking through the tech materials I have produced / written over the past years, the Windows 7 Deployment Video Series still tops my list, and more than 5 years after it was published it is still getting monthly views. Part 1 had 153 views in March 2015 (it peaked at 1,949 in March 2011). But as I reflect on this graph, only one thing comes to mind: time to make a new one!

Video stats of the Windows 7 Deployment Video Series Part 1

So a new one it is! Still in the planning stages, but I’m thinking of collaborating on this project. It will still be in video form, for those of you who don’t really like reading long, boring blog posts and prefer visuals and audio (like me). And most probably it will include Microsoft System Center 2012 R2 Configuration Manager as well!

Do leave a reply to this blog post if you wish to suggest tech topics you want covered, especially in the upcoming Deployment video.

Written by jpaloma

April 10, 2015 at 11:58 PM

Posted in Microsoft, MVP


Bring Your Own Device (BYOD) with Hyper-V and Citrix


During last week’s System Center Universe Asia Pacific, a question was raised during the Ask the Experts portion on how Microsoft can address BYOD while ensuring that corporate security is still maintained. The Experts on the panel were not really able to address the required architecture.

I was formerly connected with Citrix, and right there I immediately thought of Citrix XenDesktop. However, being at a Microsoft event, I decided to keep my mouth shut and instead share the solution by writing about it. So here it is!

Bring Your Own Device (BYOD) Architecture

The solution is to allow the personal devices to connect to VMs. These VMs are connected to the corporate network, while the personal devices sit in a separate protected network, which is allowed to use only the protocols necessary for the client to connect to the VMs.

Since the solution requires VMs, using Hyper-V is the way to go. No discussion here.

For this solution to work, there must be some technology that does VM provisioning. This is where the Citrix XenDesktop product comes in. You can dynamically provision VMs as needed.

The VMs can be shared VMs deployed with the same apps, or app deployment can be performed dynamically as the VM is being provisioned using either Citrix XenApp, or using Configuration Manager.

Just to be sure, some sort of health checking is prudent before personal devices are allowed to connect to the personal-device network. They also have to be enrolled, to allow for authentication and encryption.

So does this solution work? Yes it does, and one great experience I had with Citrix is that BYOD and non domain joined devices are the norm!

Running Windows 8 on an iPad Mini with Citrix XenDesktop.

Written by jpaloma

March 8, 2015 at 8:18 PM

Posted in BYOD, Citrix, Hyper-V, Microsoft

Configuration Manager RBAC – Testing and Potential Issues


This blog post is about my personal gotchas in implementing Role Based Access Control in System Center 2012 R2 Configuration Manager.

When implementing Role Based Access Control in Configuration Manager, I personally recommend that the consultant come up with test conditions covering the whole RBAC space and ensure thorough testing of these RBAC roles, with very specific success criteria.

Perhaps the first potential issue I would emphasize to the consultant is that Reporting Services would probably be the first collateral damage of implementing RBAC, so make sure it is your primary test criterion. Why? If we limit the RBAC roles, especially Security Scopes, to objects that directly affect the client (e.g., applications, DPs, etc.), then Reporting Services will not work. I will write a separate blog post on this issue, but the quick solution is to ensure that a Security Scope is created that includes the Site container, and that this scope is also assigned to all RBAC roles that require reporting.

If your primary RBAC requirement is exclusive visibility of client computers for different client admin groups, your RBAC focus is on Collections. Your first move is to ensure that the client-administering RBAC roles do not have access to All Systems (which contains, of all things, all your servers that have the CM client installed). But doing so means you cannot use All Systems as the Limiting Collection of the other collections these admins require (the resulting collection will not contain any objects). Therefore, you need to create one collection for each client-administering group. This collection should contain all the computers that the group can administer and none of the computers it should not administer. It is then used as the Limiting Collection of all other collections that these admins create, for example:

  • EUROPE Client Admins – a collection that contains only EUROPE computers
  • APAC Client Admins – a collection that contains only APAC computers
  • EMEA Client Admins – a collection that contains only EMEA computers

It is highly recommended that you use Incremental Updates on these collections so that the memberships update every 5 minutes by default.
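As an added example (not code from the original post), here is how the per-region limiting collections and the Site-inclusive security scope described above could be built with the ConfigurationManager PowerShell module that ships with the 2012 R2 console. The site code PS1, the AD site name patterns, the collection names and the scope name are assumptions for illustration; the cmdlets are the module's own.

```powershell
# Added example, not code from the original post. Assumes the ConfigMgr 2012 R2
# console is installed on this machine and that the site code is PS1.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# One limiting collection per client-admin group. Each must contain only the
# computers that group is allowed to administer, so membership is driven by a
# WQL query rather than direct rules. The AD site name patterns are assumed.
$regions = [ordered]@{
    'EUROPE' = 'EU-%'
    'APAC'   = 'AP-%'
    'EMEA'   = 'EMEA-%'
}

foreach ($region in $regions.Keys) {
    $collectionName = "$region Client Admins"

    # RefreshType Continuous turns on incremental updates, so membership is
    # re-evaluated every 5 minutes by default. The collection is limited to
    # All Systems here because the Full Administrator is creating it; the
    # region admins themselves never get All Systems assigned.
    New-CMDeviceCollection -Name $collectionName `
        -LimitingCollectionName 'All Systems' `
        -RefreshType Continuous | Out-Null

    # Workstations only: a server must never land in a client-admin collection.
    $wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORName,
       SMS_R_System.Client
from SMS_R_System
where SMS_R_System.ADSiteName like '$($regions[$region])'
  and SMS_R_System.OperatingSystemNameandVersion like 'Microsoft Windows NT Workstation%'
"@
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
        -QueryExpression $wql -RuleName "$region workstations"
}

# Reporting Services needs the Site object in scope. A scope that carries the
# site is created once and later assigned to every role that must run reports.
New-CMSecurityScope -Name 'Site Reporting' `
    -Description 'Includes the Site object so reports resolve' | Out-Null
$site = Get-CMSite -SiteCode 'PS1'
Add-CMObjectSecurityScope -InputObject $site -Name 'Site Reporting'

# Test criteria from the post: every region collection has members and none
# of them is a server. Run this again after the first incremental update.
foreach ($region in $regions.Keys) {
    $members = @(Get-CMDevice -CollectionName "$region Client Admins")
    $servers = @($members | Where-Object { $_.DeviceOS -like '*Server*' })
    '{0}: {1} members, {2} servers (expected 0)' -f $region, $members.Count, $servers.Count
}
```

The final loop is the success criterion the post asks for, expressed as a check that can be re-run after every RBAC change: a region collection that suddenly contains a server, or that is empty because its limiting collection is not visible to the admin who owns it, shows up immediately.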

Written by jpaloma

January 12, 2015 at 10:19 AM

Configuration Manager RBAC – Security Scopes


Security scopes in Configuration Manager answer the question: Where could the operation be done?

There are two built-in security scopes: All and Default. All is not assignable to any object. Default is initially assigned to new objects. It can be removed later on if the object is assigned another security scope.

You can assign security scopes to the following objects:

  • Alert subscriptions
  • Applications
  • Boot images
  • Boundary groups
  • Configuration items
  • Custom client settings
  • Distribution points and distribution point groups
  • Driver packages
  • Global conditions
  • Migration jobs
  • Operating system images
  • Operating system installation packages
  • Packages
  • Queries
  • Sites
  • Software metering rules
  • Software update groups
  • Software updates packages
  • Task sequence packages
  • Windows CE device setting items and packages

Examples of security scope applications

  • Security scopes for test and production applications.
  • Security scopes for different groups in the organization that are administered by a different team.
  • If different Sites are intended to be administered by different teams, create a security scope per site, and assign it to the respective teams.

Security scopes can be customized based on how they are intended to be applied. Keep your security scope design as simple as possible so as not to put unnecessary load on the Configuration Manager database.
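As an added example (not from the original post), the test / production application case from the list above, done with the ConfigurationManager PowerShell module: two scopes are created, each application is tagged with one of them, and the Default scope is removed from the application so the separation actually holds. The scope names, application names and site code are assumptions.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr 2012 R2
# console is installed and that the site code is PS1.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Two scopes: one for applications still under test, one for production.
# Scope names are assumed.
foreach ($scope in 'Applications - Test', 'Applications - Production') {
    if (-not (Get-CMSecurityScope -Name $scope)) {
        New-CMSecurityScope -Name $scope -Description "Applications in the $scope scope" | Out-Null
    }
}

# Tag each application with its scope and drop the Default scope. Leaving
# Default on the object keeps it visible to every role that still holds Default,
# which defeats the test / production separation. Application names are assumed.
$assignments = @{
    'Contoso Reader 1.0 (test)' = 'Applications - Test'
    'Contoso Reader 1.0'        = 'Applications - Production'
}
foreach ($appName in $assignments.Keys) {
    $app = Get-CMApplication -Name $appName
    if (-not $app) { Write-Warning "Application '$appName' not found"; continue }
    Add-CMObjectSecurityScope -InputObject $app -Name $assignments[$appName]
    # Default can only be removed once another scope is on the object.
    Remove-CMObjectSecurityScope -InputObject $app -Name 'Default' -Force
}

# Keep the scope design small: list what exists so unused scopes stand out.
Get-CMSecurityScope | Select-Object CategoryName, CategoryDescription
```

The order matters: the new scope is added before Default is removed, because an object must always carry at least one scope. The closing listing is there to support the "keep it simple" advice; every scope you see in it is one more filter the site database evaluates on each console query.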

Reference: http://technet.microsoft.com/en-us/library/gg712284.aspx#BKMK_PlanningForRBA

Written by jpaloma

January 11, 2015 at 9:57 PM

Configuration Manager RBAC – Security Roles


Security roles in Configuration Manager answer the question: What operation could be done?

The following are the default Security Roles available in Configuration Manager 2012 R2:

  1. Application Administrator – Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.
  2. Application Author – Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications, packages, and App-V virtual environments.
  3. Application Deployment Manager – Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments.
  4. Asset Manager – Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.
  5. Company Resource Access Manager – Grants permissions to create, manage and deploy company resource access profiles such as Wi-Fi, VPN and certificate profiles to users and devices.
  6. Compliance Settings Manager – Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, and initiate compliance evaluation, and initiate remediation for non-compliant computers.
  7. Endpoint Protection Manager – Grants permissions to define and monitor security policies. Administrative Users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify Alerts and monitor Endpoint Protection status.
  8. Full Administrator – Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.
  9. Infrastructure Administrator – Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.
  10. Operating System Deployment Manager – Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.
  11. Operations Administrator – Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.
  12. Read-only Analyst – Grants permissions to view all Configuration Manager objects.
  13. Remote Tools Operator – Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.
  14. Security Administrator – Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.
  15. Software Update Manager – Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).

For details on each RBAC role, download the Matrix of Role-Based Administration Permissions for ConfigMgr 2012.

To copy an existing Security Role to a custom one:

1. In the Configuration Manager Console > Administration workspace > Overview > Security > Security Roles, right-click the security role you want to customize, and click Copy.

Copy Security Role 1

2. In Specify details for the customized copy of the selected security role, add a name and description, and modify the permissions as necessary. Click OK.

Copy Security Role 2
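The same copy step from the ConfigurationManager PowerShell module, as an added example that is not part of the original post. The source role is one of the built-in roles listed above; the custom role name, description and export path are assumptions. Adjusting individual permissions (step 2) is still done in the console, as the page describes.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr 2012 R2
# console is installed and that the site code is PS1.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Built-in roles cannot be edited; a copy is the starting point for a custom
# role. The target name and description are assumptions.
$sourceRole = 'Application Deployment Manager'
$customRole = 'Application Deployment Manager (EUROPE)'

if (-not (Get-CMSecurityRole -Name $customRole)) {
    Copy-CMSecurityRole -SourceName $sourceRole -Name $customRole `
        -Description 'Copy of Application Deployment Manager trimmed for EUROPE client admins'
}

# Trimming individual permissions has no cmdlet in 2012 R2, so that part is
# done in the console (step 2 above). Export the finished role to XML so it
# can be reviewed, kept under version control and re-imported elsewhere.
$exportPath = 'C:\Temp\AppDeployMgr-EUROPE.xml'   # assumed path
Export-CMSecurityRole -Name $customRole -Path $exportPath

# Review: the copy must not be marked built-in, and starts with no admins.
foreach ($roleName in $sourceRole, $customRole) {
    Get-CMSecurityRole -Name $roleName |
        Select-Object RoleName, IsBuiltIn, NumberOfAdmins
}
```

Keeping the exported XML next to the change request that justified the custom role gives an auditor a record of exactly which permissions were removed from the built-in role and when.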

Written by jpaloma

January 4, 2015 at 7:25 PM

Configuration Manager 2012 R2 Role Based Access Control


HAPPY NEW YEAR 2015! Role based access control (RBAC) has come a long way in Configuration Manager 2012 R2. Some find it too complicated. In this series, let’s break RBAC down into its more basic components so we can understand it better.

Written by jpaloma

January 1, 2015 at 3:00 PM

Understanding RBAC in Configuration Manager


Role based access control in Configuration Manager 2012 R2 requires an understanding of these three components:

  • Active Directory Groups are used to grant the Security Roles in Configuration Manager. Although user accounts can be used as well, the best practice is that Active Directory Groups are assigned the permissions, and user accounts are then added to or removed from the AD Groups according to the needs of Configuration Manager.
  • Security Roles assign the permitted operations on specific Configuration Manager object types.
  • Security Scopes are used to assign on which instances of a specific object the operations in Security Roles may be performed. For example, without Security Scopes, a Security Role that could manage Distribution Points has the ability to perform the required operations on all DPs. With Security Scopes, the operations can be limited to specific Distribution Points.
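As an added example (not from the original post), the three components tied together with the ConfigurationManager PowerShell module: an AD group is made an administrative user, given security roles (what), and restricted to security scopes and a collection (where). The AD group, role, scope and collection names and the site code are assumptions; the scopes and the collection are assumed to exist already.

```powershell
# Added example, not from the original post. Assumes the ConfigMgr 2012 R2
# console is installed and the site code is PS1. The group, scope and
# collection names below are assumptions; the scopes and collection must exist.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$adGroup = 'CONTOSO\EUROPE Client Admins'   # WHO: an AD group, never a single user
$roles = @(                                  # WHAT: permitted operations
    'Application Deployment Manager'
    'Remote Tools Operator'
)
$scopes = @(                                 # WHERE: which object instances
    'Applications - Production'
    'Site Reporting'                         # keeps Reporting Services working
)
$collection = 'EUROPE Client Admins'         # WHERE: which computers

# Fail early if a scope or collection is missing. Creating the administrative
# user without these restrictions would leave the group with the wizard's
# default (all instances), i.e. far wider access than intended.
foreach ($s in $scopes) {
    if (-not (Get-CMSecurityScope -Name $s)) { throw "Security scope '$s' does not exist" }
}
if (-not (Get-CMDeviceCollection -Name $collection)) {
    throw "Collection '$collection' does not exist"
}

# The AD group gets the roles, limited to the scopes and the collection.
# From here on, membership changes are made in AD, not in Configuration Manager.
New-CMAdministrativeUser -Name $adGroup -RoleName $roles `
    -SecurityScopeName $scopes -CollectionName $collection | Out-Null

# Verify the result: roles (what) plus scopes and collections (where).
$admin = Get-CMAdministrativeUser -Name $adGroup
$admin | Select-Object LogonName,
    @{ n = 'Roles';       e = { $_.RoleNames -join ', ' } },
    @{ n = 'Scopes';      e = { $_.CategoryNames -join ', ' } },
    @{ n = 'Collections'; e = { $_.CollectionNames -join ', ' } }
```

The verification output is the artefact worth keeping from an RBAC rollout: one line per AD group showing who, what and where, which is exactly what has to be re-checked after any role or scope is changed later.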



Written by jpaloma

January 1, 2015 at 2:59 PM

