
- Number of slides: 19
Slide 1: Windows Desktop Deployment Service at LANL
Mark Wingard
Central Services and Development Team, CTN-1
Los Alamos National Laboratory
LA-UR-08-2667
UNCLASSIFIED Operated by Los Alamos National Security, LLC for NNSA

Slide 2: The History of Windows Deployment at LANL
Central Services and Development (CSD) Efforts
- 2000 – “Scripted Install”: Installation of a networked Ghost image with a DOS boot floppy
  - Slow
  - Driver issues
- 2003 – “Expressway”: Installation of a networked Ghost image with a DOS boot CD
  - Drivers stored on CD
  - Issues w/ maintaining drivers, especially NIC drivers
- 2005 – “Dynamic Expressway”: Network-based installation of applications and security hardening
  - Presumed XP was already installed
Field Technician Effort
- 2006 – BartPE CD with XP Ghost image with all applications pre-installed
  - Not supported by CSD
  - Unwanted/unlicensed applications had to be uninstalled
  - Limited QA
  - No version control

Slide 3: NLIT 2007 Sessions
- XLoad Presentation by LLNL
- Windows XP Setup Disk by SNL
- Vista Deployment Presentation by ORNL

Slide 4: XLoad - LLNL
- Windows .NET Framework 1.1 running on WinPE
- Leveraged WMI
- Custom code by LLNL developers
- No support for Vista at the time
- LANL Management really liked it

Slide 5: Sandia’s XP Setup Disk
- Custom application by SNL developers
- Used various installation methods for standard or customized XP install
- No application installation
- Unique to Sandia

Slide 6: ORNL’s PC Loader
- Used Microsoft’s BDD 2007
- Highly customizable
- Free
- How did we miss their presentation???

Slide 7: Microsoft’s Business Desktop Deployment (BDD)
- New deployment method (Solution Accelerator) from Microsoft based on “Best Practices”
  - Collection of scripts
  - WinPE boot from various sources
  - Operating system image building tools
  - User State Migration (migrating users’ data and settings)
  - Various installation scenarios:
    - Bare Metal
    - Refresh
    - Side-by-Side
- Microsoft Deployment Toolkit
- Works with or without SMS
  - LANL uses SMS 2003 (upgrading to SCCM)
- Free and supported by Microsoft!!

Slide 8: Microsoft Deployment Toolkit 2008
- Highly customizable
  - Lite Touch (without SMS/SCCM)
  - Zero Touch (with SMS/SCCM)
- Works with XP, Vista, 2003 Server, 2008 Server
- Dynamic driver injection
- User State Migration
- Additional application support
- Security update support
- Tools to build custom images (WAIK)
  - File-based image
  - Can be updated offline
  - Images, applications, drivers, etc. stored on network
- WinPE boot:
  - CD
  - USB
  - Windows Deployment Server (PXE boot)
  - Refresh from existing system

Slide 9: MS Deployment Flow
- Build custom image
  - Install XP SP2 on reference computer
    - Harden to NIST 800-68 configuration guidelines and latest patches
    - Install base applications: Office Pro 2003, Adobe Acrobat, Symantec AntiVirus, Windows Defender, SMS 2003 client, utilities, installers for other applications and security script
- Capture image using Windows Automated Installation Toolkit (WAIK) tools and save to network
- Gather drivers for supported hardware
- Build installers for additional applications
- Build ISO for WinPE for new computer installs
- Provide ISO to field technicians
- Field techs install image and additional apps as desired
- Computer reboots w/ auto-logon as Administrator
- Tech joins computer to Active Directory
- Runs script to rename/disable Administrator and Guest
- New computer installed in less than 30 minutes!
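
Added example for the last scripted step of the flow above (rename/disable Administrator and Guest); this is not LANL's script. It uses the LocalAccounts cmdlets from Windows PowerShell 5.1, which postdate the XP-era build described in the deck, and the replacement names and the choice to disable Guest always but Administrator only on request are assumptions.

```powershell
# Added example, not LANL's script. Requires Windows PowerShell 5.1+ (elevated).
param(
    # Hypothetical replacement names (placeholders); set per site policy.
    [string]$AdminNewName = 'adm-PLACEHOLDER',
    [string]$GuestNewName = 'gst-PLACEHOLDER',
    # Assumption: Guest is always disabled; Administrator only when requested.
    [switch]$DisableAdministrator
)
$ErrorActionPreference = 'Stop'

# Find a built-in account by its well-known RID (500 = Administrator, 501 = Guest)
# so the lookup survives an earlier rename or a localized account name.
function Get-BuiltinAccount {
    param([Parameter(Mandatory)][int]$Rid)
    $account = Get-LocalUser | Where-Object { $_.SID.Value -match "-$Rid`$" }
    if (-not $account) { throw "No local account with RID $Rid found." }
    $account
}

# Rename and optionally disable one account; does nothing if already compliant.
function Set-BuiltinAccount {
    param(
        [Parameter(Mandatory)]$Account,
        [Parameter(Mandatory)][string]$NewName,
        [bool]$Disable
    )
    if ($Account.Name -ne $NewName) {
        Rename-LocalUser -SID $Account.SID -NewName $NewName
    }
    if ($Disable -and $Account.Enabled) {
        Disable-LocalUser -SID $Account.SID
    }
}

Set-BuiltinAccount -Account (Get-BuiltinAccount -Rid 500) -NewName $AdminNewName `
    -Disable $DisableAdministrator.IsPresent
Set-BuiltinAccount -Account (Get-BuiltinAccount -Rid 501) -NewName $GuestNewName -Disable $true

# Re-read both accounts and report the final state for the build record.
500, 501 | ForEach-Object { Get-BuiltinAccount -Rid $_ } |
    Select-Object Name, Enabled, @{ Name = 'SID'; Expression = { $_.SID.Value } }
```

Because the accounts are matched on RID rather than name, the script can be re-run on an already hardened machine and will only report state.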

Slide 10: Windows Desktop Deployment Service (DDS) Beta 1
- Restriction to support static IP addresses only
- Custom code added to support static IPs
- No ability to add additional applications
- New ISO/CD required when changes were made
- Support for common Dell workstation models only

Slide 11: DDS Beta 1

Slide 12: DDS Beta 1 Image Choices

Slide 13: DDS Beta 2
- New and existing systems are deployed through firewall router
  - New computer boots from CD
  - Router provides DHCP address
- Support for Refresh of existing computers
  - No CD boot required
  - User settings and data migrated
- Two image choices
  - New Computer with pre-installed, base applications
  - Existing Computer with identical image as New Computer
- Menu of additional, optional applications

Slide 14: DDS Beta 2 Illustrated

Slide 15: DDS Beta 2 Illustrated (Cont’d)

Slide 16: DDS Communications
- Internal Web Site
- Change Control Board

Slide 17: DDS Future
- Add support for
  - Laptops
  - Other manufacturers (HP, IBM…)
  - Vista
  - Servers
  - 64-bit
- Provision new computers as delivered to LANL
- Continue to leverage NIST-approved settings to achieve security compliance
- Integrate with SCCM

Slide 18: DDS Beta 2 Vs
You be the judge!

Slide 19: Questions (and maybe Answers)