Configmgr 2007 and how to automate Windows 7 Backup Activation thru a task sequence

February 20, 2011 at 11:43 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Deployment, Installation, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Task Sequence, Windows 7, Windows 7 SP1 by Kenny Buntinx [MVP]

One of my customers is using a GHOST principle on their laptops, to restore an original image from a restore partition. This partition is right now visible for the end user. Now that we are migrating towards SCCM we want to do the same thing thru Configmgr.

To accomplish this, we only focus on the integrated windows 7 backup tools as they have a native build in wizard to restore as well .

Scenario to accomplish :

  1. We want to do a full backup at the end of the deployment task sequence , including the standard applications and save it locally. This one allows you to restore the machine as it was at the end of the task sequence.
  2. We want to let any user restore that image on an easy way with helpdesk support . Mainly this scenario is for end users that are sitting somewhere in the “bush bush” and no direct connection to a nearby office .
  3. We want to schedule for those kind of users a backup when he is working on his machine , based on VSS technology . ( impossible with ghost ).

Steps to accomplish the scenario :

First of all I want to thank Kim Oppalfens and George Simons ( both MVP ConfigMgr ) for helping me accomplish this scenario. We had some offline discussions to accomplish this scenario and it is not yet perfect .

The initial process we have in mind during the Operating system deployment phase when we stage an image to a machine for a user:

1. Creating the necessary partitions :

  • System partition (+/- 500 mb) that will hold the bootloader (think of Bitlocker ) and the WINRE environment. ( hidden )
  • C:\ OS partition
  • D:\ Data partition
  • E:\ IMAGE system image backup partition (drive letter will be removed in the process)

2. Create local admin user f.e. RECOVERY and added the local admins group. We have tested this with a power user or backup operator , however you need local admin rights to restore the image. For security purposes we investigate later to have a daily/weekly/monthly password changer based upon an algorithm.

3. Run the windows 7 built-in WBADMIN tool, with the following parameters : “wbadmin START BACKUP –BackupTarget:E: -include:c: -AllCritical –Quiet”

4. Remove drive letter of the “Image”Partition , in this case E:\ 

 

We don’t care about hiding the volume. Standard users have no permissions to reassign a drive letter, and hence won’t be able to see or use the partition. That is more than enough for us. Hiding the partition just complicates matters for us from an admin perspective.

The additional process we could have in mind is to send down a task sequence to back up his system when a user requests it. This could be performed with or without  any user interaction.

Task Sequence example :

</group>
      <group name="Backup" description="">
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Admin Recovery User" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: net user recovery Helpdesk123 /add</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">net user recovery Helpdesk123 /add</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Add Recovery User to Local Admin" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: net localgroup "Administrators" recovery /add</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">net localgroup "Administrators" recovery /add</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Create Backup" description="" timeout="1200" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: wbadmin START BACKUP -BackupTarget:e: -include:c: -AllCritical -Quiet</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">wbadmin START BACKUP -BackupTarget:e: -include:c: -AllCritical -Quiet</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
        <step type="SMS_TaskSequence_RunCommandLineAction" name="Hide Drive Letter" description="" timeout="900" runIn="WinPEandFullOS" successCodeList="0 3010">
          <action>smsswd.exe /run: Mountvol e: /D</action>
          <defaultVarList>
            <variable name="CommandLine" property="CommandLine" hidden="true">Mountvol e: /D</variable>
            <variable name="SMSTSDisableWow64Redirection" property="DisableWow64Redirection">false</variable>
            <variable name="_SMSTSRunCommandLineAsUser" property="RunAsUser">false</variable>
            <variable name="SuccessCodes" property="SuccessCodes" hidden="true">0 3010</variable>
          </defaultVarList>
        </step>
      </group>

End user experience :

1.When your Windows 7 machine gets broken it will automatically jump to the window shown below , otherwise Press F8 during boot :

image

2. When you start “Repair your computer” , WinRe will start up .

image

3. Once “WinRe”is loaded it will ask for your keyboard layout :

image

4. Fill in your credentials

image

5. Select “System Image Recovery”

image

6. Select the image that you want to restore and wait until the process has been completed .

image

 

Remarks / Improvements to make :

  1. The complete process works only once with a hidden drive letter…….until you do the restore. After the restore the drive letter is back and then a user could mess around and delete stuff. I have tried to remove the driveletter before running wbadmin , but I have no success to use the GUID as my drive is MBR and not GPT. Anyway the basic principle works .
  2. User security : We need a algorithm to change the custom local admin restore user  on a daily/weekly/monthly basis as a default password just isn’t secure enough .
  3. Now I am testing to get a function key on a Lenovo to do his magic ( Press F5 and it launches auto magically the recovery environment ) . More on that in a later blog post .

 

Hope it Helps ,

Kenny Buntinx

Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInPin on Pinterest