Add computer AD Group during MDT/SCCM Sequence


Matt Strickland

Mar 24, 2021, 5:29:29 PM3/24/21
to Techies for schools
Hi all,

Does someone here have a working script to add a device to an AD group during the task sequence? I've tried a few and they often end up broken (currently deploying 20H2).

I currently call a powershell script using ADSI to check membership first (ismember) then add to the group.

If not I'll go hunting, but if someone has something that works in 20H2 it will save some testing time.

Matt
Karamu High School
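An added example, not Matt's own script, of the approach he describes: an ADSI membership check (IsMember) followed by an Add, so the step is safe to re-run. The group DN, the OU layout and the assumption that the step runs under the join account with write access to the group's member attribute are all placeholders.

```powershell
# Added example, not the original poster's script: during the task sequence, check
# whether this computer is already a member of an AD security group via ADSI and
# add it only if not, so re-running the step is harmless.
# Assumptions: the step runs under the MDT/SCCM join account, which has been
# granted write access to the group's member attribute; the group DN is a placeholder.
param(
    [string]$GroupDN = "CN=O365-DeviceLicence,OU=Groups,DC=example,DC=local"  # placeholder
)

$computerName = $env:COMPUTERNAME

# Find the computer object by sAMAccountName (computer accounts end in '$').
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$computerName`$))"
$found = $searcher.FindOne()
if (-not $found) {
    Write-Error "Computer object for $computerName not found in AD"
    exit 1
}
$computerDN = $found.Properties["distinguishedname"][0]

# Bind to the group and use the IADsGroup IsMember/Add methods on the ADSI object.
$group = [ADSI]"LDAP://$GroupDN"
if ($group.IsMember("LDAP://$computerDN")) {
    Write-Output "$computerName is already a member of $GroupDN"
} else {
    $group.Add("LDAP://$computerDN")
    Write-Output "Added $computerName to $GroupDN"
}
exit 0
```

Run it as a "Run PowerShell Script" step after the domain join; the non-zero exit code surfaces a missing computer object in the task sequence log rather than silently continuing.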

Alistair Baird

Mar 24, 2021, 5:53:21 PM3/24/21
to techies-f...@googlegroups.com
I add to the group during MDT - normally add it to a staging AD group to add in software etc. Then when I commission it, just swap to the relevant group after that for GP. The group to join is set up in the bootstrap.ini.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/techies-for-schools/3681d8b5-aca3-4e62-be4a-e76810d82094n%40googlegroups.com.


--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 482 937

Tracy Briscoe

Mar 24, 2021, 6:15:24 PM3/24/21
to techies-f...@googlegroups.com

Hi Matt

Attached are the two scripts we run in the State Restore stage of our task sequence.

The first script configures the workstation to trust the Windows Deployment Server – allowing authentication using CredSSP to work.

In the second script we use PowerShell remoting to run some commands on the Windows Deployment Server.

I can't remember if we had to do anything special on the Windows Deployment Server to allow PowerShell remoting to work.

Regards,

Tracy Briscoe
Senior Network and Systems Engineer
St Peter’s School, Cambridge

SetupADAccount.ps1.txt
SetupADAccountPt1.ps1.txt
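The attached scripts are not on this page; the following is an added example, not Tracy's code, of the two-step pattern she describes: the workstation trusts the deployment server for CredSSP, then PowerShell remoting runs the group change on that server. The server name, group name and the MDT task sequence variable names used for the credential are assumptions.

```powershell
# Added example, not the attached scripts: client-side CredSSP trust for one host,
# then a remoting call that does the group change on the deployment server.
# Assumptions: wds01.example.local, the group name and the MDT variables are placeholders;
# the server already has CredSSP enabled for the server role (Enable-WSManCredSSP -Role Server).
$wdsServer = "wds01.example.local"        # placeholder: Windows Deployment Server
$groupName = "O365-DeviceLicence"         # placeholder: target AD security group

# Step 1: trust only the WDS host for credential delegation. CredSSP forwards the
# account's credentials to the remote host, so the list is that single name, not a wildcard.
Enable-WSManCredSSP -Role Client -DelegateComputer $wdsServer -Force | Out-Null

# Build the credential from MDT task sequence variables (the domain join account).
$tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$user  = "{0}\{1}" -f $tsEnv.Value("JoinDomain"), $tsEnv.Value("DomainAdmin")
$pw    = ConvertTo-SecureString $tsEnv.Value("DomainAdminPassword") -AsPlainText -Force
$cred  = New-Object System.Management.Automation.PSCredential($user, $pw)

# Step 2: run the membership check and add on the server over PowerShell remoting.
Invoke-Command -ComputerName $wdsServer -Authentication Credssp -Credential $cred `
    -ArgumentList $env:COMPUTERNAME, $groupName -ScriptBlock {
    param($computerName, $groupName)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $computerName -Properties MemberOf
    $groupDN  = (Get-ADGroup -Identity $groupName).DistinguishedName
    if ($computer.MemberOf -contains $groupDN) {
        "$computerName is already a member of $groupName"
    } else {
        Add-ADGroupMember -Identity $groupName -Members $computer
        "Added $computerName to $groupName"
    }
}

# Remove the client delegation setting so it does not persist in the finished build.
Disable-WSManCredSSP -Role Client
```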

Matt Strickland

Mar 24, 2021, 6:53:58 PM3/24/21
to Techies for schools
Thanks Tracy,

I've taken a look and adapted it to work.
I'm only adding to a pre-defined security group that's synced in Azure for O365 device-based licensing (apps).

I use device-based licences on our owned devices (rather than shared activation) so when it's exam time I can use a non-licensed or local account that's clean, but Office still works without the outside world.

Devices that are not shared (e.g. TELA, supplied BYOD, etc.) I just use shared activation.

Matt

Matt Strickland

Mar 25, 2021, 6:32:30 PM3/25/21
to Techies for schools
Hi Alistair,

Did you mean a specific OU in your case? Or an actual AD security group?

I do also have a Deployment OU that I use for initial deployment that has some policies to aid deployment, later moved to the correct OU to pickup printers etc.

Matt

Alistair Baird

Mar 25, 2021, 6:55:14 PM3/25/21
to techies-f...@googlegroups.com
An OU. Having re-read your OP, I am picking you want to add security groups.

Sam McNeill

Mar 25, 2021, 10:23:43 PM3/25/21
to Techies for schools
Matt,
Have you had a look at modern management using AutoPilot and Intune to deploy from the cloud, rather than using MDT and gold images?
Definitely worth checking out the recommended approach around zero touch deployment,
Cheers
Sam

Matt Strickland

Mar 29, 2021, 10:11:40 PM3/29/21
to Techies for schools
Hi Sam,

Yes - I did the trial in a box a few years ago and covered zero touch. I have deployed some devices this way - but for speed in deploying and updating 3rd party apps I've stuck with trusty MDT.
It's really a time thing rather than convenience.

Eventually at the point when local AD is decommissioned, and there's virtually nothing on-site I'd be down that path.

Matt

Sam McNeill

Mar 30, 2021, 3:29:27 PM3/30/21
to Techies for schools
Good stuff Matt.
You're probably across hybrid joined devices, but just in case:


I actually see a lot of partners doing:

1) Hybrid joined where there is still AD on premise, but want to also leverage power of AAD/MEM
2) Laying down a "base image" on the device with MDT (or even just using MDT to wipe clean the device) and then using MEM/Intune to do dynamic updates on the fly in terms of policy / apps etc. Even some of the Universities are trending in this direction.

Cheers
Sam

Sam McNeill

Mar 30, 2021, 6:46:18 PM3/30/21
to Techies for schools
This thread, along with a discussion with a partner wanting help in this area, made me think having a single collection of resources in this space would be helpful:


I'll keep that one blog post updated with new information as it comes to light.
Cheers
Sam

te...@whs.ac.nz

Mar 31, 2021, 6:10:25 PM3/31/21
to Techies for schools
Hi Sam and others.

We too had the trial in a box and whilst we found it "easy" to plug USBs in each machine, we found there were issues around software in particular, as well as automation of deployments.
Having to walk around each machine with a USB and then wait for further deployment of software vs pushing a few buttons and knowing your deployment will kick off and be ready in an hour for students to sit down and have everything available is too great of a tradeoff from our perspective.

Has this changed lately? Perhaps we can look at changing our approach, but this was a significant factor in continuing with SCCM/MDT style 'gold' deployments.
One thing we do regarding deployments is to have all the common software readily available and keep the gold image as slim as possible (a middle ground of most used vs all apps), but for the likes of Creative Suite and other large apps, it can be an incredible waste of time waiting for those to deploy "later".

Interested in hearing thoughts around this

Sam McNeill

Mar 31, 2021, 6:40:10 PM3/31/21
to Techies for schools
Morena.

The thing that's changed most since the "Trial in a box" a few of you had is the addition of Windows AutoPilot - 2min explanation video here:


This allows the device to be registered to your school tenant / environment and then automatically have the appropriate deployment profile (think traditional image) pushed to the device when it first connects to the internet. This allows customisation, i.e. different apps for devices in the library vs TELA devices for teachers vs junior school shared laptops.

Your reference to the USB driven deployment is using the Set up School PC App:


This is only one way, but for more hands off / zero touch deployment in edu I'd recommend:

1) Windows 10 Pro Education from factory (available from the www.aka.ms/shapethefuture program giving you lowest cost Win10 in education)
2) AutoPilot to have devices registered to your ecosystem (your reseller / OEM can even pre-load these or you based on Partner Centre affiliation)
3) Intune to build the deployment profile for the devices and push out automatically.

I know there are partners on this forum that use the above combo pretty much exclusively - they may / may not choose to weigh in, also an increasing number of schools taking this approach too. I don't want to hijack this too much but happy to talk more off thread if you wish.

Ultimately, there's nothing wrong with sticking with MDT/SCCM if you want to; my only recommendation would be to pay attention to the way MSFT (in fact, ALL device manufacturers) is trending - all moving towards cloud MDM and away from traditional management. Every release of Win10 has more and more cloud MDM features.

Cheers
Sam

Matt Strickland

Mar 31, 2021, 7:22:03 PM3/31/21
to Techies for schools
"One thing we do regarding deployments is to have all the common software readily available and keep the gold image as slim as possible"

I do exactly the same here, the image is the latest Windows 10 fully patched with no 3rd party software, then I maintain an app folder with all the latest apps to deploy (Office/Chrome/Firefox/AcroPDF/Notepad++/Minecraft/VLC/Papercut etc)
For me this is still the fastest deployment method and especially for entire labs in one go.

As we migrate to take home devices / laptops, then yes MEM will play a better role.

Matt

Jeffrey B

Mar 31, 2021, 8:29:47 PM3/31/21
to techies-f...@googlegroups.com
We do a hybrid-hybrid approach, as devices still come with painfully old versions of Windows (1909 etc.), and the basic updates, let alone an in-place upgrade, take longer than a reimage. We drop an FFU image of the latest updated Windows and Office on them, then use a provisioning package (not the school join app) to join to AAD or AD depending on its role. Intune/Endpoint Manager is painfully slow in comparison to AD software deployment. An FFU can be applied from a USB key in about 6 minutes on a quick machine or 15-20 on a slow one, beating out WIM-based images by an hour on very slow machines. A USB key with a provisioning package can be trusted to get it all the way to a logon screen without further intervention after the initial setting off of the imaging commands.

The biggest difference is in the exact kind of lower-speed machines meant for 1:1. Intune can take an hour plus to chew through its checks and installs after Windows is on there, the same ones that will be done in 10 minutes on a better-spec machine. AD also just shows you a logon screen when it is done, whereas there is no visible flag on AAD.

Jeffrey.
