Real-world OS Deployment Samples Jörgen Nilsson Principal Consultant Onevinn @Ccmexec http://ccmexec.com Johan Arwidmark CTO Truesec @Jarwidmark http://deploymentreaserch.com
Jörgen Nilsson Johan Arwidmark @ccmexec @Jarwidmark MVP MVP 2x A lot! Liverpool FC, Beer, Meat Steak
Session takeaway Common Challenges Windows 10 Challenges Sample Task Sequence Walk-Through Real World examples & Scenarios And all the geeky stuff you didn’t know you needed to know ;-)
Size matters!! Windows 10 Size Feature Update size Cumulative Update Size
Common Challenges
Webservice! Why a Webservice? Stable. Fewer ports open from clients to the Primary Site server; for example, the "remove a computer from a collection" script requires RPC high ports and WMI, while the Webservice requires only 443 (NOT 80)
Community Webservices Web Service for OS Deployment https://gallery.technet.microsoft.com/Web-Service-for-OS-93b6ecb8 ConfigMgr WebService https://gallery.technet.microsoft.com/ConfigMgr-WebService-100-572825b2 Deployment Webservice (Maik Koster) http://mdtcustomizations.codeplex.com/
Updating definitions during OSD Windows Defender, Endpoint Protection Script to Schedule definition download and package update on a Server Script to deploy during OSD Remember different definitions for Endpoint and Defender
Microsoft LAPS Great solution, if you don’t use it you should!! However, during OSD you must clear ”ms-Mcs-AdmPwdExpirationTime” or else! … you will not know the password on the machine until that date has passed
Prestart commands Boot Image Set system time! Delete any existing ”unknown” object Kick off OSDBackground.exe What is runsilent.exe?
Windows 10 Challenges
What is new under the surface in Windows 10 1607
Driver Signing
TPM Management changes in Windows 10 1607
TPM backup No Longer Possible? In Windows 10 1607 / Server 2016 the ADMX option to back up the TPM owner information is removed. The MBAM agent no longer has access to the key by default in Windows 10 1607. Solution!! - TPMPassTheHash: _OSDOAF = password hash (if you use pre-provisioning). A PowerShell script that writes the variable to the registry and sets OSManagedAuthLevel = "4", and a last step that changes it back to "2"
_OSDOAF
Language Support Managing Multiple languages during deployment Deployment, Offline or Online Windows 10 Servicing challenge
MBAM deployment Reg files to control the encryption level, otherwise = default of the PE version that is used = no control MBAM TPM Pass the Hash The normal script to enable MBAM and encryption
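The TPM pass-the-hash flow from the "TPM backup No Longer Possible?" and "MBAM deployment" slides, as an added example (not the presenters' own script): the value of the task-sequence variable _OSDOAF is written to the registry and OSManagedAuthLevel is set to 4, and a separate mode reverts it to 2 for the last TS step. The registry paths and the OwnerAuthFull value name are assumptions made here, not taken from the slides.

```powershell
# Added example, not from the presentation. Runs inside the full OS as
# SYSTEM from a "Run PowerShell Script" TS step. Assumed locations:
#   OwnerAuthFull under the TPM WMI Admin key (where the OS keeps owner auth)
#   OSManagedAuthLevel under the TPM policy key (4 = full, 2 = delegated)
param(
    [ValidateSet('Set', 'Revert')]
    [string]$Mode = 'Set'
)

$TpmAdminKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'
$TpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

function Set-TpmOwnerAuthFromTs {
    # Read the owner auth the TS captured during TPM pre-provisioning.
    $tsEnv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
    $ownerAuth = $tsEnv.Value('_OSDOAF')
    if ([string]::IsNullOrEmpty($ownerAuth)) {
        throw '_OSDOAF is empty: the TPM was not pre-provisioned in this TS.'
    }
    foreach ($key in @($TpmAdminKey, $TpmPolicyKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Hand the owner auth to the OS and allow MBAM to read the full value.
    New-ItemProperty -Path $TpmAdminKey -Name 'OwnerAuthFull' `
        -Value $ownerAuth -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $TpmPolicyKey -Name 'OSManagedAuthLevel' `
        -Value 4 -PropertyType DWord -Force | Out-Null
}

function Restore-TpmManagedAuthLevel {
    # Last TS step: back to the default delegated level once MBAM has
    # escrowed the owner auth, so the full value is no longer exposed.
    New-ItemProperty -Path $TpmPolicyKey -Name 'OSManagedAuthLevel' `
        -Value 2 -PropertyType DWord -Force | Out-Null
}

switch ($Mode) {
    'Set'    { Set-TpmOwnerAuthFromTs }
    'Revert' { Restore-TpmManagedAuthLevel }
}
```

Run the script with -Mode Set before the MBAM enable step and with -Mode Revert as the final step of the task sequence.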
Using App-V and UE-V Needs to be enabled now that it is built into the operating system = PowerShell Enabling UE-V and getting it to sync on first logon requires: Enable-Uev Set-UevConfiguration -Computer -EnableWaitForSyncOnApplicationStart -EnableWaitForSyncOnLogon We also need to register the UE-V templates we need.
Task Sequence walk through
Task Sequence groups Initialize section Sets default values in the TS, example SMSTSErrorDialogTimeout Format Disk, convert to UEFI Error Handling Completion Section Error Section
Completion Section Remove from Collection Report completion Copy OSD Logs Stop OSD Background Process
Error Section Save TS Error Code (so we can use it later) OSDBackground Error Set OSD Variables Copy OSD Logs Remove From OSD Collection Disable computer account (a failed machine should never ever be used) SetError Fail the TS with the actual error code that caused the failure
Customer TS example
Real World Samples