Modern Workplace Management - Build Endpoints without SCCM Part 3

D Walsham • 24 June 2021

Consolidation of Build Checklists

Introduction

So just to recap on the previous part of this series we covered a base scenario of where we would utilise other products as a dependency to provision or even pre-provision endpoints before getting them to a state where they can be auto-enrolled and then into Autopilot - in this case this would be around SCCM.

We also detailed in a diagram form of where we ideally want to be, and that's to not have any dependency when it comes to the provisioning of the endpoints where its also soley performed within Intune.

This part we will be going into the nitty gritty of how this works.

The "Provisioning Phase"

This is the part which was not visible in the diagrams. Reason being is because we want this to be a seamless transition, embedded part of the process that gets you from point a to point b.

But first, lets explore how we see the provisioning phase working below.

This diagram gives a flow chart which mimics how we would see a typical build checklist would go, and then see it go through the motions where we would then have the machine prepared within this process and then we can say yes its ready to go through Autopilot or even the white glove process.

In real world cases this process is split up where prerequisite checks can be of a manual process, where as there are scripts which can easily add a machine into Intune & Autopilot, more notably the Get-WindowsAutopilotInfo.ps1 script

Manual Checklist

Depending on manufacturer these can range from various little tasks such as;

  1. Ensuring TPM is enabled and using 2.0 for using Bit locker
  2. Secure Boot if using a UEFI boot using something like SCCM
  3. Time & Date Settings in BIOS
  4. Standardised Boot Order
  5. BIOS Updates (optional but can vary)
  6. Removal of existing device records (i.e Active Directory, SCCM, Intune, Azure AD)
  7. Checking if device exists in Autopilot already

Now if you put that into practice of an extensive list like this and having to go through several thousands of devices the administrative effort can indeed be overwhelming. Now for new devices which are prepared from factory and already added into Autopilot then this list isn't necessarily an issue.

Having said that, that doesn't mean that any of these settings haven't changed in anyway so essentially an engineer would still have to double check just for the case of due dilligence.

Automatic Checklist (Task Sequence)

These are the somewhat obvious bits when looking to get machines enrolled in masses. A task sequence that would contain things like;

  1. Enroll into Intune
  2. Add device to Autopilot
  3. Check if Autopilot profile has been added

Of course these can be done manually, but you don't want to be doing this manually :)

Tasks such as these are consolidated within some form of a Task Sequence to be able to deploy to mass amounts of devices. But as you can see with both the manual checklist and automatic one we have a semi-automatic process altogether. There isn't anything wrong with this as semi-automatic approaches have a benefit of at least being checked over with some form of human interaction. But we would like to get to a point we can automatic and logically structure this process as close as possible.

How to Consolidate this phase and not using SCCM

To reiterate this section is applicable for management of all existing machines within your estate and not for machines which are brand new. These ideally would already be provisioned and ready to go. Having said this a new device will turn into an existing device so bear this in mind.

Reset PC/Wipe Device

Very simple and straight forward option to go with when needing to reset the device to go through the process again if giving the device to another user.

Of course this option is useful if you are absolutely certain that everything has had a check so that it had all of the standardised requirements, and that's more on the hardware front. Depending on the kind of setup you have whether it would be an Azure AD or even hybrid scenarios (will be covered in a later part) there are still other technologies you would have to consider to perform clean ups on before you can move forward.

Take for example Active Directory and SCCM/MEMCM. If you are going through the Autopilot and joining the machine to the domain whether the scenario you could run into issues where the record already exists and therefore has an issue joining it to the domain and that would have a knock on affect on the Autopilot process.

Then looking at the SCCM/MEMCM side of things, this isn't necessarily as critical but you could face duplicate device records and if deploying anything via SCCM still can also cause issues too.

The wipe device method is also great. Bear in mind your device would have to already be managed by Intune at this point, and is seen more of a security measured in case a device is lost. But it does have its benefits when wanting to reset a machine too.

Automated Reset PC Process

Here is where we want to add the magic.

What we ideally want to do is to turn those manual checks into a process which goes through these seamlessly and then prepare the machine to be reset. Best thing to compare this to would be similar to how you would have seen a Windows Feature update be applied.

First thing it does is check all of the prerequisites, mandatory ones of course if that fails then the upgrade will essentially stop but if any optional ones flag up it wouldn't halt the process. And this is what we want.

Figure 1.2 - Shows how we want it to be as just one process, and not split up into multiple tasks. But lets perhaps cover the tasks in which we have mentioned just to give a high level overview of how this can be automated into a process.

BIOS Checks
  So we mentioned earlier about things such as

  • Setting Date & Time
  • Enabling Secure Boot
  • Enabling TPM
  • Ensuring Virtualization is Enabled
  • Organising of Boot Order

Now the key part of any of the categories is not so much whether we can change them if they are not set correctly (we are aiming to do this too though!) but more of how this is communicated to you. To think of how the administrative effort is lowered by a process telling you rather than you having to manually check to see if that's actually the case or not.

So things like WMI classes can detect and set a lot of these. If we investigate the Lenovo manufacturer for example, you can use WMI classes to not only detect all the ones stated above but also to enable/disable them at leisure. More can be found about this here

As an example of what we mean of being told what the deal is with an endpoint or not, say we use BIOS passwords to lock down settings on endpoints. Now for the Lenovo WMI Class you cannot set a password for them if it was never set before .  You can only clear it or change it. So with that scenario we would engineer it where we are advised of what the password state is. And if it is set then we validate that it is using the correct password.

Now in a regular way of performing this you would have to shut the machine down, restart it and go into the BIOS to see if this is the case.

 Removing Device Records
  This can be tricky. Perhaps more on an Active Directory front.

  In an ideal world we would love to automate the removal of device records from technologies such as SCCM, AD etc but there are some factors you have to think about, especially since I've experienced this.

 Say for example you remove the computer from AD but you either accidently or purposely reboot the machine for whatever reason, you can't get back into the machine after that. Unless you have a local account on the machine you would have problems. Now you can wipe the device from Intune ONLY if its managed in Intune and you can ONLY Reset This PC if you haven't used anything such as Bitlocker. Why? because it will ask you for a recovery ID and if you don't have that at hand you will simply have a dead machine.

 So we want to have a process for a section such as this to do the following;

  • Detect whether the records exist or not
  • Detect whether a local account exists or not, if not then create it
  • Proceed to remove account in preparation
These are example steps of the logic, but we want to ensure that all basis are covered because these are key areas where automating could go wrong.

 Enrolling to Intune/Autopilot

This part is mostly in best practice done within an SCCM task sequence. And what we want to do is take SCCM out of the equation for this process.

So we utilise the scripts that perform this step, extract the commands out of it and then build the automated reset pc process with it which would do the following;

  • Obtain the device serial number
  • Connect to Intune
  • Produce the hardware hash
  • Check that the device is already in Autopilot
  • If not then upload it to the Autopilot
  • Check to see if the Autopilot Profile has been deployed (optional)
So the idea behind this logic is to really see what is happening so that we understand the devices current state in the enrolment side of things, and which is also the last part of the process to tie in altogether.

Next Part

Next part we will show a template which can be followed to automate this process for when it comes to re-provisioning devices and also cover the process parts in the Intune/Autopilot side. Will be quite a lengthy part so will be coming soon as!

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 4 - SQL Server Requirement Analysis

by D Walsham 13 December 2021
Looking through the current SQL Server topology and how it affects our decision

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 3 - Current Branch Upgrade Approaches

by D Walsham 19 November 2021
Impact of Current Branch Upgrades

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side - Part 2 - Operating System Considerations

by D Walsham 29 October 2021
Introduction

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side

by D Walsham 7 October 2021
Introduction

Endpoint Manager: Device Estate Cleanup

by D Walsham 6 October 2021
Introduction

Modern Workplace Management: Creating Applications Common Practices - LOB vs Win32 Package

by D Walsham 3 September 2021
Introduction

Modern Workplace Management: Build Endpoints Without SCCM Part 6

by D Walsham 12 August 2021
All the parts of the series we went into great detail about how we analyse an end to end solution and how we would design a solution in which would allow us to build endpoints without SCCM being a dependency. Whilst we did this, there is another scenario which we have not touched on yet, which is the hybrid scenarios. In a perfect world ideally you would have your Azure Active Directory within the cloud, every machine meets the recommended requirements for Windows 10, everything is imported into Intune/Autopilot and everyone is happy. But we know this isn't realistic in all cases. Many organisations cannot just simply up and go from on-premise into the cloud therefore the checkpoint here is of course getting into hybrid solutions such as; Co-Management Between Intune and SCCM Hybrid AD with Azure AD and On-Premise AD syncing together These things can play a very interesting part in how you would tackle this if you envisage the next step in the blueprint is to be in a position in which you can build and manage endpoints soley within Intune. With this final part of the series we will go in-depth in how the common hybrid setups look like and how we go about moving into the next step of being able to manage and build devices without SCCM.

Modern Workplace Management: Build Endpoints without SCCM Part 5

by D Walsham 29 July 2021
In continuation from the previous part where we had discussed how we create the "on site" piece of the solution, this was the part which would allow us to get our endpoints into a state in which they would essentially be ready to go through the Autopilot process. Which leaves our next piece of the puzzle, to begin the configuration of the actual backend side that resides within our Endpoint Management console. And you will see how everything ties up together to satisfy the full end to end process of getting an unknown (or known) device to proceed thorough the whole workflow to be finally managed by Intune without the aid of SCCM taking part in any of the prerequisites or preparation at hand.

Modern Workplace Management: Build Endpoints without SCCM Part 4

by D Walsham 15 July 2021
In this part we are now going to look into the technical step by step points on how we put everything together. In the previous part we spoke about the structure of how we would asses whether a machine was actually ready to be built with Autopilot or not with a build checklist process which would step through all areas which would cover an endpoints eligibility. Now with everything planned out we finally want to step into making things reality by putting everything together.

Endpoint Manager: Find machines not in Autopilot

by D Walsham 2 July 2021
When it comes to managing your endpoints in endpoint manager, one of the things you may be looking to do is to get all of your Intune registered machines to also be enrolled as Autopilot devices. Now we can of course just have the deployment profile deployed to all machines and then hit the "Convert targeted machines to autopilot" but this might not necessarily be feasible for every client. We may want to perform some due diligence first so we can at least understand what devices in Intune are not in Autopilot.
Show More