centrexIT
Knowledge Center

San Diego Humane Society Windows Endpoint Provision

KB00032972
Ryan Moore, Work Instruction, Archived, v2.0
Published Dec 29, 2023. Expires Dec 29, 2024 (expired)

Usage of Install-ProvisionedSoftware is nonobvious


San Diego Humane Society


All service desk personnel


  • Endpoint is hybrid joined (verify with dsregcmd /status in a shell)
  • Endpoint has a hostname in accordance with standard convention
  • Endpoint is enrolled in Intune
  • Additional runs of Install-ProvisionedSoftware run without error (except on the MS Teams package if it is already installed)
  • If the endpoint is a laptop, the VPN and Umbrella client are both installed, with profiles for each in the appropriate locations
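One way to script the first two checks in the list above (hybrid join and hostname prefix), as an added example that is not part of the sd.ps-scripts module. The function name `Test-EndpointProvision`, the sample hostnames and the sample `dsregcmd` lines are constructed for illustration, and the hostname check assumes only that a conforming name begins with one of the site prefixes listed in this instruction.

```powershell
# Added example: report hybrid-join state and hostname prefix for an endpoint.
# Site prefixes are copied from the hostname-prefix step of this instruction.
$SitePrefixes = 'SDHS', 'GSC', 'ECC', 'ESC', 'SLR', 'APR', 'PWR'

function Test-EndpointProvision {
    param(
        # Lines of `dsregcmd /status` output; defaults to querying the local device.
        [string[]]$DsregOutput = (dsregcmd /status),
        [string]$HostName = $env:COMPUTERNAME
    )
    # dsregcmd prints "Key : Value" lines; collect them into a lookup table.
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    # Hybrid joined means joined to both Entra ID and the on-premises domain.
    $hybrid = ($state['AzureAdJoined'] -eq 'YES') -and ($state['DomainJoined'] -eq 'YES')
    # Assumption: a conforming hostname begins with one of the site prefixes.
    $prefix = $SitePrefixes | Where-Object { $HostName -like "$_*" } | Select-Object -First 1
    [pscustomobject]@{
        HostName      = $HostName
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        DomainName    = $state['DomainName']
        HybridJoined  = $hybrid
        SitePrefix    = $prefix
        PrefixValid   = [bool]$prefix
    }
}

# Constructed samples (not captured from a real device) so the check runs offline.
$joined = @(
    '             AzureAdJoined : YES'
    '          EnterpriseJoined : NO'
    '              DomainJoined : YES'
    '                DomainName : SDHS'
)
$notJoined = @(
    '             AzureAdJoined : NO'
    '              DomainJoined : NO'
)
Test-EndpointProvision -DsregOutput $joined    -HostName 'GSC-EXAMPLE01'
Test-EndpointProvision -DsregOutput $notJoined -HostName 'DESKTOP-EXAMPLE'
```

On a provisioned endpoint, call `Test-EndpointProvision` with no arguments to read the live `dsregcmd /status` output and the local computer name.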

  • The device Entra ID and Intune objects
  • The device Active Directory Computer object
  • Installed software viewable via appwiz.cpl on the device

  1. Plug in and power on the endpoint

  2. Complete the Out-of-Box-Experience (OOBE)

    1. Choose Domain Join as the sign-in type
    2. Enter localuser for the user
    3. Enter SDHS-gm#5309 for the password
    4. For all security questions enter SDHS as the answer
  3. Launch Windows PowerShell as admin

  4. Enter the following into the shell:

    $cred = Get-Credential

  5. A dialog box will appear. Enter sdhs\sdhs_ctac for the username and the sdhs_ctac account's password for the password. The password can be found in Passwordstate under \Clients\San Diego Humane Society\Domain\Service Accounts

  6. Enter the following into the shell:

    Set-ExecutionPolicy RemoteSigned

  7. Accept the notice with y or a

  8. Enter the following into the shell:

    New-PSDrive -Name IT -PSProvider FileSystem -Root \\sdhsfs1\it$ -Credential $cred
    Import-Module 'IT:\Scripts\sd.ps-scripts.git\sd.ps-scripts.git.psd1'
  9. Determine the hostname prefix. This will depend on where the endpoint is being deployed. In the list below, the locations are on the left and the prefixes are on the right:

    • WFH => SDHS
    • Gaines Street => GSC
    • El Cajon => ECC
    • Escondido => ESC
    • San Luis Rey => SLR
    • Airport Road => APR
    • Project Wildlife Ramona => PWR
  10. Determine the OU the endpoint should fall under. The computer OUs are nested under OU=CAMPUS,OU=PROPOSED,DC=sdhumane,DC=net. They are as follows:

    • Airport 572
    • Airport 576
    • El Cajon
    • Escondido
    • Gaines 5433
    • Gaines 5465
    • Gaines 5480
    • Gaines 5485
    • Gaines 5500
    • Gaines 5545
    • PW Ramona
    • SLR
  11. Enter the following into the shell. (For ease of use, tab completion is supported for the Location (OU) parameter. For example, you can type G then press Tab repeatedly to cycle through the Gaines Street locations.)

    Join-DeviceToDomain -SitePrefix [prefix determined above] -Location [OU determined above] -Credential $cred

  12. The device should reboot automatically. Upon boot, sign in with an account that is an enrollment manager and that has access to the IT shared folder. This will kick off the Intune autoenrollment in the background

  13. Optionally, check that the DesktopAppInstaller provisioned package is up to date. This is usually necessary since our Lenovo partner almost never ships devices with an updated version of this package

    1. Launch the Microsoft Store

    2. Click Library

    3. Scroll to App Installer

    4. If there is an update, click Update

  14. Open another admin PowerShell window

  15. Enter the following into the shell (Include the -Mobile switch only if the endpoint requires VPN access):

    Import-Module '\\sdhsfs1\it$\Scripts\sd.ps-scripts.git\sd.ps-scripts.git.psd1'
    Install-ProvisionedSoftware [-Mobile]
  16. If there are winget-related errors, refer to step 13 above on ensuring DesktopAppInstaller is up to date

  17. Wait for the prompt to reappear while winget installs the packages

  18. If the -Mobile switch was used, check the following:

    • Mouse over the blue orb in the system tray to check that Umbrella is operating correctly. You should see Protected:

    • Start Cisco AnyConnect Secure Mobility Client. You should see SDHS Meraki VPN in the box next to Connect:

  19. Run Lenovo Commercial Vantage or Lenovo Vantage, or other system update software, to ensure hardware is up to date

    • Do not run Windows Update at the same time. Both are CPU-intensive processes that can conflict with each other
  20. Upon reboot, run system update software again to ensure there are no more updates

  21. Run Windows Update

  22. Upon reboot, run Windows Update again to ensure there are no more updates

  23. Keep computer powered on until it enrolls into Intune

    • Tip: ensure the user you are logged in as has items on their desktop in OneDrive that do not match the local machine’s desktop. Then you need only wait for items from cloud storage to appear on the desktop, since part of the Intune configuration profile is to sync OneDrive with the Desktop folder
  24. If the machine will be used by Dispatch or Resource Center, install Edify

    • Installer is at \\sdhsfs1\it$\_New_windows_setup\Resource Center\edify-win-latest.exe
