Endpoint Services, MECM - Stand-alone task sequence
As an alternative to on-site imaging, a task sequence 'template' for stand-alone media (offline USB imaging) is available. This article outlines the structure of stand-alone task sequence media in our environment and provides recommendations based on your unit's needs. Copy the 'DEMO DAYS-Stand-Alone No Drivers' task sequence under '\Software Library\Overview\Operating Systems\Task Sequences\.DEMO DAYS' into your unit's folder and modify as needed.
Microsoft Endpoint Configuration Manager (MECM, formerly SCCM)
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
How does stand-alone task sequence media differ from a standard task sequence?
Please review the following and modify your stand-alone task sequence as needed:
- The computer object does not need to be imported into MECM
- The computer object will register via the MECM client post-OSD. The endpoint's name can be set using the OSDComputerName task sequence variable (covered later).
- Secure Boot may need to be disabled in the BIOS in order to boot to the USB media
- This was not an issue for the Dell models we have tested, but was an issue for Microsoft devices
- Since stand-alone task sequence media is designed to deploy the OS on a computer without a network connection, all steps that require a network connection must be completed post-OSD. This includes:
- Binding to the AD
- Installing apps, packages, or scripts that rely on a network location, such as Office 365 (an offline version of this installer is in progress).
- Enabling BitLocker, as the endpoint cannot reach the AD to store its key. View the post-OSD steps for more information.
- If BitLocker is not used, disable these steps: 'Dell TPM Activation steps', 'Pre-provision BitLocker', 'Enable BitLocker'
- The local administrator account must be enabled in the 'Apply Windows Settings' step in order to log in to the machine post-OSD
- This step is currently configured to randomize the password in the Demo Days task sequence; select 'Enable the account...' and set the password
- The 'Cisco AnyConnect' and 'AnyConnect Start Before Login' applications must be installed (in that order)
- The latter application will allow a user to connect to the VPN at the login window so that they can subsequently log in to the endpoint with their AD credentials.
- We recommend a driver-less approach, as the built-in drivers from the latest Windows 10 feature updates are sufficient for almost all modern enterprise devices
- Any missed drivers can be installed post-OSD, either manually or by leveraging a driver application such as Dell Command Update which can be installed during the task sequence
- Adding driver packages to the media will significantly increase the overall size and media creation time
- Since individual drivers within a package may cause Windows setup to fail for some types of hardware (e.g. Surface Pro devices), driver packages are an additional point of failure.
- Any changes made to the source task sequence will require creating a new .iso file and updating the USB drives.
- Due to the nature of stand-alone media, it is significantly more difficult and time-consuming to troubleshoot this kind of deployment. While we will strive to provide support, we recommend that you do not undertake this method unless you are familiar with the mechanics of MECM OSD and your unit's task sequence, and are comfortable parsing MECM logs with the Support Center application.
Create stand-alone task sequence media
- We strongly recommend at least a USB 3.0 16GB drive, but a larger USB drive may be required depending upon the apps, drivers, and other content in your task sequence. USB 3.1 drives will offer the best overall performance.
- Ensure that all referenced content in your task sequence is available on your Distribution Point Group
- Navigate to \Software Library\Overview\Operating Systems\Task Sequences and select the relevant task sequence
- Select 'References' in the bottom-half of the console; right-click each item in the list and select 'View Content Status'
- In the console, navigate to '\Software Library\Overview\Operating Systems\Task Sequences', and select 'Create Task Sequence Media' under the 'Home' ribbon
- Select 'Stand-alone media'. Check 'Allow unattended operating system deployment' if you want your task sequence to run immediately after booting.
- Select 'CD/DVD set' and set the media size to 'Unlimited'. Select a location to store the .iso file and check 'Include autorun.inf file on media'.
- MECM will only format a bootable USB drive as FAT32, which has limitations on individual file sizes that are below the current size of the Windows 10 image file. A third-party program such as Rufus is required to load the .iso file onto a bootable USB drive.
- Password protecting the media is optional, but always recommended.
- Select the task sequence from the list and verify the content. Check 'Detect associated application dependencies and add them to this media'.
- The next three steps are for manually adding applications, packages, and driver packages not included in the task sequence. We recommend having these steps in the task sequence instead to avoid confusion and so that these steps can be skipped.
- Select your distribution point(s).
- Select the sun icon to create a new task sequence variable. Enter 'OSDComputerName', leave the name field blank, and uncheck the box.
- This step instructs the task sequence to prompt for this value, so that the endpoint can be appropriately named as per your unit's naming standards. By default, MECM assigns a random name (typically with the 'MININT-' prefix) to an endpoint during OSD, via the OSDComputerName variable.
- Complete the wizard. It will take some time for the media to be created, as the content needs to be retrieved from your unit's distribution point(s) and compiled.
- Troubleshoot the media creation process by parsing the CreateTsMedia.log with the Support Center application; this log file is located in the directory where the MECM console is installed.
- Install Support Center from \Software Library\Overview\Application Management\Applications\MANAGED APPLICATIONS\Microsoft\MECM\Support Center
- Once the media has been created, use a program such as Rufus to load the .iso to your USB drive and make it bootable
- After booting from the USB drive, refer to the table below on task sequence log locations
| Phase | Location |
| --- | --- |
| Windows PE (Before the hard disk is formatted) | x:\windows\temp\smstslog\smsts.log |
| Windows PE (After the hard disk is formatted) | x:\smstslog\smsts.log and copied to c:\_SMSTaskSequence\Logs\Smstslog\smsts.log |
| Windows Operating System (Before the SCCM client is installed) | c:\_SMSTaskSequence\Logs\Smstslog\smsts.log |
| Windows Operating System (After the SCCM client is installed) | c:\windows\ccm\logs\Smstslog\smsts.log |
| Windows Operating System (When the Task Sequence is complete) | c:\windows\ccm\logs\smsts.log |
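The log locations in the table above can be triaged with a short PowerShell script. This is an added example, not part of the original article or of MECM: it assumes the CMTrace-style entry layout used by smsts.log, the function name Get-SmstsEntry is hypothetical, the sample entries are constructed, and the X: paths only resolve inside Windows PE when the boot image includes PowerShell.

```powershell
# Added example (not from the original article): list warning and error
# entries from smsts.log at the locations given in the table above.
$SmstsPaths = @(
    'X:\windows\temp\smstslog\smsts.log'
    'X:\smstslog\smsts.log'
    'C:\_SMSTaskSequence\Logs\Smstslog\smsts.log'
    'C:\windows\ccm\logs\Smstslog\smsts.log'
    'C:\windows\ccm\logs\smsts.log'
)

# Entry layout: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ..>
# (?s) lets one message span several physical lines.
$EntryPattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+' +
                'date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+' +
                'context="[^"]*"\s+type="(?<type>\d)"'

function Get-SmstsEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text,
        [ValidateRange(1, 3)][int]$MinimumType = 2   # 1 = info, 2 = warning, 3 = error
    )
    foreach ($m in [regex]::Matches($Text, $EntryPattern)) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = @('Unknown', 'Info', 'Warning', 'Error')[$type]
            Message   = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
        }
    }
}

# Constructed sample entries (not real log output), used to show the parser offline.
$Sample = @'
<![LOG[Sample informational message]LOG]!><time="10:15:40.101+300" date="03-14-2023" component="TSManager" context="" type="1" thread="1234" file="sample.cxx:100">
<![LOG[Sample failure message
spanning two lines]LOG]!><time="10:15:42.123+300" date="03-14-2023" component="TSManager" context="" type="3" thread="1234" file="sample.cxx:200">
'@
Get-SmstsEntry -Text $Sample | Format-List

# Read whichever of the documented logs exist in the current phase.
foreach ($path in $SmstsPaths | Where-Object { Test-Path -LiteralPath $_ }) {
    Write-Host "== $path"
    Get-SmstsEntry -Text (Get-Content -LiteralPath $path -Raw) | Format-List
}
```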
- Log in as the local administrator
- Connect to the local network, followed by the campus VPN
- Bind the endpoint to the Active Directory and reboot
- Log in as the local administrator
- Connect to the campus VPN
- Wait for MECM policy to apply
- This is the longest step but does not require much attention
- We recommend manually updating your 'All Systems' collection's membership, as well as that of any collections the endpoint should be in due to AD Query rules, shortly after binding. Once the endpoint's object is visible, right-click the object and navigate to 'Client Notification' --> 'Download Computer Policy' to speed things along.
- If necessary, install additional apps and/or the 'DEMO DAYS-Post Stand-Alone BitLocker' task sequence
- The BitLocker task sequence can run from Software Center - only run it once
- Audit BitLocker compliance by navigating to '\Assets and Compliance\Overview\Compliance Settings\Configuration Baselines' and deploying one of the two 'BitLocker C: Status' baselines
- Confirm that apps, MECM policy, GPOs, etc. have all applied correctly
- Disconnect and 'forget' the local network, and shut down the PC
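A scripted version of the confirmation steps above, as an added example that is not part of the original article. The function name Test-PostOsdState is hypothetical; it assumes an elevated PowerShell session on the imaged endpoint, and the two BitLocker checks only apply if your unit uses BitLocker with a recovery password protector.

```powershell
# Added example (not from the original article): post-OSD state check.
# Run from an elevated PowerShell prompt before disconnecting the endpoint.
function Test-PostOsdState {   # hypothetical helper name
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    # Key protector types present on the OS volume (e.g. Tpm, RecoveryPassword).
    $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    $checks = [ordered]@{
        'Computer name is not a default MININT- name' = ($cs.Name -notlike 'MININT-*')
        'Endpoint is bound to the AD'                 = [bool]$cs.PartOfDomain
        'MECM client service (CcmExec) is running'    = ($svc -and ($svc.Status -eq 'Running'))
        'BitLocker protection is on for the OS drive' = ($vol -and ($vol.ProtectionStatus -eq 'On'))
        'OS drive has a recovery password protector'  = ($protectors -contains 'RecoveryPassword')
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

$results = Test-PostOsdState
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more post-OSD checks failed; review before shutting down the PC.'
}
```

This script only reports local state. Whether the recovery key was stored in the AD still has to be confirmed there, or through the 'BitLocker C: Status' baseline.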