Setting computer name and more during a SCCM task sequence deployment
SCCM Task Sequence deployment Orchestrator is used by organizations to manage the deployment of Operating System Task Sequences effectively. It is a utility built on best practices, learnings & insights of industry experts.
The orchestrator helps IT Managers and SCCM administrators implement an Agile approach to SOE design and management. The engineers can move from Development, Test through to Production all within the same window and with the same set of Task Sequence variables and parameters.
The SCCM task sequence deployment orchestrator sets the stage for the deployment before the SCCM Task Sequence starts. Such an approach protects important user data saved on the computer from inadvertently getting deleted.
Watch the video on the right before reading the remaining content on this page. The video walks you through the operational view of the SCCM Task Sequence deployment Orchestrator.
Security and Authentication.
The SCCM Task Sequence deployment Orchestrator configuration file & tokens are digitally encrypted using encryption standards similar to those used by the U.S. government to protect classified information.
The intuitive login screen only allows users with authorization for a specific Realm to login and initiate a deployment for that Realm. The login window also has network controls wherein an SCCM SOE administrator, or Operator can change the Realm, disable a network card, modify the DNS Server or perform other local network-related activities.
The login module also prevents employees from performing unauthorized initiation of Operating System builds and prevents unintended mass deployment of Operating System Task Sequences.
The Broker account for the Realm does all the heavy lifting; the operator login accounts are for login purposes only. Thus disabling and enabling administrative access to the underlying infrastructure is done only for the Broker account. Third-party Operators performing machine builds will not need any access to the organizational authorization infrastructure.
Automatic device name identification.
The SCCM Task Sequence deployment orchestrator automatically identifies the HOSTNAME of the device either from the local filesystem or the Microsoft Endpoint Configuration Manager (SCCM) infrastructure.
The Task Sequence deployment orchestrator also has a feature using which SCCM administrators can either add a prefix or suffix or both to the HOSTNAME of the device.
The Orchestrator has an administrative feature which enables the SCCM SOE administrator to mandate the setting of HOSTNAME as UPPER case or lower case.
The SCCM Task Sequence deployment Orchestrator also checks if another device with the same name exists in SCCM or online on the local network. Such an action prevents unintended device deletions.
Unlock drives locked using Microsoft Bitlocker.
Time and time again, installation of device drivers or other activities that make changes to the boot drive cause a Bitlocked drive to lock and ask for a password or a passphrase.
While rebuilding a device, Bitlocked drives stop an SCCM SOE administrator or a Desktop engineer from backing up the Employees files and folders using automated processes because the drive is Bitlocked.
SCCM Task Sequence deployment Orchestrator allows an SCCM SOE administrator to retrieve the Bitlocker information from local Active directory, remote Active Directory, Bitlocker key, MBAM or by a manual entry automatically.
Many organizations use SCCM Task Sequence deployment orchestrator to unlock Bitlocker.
Task Sequence detection.
SCCM Tasks Sequence deployment Orchestrator for any specific realm would list all the Task Sequences deployed for that Realm.
This feature gives the SCCM SOE designers and administrators the ability to initiate one of many Task Sequences deployed to a given Realm. All of the Task Sequences started by the Tasks Sequence deployment orchestrator for a realm will use the same Task Sequence variables and configurations; standardizing the final Operating System build of the SOE Task Sequence. The engineers can move from Development, Test through to Production all within the same window and with the same set of Task Sequence variables and parameters.
The SCCM Task Sequence deployment Orchestrator sets and validates the parameters for the Task Sequence before it starts thus minimizing the possibility of Package missing errors, unknown errors or employee data loss.
Operating System detection.
The SCCM Task Sequence deployment Orchestrator automatically identifies all the Operating system packages referenced within the SCCM Task Sequence. The Orchestrator lists both Operating System images and Operating System upgrade packages.
If the Operator changed the selected Task Sequence, the list of available Operating System items would change accordingly.
The Operating System name or its PackageID can then be used in the task sequence to initiate the execution of the particular Operating System install step.
SCCM Task Sequence deployment Orchestrator only displays certain options when an Operating System image or package is selected.
SCCM Application and Office suite selection.
Traditionally, SCCM Applications are deployed during the Task sequence using Task Sequence variables or as a direct Application deployment step in the Task Sequence.
However, the setting of the Task Sequence variables is done on the SCCM Collection or is hard-coded into the Task Sequence.
With the advent of the SCCM Task Sequence deployment Orchestrator, Operators can choose real-time, multiple Applications and one Office suite application from a list of SCCM Applications configured for a given Realm.
The Orchestrator lists Applications only if they are categorized for the Realm and enabled for deployment via a Task Sequence.
Built into the SCCM Task Sequence deployment Orchestrator is the ability to make selections based on SCCM Application profiles or existing SCCM Application deployments. This feature allows SCCM SOE engineers and operators to copy deployments targeting another device by temporarily using another device name and then changing it back.
Add computers to SCCM Collections.
The Task Sequence deployment Orchestrator enables the SCCM administrator to add a device to one or more SCCM Collections configured for a specific Realm.
Many organizations use this feature to add devices into SCCM collections configured for Microsoft Endpoint Configuration (SCCM) Workload comanagement with Microsoft Endpoint Cloud Device management (InTune). Some of our clients also use this feature to create machines for Specific Time Zones or with a specific Power Option requirement.
Built into the SCCM Task Sequence deployment Orchestrator is the ability to use SCCM Collection profiles or existing SCCM collection membership to make a current selection. This feature allows SCCM SOE engineers and operators to copy Collection membership from another device by temporarily using another device name and then changing it back.
Active Directory group membership.
It is best practice to add devices into Active Directory security groups instead of adding a device as a direct member of an SCCM collection.
Thus, we build the Active Directory group membership feature right into the SCCM Task Sequence deployment Orchestrator; enabling the SOE engineers and operators to add a device as a member of an Active Directory group before the initiation of the Task Sequence.
Add the device as a member of the Active Directory group before the initiation of the Task Sequence has its advantages. Doing so allows the Active Directory replication, SCCM AD discovery routines and other time dependants processes to complete before the Task Sequence ends.
Built into the SCCM Task Sequence deployment Orchestrator is the ability to use Active Directory group profiles or existing Active Directory group membership to make a current selection. This feature allows SCCM SOE engineers and operators to copy Active Directory group membership from another device by temporarily using another device name and then changing it back.
User state migration.
User state migration is a complicated process. Many SCCM SOE engineers try and avoid USMT activities by configuring folder redirection or directing their users to save their files and folders into network drives.
However, in the age of ‘Work From Home‘ and ‘Bring Your Own Device‘, the User State Migration Process plays a vital role.
In the event of a system break down the SCCM Task Sequence deployment Orchestrator allows the administrator to rebuild the machine, copy existing SCCM Application deployments, copy existing SCCM Collection membership, copy existing AD group membership and restore the users‘ data in less than an hour.SCCM Task Sequence deployment Orchestrator makes the use of USMT easy. The default XML’s will suffice for most use cases. The SCCM Task Sequence deployment Orchestrator allows data capture to the following mediums USB drive, Network drive, Hard linking.
Primary User selection.
Many organizations fail to see the power of Primary device user association. The Primary device user association helps with enterprise Asset Management.
Who has got what device, is a question that SCCM SOE engineers grapple with, mainly within larger enterprise environments because Employees come and go at such rapid pace.
Primary user assignment also helps with security compliance reporting. Email correspondence with the employee, in the event of a possible security breach, gets more manageable, if an administrator can accurately tie a device to a user.
SCCM Task Sequence deployment Orchestrator makes adding primary user-device association easy. Using the deployment Orchestrator SOE administrators can add one or more Primary device users before the SCCM Task Sequence begins.
The SCCM Task Sequence deployment Orchestrator formats the designated primary Disk to the exact specification of the SCCM SOE administrator.
The layout of the Partition is done based on Microsoft Partition recommendations. The configuration file for the Realm contains the disk formatting information. Each Realm can have its unique disk formatting information.
SCCM Task Sequence deployment Orchestrator automatically identifies Legacy BIOS and UEFI devices and formats the disk drives accordingly.
The employee’s data back up is performed before the disk formatting operation begins, which mitigates the possibility of a data loss. The SCCM Task Sequence deployment Orchestrator notifies the SCCM SOE administrator If the underlying Disk is formatted differently.
The decommissioning process is an essential step in the Asset management life cycle. The following activities have to happen when an employee exits an Organization.
- The employee’s data has to be backed up and saved for seven years (based on your legal requirements).
- The removal of the device from Active Directory should happen.
- The removal of the device from SCCM should happen.
- The Disk should be deep formatted to prevent data theft.
SCCM Task Sequence deployment Orchestrator does all of the activities mentioned above according to industry standards.
The Orchestrator will wipe the hard disk drive and perform a secure erase during the decommissioning process.
There is always something that is lacking. Organizations buy great products which will provide for all their needs but one. That is a scenario which is quite common.
Thus the SCCM Task Sequence deployment Orchestrator has an Extension Attribute feature. Just like Microsoft Active Directory, SCCM Task Sequence deployment Orchestrator allows the use of up to 18 Extension Attributes.
These Extension Attributes can change the direction of the Task Sequence and provide a solution for almost all the logical problems that SOE design engineers face when designing a Task Sequence.
Each of the SCCM Task Sequence deployment Orchestrators Extension Attributes can have one or more values. Set these values in the SCCM Task Sequence deployment Orchestrators configuration file for the Realm.
Content Validation, Adds, Removals, Staging and more.
SCCM Task Sequence deployment Orchestrator checks if the Packages and Applications referenced in the Task Sequence and items that are chosen real-time by the Operator are available in the distribution point(s) assigned to the devices’ boundary. If not available, notifies the SCCM SOE administrator by email. The email notifies the SCCM administrator about the missing package names along with their ID’s and the FQDN of the distribution point(s) that need them.
All of the Moves, Adds and Changes follow best practice methods. The order of events focus on data loss prevention and object precedence models. For example, Active Directory object deletion is the final task undertaken by the Orchestrator.
As mentioned in one of the sections above; Disk formatting is one of the last activities performed by the SCCM Task Sequence deployment Orchestrator. The deferral of this action prevents accidental data loss.
All of the above scrutiny on the Task Sequence environment before its initiation increases the success rate of the Task Sequence.
The email notification feature is used for compliance and audit purposes. The notification modules are trigged in 4 different phases if enabled in the SCCM Task Sequence deployment Orchestrator’s configuration file. Click to see an example.
- At the login: Notifies the central administrative email account and (or) the current Operators email account about a possible login using SCCM Task Sequence deployment Orchestrator.
- During failure: Notifies the central administrative email account and (or) the current Operators email account about failure during the execution of some activity by the SCCM Task Sequence deployment Orchestrator.
- After success: Notifies the central administrative email account and (or) the current Operators email account about the successful execution of all the automatic actions within the SCCM Task Sequence deployment Orchestrator.
- A final build report: Sends a final build report to the central administrative email account and (or) the current Operators email account. The SCCM Task Sequence deployment Orchestrator build report is a comprehensive as-built report with details regarding AD group membership, SCCM applications, Disk format, SCCM variables, Services running, running processes, start-up items, PNP drivers, local users, local groups and a lot more.