[corrections_edu_it] Laptop Deployment Tools and Tips

Henness, Brandon J. 'GHC' (DOC) brandon.henness at doc1.wa.gov
Wed Mar 13 10:44:25 PDT 2024


One thing I forgot to mention. The current image provided by SBCTC doesn't deploy properly using MDT. So, if you're having any issues with MDT not deploying your image with the proper computer name or the deployment is completing with errors, then you will need to create your own image from scratch. I did this by copying the OPE folder from the C:\ProgramData directory on an existing laptop image to a fresh image.

Thank you,

Brandon Henness
IT Customer Support
Grays Harbor College
Stafford Creek Corrections Center
191 Constantine Way
Aberdeen, WA 98520
(360) 537-2018
brandon.henness at ghc.edu
Brandon.henness at doc1.wa.gov

From: Henness, Brandon J. 'GHC' (DOC)
Sent: Wednesday, March 13, 2024 10:05 AM
To: corrections_edu_IT at lists.ctc.edu
Cc: Peterson, Jayme L. 'GHC' (DOC) <jlpeterson at DOC1.WA.GOV>
Subject: Laptop Deployment Tools and Tips

Hello everyone, this is probably going to be a long email, but the information and tools contained in it should be invaluable to you and your site. From the day I started working in this position, I've been slowly optimizing and automating the deployment of Windows images at my site using Microsoft Deployment Toolkit (MDT). I've almost torn my hair out on plenty of occasions because of the countless quirks with automated deployment of Windows, but I think I've finally gotten it mastered. So, if you have questions about setting up your own site to use MDT, I can help you. For the rest of this email, I'll break it up into sections so that you can skip the sections that pertain to your particular site.


Group Policy to Enable Microsoft Store Apps
Setting this group policy to "Enabled" on the laptops will allow your students to use built-in Microsoft apps like Calculator and Photos.


  1.  On a locked and credentialed laptop set the group policy to "Enabled" using the attached "Enable or Disable Microsoft Store Apps in Windows 10 _ Tutorials" pdf file.
  2.  Open an elevated CMD prompt.
  3.  Run the command "mgmt export_group_policy".
  4.  Run the command "mgmt unlock_machine".
  5.  Open file explorer and enable hidden files.
  6.  Navigate to "C:\ProgramData\OPE\Services\mgmt\rc\exported_gpo".
  7.  Copy this GPO export folder contained here to a flash drive or a network share.
  8.  On your base laptop image navigate to "C:\ProgramData\OPE\Services\mgmt\rc\post_gpo" and paste the exported GPO folder here.
  9.  Capture a new base image.

Any time you credential a laptop with your new image it will use these new GPOs, which means Calculator and Photos will work for all your students. While you're doing this, I would also make sure the "Turn off the Store Application" group policy<https://www.thewindowsclub.com/turn-off-windows-store-application> is also enabled. If there are specific store apps you don't want your students having access to, you can block these individually using Group Policy Editor<https://www.thewindowsclub.com/how-to-block-exe-files-from-running-using-group-policy-in-windows-11-10> or you can completely remove them from the image by uninstalling the Appx package<https://learn.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=windowsserver2022-ps> for that Windows Store app. I used a script called Windows Decrapifier that I can't seem to find the GitHub page for. So, here is an alternative debloater script<https://github.com/Sycnex/Windows10Debloater>.


The remaining instructions require you to have MDT installed and a Deployment Share set up. If you don't, go ahead and do that now.
All scripts linked in the email can be downloaded from this GitHub Gist<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210> by clicking the Download ZIP button.

Automatically Setting Computer Names on Deployment
Using this UserExit script it will automatically set your deployed computer's name to the OSN required naming convention, "OSNE + S/N". This script used to be a lot more complicated when I was trying to handle GEN2 laptops as well. But now that we don't need to worry about GEN2 laptops, the script is really simple now.


  1.  Navigate to the "Scripts" directory of your deployment share.
  2.  Paste the "GetComputerName.vbs<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-getcomputername-vbs>" script in it.
  3.  Add the following lines to your deployment share rules under the [Default] section:
(You can find a full copy of my deployment share rules here.<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-rules-txt>)
     *   UserExit=GetComputerName.vbs
     *   OSDComputerName=#GetOSDComputerName("%SERIALNUMBER%")#
     *   _SMSTSORGNAME=Deploying Image to %OSDCOMPUTERNAME%
  4.  Run the "Update Deployment Share Wizard".
  5.  Choose "Completely regenerate the boot images".
  6.  Open Windows Deployment Services (WDS).
  7.  Right Click your Boot image and choose "Replace Image..."
  8.  Navigate to and select your newly generated boot image.

Your computers will now be named automatically on deployment.

Laptop Setup Script
The "MDTLaptopSetupScript.bat<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-mdtlaptopsetupscript-bat>" batch file automates a few tasks when deploying laptops, like disabling Secure Time Seeding, syncing the laptop's time automatically with the time server, activating Windows with your KMS server, and activating Office with your KMS server.


  1.  Modify the configuration section of the "MDTLaptopSetupScript.bat<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-mdtlaptopsetupscript-bat>" batch file to point to your time server and your KMS server.
  2.  Navigate to the "Scripts" directory of your deployment share.
  3.  Paste the modified "MDTLaptopSetupScript.bat<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-mdtlaptopsetupscript-bat>" script in it.
  4.  Open the "Properties" of the Task Sequence you use for deploying images to your laptops.
  5.  Navigate to the "Task Sequence" tab at the top of the window.
  6.  Add a new task sequence step to the bottom of the "State Restore" section.
  7.  Edit the new task sequence to match the following picture:
%SCRIPTROOT%\MDTLaptopSetupScript.bat
[Image: screenshot of the task sequence step]
  8.  Press "Apply"

When you deploy an image using this task sequence it will now run this script at the end of the deployment.

Start Credential Script Task Sequence Step
The following task sequence will automatically start the laptop credentialing script on deployment, allowing you to credential the laptop immediately after deployment without needing to run the script manually. Only apply this task sequence step to task sequences that are for file deployment.


  1.  Open the "Properties" of the Task Sequence you use for deploying images to your laptops.
  2.  Navigate to the "Task Sequence" tab at the top of the window.
  3.  Add a new task sequence step to the bottom of the "State Restore" section.
  4.  Edit the new task sequence to match the following picture:
cmd /c start "" "C:\ProgramData\OPE\tmp\ope_laptop_binaries\CredentialLaptop.cmd"
[Image: screenshot of the task sequence step (image002.png)]
  5.  Press "Apply"

On deployment, the laptop credentialing script will automatically start running, and by the time the computer is done deploying the script will already be on the SMC login step of the script.

Additional Files
This "Bootstrap.ini<https://gist.github.com/Henness0666/3e2e9a72902e7ddd64967be864609210#file-bootstrap-ini>" is the bootstrap settings I use for my deployment share. You can use this if you're setting up your own deployment share.

Hope this helps!

Brandon Henness
IT Customer Support
Grays Harbor College
Stafford Creek Corrections Center
191 Constantine Way
Aberdeen, WA 98520
(360) 537-2018
brandon.henness at ghc.edu
Brandon.henness at doc1.wa.gov
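
A post-deployment check for the steps described in the email above, as an added example that is not part of the original message or the author's Gist. The function name, the use of the serial number unchanged apart from trimming, and the UtilizeSslTimeData registry check for Secure Time Seeding are assumptions; the "OSNE" prefix and the post_gpo path come from the email.

```powershell
# Added example (not the author's code): verify on a freshly deployed laptop
# that the results the email describes are actually in place.
function Test-LaptopDeployment {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber,
        [string]$OpeRoot      = 'C:\ProgramData\OPE'
    )

    # Naming convention from the email: "OSNE" + serial number.
    # Assumption: the serial is used unchanged apart from trimming whitespace;
    # the author's GetComputerName.vbs may normalise it differently.
    $expected = 'OSNE' + $SerialNumber.Trim()

    # Folder the email says to paste the exported GPO folder into.
    $postGpo  = Join-Path $OpeRoot 'Services\mgmt\rc\post_gpo'
    $gpoItems = @(Get-ChildItem -Path $postGpo -Force -ErrorAction SilentlyContinue)

    # Assumption: Secure Time Seeding is disabled via the W32Time value
    # UtilizeSslTimeData = 0; the author's batch file may do it differently.
    $w32Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $sts    = (Get-ItemProperty -Path $w32Key -ErrorAction SilentlyContinue).UtilizeSslTimeData

    @(
        # NetBIOS computer names are limited to 15 characters; a long or
        # oddly formatted serial number would produce an invalid name.
        [pscustomobject]@{ Check  = 'Expected name is a valid computer name'
                           Passed = $expected -match '^[A-Za-z0-9-]{1,15}$'
                           Detail = $expected },
        [pscustomobject]@{ Check  = 'Computer name follows OSNE + S/N'
                           Passed = $ComputerName -eq $expected
                           Detail = "$ComputerName (expected $expected)" },
        [pscustomobject]@{ Check  = 'post_gpo contains an exported GPO folder'
                           Passed = $gpoItems.Count -gt 0
                           Detail = $postGpo },
        [pscustomobject]@{ Check  = 'Secure Time Seeding disabled'
                           Passed = $sts -eq 0
                           Detail = "UtilizeSslTimeData = $sts" }
    )
}

# Run from an elevated prompt on the deployed laptop.
Test-LaptopDeployment | Format-Table -AutoSize
```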

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 28724 bytes
Desc: image001.png
URL: <http://lists.ctc.edu/pipermail/corrections_edu_it_lists.ctc.edu/attachments/20240313/bf98ee33/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 28110 bytes
Desc: image002.png
URL: <http://lists.ctc.edu/pipermail/corrections_edu_it_lists.ctc.edu/attachments/20240313/bf98ee33/attachment-0003.png>