Installing Windows 10 (SDX) on MDP desktops and managed laptops for admin staff

Preparation of Infrastructure

  • Only supported hardware can be installed; see the list of Select devices.
  • Create an entry in the DNS file for the hostname. Use wire ATMDT if installing in AT, otherwise MDT.
  • Create the lcfg file. Use the appropriate header: managed-desktop.h or managed-laptop.h
  • Follow the IS instructions to register the machine in the EdLAN DB (but don't tick "register with DHCP").
NOTE: wire M is no longer in use. AT machines actually go on Wire G in EdLAN.

Important step for laptops

Please make sure to add laptops to the SDX Mobile Desktop group in Active Directory. Our group is under ed.ac.uk/UoEX/Auth/INF, or look at the properties of an existing laptop to find this group. This is important so that DirectAccess can kick in when working remotely, which will map the user's datastore home drive (M:\) without the need to be on the Uni VPN.

Install Windows 10

  • There should already be up-to-date install sticks in the AT and IF support offices; otherwise, Create SCCM USB Build Media.
  • If brand new out of the box, a machine should already have the correct select BIOS password and UEFI boot from USB enabled. If installing on an older platform, configure this manually in the BIOS. This will allow the installation to modify BIOS settings to enable the TPM (for encryption). Select PCs may have the speakers turned off in the BIOS. HP 800 G2 mini PCs (the tiny ones) will likely require a BIOS update before they will boot from a UEFI stick.
  • Connect the machine to Ethernet on the appropriate wire: MDT or ATMDT.
  • Boot from the USB stick. Follow the instructions from Step 4 to install a new machine.
  • The USB stick can be removed once the task sequence starts, but leaving it in doesn't seem to cause a conflict.
  • If any errors are encountered, see Diagnosing SDX build issues.

After Installation

  • Remove boot from USB from the BIOS.
  • Run Windows Update to pick up all the updates.
  • Desktops: Right-click on the C: drive and select BitLocker, then follow the wizard to enable encryption; just click Next on all the defaults.
  • Laptops: The C: drive should be automatically encrypted shortly after the build process using BitLocker.
  • Check that the decryption key appears in Active Directory. From a support MDP, launch Active Directory Computers and Users, do Action -> Find, change the drop-down to Computers and set "In" to ed.ac.uk. Enter the hostname and search. Right-click on the machine found in the results, select Properties and look in BitLocker Recovery.
  • Install AuriStor only if the user requires access to the AFS filesystem.
  • Advise user they can install PDFsam and Acrobat Reader themselves from the Software Centre
  • Grant the user remote access to their Win10MDP office desktop
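
The BitLocker recovery check in the list above can also be scripted from a support machine when several machines have been built. This is an added example, not part of the original page: it assumes the RSAT ActiveDirectory PowerShell module and read access to the recovery objects, the function name is hypothetical, and the hostnames are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original page): reports whether BitLocker recovery
# information has been escrowed to Active Directory for newly built machines.
# Assumptions: RSAT ActiveDirectory module, read access to the recovery objects.

function Get-BitLockerEscrowStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [string]$Server = 'ed.ac.uk'   # domain named in the manual check above
    )
    process {
        foreach ($name in $ComputerName) {
            try {
                $computer = Get-ADComputer -Identity $name -Server $Server -ErrorAction Stop
            } catch {
                # No computer account (or lookup failed): nothing can be escrowed yet.
                [pscustomobject]@{ Computer = $name; InAD = $false; Escrowed = $false
                                   RecoveryObjects = 0; Newest = $null; KeyProtectorIds = $null }
                continue
            }
            # Recovery data is stored as msFVE-RecoveryInformation child objects of the
            # computer account. Only name and creation time are read here; the
            # msFVE-RecoveryPassword attribute is deliberately not requested.
            $recovery = @(Get-ADObject -Server $Server -SearchBase $computer.DistinguishedName `
                    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated |
                Sort-Object -Property whenCreated -Descending)

            # Object names have the form <timestamp>{<key protector GUID>}.
            $ids = $recovery | ForEach-Object {
                if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] }
            }
            [pscustomobject]@{
                Computer        = $name
                InAD            = $true
                Escrowed        = $recovery.Count -gt 0
                RecoveryObjects = $recovery.Count
                Newest          = if ($recovery.Count) { $recovery[0].whenCreated } else { $null }
                KeyProtectorIds = $ids -join ', '
            }
        }
    }
}

# Usage with placeholder hostnames; list machines that still have no escrowed key:
# 'PLACEHOLDER-PC1', 'PLACEHOLDER-LT1' | Get-BitLockerEscrowStatus |
#     Where-Object { -not $_.Escrowed }
```

The reported key protector IDs can be compared with the output of `manage-bde -protectors -get C:` on the machine itself to confirm that the escrowed key belongs to the current protector and not to an earlier build.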

Decommissioning machines

Once a desktop or laptop has been decommissioned from use as an MDP, please remember to delete it from EdLAN and also from Active Directory Users and Computers, or via TaskPad from a support MDP.

Small detail about automatically forgetting WIFI details.

Windows 10 does not seem to automatically forget wifi details.

This is fine, but some people want to share laptops, so you would need to auto-forget wifi details at logout and reboot.

You can make a file with the following script:

  • netsh wlan delete profile name="eduroam"

Then in Group Policy: User Configuration -> Windows Settings -> Scripts -> Logoff add the script to automatically remove the wifi details. If you log off or reboot, the system will ask again for credentials to connect to the eduroam network. (Following https://www.digitalcitizen.life/how-delete-or-forget-wireless-network-profiles-windows-10)

-- JenniferOxley - 04 May 2020

Topic revision: r18 - 04 May 2020 - 15:52:55 - JenniferOxley
 