Last year, I was lucky enough to attend VMworld and host an incredible session on Delivering Secure and Seamless Access to Apps and Data, which was one of the highlights of my mobility career. My 2nd favorite thing about VMworld besides hanging out with my best friend (no, I’m not talking about VMware) was the huge announcement that would turn imaging on its head for years to come!
So what did I do? I texted my boss telling him how this is a legit game changer. I started my harassment of everyone with a Dell name tag at VMworld trying to get information about it, but that was a bit of a poopshow. Nobody knew anything, but I guess perhaps I was just a bit too excited. I knew that I was progressive enough to say we don’t need SCCM, we don’t need some silly imaging software. I was tired of seeing people on our team waste hours of their day or say “I have to get PCs ready for 5 new hires on Monday so I have to block out my entire calendar on Friday!” Don’t turn into this guy!
Big Hurdles for Dell Provisioning
People don’t like new things, let’s face it. We are surrounded by people in every company who are stuck in their ways and absolutely will not believe that SCCM could ever be obsolete. Group Policy is irreplaceable. The naysayers are sitting there saying “we couldn’t possibly replace provisioning.” I’ve spent years watching people take 2-3 hours to image and set up a PC for a new employee. They think “this process is pretty good!” or “this is way faster than it used to be.”
The whole thing frankly is silly. Technologists need to start thinking for themselves and challenge the status quo. Unified endpoint management as a discipline is the idea that you can take every device and have it under a single pane of glass and manage all of them with ease. What if I told you that I can image a device in TEN minutes?
How Dell Provisioning Works
Dell Provisioning is the harmony of two items working together. One is a PPKG (provisioning package) and the other is an unattend file (unattend.xml). You can think of them as the software and the seamless provisioning of a PC during the initial setup process. We’re going to discuss each of these items and how to make them work harmoniously together to eliminate humans from the imaging process altogether. You can go to Devices > Lifecycle > Staging > Windows in newer versions of WorkspaceONE to get some help with building the files that will make Dell Provisioning a reality. Once you finish building the perfect packages and unattend file, Dell can help deliver something that will resonate with any Debbie Downer in the room!
At its core, delivering someone their new PC is all about the apps. There are two trains of thought when it comes to applications. One is “they can just get the apps they need after they connect to our network (aka enroll)” and the other one is the right answer. It’s not just that, you also need to realize it’s not one size fits all. The perfect design is:
- One Package per Department
- One Package per Office
You need to customize and refine your packages to meet each user’s requirements. I recommend setting proper baselines and then delivering applications that require account setup, like WebEx or Zoom, after enrollment. Even though 100 different packages sounds like a good idea, it ISN’T. It’s entirely possible that all IT users in all offices have the same package, so you don’t need to re-invent the wheel. Contrary to popular belief, it’s not about proving how smart you are. It’s about showing how well you know the users in your company. Cultivating that experience is the best way to set yourself up for success here.
Provisioning Package Requirements
You should consider a few key requirements for this PPKG to actually work. The first one is that your package MUST be completely made up of offline installers. You will need to test them in audit mode without a network connection. You will also need to be careful about dependencies. There are a number of installers that may need to install other frameworks like .NET or C++. It’s vital to be very careful. You also want to make sure the checks you have implemented to call installs successful are correct. One of the big gaps that I’ve found with WorkspaceONE UEM is that it doesn’t support greater than/less than comparisons like SCCM does. Most times, migrations of apps go fairly well with AirLift, but there are certain gaps you want to be certain of. The Zero Touch Windows 10 USB Key can really be your friend when testing/certifying that your applications are bullet-proof. Most importantly, do NOT forget Dell Command Update, because that’s a game changer!
Building an Offline Installer for Office 365
Office 365 will likely be one of the most daunting parts of preparing your package. You have a few things you need to do:
- Open a ticket with the WorkspaceONE UEM team to increase your max upload size for applications to 2.5-3 GB so you can account for the installers
- Build an Offline Package for O365
I’m going to run through the process for building that offline package so you understand what’s involved. The steps are below and should be mostly straight-forward:
1. Create a folder called C:\ODT (I called it NewODT) on your PC
2. Download the Office 2016 configuration tool, run it, and choose the folder you created to dump the files.
3. Rename the x64 configuration file to be configuration.xml and customize it for your deployment similar to what I did below:
Note: If your users need Visio, you will need a separate package for Visio that looks like this below: (Don’t forget to put in your Visio Standard Key in here to ensure activation is seamless)
4. Once done, you will zip up the setup.exe and the configuration.xml file which are then added to WorkspaceONE UEM and configured accordingly to deploy it successfully.
Feel free to reach out if you need help with the WorkspaceONE UEM side configuration, but most people will be in decent shape there.
Unattend is your Friend
The unattend.xml is the most important part of Dell Provisioning so we will spend some significant time with it and break down the whole thing with some best practices to give you something special. The unattend will completely dictate how the process goes when your new Dell PC arrives.
The Initial Logon
We can see below, what part of the unattend dictates how you will land at the end of the setup process.
A few things to think about here:
- If your GPO disables the built-in administrator account (IT BETTER!), you will need to change the username to whatever your company specific admin account is.
- LogonCount is the number of times it will log you in with this account without needing credentials. I typically recommend leaving this at one because if you do it right, after one reboot it will be time to log in with your AD account.
Elegance and simplicity is the trend you are shooting for with Dell Provisioning. Their canned solution can get you about 75% of the way there, but with my help you can make it 100!
The PC name is another challenge in Windows 10. Essentially the “registered organization” is what the first part of your PC name will be (e.g. MobileJon-AEWRRGVD). You can’t invoke a pop-up window or anything to set the PC name like you could in the Win7 days and that’s okay. It’s time for us to evolve and adapt. Remember the goal is zero touch!
Domain Join and GPO Synergy
The domain join happens very early on in the setup process, which will lead to GPOs applying properly. You can see that section below and the key thing to focus on is ensuring you are putting your PCs into the correct OU. Group Policy is all about where things live. If you walk into your neighbor’s house, then you can’t eat the leftover Chinese food in your fridge.
Setting up Local Accounts
Remember how I was saying that you should be disabling the local administrator account? There’s only one way to create true synergy! That is to have your unattend file create a new enterprise local administrator account. I’m sure you are asking yourself, why is this so important?
By doing this, at the end of the setup process it will log you in automatically to this account and keep your provisioning moving along its merry way. Just like these fine gentlemen!
Now we set a few Out of Box Experience (OOBE) keys. VMware’s utilities set up the deprecated network key, which you can leave because it’s irrelevant, but hiding the EULA and Protect Your PC screens helps things run clean and smooth.
The final part is your logon commands. I will provide a few tips in here to make it easy.
You need to pay special attention to the silent enrollment configuration. The key part here is that your username must be in UPN format, which you will find in WS1 UEM under Devices & Users > Windows > Windows Desktop. That’s not documented particularly well, but you need it to be configured like this to actually work.
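The unattend sections walked through above (AutoLogon, domain join, local account, silent enrollment) all place credentials in one file, so it is worth auditing before it goes onto a USB key or off to Dell. The following is an added example, not the author's unattend.xml or tooling: the sample file, account names, `agent.msi` command line and the `Test-UnattendSecrets` function are constructed for illustration.

```powershell
# Constructed sample, not the author's file; every name and value is a placeholder.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification><Credentials>
    <Username>svc-join</Username><Password>PLACEHOLDER</Password>
   </Credentials></Identification>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <AutoLogon>
    <Enabled>true</Enabled><LogonCount>3</LogonCount><Username>corpadmin</Username>
    <Password><Value>UExBQ0VIT0xERVI=</Value><PlainText>false</PlainText></Password>
   </AutoLogon>
   <FirstLogonCommands><SynchronousCommand><Order>1</Order>
    <CommandLine>msiexec /i agent.msi /qn USERNAME=staging@corp.example PASSWORD=PLACEHOLDER</CommandLine>
   </SynchronousCommand></FirstLogonCommands>
  </component>
 </settings>
</unattend>
'@

function Test-UnattendSecrets {
    param([Parameter(Mandatory)][xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $findings = @()
    # Every <Password> element: domain join, AutoLogon, local account creation.
    foreach ($p in $Unattend.SelectNodes('//u:Password', $ns)) {
        $plain = $p.SelectSingleNode('u:PlainText', $ns)
        $note = if ($plain -and $plain.InnerText -eq 'false') {
            'Base64-encoded only (PlainText=false is not encryption)' } else { 'stored in clear text' }
        $findings += "$($p.ParentNode.LocalName)/Password: $note"
    }
    # The page recommends LogonCount 1; more extends the unattended admin session.
    foreach ($c in $Unattend.SelectNodes('//u:AutoLogon/u:LogonCount', $ns)) {
        if ([int]$c.InnerText -gt 1) { $findings += "AutoLogon LogonCount=$($c.InnerText); expected 1" }
    }
    # Credentials passed as arguments to logon commands (e.g. silent enrollment).
    foreach ($cmd in $Unattend.SelectNodes('//u:CommandLine', $ns)) {
        if ($cmd.InnerText -match '\b(password|pwd)\s*=') { $findings += 'Logon command carries a password argument' }
    }
    $findings
}

Test-UnattendSecrets -Unattend ([xml]$sample)
```

Every finding names an account whose secret travels with the file, so scope the domain-join account to the target OU and keep the staging enrollment account limited to enrollment.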
Elevate your Game with PowerShell
It’s one thing to deliver Dell Provisioning, but something else ENTIRELY to deliver a zero touch enrollment. In the image below, you will see that I hosted some PowerShell scripts in my GitHub repo. I use my old friend Invoke-WebRequest to download the content and output it to a PowerShell file. Afterwards, I execute that script, which I use to install all Windows updates and reboot.
Depending on how creative you are, these steps can be quite compelling to deliver customized experiences. A few examples of how you can use these are:
- Deploy registry keys
- Install Windows Updates
- Remove Bloatware
- Create Accounts
- Set Security Settings and GPO Settings locally
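The download-and-run step described above executes in the auto-logged-on local administrator session, so the script should be pinned to a reviewed version and verified before it runs. The following is an added example, not the author's logon command: the URL, the file name `Install-Updates.ps1`, the hash and the `Invoke-PinnedScript` function are placeholders to replace with your own values.

```powershell
# Added example. Pin the URL to a commit SHA (not a branch) and record the
# SHA-256 of the script you reviewed; both values below are placeholders.
$ScriptUrl      = 'https://raw.githubusercontent.com/<org>/<repo>/<commit-sha>/Install-Updates.ps1'
$ExpectedSha256 = '<SHA-256 OF THE REVIEWED SCRIPT>'

function Invoke-PinnedScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$Destination = (Join-Path $env:TEMP 'provision-step.ps1')
    )
    # Windows PowerShell 5.1 may not negotiate TLS 1.2 by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    if ($Url -notmatch '^https://') { throw "Refusing non-HTTPS source: $Url" }

    # -UseBasicParsing avoids the Internet Explorer dependency on a fresh install.
    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing

    # Compare against the pinned hash before anything is executed.
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $Destination -Force
        throw "Hash mismatch for $Url (got $actual); script not executed."
    }

    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Destination
    if ($LASTEXITCODE -ne 0) { throw "Script exited with code $LASTEXITCODE" }
}

Invoke-PinnedScript -Url $ScriptUrl -ExpectedSha256 $ExpectedSha256
```

Signing the scripts and checking them with Get-AuthenticodeSignature is an alternative to a pinned hash when the scripts change often.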
WorkspaceONE Provisioning Tool is your Friend
You can get the WS1 Provisioning Tool here, which will save you from a painful back and forth with Dell professional services. Simply put this tool, your PPKG, and unattend.xml on a USB thumb drive and validate the files you have been putting together. It can be a very painful process, but the end result can be something truly magical.
Bringing it All Together
Dell Provisioning can be so-so or it can be something game-changing. I hate to say it, but if you deliver this properly you could actually reduce headcount or invest in other areas because in some companies you will save so much time it will be remarkable. This is by no means a sales pitch for Dell or their services, but let’s be honest with ourselves. This is what my Dell Provisioning design gives you:
- Unbox PC
- Plug in Network Cable
- Press Power
- Come back in 10 minutes
That’s it! You will log in with your AD account and it will update your apps from the package, deploy any profiles or configurations assigned to your user account, and you are off and running. The true beauty is how you can ship PCs to the field in retail. A field specialist could just walk into one of your corporate stores, plug it into the network, and be up and running quickly without ever talking to IT.
The year is 2019 people! It’s time that we start empowering users and driving self-service experiences that are seamless and transparent to the user. They feel like they did something easy and you have saved them the pain of on-boarding. Sure, it’s up to you to decide what you want to be. I challenge each of you to be agents for change. Dell Provisioning is a tool and can either be terrible or amazing based on your ability to visualize every part of your on-boarding checklist into automation.
I challenge you to think outside the box and don’t give up. Technology is not that hard. We can do anything we want to. It’s all about effort and being collaborative. Ask for help and help each other. We only move forward together.