ToolBox Guide to
Update Feb 2018
- Added additional variables at the top of script used in AWAgent command line for easier configuration
- Added additional screenshots and considerations about some SCCM attributes in the SQL script
Update Jan 2018
- Included a more robust deployment with a powershell script.
AirWatch has the ability to silently enroll Windows 10 systems using command line parameters on the AirWatch Agent msi. You can use SCCM to deploy the AirWatch msi to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction. AirWatch just needs a bulk-import template uploaded to the console and then a staging account setup which will be used in our command line switch. The basic steps for this process are:
1. Setup a staging account setup in the AirWatch console
2. Run SQL query on your SCCM SQL server to output username and serial number information for each device into the correct AirWatch bulk-import template
3. Import the devices into AirWatch
4. Deploy the AirWatch agent to those systems with SCCM
- Script must be run as the current logged in user
- This user must have administrative rights
- Domain membership NOT required (Although it makes it a lot easier to do serial/username mapping)
Setup Staging Account
If you use VMware Workspace One (WS1) for identity management and authentication you will need to do a couple extra steps to setup the staging account. This is because the staging account can't use WS1 for authentication and instead must use a simple username/password.
1. Create a Staging Organization Group (OG) as a "Sibling" to your production OG
2. As you can see in my instance, we have "Production" and "Staging"
3. Once the OG is created, simply create a "Basic" user account with the following settings:
Note: If you look at the dropdown by "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% why on this but this is what the Product team has told me.
4. Click save and this account is ready to go.
In this blog post, I will outline how to forcefully but elegantly upgrade remote systems to Windows 10 using SCCM task sequences. I will be using 3 task sequences working together to accomplish this. This process can also be used for clients on the LAN as well as for win10 feature upgrades. The main benefits of this process are as follows:
- All content gets pre-downloaded silently in the background
- Win10 assessment is run silently before hand and sends email based on pass/fail
- If it passes, a reg key will be created with which an SCCM compliance rule can be queried. Systems with the reg key can get automatically placed into a "Win10 Ready" collection.
- The real upgrade Task Sequence can be deployed manually or automatically to systems in the "Win10 Ready" collection
- A nice window will popup on the real upgrade TS which allows users to defer the upgrade up to 5 times before it will run automatically
- Model specific drivers are pre-downloaded as well
- Clients must be on a reliable VPN connection in order for this to work well. We have an "always on VPN" that connects so remote clients are always on the VPN unless the user manually disconnects.
- Because this is a lot of content going over your VPN, be mindful of the bandwidth impact. We use Adaptiva for content distribution and it takes care of all of the bandwidth management automatically for us so there is no load placed on our VPN gateways.
- While you CAN include the MBR2GPT process to this, I would recommend against it. This is simply because if there are any issues you're gonna get a system that won't boot. Troubleshooting that remotely is a huge pain and a poor experience. Just flip them to UEFI once they visit a real office.
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, Powershell, and operating system deployment.