ToolBox Guide to
This blog post details how to automatically enroll a Windows 10 system that has been newly imaged with MDT into AirWatch Workspace ONE. This solution will work with any imaging solution, as well as with in-place upgrade task sequences.
First, enable the REST API in the AirWatch console and set up an API user per the steps in this post. I recommend creating an API admin role that is locked down to only a few functions, so it reduces the risk of anything happening if the credentials get discovered somehow.
Specify application details
Select source directory
Specify the name of the target directory that will be created
Enter this for command line:
Powershell.exe -executionpolicy bypass -file AW-RegisterDevice.ps1
Click Next, verify details on Summary page and then Finish.
Add to Deployment Task Sequence
Open up your deployment task sequence and add it toward the end of the sequence. I usually create a "Custom Tasks" folder and put any post OS deployment tasks there.
Configure your MDT wizard to prompt for administrator accounts by adding "SkipAdminAccounts=No" to CustomSettings.ini (Rules tab of Deployment Share properties).
This will enable the "Local Administrators" wizard page to show up (off by default) and allow you to specify who will be the local admin on the system. I pull this information into the AW-RegisterDevice.ps1 script and pre-register the device into AirWatch with this user and the serial number. The MDT variable associated with this field is Administrators001. I also strip off the "domain\" part of the input in the script. This field must be used; otherwise the script will exit, as it will not know who to pre-register the device to.
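As an added example (not the code from AW-RegisterDevice.ps1), this is one way to read the wizard input, strip the "domain\" prefix, and refuse to continue when the account or serial number is unusable. The function names and the allowed-character pattern are assumptions; Microsoft.SMS.TSEnvironment is the COM object MDT exposes during a task sequence.

```powershell
# Added example. Function names and the allowed-character pattern are
# assumptions, not taken from AW-RegisterDevice.ps1.

function Get-MdtVariable {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # This COM object only exists while a task sequence is running.
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        return $tsenv.Value($Name)
    } catch {
        return $null
    }
}

function ConvertTo-EnrollmentUser {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $null }
    $name = $Account.Trim()
    # Strip the "domain\" part, keeping what follows the last backslash.
    $slash = $name.LastIndexOf('\')
    if ($slash -ge 0) { $name = $name.Substring($slash + 1) }
    # Assumed naming rule: accept plain account names only, so free-text
    # wizard input never reaches the API request unchecked.
    if ($name -notmatch '^[A-Za-z0-9._-]{1,64}$') { return $null }
    return $name
}

function Get-EnrollmentTarget {
    param([string]$Account = (Get-MdtVariable -Name 'Administrators001'))
    $user = ConvertTo-EnrollmentUser -Account $Account
    if (-not $user) { throw 'Administrators001 is empty or not a valid account name.' }
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    if ([string]::IsNullOrWhiteSpace($serial)) { throw 'No BIOS serial number reported.' }
    [pscustomobject]@{ UserName = $user; SerialNumber = $serial.Trim() }
}

# Constructed sample inputs showing the normalisation outside a task sequence.
foreach ($sample in 'CONTOSO\jdoe', '  jdoe ', 'CONTOSO\', 'jdoe; x', '') {
    $result = ConvertTo-EnrollmentUser -Account $sample
    '{0,-14} -> {1}' -f "'$sample'", $(if ($result) { $result } else { '<rejected>' })
}

# Outside a task sequence this reports the missing variable; a deployment
# script would exit non-zero here instead of calling the API.
try   { Get-EnrollmentTarget }
catch { Write-Warning $_.Exception.Message }
```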
After the script runs, it will copy 3 files into different places:
First, it copies the AirWatch Agent and the actual enrollment script to the path in the $localscriptpath variable at the top of the script. Then it copies a VBScript file to the default user Startup folder. This will cause the "AWEnrollLogin.ps1" script to run on first user login and complete the actual enrollment. I did this as VBS so that there is no black-screen popup when the PowerShell script runs. It also elevates the script. You can certainly configure this login script via Scheduled Tasks or Group Policy as well.
Be sure to update the VBScript to point to the location of the AWEnrollLogin.ps1 script placed in $localscriptpath.
xcopy .\AirwatchAgent.msi $localscriptpath /y
xcopy .\AWEnrollLogin.ps1 $localscriptpath /y
xcopy .\AWEnrollLogin.vbs "C:\Users\default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" /y
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, Powershell, and operating system deployment.