ToolBox Guide to
Update 4/17/18: This process does NOT require the end user to be a local admin as I originally thought. You can deploy via SCCM in the system context.
AirWatch 9.3 brings a number of new features to the Workspace ONE UEM platform on Windows 10, including improved silent enrollment features. This will greatly simplify enrollment over the previous method. The new 9.3 agent brings the following updates to silent enrollment:
The primary use cases for this process are:
Update March 2018
Check out my new blog which includes AirWatch 9.3 agent enhancements as that is the preferred way to do enrollment on Windows 10. If that method doesn't work or you prefer to statically assign Windows 10 devices to an OG, then continue reading.
AirWatch has the ability to silently enroll Windows 10 systems using command line parameters on the AirWatch Agent msi. You can use SCCM to deploy the AirWatch msi to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction.
1 - Set Up Staging OG and Staging Account
If you have SAML enabled, you will need to do a couple of extra steps to set up a staging OG and staging account. This is because the staging account can't use SAML for authentication and instead must use a simple username/password.
Follow the detailed steps outlined in my other blog on how to set up these things.
Note: If you look at the dropdown by the "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% sure why, but this is what the Product team has told me.
4. Click save and this account is ready to go.
In this blog post, I will outline how to forcefully but elegantly upgrade remote systems to Windows 10 using SCCM task sequences. I will be using 3 task sequences working together to accomplish this. This process can be used for clients on the LAN as well as for Windows 10 feature upgrades. The main benefits of this process are as follows:
- All content gets pre-downloaded silently in the background
- The Win10 assessment is run silently beforehand and sends an email based on pass/fail
- If it passes, a reg key will be created which an SCCM compliance rule can query for. Systems with the reg key can get automatically placed into a "Win10 Ready" collection.
- The real upgrade Task Sequence can be deployed manually or automatically to systems in the "Win10 Ready" collection
- A nice window will pop up in the real upgrade TS which allows users to defer the upgrade up to 5 times before it will run automatically
- Model specific drivers are pre-downloaded as well
- Clients must be on a reliable VPN connection in order for this to work well. We have an "always on VPN" that connects so remote clients are always on the VPN unless the user manually disconnects.
- Because this is a lot of content going over your VPN, be mindful of the bandwidth impact. We use Adaptiva for content distribution and it takes care of all of the bandwidth management automatically for us so there is no load placed on our VPN gateways.
- While you CAN include the MBR2GPT process in this, I would recommend against it. This is simply because if there are any issues you're gonna get a system that won't boot. Troubleshooting that remotely is a huge pain and a poor experience. Just flip them to UEFI once they visit a real office.
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, PowerShell, and operating system deployment.