Many services such as Active Directory, Group Policy, imaging tools, configuration management, and Windows Update tools are managed centrally by University Technology Services (UTS) but can benefit Desktop Support Professionals (DSP) in all areas of Oakland University. This is a guide for both UTS and DSPs on how to facilitate this cooperation.

I will attempt to structure this document by creating a section for each resource, but in reality these resources will overlap.

Overview of Technologies

The Microsoft Deployment Toolkit (MDT) Lite Touch allows for Windows 10 desktop deployments. It provides a driver repository and, combined with Chocolatey for Oakland's Windows-based Software (COWS), allows software to be selected for automatic installation when you deploy Windows. COWS is a locally managed Chocolatey repository that enables silent install scripts to be created for software. This works at deploy time (using Lite Touch) and can be run on remote computers without requiring the end user to log off. The Local Administrator Password Solution (LAPS) is a tool for managing local administrator accounts on desktops. With LAPS implemented, every computer has a unique, randomly generated password for the administrator account. As a desktop support professional, you can use the LAPS tools to look up the password when needed. Group Policy and Active Directory allow desktop support professionals to push out settings, configuration, and software to a group of computers.

Prerequisites

Desktop Support Professionals may need access to the following tools:

Getting Started

The following will get an IT department started with access to MDT, LAPS, Group Policy, Active Directory, COWS, and Desktop Local Admin Group membership.

DSP Responsibility

UTS Responsibility

  • Run New-OUDepartment with the appropriate parameters based on the request

  • Deploy a new Group Policy object from the "Department Delegation Template" to the new Organizational Unit (OU)

  • Add the newly created ps_deptName_admin and make it a member of the BUILTIN\Administrators group

  • Provide the DSP with the OU path
  • Schedule a demo of the technologies

Active Directory Delegation

Computer Objects

The new Lite Touch deployment process creates computer objects as part of the deployment. If computer objects need to be created outside of that process, please use utstoolbox.oakland.edu. You will need to request access.

Troubleshooting and Feature Requests

Please use the appropriate Slack channel for asking questions and making feature requests.

FAQ

1. Are previous versions of Windows going to be supported by MDT?

  • While previous versions of Windows will be supported by MDT, focus will be placed more on Windows 10.

2. How will drivers be managed? Is the driver repository structure limited to each department or does the University share one repository for drivers?

  • Drivers in the future will hopefully be managed by you! The University will share one repository where each department can add their own device drivers so that each department won't have to install those same drivers. This also means that if a bad driver is added to the repository, it will affect only those devices that are being deployed with Windows 10 via MDT.

3. How often does the LAPS password reset?

  • Every 2 weeks. This ensures that desktop support professionals have enough time to complete quick tasks without the need to look up the password. After the 2 weeks, the password can be found by entering the computer name in the LAPS GUI client.

4. In the future, how would I deploy Windows to a machine that I do not want to be joined to the domain?

  • For this case, a deployment from an offline installer would be appropriate. With this type of installation, however, you lose the benefits that MDT has to offer.

5. What's the difference between COWS and Chocolatey?

  • While Chocolatey works by connecting to the internet in order to retrieve installer packages, COWS is Oakland's implementation of Chocolatey that allows us to install packages only from our repository. Any packages that will be installed through Chocolatey will be managed and reviewed by UTS. This ultimately means that there is less of a security risk since the software is hand-selected and ensured not to be malicious.

6. How would I go about installing COWS to preexisting machines?

  • The simplest method of installation on preexisting hardware would be through group policy.
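
A check for the point in FAQ 5 that COWS clients install packages only from Oakland's repository, as an added example that is not UTS's own tooling: it reads a Chocolatey client's chocolatey.config and reports any enabled source other than the approved feed. The feed URL `https://cows.example.edu/nuget/` is a placeholder (the page does not give the COWS address), and the embedded XML is a constructed sample used when no Chocolatey install is found.

```powershell
# Added example, not UTS code. $AllowedSource is a placeholder: the page does
# not give the COWS feed URL.
$AllowedSource = 'https://cows.example.edu/nuget/'

function Get-UnapprovedChocoSource {
    # Returns every enabled source in chocolatey.config whose URL is not the approved feed.
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$Allowed
    )
    $want = $Allowed.TrimEnd('/')
    foreach ($s in $Config.SelectNodes('/chocolatey/sources/source')) {
        $enabled = $s.GetAttribute('disabled') -ne 'true'
        $url     = $s.GetAttribute('value')
        if ($enabled -and ($url.TrimEnd('/') -ne $want)) {
            [pscustomobject]@{ Id = $s.GetAttribute('id'); Url = $url }
        }
    }
}

# Constructed sample config, used only when no Chocolatey install is present.
[xml]$sample = @'
<chocolatey>
  <sources>
    <source id="chocolatey" value="https://community.chocolatey.org/api/v2/" disabled="false" />
    <source id="cows" value="https://cows.example.edu/nuget/" disabled="false" />
  </sources>
</chocolatey>
'@

# Prefer the machine's real config; fall back to the sample above.
$live = if ($env:ChocolateyInstall) {
    Join-Path $env:ChocolateyInstall 'config\chocolatey.config'
}
$config = if ($live -and (Test-Path $live)) { [xml](Get-Content -Raw $live) } else { $sample }

$bad = @(Get-UnapprovedChocoSource -Config $config -Allowed $AllowedSource)
if ($bad.Count -gt 0) {
    Write-Warning "Enabled sources outside the approved feed: $($bad.Id -join ', ')"
    $bad | Format-Table -AutoSize
    # To remediate from an elevated prompt: choco source disable -n=<Id>
} else {
    'Only the approved source is enabled.'
}
```

Against the constructed sample this flags the `chocolatey` community source and leaves `cows` alone.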