How to show OOBE for AzureAD Join after OSD with SCCM
Updated 2021-06-09
– Added some additional cleanup in the script to make sure it removes the CM client, otherwise the computer will be “co-managed” in Intune even if it isn’t. Also added info about the SkipOOBE in unattend.xml
I am writing this post because I am lazy and already have Configuration Manager in my lab. But it is useful in other scenarios as well to get the latest version of Windows 10 on a computer before testing AzureAD Join/Autopilot for example. It is also useful in Self-deploying Autopilot scenarios which isn’t supported by the existing Autopilot Task sequence for existing devices.
When I am testing more and more scenarios with AzureAD Join and Autopilot I ended up doing this little workaround to be able to deploy Windows 10 using Configuration Manager, uninstall the SCCM client and then reboot the machine and come up in OOBE.
Fellow MVP Per Larsen wrote a blog post on how to do it with MDT a while back which is great, if you use MDT have a look at it https://osddeployment.dk/2016/08/26/how-to-show-oobe-for-azuread-join-after-mdt-deployment/
I use a little Powershell script that uninstalls the SCCM client and then run Sysprep on the machine which I trigger using the SMSTSPostAction command.
The PowerShell script. In this example I use /OOBE as the computer is newly deployed, then it will keep the computername we assigned during OSD. I we change it the command to include /Generalize then it will of course not keep the name and generalize the installation again.
Start-Process -FilePath "C:\Windows\ccmsetup\ccmsetup.exe" -ArgumentList "/Uninstall"
Start-Sleep -Seconds 60
Wait-Process -Name "ccmsetup" -ErrorAction SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\CCM -Recurse -Force -EA SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\CCMSetup -Recurse -Force -EA SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\SMS -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCM -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCMCache -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCMSetup -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\SMSCFG.ini -Force -EA SilentlyContinue
Remove-item -Path C:\Windows\sms*.mif -Force -EA SilentlyContinue
Start-Process -FilePath "C:\windows\system32\sysprep\sysprep.exe" -ArgumentList "/oobe"
I created a package of the script and added a small file called copy.cmd file to copy the PowerShell script to C:\Windows\temp so it can be executed from there.
I run the script the last thing I do and then I let the SMSTSPostAction execute the script.
NOTE: the “Apply operating System” step must include an unattand.xml file which includes SkipOOBE otherwise our SMSTSPostaction will fail.
The end result is as expected a Windows 10 machine in OOBE and can be AzureAD Joined.
It saved me time when testing AzureAD Join and Autopilot in my lab, with different versions of Windows 10. I hope it will save you time as well.
Session Recordings from TechED Australia is now available
Set AD Computer Description during OSD
Building new boot images with the hotfix for WinPe based on 10.0.10586
About Author
Jörgen Nilsson
Add a Comment
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Hello I was wondering what the contents of copy.cmd is? and is there a way to just stop at SMSTSPostAction and delete the tasks at the bottom of that?
Thanks!
Hi,
It is simply
copy /y “%~dp0prepareOOBe.ps1” “C:\Windows\Temp”
Just to copy the Powershell script.
Regards,
Jörgen
Thanks, worked like a charm! It does however leave the ccmsetup.exe and log file, but Autopilot didn’t recognize the device as SCCM maneged anymore so everything worked out.
I confused about the task order. The copy.cmd is at the bottom and the task to run the PowerShell script is in the top series of tasks. Is this the correct order or should the PowerShell script be run after it is copied to the device.
I’ve confused on this as well.
Are they the right way round?
This is correct. The call to the script itself is listed as a task sequence variable; SMSTSPostAction. This runs at the conclusion of the task sequence. In this case it’s the command to call the script via PowerShell. At the end of the task sequence (prior to SMSTSPostAction executing) the copy.cmd script runs and makes sure the PowerShell script is present.
Do you have any information on the whole task sequence process? I would like to see the settings for each task in the whole sequence to make sure I am setting this up right? I have been struggling with using SCCM to deploy the image to my devices and get them joined to Intune and would love to see the whole process step by step.
I have made some Autopilot configuration JSON files that I would like to deploy to my devices to get them to auto-join at the OOBE screen and make so I do not have to use flash drives.
I think I am getting close as the device gets to the OOBE Screen and when I put in the configuration flash drive it joins up to Intune/AzureAD fine but under managed by it says “MDM/ConfigMgr Agent” and when I try to sign in it sits on Account Setup Identifying forever.
Hi,
While in OOBE, I do not get the Shift F10 funtionality to work. Have you come across this?
Thanks for the info, works great! I do have a strange side effect when using this with AutoPilot.
For some reason Intune will not deploy Win32 Apps to computers I have setup via AutoPilot after re-imaging this way. Intune reports them as “Waiting for Install Status”, and they never install.
If I setup the system with a clean install of Windows from a USB key, AutoPilot + Install of Win32 Apps works flawlessly.
Strange issue, just thought I would throw it out there in hopes that someone has dealt with this before.
What Configuration Manager version are you using?
Regards,
Jörgen
Is there any reason that you can think of, that this wouldn’t work when using White Glove?
No, maybe only if there are some leftovers from the cmclient.
Regards,
Jörgen
Hi
Im seeing a strange error using this method which results in a failed AutoPilot Enrollment with the error code 0x800705b4.
I get this on a Hyper-V User Driven Enrollment the same on a physical device. I understand this is meant to be something with the TPM and despite disabling Bitlocker in the SCCM TS before deploying the new OS for AutoPilot it fails every time.
Do you have any idea why this could be happening.
Thanks
hi.
Problem with this approach is that sometimes 3rd party may prevent from successful sysprep. For example, sometimes you can get an error :
Sing-in process Initialization Failure
interactive sign-in process initializaiton has failed
Please check the even log for details
This is caused by SMSTSPostAction running prior the logonUI, thus breaking the whole process.
Depending how the image is built, most usual issue we found is with Office package included.
Approach that worked for me was to add Autologon to Unattend.xml with logon count : 1 and add RunOnceRegistry to run your OOBE script after Administrator logs in for the 1st time.
Hi, Correct, I used a custom unattend.xml file with SKipMachineOOBE in which solves the issue.
Regards,
Jörgen
The install + reset to OOBE works fine. But uninstalling CM agent doesnt work in my environment. CCMSetup.exe is removed and the Agent becomes bricked, only service is removed, but the software is still installed(Agent GUI). Any Ideas?
Hi, sorry for the late reply, it should be solved with the update I did now.
Regards,
Jörgen