How to show OOBE for AzureAD Join after OSD with SCCM
Updated 2021-06-09
– Added some additional cleanup in the script to make sure it removes the CM client, otherwise the computer will be “co-managed” in Intune even if it isn’t. Also added info about the SkipOOBE in unattend.xml
I am writing this post because I am lazy and already have Configuration Manager in my lab. But it is useful in other scenarios as well to get the latest version of Windows 10 on a computer before testing AzureAD Join/Autopilot for example. It is also useful in Self-deploying Autopilot scenarios which isn’t supported by the existing Autopilot Task sequence for existing devices.
When I am testing more and more scenarios with AzureAD Join and Autopilot I ended up doing this little workaround to be able to deploy Windows 10 using Configuration Manager, uninstall the SCCM client and then reboot the machine and come up in OOBE.
Fellow MVP Per Larsen wrote a blog post on how to do it with MDT a while back which is great, if you use MDT have a look at it https://osddeployment.dk/2016/08/26/how-to-show-oobe-for-azuread-join-after-mdt-deployment/
I use a little Powershell script that uninstalls the SCCM client and then run Sysprep on the machine which I trigger using the SMSTSPostAction command.
The PowerShell script. In this example I use /OOBE as the computer is newly deployed, then it will keep the computername we assigned during OSD. I we change it the command to include /Generalize then it will of course not keep the name and generalize the installation again.
Start-Process -FilePath "C:\Windows\ccmsetup\ccmsetup.exe" -ArgumentList "/Uninstall"
Start-Sleep -Seconds 60
Wait-Process -Name "ccmsetup" -ErrorAction SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\CCM -Recurse -Force -EA SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\CCMSetup -Recurse -Force -EA SilentlyContinue
Remove-Item -Path HKLM:\SOFTWARE\Microsoft\SMS -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCM -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCMCache -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\CCMSetup -Recurse -Force -EA SilentlyContinue
Remove-Item -Path C:\Windows\SMSCFG.ini -Force -EA SilentlyContinue
Remove-item -Path C:\Windows\sms*.mif -Force -EA SilentlyContinue
Start-Process -FilePath "C:\windows\system32\sysprep\sysprep.exe" -ArgumentList "/oobe"
I created a package of the script and added a small file called copy.cmd file to copy the PowerShell script to C:\Windows\temp so it can be executed from there.
I run the script the last thing I do and then I let the SMSTSPostAction execute the script.
NOTE: the “Apply operating System” step must include an unattand.xml file which includes SkipOOBE otherwise our SMSTSPostaction will fail.
The end result is as expected a Windows 10 machine in OOBE and can be AzureAD Joined.
It saved me time when testing AzureAD Join and Autopilot in my lab, with different versions of Windows 10. I hope it will save you time as well.
SCCM 2007 hotfixes – June 2010
Move the computer to the correct OU during OSD – PS version
Creating a dynamic Azure AD Group for Corporate owned devices
About Author
Jörgen Nilsson
Add a Comment
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Hello I was wondering what the contents of copy.cmd is? and is there a way to just stop at SMSTSPostAction and delete the tasks at the bottom of that?
Thanks!
Hi,
It is simply
copy /y “%~dp0prepareOOBe.ps1” “C:\Windows\Temp”
Just to copy the Powershell script.
Regards,
Jörgen
Thanks, worked like a charm! It does however leave the ccmsetup.exe and log file, but Autopilot didn’t recognize the device as SCCM maneged anymore so everything worked out.
I confused about the task order. The copy.cmd is at the bottom and the task to run the PowerShell script is in the top series of tasks. Is this the correct order or should the PowerShell script be run after it is copied to the device.
I’ve confused on this as well.
Are they the right way round?
This is correct. The call to the script itself is listed as a task sequence variable; SMSTSPostAction. This runs at the conclusion of the task sequence. In this case it’s the command to call the script via PowerShell. At the end of the task sequence (prior to SMSTSPostAction executing) the copy.cmd script runs and makes sure the PowerShell script is present.
Do you have any information on the whole task sequence process? I would like to see the settings for each task in the whole sequence to make sure I am setting this up right? I have been struggling with using SCCM to deploy the image to my devices and get them joined to Intune and would love to see the whole process step by step.
I have made some Autopilot configuration JSON files that I would like to deploy to my devices to get them to auto-join at the OOBE screen and make so I do not have to use flash drives.
I think I am getting close as the device gets to the OOBE Screen and when I put in the configuration flash drive it joins up to Intune/AzureAD fine but under managed by it says “MDM/ConfigMgr Agent” and when I try to sign in it sits on Account Setup Identifying forever.
Hi,
While in OOBE, I do not get the Shift F10 funtionality to work. Have you come across this?
Thanks for the info, works great! I do have a strange side effect when using this with AutoPilot.
For some reason Intune will not deploy Win32 Apps to computers I have setup via AutoPilot after re-imaging this way. Intune reports them as “Waiting for Install Status”, and they never install.
If I setup the system with a clean install of Windows from a USB key, AutoPilot + Install of Win32 Apps works flawlessly.
Strange issue, just thought I would throw it out there in hopes that someone has dealt with this before.
What Configuration Manager version are you using?
Regards,
Jörgen
Is there any reason that you can think of, that this wouldn’t work when using White Glove?
No, maybe only if there are some leftovers from the cmclient.
Regards,
Jörgen
Hi
Im seeing a strange error using this method which results in a failed AutoPilot Enrollment with the error code 0x800705b4.
I get this on a Hyper-V User Driven Enrollment the same on a physical device. I understand this is meant to be something with the TPM and despite disabling Bitlocker in the SCCM TS before deploying the new OS for AutoPilot it fails every time.
Do you have any idea why this could be happening.
Thanks
hi.
Problem with this approach is that sometimes 3rd party may prevent from successful sysprep. For example, sometimes you can get an error :
Sing-in process Initialization Failure
interactive sign-in process initializaiton has failed
Please check the even log for details
This is caused by SMSTSPostAction running prior the logonUI, thus breaking the whole process.
Depending how the image is built, most usual issue we found is with Office package included.
Approach that worked for me was to add Autologon to Unattend.xml with logon count : 1 and add RunOnceRegistry to run your OOBE script after Administrator logs in for the 1st time.
Hi, Correct, I used a custom unattend.xml file with SKipMachineOOBE in which solves the issue.
Regards,
Jörgen
The install + reset to OOBE works fine. But uninstalling CM agent doesnt work in my environment. CCMSetup.exe is removed and the Agent becomes bricked, only service is removed, but the software is still installed(Agent GUI). Any Ideas?
Hi, sorry for the late reply, it should be solved with the update I did now.
Regards,
Jörgen
Good moring, I have just used this method to get our custom image to reboot and enter the OOBE, The above method would not work for me however by spliting the steps up and after OD install copy the PS to temp, then at the end of the TS run the PS script it works great.
The issue i have is that once the device is in intune it works perfectly, however upon reboot the device will not boot, it just sits at black screen with revolving progress dots but will never procede.
If i remove the Steps above the device works fine.
I have enabled bootlogging but as i cant get in i can access it just now, i am about to try winpe to access the logs and will report back.
Has anyone else had this issue or can think of what could be going on?
Thanks.
Turns out the bootlogging gave up that the DXGKRNL.SYS driver is not loading.
I cant understand what is being done during the running of the script, that the device will work great until its first reboot then fail to load a Graphics Driver.
Any input would be welcome.
Thanks
Hi, was doing this Task sequence for an offline PC (has internet but off from SCCM) using an ISO via USB. The OOBE appears to work but it doesn’t remove the sccm client. Reason why is because I need to join the PC to Azure AD. Thanks in advance for your inputs.
Hi,
Check and make sure that the SMSTSPOstaction ran succesfully
Regards,
Jörgen
Did you get this working? I have the exact same issue (black screen spinning wheel after reboot)
Hi,
Just tested it again works great. Must use a Custom Unattend.xml file that does NOT skip Machineboobe.. Otherwise it will fail.
Regards,
Jörgen
I’m confused, in the screenshot it says skipmachineoobe TRUE. I’m running 21H1 and the script removes de SCCM client and does a sysprep fine. after a users logs in, completes the enrollement process and reboots the device it hangs on a black screen with the spinning wheel just like @Kevin McG.