cancel
Showing results for 
Search instead for 
Did you mean: 

Windows Zero Touch Deployment

shawnshakir
Novitiate I

I was wondering if JumpCloud has a zero-touch like experience for windows machines. Essentially, we are a fully remote company with users all across the world, so having a machine shipped to IT to setup and then ship to the user wouldn't be ideal. Providing steps to users to change user names, machine names and then binding their OKTA account and having them reboot is also quite of a task. I know there is no way to do it like DEP for macOS, but something a bit cleaner would be nice. Open to all ideas here! 

3 REPLIES 3

JuergenKlaassen
Novitiate II

Hi Shawn

By reading your message, I assume that you're ok if your users have some tool/configuration for them to get started (self-serve manner)?

The first 3 approaches coming to my mind here are: 
a) a Windows Provisioning Package
b) a custom script using JumpCloud's PS-Module (I wrote about that previously here)
c) a custom factory image loaded to your machines before shipping them to users
(or even a combination a to c)

More on a)

Provisioning Packages for Windows are very similar to Mobile Configuration Files for Macs (mobileconfig).
They are based on an XML-structure carrying configurations and payloads which can be applied to a computer.

In the case of Provisioning Packages for Windows such will be packaged and encrypted (optional).
Once done, these packages are distributed and applied in the following ways:

Packages are created by using the Windows Configuration Designer (WCD) which is freely available either via Windows ADK or the Windows Store.
There’s also a PS-module available to create simple packages. 

You can follow the wizard or create very custom settings and configurations when using the WCD.
The default "Desktop Wizard" can do the following:

  • Set device name (i.e. PREFIX-%SERIAL%)
  • Upgrade the Windows Product edition
  • Configure the device for shared use
  • Remove pre-installed software
  • Configure a wifi network
  • Create a local administrator account
  • Add applications -> This can be used to install our JumpCloud Agent
  • Add certificates

If you would want to bundle the agent, this would bloat the package quite a fair bit, but you can also bundle a powershell script which downloads/installs the agent.
Scripts can't be interactive though (they will not be shown during execution). 

More on c:
If you're working with Dell (for example) you could make use of their offerings around Image Assist.
(Registration and Download). 
You could consider to 'just' make use of a custom Unattend.XML which will be bundled into your OS out of the factory - or you can submit a fully customised image if it's worth effort. 
If you would use a custom Unattend.XML, it can control the OOBE experience (set the computer name, create an admin etc) and you also have the option add Commands. 
For example a Synchronous Command (before Logon of a user) could download our agent and a First Logon Commands triggers the installation of the agent. 
Alternatively you could also download a script from a bucket and the second command would trigger that script once logged on.
Screenshot 2022-08-03 at 2.35.03 PM.png


One question I got from your initial post: You don't assign users via JumpCloud, but binding Okta accounts instead?




 

narbeh
Novitiate I

Great idea @JuergenKlaassen ,

regarding bind the user automatically to the device (JIT provisioning of user account in windows) rather than running a PS script or manual intervention would be nice.

is there any workarounds?

Thanks @narbeh 

The only option I've figured out until now to 'automatically' bind the user is by running a PS script using the JumpCloud PS-module. 
I'm extracting the System ID and then look it up (set in a custom attribute on the user). 
I wrote about it here a while ago. In the meantime I'm reading the System ID straight from the config of the agent instead querying the SN. 

To do it automatically, there would need to be a 'lookup table' within JumpCloud itself.