Who can do this?
Configuration Manager administrators with permissions to create Task Sequences in Configuration Manager.
What is it for?

Use this when an In-Place upgrade is not possible and you need to wipe the old operating system before installing the new operating system and migrate user data and applications.

What you need to do

In Configuration Manager, create the WSA Script Package first. Next, create the base task sequence and then customize it with logic to execute the Capture Data and Settings Task Sequence.

What is the Wipe and Load Non-destructive Task Sequence?

For some types of migration, the Windows 10 In-place Upgrade type deployment cannot be used. Migrating from x86 to x64 architecture, from third-party disk encryption to BitLocker, or between base OS languages all require a Wipe and Load type Task Sequence deployment.

A Wipe and Load type Task Sequence deployment is designed to perform a fresh installation of the OS with user applications being installed and data restored. In performing these tasks, a Wipe and Load Task Sequence can be either Destructive or Non-Destructive. A Non-Destructive Task Sequence implements the 'Refresh' OSD scenario, and will apply the OS image to the disk without reformatting and the existing disk partitions are preserved. In this case, the Apply OS Image Task Sequence step will perform a file level wipe of the boot partition before applying the OS image. The Apply OS Image step is able to preserve portions of the original file system, allowing data such as previously downloaded content and captured user state to remain on the disk.

WSS supports the configuration of separate Destructive and Non-Destructive Task Sequences. Both Task Sequences support WSA and non-WSA type deployments. The task sequences are also configured to support BIOS to UEFI conversion and firmware configuration. Although not yet supported by WSA, the Destructive Task Sequence also supports the Bare-Metal deployment scenario. Using boot media or PXE, this allows a deployment to be launched from within WinPE, i.e. an existing OS installation is not required.

Before creating the Wipe and load Non-destructive task sequence, create the following Packages in Configuration Manager:

  1. An Operating System Image Package. Refer to https://docs.microsoft.com/en-us/sccm/osd/get-started/manage-operating-system-images for further details.
  2. A WSA Scripts package. Refer to Windows Servicing Assistant Scripts package for further details.
  3. A Setup WinPE Boot package. Refer to Setup WinPE Boot Package for further details.
  4. The 1E OEM Toolkit package. Refer to BIOS to UEFI 1.4 - Installation: Launching the Create 1E OEM Toolkit Package wizard for details of creating this package.

Wipe and load without user state migration

The Task Sequence detailed below assumes the Windows Servicing Assistant will be used to capture data and settings from the current OS and migrate these, along with applications, to the new OS. If you only want to migrate applications using the Windows Servicing Assistant and want to skip user state migration, you can add a condition to the Capture Files and Settings group and Restore User Files and Settings group so they only execute if the TS variable 1ESkipUserStateCapture is not true. 1ESkipUserStateCapture is set by the WSA Actions - Initialize step if the option Do not capture user files and settings is enabled in the Data Capture tab of the Wipe and Load Non-destructive WSA Application settings. If you will never use user state migration, you can remove the Capture Files and Settings group and Restore User Files and Settings group altogether, but you must still enable the option Do not capture user files and settings in the Data Capture tab of the Wipe and Load Non-destructive WSA Application settings, otherwise WSA will fail as it will attempt to locate these steps in the Task Sequence when it determines how much space is required.

This feature requires Nomad hotfixes Q20391 (Nomad Branch client) and Q20393 (Nomad Branch Tools), which update the WSA Actions - Initialize step to create the 1ESkipUserStateCapture variable.

Creating the Wipe and Load Non-Destructive base task sequence

Nested Task Sequences

The Windows Servicing Assistant (WSA) does not currently support nested Task Sequences (Task Sequences that include the Run Task Sequence step). If your Task Sequence includes Run Task Sequence steps, WSA will fail. You will need to copy the steps from the included Task Sequence and paste them into a group in the WSA Task Sequence.

The process and procedure is described below.

To create the Wipe and Load Non-Destructive Task Sequence:

  1. From the Configuration Manager console, select the Software Library workspace.
  2. Expand the Operating Systems tree and choose Task Sequences.

    Creating a new task sequence in Configuration Manager

    1. Right-click Task Sequences.
    2. From its context menu, choose Create Task Sequence.
  3. On the Create New Task Sequence screen:

    Creating a new custom task sequence

    1. Select the Install an existing image package option.
    2. Click Next.
  4. On the Task Sequence Information screen:

    1. In Task sequence name, enter a logical name for it. For example, Computer Refresh.
    2. In Description, enter a description for it.
  5. On the Install Windows screen:

    1. In Image package, select the image package you want.
    2. In Image index, select the image index you want.
    3. Uncheck the option Partition and format the target computer before installing the operating system. As this is a non-destructive Task Sequence, the disk partition/format cannot be changed.
    4. In Product key, enter your Windows operating system licence key.
    5. Select the administrator password option that suits your security policy. Enter and confirm the local admin password if the administrator account is to be enabled.
    6. Click Next.
  6. On the Configure Network screen:

    1. Select the Join a domain option.
    2. Enter or browse for the Domain and Domain OU that the machine should be joined to. Note that you must specify a valid OU and cannot use the Computers container.
    3. In Account, enter the name of the account you want to use to join the domain.
    4. Click Next.
  7. On the Install Configuration Manager screen:

    1. If required, add any Installation Properties specific to your environment and click Next.
  8. On the State Migration screen:

    1. Ensure the Capture user settings and files option is selected.
    2. Ensure the USMT Package refers to the correct USMT package (click Browse to locate the USMT package if necessary).
    3. Select the Save user settings and files locally option and check the option Capture locally by using links instead of by copying files.
    4. Click Next.
  9. On the Include Updates screen:

    1. Select the Required for installation – Mandatory software updates only option.
    2. Click Next.
  10. On the Install Applications screen:

    1. Define the applications to be installed by the task sequence after the OS has been upgraded.
    2. Click Next.
  11. On the Nomad Settings screen:

    1. Select the Enable Nomad – Modifies currently associated reference packages option.
    2. Click Next.
  12. On the Summary screen:

    1. Review your settings.
    2. Click Next.
    3. When the Create Task Sequence wizard completes, click Close.

The process for customizing the base task sequence

The base task sequence

The Task Sequence to the left is the base task sequence created from the previous steps. We are going to extend this base task sequence by adding action steps, as well as groups and sub-groups with their own action steps. As you build the task sequence, define the behavior for groups and add the logic to each of the steps you create.

In our example, at the root of the task sequence we are going to create:

  • (2) two 1E WSA Actions steps (one to initialize the task sequence and the other to finalize it)
  • (3) a Main group (to contain all the other actions, groups and their sub-groups and associated task sequences actions)

Within the Main group, we are going to customise by:

  • adding new groups to it
  • adding new steps to it
  • moving groups from our base task sequence into it
  • renaming some of the groups from our base task sequence

The process and procedure follow:

  1. On the Configuration Manager console, right-click the Wipe and Load Non-Destructive Task Sequence from the list of task sequences.
  2. From its context menu, choose Edit.

  1. Add the 1E WSA Actions step and customize it.
  2. Create the Main group and define its behavior.
    1. Add the Set Nomad as Download Program step
    2. create the Test Connection group, define its behavior and add its child steps.
      1. add the Validate WiFi VPN Credentials step.
      2. add the Filter return codes from Validation script step
      3. add the 1E WSA Connect VPN step.
    3. Add the Set OSDBitLockerStatus step
    4. Add the Set SMSTSPostAction step
    5. Move the Capture Files and Settings group up so it becomes a direct child of the Main group
      1. add the Set DEPLOYMENTTYPE=Refresh step to the Capture Files and Settings group.
      2. In the Capture User Files and Settings group, remove the Set Local State Location step
        1. add the Get Migration Settings step.
        2. add the Update OSDMigrateAdditionalCaptureOption step.
        3. add the Set OSDMigrateAdditionalCaptureOptions step.
        4. configure the Capture User Files and Settings step.
    6. Create the Restart group, define its behavior and add its child steps.
      1. add the Disable BitLocker step.
      2. add the Setup WinPE Boot step.
      3. add the Install RasdialDisconnect Service step.
      4. add the Restart in Windows PE step.
      5. add the 1E WSA Actions step.
      6. add the Install and Configure Nomad in Windows PE step.
      7. add the Save Nomad Cache step.
      8. add the Delete temporary USB disk fill step.
    7. modify the Install Operating System group by renaming it to the Install and Setup Operating System group and remove the Restart in Windows PE step
      1. modify the conditions on the Pre-provision BitLocker step
      2. add the Cleanup Folders step.
      3. configure the Apply Operating System step.
      4. configure the Apply Windows Settings step to suit your environment.
      5. rename Apply Network Settings to Apply Network Settings (Wired in Office).
      6. copy Apply Network Settings (Wired in Office) and rename it to Apply Network Settings (Remote or on WiFi).
      7. create the Drivers sub group and add steps for the drivers.
      8. add the Copy CMTrace step.
      9. add the Stage Nomad Package step.
      10. configure the Setup Windows and Configuration Manager step.
      11. add the Install Nomad step.
      12. add the Restart Computer step.
      13. add the 1E WSA Actions step.
      14. add the Restore Nomad Cache step.
      15. create the Remote/Wfi Domain Join group, define its behavior and add its child steps:
        1. add the Connect to VPN step.
        2. add the Install RasdialDisconnect Service step.
        3. add the Join Domain or Workgroup step.
    8. Create the 1E BIOS to UEFI group, define its behavior and add its child steps.
      1. add the Disable Bitlocker step.
      2. add the Restart in Windows PE step.
      3. add the 1E WSA Actions step.
      4. add the Install and Configure Nomad in Windows PE step.
      5. add the MBR2GPT in WinPE step.
      6. Create the Firmware Settings sub group. The steps arranged here within this group are for example purposes only. Further information on using the 1E BIOS2UEFI application can be found here.
        1. add the 1E BIOS to UEFI Define Password step.
        2. add the 1E BIOS to UEFI Boot Order step.
        3. add the 1E BIOS to UEFI OEM - with Secure Boot step.
        4. add the 1E BIOS to UEFI Password set step.
      7. add the Restart Computer step.
    9. add the 1E WSA Actions step.
    10. add the Connect to VPN step.
    11. add the Create Nomad Application Policy step.
    12. add the Restart CM Service step.
    13. add the Enable BitLocker step.
    14. add the Install Updates step.
    15. add the 1E WSA Actions step.
    16. add the Connect to VPN step.
    17. add the Restart CM Service step.
    18. add the Sleep time for CM client initialize step.
    19. add the Install Tachyon Agent step.
    20. Rename the Setup Operating System group to Install Migrated Applications.
      1. add the Get Migration Settings step.
      2. add the 1E Application Migration step.
      3. Create the Install Migrated Apps group, and add its child steps:
        1. add the Sleep Time for CM Client Initialize step.
        2. add the Install Migrated Applications step.
      4. add the Install Migrated Packages step.
    21. Move the Restore User Files and Settings group so that it becomes a direct child of the Main group.
      1. Configure the Restore User Files and Settings step.
    22. add the Uninstall RasdialDisconnect Service step.
  3. Add the 1E WSA Actions step.

Customizing the base task sequence

To customize the newly created task sequence with sequential steps to specifically address the destructive wipe and load:

  1.  Initializing the task sequence

    In the Task Sequence Editor, click Add and from the menu, choose 1E OSD > 1E WSA Actions.

    This step connects to 1E Shopping to determine if the deployment was initiated through the Windows Servicing Assistant (i.e. if a WSA order exists for this PC). If so, and the installed Nomad version supports WSA, it will define a number of Task Sequence variables based on the WSA deployment settings and selections made by the user when they ran the assistant. If there is no WSA order for the PC, the step will simply exit and the Task Sequence will continue as a standard deployment. Refer to Nomad 6.3 - 1E WSA Actions for further details on using this step.

    On the Properties tab:
    1. Select the Initialize option.
    2. In Shopping URL:, enter the location for the Shopping Web. For example, http://<ShoppingHostHeader>/Shopping

    On the Options tab:
    1. Choose Add Condition > Registry Setting.
    2. Enter the following details:

      Root Key: HKEY_LOCAL_MACHINE
      Key: SOFTWARE\1E\NomadBranch
      Condition: greater than or equals
      Value name: ProductVersion
      Value type: REG_SZ
      Value: 6.3.200
    3. Click OK.
    4. Click Apply.
  2.  Create the Main group

    With the 1E WSA Actions step highlighted, click Add and choose New Group.

    Each WSA enabled task sequence is configured with a Main group where the majority of the task sequence actions occur. The behavior of the Main group is Continue on error, meaning that should any step fail within the group or any of its child groups, the task sequence will continue with the groups and steps defined outside this group, i.e. the 1E WSA Actions (Finalize) step. This ensures WSA is able to report on any task sequence failures.

    Creating the Main group

    On the Properties tab:
    • Name the group Main and ensure that it is positioned just below the 1E WSA Action step.

    On the Options tab:
    • Select the Continue on error option and click Apply.
    1.  Setting Nomad as the download program

      With the Main group selected, click Add and from the menu, choose 1E > Nomad > Set Nomad as Download Program. Right-click the step and from the context menu, choose Move Up so it becomes a child of the Main group and click OK. No additional settings are required for this step.

      This step sets Nomad as the download program for all Task Sequence content so should be added at the top of the Main group before any content is required. Refer to Nomad 6.3 - Set Nomad as download program for further details on using this step.

    2.  Creating the Test Connection group

      With the Set Nomad as Download Program step selected, click Add and choose New Group.

      This group contains steps that will validate the WiFi and VPN credentials entered by the user in the Windows Servicing Assistant. If the Task Sequence was not initiated through WSA (i.e. 1EWSA is not True), this group will be skipped. If the Task Sequence was initiated through WSA, this group will validate the credentials by disconnecting WiFi and VPN (if applicable) and attempting to reconnect using the supplied credentials. If the validation fails, the Task Sequence will fail and the user will be notified through the final WSA page that there was a problem with either the WiFi or VPN credentials. This group is included in the Task Sequence to fail before doing anything destructive on the PC if there are any problems with the supplied credentials.

      On the Properties tab:
      • Name the group Test Connection.

      On the Options tab:
      1. Choose Add Condition > Task Sequence Variable.
      2. Enter the following details:

        Variable: 1EWSA
        Condition: equals
        Value: True
      3. Click OK.
      4. Click Apply.

      When the task sequence runs, connectivity to the Configuration Manager site must be maintained after any system restart into the full OS. Throughout the task sequence, the 1E WSA Actions step attempts to automatically establish WiFi connections (using WSA gathered credentials) when either of the Refresh Content Locations or Switch Between online and offline content options are selected.

      For locations using VPN, the Connect to VPN step uses the ConnectVPN.PS1 PowerShell script to establish a VPN connection. Provided the VPN profile name has been defined in the task sequence, VPN connection credentials have been entered while running the Assistant, and an external network exists, the script will attempt to establish the connection.

      Currently, WSA has been developed for use with the Microsoft VPN Client. The VPN connection process within WSA can be extended to accommodate other VPN client solutions. Future releases of WSA will also support solutions implementing two factor authentication, where user input may be required at the time the connection is established.

      The steps defined within the Test Connection group are designed to exercise the connection credentials supplied by the user when they ran the WSA wizard and establish their validity before proceeding any further in the task sequence.

      1.  Validating the WiFi and VPN credentials

        With the Test Connection group highlighted, click Add and from the menu, choose General > Run PowerShell Script.

        On the Properties tab:
        1. Enter the following details:

          Step Parameter: Value
          Name: Validate WiFi VPN Credentials
          Description: Validate WiFi and VPN connections using WSA gather credentials.
          Package: Browse to the WSA Scripts package
          Script name: ValidateWiFiVPNCreds.ps1
          Parameters: -VPNProfile <VPNProfile>
          PowerShell Execution Policy: Set this to Bypass
        2. Click Apply.

        On the Options tab:
        • Set Continue on error.

        There is a known issue where a Run PowerShell Script step can erroneously return 1 to the Task Sequence, causing this step to fail even though the script completes successfully. This step is configured to continue on error, but the next step will report back any actual error to the Task Sequence if the return code from this step is neither 0 nor 1.

        Both the ValidateWiFiVPNCreds.ps1 script and the VPN connection script ConnectVPN.PS1 require a VPN profile name in order to establish the connection. <VPNProfile> must be the same name defined in the rasphone.pbk included in the WSA Scripts Package. If the profile name includes spaces, surround it in single quotes (e.g. '1E (UK)'). If rasphone.pbk includes multiple profiles (e.g. US and UK), the parameter can be configured to use a Collection variable (e.g. -VPNProfile '%VPNProfile%'). If you use this approach, ensure there is a Collection variable named VPNProfile defined for all clients that will run WSA, otherwise this step in the Task Sequence will fail.

      2.  Filtering the return codes from the validation script
        • With the Validate WiFi VPN Credentials step selected, click Add and from the menu choose General > Run Command Line.

          This step is to work around an issue when running PowerShell script steps where a command in the script returns 1 but the script does not error and completes successfully. CM reports this as an error even though the ValidateWiFiVPNCreds.ps1 script finally exits with 0. The step will be skipped if the last action (Validate WiFi VPN Credentials) returns either 0 or 1 and the Task Sequence will continue to execute. Otherwise it will return the actual return code from the Validate WiFi VPN Credentials and the TS will fail.

          On the Properties tab:
          1. Enter the following details, leaving the remaining options unchecked.

            Step parameter: Value
            Name: Filter return codes from Validation script
            Description: Allows TS to continue if the previous step returns 0 or 1, otherwise fails with the return code of the previous step
            Command line: cmd /c exit %_SMSTSLastActionRetCode%
          2. Click Apply.

          On the Options tab:
          Click Add Condition and choose Task Sequence Variable, configure the condition as follows and click OK.

          Variable: _SMSTSLastActionRetCode
          Condition: not equals
          Value: 1

          Click Add Condition and choose Task Sequence Variable, configure the condition as follows and click OK.

          Variable: _SMSTSLastActionRetCode
          Condition: not equals
          Value: 0
      3.  Adding the Connect to VPN step

        Click Add and from the menu, choose General > Run PowerShell Script. Browse to the VPN connection script package.

        This step establishes a VPN connection if the Task Sequence was initiated by a remote user through WSA.

        On the Properties tab:
        1. Enter the following details:

          Step Parameter: Value
          Name: Connect to VPN
          Description: Connect VPN using WSA collected credentials
          Package: Browse to the WSA Scripts package
          Script Name: ConnectVPN.ps1
          Parameters: -VPNProfile <VPNProfile>
          PowerShell Execution Policy: Set this to Bypass

          <VPNProfile> must be the same name defined in the rasphone.pbk included in the WSA Scripts Package.

        2. Click Apply.

        On the Options tab:
        1. Choose Add Condition > Task Sequence Variable.
        2. Enter the following details:

          Variable: 1EWSA_RemoteUser
          Condition: equals
          Value: True
        3. Click OK.
        4. Click Apply.
    3.  Setting the OSD BitLocker status

      Click Add and from the menu, choose General > Set Task Sequence Variable.

      This step sets the OSDBitLockerStatus variable to Protected if the C: drive is protected when the Task Sequence starts. It is used later in the Task Sequence to enable BitLocker if it was enabled and the drive was protected before the upgrade when the Task Sequence started.
      On the Properties tab:
      1. Enter the following details:

        Step parameter: Value
        Name: Set OSDBitLockerStatus
        Task Sequence Variable: OSDBitLockerStatus
        Value: Protected
      2. Click Apply.

      On the Options tab:
      1. Click Add Condition and choose WMI Query.
      2. Enter the following details:

        WMI Namespace: root\cimv2\security\MicrosoftVolumeEncryption
        SELECT *
        FROM win32_encryptablevolume
        WHERE driveletter = 'c:'
        AND protectionstatus = '1'
      3. Click OK.
      4. Click Apply.
    4.  Adding the SMS task sequence post action step

      Click Add and from the menu, choose General > Set Task Sequence Variable.

      This optional step causes the system to reboot after completion of the Task Sequence by setting the SMSTSPostAction variable.

      On the Properties tab:
      1. Enter the following details:

        Step parameter: Value
        Name: Set SMSTSPostAction
        Task Sequence Variable: SMSTSPostAction
        Value: shutdown.exe /r /t 30
      2. Click Apply.

      On the Options tab:
      • No action required.
    5.  Relocating the Capture Files and Settings group
      Locate the Capture Files and Settings group (created in the original base task sequence) and move it up so it is a child of the Main group at the same indent level as the Test Connection group and starts after the Set SMSTSPostAction step.
      1.  Setting the deployment type to Refresh

        With the Capture Files and Settings group highlighted, click Add and from the menu, choose General > Set Task Sequence Variable.

        This step sets the variable DEPLOYMENTTYPE to Refresh to indicate that this is a refresh type deployment. The Capture Files and Settings group that contains this step is only executed if the Task Sequence starts in the full OS, which implies this is a Refresh (Wipe and load) scenario. The DEPLOYMENTTYPE variable is used by the 1E Get Migration Settings step later in the TS. For more information refer to Nomad 6.3 - Get migration settings.

        On the Properties tab:
        1. Enter the following details:

          Step parameter: Value
          Name: Set DEPLOYMENTTYPE=Refresh
          Task Sequence Variable: DEPLOYMENTTYPE
          Value: Refresh
        2. Click Apply.

        On the Options tab:
        • No action required.
      2. In the Capture User Files and Settings group, remove the Set Local State Location step.

        1.  Setting the Get Migration step

          Click Add and from the menu, choose 1E Nomad > Get Migration Settings.

          The Get Migration Settings step is responsible for setting the USMT encryption key and also the source computer name (stored in both PBAComputer and SourceComputerName variables) that will be used later in the Task Sequence. For further information on using this step, refer to Nomad 6.3 - Get migration settings.

          On the Properties tab:
          1. Select the Capture user state option.
          2. Click Apply.

          On the Options tab:
          • No action required.
        2.  Updating the OSD Migrate Additional Capture Option step

          Click Add and from the menu, choose General > Set Task Sequence Variable.

          This optional step defines additional configuration options for USMT data capture. The native OSD task sequence variable OSDMigrateAdditionalCaptureOptions is used to modify the behavior of the user state capture process. By default, USMT will capture domain and local user account data and settings defined by the built-in capture files, migapp.xml and migdocs.xml. The example below shows how to exclude local user accounts (migrating local user profiles can be problematic if the local user account does not exist in the new OS). There may be other changes you want to make to the capture options. The Update OSDMigrateAdditionalCaptureOptions step executes if the variable has already been set (for example by the 1E WSA Actions step during initialization to configure user folder capture and encryption) and appends the new options to the existing variable value.
          On the Properties tab:
          1. Enter the following details:

            Step parameter: Value
            Name: Update OSDMigrateAdditionalCaptureOptions
            Task Sequence Variable: OSDMigrateAdditionalCaptureOptions
            Value: %OSDMigrateAdditionalCaptureOptions% /ue:%computername%\*
          2. Click Apply.

          On the Options tab:
          1. Click Add Condition and choose Task Sequence Variable.
          2. Enter this detail:

            Variable: OSDMigrateAdditionalCaptureOptions
            Condition: exists
          3. Click OK.
          4. Click Apply.
        3.  Setting the OSD Migrate Additional Capture Options step.

          Click Add and from the menu, choose General > Set Task Sequence Variable.

          This step is similar to the previous step, but it only executes if the OSDMigrateAdditionalCaptureOptions does not already exist. It sets the variable to whatever additional options you want to include - the example shown will exclude local user accounts.
          On the Properties tab:
          1. Enter the following details:

            Step parameter: Value
            Name: Set OSDMigrateAdditionalCaptureOptions
            Task Sequence Variable: OSDMigrateAdditionalCaptureOptions
            Value: /ue:%computername%\*
          2. Click Apply.

          On the Options tab:
          1. Click Add Condition and choose Task Sequence Variable.
          2. Enter this detail:

            Variable: OSDMigrateAdditionalCaptureOptions
            Condition: not exists
          3. Click OK.
          4. Click Apply.
        4.  Configuring the Capture User Files and Settings step

          Select the Capture User Files and Settings step.

          If the Task Sequence is initiated through a WSA application that enabled the user to select files and folders to back up, the files and folders that the user selected will be captured in addition to whatever options are defined in this step. For example, if this step has the option Capture all user profiles by using the standard options selected then the Task Sequence will execute the capture using MigApp.xml and MigDocs.xml (note that MigDocs.xml will capture most files wherever they are on the PC, which in most cases makes the user selection in WSA redundant). If the option Customize how user profiles are captured is selected, the Task Sequence will execute the capture using whatever configuration files are defined in the step, in addition to the custom configuration file created based on the user selections in the Windows Servicing Assistant. If you are using WSA, a good starting point would be to select Customize how user profiles are captured and add MigApp.xml and MigUser.xml to the list of files. If you are using WSA and only want the user-selected files and folders to be captured, select Customize how user profiles are captured but do not define any files.

          On the Properties tab:
          1. Ensure the correct USMT package is selected. If necessary click Browse to locate the USMT package.
          2. Ensure Capture locally by using links instead of by copying files is checked. As this Task Sequence will not format or repartition the disk, USMT data can be linked into the temporary Task Sequence data store and preserved until it needs to be restored.
          3. Configure the step to suit your user data and settings capture requirements (see info panel above).

          On the Options tab:
          1. Select the Continue on error option.
          2. Click Apply.
    6.  Creating the Restart group

      Click Add and from the menu choose New Group. Move the new group down so it is a child of the Main group, i.e. it appears at the same indent level as Capture Files and Settings.

      Creating the Restart group

      On the Properties tab:
      • Name the group Restart.

      On the Options tab:
      1. Click Add Condition and choose Task Sequence Variable.
      2. Enter the following details:

        Variable: StartedInWinPE
        Condition: not equals
        Value: True
      3. Click OK.
      4. Click Apply.
      1.  Adding the Disable BitLocker step

        Locate and delete the Disable BitLocker step created in the base Task Sequence (Capture Files and Settings group). Select the Restart group, click Add and from the menu, choose General > Run Command Line. Ensure the new step appears as the first step in the Restart group.

        This step replaces the native Disable BitLocker step with a command-line step that uses the manage-bde command-line interface to disable BitLocker protection for all reboots until configured otherwise. The default CM step will only disable BitLocker for the next reboot.

        On the Properties tab:
        1. Enter the following details:

          Step parameter: Value
          Name: Disable BitLocker
          Command line: manage-bde -protectors -disable C: -RC 0
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable: OSDBitLockerStatus
          Condition: equals
          Value: Protected
        3. Click OK.
        4. Click Apply.
      2.  Adding the Setup WinPE Boot step

        Click Add and from the menu, choose General > Run PowerShell script.

        This step is a workaround for an issue where Configuration Manager may stage the Windows PE boot image on a connected USB disk if it is larger than the local disk and then not be able to boot from it. The step creates a temporary file on the USB drive that fills it so CM cannot stage the boot image on the disk. The temporary file is later removed with the Teardown.ps1 script.

         

        On the Properties tab:
        1. Browse to the script package and enter these details:

          Step parameter | Value
          Name | Setup WinPE Boot
          Description | Prevents TS staging the boot image onto a large USB disk by temporarily filling it.
          Package | Browse to the Setup WinPE Boot package
          Script name | SetupWinPEBoot.ps1
          Parameters | (blank)
          PowerShell Execution Policy | Set the PowerShell execution policy to Bypass.
        2. Click Apply.

        On the Options tab:
        No action required.


      3.  Installing the RasDialDisconnect service

        Click Add and from the menu, choose General > Run Command Line.

         

        This is an optional step to work around an issue identified on some Dell PCs where restarting the PC when connected to VPN on a wireless connection would cause the PC to blue-screen. It installs a service that disconnects the VPN connection when a shutdown is requested by the OS, which has been observed to prevent the blue-screen. The RasdialDisconnect service is installed using InstallRasdialDisconnectService.bat. A step is included towards the end of the TS to uninstall the service.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Install RasdialDisconnect service
          Command line | InstallRasdialDisconnectService.bat
        2. Check the Package option and browse to the WSA Scripts package.
        3. Click Apply.

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | 1EWSA_RemoteUser
          Condition | equals
          Value | True
        3. Click OK.
        4. Click Apply.
      4.  Restart in Windows PE

        Click Add and from the menu, choose General > Restart Computer.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Restart in WinPE
          The boot image assigned to this task sequence | Selected
          Notify the user before restarting | Checked
          Notification Message | A new Microsoft Windows operating system is being installed. The computer must restart to continue.
        2. Click Apply.

        On the Options tab:
        • No action required
      5.  Adding the 1E WSA Actions step

        Click Add and from the menu choose 1E OSD > 1E WSA Actions.

        The WSA Actions step must be executed after each reboot where drive letters may change or when switching between the full OS and Windows PE.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | 1E WSA Action
          Refresh Content Location | Checked
          Switch Between online and offline content | Checked
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | 1EWSA
          Condition | equals
          Value | True
        3. Click OK.
        4. Click Apply.
      6.  Installing and configuring Nomad in WinPE

        Click Add and from the menu, choose 1E Nomad > Install and Configure Nomad in WinPE.

        This step installs the Nomad agent in Windows PE. Refer to Nomad 6.3 - Install and configure Nomad in WinPE for further details on using this step.

        On the Properties tab:
        1. In License key, enter your license key.
        2. Enter the location for ActiveEfficiency in the ActiveEfficiency URL field.
        3. Configure the remaining parameters to suit your environment. It is important that the settings defined in this step correspond with the settings for existing Nomad peers on the network, otherwise the Task Sequence may not be able to obtain content from local Nomad peers.
        4. Click Apply.

        On the Options tab:
        • No action required
      7.  Saving the Nomad cache

        Click Add and from the menu, choose 1E Nomad > Save Nomad Cache.

        This step saves the Nomad cache to the temporary Task Sequence storage. Refer to Nomad 6.3 - Save Nomad cache for further details on using this step.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Operation | Move
          Wipe CCM Cache | Checked
        2. Click Apply.

        On the Options tab:
        • No action required
      8.  Deleting temporary files created to fill large USB drive to prevent boot image being staged on USB

        Click Add and from the menu, choose General > Run PowerShell Script.

        If the Setup WinPE Boot step created a temporary file to fill an attached USB disk (to prevent CM from staging the boot image on the USB disk), this step deletes that file.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Delete temporary USB disk fill
          Description | Deletes the temporary file created to fill large USB drive to prevent boot image being staged on USB
          Package | Browse to the WSA Scripts package
          Script Name | Teardown.ps1
          Parameters | (blank)
          PowerShell Execution Policy | Set this to Bypass
        2. Click Apply.

        On the Options tab:
        No action required
    7.  Setting up the Install and Setup Operating System group

      Select the Install Operating System group from our base task sequence and rename it Install and Setup Operating System – for simplicity we are combining the OS installation and Setup steps into a single group. Move it up so it appears as a direct child of the Main group and starts after the Restart group. Remove the Reboot in Windows PE step (this is no longer required as the Restart group takes care of it).

      Modifying the

      1.  Configure Pre-provision BitLocker step

        Select the Pre-provision BitLocker step and configure the following conditions.

        On the Properties tab:
        No changes required.

        On the Options tab:
        Click Add Condition and choose Task Sequence Variable.

        Enter the following details:

        Variable | OSDBitLockerStatus
        Condition | equals
        Value | true
      2.  Cleaning up folders to remove file paths with trailing spaces

        Click Add and from the menu, choose General > Run Command Line.

        The WindowsApps folder may contain file paths with trailing spaces. This can cause the disk wipe and Apply OS installation task sequence step to fail. This is a known issue when performing a non-destructive installation of the new operating system, and removing these files before attempting to do so is advised. This step removes the WindowsApps folder found on any drive letter.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Cleanup Folders
          Command line | cmd.exe /c for %a in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do @if exist %a:\"program files"\Windowsapps rmdir %a:\"program files"\Windowsapps /Q /S
        2. Click Apply.

        On the Options tab:
        • No action required
      3.  Configure the Apply Operating System step

        Ensure the Apply Operating System task reflects the correct image package and Windows edition.

      4.  Applying Windows settings that best reflect your environment

        Highlight the Apply Windows Settings step.

        On the Properties tab:
        1. Populate the fields to suit your environment.
        2. Click Apply.

        On the Options tab:
        • No action required
      5.  Setting up the Apply Network Settings (Wired in Office) step with settings that best reflect your environment

        Rename the Apply Network Settings step to Apply Network Settings (Wired in Office).

        The domain join is a critical part of the deployment process and is required to be configured differently within the TS depending on location and connection type. The domain join is usually attempted directly after the new OS image has been applied using the native Apply Network Settings step. This step not only performs a domain join, but is also responsible for making other configuration changes to the host and must be allowed to complete successfully. At the point when Apply Network Settings typically runs, when operating over wireless or VPN, connectivity to the required domain will not exist.

        In order to allow the Apply Network Settings step to complete successfully at all locations and when using all types of connection, the Apply Network Settings step is used multiple times within the TS. The step is configured with the Join a domain setting and is conditioned to only execute when the deployment is running in an Office location with a wired connection. For a deployment at a Remote location or on wireless, an additional Apply Network Settings step is set to Join a workgroup. In this case network connectivity is not required and the step will complete successfully. For Remote or wireless locations, the domain join is performed later in the TS once connectivity to the domain has been established, using a native Join domain or Workgroup step.

        On the Properties tab:
        1. Populate the domain fields to suit your environment.
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | 1EWSA_RemoteUser
          Condition | not equals
          Value | True

          Variable | 1EWSA_WiFiSSID
          Condition | not exists
        3. Click OK.
        4. Click Apply.
      6.  Creating the Apply Network Settings (Remote or on WiFi)

        Copy and paste the Apply Network Settings (Wired in Office) step so that it is positioned directly beneath the original. Rename it to Apply Network Settings (Remote or on WiFi).

        This step executes if the user is remote or if the PC is connected only to WiFi (in either of these scenarios the Task Sequence will not have access to a domain controller at this point). It joins the PC to a workgroup (the PC needs to be joined to a workgroup or domain for the CM client setup to succeed). Later, when connectivity is established, an additional step will be executed that will join the PC to the domain.

        On the Properties tab:
        1. Select the Join a workgroup option.
        2. In Workgroup, enter the name WORKGROUP.

        On the Options tab:
        1. Modify the If statement from All to Any.
        2. Modify the Task Sequence Variable conditions as follows:

          Variable | 1EWSA_RemoteUser
          Condition | equals
          Value | True

          Variable | 1EWSA_WiFiSSID
          Condition | exists

          The conditions should appear as follows

        3. Click OK.
      7.  Creating the Drivers group

        With the Apply Network Settings (Remote or on WiFi) step highlighted, click Add and from the menu, choose New Group.

        On the Properties tab:
        • Name the group Drivers – driver installation steps such as those using the Apply Driver Package step should be positioned within this group.

        On the Options tab:
        • No action required

        Where device drivers are concerned, each hardware model targeted by the task sequence will require its own set of device drivers to be installed. The most common means of doing this is to use one or more native Apply Driver Package steps. Typically, organisations will be using many different models of computers. Within the task sequence, each model requires its own Apply Driver Package step, with the step conditioned using a WMI query referencing the correct make and model. For example, an Apply Driver Package step supporting a DELL Latitude 7480 is conditioned as follows:

        WMI Namespace | WQL Query
        root\cimv2 | Select * from Win32_ComputerSystem WHERE Model Like '%Latitude 7480%'

        Task sequence driver installation implemented in this way is supported in WSA insofar as only that driver package whose WMI query matches the host make and model will be downloaded as part of WSA readiness. WSA also provides the option of failing the readiness, should it not be able to identify a matching driver package in the Task Sequence.

        Other means of installing the correct set of device drivers while the task sequence is running do exist. The native Auto Apply Drivers step will download individual drivers based on the plug and play requirements of the host. However, this method of driver identification does have its disadvantages. Drivers that may be required later to access external devices will not be installed. Also, although in the main reliable, plug and play detection has been known to give unpredictable results on occasion.

        Third parties have created custom solutions that identify the make and model and download the relevant driver package while the task sequence is running. Such solutions are designed to streamline the Task Sequence, reducing the overall number of steps required. However, they do require backend setup and configuration to configure the necessary web services and allow the correct driver package to be identified.

      8.  Adding the Copy CMTrace step

        With the Drivers group selected, click Add and from the menu, choose General > Run Command Line. Move the step down so it appears outside of the Drivers group but inside the Install and Setup Operating System group.

        This optional step copies CMTrace from the boot image to the Windows\System32 folder in the new OS. CMTrace is useful for diagnosing log files. This step should only be included if CMTrace.exe has been included in the boot image (in the sms\bin\x64 folder).

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Copy CMTrace
          Command line | xcopy x:\sms\bin\x64\CMTrace.exe %OSDTargetSystemDrive%\Windows\System32\ /Y /F
        2. Click Apply.

        On the Options tab:
        • No action required
      9.  Staging the Nomad package

        Click Add and from the menu, choose 1E Nomad > Stage Nomad Package.

        The Stage Nomad Package step is used in conjunction with the Install Nomad step. Together, these steps remove the need to embed the Nomad agent in the OS image in order to ensure the Nomad agent can be used as soon as the new OS has been installed.

        Refer to Nomad 6.3 - Stage Nomad package and Nomad 6.3 - Install Nomad for further details on using this step.

        On the Properties tab:
        1. In Nomad Package, browse to the Nomad installation package.
        2. Click Apply.

        On the Options tab:
        • No action required
      10.  Setting up Windows and Configuration Manager
        Cut the Setup Windows and Configuration Manager step from the Setup Operating System group in the base task sequence. Select the Stage Nomad Package step, right-click and from its context menu, choose Paste.
      11.  Installing Nomad

        With the Setup Windows and Configuration Manager step highlighted, click Add and from the menu, choose 1E Nomad > Install Nomad.

        This step installs the Nomad agent in the new OS, using the package files staged in the earlier Stage Nomad Package step. Refer to Nomad 6.3 - Install Nomad for further details on using this step.

        On the Properties tab:
        1. Enter Additional Installation Commands if required and click Apply.

          Any transform contained within the Nomad package referenced in the Stage Nomad Package step will be automatically applied. If no other properties need be applied, then the Additional Installation Commands field can be left blank.

          If a transform is not used, or if additional Nomad installation properties must be specified when a transform is used, these properties will be appended to the installation command line. Note that additional MSI installation switches must not be specified in the Additional Installation Commands field.

        On the Options tab:
        • No action required
      12.  Restarting the computer

        Click Add and from the menu, choose General > Restart Computer.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Restart Computer
          The currently installed default operating system | Selected
          Notify the user before restarting | Checked
          Notification Message | A new Microsoft Windows operating system is being installed. The computer must restart to continue.
        2. Click Apply.

        On the Options tab:
        • No action required
      13.  Adding the 1E WSA Action step

        With the Restart Computer step highlighted, click Add and from the menu, choose 1E OSD > 1E WSA Actions. 

        The 1E WSA Actions step must be included whenever drive letters may have changed and when switching between Windows PE and the full OS.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | 1E WSA Actions
          Refresh Content Location | Checked
          Switch Between online and offline content | Checked
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | 1EWSA_RemoteUser
          Condition | equals
          Value | True
        3. Click OK.
        4. Click Apply.
      14.  Restoring the Nomad cache

        With the 1E WSA Actions step highlighted, click Add and from the menu, choose 1E Nomad > Restore Nomad Cache.

        This step restores the Nomad cache that was saved before the new OS image was installed. This ensures any content required by the Task Sequence is available to other peers when the Task Sequence completes. Refer to Nomad 6.3 - Restore Nomad cache for further information on using this step.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Operation | Link
          Activate All Content | Unchecked
        2. Click Apply.

        On the Options tab:
        • No action required
      15.  Creating the Remote/WiFi Domain Join group

        With the Restore Nomad Cache step highlighted, click Add and from the menu, choose New Group.

        This group is executed if the Task Sequence was initiated through WSA and either the user is remote or the PC is on a WiFi connection. As the PC is now running in the full OS we can establish the VPN and WiFi connection to complete the domain join in this group.

        On the Properties tab:
        • Name the group Remote/Wifi Domain Join

        On the Options tab:
        1. Click Add Condition > If statement.
        2. Select Any condition, then add the following Task Sequence Variable conditions to the If statement:

          Variable | 1EWSA_RemoteUser
          Condition | equals
          Value | True

          Variable | 1EWSA_WiFiSSID
          Condition | exists
        3. Click OK.
        1.  Connecting to VPN

          Copy the Connect VPN step from the Test Connection group and paste it as the first step in the Remote/WiFi Domain Join group. 

           

          This step establishes a VPN connection using credentials supplied by the user if the Task Sequence was initiated through WSA by a remote user.
        2.  Install the RasdialDisconnect service

          Click Add and from the menu, choose General > Run Command Line.

          This is an optional step to work around an issue identified on some Dell PCs where restarting the PC when connected to VPN on a wireless connection would cause the PC to blue-screen. It installs a service that disconnects the VPN connection when a shutdown is requested by the OS, which has been observed to prevent the blue-screen.

           

          On the Properties tab:
          1. Enter the following details:

            Step parameter | Value
            Name | Install RasdialDisconnect service
            Command line | InstallRasdialDisconnectService.bat
          2. Check the Package option and browse to the WSA Scripts package.
          3. Click Apply.

          On the Options tab:
          Check Continue on error.

        3.  Adding settings to join a domain or workgroup in your environment

          Click Add and from the menu, choose General > Join Domain or Workgroup.

          At this point in the Task Sequence, the remote user will be connected to the corporate network via VPN and the machine can be joined to the domain using this step.

          On the Properties tab:
          1. Populate the fields to suit your environment.
          2. Click Apply.

          On the Options tab:
          • No action required
    8.  Creating the BIOS to UEFI group

      With the Join Domain or Workgroup step highlighted, click Add and from the menu, choose New Group. Move the group down so it appears as a child of the Main group, i.e. it appears at the same level as Install and Setup Operating System.

      On the Properties tab:
      • Name the group 1E BIOS to UEFI

      On the Options tab:
      1. Click Add Condition and choose Task Sequence Variable.
      2. Enter the following details:

        Variable | _SMSTSBootUEFI
        Condition | equals
        Value | False
      3. Click OK.
      4. Select the condition just created.
      5. Click Add Condition and choose If Statement > Any Condition.
      6. Click Add Condition and select Query WMI.
      7. Add each of the following as a separate WMI condition:

        WMI Namespace: root\cimv2
        SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"
        SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%HP%"
        SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Lenovo%"
        Select * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Hewlett-Packard%"

        The conditions should appear as follows:

         

      The 1E BIOS to UEFI group is responsible for converting the host system disk from legacy BIOS to UEFI and configuring the firmware settings required to implement the associated security features and settings.

      UEFI is a firmware standard required to support modern security features such as Secure Boot, Device Guard and Credential Guard. In configuring this task sequence, the BIOS to UEFI conversion is performed using the native Windows utility MBR2GPT.exe, located in C:\Windows\System32 on Windows 10 1703 editions and later.

      In the task sequence, conversion is conditioned to take place only if the host is running legacy BIOS. The 1E BIOS to UEFI application is a packaged and ready set of task sequence steps that automate the necessary firmware reconfigurations on Dell, Lenovo and HP systems in order to allow Secure Boot, Device Guard, Credential Guard and other settings to be turned on once the disk has been converted. Full details on how to use 1E BIOS to UEFI and the supported hardware models can be found here.
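The WMI conditions used in this task sequence (the per-model driver query and the manufacturer queries for the 1E BIOS to UEFI group) can be checked on a reference machine of each hardware model before deployment. The PowerShell below is an added example, not part of the original page or of the 1E tooling; Test-TsWmiCondition is a hypothetical helper name, and BiosFirmwareType is used as a stand-in for _SMSTSBootUEFI, which only exists inside a running task sequence.

```powershell
# Added example (not from the original page): evaluate task sequence WMI
# conditions on a reference machine. A Query WMI condition is true when the
# query returns at least one instance.
# Test-TsWmiCondition is a hypothetical helper name.

function Test-TsWmiCondition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\cimv2'
    )
    foreach ($q in $Query) {
        try {
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
            [pscustomobject]@{
                Query     = $q
                Matched   = ($rows.Count -gt 0)
                Instances = $rows.Count
                Error     = $null
            }
        }
        catch {
            # A malformed query is reported as an error, not as "no match",
            # so a typo in a condition is not mistaken for the wrong model.
            [pscustomobject]@{
                Query     = $q
                Matched   = $false
                Instances = 0
                Error     = $_.Exception.Message
            }
        }
    }
}

# Queries copied from this page.
$driverQuery   = "Select * from Win32_ComputerSystem WHERE Model Like '%Latitude 7480%'"
$vendorQueries = @(
    'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"'
    'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%HP%"'
    'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Lenovo%"'
    'Select * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Hewlett-Packard%"'
)

# Show what the queries are being matched against.
$system = Get-CimInstance -ClassName Win32_ComputerSystem
"Manufacturer: $($system.Manufacturer)   Model: $($system.Model)"

$driverResult  = Test-TsWmiCondition -Query $driverQuery
$vendorResults = @(Test-TsWmiCondition -Query $vendorQueries)
@($driverResult) + $vendorResults |
    Format-Table Matched, Instances, Error, Query -AutoSize

# The 1E BIOS to UEFI group combines "_SMSTSBootUEFI equals False" with an
# "Any" If statement over the manufacturer queries.
$anyVendor  = [bool]($vendorResults | Where-Object { $_.Matched })
$firmware   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
$legacyBios = ($firmware -eq 'Bios')   # assumption: stand-in for _SMSTSBootUEFI = False

[pscustomobject]@{
    FirmwareType           = $firmware
    AnyManufacturerMatched = $anyVendor
    BiosToUefiGroupWouldRun = ($legacyBios -and $anyVendor)
    DriverStepWouldRun     = $driverResult.Matched
}
```

A driver query that matches on more than one model in the estate, or a manufacturer string that matches none of the four queries, shows up here before it causes a skipped group during deployment.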

      1.  Disabling BitLocker

        Copy the Disable BitLocker step from the Restart group and paste it as the first step in the 1E BIOS to UEFI group.

        This step replaces the native Disable BitLocker step with a command-line step that uses the manage-bde command-line interface to disable BitLocker protection for all reboots until configured otherwise. The default CM step will only disable BitLocker for the next reboot.
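Because the Disable BitLocker command line used here and in the Restart group (-RC 0) leaves protection suspended until it is explicitly re-enabled, it is worth confirming after deployment that no volume was left in that state. The PowerShell below is an added example, not part of the original page or the WSA Scripts package; Get-BitLockerProtectionReport is a hypothetical helper name, and it assumes the BitLocker PowerShell module is available in the deployed OS.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page).
# Get-BitLockerProtectionReport is a hypothetical helper name.
# Classifies each BitLocker volume so that one left suspended by
# "manage-bde -protectors -disable C: -RC 0" is easy to spot.

function Get-BitLockerProtectionReport {
    [CmdletBinding()]
    param(
        # Optional mount points, e.g. 'C:'. Default: every BitLocker volume.
        [string[]]$MountPoint
    )

    $volumes = if ($MountPoint) {
        Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        Get-BitLockerVolume
    }

    foreach ($v in $volumes) {
        # Names of the key protectors present on the volume (may be empty).
        $protectors = @($v.KeyProtector |
            Where-Object { $_ } |
            ForEach-Object { [string]$_.KeyProtectorType })

        $state = if ($v.VolumeStatus -eq 'FullyDecrypted') {
            'NotEncrypted'
        } elseif ($v.ProtectionStatus -eq 'On') {
            'Protected'
        } elseif ($v.ProtectionStatus -eq 'Unknown') {
            'Unknown'                  # status cannot be read, e.g. a locked volume
        } elseif ($protectors.Count -eq 0) {
            'EncryptedNoProtectors'    # encrypted, but no key protector was ever added
        } else {
            'Suspended'                # encrypted, protectors present but disabled
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            State            = $state
            VolumeStatus     = [string]$v.VolumeStatus
            ProtectionStatus = [string]$v.ProtectionStatus
            Protectors       = ($protectors -join ', ')
        }
    }
}

$report = @(Get-BitLockerProtectionReport)
$report | Format-Table MountPoint, State, VolumeStatus, ProtectionStatus, Protectors -AutoSize

# Volumes that hold encrypted data but are not currently protected.
$unprotected = @($report | Where-Object { $_.State -in 'Suspended', 'EncryptedNoProtectors' })
foreach ($r in $unprotected) {
    Write-Warning ("{0} is encrypted but not protected (state: {1})." -f $r.MountPoint, $r.State)
}

# A suspended volume is resumed with either of these:
#   Resume-BitLocker -MountPoint 'C:'
#   manage-bde -protectors -enable C:
```

Running this as a compliance check once the task sequence has finished catches machines where the sequence failed between the Disable BitLocker and Enable BitLocker steps.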
      2.  Restarting in WinPE

        Click Add and from the menu, choose General > Restart Computer.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | Restart in WinPE
          The boot image assigned to this task sequence | Selected
          Notify the user before restarting | Checked
          Notification Message | Beginning the UEFI and MBR2GPT conversion. The computer must restart to continue
        2. Click Apply.

        On the Options tab:
        • No action required
      3.  Adding a 1E WSA Action step

        Click Add and from the menu, choose 1E OSD > 1E WSA Actions.

        The 1E WSA Actions step must be included whenever drive letters may have changed and when switching between Windows PE and the full OS.

        On the Properties tab:
        1. Enter the following details:

          Step parameter | Value
          Name | 1E WSA Action
          Refresh Content Location | Checked
          Switch Between online and offline content | Checked
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition > Task Sequence Variable.
        2. Enter the following details:

          Variable | 1EWSA
          Condition | equals
          Value | True
        3. Click OK.
        4. Click Apply.
      4.  Installing and configuring Nomad in Windows PE

        Copy the Install and Configure Nomad in Windows PE step from the Restart group and paste it directly after the 1E WSA Actions step.

        This step installs the Nomad agent in Windows PE. Refer to Nomad 6.3 - Install and configure Nomad in WinPE for further details on using this step.

      5.  Adding MBR2GPT to Windows PE

        Click Add and from the menu, choose General > Run Command Line.

        This step converts the disk format from MBR to GPT to support UEFI. Refer to https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt for further information on the MBR2GPT tool.

        On the Properties tab:
        1. Enter the following details:

          Parameter | Value
          Name | MBR2GPT in WinPE
          Command line | MBR2GPT.EXE /disk:0 /convert /AllowFullOS /logs:%_SMSTSLogPath%
        2. Click Apply.

        On the Options tab:
        1. Click Add Condition > Task Sequence Variable.
        2. Enter the following details:

          Variable | _SMSTSInWinPE
          Condition | equals
          Value | True
        3. Click OK.
        4. Click Add Condition > Query WMI.
        5. Create the WQL query condition shown:

          WMI Namespace: root\cimv2
          select * from win32_diskpartition where deviceid like '%partition #0%' AND type like '%Installable%'
        6. Click OK.
        7. Click Apply.
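Before the conversion step is deployed, the same disk can be checked with MBR2GPT's /validate mode, which tests whether the layout is convertible without changing it. The PowerShell below is an added example for a reference machine running the full OS, not part of the original page or the 1E tooling; Test-Mbr2GptReadiness is a hypothetical helper name and the default log directory is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page).
# Test-Mbr2GptReadiness is a hypothetical helper name.
# Runs "MBR2GPT /validate" against a disk and reports whether the
# "MBR2GPT in WinPE" step's conversion would be accepted.

function Test-Mbr2GptReadiness {
    [CmdletBinding()]
    param(
        [int]$DiskNumber = 0,
        # Assumed default log location; choose a path without spaces.
        [string]$LogDirectory = (Join-Path $env:SystemRoot 'Temp\mbr2gpt-validate')
    )

    $tool = Join-Path $env:SystemRoot 'System32\MBR2GPT.EXE'
    if (-not (Test-Path -LiteralPath $tool)) {
        throw "MBR2GPT.EXE not found at $tool (it ships with Windows 10 1703 and later)."
    }

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # The WQL condition the page attaches to the conversion step.
    $conditionQuery = "select * from win32_diskpartition where deviceid like " +
                      "'%partition #0%' AND type like '%Installable%'"
    $conditionHit = @(Get-CimInstance -Namespace 'root\cimv2' -Query $conditionQuery).Count -gt 0

    $result = [ordered]@{
        DiskNumber        = $DiskNumber
        PartitionStyle    = [string]$disk.PartitionStyle
        StepConditionTrue = $conditionHit
        ValidateExitCode  = $null
        Ready             = $false
        LastErrors        = @()
    }

    if ($disk.PartitionStyle -ne 'MBR') {
        # Nothing to convert: the disk is already GPT (or uninitialised).
        return [pscustomobject]$result
    }

    $null = New-Item -ItemType Directory -Path $LogDirectory -Force
    $toolArgs = @('/validate', "/disk:$DiskNumber", '/allowFullOS', "/logs:$LogDirectory")
    $proc = Start-Process -FilePath $tool -ArgumentList $toolArgs -Wait -PassThru -NoNewWindow

    $result.ValidateExitCode = $proc.ExitCode
    $result.Ready            = ($proc.ExitCode -eq 0)

    # MBR2GPT writes setuperr.log to the /logs directory; show the tail on failure.
    $errLog = Join-Path $LogDirectory 'setuperr.log'
    if (-not $result.Ready -and (Test-Path -LiteralPath $errLog)) {
        $result.LastErrors = @(Get-Content -LiteralPath $errLog -Tail 5)
    }

    [pscustomobject]$result
}

$check = Test-Mbr2GptReadiness -DiskNumber 0
$check | Format-List

if ($check.PartitionStyle -eq 'MBR' -and -not $check.Ready) {
    Write-Warning "Disk $($check.DiskNumber) failed MBR2GPT validation; the conversion step would fail on this layout."
}
```

A non-zero exit code on a reference machine means the Firmware Settings group, which is conditioned on _SMSTSLastActionSucceeded, would be skipped on that hardware or disk layout.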
      6.  Creating the Firmware Settings group

        Click Add and from the menu, choose New Group.

        This group configures the firmware if the MBR2GPT conversion completed successfully.

        On the Properties tab:
        • Name the group Firmware Settings

        On the Options tab:
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | _SMSTSLastActionSucceeded
          Condition | equals
          Value | True
        3. Click OK.
        1.  Defining 1E BIOS to UEFI password

          Click Add and from the menu, choose 1E OSD > 1E BIOS to UEFI Password Setup.

          This step defines the BIOS admin password(s) that will be attempted when the subsequent 1E BIOS to UEFI steps attempt to make changes to the firmware settings. Refer to Automating password authentication for changing BIOS settings for further details on using this step.

          On the Properties tab:
          1. Browse for the OEM Toolkit Package.
          2. Name the step 1E BIOS to UEFI Define Password.
          3. In the Password List, add any BIOS passwords that are used in the environment.
          4. Ensure the option No change is selected.
          5. Click Apply.

          On the Options tab:
          • No action required
        2.  Setting the boot order

          Click Add and from the menu, choose 1E OSD > 1E BIOS to UEFI Boot Order.

          This step sets the boot order in the firmware. For further information on using this step, refer to Changing the BIOS boot order.

          On the Properties tab:
          1. Browse for the OEM Toolkit Package.
          2. Select Windows Boot Manager from the drop list.
          3. Click Apply.

          On the Options tab:
          • No action required
        3.  Setting the secure boot order step

          Click Add and from the menu, choose 1E OSD > 1E BIOS to UEFI OEM.

          This step configures the firmware settings to enable UEFI, Secure Boot and other options. Refer to Working with BIOS to UEFI for further details on using this step. In order to ensure builds are successful when you enable Secure Boot, we recommend that client firmware is updated to the latest version and that you test Secure Boot on those hardware models targeted by the task sequence before deploying into a production environment.

          On the Properties tab:
          1. Browse for the OEM Toolkit Package.
          2. Select the UEFI Configuration option.
          3. Select the UEFI Native with Secure Boot option.
          4. Click Apply.

          When enabling Secure Boot, in order to ensure that builds are successful, we recommend:

          • Client firmware is updated to the latest version
          • Before deploying into production, Secure Boot is tested on those hardware models targeted by the task sequence.

          On the Options tab:
          • No action required
        4.  Setting BIOS to UEFI passwords

          Click Add and from the menu, choose 1E OSD > 1E BIOS to UEFI Password Setup.

          This optional step sets the BIOS password to a predefined password and can be used to standardize on a single BIOS password. Refer to Automating password authentication for changing BIOS settings for further details on using this step.

          On the Properties tab:
          1. Browse for the OEM Toolkit Package.
          2. Add the BIOS password that is to be used in the environment.
          3. Select the Set New Password option and choose the password from the list.
          4. Click Apply.

          On the Options tab:
          • No action required
      7.  Restarting the computer
        Click Add and from the menu, choose General > Restart Computer. Move the step down so it appears outside of the Firmware Settings group but inside the 1E BIOS to UEFI group.
    9.  Adding a 1E WSA Action step

      Click Add and choose 1E OSD > 1E WSA Actions. Move the step down to position the step in the Main group.

      On the Properties tab:
      1. Enter the following details:

        Step parameter | Value
        Name | 1E WSA Action
        Refresh Content Location | Checked
        Switch Between online and offline content | Checked
      2. Click Apply.

      On the Options tab:
      1. Click Add Condition and choose Task Sequence Variable.
      2. Enter the following details:

        Variable | 1EWSA
        Condition | equals
        Value | True
      3. Click OK.
      4. Click Apply.
    10.  Adding Connect VPN step

      Copy any instance of the Connect to VPN step (e.g. in the Remote / WiFi Domain Join group) and paste it directly after the 1E WSA Actions step.

      This step establishes a VPN connection using credentials supplied by the user if the Task Sequence was initiated through WSA by a remote user.

    11.  Add the Create Nomad Application Policy step

      Select the Connect VPN step, click Add and from the menu, choose 1E Nomad Pre 6.0 > Create Nomad Application Policy. Move the step down so it appears outside the Install and Setup Operating System group but inside the Main group (at the same level as the Install and Setup Operating System group). There are no options to configure on this step.

      At this point in the Task Sequence the CM client does not properly use Nomad for Application deployments. This step creates a local client policy to enable Nomad for Applications, so subsequent Install Application steps in the Task Sequence use Nomad to obtain the content. Refer to Nomad 6.3 - Create Nomad application policy for further information about using this step.

    12.  Restart the CM service

      Select the Create Nomad Application Policy step, click Add and from the menu, choose General > Run Command Line.

      Restarting the CM agent service at this point, once network connectivity has been established, is necessary to enable subsequent software update and software installation steps to complete successfully.

      On the Properties tab
      1. Add these details:

        Step parameter | Value
        Command line | cmd /c "net stop ccmexec && net start ccmexec"
        Name | Restart CM service
        Description |
      2. Click Apply.
      On the Options tab
      • No action required
    13.  Relocate the Enable BitLocker step
      Cut the Enable Bitlocker step from the Setup Operating System group in the base task sequence and paste it directly after the Create Nomad Application Policy step. 
    14.  Relocate the Install updates step
      Cut the Install Updates step from the Setup Operating System group in the base task sequence and paste it directly after the Enable Bitlocker step.
    15.  Adding the 1E WSA Action step

      With the Install Updates step highlighted, click Add and choose 1E OSD > 1E WSA Actions.

      On the Properties tab
      1. Enter the following details:

        Step parameter | Value
        Name | 1E WSA Action
        Refresh Content Location | Checked
        Switch Between online and offline content | Checked
      2. Click Apply.
      On the Options tab
      1. Click Add Condition and choose Task Sequence Variable.
      2. Enter the following details:

        Variable | 1EWSA
        Condition | equals
        Value | True
      3. Click OK.
      4. Click Apply.
      A software update may require one or more restarts of the host to complete its installation. For a WSA deployment, it is important to note that in order for the Install Updates step to complete successfully, only a single restart of the host is permissible at completion of the step. If multiple restarts are anticipated, then multiple Install Update steps must be configured with intervening 1E WSA Actions and Connect to VPN steps. This allows a site connection to be established before the next update is installed. In this task sequence it is anticipated that no update will require more than one restart of the host.
    16.  Connecting to VPN

      Copy any instance of the Connect to VPN step (e.g. in the Remote / WiFi Domain Join group) and paste it directly after the 1E WSA Actions step.

      This step establishes a VPN connection using credentials supplied by the user if the Task Sequence was initiated through WSA by a remote user.

    17.  Copy the Restart the CM service step

      Copy the Restart CM Service step from above and paste it directly after the Connect to VPN step.

      Restarting the CM agent service at this point, once network connectivity has been established, is necessary to enable subsequent software installation steps to complete successfully.

    18.  Add sleep time for CM agent

      With the Restart CM Service step selected, click Add and from the menu, choose General > Run Command Line.

      Once the ConfigMgr agent service has been restarted, pausing the TS allows application policy processing to be completed by the ConfigMgr agent, before execution of the TS Install Application step takes place.

      On the Properties tab
      1. Enter the following details.

        Step parameter | Value
        Name | Sleep time for CM Client Agent Initialization
        Command line | cmd /c ping localhost -n 180 > NUL
      2. Click Apply.
      On the Options tab
      • No action required
    19.  Installing the Tachyon Agent

      Click Add and from the menu, choose Software > Install Application.

      This step installs the Tachyon Agent. The Tachyon Agent monitors the execution of the Task Sequence and reports back success or failure to Shopping.

      On the Properties tab
      1. Enter the following details:

        Step parameter | Value
        Name | Install Tachyon Agent
        Install the following applications | Browse to the Tachyon Agent application
      2. Click Apply.
      On the Options tab
      • No action necessary

      If there are other applications that need to be installed on all machines, add them after the Install Tachyon Agent step. If applications were added when the Create Task Sequence wizard was run, move those steps up so they appear after the Install Tachyon Agent step.

    20.  Renaming the Setup Operating System group to Install Migrated Applications

      Select the Setup Operating System group in the base task sequence and configure it as follows:

      This group contains the steps necessary to implement the 1E Application Migration feature.

      On the Properties tab
      • Rename the group Install Migrated Applications
      On the Options tab
        1. Click Add Condition > If statement.
        2. Select Any condition, then add the following Task Sequence Variable conditions:

          Variable | 1EWSA
          Condition | not equals
          Value | True

          Variable | 1EWSA_AppMigrationEnabled
          Condition | exists
        3. Click Apply.
      1.  Getting the migration settings

        With the Install Migrated Applications group highlighted, click Add and from the menu, choose 1E Nomad > Get Migration Settings.

        The Get Migration Settings step in a wipe and load scenario will obtain the encryption key for USMT and will also set the SourceComputerName variable used by Application Migration. Refer to Nomad 6.3 - Get migration settings for more information about using this step.

        On the Properties tab
        1. Select the Restore user state option.
        2. Click Apply.
        On the Options tab
        • No action required
      2.  Adding the 1E Application Migration step

        With the Get Migration Settings step selected, click Add and from the menu, choose 1E OSD > AppMigration.

        The AppMigration step calls the 1E Application Migration API to obtain a list of applications and packages that need to be installed based on the original inventory of the device and the Application Migration rules defined by the administrator. The step results in a series of variables (APPMIGxx and PKGMIGxxx) that identify the applications and packages to be installed. These variables are processed by the Install Migrated Applications and Install Migrated Packages steps later in the Task Sequence. Refer to Using Application Migration in a task sequence for further information.

        On the Properties tab
        1. Enter the following details:

          Step parameter | Value
          Web Service | http://<SLA Platform Server>:<Port>/Platform/api/applicationmigration/getApplicationsToBeInstalled
          Domain\User Name | The credentials of a user defined in the SLA platform
          Domain | The FQDN of the domain that the current machine is in
          Source Computer Name Variable | SourceComputerName
          Application Variable | APPMIG
          Package Variable | PKGMIG
        2. Click Apply.
        On the Options tab
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the following details:

          Variable | SourceComputerName
          Condition | exists
        3. Click OK.
        4. Click Apply.
      3.  Creating the Install Migrated Apps group

        With the 1E Application Migration step highlighted, click Add and from the menu, choose New Group.

        On the Properties tab
        • Name the group Install Migrated Apps
        On the Options tab
        1. Click Add Condition and choose Task Sequence Variable.
        2. Enter the details below:

          Variable | APPMIG01
          Condition | exists
        3. Click OK.
        4. Click Apply.
        1.  Setting the sleep time for CM client initialize step

          Click Add and from the menu, choose General > Run Command Line.

          This step waits for 3 minutes to allow the CM client to properly initialize before attempting to install applications.

          On the Properties tab
          1. Enter the following details.

            Step parameter | Value
            Name | Sleep Time for CM Client Agent Initialization
            Command line | cmd /c ping localhost -n 180 > NUL
          2. Click Apply.
          On the Options tab
          • No action required
        2.  Installing applications according to the dynamic variable list

          Click Add and from the menu, choose Software > Install Application.

          On the Properties tab
          1. Enter the following details:

            Step parameter | Value
            Name | Install Migrated Applications
            Install applications according to the dynamic variable list | Selected
            Base variable name | APPMIG
            If an application installation fails, continue installing other applications in the list | Check
          2. Click Apply.

          On the Options tab
          1. Select the Retry this step if computer unexpectedly restarts option.
          2. Click Apply.

            This step should only be executed if the variable APPMIG01 exists. In this Task Sequence it is included in the Install Migrated Apps group, which has the condition applied. If the step is included in a Task Sequence outside of a group that has the condition, then the condition should be applied to this step.

      4.  Installing software packages in accordance with the dynamic variable list

        With the Install Migrated Applications step highlighted, click Add and from the menu, choose Software > Install Package. Move the step down so that it appears as a child of Install Migrated Applications, i.e. at the same level as the Install Migrated Apps group.

        On the Properties tab
        1. Enter the following details:

          Step parameter | Value
          Name | Install Migrated Packages
          Install software packages according to the dynamic variable list | Selected
          Base variable name | PKGMIG
          If installation of a software package fails, continue installing other packages in the list | Check
        2. Click Apply.
        On the Options tab
          1. Click Add Condition and choose Task Sequence Variable.
          2. Enter the details below:

            Variable | PKGMIG001
            Condition | exists
          3. Click OK.
          4. Click Apply.
    21. Move the Restore User Files and Settings group down so that it becomes a direct child of the Main group.
    22.  Uninstalling the RasDialDisconnect service

      Click Add and from the menu, choose General > Run Command Line.

       

      This step uninstalls the RasdialDisconnect service and is only required if you have included the Install RasdialDisconnect Service step earlier in the Task Sequence.
      On the Properties tab
        1. Enter the following details:

          Step parameter | Value
          Name | Uninstall RasdialDisconnect service
          Command line | UnInstallRasdialDisconnectService.bat
        2. Check the Package option and browse to the WSA Scripts package.
        3. Click Apply.
      On the Options tab
      1. Click Add Condition and choose Task Sequence Variable.
      2. Enter the details below.

        Variable | 1EWSA_RemoteUser
        Condition | equals
        Value | true
      3. Click OK.
      4. Click Apply.
  3.  Finalizing the task sequence

    Click Add and from the menu, choose 1E > OSD > 1E WSA Actions. Move the step down to the root of the task sequence – at the same level as Main.

    The 1E WSA Actions step is the last step to execute in the Task Sequence. At this point it executes the Finalize actions, which for a wipe and load task sequence clean up the USB (if used and the administrator enabled the option to clean up USB). If no steps in the Main group failed, this step will return 0 (success). If any step in the Main group failed and was not configured to continue on error, this WSA Actions step will return the exit code that the failed step returned.

    On the Properties tab

    Select the Finalize option

    On the Options tab

    Click Add Condition > Task Sequence Variable.

    Enter the following details:

    Variable | 1EWSA
    Condition | equals
    Value | True

    Click OK.

    Click Apply.

  4. Click OK to save the task sequence.
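
The AppMigration step above produces numbered APPMIGxx and PKGMIGxxx variables that the Install Migrated Applications and Install Migrated Packages steps consume, gated on APPMIG01 and PKGMIG001 existing. The PowerShell below is an added example, not part of the original page or of 1E's tooling, that audits such a list for numbering gaps. The function name, the sample values, and the assumption that a dynamic variable list is read sequentially from suffix 1 and ends at the first missing number are this example's own.

```powershell
# Added example (not 1E or Microsoft code). Reports which APPMIGxx / PKGMIGxxx
# variables a dynamic-variable-list step would read, and which it would skip.
function Get-DynamicListReport {
    param(
        [Parameter(Mandatory)] [hashtable] $Variables,  # variable name -> value
        [Parameter(Mandatory)] [string]    $BaseName,   # APPMIG or PKGMIG on this page
        [Parameter(Mandatory)] [int]       $Digits      # 2 for applications, 3 for packages
    )
    $pattern = '^' + [regex]::Escape($BaseName) + '(\d{' + $Digits + '})$'
    $found = @{}
    foreach ($name in $Variables.Keys) {
        if ($name -match $pattern) { $found[[int]$Matches[1]] = $name }
    }
    # Assumption: the list is read from suffix 1 upward and ends at the first gap.
    $consumed = @()
    $next = 1
    while ($found.ContainsKey($next)) { $consumed += $found[$next]; $next++ }
    $skipped = @($found.Keys | Where-Object { $_ -ge $next } | Sort-Object |
                 ForEach-Object { $found[$_] })
    [pscustomobject]@{
        BaseName          = $BaseName
        Consumed          = $consumed   # names only: values are never echoed to the log
        Skipped           = $skipped
        GroupConditionMet = $found.ContainsKey(1)   # APPMIG01 / PKGMIG001 exists
    }
}

# Constructed sample standing in for the task sequence environment.
# In a running task sequence, build $vars from the real environment instead:
#   $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
#   $vars = @{}; foreach ($n in $ts.GetVariables()) { $vars[$n] = $ts.Value($n) }
$vars = @{
    APPMIG01           = 'Constructed App A'
    APPMIG02           = 'Constructed App B'
    APPMIG04           = 'Constructed App D'   # APPMIG03 missing: 04 is never reached
    PKGMIG001          = 'XYZ00001:Install'    # constructed PackageID:Program value
    SourceComputerName = 'PC-OLD-01'           # constructed
}

Get-DynamicListReport -Variables $vars -BaseName 'APPMIG' -Digits 2
Get-DynamicListReport -Variables $vars -BaseName 'PKGMIG' -Digits 3
```

With the constructed sample, the APPMIG report lists APPMIG01 and APPMIG02 as consumed and APPMIG04 as skipped, which is the kind of gap that would leave a migrated application silently uninstalled.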