Skip to content

New Device Setup Processes

Windows Computers

Procurement

New Windows laptops deployed in the organization should be from Lenovo's ThinkPad line. Micro Center in Saint Louis Park usually has very good deals on open box or manufacturer refurbished ThinkPads, this is the primary vendor we have been sourcing from. At the current time, we have not standardized across a specific model or specification, instead tailoring purchases to the computing needs of their role - plus user preferences for screen size, numpad, etc.

After a device has been purchased, device and purchase info should be added to the HOURCAR Asset Management database, and an asset ID (e.g. HC-00123) will be assigned to the device.

Imaging

Note

We are using OSDCloud for device imaging and deployments on compatible systems. Some of the older HP computers in our office are incompatible with OSDCloud. In those instances, use the old steps.

Overview (Old Process)

Staff computers should be wiped after procurement and used with a new installation of Windows 11 Pro, as from the store it may come preinstalled with unsupported software (e.g. vendor, antivirus software).

An .iso of Windows 11 can be downloaded directly from Microsoft at this website.

By default, the Windows 11 .iso may not contain all necessary drivers for the computer to work out of the box. This can result in a situation where Windows installation can not complete without an Ethernet connection, and which prevents Autopilot Reset from working properly. To prevent this situation and to ensure all staff have a fully functional computer, we must rebuild the Windows 11 image to include necessary drivers for that device.

For Lenovo computers, these are available in the Drivers section of the support website for that specific model. Download the .exe for the correct model, ensuring that you have the correct Type / Revision - as those can include different components and require different drivers. Run the .exe to extract the drivers to a new directory on your computer.

The process below describes the process of building and installing a custom Windows image that includes these device drivers.

Driver Injection

We currently use NTLite to compile custom builds of Windows 11. Gunnar has a single-seat license for the software installed on his computer. This could be done with a free trial license if that's not available.

Open NTLite, and select Add > Image (ISO, WIM, ESD, SWM), then select and add the Windows 11 .iso downloaded from Microsoft's website.

After it has been added, find the .iso under Read-Only section of the main screen, then open Content > Operating systems | install.wim.

Select Windows 11 Pro from the list of editions, select Load in the top toolbar, and OK from the popup to create a reference image and cache. It will take some time to process the selection. This will first be populated in the section Edit cache, then Mounted, where Windows 11 Pro should be loaded - identified with a green dot.

Open the Integrate > Drivers tab on the left-hand sidebar. On the top toolbar, select Add > Directory containing drivers, then navigate to the directory where you extracted the device drivers downloaded from Lenovo.

Hardware checklist

The hardware checklist feature found on the right-hand side of this screen can be ignored. This is a list of the hardware on your current computer, not the computer you are building this image for. Ignore any warnings about missing drivers.

Lastly, open the Finish > Apply tab from the left-hand sidebar. Select the following settings:

  • Saving mode > Save the image and trim editions
  • Image format > Standard, editable (WIM)
  • Options > Create ISO
  • Save the .iso with a file name that identifies the model you created.

USB Creation

The .iso should be written to a bootable flash drive using Rufus. Insert a USB flash drive to the computer, open Rufus, and ensure that both the flash drive and the .iso created with NTLite are selected.

Ensure that the following options are selected:

  • Partition Scheme: GPT
  • Target System: UEFI (non-CSM)

All other options can be left as default. Press START. All options to customize the Windows installation should not be selected. Press OK to begin writing to the drive. The process will take a few minutes to complete.

Windows Installation

Once the USB has been created, it is time to begin the process of installing it to the target device.

While the computer is off, insert the USB drive. Power on the computer, and when the manufacturer logo is displayed, enter boot options. The process for doing this varies between devices. On ThinkPads, this can typically be done through pressing the ENTER or F10 key. In the boot options menu, select the USB drive and press ENTER to boot. You may be prompted to press any key to begin installation - if missed, it will boot into Windows and you will have to repeat this process.

Note

Some devices are configured to not boot into modified versions of Windows by default. If when attempting to boot to the USB drive, you are returned to the boot menu screen, you will need to enter the BIOS options and ensure that Accept Third Party Secure Boot CAs is enabled. This is found in the Security section of the BIOS menu on Lenovo devices.

Continue through the Windows setup and installation process. Ensure that the old drive partitions are erased, and install Windows to Partion 0.

Once installation has been completed, the USB drive can be removed and the Windows setup process will begin.

When the setup process asks for a Microsoft account, the IT staff preparing this device should sign in with their account.

When prompted to name the device, set the device name to the Asset ID generated in the Asset Database.

After this has been completed, Windows should be installed and you should now be able to boot to the Windows desktop.

Autopilot and Intune enrollment

In the Windows enviornment, you will be collecting some data from the device to assign it to HOURCAR's Microsoft enviornment. This locks the device to our domain and ensures that it can only be set up and used by HOURCAR staff.

Open Terminal or PowerShell, and run the PowerShell script found in section "Directly upload the hardware hash to an MDM service" from this Microsoft Learn article: Manually register devices with Windows Autopilot. This will automatically collect all needed information from the machine, and enroll the device in our Intune enviornment.

You can set this computer aside, as the remaining process can be completed from the web browser on your device.

In the Microsoft Intune Admin center, you should find this new device in the list of Autopilot registered devices (Found here). The device can be identified by it's serial number.

Select the device, and in the menu that will appear on the left side of the screen, set the Device name field to the asset ID generated in our asset database, and Group tag to 0. Then, select Assign User and select the user account of the HOURCAR staff who will be receiving this device. Save these fields.

Then, add this new device to the "Hardware - Windows - User Assigned" Security Group. This will ensure that all necessary configuration policies are assigned to the device.

In Intune's list of registered Windows devices, this computer should appear. Select the device, and select "Autopilot Reset" to trigger final device preparation for the user. This may take some time, as long as 60 minutes, to complete.

After this process begins, enter the Properties of this device in Intune, and unassign yourself as the primary user of the device.

Device Handoff

After handing off the device to the user, remember to check out the device to them in the Asset Database to ensure accurate records. Be available for the user to answer any questions or assist with any final setup. Some staff may require specialized software that requires Admin permissions. This would be a good time to complete those!

Mac Computers

Documentation under construction

The process for setting up a Mac computer in Intune is still being developed and refined. Please consider this section of the documentation to be a work in progress.

Add to Apple Business Manager

macOS devices should be registered in HOURCAR's Apple Business Manager account.

This is done by using the Apple Configurator app (iOS) during device setup, following the steps listed in this Apple support article.