
SCCM: Magic Offline Imaging Jumpdrive

Overview

This is a “Magic Offline Imaging Jumpdrive” I put together that can be used for OEM imaging or offline imaging where you still need to join PCs to the domain but don’t have access to the network when the computer is being imaged. The idea is that this “Magic Jumpdrive” allows a trusted party to image your equipment without needing access to your network, broadening where and when a machine can be imaged.

Process

Create the Magic Offline Imaging Jumpdrive SCCM Package

First, download the Magic Offline Imaging Jumpdrive archive and unzip its contents.

Create a new source location for content in your SCCM data directory, and copy into it all of the files found within the OFFLINE_PACKAGE_CONTENTS folder of the archive you just downloaded:

Next, create an SCCM Package (or Application if you prefer) and add two programs, one for each of the CMD files. The command line for each program only needs to be the name of the file:

Set up the Magic Offline Imaging Jumpdrive OS Task Sequence

Next, choose the task sequence in SCCM that you would like to be available offline and copy it as a new task sequence with “(OFFLINE)” appended to the name, such as “Windows 10 (OFFLINE)”.

Now, add two steps to this task sequence after the image has been applied, yet before anything you want installed only on a “Domain Joined” machine. Point each step to the package you created earlier, running the STEP 1 program and then the STEP 2 program in that order:

Create the Magic Offline Imaging Jumpdrive

Now, create an offline Jumpdrive of this OFFLINE task sequence using the built-in Create Task Sequence Media wizard in SCCM:

Put your Jumpdrive aside as we’ll need it again in a few moments.

Creating the Offline Computer Provisioning Files

Now, within the archive you downloaded, open the ADMINISTRATIVE_TOOLS directory and modify the contents of the Add_Offline_Machine.cmd file to include the domain and OU you want the machine placed in:


djoin /provision /domain "fqdn.company.com" /machine "%computerName%" /savefile .\%computerName%.txt /machineou "OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"

and the security group you want the machine placed in:


dsmod group "CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com" -addmbr "CN=%computerName%,OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"

If you don’t care to have the machine placed in a security group, just REM out this line. However, I recommend you do add it to a special security group with restricted permissions. You can then remove it from this group later once you’ve determined the computer is in safe hands. Note that the member DN passed to -addmbr must use the same OU as the /machineou value in the djoin command above, otherwise dsmod will not find the newly created object.

Now launch the tool Add_Offline_Machine.cmd, which will pre-provision offline domain objects for a series of computers. Enter the names of the computers you want to be available for offline domain join:

You’ll notice two things happened. One, you’ll find a new COMPUTERNAME.txt file in the same directory you ran the tool from. This is the offline provisioning file, and you’ll want to copy it to the ROOT of the Jumpdrive:

Second, you’ll notice a computer object was created inside the OU you specified earlier. This .txt file and computer object are a special pair. The .txt offline provisioning file contains the credentials of that computer account, which Active Directory will recognize and trust and associate with this computer object later on during the process. It’s all automated, so you don’t need to worry. Because the file is effectively the computer account’s password, treat it like one: keep it only in a folder the provisioning administrator can read and on the Jumpdrive itself.
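As an added example (not part of the original post and not the author’s Add_Offline_Machine.cmd), the same provisioning procedure in PowerShell for a batch of names: it validates each name, runs djoin /provision, only adds the object to the restricted group when provisioning succeeded, and keeps the resulting files in a folder that only the current user can read. It assumes the ActiveDirectory RSAT module is installed and uses the page’s placeholder OU and group DNs; the script file name New-OfflineJoinBlobs.ps1 is hypothetical.

```powershell
# Added example, not the post's own tool: bulk offline-join provisioning.
# Assumptions: ActiveDirectory module (RSAT) present; run as an account that may
# create computer objects in the staging OU; DNs are the page's placeholder values.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [string] $Domain    = 'corp.contoso.com',
    [string] $MachineOU = 'OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com',
    [string] $Group     = 'CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com',
    [string] $OutDir    = "$env:USERPROFILE\OfflineJoinBlobs"
)

# The provisioning files carry the machine account password, so the output folder
# gets a fresh ACL: inheritance removed, only the current user has access.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& icacls.exe $OutDir /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(OI)(CI)F" | Out-Null

foreach ($name in $ComputerName) {
    # djoin rejects invalid NetBIOS names anyway; failing early keeps the output readable.
    if ($name -notmatch '^[A-Za-z0-9-]{1,15}$') {
        Write-Warning "Skipping '$name': not a valid NetBIOS computer name"
        continue
    }

    $blob = Join-Path $OutDir "$name.txt"

    # Add /reuse here if you intend to re-provision an object that already exists
    # (djoin resets its password in that case).
    & djoin.exe /provision /domain $Domain /machine $name /savefile $blob /machineou $MachineOU
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "djoin /provision failed for $name (exit code $LASTEXITCODE); not adding it to $Group"
        continue
    }

    # Same as the dsmod step in the post: park the new object in the restricted group.
    Add-ADGroupMember -Identity $Group -Members (Get-ADComputer -Identity $name)
    Write-Host "Provisioned $name -> $blob"
}
```

Run it as, for example, `.\New-OfflineJoinBlobs.ps1 -ComputerName PC-0001,PC-0002`, then copy the resulting .txt files from the output folder to the root of the Jumpdrive. Checking `$LASTEXITCODE` after djoin matters: if provisioning fails (object exists without /reuse, insufficient rights) the original batch still runs dsmod and reports success-looking output.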

Booting and Imaging the Offline Computer with the Magic Offline Imaging Jumpdrive

Now comes the fun part. Take your Jumpdrive to a computer that is not connected to the network and boot it from the Jumpdrive. Image the computer in the normal fashion. Later on in the process, you’ll be prompted with a wizard where you can choose the Offline Provision File you created earlier:

This list is generated from all of the offline provisioning .txt files you added to the root of the Jumpdrive earlier. Once you select a file, the computer will join the domain as that name, even when there is no network access. That’s the magic part! Also, the file will be renamed from .txt to .old, indicating it has been used so the wizard does not offer it again the next time the Jumpdrive is used. The renamed .old file still contains the provisioning data, so once a batch of machines has been imaged, delete the used files from the Jumpdrive rather than leaving them there.

Joining the Domain

When the computer connects to the corporate network, the credentials from the provisioning file and the AD computer object pair are linked, and the computer is joined to the domain as that computer object.

Once you have confirmed the computer is in good hands, it can be removed from the restricted group and placed into a proper Security Group where it receives the standard security policies. Pre-provisioned objects whose file was never used are worth reviewing as well: their credentials exist on a Jumpdrive somewhere, so disable any that have not checked in after a reasonable time.
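As an added example (not part of the original post), a PowerShell report for the follow-up step described above: it lists every object in the staging OU, promotes the ones an administrator names with -Approve (removing them from the restricted group and moving them to the target OU) once they have actually authenticated, and disables objects whose provisioning file was never used within a given number of days. It assumes the ActiveDirectory RSAT module, reuses the page’s placeholder DNs, and the target OU, the thresholds and the script name Review-OfflineJoinObjects.ps1 are assumptions.

```powershell
# Added example, not from the post: review and triage pre-provisioned offline-join objects.
# Assumptions: ActiveDirectory module (RSAT); staging OU and group DNs are the page's
# placeholders; the target OU and the 30-day threshold are illustrative.
#Requires -Modules ActiveDirectory
param(
    [string]   $StagingOU    = 'OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com',
    [string]   $StagingGroup = 'CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com',
    [string]   $TargetOU     = 'OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com',
    [string[]] $Approve      = @(),   # computer names the administrator has confirmed as "in good hands"
    [int]      $StaleDays    = 30     # never-used objects older than this are disabled
)

$now = Get-Date
Get-ADComputer -SearchBase $StagingOU -SearchScope OneLevel -Filter * `
    -Properties LastLogonDate, whenCreated, Enabled |
ForEach-Object {
    $c      = $_
    $age    = ($now - $c.whenCreated).Days
    $action = 'waiting'

    if ($c.Name -in $Approve) {
        if (-not $c.LastLogonDate) {
            # Approved by name, but the machine has never come online: nothing to promote yet.
            $action = 'skipped: approved but has never authenticated'
        }
        else {
            # The machine has authenticated with the provisioned credentials; release it from
            # the restricted group and move it where the standard policies apply.
            Remove-ADGroupMember -Identity $StagingGroup -Members $c -Confirm:$false
            Move-ADObject -Identity $c -TargetPath $TargetOU
            $action = 'promoted'
        }
    }
    elseif (-not $c.LastLogonDate -and $age -gt $StaleDays -and $c.Enabled) {
        # A provisioning file for this object exists somewhere and has never been used:
        # disabling the account means a misplaced Jumpdrive can no longer join it later.
        Disable-ADAccount -Identity $c
        $action = "disabled: unused for $age days"
    }

    [pscustomobject]@{
        Name          = $c.Name
        Created       = $c.whenCreated
        LastLogonDate = $c.LastLogonDate
        Action        = $action
    }
} | Format-Table -AutoSize
```

Run it without parameters to get a read-only view of what is waiting, then again with `-Approve PC-0001,PC-0002` for the machines you have verified. LastLogonDate is replicated only approximately (its replication interval is on the order of days), so a machine that joined minutes ago may still show as waiting.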

Administrative Tool: Add_Offline_Machine.cmd


@echo off
color 9F
cls
echo ==============================================================
echo Offline Domain Join Tool (dmaiolo v2017-04-28)
echo ==============================================================
echo.
echo This tool is used to add a computer object that can be used
echo during an offline domain join for purposes of imaging OEM equipment
echo when not joined to the network.
echo.
SET /P computerName=[Enter Hostname To Add to Offline Domain Join:]
IF "%computerName%"=="" (
    echo No hostname entered, nothing to do.
    pause
    GOTO :EOF
)
REM Set your OU below where you want the computers placed. For security, you could stick these in a staging OU that only allows access to resources once the machine has been approved by an administrator.
REM The /domain value and the DC= components of /machineou must refer to the same domain.
echo Adding %computerName% to Jump Drive Save File...
djoin /provision /domain "fqdn.company.com" /machine "%computerName%" /savefile .\%computerName%.txt /machineou "OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
IF ERRORLEVEL 1 (
    echo djoin /provision failed for %computerName%; not adding it to the security group.
    pause
    GOTO :EOF
)
REM The member DN must use the same OU as /machineou above, or dsmod will not find the object.
echo Adding %computerName% to Security Group...
dsmod group "CN=ISE - Offline Domain Join,OU=Your Special Offline Security Group,OU=Security Groups,OU=con,DC=corp,DC=contoso,DC=com" -addmbr "CN=%computerName%,OU=Offline Domain Join,OU=Workstations,OU=con,DC=corp,DC=contoso,DC=com"
pause

Offline Join Tool: Choose_Machine_Join_File_STEP1.cmd


@echo off
color 9f
setlocal enabledelayedexpansion
REM Drive letter of the task sequence media; adjust if the media mounts under a different letter in WinPE.
set mediaroot=d:
REM Marker file that records the provisioning file chosen here; STEP 2 reads it.
set djoinfile=CURRENT_OFFLINE_MACHINE.DJOIN

:START
cls
echo ===========================================================================
echo JOIN MACHINE TO DOMAIN (OFFLINE) (v20160413 dmaiolo)
echo ===========================================================================
if exist %mediaroot%\%djoinfile% (
    GOTO END
) else (
    GOTO CHOOSEFILE
)
:CHOOSEFILE
if exist %mediaroot%\*.txt (
    GOTO CHOOSEFILESTART
) else (
    echo ERROR! No Domain Join files were found on the media root.
    echo Please add a domain join file using the djoin.exe command and try again.
    echo This process will continue to look for this file every time you press any key.
    echo To bypass this entire process press CTRL+C. If you do, this computer will
    echo not join the domain.
    pause
    GOTO START
)
:CHOOSEFILESTART
echo Choose the file associated to this machine from the list below. If you
echo do not see your machine file listed, please contact the helpdesk to have
echo it created, and then add it to the root of this installation media.
echo -

set count=0
set "choice_options="

REM choice only accepts single-character options, so at most nine .txt files can be offered.
for /F "delims=" %%A in ('dir /a:-d /b %mediaroot%\*.txt') do (
    REM Increment %count% here so that it doesn't get incremented later
    set /a count+=1

    REM Add the file name to the options array
    set "options[!count!]=%%A"

    REM Add the new option to the list of existing options
    set choice_options=!choice_options!!count!
)

for /L %%A in (1,1,!count!) do echo [%%A]. !options[%%A]!
echo -
choice /D 1 /T 60 /C !choice_options! /N /M "Enter Number From Above (Option 1 Chosen in 60 Seconds): "

set var1=!options[%errorlevel%]!
REM Redirect before echo so no trailing space ends up in the marker file
>%mediaroot%\%djoinfile% echo %var1%
set /p var1=<%mediaroot%\%djoinfile%

choice /D y /C yn /T 60 /N /M "Proceed With %var1%? (y/n) (y Chosen in 60 Seconds): "
if %errorlevel%==1 (GOTO END) else GOTO CHOOSEFILE
:END

Offline Join Tool: Choose_Machine_Join_File_STEP2.cmd


@echo off
color 9f
setlocal enabledelayedexpansion
set mediaroot=d:
set djoinfile=CURRENT_OFFLINE_MACHINE.DJOIN
cls
echo ===========================================================================
echo JOIN MACHINE TO DOMAIN (OFFLINE) (v20160413 dmaiolo) STEP 2
echo ===========================================================================
if exist %mediaroot%\%djoinfile% (
    GOTO STARTJOIN
) else (
    GOTO NOFILEFOUND
)
:STARTJOIN
REM Read the file name chosen in STEP 1 only after confirming the marker file exists
set /p var2=<%mediaroot%\%djoinfile%
echo Joining %var2% to Domain...
REM /localos with /windowspath %systemroot% targets the running OS. If this step runs in
REM WinPE, point /windowspath at the Windows directory of the applied image instead.
djoin /requestODJ /loadfile %mediaroot%\%var2% /windowspath %systemroot% /localos
if ERRORLEVEL 1 (
    echo djoin /requestODJ failed for %var2%. Leaving the provisioning file in place
    echo and clearing the selection so STEP 1 can be run again.
    del %mediaroot%\%djoinfile%
    GOTO END
)
echo Removing %var2% from the future list of options...
rename %mediaroot%\%var2% *.old
del %mediaroot%\%djoinfile%
GOTO END
:NOFILEFOUND
echo No File Was Found. Run STEP 1 first to choose a provisioning file.
:END