IBM Security MaaS360

  • 1.  Windows 10 Bulk Enrolment Tool || Existing Local User Enrolment Question

    Posted Tue July 13, 2021 10:54 AM
    Hi All,

    I'm having a bit of trouble with the Bulk Enrolment Imaging Tool which I'm using to capture an image with an Existing, pre-configured Local User. I want to capture and then deploy this image so that when I log into the pre-configured user, MaaS begins the enrolment process, however I'm not able to get this to work.

    I'm wondering if I'm not understanding how this functionality works correctly or whether I'm doing something wrong and am looking for a bit of guidance.


    Here are the steps I'm following:

    1. I start with a completely fresh install of Windows 20H2, fully patched, updated, etc. FWIW this is a VM that I'm using
    2. While logged in as the default Local Administrator account, I create a new user - let's call this EnrolMeLocalUser
    3. I then promote EnrolMeLocalUser to the Local Administrators group so that it has Admin privileges ready for the enrolment
    4. Log into EnrolMeLocalUser and perform some customizations and personalizations (set desktop background, install Notepad++, etc.)
    5. Log out of EnrolMeLocalUser account
    6. While logged in as the default Local Admin account, I run the BulkEnrollment Imaging Tool and configure it to use the Imaging Process. I also configure the Computer Account Type for Enrolment to be an Existing User and I select the EnrolMeLocalUser from the dropdown list.
    7. I capture the image for the machine.

    Here is my expected outcome:

    1. Deploy the captured image to a completely wiped, no OS installed machine.
    2. As part of the OOBE, I have to create a new local account called TmpLocalUser 
    3. Finish OOBE and I'm automatically logged into TmpLocalUser
    4. Logout of TmpLocalUser
    5. Log into EnrolMeLocalUser account
    6. MaaS begins the enrolment process as I'm logging into the configured account (EnrolMeLocalUser).

    However, here is my actual outcome:

    1. Deploy the captured image to a completely wiped, no OS installed machine.
    2. As part of the OOBE, I have to create a new local account called TmpLocalUser
    3. Finish OOBE and I'm automatically logged into TmpLocalUser
    4. Logout of TmpLocalUser
    5. Log into EnrolMeLocalUser account
    6. MaaS does NOT start the enrolment. Logs are created, however there is no obvious error that I can see or any obvious reason for the enrolment not to continue.
    The logs indicate that no valid user for enrolment has been found.

    If anyone has any ideas, that would be greatly appreciated!

    Thanks in advance!

    Dave


    ------------------------------
    David Burtton
    ------------------------------


  • 2.  RE: Windows 10 Bulk Enrolment Tool || Existing Local User Enrolment Question

    Posted Mon July 26, 2021 05:04 AM
    Hi David
    Apologies for the delay in response, just seeing this today.
    OOBE works on the basis of the computer being joined to the domain rather than using a local user. 
    You need Azure AD and for the credentials to exist on the Azure directory. 
    Please have a look at this documentation:
    https://www.ibm.com/docs/en/maas360?topic=wobeoe-setting-up-windows-oobe-in-maas360-portal-microsoft-azure

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 3.  RE: Windows 10 Bulk Enrolment Tool || Existing Local User Enrolment Question

    Posted Fri July 30, 2021 11:56 AM
    Hi Eamonn,

    Thanks for the reply - I'm not sure if I was perhaps as clear as I could have been on this. I'm actually using the Windows 10 Bulk Provisioning Tool rather than the OOBE / AutoPilot process. 

    The documentation I'm following is:

    Configuring the Windows 10 Bulk Provisioning Tool configuration wizard to create a bulk provisioning tool executable - IBM Documentation

    And it's during the configuration of the Bulk Provisioning Tool that I'm selecting the option for Existing User.

    I also want to make sure I've understood the use case for this particular option - can this tool and this option actually be used for Existing Local Users or is it designed to be used for AzureAD / Domain Users?

    Thanks in advance

    ------------------------------
    David Burtton
    ------------------------------



  • 4.  RE: Windows 10 Bulk Enrolment Tool || Existing Local User Enrolment Question

    Posted Thu August 05, 2021 11:52 AM
    Edited by Eamonn O'Mahony Thu August 05, 2021 11:55 AM
    Hi David
    I've asked our Development team about this, in order to ensure I have an accurate response. 
    Please see documentation on this topic: 
    https://www.ibm.com/docs/en/maas360?topic=process-associating-users-bulk-enrolled-windows-10-devices
    Note that Windows PCs can be enrolled to either a domain user or MaaS360 local user when you are using a non-automated (manual, individual) enrollment.
    However when you are trying to 'fetch' a user, the process for Bulk Enrollment Tool requires that MaaS360 can 'fetch' the users from a system such as an OnPrem AD or Azure AD directory.
    These domain integrations, then, can be used to 'fetch' users and assign the user during the enrollment process. The configuration is limited, however - you can only leverage a domain 'fetch'. This means that you won't be able to retrieve non-domain (local MaaS360) users during the Bulk Enrollment Tool process.
    As such this enrollment/setup type would only work for users which can be retrieved from a corporate directory system. 
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 5.  RE: Windows 10 Bulk Enrolment Tool || Existing Local User Enrolment Question

    Posted Mon August 16, 2021 11:59 AM
    Thanks Eamonn, appreciate the help as always!

    ------------------------------
    David Burtton
    ------------------------------