Task Sequence AD Protect: Protect a TS with an AD account


In this post I will show you a PowerShell GUI I created for SCCM or MDT that allows you to protect a Task Sequence with an AD account.

Context
You don't want anyone to be able to run a TS and install a computer, for instance by mistake.
To prevent that, only members of a specific AD group should be allowed to deploy a computer.
The GUI prompts for an AD username and password.
If bad credentials have been typed 5 times, the TS exits and the computer reboots.
Otherwise the TS continues to the next step.
In this post I will explain both the SCCM and the MDT way.
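The check described above (AD credentials, membership of the allowed group, five bad attempts then exit and reboot), as an added PowerShell example; this is not the TS_password.ps1 script from the post. It assumes the AD module is in the boot image as the prerequisites require, uses the parameter names AD_Server and Group from the post with a placeholder DC name, and reboots with wpeutil, the standard WinPE tool (the post does not say how its own script reboots).

```powershell
# Added example, not the post's TS_password.ps1: validates the typed AD
# credentials with the AD module, then requires membership of the allowed group.
# Assumptions: AD_Server/Group are the post's parameter names, the DC name is a
# placeholder, and the reboot after 5 failures is done with wpeutil (WinPE).
param(
    [string]$AD_Server = 'DC01.lab.local',   # placeholder, use your own DC
    [string]$Group     = 'TS_Deploy'         # group from the post's AD lab
)
Import-Module ActiveDirectory

function Test-TSOperator {
    param([System.Management.Automation.PSCredential]$Credential)
    # WinPE is not domain joined, so every AD query binds with the typed credential.
    # A wrong password (or an unknown user) makes Get-ADUser throw: failed attempt.
    $sam = $Credential.UserName.Split('\')[-1]      # accept DOMAIN\user or user
    try {
        $null = Get-ADUser -Identity $sam -Server $AD_Server -Credential $Credential -ErrorAction Stop
    } catch {
        return $false
    }
    # Password is valid: now require membership of the allowed group (nested groups included)
    $members = Get-ADGroupMember -Identity $Group -Server $AD_Server -Credential $Credential -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return [bool]($members -contains $sam)
}

$maxAttempts = 5     # the post's rule: 5 bad credentials, then exit the TS and reboot
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    # Get-Credential stands in for the WPF form of the post's GUI
    $cred = Get-Credential -Message "Attempt $attempt of $maxAttempts - account allowed to run the TS"
    if ($null -ne $cred -and (Test-TSOperator -Credential $cred)) {
        Write-Host "Access granted for $($cred.UserName), the TS continues to the next step"
        exit 0
    }
    Write-Warning "Bad credentials or account not a member of $Group"
}
Write-Warning "$maxAttempts bad attempts: exiting the TS and rebooting"
& wpeutil reboot
exit 1
```

A non-zero exit code fails the Run Command Line step, so the TS stops even if the reboot is delayed.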

Prerequisites
- Add the PowerShell and .NET components to your boot image
- Check that the WinPE and WPF bug is fixed, see here.
- Add the AD module to your boot image; for that, check the links below:
https://mickitblog.blogspot.com/2016/04/import-active-directory-module-into.html
http://www.osdnerd.com/?p=170
https://daviddawsonsblog.wordpress.com/2017/03/03/powershell-active-directory-module-in-winpe-10/

How to get it?

What does it look like?
The GUI looks as below:

1. Type the AD user name
2. Type the AD password
3. Click on Run the TS
4. If a bad account has been typed, the lock icon turns red.
An icon in the toolbar allows you to change the main theme: Dark or Light.

See it in action from MDT


How does it work?
The downloaded folder contains two scripts:
- TS_password.ps1: script that runs the GUI
- Run_PS_Wizard.ps1: script that calls the first script

Some parameters have to be added to the script TS_password.ps1:
- AD_Server: the AD server to query using the AD module
- Group: the group containing the users that are allowed to run the TS

For that, open the script Run_PS_Wizard.ps1 and add those parameters as below:

What's next?
Multi language
Allows you to customize all text from an XML file. This way you will be able to customize it easily in your own language.

Active Directory part
1. In my Active Directory lab I created a group named TS_Deploy
2. Add the users that are allowed to deploy computers to this group
3. In my case I added the user dvr-adm

Create the GUI content
1. Download the wizard
2. Copy the folder to your server
3. Go to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64
4. Copy the file ServiceUI.exe into the wizard folder:

So far we have seen how to create the wizard content and how to customize it. Now let's see how to implement it in our SCCM environment.

Create the SCCM package
1. Go to Software Library
2. Go to Application Management then Packages
3. Do a right click and select Create Package
4. Type a name like TS Password Protect GUI
5. Check This package contains source files
6. Click on Browse, then select the folder containing the wizard

7. Click on Next
8. Select Do not create a program

9. Click on Next
10. Click on Next
11. Click on Close

Distribute the package
1. Do a right-click on your package
2. Select Distribute Content
3. Click on Next

4. Click on Add and select Distribution Point
5. Select your DP and click on OK

6. Click on Next
7. Click on Next
8. Click on Close

Task Sequence implementation
In this method we will create two Run Command Line steps that will work as below:
- Run the TS Password Protect GUI

1. Edit your TS
2. Click on Add, General, then Run Command Line
3. Type a name like Run TS Password Protect
4. In the command line part, configure as below:
5. Check Package and select the previously created package.
6. See below what the step looks like:


Do it for MDT
In this part I will explain how to use it with MDT.
1. Edit your TS
2. Click on Add, General, then Run PowerShell Script
3. Type a name like Run TS Password Protect
4. Copy the GUI folder into the Deploy folder, for instance
5. Type the command line below