sccmtspsi

SCCM Task Sequence deployment Orchestrator is a free front-end tool used by organisations to manage the deployment of Operating System Task Sequences effectively. It is a utility built on best practices and the lessons and insights of industry experts.

The orchestrator is secure by design and helps IT Managers and SCCM administrators implement an Agile approach to SOE design and management. SCCM engineers can move from Development and Test through to Production within the same window and with the same Task Sequence variables and configurations set.

The SCCM task sequence deployment orchestrator sets the stage for the deployment before the SCCM Task Sequence starts. Such an approach protects important user data saved locally on the computer from inadvertently getting deleted.

Your donation will contribute toward overheads such as web hosting, digital certificates,  feature updates and security updates.

About

SCCM Task Sequence deployment orchestrator is actively developed and maintained by OSD365 Limited. OSD365 Limited was incorporated in Wellington, New Zealand, in 2019. OSD365 Limited is a Microsoft partner that helps public and private organisations with their end-user computing needs, such as desktop support, application packaging, desktop imaging and SOE management.

SCCM Task Sequence deployment orchestrator used to be offered exclusively to OSD365’s shared services customers as a free SCCM OSD add-on. In March 2020, the software was made available for free for public downloads. Since the general availability, the Orchestrator has been downloaded thousands of times, and the positive feedback has been overwhelming. A big thank you to our partners for making this possible.

Security and Authentication.

The SCCM Task Sequence deployment Orchestrator configuration file & tokens are digitally encrypted using encryption standards similar to those used by the U.S. government to protect classified information.

The intuitive login screen only allows users with authorisation for a specific Realm to log in and initiate a deployment for that Realm. The login window also has network controls wherein an SCCM SOE administrator or Operator can change the Realm, disable a network card, modify the DNS Server or perform other local network-related activities.

The login module also prevents employees from performing unauthorised initiation of Operating System builds and prevents unintended mass deployment of Operating System Task Sequences.

The Broker account for the Realm does all the heavy lifting; the operator login accounts are for login purposes only. Thus, administrative access to the underlying infrastructure is enabled and disabled only for the Broker account. Third-party Operators performing machine builds do not need any access to the organisational infrastructure.

Automatic device name identification.

The SCCM Task Sequence deployment orchestrator automatically identifies the HOSTNAME of the device either from the local filesystem or the Microsoft Endpoint Configuration Manager (SCCM) infrastructure.

The Task Sequence deployment orchestrator also lets SCCM administrators add a prefix, a suffix, or both to the HOSTNAME of the device.

The Orchestrator has an administrative feature that enables the SCCM SOE administrator to mandate the setting of HOSTNAME as UPPER or lower case.

The SCCM Task Sequence deployment Orchestrator also checks if another device with the same name exists in SCCM or online on the local network. Such an action prevents unintended device deletions.

Unlock drives locked using Microsoft Bitlocker.

The installation of device drivers or other activities that make changes to the boot drive cause a Bitlocked drive to lock and ask for a password or a passphrase.

While rebuilding a device, a Bitlocked drive stops an SCCM SOE administrator or a Desktop engineer from backing up the Employee’s files and folders using automated processes.

SCCM Task Sequence deployment Orchestrator allows an SCCM SOE administrator to retrieve the Bitlocker information automatically from the local Active Directory, a remote Active Directory, a Bitlocker key or MBAM, or to supply it by manual entry.

Many organisations use the SCCM Task Sequence deployment orchestrator to unlock Bitlocker.

Task Sequence detection.

SCCM Task Sequence deployment Orchestrator lists all the Task Sequences deployed for a specific Realm.

This feature allows the SCCM SOE designers and administrators to initiate one of many Task Sequences deployed to a given Realm. All of the Task Sequences started by the Task Sequence deployment orchestrator for a realm use the same Task Sequence variables and configurations, standardising the final Operating System build of the SOE Task Sequence. The engineers can move from Development and Test through to Production within the same window and with the same Task Sequence variables and parameters set.

The SCCM Task Sequence deployment Orchestrator sets and validates the parameters for the Task Sequence before it starts, thus minimising the possibility of Package missing errors, unknown errors or employee data loss.

Operating System detection.

The SCCM Task Sequence deployment Orchestrator automatically identifies all the Operating system packages referenced within the SCCM Task Sequence. The Orchestrator lists both Operating System images and Operating System upgrade packages.

If the Operator changes the selected Task Sequence, the list of available Operating System items changes accordingly.

The Operating System name or PackageID can then be used in the task sequence to initiate the execution of the particular Operating System install step.

SCCM Task Sequence deployment Orchestrator displays only the options appropriate to whether an Operating System image or package has been selected.

SCCM Application and Office suite selection.

Traditionally, SCCM Applications are deployed during the Task sequence using Task Sequence variables or as a direct Application deployment step in the Task Sequence.

However, the setting of the Task Sequence variables is done on the SCCM Collection or is hard-coded into the Task Sequence.

With the SCCM Task Sequence deployment Orchestrator, Operators can choose, in real time, multiple Applications and one Office suite application from a list of SCCM Applications configured for a given Realm.

The Orchestrator lists Applications only if they are categorised for the Realm and enabled for deployment via a Task Sequence.

Built into the SCCM Task Sequence deployment Orchestrator is the ability to make selections based on SCCM Application profiles or existing SCCM Application deployments. This feature allows SCCM SOE engineers and operators to copy deployments targeting another device by temporarily using another device name and then changing it back.

Add computers to SCCM Collections.

The Task Sequence deployment Orchestrator enables the SCCM administrator to add a device to one or more SCCM Collections configured for a specific Realm.

Many organisations use this feature to add devices to SCCM collections configured for Microsoft Endpoint Configuration Manager (SCCM) workload co-management with Microsoft Intune. Some of our clients also use this feature to build machines for specific Time Zones or with a specific Power Option requirement.

Built into the SCCM Task Sequence deployment Orchestrator is the ability to use SCCM Collection profiles or existing SCCM collection membership to make a current selection. This feature allows SCCM SOE engineers and operators to copy Collection membership from another device by temporarily using another device name and then changing it back.

Active Directory group membership.

It is best practice to add devices into Active Directory security groups instead of adding a device as a direct member of an SCCM collection.

Thus, we built the Active Directory group membership feature right into the SCCM Task Sequence deployment Orchestrator, enabling the SOE engineers and operators to add a device as a member of an Active Directory group before the initiation of the Task Sequence.

Adding the device as a member of the Active Directory group before initiating the Task Sequence has its advantages. Doing so allows Active Directory replication, SCCM AD discovery routines and other time-dependent processes to complete before the Task Sequence ends.

Built into the SCCM Task Sequence deployment Orchestrator is the ability to use Active Directory group profiles or existing Active Directory group membership to make a current selection. This feature allows SCCM SOE engineers and operators to copy Active Directory group membership from another device by temporarily using another device name and then changing it back.

User state migration.

User state migration is a complicated process. Many SCCM SOE engineers avoid USMT activities by configuring folder redirection or directing their users to save their files and folders into network drives.

However, in the age of ‘Work From Home’ and ‘Bring Your Own Device’, the User State Migration Process plays a vital role.

In the event of a system breakdown, the SCCM Task Sequence deployment Orchestrator allows the administrator to rebuild the machine, copy existing SCCM Application deployments, copy existing SCCM Collection membership, copy existing AD group membership and restore the users’ data in less than an hour. SCCM Task Sequence deployment Orchestrator makes the use of USMT easy. The default XMLs will suffice for most use cases. The SCCM Task Sequence deployment Orchestrator allows data capture to the following media: USB drive, network drive and hard-linking.

Primary User selection.

Many organisations fail to see the power of Primary device user association. The Primary device user association helps with enterprise Asset Management.

Who has which device is a question that SCCM SOE engineers grapple with, mainly within larger enterprise environments, because employees come and go at a rapid pace.

Primary user assignment also helps with security compliance reporting. Email correspondence with the employee, in the event of a possible security breach, gets more manageable if an administrator can accurately tie a device to a user.

SCCM Task Sequence deployment Orchestrator makes adding primary user-device association easy. Using the deployment Orchestrator, SOE administrators can add one or more Primary device users before the SCCM Task Sequence begins.

Disk formatting.

The SCCM Task Sequence deployment Orchestrator formats the designated primary Disk to the exact specification of the SCCM SOE administrator.

The layout of the Partition is done based on Microsoft Partition recommendations. The configuration file for the Realm contains the disk formatting information. Each Realm can have its unique disk formatting information.

SCCM Task Sequence deployment Orchestrator automatically identifies Legacy BIOS and UEFI devices and formats the disk drives accordingly.

The employee’s data backup is performed before the disk formatting operation begins, which mitigates the possibility of data loss. The SCCM Task Sequence deployment Orchestrator notifies the SCCM SOE administrator if the underlying Disk is formatted differently.

Device decommissioning.

The decommissioning process is an essential step in the Asset management life cycle. The following activities have to happen when an employee exits an Organization.

  • The employee’s data must be backed up and saved for seven years (based on legal requirements).
  • The removal of the device from the Active Directory should happen.
  • The removal of the device from SCCM should happen.
  • The Disk should be deep formatted to prevent data theft.

SCCM Task Sequence deployment Orchestrator does all of the activities mentioned above according to industry standards.

The Orchestrator will wipe the hard disk drive and perform a secure erase during decommissioning.

Extension attributes.

There is always something lacking. Organisations buy great products that provide for all their needs but one; that scenario is quite common.

Thus the SCCM Task Sequence deployment Orchestrator has an Extension Attribute feature. Like Microsoft Active Directory, SCCM Task Sequence deployment Orchestrator allows the use of up to 18 Extension Attributes.

These Extension Attributes can change the direction of the Task Sequence and provide a solution for almost all the logical problems that SOE design engineers face when designing a Task Sequence.

Each of the SCCM Task Sequence deployment Orchestrator’s Extension Attributes can have one or more values. These values are set in the Realm’s SCCM Task Sequence deployment Orchestrator configuration file.

Content Validation, Adds, Removals, Staging and more.

SCCM Task Sequence deployment Orchestrator checks whether the Packages and Applications referenced in the Task Sequence, and the items chosen in real time by the Operator, are available on the distribution point(s) assigned to the device’s boundary. If any are unavailable, it notifies the SCCM SOE administrator by email. The email lists the missing package names along with their IDs and the FQDN of the distribution point(s) that need them.

All of the Moves, Adds and Changes follow best practice methods. The order of events focuses on data loss prevention and object precedence models. For example, Active Directory object deletion is the final task undertaken by the Orchestrator.

As mentioned in one of the preceding sections, Disk formatting is one of the last activities performed by the SCCM Task Sequence deployment Orchestrator. Deferring this action prevents accidental data loss.

All of the above scrutiny on the Task Sequence environment before its initiation increases the success rate of the Task Sequence.

Email notification.

The email notification feature is used for compliance and audit purposes. The notification modules are triggered in 4 different phases if enabled in the SCCM Task Sequence deployment Orchestrator’s configuration file.

  • At login: Notifies the central administrative email account and/or the current Operator’s email account about a login using SCCM Task Sequence deployment Orchestrator.
  • During failure: Notifies the central administrative email account and/or the current Operator’s email account about a failure during the execution of an activity by the SCCM Task Sequence deployment Orchestrator.
  • After success: Notifies the central administrative email account and/or the current Operator’s email account about the successful execution of all the automatic actions within the SCCM Task Sequence deployment Orchestrator.
  • A final build report: Sends a final build report to the central administrative email account and/or the current Operator’s email account. The SCCM Task Sequence deployment Orchestrator build report is a comprehensive as-built report with details regarding AD group membership, SCCM applications, Disk format, SCCM variables, services running, running processes, start-up items, PNP drivers, local users, local groups and a lot more.

SCCM Task Sequence deployment Orchestrator features at a glance.

Input system name

Automatically identify or input computer name by exploring the file system or querying the SCCM database.

Office suite application

Select your preferred office suite application from a list of office suite SCCM applications that are made available for the realm.

Advanced email notification

Select options to notify operator and/or administrator at login, build start and build completion.

Task sequence selection

Select from multiple task sequence deployments that are targeting the machine; all from within a single user interface.

SCCM application

Select multiple SCCM applications from a list of SCCM applications. Select from multiple SCCM applications marked to be displayed for the chosen realm.

DNS and SCCM conflict

sccmtspsi can check for DNS entry conflicts and duplicate SCCM objects, thereby reducing build failures and improving SOE health.

Unlock bitlocker

Bitlocked drives can be unlocked automatically from active directory, MBAM, password key or using a password.

SCCM collections

Add machine to one or more SCCM collections from a list of available SCCM collections. sccmtspsi broker adds the computer into these SCCM collections.

Content availability check

Validates content availability and lists all applications, packages and other items that are not available in the distribution points.

Select operating system

Select an operating system image or package that is available within the selected task sequence.

Active directory groups

Add machine to one or more active directory groups from a list of available active directory groups for the realm.

18 extension attributes

Extension attributes provide an SCCM administrator with the ability to plot multiple paths for each of their task sequence deployments.

User data migration

The user state migration process just got a whole lot easier. Capture and restore files from a good old Windows XP device to a new and powerful Windows 10 device using hardlink, USB or network options.

Primary users

Select one or more primary users for the device from the sccmtspsi task sequence user interface. Primary users will be set at the end of the task sequence deployment.

System decommission

sccmtspsi helps manage asset life cycle by helping SCCM administrators to format system drives, delete AD machine objects and SCCM device objects.

Curious? Want to know more?

Did you know that this SCCM Task Sequence deployment Orchestrator is free to use?

The free license expires every month but can be downloaded free again indefinitely.

Optionally, if you are an enterprise organization and require a license for a longer duration, click the “Get 365 days license” button below to buy a license which has a 365-day expiry.

You could also submit ideas and request new features using our forums.

DCOM hardening issue.

This application fails to authenticate with WMI on the SCCM server because Microsoft has not yet hardened DCOM in the Windows Preinstallation Environment. We are working on a different approach, but it will only be released during the first quarter of 2024. Until then, the only workaround is to uninstall the update corresponding to KB5004442.