Should We Use Unknown Computer Support?
I have had a few interesting discussions around enabling unknown computer support for operating system deployment. It is one of those subjects that is very subjective; everyone has their own ideas, so I thought I would share mine and my experiences.
Unknown computer support has been around for a while now. It is a feature which allows us to deploy operating systems to resources which do not exist inside ConfigMgr yet. It has been a very useful feature for many of my customers; however, some recent events have changed this. That is not particularly the fault of unknown computer support itself, but more a lack of understanding of how it all fits together in the bigger picture.
Here are a few lessons and tips for when you're looking at using unknown computer support.
Never enable mandatory deployments to the unknown computer collections when you use unknown computer support. Any device that PXE boots and is not already a resource in ConfigMgr is treated as unknown, and a mandatory deployment runs the task sequence without anyone choosing it. My customer learned this when I plugged my laptop into their network for Internet access, rebooted, and up came a task sequence during PXE boot.
If you must use mandatory deployments, then put a PXE password in place; this will prevent the task sequence from just running. In ConfigMgr the password is set on the PXE service point or PXE-enabled distribution point ("Require a password when computers use PXE") or on the boot media, not on the task sequence itself. It doesn't have to be a big secret, it just prevents a build starting by mistake.
In a higher security environment, such as a government establishment or maybe a bank, it's common to set up operating system deployment so that only clients which already exist in ConfigMgr can build. The resources are imported into a collection which has a mandatory deployment targeted at it, and anything that is not in that collection is never offered a build. This just means the resources need to be imported before they PXE boot; you can do this one at a time in the console, or bulk import a CSV of computer names with MAC addresses or SMBIOS GUIDs if you wish.
This links into the above section really. However, I have also set up in the past week or so that when we import a machine we set a variable on it, something like CanBuild, and set it to yes. We then check the value of this variable at the top of the task sequence and clear down the variable using some code from the SDK later in the task sequence. This is all part of a bigger automated process where the variable is set when the build is requested or imported.
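The import-then-gate process described above, written out as an added PowerShell example. This is not the author's code and is not part of the original post; the site code `PS1`, the site server `cm01.contoso.local`, the collection name, the function names and the `CanBuild` variable name are all assumptions. Part 1 uses the ConfigurationManager console cmdlets to import the resource and set the device variable, Part 2 reads the variable inside the task sequence through the `Microsoft.SMS.TSEnvironment` COM object, and Part 3 clears it by editing the device's `SMS_MachineSettings` record through the SMS Provider, which is the SDK route the post refers to.

```powershell
# Added example, not code from the original post. Assumed names: site code PS1,
# SMS Provider / site server cm01.contoso.local, collection "OSD - Approved Builds".

# ---- Part 1: run by the build-request process, on a machine with the ConfigMgr console ----
# Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
# Set-Location 'PS1:'
function Register-ApprovedBuild {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $MacAddress,          # e.g. '00:15:5D:01:02:03'
        [string] $CollectionName = 'OSD - Approved Builds'    # collection carrying the mandatory deployment
    )
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Invalid computer name: $ComputerName" }
    # Creates the resource record and a direct membership rule in the build collection,
    # so the machine is "known" and only this collection's deployment applies to it.
    Import-CMComputerInformation -ComputerName $ComputerName -MacAddress $MacAddress -CollectionName $CollectionName
    # The gate variable: the task sequence refuses to run unless this is 'yes'.
    # (The import is processed asynchronously; if the device is not found yet, wait and retry.)
    New-CMDeviceVariable -DeviceName $ComputerName -VariableName 'CanBuild' -VariableValue 'yes'
}

# ---- Part 2: first step of the task sequence (Run PowerShell Script, in WinPE) ----
# Device variables are merged into the task sequence environment at start-up, so CanBuild is
# readable here. A non-zero exit fails the step and stops the sequence before any disk is touched.
function Test-BuildGate {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    if ($tsenv.Value('CanBuild') -ne 'yes') {
        Write-Host "CanBuild is not 'yes' for $($tsenv.Value('_SMSTSMachineName')); refusing to build."
        exit 1
    }
}

# ---- Part 3: late in the task sequence (full OS), clear the variable through the SDK ----
# Removes CanBuild from the device's SMS_MachineSettings record so a later PXE boot of this
# machine cannot rebuild it until someone approves it again. Needs an account with rights on
# the SMS Provider; run the step as that account, not as the Network Access Account.
function Clear-BuildGate {
    param(
        [string] $SiteServer = 'cm01.contoso.local',     # assumed
        [string] $SiteCode   = 'PS1',                    # assumed
        [Parameter(Mandatory)] [string] $ComputerName,
        [pscredential] $Credential
    )
    if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Invalid computer name: $ComputerName" }
    $wmi = @{ ComputerName = $SiteServer; Namespace = "root\sms\site_$SiteCode" }
    if ($Credential) { $wmi.Credential = $Credential }

    $resources = Get-WmiObject @wmi -Class SMS_R_System -Filter "Name='$ComputerName'"
    foreach ($r in $resources) {
        $settings = Get-WmiObject @wmi -Class SMS_MachineSettings -Filter "ResourceID=$($r.ResourceID)"
        if (-not $settings) { continue }                # no per-device variables at all
        $settings.Get()                                 # MachineVariables is a lazy property; load it
        $settings.MachineVariables = @($settings.MachineVariables | Where-Object { $_.Name -ne 'CanBuild' })
        $settings.Put() | Out-Null
    }
}

# Usage:
#   Register-ApprovedBuild -ComputerName 'WS-0421' -MacAddress '00:15:5D:01:02:03'   (build request)
#   Test-BuildGate                                                                  (TS step 1)
#   Clear-BuildGate -ComputerName $env:COMPUTERNAME -Credential (Get-Credential)    (TS, last steps)
```

Part 2 needs the PowerShell optional component added to the boot image; if you would rather not script in WinPE, the same gate can be expressed as a condition on the first group of the task sequence ("Task Sequence Variable CanBuild equals yes"). Part 3 is deliberately the last thing that runs, so a failed build leaves the approval in place and the machine can simply be PXE booted again, while a successful build cannot be repeated by accident.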
In summary, be very careful with this feature: if it's not set up properly, things can go very wrong. Plan out how it works and how it will react, not just to your own equipment but to third-party machines that get plugged into the network which you have no control over.