Apply a Provisioning Package Silently via MDT/SCCM

After imaging a machine with MDT, it does not receive group policy settings until after a reboot. This posed a problem for certain workflows where some settings were needed immediately. The easiest workaround I could find was to create a provisioning package with Windows Configuration Designer. However, Microsoft's documentation on silent installs lacks the depth needed to be successful (see blue note here). Below are the steps I took to deploy provisioning packages silently with MDT.

I highly recommend completing the below steps on a clean install of Windows 10.

  1. First, install the Windows Configuration Designer by downloading the Windows ADK (link).

  2. According to Microsoft documentation, you must enable trusted provider certificates. I incorrectly guessed they meant you must add a signing certificate to the Trusted Publishers certificate store. What they actually mean is that you need to specify an expected certificate by setting TrustedProvisioners in a provisioning package. But wait - how do I set that? We can do it by setting a registry key, but the key is encoded, so we need to capture it by first making a second provisioning package...

  3. Create a new desktop provisioning package and switch to the advanced editor.

  4. Go to Certificates -> TrustedProvisioners. This tutorial assumes you have a basic PKI infrastructure in AD and have provisioned yourself a code signing cert. Open up your cert and find its thumbprint.

  5. Copy the thumbprint to the CertificateHash textbox in WCD.

  6. Go ahead and export/build the .ppkg package and run it on your machine.

  7. Open regedit, navigate to HKLM\Software\Microsoft\Provisioning and export the TrustedProvisioners key to a .reg file. This will let us add the trusted provider certificate to the client before we attempt to install our provisioning package.

  8. Create a new provisioning package and configure the settings you would like to deploy. When you are finished, build your package. Make sure you sign it!

  9. Now create a folder in your MDT share and put your .reg export and your provisioning package files in it. Remember its path!

  10. Now create a PowerShell script in that MDT share folder - adjust the lines below to match the folder you created:

# Import the .reg export from step 7; -Wait ensures the key is written before the package install starts
Start-Process -FilePath "C:\windows\regedit.exe" -ArgumentList "/s `"<your MDT share>\trustedprovision.reg`"" -Wait
# Install the signed provisioning package from step 8
Add-ProvisioningPackage -Path "<your MDT share>\mysettings.ppkg" -ForceInstall

The first line imports the .reg file to set your trusted provider, and the second line runs your provisioning package.

  11. Lastly, open up your MDT task sequence and add the Run PowerShell Script step to the Custom Tasks section of your task sequence. For the script, enter the path and file name of the PowerShell script you saved in the previous step.
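Putting the procedure together, here is a hardened version of the step 10 script as an added example (not the article's own script). The share path, file names and the HKLM\Software\Microsoft\Provisioning\TrustedProvisioners key path are assumptions taken from the steps above; it waits for the .reg import to finish, refuses to install until the trust anchor is present, and confirms the package registered afterwards. It also passes -QuietInstall alongside the -ForceInstall the article uses.

```powershell
# Added example, not the article's script. Placeholders: the MDT share path, the .reg export
# from step 7 and the signed .ppkg from step 8. Assumes the export populates
# HKLM\Software\Microsoft\Provisioning\TrustedProvisioners, as seen in regedit in step 7.
$ErrorActionPreference = 'Stop'

$Share      = '\\<your MDT share>\Provisioning'            # placeholder, adjust
$RegFile    = Join-Path $Share 'trustedprovision.reg'
$Package    = Join-Path $Share 'mysettings.ppkg'
$TrustedKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\TrustedProvisioners'

foreach ($f in $RegFile, $Package) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing deployment file: $f" }
}

# 1. Import the trusted provisioner hash. -Wait closes the race in a two-line script where
#    Add-ProvisioningPackage can start before regedit has finished writing the key.
$reg = Start-Process -FilePath "$env:windir\regedit.exe" `
                     -ArgumentList "/s `"$RegFile`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) { throw "regedit /s failed with exit code $($reg.ExitCode)" }

# 2. Refuse to install unless the trust anchor is really present. Without it, the install
#    falls back to the interactive consent prompt the article is working around.
$key = Get-Item -LiteralPath $TrustedKey
if ($key.SubKeyCount -eq 0 -and $key.ValueCount -eq 0) {
    throw "TrustedProvisioners key is empty; not installing $Package"
}

# 3. Install, then confirm the package registered. Comparing counts avoids relying on the
#    property names of Get-ProvisioningPackage output.
$before = @(Get-ProvisioningPackage -AllInstalledPackages).Count
Add-ProvisioningPackage -Path $Package -ForceInstall -QuietInstall
$after  = @(Get-ProvisioningPackage -AllInstalledPackages).Count
if ($after -le $before) { throw "Package $Package did not appear in the installed list" }
Write-Output "Installed $Package ($before -> $after packages)"
```

Because every failure throws, the MDT Run PowerShell Script step reports an error instead of finishing a task sequence with the settings silently missing.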

When you run the task sequence, you shouldn't see any prompts and your provisioning package should install correctly. To confirm it installed after the sequence finishes, open a PowerShell window and run Get-ProvisioningPackage -AllInstalledPackages (some other useful commands can be found here).

I wrote this article pretty quickly so please let me know if you have any questions down in the comments. Hope this helps!
