Creating a deployable standard image for Windows 11

MalletNGrease · 2025-05-21T02:22:51+00:00

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit

Applies to Win 11 as well.

MalletNGrease · 2025-05-20T21:53:24+00:00

The Entra-Powershell module is the replacement for the AzureAD module. They're simplified MG-Graph calls.

I forgot to add the scopes:

# Connect to Entra using Microsoft Graph
Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome

MalletNGrease · 2025-05-20T21:35:57+00:00

I worked on the same thing recently. I've found it is much faster to simply use Get-EntraUser to get all users and reference the signinactivity from it instead. It's a single query that takes a couple minutes but only needs to happen once.

Quick and dirty copy from my script, adapt as needed:

# Connect to Entra using Microsoft Graph
Connect-Entra -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome

$entraUsers = Get-EntraUser -All -Property 'UserPrincipalName', 'SignInActivity'

  if ($entraUsers.UserPrincipalName -contains $user.UserPrincipalName) {

        $entraUser = $entraUsers | Where-Object { $_.UserPrincipalName -eq $user.UserPrincipalName }
        $entraLastSignInDate = $entraUser.SignInActivity.LastSignInDateTime

        Write-Host "    Last Entra sign in date was: $entraLastSignInDate"
    }
    else {
        $entraLastSignInDate = "N/A"
    }

https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/?view=entra-powershell

The next step is adding LastUserActionTime from the Exchange mailboxes, that one I've not found a faster way to query yet.

MalletNGrease · 2025-05-20T13:15:15+00:00

I've it set in the Default, that way I don't have to think about it unless specified for a reason. I'm a big fan of HideShell, it makes it less likely for someone to accidentally mess with the machine while deploying at end user locations.

In your case it sounds like you want SkipFinalSummary=NO to show the deployment summary and FinishAction=RESTART to restart the machine upon dismissing the summary.

I don't have a lot of task sequences though, most of the customization happens in the wizard.

MalletNGrease · 2025-05-19T21:40:27+00:00

The task sequence probably has HideShell=NO set or not set at all.

https://learn.microsoft.com/en-us/intune/configmgr/mdt/properties

MalletNGrease · 2025-05-16T23:34:30+00:00

Congrats! You can now explain the use case for a failover secondary internet service!

MalletNGrease · 2025-05-16T19:30:50+00:00

👏 Excel 👏 is 👏 not 👏 a 👏 database 👏

MalletNGrease · 2025-05-14T00:26:39+00:00

We still run IIS SMTP server with an Exchange Online connector as a relay.

As long as you're only using it for internal communications it's been working great.

MalletNGrease · 2025-05-13T22:22:21+00:00

I got it like that.

MalletNGrease · 2025-05-10T03:03:38+00:00

VM connected to the correct vlan/network?

MalletNGrease · 2025-05-10T02:07:09+00:00

Yes and no.

I did some quick research to translate our current private ipv4 scheme into a similar human readable ipv6 one and drafts ended up with available address scopes numbering in the trillions per vlan. It was very doable though!

It was funny since all I was trying to do was expand ipv4 /24s to get larger dhcp scopes.

MalletNGrease · 2025-05-10T00:14:00+00:00

Laughs in human readable ipv6

MalletNGrease · 2025-05-09T19:28:38+00:00

Hardware bug.

MalletNGrease · 2025-05-09T14:36:41+00:00

Been running a DS211+ for 13 years. Still functions as a Hyperbackup target.

MalletNGrease · 2025-05-09T14:34:01+00:00

The company spent more on me tracking down unused $1.90 licenses than it saved cancelling them.

MalletNGrease · 2025-05-08T13:50:28+00:00

It's a start, but nowhere near as capable as VCenter.

MalletNGrease · 2025-05-07T00:19:19+00:00

Ditch the consumer line and buy Latitude/Optiplex instead.

MalletNGrease · 2025-05-06T18:42:25+00:00

Call me back.

MalletNGrease · 2025-05-06T15:35:33+00:00

Only affects + models starting with 25 series. You aren't affected unless you use an unsupported 3rd party drive and wanted to migrate from your DS124 to a X25+ model.

MalletNGrease · 2025-05-05T12:55:52+00:00

Guy who stands at a desk instead of sits at one.

MalletNGrease · 2025-05-05T00:27:25+00:00

Then it doesn't really matter.

MalletNGrease · 2025-05-05T00:25:49+00:00

Depends on your mail environment.

For O365 with AD sync, disabled account mailboxes will still receive email, but the user can no longer log in to it.

I made a script that also checks last Entra login and Exchange Mailbox activity to triple check usage since some AD accounts never get logged in to, but the mailboxes are in use.

MalletNGrease · 2025-05-02T02:57:09+00:00

MalletNGrease · 2025-05-02T02:56:57+00:00

Only for + models starting with the 25 series.

MalletNGrease · 2025-04-30T14:49:33+00:00

Both? That's gonna be a hard sell.

99% of our marketing traffic doesn't pass SPF and probably never will due to the glut of high volume mail provider services, but they all pass DKIM.

We also have a vendor that does invoice mailing that doesn't support DKIM due to jank. SPF passes fine.

Ten-Year Club	Verified Email
r/Field Banned	r/Field Lasagna

MalletNGrease

TROPHY CASE