Best practices for self-modifying onboarding script

Building new workstations and servers often involves repetitive tasks that traditionally include a checklist and an engineer’s time to complete. It’s a task many MSPs perform manually. Fortunately, for Datto RMM users, most of the process can be automated using the initial audit job scheduler.

Let’s look at how to set up this type of automation.

Starting the build process for new workstations and servers

The following is an example checklist of items for a new build process:

  • Remove toolbars and third-party software.
  • Disable the guest account.
  • Create a new MSP local admin account.
  • Install Java, Shockwave, Adobe Acrobat Reader, and Google Chrome.
  • Enable BitLocker, encrypt the drive, and take note of the recovery key.
  • Take note of the Windows license key.
  • Install all available Windows updates.

However, certain steps apply only to some device types. For example, several of these items can be omitted when the new device is a server.

Workstations only:

  • Remove toolbars and third-party software.
  • Install Java, Shockwave, Adobe Acrobat Reader, and Google Chrome.
  • Enable BitLocker, encrypt the drive, and take note of the recovery key.

Both servers and workstations:

  • Disable the guest account.
  • Create a new MSP local admin account.
  • Take note of the Windows license key.
  • Install all available Windows updates.

Next steps: The script

Next, you can use some PowerShell code in the new build component. This will help determine the operating system (OS) type, which will dictate the next steps the script will take.

You can determine if you are executing on a server or workstation using PowerShell:

$osInfo = Get-WmiObject -Class Win32_OperatingSystem

You can now read the product type from the ProductType property of that object:

$osInfo.ProductType

Return values:

  • 1: Workstation
  • 2: Domain controller
  • 3: Server

The next step is to make the return value from the query useful. To do this, you'll evaluate the variable $osInfo.ProductType with an IF statement.

Two operators can be used with the IF statement:

  • -eq: Equal
  • -ne: Not equal

Determine if the script is running on a workstation OS:

if ($osInfo.ProductType -eq 1) {
    Write-Host "Workstation OS Detected"
}

Determine if the script is not running on a workstation OS:

if ($osInfo.ProductType -ne 1) {
    Write-Host "Server OS Detected"
}

If you wish, you could further define what type of server the script is running on (domain controller or member server) by testing for a return value of 2 or 3 as previously detailed.

Using ELSE in your IF statement

To simplify the PowerShell code, you could use ELSE in your IF statement rather than testing for each OS type in turn. For example, if the script is not running on a workstation OS, it must be running on a server OS, so the ELSE branch covers the workstation case:

if ($osInfo.ProductType -ne 1) {
    Write-Host "Server OS Detected"
}
else {
    Write-Host "Workstation OS Detected"
}

Now that you can determine what OS type the script is executing against, you can start to perform the automated actions:

if ($osInfo.ProductType -eq 1) {
    Write-Host "Workstation OS Detected"
    # Insert your custom PowerShell code here
}
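The following is an added example, not code from the original article or from Datto, that puts the ProductType branch into a fuller onboarding component covering the checklist items above. It assumes it runs elevated under Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (the LocalAccounts and BitLocker modules ship with those versions), that the local admin account name msp-admin is acceptable, and that the admin password is supplied through a component variable named MSP_ADMIN_PASSWORD, which Datto RMM exposes to the script as an environment variable; the variable name and account name are assumptions, not part of the article.

```powershell
# Added example (not from the original article or from Datto): onboarding
# component that branches on Win32_OperatingSystem.ProductType.
# Assumed: elevated Windows PowerShell 5.1, Windows 10 / Server 2016+, and the
# admin password passed in the component variable MSP_ADMIN_PASSWORD.
$ErrorActionPreference = 'Stop'

function Get-DeviceRole {
    # Same ProductType values the article lists: 1 workstation, 2 DC, 3 server.
    # Get-CimInstance is the supported replacement for Get-WmiObject.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    switch ([int]$os.ProductType) {
        1       { 'Workstation' }
        2       { 'DomainController' }
        3       { 'MemberServer' }
        default { throw "Unexpected ProductType value: $($os.ProductType)" }
    }
}

function Invoke-CommonTasks {
    param([string]$Role)

    # A domain controller has no local SAM, so "local" account changes there
    # would land on domain accounts; leave those to the domain administrators.
    if ($Role -eq 'DomainController') {
        Write-Host 'Domain controller: skipping local account changes'
    }
    else {
        Write-Host 'Disabling built-in Guest account'
        Disable-LocalUser -Name 'Guest'

        $adminName = 'msp-admin'                        # assumed account name
        $plain = $env:MSP_ADMIN_PASSWORD                # never hard-code it in the component
        if ([string]::IsNullOrEmpty($plain)) { throw 'MSP_ADMIN_PASSWORD was not supplied' }
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        if (-not (Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue)) {
            Write-Host "Creating local admin account $adminName"
            New-LocalUser -Name $adminName -Password $secure -PasswordNeverExpires | Out-Null
            Add-LocalGroupMember -Group 'Administrators' -Member $adminName
        }
        Remove-Variable -Name plain, secure             # do not leave the secret in session state
    }

    # OEM key embedded in firmware; empty on volume-licensed or retail machines.
    $key = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
    if ($key) { Write-Host "Windows product key: $key" }   # goes to RMM job output, not a disk log
    else      { Write-Host 'No OEM product key present in firmware' }

    # Windows Update: call your update tooling of choice here (omitted).
}

function Invoke-WorkstationTasks {
    # Third-party removal and application installs: hook your package
    # commands in here (omitted; they depend on the packaging tool in use).

    $vol = Get-BitLockerVolume -MountPoint 'C:'
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-Host 'Enabling BitLocker on C: with TPM and recovery password protectors'
        Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    }
    # Report the recovery password in the RMM job output so the engineer can
    # file it in the documentation system; never write it to a local file.
    $protectors = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $protectors) {
        Write-Host "BitLocker recovery password (ID $($p.KeyProtectorId)): $($p.RecoveryPassword)"
    }
}

$role = Get-DeviceRole
Write-Host "$role OS detected"
Invoke-CommonTasks -Role $role
if ($role -eq 'Workstation') { Invoke-WorkstationTasks }
Write-Host 'Onboarding complete'
```

Two design points matter here. The admin password is read from the RMM component variable rather than written into the script body, so the secret never sits in the component library or in the audit job definition, and it is cleared from the session once the account exists. Secrets the build produces (the recovery password, the product key) are sent only to the job output, which Datto RMM captures for the engineer, instead of to a log file on the device where any local user could later read them.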

Next, run this automatically against all new devices that join a site. If you've been using Datto RMM for a while, you will likely have sites with existing agents you don’t want to execute your new computer prep script against.

In that case, you could create a new site named Workshop (or similar) and use it as the staging area for all new builds. Once the build process is complete, you'd move the devices to their correct site.

IMPORTANT: Remember to disable all the Monitoring policies for the new Workshop site and ensure it does not sync to any external applications.

Download the agent installer for the Workshop site and use it for all new devices you are building. This ensures all the new devices first join the Workshop site.

Setting up the initial audit job

To run the new onboarding script, you need to assign an initial audit job to the new Workshop site as follows:

  1. From the left navigation menu, navigate to Automation > Jobs.
  2. Click Create Job.
  3. Name the job.
  4. Select your new onboarding component.
  5. Set the targets. (This example shows both Windows servers and workstations because the script is being used to decide what executes based on the discovered OS.)
  6. Limit this job to the new Workshop site you created using the pencil icon.
  7. Set the schedule. (This example uses the Initial Audit recurrence to trigger the new onboarding script.)
  8. Once the machine prep component has finished running, you can move the device from the Workshop site to the applicable customer site.

Now, you have a self-modifying onboarding script that will change its behavior based on the device it is being executed against.