When setting up a new computer, ask the user to add a local administrator account named Admin with no password, then set up TeamViewer Host to configure the PC as "Managed by Agrofresh":
After installation, with TeamViewer running as admin, run from CMD (as admin):
"C:\Program Files\TeamViewer\TeamViewer.exe" assignment --id 0001CoABChCh5x3gAmcR772txRGrXstJEigIACAAAgAJAB5Mnhcwnx6r8ZW9V_8PiMoaQpiMY7R-1BOZmDL9isf0GkBwzzhI0ZUBOi_Fp9dd_CgqdvlnrQ0BDqF64PC6KlMzvX16IZ2C23fib6yy61tflFC9EJhrM4X-7CkVpe8BgAeTIAEQx_Dgkws=
After this you should have no problem taking control of the machine and installing all the applications before joining the computer to the domain.
------------------------------
Create a local limited user:
LIMACC
password: vGJ"vA4U
-------------------------------
Install the software listed under "Installed software" at the end of this document (CHECKLIST):
==============================================
=CONFIGURATION STEPS=
==============================================
- In the computer as .\Admin:
  - Establish a connection to the VPN with your Agrofresh user
  - Run sysdm.cpl as administrator
  - Click the Change button and check the computer name's availability in AD on-premises (follow the naming scheme)
  - Click on Domain, type corp.agrofresh.com, then click OK
  - The system will ask for domain (agrofresh) credentials to approve the request, e.g. agrofresh\johndoe
  - Click OK and then Close (the computer will prompt to restart)
  - Sign in with the local admin account again
  - Connect to the VPN
- In AD On-Prem:
  - Click the View tab
  - Click Advanced Features to enable them
  - Move the computer object to the respective country's Computers OU (e.g. /Employees/Chile/Curico/Computers)
- In the computer as .\Admin:
  - Enable Windows Update (in CMD as admin):
    reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v SetDisableUXWUAccess /t REG_DWORD /d 0 /f
  - Update Windows.
  - Set the registry value SetDisableUXWUAccess back to 1
- To set up the user account on the computer:
  - In Entra ID: disable MFA - Agrofresh for the user (ask Supervisor)
  - Switch accounts to sign in with the user credentials (it is important to leave the VPN connected)
  - Sign in with the user credentials
  - Configure the Appgate profile
    - Enable "start Appgate on computer startup" in the settings menu of the software
    - Sign in with the user credentials and enable the "stay signed in" checkbox
  - Install Office from Login Office.com | Microsoft 365 (the user must have an Office 365 license assigned)
  - Update Office
  - Sign in to the Office suite (Outlook, Teams, OneDrive) with the user credentials
  - Configure Outlook, Chrome and Adobe as default apps in Windows
  - From Run: shell:common programs. Copy the Outlook shortcut
  - From Run: shell:startup. Paste the Outlook shortcut so Outlook starts whenever the user signs in
  - Run Analysis for Excel from the Start menu
  - In CMD run: gpupdate /force
  - Check the policies applied with (in CMD as admin):
    gpresult /Scope User /h %userprofile%\Downloads\GPresult_User.html && gpresult /Scope Computer /h %userprofile%\Downloads\GPresult_Computer.html
- Query the new computer's name in AD and look in the BitLocker tab to check whether a recovery key is present.
=============================================================================================
|| [Issue these commands only if the recovery key was not stored in AD]:
||
|| Get the BitLocker recovery-password protector (in PowerShell as admin):
|| $BitID = (Get-BitLockerVolume -MountPoint C:).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
|| (Filtering on RecoveryPassword matters: the first entry in KeyProtector is usually the TPM protector,
||  which has no recovery password and cannot be backed up to AD.)
||
|| Send the BitLocker recovery information to AD (in PowerShell as admin):
|| manage-bde -protectors -adbackup C: -id $BitID[0].KeyProtectorId
============================================================================================
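The manual two-command backup above covers one volume and assumes a recovery-password protector already exists. The following script is an added example, not part of the original runbook, that does the same job for every encrypted volume, adds a recovery-password protector where one is missing, and then (if the RSAT ActiveDirectory module is available) checks that the computer object in AD really holds an msFVE-RecoveryInformation entry. It assumes an elevated PowerShell on a domain-joined machine whose policy allows BitLocker recovery information to be stored in AD DS; the function name Backup-RecoveryPasswordsToAD is ours.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Backup-RecoveryPasswordsToAD {
    # Added example: back up every RecoveryPassword protector on the given
    # volumes to AD. Defaults to all volumes BitLocker knows about.
    param([string[]]$MountPoint = (Get-BitLockerVolume).MountPoint)

    $backedUp = @()
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "$mp : protection is $($vol.ProtectionStatus); nothing to back up yet."
            continue
        }

        # Only RecoveryPassword protectors can be stored in AD; the TPM
        # protector (usually first in KeyProtector) has no recovery password.
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            Write-Warning "$mp : no recovery-password protector found, adding one."
            $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
            $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }

        foreach ($p in $rp) {
            # Same operation as "manage-bde -protectors -adbackup", via the cmdlet.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "$mp : backed up protector $($p.KeyProtectorId) to AD"
            $backedUp += $p.KeyProtectorId
        }
    }
    return $backedUp
}

function Test-RecoveryInfoInAD {
    # Added example: confirm the computer object has msFVE-RecoveryInformation
    # children. Needs the RSAT ActiveDirectory module (assumption); returns
    # $null when the module is absent so the caller can fall back to the
    # BitLocker tab in ADUC as the runbook describes.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Write-Warning 'ActiveDirectory module not available; verify the BitLocker tab in ADUC instead.'
        return $null
    }
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $entries = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"'
    return @($entries).Count
}

$ids = Backup-RecoveryPasswordsToAD
Write-Host "Protectors backed up: $($ids.Count)"
$count = Test-RecoveryInfoInAD
if ($null -ne $count) { Write-Host "msFVE-RecoveryInformation entries under the computer object: $count" }
```

A GUID list that is empty after the run means no volume was actually protected, which is worth catching before the closing remarks claim "Bitlocker enabled and Key backed up". The AD check only proves that some recovery entry exists under the computer object, so keep comparing the protector GUIDs printed by the script against what the BitLocker tab in ADUC shows.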
- After the user's session has been created on the local machine, enable the user's MFA as Enforced in Azure.
- Finally, add the new hostname to the closing remarks as a private note:
Installed software:
Appgate
Adobe Reader
Crowdstrike
Google Chrome
Office suite
SAP front-end
SAP Analysis for Office
TeamViewer
Windows Updates
######################################################
Computer joined with Agrofresh AD On-Prem.
Hostname:
Moved to OU:
Admin user created: Admin
User created: LIMACC
Group policies applied
BitLocker enabled and key backed up to AD On-Prem.
User's MFA Enabled
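The closing remarks above are filled in by hand. The following script is an added example, not part of the original runbook, that checks the same points on the freshly built machine so the private note reflects the real end state. It assumes an elevated PowerShell on the new computer; the account names Admin and LIMACC, the domain corp.agrofresh.com, the SetDisableUXWUAccess value and the GPresult file names come from the runbook, while the service names CSFalconService and TeamViewer, the registry location of the computer DN, and the function name Test-BuildChecklist are assumptions. MFA enforcement lives in Entra ID and cannot be verified from the endpoint, so it is listed as a manual item.

```powershell
#Requires -RunAsAdministrator

function Test-BuildChecklist {
    # Added example: one pass/fail line per closing-remark item.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $wuKey  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    # Assumption: the machine's DN is cached here after a successful gpupdate.
    $gpState = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine' -ErrorAction SilentlyContinue
    $gpReports = Get-ChildItem -Path "$env:USERPROFILE\Downloads\GPresult_*.html" -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Hostname'                                  = $env:COMPUTERNAME
        'Joined to corp.agrofresh.com'              = ($cs.PartOfDomain -and $cs.Domain -eq 'corp.agrofresh.com')
        'Computer DN (OU placement)'                = $gpState.'Distinguished-Name'
        'Admin local account exists'                = [bool](Get-LocalUser -Name 'Admin' -ErrorAction SilentlyContinue)
        'Admin is a local administrator'            = [bool]($admins | Where-Object Name -like '*\Admin')
        'LIMACC local account exists'               = [bool](Get-LocalUser -Name 'LIMACC' -ErrorAction SilentlyContinue)
        'LIMACC is NOT a local administrator'       = -not ($admins | Where-Object Name -like '*\LIMACC')
        'GPresult reports present (User+Computer)'  = (@($gpReports).Count -ge 2)
        'BitLocker protection On (system drive)'    = ($osVol.ProtectionStatus -eq 'On')
        'Recovery-password protector present'       = [bool]($osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        'CrowdStrike sensor running (CSFalconService, assumed name)' =
            ((Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue).Status -eq 'Running')
        'TeamViewer service present (assumed name)' = [bool](Get-Service -Name 'TeamViewer' -ErrorAction SilentlyContinue)
        'SetDisableUXWUAccess restored to 1'        = ($wuKey.SetDisableUXWUAccess -eq 1)
        "User's MFA Enforced in Entra ID"           = 'MANUAL: verify in Entra ID'
    }
    return $checks
}

$result = Test-BuildChecklist
$result.GetEnumerator() | ForEach-Object {
    $status = switch ($_.Value) { $true { 'PASS' } $false { 'FAIL' } default { "$($_)" } }
    '{0,-60} {1}' -f $_.Key, $status
}
```

Anything reporting FAIL maps directly to a line of the closing remarks that should not be written yet; the DN line shows at a glance whether the object was moved out of the default Computers container into the country OU.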