Adding these drivers will:
Enable Wake-on-LAN (standard Microsoft drivers do not work).
Allow computers to build where the network driver is missing.
Procedure
For Intel drivers:
Download the network driver from the manufacturer's website:
On your laptop or a school workstation, extract the zip file > run Wired_Driver_XX.X_x64.exe > do not click OK, but leave the window open.
Start > Run > type %temp% > OK > open the folder named WZSE0.TMP.
Open PRO1000 \ Winx64 > copy the NDIS68 folder (these are Windows 10 x64 drivers) to K9Server in D:\Interm IT\Drivers and rename to Intel LAN Drivers.
Continue from step 6 below.
For Realtek LAN drivers
Download the network driver from the manufacturer's website: https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software > download Win10 Auto Installation Program (NDIS).
On your laptop or a school workstation, extract the zip file > run Install_Win10_10060_08222022.exe > do not click Next or Cancel, but leave the window open.
Start > Run > type %temp% > OK > open the folder named 7zS8C03F3FC.
Open the WIN10 folder > copy the 64 folder (these are Windows 10 x64 drivers) to K9Server in D:\Interm IT\Drivers and rename to Realtek LAN Drivers.
Continue from step 6 below.
Instructions continued...
On K9Server > open Deployment Workbench > K9 Deployment Share > right-click Out-of-Box Drivers > New Folder > enter Intel / Realtek LAN Drivers > Next > Next > Finish.
Right-click the Realtek / Intel LAN Drivers folder > Import Drivers > browse to D:\Interm IT\Drivers > select the Intel / Realtek LAN Drivers folder > OK > Next > Next > Finish.
Update the deployment share > right-click K9 Deployment Share > Update Deployment Share > select Completely regenerate... > Next > Next > Finish.
Import image into WDS > open Windows Deployment Services > expand Servers > K9Server > Boot Images.
Right-click on an existing boot image > Replace Image
OR
Right-click Boot Images > Add Boot Image
Browse > navigate to D:\K9DeploymentShare\Boot > select LiteTouchPE_x64.wim > Open > Next x 2 > name the image K9 Windows 10 > Next x 2 > Finish.
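The driver import, share regeneration and WDS boot image replacement above can be done from PowerShell on K9Server. The script below is an added example, not the page's own procedure or an Interm IT script: it assumes MDT is installed in its default location, that the deployment share is D:\K9DeploymentShare, that the extracted drivers sit in D:\Interm IT\Drivers\Intel LAN Drivers, and that the WDS boot image is named K9 Windows 10. Before importing, it checks that every driver catalog in the folder carries a valid Authenticode signature, which is the check worth doing on anything that ends up inside the boot image.

```powershell
# Added example (not the page's own procedure): import a LAN driver folder into the
# K9 MDT deployment share, regenerate the boot image and replace it in WDS.
# Assumptions: MDT on K9Server, share D:\K9DeploymentShare, drivers already copied
# to D:\Interm IT\Drivers\Intel LAN Drivers, WDS boot image named "K9 Windows 10".
param(
    [string]$DriverSource = 'D:\Interm IT\Drivers\Intel LAN Drivers',
    [string]$DriverFolder = 'Intel LAN Drivers',   # folder name under Out-of-Box Drivers
    [string]$ShareRoot    = 'D:\K9DeploymentShare',
    [string]$BootImage    = 'K9 Windows 10'        # boot image name in WDS
)

Import-Module "$env:ProgramFiles\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"

# Every driver package ships a signed .cat catalog; refuse the whole folder if any
# catalog is missing or not validly signed, so an unsigned/tampered driver never
# reaches the boot image.
$catalogs = @(Get-ChildItem -Path $DriverSource -Recurse -Filter *.cat)
if ($catalogs.Count -eq 0) { throw "No driver catalogs found under $DriverSource" }
$bad = $catalogs | ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
       Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.Path): $($_.Status)" }
    throw 'Driver package failed signature check; not importing.'
}

# Connect the deployment share as a PSDrive (DS001 is an arbitrary local drive name)
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $ShareRoot | Out-Null
}

# Create the Out-of-Box Drivers folder if it does not exist, then import the drivers
$target = "DS001:\Out-of-Box Drivers\$DriverFolder"
if (-not (Test-Path $target)) {
    New-Item -Path 'DS001:\Out-of-Box Drivers' -Name $DriverFolder -ItemType Directory | Out-Null
}
Import-MDTDriver -Path $target -SourcePath $DriverSource | Out-Null

# -Force is the GUI's "Completely regenerate the boot images" option
Update-MDTDeploymentShare -Path 'DS001:' -Force | Out-Null

# Replace the existing boot image in WDS, or add it if this is the first import
$wim = Join-Path $ShareRoot 'Boot\LiteTouchPE_x64.wim'
if (Get-WdsBootImage -ImageName $BootImage -Architecture x64 -ErrorAction SilentlyContinue) {
    & wdsutil.exe /Replace-Image "/Image:$BootImage" /ImageType:Boot /Architecture:x64 /ReplacementImage "/ImageFile:$wim"
} else {
    Import-WdsBootImage -Path $wim -NewImageName $BootImage | Out-Null
}
```

Run it once per driver set (change DriverSource and DriverFolder for the Realtek folder); the PSDrive and folder creation steps are safe to repeat.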
Adding these drivers will:
Automatically attempt installation of Intel display drivers to all 6th gen or newer processors.
Older systems will attempt the installation, fail, and automatically continue.
Procedure
Navigate to and download the latest Intel DCH driver in EXE format.
Intel DCH driver (6th Gen - 12th Gen).
Intel DCH driver (11th Gen - 14th Gen)
Copy the file to D:\Interm IT\Drivers\Intel DCH Driver.
Open the Deployment Workbench > expand K9 Deployment Share > right-click Applications > New Application > Next > enter the Application Name as Intel DCH Driver <date> (e.g. Intel DCH Driver 2022.07.22) > Next > select Browse > select D:\Interm IT\Drivers\Intel DCH Driver > Next > change the entry so it just reads Intel DCH Driver > Next > enter the following:
Command Line: <fileName>.exe -s -f (e.g. igfx_win_101.1994.exe -s -f)
Next > Next > Finish.
Open your existing build task sequence > select a step after Install Applications and before Remove HTTP Proxy.
Select Add > General > Install Application > Install a single application > Browse > Intel DCH Driver > OK > Options tab > tick Continue on error > OK.
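The New Application wizard steps above map onto one MDT cmdlet. The script below is an added example (not the page's own procedure): it assumes MDT on K9Server, the share D:\K9DeploymentShare and a single installer EXE in D:\Interm IT\Drivers\Intel DCH Driver. Because the task sequence runs the installer as SYSTEM with Continue on error set, the script checks the EXE is validly signed by Intel before registering it. The task sequence step itself (Install a single application, Continue on error) is not exposed by the MDT cmdlets and still has to be added in the Workbench as described.

```powershell
# Added example (not the page's own): register the silent Intel DCH installer as
# an MDT application named "Intel DCH Driver <date>", as the page's convention.
# Assumptions: MDT on K9Server, share D:\K9DeploymentShare, one EXE in SourceFolder.
param(
    [string]$SourceFolder = 'D:\Interm IT\Drivers\Intel DCH Driver',
    [string]$ShareRoot    = 'D:\K9DeploymentShare'
)

Import-Module "$env:ProgramFiles\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $ShareRoot | Out-Null
}

# Expect exactly one installer so the command line is unambiguous
$exe = @(Get-ChildItem -Path $SourceFolder -Filter *.exe)
if ($exe.Count -ne 1) { throw "Expected one EXE in $SourceFolder, found $($exe.Count)" }

# The task sequence will run this as SYSTEM: require a valid Intel Authenticode signature
$sig = Get-AuthenticodeSignature -FilePath $exe[0].FullName
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Intel') {
    throw "Installer signature check failed: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

$date = Get-Date -Format 'yyyy.MM.dd'
Import-MDTApplication -Path 'DS001:\Applications' `
    -Enable 'True' `
    -Name "Intel DCH Driver $date" `
    -ShortName 'Intel DCH Driver' `
    -CommandLine "$($exe[0].Name) -s -f" `
    -WorkingDirectory '.\Applications\Intel DCH Driver' `
    -ApplicationSourcePath $SourceFolder `
    -DestinationFolder 'Intel DCH Driver' | Out-Null

# Confirm what was registered
Get-ChildItem 'DS001:\Applications' | Where-Object Name -like 'Intel DCH Driver*' | Select-Object Name, CommandLine
```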
Instructions courtesy of Mark Foale.
For any of you with servers that use AAD Sync, there is now a compulsory upgrade required.
Firstly, if your K9Server is running on server 2016 you will need to ensure .NET Framework 4.7.2 is installed. Link to the offline installer is below:
https://go.microsoft.com/fwlink/?linkid=863265
The link to download and run the latest copy of EntraID Sync is below:
Please note that Microsoft still call the file AzureAD Sync. All you need to do is run the installer, and follow the instructions.
When you run the installer it may ask you to enable TLS 1.2. If it does, there is a PowerShell script below:
You can open the text file, copy and paste the text into the PowerShell ISE app and run it from there. You should see that it is enabled at the end of the script running.
Please note that both the .NET framework and the TLS 1.2 script will require a reboot of the server to complete installation.
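Both prerequisites above can be checked in one place before the installer is run. The script below is an added example, not the TLS 1.2 script the page refers to: it reads the .NET Framework Release value (4.7.2 reports 461808 or higher) and the TLS 1.2 registry settings that Microsoft documents for Azure AD Connect (.NET SystemDefaultTlsVersions / SchUseStrongCrypto and the SCHANNEL TLS 1.2 Client and Server keys), and enables TLS 1.2 if it is not already on. As the page notes, a reboot is needed after either change.

```powershell
# Added example (not the page's own script): check .NET 4.7.2 and TLS 1.2 on
# K9Server before running the Entra ID (Azure AD) Connect installer, and enable
# TLS 1.2 where it is missing. Run from an elevated PowerShell ISE / console.

function Test-DotNet472 {
    # .NET 4.7.2 or later reports Release >= 461808 in this key
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    return ($release -ge 461808)
}

$netKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Test-Tls12 {
    foreach ($side in 'Server', 'Client') {
        $p = Get-ItemProperty "$schannelBase\$side" -ErrorAction SilentlyContinue
        if (-not $p -or $p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { return $false }
    }
    foreach ($k in $netKeys) {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if (-not $p -or $p.SystemDefaultTlsVersions -ne 1 -or $p.SchUseStrongCrypto -ne 1) { return $false }
    }
    return $true
}

function Enable-Tls12 {
    # Make .NET (both bitnesses) use the OS default protocols and strong crypto
    foreach ($k in $netKeys) {
        New-Item -Path $k -Force | Out-Null
        New-ItemProperty -Path $k -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $k -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWORD -Force | Out-Null
    }
    # Explicitly enable TLS 1.2 for SCHANNEL client and server roles
    foreach ($side in 'Server', 'Client') {
        $k = "$schannelBase\$side"
        New-Item -Path $k -Force | Out-Null
        New-ItemProperty -Path $k -Name 'Enabled'           -Value 1 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $k -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
    }
}

if (-not (Test-DotNet472)) {
    Write-Warning '.NET Framework 4.7.2 or later is not installed; run the offline installer first, then reboot.'
}
if (Test-Tls12) {
    Write-Host 'TLS 1.2 is already enabled.'
} else {
    Enable-Tls12
    Write-Host 'TLS 1.2 enabled; reboot the server before running the installer.'
}
```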
Symptoms
If the user is not signed in to Google Chrome, the bookmarks are stored only in the local user profile on that machine. This script runs at logon and logoff to back up the bookmarks to N:\My Settings, making them transferable between computers.
At logon, the script checks for an existing bookmarks backup; if one exists and is newer than the current file, it copies the bookmarks from N:\My Settings to the local user profile; otherwise no changes are made.
At logoff, the script checks for an existing bookmarks backup; if one exists and is older than the current file, it copies the bookmarks from the local user profile to N:\My Settings; otherwise no changes are made.
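The logon/logoff logic just described, written out as an added example (this is not the script shipped in the GPO). It assumes Chrome's Default profile under %LOCALAPPDATA% and that N: is the user's mapped drive. It goes slightly beyond the description in two edge cases: a machine with no Bookmarks file yet is treated as older than any backup (so a fresh profile gets the backup at logon), and a missing backup is treated as older than any local file (so the first logoff creates it).

```powershell
# Added example (not the GPO's own script): sync Chrome bookmarks with N:\My Settings.
# Run with -Mode Logon from a logon script and -Mode Logoff from a logoff script.
param([Parameter(Mandatory)][ValidateSet('Logon', 'Logoff')][string]$Mode)

function Sync-ChromeBookmarks {
    param(
        [ValidateSet('Logon', 'Logoff')][string]$Mode,
        [string]$Local  = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Bookmarks'),
        [string]$Backup = 'N:\My Settings\Bookmarks'
    )
    $haveLocal  = Test-Path $Local
    $haveBackup = Test-Path $Backup

    if ($Mode -eq 'Logon') {
        # Restore only when a backup exists and is newer than this machine's copy
        # (no local file counts as older than any backup)
        if (-not $haveBackup) { return 'no-change' }
        if ($haveLocal -and (Get-Item $Local).LastWriteTimeUtc -ge (Get-Item $Backup).LastWriteTimeUtc) {
            return 'no-change'
        }
        New-Item -ItemType Directory -Path (Split-Path $Local) -Force | Out-Null
        Copy-Item -Path $Backup -Destination $Local -Force
        return 'restored'
    }

    # Logoff: back up only when this machine's copy is newer than the backup
    # (no backup yet counts as older than any local file)
    if (-not $haveLocal) { return 'no-change' }
    if ($haveBackup -and (Get-Item $Backup).LastWriteTimeUtc -ge (Get-Item $Local).LastWriteTimeUtc) {
        return 'no-change'
    }
    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
    Copy-Item -Path $Local -Destination $Backup -Force
    return 'backed-up'
}

# Copy-Item keeps the source's last-write time, so after a copy the two files compare
# equal and the next run in the other direction makes no change.
Sync-ChromeBookmarks -Mode $Mode
```

Chrome rewrites the Bookmarks file while it runs, so the logon copy only makes sense before the browser is opened, which is the case when the script runs from the logon GPO.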
Procedure:
From the iDrive, download a clean copy of GPO - HKCU - Google Chrome Bookmarks Backup.
Extract the zip file to a known location on K9Server (e.g. D:\Interm IT)
Open Group Policy Management > right-click on Group Policy Objects > New > set the name to IIT Google Chrome Bookmarks Backup > OK.
Right-click IIT Google Chrome Bookmarks Backup > Import Settings > Next > Next > Browse > select the IIT Google Chrome Bookmarks Backup folder > OK > Next > Next > Next > Finish > OK.
Expand the Managed OU > right-click the Users OU > Link an existing GPO > select IIT Google Chrome Bookmarks Backup > OK.
Symptoms
When logging on to a computer, GPOs containing scripts are failing to run. E.g. SetUserFTA runs a batch script to adapt to x86 and x64 versions of Adobe Reader following an update; K9 Dock fails to load without an error, but opens if the EXE is run manually.
Procedure:
From the iDrive, download a clean copy of GPO - Computers - Remove Login Script Delay.
Extract the zip file to a known location on K9Server (e.g. D:\Interm IT)
Open Group Policy Management > right-click on Group Policy Objects > New > set the name to IIT Remove Login Script Delay > OK.
Right-click IIT Remove Login Script Delay > Import Settings > Next > Next > Browse > select the IIT Remove Login Script Delay folder > OK > Next > Next > Next > Finish > OK.
Expand the Managed OU > right-click the Computers OU > Link an existing GPO > select IIT Remove Login Script Delay > OK.
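The import-and-link steps are the same for both the Chrome bookmarks GPO and the login script delay GPO, so here they are as one script. This is an added example, not an Interm IT script: it assumes the GroupPolicy and ActiveDirectory modules on K9Server, that each zip from the iDrive extracts to a GPO backup folder (one containing manifest.xml) under D:\Interm IT named as shown, that the backed-up GPO carries the same display name as the target GPO, and the Managed\Users and Managed\Computers OUs.

```powershell
# Added example (not the page's own): import a GPO backup into a named GPO and link
# it to an OU, skipping the link if it already exists so the script can be re-run.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName    # e.g. DC=school,DC=internal

function Import-IitGpo {
    param(
        [Parameter(Mandatory)][string]$Name,        # GPO name, e.g. 'IIT Remove Login Script Delay'
        [Parameter(Mandatory)][string]$BackupPath,  # folder extracted from the iDrive zip
        [Parameter(Mandatory)][string]$TargetOu     # DN of the OU to link to
    )
    # A GPO backup folder always contains manifest.xml; refuse anything else
    if (-not (Test-Path (Join-Path $BackupPath 'manifest.xml'))) {
        throw "$BackupPath is not a GPO backup folder"
    }

    # Import the backup into a GPO of that name, creating the GPO if needed
    # (assumes the backup's GPO display name matches $Name)
    $gpo = Import-GPO -BackupGpoName $Name -Path $BackupPath -TargetName $Name -CreateIfNeeded

    # Link only once
    $links = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $links) {
        New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

Import-IitGpo -Name 'IIT Google Chrome Bookmarks Backup' `
    -BackupPath 'D:\Interm IT\IIT Google Chrome Bookmarks Backup' `
    -TargetOu "OU=Users,OU=Managed,$domainDn"

Import-IitGpo -Name 'IIT Remove Login Script Delay' `
    -BackupPath 'D:\Interm IT\IIT Remove Login Script Delay' `
    -TargetOu "OU=Computers,OU=Managed,$domainDn"
```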
For each K9 Dock GPO, perform the following:
Open Group Policy Management > select Group Policy Objects > Right-click a K9 Dock GPO > Edit.
Expand User Configuration > Preferences > Windows Settings > Files > double-click the K9 Dock entry.
Change the Destination folder to: %appdata%\K9 Dock > OK.
Manual profile cleanup method:
Make a copy of the user's profile in C:\Users to C:\Temp (if you think that they may have local data stored).
From System > Advanced System Settings > User Profiles - Settings > select any profiles with the user's name and select Delete.
Check C:\Users to ensure that there are no folders with the user's name - if there are, delete them. If you cannot delete them, restart the computer and try again.
Check C:\Users to ensure that there are no folders named TEMP - if there are, delete them.
Open RegEdit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
For each S-1-5 entry, check the ProfileImagePath for a value with the user's name OR Temp in. If you find one, right-click the corresponding S-1-5 folder and delete it.
Log off of the computer and back in, the dock should now appear.
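The manual cleanup above can be scripted so that the profile service removes the profile and its ProfileList entry together, instead of deleting folders and registry keys by hand. The following is an added example (not an Interm IT tool); it assumes it is run elevated on the affected computer, skips profiles that are loaded or special (system) accounts, and copies the profile folder to C:\Temp first, as the manual steps do.

```powershell
# Added example (not the page's own): find and optionally remove leftover profiles
# (the user's name or TEMP*) via Win32_UserProfile, then report any ProfileList
# entries that still point at a matching folder. Run elevated.

function Find-StaleProfile {
    param([Parameter(Mandatory)][string]$UserName)
    Get-CimInstance Win32_UserProfile | Where-Object {
        $leaf = Split-Path $_.LocalPath -Leaf
        -not $_.Special -and -not $_.Loaded -and
        ($leaf -like "$UserName*" -or $leaf -like 'TEMP*')
    } | Select-Object LocalPath, SID, LastUseTime
}

function Remove-StaleProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$BackupRoot = 'C:\Temp'
    )
    foreach ($p in (Find-StaleProfile -UserName $UserName)) {
        if ($PSCmdlet.ShouldProcess($p.LocalPath, 'Remove profile')) {
            # Keep a copy in case the user had local data
            if (Test-Path $p.LocalPath) {
                $dest = Join-Path $BackupRoot (Split-Path $p.LocalPath -Leaf)
                Copy-Item -Path $p.LocalPath -Destination $dest -Recurse -Force -ErrorAction SilentlyContinue
            }
            # Deleting the CIM instance removes the folder and its ProfileList entry
            Get-CimInstance Win32_UserProfile -Filter "SID='$($p.SID)'" | Remove-CimInstance
        }
    }

    # Anything left here is what the manual registry step would have found
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
            if ($path -match [regex]::Escape($UserName) -or $path -match 'TEMP') {
                [pscustomobject]@{ Sid = $_.PSChildName; ProfileImagePath = $path }
            }
        }
}

# Usage: preview first, then remove
# Remove-StaleProfile -UserName 'jbloggs' -WhatIf
# Remove-StaleProfile -UserName 'jbloggs'
```

Any ProfileList entry still reported after removal is the one to delete in RegEdit as described above; the user then logs off and on again.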
If entering a new academic year, you may need to update the INI file within K9 User Manager to ensure pupils are created in the correct OUs.
Login to K9Server > open K9 User Manager > select the Add User(s) button.
Create new OU in AD
Note: If you are creating a user at an unfamiliar school, check some existing users to ensure that username and emails are created in the format matching other users.
Login to K9Server > open K9 User Manager > select the Add User(s) button.
Select the type of user to create:
Student
Teacher - For Teachers / Teaching Assistants / Learning Support Assistants / Teaching Staff / Supply Staff.
Admin - Office staff / School Business Manager / Finance users.
Enter the First Name and Last Name of the user
If creating a pupil user, in the OU=Intake field, use the up and down arrows to select the correct year group.
Adjust groups (member of)
Login to K9Server and open Active Directory Users and Computers.
Locate the user in Managed > Users > (whichever type the user has been created in).
Double-click on the user > Account tab > under User logon name, select the drop-down and select the school's domain name > select OK.
Note: If the school's domain name is not listed, they will not be AD-synced.
Expand the OU where the new user is located to see if there's a Sync folder. If there is, drag the user to this folder.
Note: After the user has been moved, the user will appear within the Microsoft 365 Admin console within 30 minutes. This can be forced by running the "Force AD Sync" PowerShell script on the server desktop.
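The two things that stop a new user syncing (a non-routable UPN suffix and not being in the Sync OU) can be checked before forcing a sync. The script below is an added example, not the Force AD Sync script on the desktop: it assumes the ActiveDirectory module on K9Server, the ADSync module on the server where Entra ID Connect is installed (here assumed to be the same server), and that synced users sit in an OU named Sync. The username is a constructed sample.

```powershell
# Added example (not the page's own script): check a user is ready to sync, then
# force a delta sync the way the Force AD Sync script does.
Import-Module ActiveDirectory

function Test-SyncReady {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties mail
    $problems = @()

    # The logon name suffix must be the school's routable domain; an .internal or
    # .local suffix is what the note above means by "will not be AD-synced"
    $suffix = ($u.UserPrincipalName -split '@')[-1]
    if (-not $suffix -or $suffix -match '\.(internal|local)$') {
        $problems += "UPN suffix '$suffix' is not a routable domain"
    }

    # The object must be under a Sync OU to be picked up by the connector
    if ($u.DistinguishedName -notmatch '(?i)OU=Sync,') {
        $problems += 'user is not in a Sync OU'
    }

    # mail should match the UPN so the mailbox address is the one handed out
    if ($u.mail -and $u.mail -ne $u.UserPrincipalName) {
        $problems += "mail ($($u.mail)) differs from UPN ($($u.UserPrincipalName))"
    }

    [pscustomobject]@{
        User     = $u.SamAccountName
        UPN      = $u.UserPrincipalName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-SyncReady -SamAccountName 'jbloggs'   # constructed sample username
$result | Format-List

if ($result.Ready) {
    # Delta sync on the Entra ID Connect server; fails if a cycle is already running
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```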
To assign a Microsoft 365 licence to the user, navigate to the Microsoft 365 Admin Center > Users > Active Users, or
Send the following email to the relevant person (usually the person that requested for the user to be made):
Subject: New User Account Creation
Dear <Recipient>,
Here are the login details for the new user / users.
They will need to login within school on a school device using the credentials below. If they would like to access the system or emails offsite before visiting site, please let me know and a strong temporary password can be set for them to use.
When setting a password, the following is required:
12+ characters in length
Includes the following characters - uppercase, lowercase, number, and symbol
Cannot include their name or the school name.
K9 Username: <Username>
Email Username: <Username>@school.sch.uk
Password:
Thank you!
Mark / Terry instructions:
1. Check user email field in AD matches M365 email account.
2. Move user to Sync folder and force sync.
3. Check that correct licence is assigned in M365.
4. Login to Bromcom > Modules > Setup > System Users > locate user > Remove SSO > check email address > Enable SSO.
Important: The effects of performing the steps below have not been tested with Azure AD Sync.
Before renaming the user, please ensure that they are logged out of all machines while these changes are made.
Login to K9Server and open Active Directory Users and Computers.
Locate the user in Managed > Users.
Right-click the user and select Rename > update the name in all fields > OK.
Optional: change the profile and document paths (otherwise the user profiles / documents will still use the old name)
Right-click the user > Properties > select the Profile tab > change the User Profile and Home Folder paths to match the new username > OK.
Open K9 User Manager > select the user and select Reset Profile.
Open the old user documents in the H drive > cut and paste the documents to the new user documents.
If the user had desktop documents > open the old user profile in the H drive > cut and paste the documents to the new user profile.
The user can now login.
For tidiness, delete the old user documents and profiles (which should have been transferred and be empty).
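The rename and the optional path change above, done with the ActiveDirectory module. This is an added example (not an Interm IT script): it assumes it runs on K9Server, that the profile and home folder paths embed the old username, and that the RDS server to check for a live session is K9Server-RDS (placeholder). It refuses to rename while the user still has a session, which is the page's precondition. The page's caveat that these steps have not been tested with Azure AD Sync applies to this script too.

```powershell
# Added example (not the page's own): rename an AD user and rewrite the profile
# and home folder paths. Supports -WhatIf.
Import-Module ActiveDirectory

function Rename-K9User {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldName,      # current sAMAccountName
        [Parameter(Mandatory)][string]$NewName,      # new sAMAccountName
        [string]$GivenName,
        [string]$Surname,
        [string[]]$SessionHosts = @('K9Server-RDS')  # placeholder: hosts to check for sessions
    )
    $u = Get-ADUser -Identity $OldName -Properties ProfilePath, HomeDirectory, DisplayName

    # The user must be logged out everywhere before the rename
    foreach ($h in $SessionHosts) {
        $sessions = & quser.exe "/server:$h" 2>$null
        if ($sessions -match "^\s*>?$([regex]::Escape($OldName))\s") {
            throw "$OldName still has a session on $h; log them off first"
        }
    }

    $suffix  = ($u.UserPrincipalName -split '@')[-1]
    $pattern = [regex]::Escape($OldName)
    $set = @{
        SamAccountName    = $NewName
        UserPrincipalName = "$NewName@$suffix"
    }
    if ($GivenName) { $set.GivenName = $GivenName }
    if ($Surname)   { $set.Surname   = $Surname }
    if ($GivenName -and $Surname) { $set.DisplayName = "$GivenName $Surname" }
    # The page's optional step: swap the old name for the new one in both paths
    if ($u.ProfilePath)   { $set.ProfilePath   = $u.ProfilePath   -replace $pattern, $NewName }
    if ($u.HomeDirectory) { $set.HomeDirectory = $u.HomeDirectory -replace $pattern, $NewName }

    if ($PSCmdlet.ShouldProcess($OldName, "rename to $NewName")) {
        Set-ADUser -Identity $u @set
        # Rename the object itself (the name shown in ADUC)
        if ($GivenName -and $Surname) {
            Rename-ADObject -Identity $u.DistinguishedName -NewName "$GivenName $Surname"
        }
        Get-ADUser -Identity $NewName -Properties ProfilePath, HomeDirectory |
            Select-Object SamAccountName, UserPrincipalName, ProfilePath, HomeDirectory
    }
}

# Usage: preview, then run for real
# Rename-K9User -OldName 'jbloggs' -NewName 'jsmith' -GivenName 'Jane' -Surname 'Smith' -WhatIf
```

The script changes only the AD attributes; the Reset Profile step in K9 User Manager and moving the documents on the H drive are still done as described above.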
IMPORTANT: Check the following before proceeding with a rebuild
Google Chrome / Microsoft Edge Bookmarks are backed up
Login to the WSUS server (normally K9Server-RDS) as Domain Administrator.
Open the Start Menu > Administrative Tools > Windows Server Update Services.
Selecting products to update
Expand the tree on the left to <ServerName> > Options > from the middle pane, select Products and Classifications.
Select the following products depending on what software/OS versions you have on your network:
All Products > Microsoft > Office
Office 2016
Microsoft 365 Apps/Office 2019/Office LTSC
Note: for the Windows Server selection, select products if they exist on your network (e.g. a 2012 R2 admin server, a 2016 print server).
All Products > Microsoft > SQL Server
Microsoft SQL Server 2016
Microsoft SQL Server 2012 (end of life in Summer 2022)
All Products > Microsoft > Windows
Windows 10, version 1903 and later (for all builds of Windows 1903 and newer)
Windows 10 (superseded - if you have builds of Windows 10 1809 or older)
Microsoft Server operating system-21H2 (Server 2022)
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
If you have changed any selections, in the left pane select Synchronizations > in the right pane select Synchronize Now.
Synchronisation configuration
The steps below will ensure that updates are downloaded from Microsoft's servers ready for deployment on-site locally.
Check the source and proxy settings if applicable in (left pane) Options > (middle pane) Update Source and Proxy Server.
Select the Update Source tab > check Synchronize from Microsoft Update is selected.
Select the Proxy Server tab > if applicable, check that the correct Server name and Port number has been entered > OK.
Automatic approval rule
The step below will ensure that updates will be automatically approved for installation.
Check (left pane) Options > Automatic Approvals > check Default Automatic Approval Rule is ticked > select Run Rule.
Installing the WSUS Cleanup script
WSUS shouldn't require more than 200GB on a server for storing updates. This script will remove any updates that have been superseded or are not in the product selection.
Download WSUS Cleanup.zip to your WSUS server (normally K9Server-RDS).
Extract the zip file to C:\Interm IT on your WSUS server.
If your server is not named K9Server-RDS, open/edit the WSUS Cleanup.ps1 > modify the line $UpdateServer = "K9Server-RDS" to the name of the server > Save and Close.
On the WSUS server, run _Create Task.bat - this will create and run the cleanup task immediately. This task can be run manually from Task Scheduler at any time. Please note that any running synchronisations will need to be restarted.
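The cleanup the task performs can also be run directly with the UpdateServices module, which is useful for checking how much the content folder uses against the 200GB figure above. The script below is an added example, not the WSUS Cleanup.ps1 from the zip: it assumes WSUS on K9Server-RDS listening on port 8530, and, because the page notes that a running synchronisation will need restarting, it refuses to start while one is in progress.

```powershell
# Added example (not the page's WSUS Cleanup.ps1): report content size, then run
# the built-in clean-up stages on the WSUS server.
param(
    [string]$UpdateServer = 'K9Server-RDS',
    [int]$Port = 8530,
    [int]$LimitGB = 200
)
Import-Module UpdateServices

$wsus = Get-WsusServer -Name $UpdateServer -PortNumber $Port

# Do not clean up under a running synchronisation; it would have to be restarted
$syncState = $wsus.GetSubscription().GetSynchronizationStatus()
if ($syncState -ne 'NotProcessing') {
    throw "Synchronisation is '$syncState'; wait for it to finish before cleaning up"
}

# Where the update content lives and how much it currently uses
$contentDir = $wsus.GetConfiguration().LocalContentCachePath
$usedGB = [math]::Round((Get-ChildItem $contentDir -Recurse -File | Measure-Object Length -Sum).Sum / 1GB, 1)
Write-Host "WSUS content at $contentDir uses $usedGB GB (guideline: $LimitGB GB)"

# Decline superseded/expired updates first so the content stage can drop their files
$result = $wsus | Invoke-WsusServerCleanup `
    -DeclineSupersededUpdates `
    -DeclineExpiredUpdates `
    -CleanupObsoleteUpdates `
    -CleanupUnneededContentFiles `
    -CompressUpdates `
    -CleanupObsoleteComputers
$result

$afterGB = [math]::Round((Get-ChildItem $contentDir -Recurse -File | Measure-Object Length -Sum).Sum / 1GB, 1)
Write-Host "Content now uses $afterGB GB"
if ($afterGB -gt $LimitGB) {
    Write-Warning "Still over $LimitGB GB: review Products and Classifications for products no longer on the network"
}
```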
Configuring K9 WSUS GPO
Login to K9Server as Domain Administrator.
Open Start Menu > Group Policy Management.
(Left pane) expand <Domain>.internal \ Managed \ Computers > right-click K9 WSUS > Edit
(Left pane) expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
The steps below change the deployment of updates from the default of 12:00 every day to deploying immediately in the background. The installation will not prompt the user or restart the machine after installation.
Change Configure Automatic Updates > set to Not Configured.
Change Allow Automatic Updates immediate installation > set to Enabled.
Note: to revert the changes, set the following:
Change Configure Automatic Updates > set to Enabled.
Select 4 - Auto download and schedule the install.
Set Scheduled install day to 0 - Every day.
Set Scheduled install time to 12:00.
Change Allow Automatic Updates immediate installation > set to Disabled.
The step below checks the IP address pointer to the WSUS server.
Open Specify intranet Microsoft update service location > in the first 2 text fields, check the IP address is set to the WSUS server e.g. http://172.XXX.XXX.243:8530 > OK.
Checking proxy/system proxy on WSUS server and workstations
Incorrect proxy settings on the server or workstations can cause computers to not report into WSUS. Please follow the steps to check and correct the issue.
Login to a K9 domain-joined workstation as SystemAdmin.
Right-click Start Menu > Run > type cmd > OK.
Type the following command:
netsh winhttp show proxy
The response should return Direct access (no proxy server).
If the command above does not return with Direct access, type the following command:
netsh winhttp reset proxy
Right-click Start Menu > Run > type inetcpl.cpl > OK > Connections tab > LAN Settings button > Advanced button > the Exclusions section should exclude the school's IP range > OK > OK.
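The K9 WSUS GPO values above and the WinHTTP proxy check can be read together on a workstation that is not reporting in. The script below is an added example (not an Interm IT script): it assumes the GPO writes the standard Windows Update policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and the expected WSUS URL is a placeholder you replace with the school's server address. With -Fix it runs the same netsh reset as the steps above and restarts the Windows Update service so the client reports again.

```powershell
# Added example (not the page's own): show the effective WSUS policy and WinHTTP
# proxy on a workstation, optionally resetting the proxy. Run elevated.
param(
    [string]$ExpectedWsus = 'http://<wsus-ip>:8530',   # placeholder: the school's WSUS URL
    [switch]$Fix
)

$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue

$report = [ordered]@{
    WUServer                = $wu.WUServer
    WUStatusServer          = $wu.WUStatusServer
    PointsAtExpectedWsus    = ($wu.WUServer -eq $ExpectedWsus -and $wu.WUStatusServer -eq $ExpectedWsus)
    UseWUServer             = $au.UseWUServer               # 1 = use the intranet server
    AUOptions               = $au.AUOptions                 # 4 = auto download and schedule; absent when Not Configured
    ScheduledInstallDay     = $au.ScheduledInstallDay       # 0 = every day
    ScheduledInstallTime    = $au.ScheduledInstallTime      # hour, e.g. 12
    AutoInstallMinorUpdates = $au.AutoInstallMinorUpdates   # 1 = "Allow Automatic Updates immediate installation" Enabled
}

# The client needs Direct access to reach WSUS on the LAN
$proxy = (& netsh.exe winhttp show proxy) -join ' '
$report.WinHttpDirect = ($proxy -match 'Direct access')

if (-not $report.WinHttpDirect) {
    Write-Warning "WinHTTP proxy is set: $proxy"
    if ($Fix) {
        & netsh.exe winhttp reset proxy | Out-Null
        Restart-Service wuauserv
        $report.WinHttpDirect = (((& netsh.exe winhttp show proxy) -join ' ') -match 'Direct access')
    }
}

[pscustomobject]$report
```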
Adding servers to WSUS
Note: DO NOT move K9Server from the Domain Controllers OU!
Login to K9Server as Domain Administrator.
Open Start Menu > Administrative Tools > Active Directory Users and Computers (ADUC)
Expand (left pane) <Domain>.internal > Managed - check if a Servers OU exists.
If the Servers OU is not present > right-click Managed OU > New > Organizational Unit > tick Protect container from accidental deletion > OK.
Locate the OU containing the servers (should be <Domain>.internal \ Computers) > select the server(s) and right-click > Move > select the <Domain>.Internal \ Managed \ Servers OU > OK.
Open Start Menu > Group Policy Management > (Left pane) expand Managed \ Servers > right-click Servers OU > Link an Existing GPO > select K9 WSUS > OK.
While still in Group Policy Management > right-click Domain Controllers OU > Link an Existing GPO > select K9 WSUS > OK.
While still in Group Policy Management > right-click Managed \ RDS OU > Link an Existing GPO > select K9 WSUS > OK.
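The OU creation, server move and the three GPO links above can be done in one script. This is an added example (not an Interm IT script): it assumes the ActiveDirectory and GroupPolicy modules on K9Server and the Managed\RDS OU named as in the steps. It identifies domain controllers by their object DN rather than by name, so K9Server (or any other DC) is never moved out of the Domain Controllers OU, which is the warning at the top of the section.

```powershell
# Added example (not the page's own): create Managed\Servers if missing, move
# member servers from the Computers container into it, and link K9 WSUS to the
# Servers, Domain Controllers and RDS OUs. Domain controllers are skipped.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$dn        = $domain.DistinguishedName
$managedOu = "OU=Managed,$dn"
$serversOu = "OU=Servers,$managedOu"

if (-not [adsi]::Exists("LDAP://$serversOu")) {
    New-ADOrganizationalUnit -Name 'Servers' -Path $managedOu -ProtectedFromAccidentalDeletion $true
}

# DCs by DN, not by name, so a renamed or additional DC is still excluded
$dcDns = @((Get-ADDomainController -Filter *).ComputerObjectDN)

# Member servers still sitting in the default Computers container
Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
    -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Where-Object { $dcDns -notcontains $_.DistinguishedName } |
    ForEach-Object {
        Write-Host "Moving $($_.Name) to $serversOu"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $serversOu
    }

# Link K9 WSUS once per OU; skip OUs that do not exist or are already linked
foreach ($target in $serversOu, $domain.DomainControllersContainer, "OU=RDS,$managedOu") {
    if (-not [adsi]::Exists("LDAP://$target")) { Write-Warning "$target not found"; continue }
    $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq 'K9 WSUS'
    if (-not $linked) {
        New-GPLink -Name 'K9 WSUS' -Target $target -LinkEnabled Yes | Out-Null
        Write-Host "Linked K9 WSUS to $target"
    }
}
```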
This method should only be used if there
Prerequisites:
Ensure there is enough free space to
Installation process:
Copy the latest Windows 10 ISO file to a shared location on the network or locally into C:\Temp.
Right click on the ISO file > Mount.
In File Explorer, open the mounted disk > run Setup.exe.
Select Change how Windows Setup downloads updates > select Not right now.
Untick I want to help make the installation of Windows better > Next.
Select Accept > Install.
This process can take around 30 - 60 minutes to complete, during which time the computer will be unusable.
When the upgrade completes and displays the login screen, sign in as SystemAdmin.
Right-click Start > Run > type cleanmgr > OK.
Select the following options (and any others that are taking up large amounts of space):
Windows upgrade log files.
Previous Windows installation(s).
Select OK > Delete files > Yes (regarding deleting files for old version of Windows).
Run a manual Windows Update to bring the computer to being fully up-to-date.
These commands should be run on K9Server via a Command Prompt with administrative privileges.
Set NTP server:
w32tm /config /syncfromflags:manual /manualpeerlist:"ntp.thegrid.org.uk"
Use the following depending on your ISP:
HfL Broadband ntp.thegrid.org.uk
RM Broadband 0.uk.pool.ntp.org
Set server as reliable time source for domain devices:
w32tm /config /reliable:yes
To check the current time source:
w32tm /query /source
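The commands above can be wrapped in a short script that picks the peer by ISP and then verifies the result. This is an added example (not an Interm IT script) and it differs from the bare commands in one respect: it adds /update (without it w32tm keeps the old settings until the service restarts) and restarts the Windows Time service before resyncing. The check afterwards flags the common failure mode where /query /source still reports Local CMOS Clock instead of the peer.

```powershell
# Added example (not the page's own): configure K9Server's NTP peer by ISP and
# verify it is actually in use. Run from an elevated PowerShell prompt.
param([ValidateSet('HfL', 'RM')][string]$Isp = 'HfL')

# Peers from the ISP table above
$peers = @{ HfL = 'ntp.thegrid.org.uk'; RM = '0.uk.pool.ntp.org' }
$peer  = $peers[$Isp]

function Set-K9TimeSource {
    param([Parameter(Mandatory)][string]$Peer)
    # /update applies the new configuration to the running service
    & w32tm.exe /config /syncfromflags:manual "/manualpeerlist:$Peer" /reliable:yes /update | Out-Null
    Restart-Service w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Test-K9TimeSource {
    param([Parameter(Mandatory)][string]$Peer)
    $source  = ((& w32tm.exe /query /source) -join '').Trim()
    $status  = & w32tm.exe /query /status
    $match   = $status | Select-String 'Stratum:\s*(\d+)' | Select-Object -First 1
    $stratum = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { $null }
    [pscustomobject]@{
        Source    = $source
        Stratum   = $stratum
        # "Local CMOS Clock" or "Free-running System Clock" means the peer is not in use
        UsingPeer = ($source -like "$Peer*")
    }
}

Set-K9TimeSource -Peer $peer
Start-Sleep -Seconds 10      # give the service a moment to reach the peer
$check = Test-K9TimeSource -Peer $peer
$check
if (-not $check.UsingPeer) {
    Write-Warning "Time source is '$($check.Source)', not $peer; check outbound UDP 123 to the peer"
}
```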
Symptoms
Sysprep runs for longer than 15 minutes at the generalise phase and does not restart to capture. The error in c:\windows\system32\sysprep\panther\setuperr.log shows:
Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error [0x0f00ae] SYSPRP WinMain:Hit failure while processing sysprep cleanup external providers; hr = 0x8007001f
Solution
Restart the computer while holding the Shift key > select option to reboot in Safe Mode.
When on the desktop, press Ctrl + Shift + Esc to open Task Manager.
Select File > Run new task > type cmd > OK.
Type net user administrator /active:yes
Restart the computer.
At the desktop > open Regedit > navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus:
Check CleanupState is set to 2.
Check GeneralizationState is set to 7.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform:
Check SkipRearm is set to 1.
Back at cmd type:
msdtc -uninstall
msdtc -install
Run the capture sequence again from C:\Temp.
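The three registry checks and the MSDTC reinstall above can be verified and applied from one elevated PowerShell prompt before the capture is re-run. This is an added example, not part of the source article it cites: it uses the key names and values the solution lists, shows the tail of setuperr.log so the two error lines can be confirmed first, and enables the built-in Administrator as the Safe Mode step does.

```powershell
# Added example (not the page's own): check/fix the sysprep state values from the
# solution above, enable the built-in Administrator and re-register MSDTC.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'; Name = 'CleanupState';        Value = 2 },
    @{ Path = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'; Name = 'GeneralizationState'; Value = 7 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; Name = 'SkipRearm'; Value = 1 }
)

function Test-SysprepState {
    param([switch]$Fix)
    foreach ($c in $checks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = ($current -eq $c.Value)
        if (-not $ok -and $Fix) {
            New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -PropertyType DWORD -Force | Out-Null
            $ok = $true
        }
        [pscustomobject]@{ Key = $c.Path; Name = $c.Name; Expected = $c.Value; Found = $current; Ok = $ok }
    }
}

# Confirm it is the 0x0f0073 / 0x8007001f case before changing anything
Get-Content "$env:windir\System32\Sysprep\Panther\setuperr.log" -Tail 5 -ErrorAction SilentlyContinue

# Same as "net user administrator /active:yes"
Enable-LocalUser -Name 'Administrator'

Test-SysprepState -Fix | Format-Table -AutoSize

# Re-register the Distributed Transaction Coordinator
& msdtc.exe -uninstall
& msdtc.exe -install
```

Run Test-SysprepState without -Fix first to see what is set; with -Fix it writes the three values and the capture sequence can then be started again from C:\Temp.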
Source: http://terenceluk.blogspot.com/2019/03/windows-10-fails-to-sysprep-with-error.html
Speak with your schools about changing domain. They'll need to know:
To access the RDS website, they'll need to use the new URL.
The old RDS website will load, but show a certificate warning.
Email Mark Whitman with the following information:
To: mark.whitman@intermit.co.uk
Subject: RDS domain change to intermit.cloud
Dear Mark,
Please can you change the following school's domain name:
School name: <schoolName>
Current RDS URL: https://remote.<school>.sch.uk
Proposed RDS URL: https://<school>.intermit.cloud
Many thanks.
Wait for a response email to confirm that the DNS record has been set up.
Logon to the RDS Server > right-click Start > select Run > type inetmgr > OK.
From the tree, expand K9Server-RDS > Sites > select Default Website > in the right pane, select HTTP Redirect > change to the new intermit.cloud address - for example:
From: https://remote.<school>.sch.uk
To: https://<school>.intermit.cloud (at the end add /rdweb for legacy RDS, OR for HTML5 RDS add /RDWeb/webclient)
e.g. https://stmarys.intermit.cloud/rdweb/webclient
Select Apply.
Open Server Manager > select Remote Desktop Services > from the dropdown, select Tasks > select Edit deployment properties > change RD Gateway to new intermit.cloud address > OK.
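The IIS redirect and the RD Gateway change above can be applied together once the DNS record exists. The script below is an added example (not an Interm IT script): it assumes the RDS server is also the connection broker (the broker FQDN is a placeholder), that the WebAdministration and RemoteDesktop modules are present, and it refuses to run until the new name resolves, matching the "wait for the DNS record" step.

```powershell
# Added example (not the page's own): set the Default Web Site HTTP redirect and the
# RD Gateway external name to the new intermit.cloud address.
param(
    [Parameter(Mandatory)][string]$School,                 # e.g. stmarys
    [ValidateSet('Legacy', 'Html5')][string]$Client = 'Html5',
    [string]$Broker = 'K9Server-RDS.<domain>.internal'     # placeholder broker FQDN
)
$newHost = "$School.intermit.cloud"

# Do not change anything until the new record resolves
if (-not (Resolve-DnsName -Name $newHost -ErrorAction SilentlyContinue)) {
    throw "$newHost does not resolve yet; wait for the DNS confirmation"
}

# /rdweb for legacy RDS, /RDWeb/webclient for the HTML5 client, as above
$path        = if ($Client -eq 'Html5') { '/RDWeb/webclient' } else { '/rdweb' }
$destination = "https://$newHost$path"

Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name 'enabled'     -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name 'destination' -Value $destination

Import-Module RemoteDesktop
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $newHost `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker $Broker -Force

# Show what is now configured
(Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name 'destination').Value
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker | Select-Object GatewayMode, GatewayExternalFqdn
```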
Login to RDS server as the domain administrator.
Download the Interm IT (UK) SSL 2023.pfx file to C:\SSL Certificates.
Download the script Import-RDS-Certificate-v2.11.ps1 file to C:\SSL Certificates.
Run the script in PowerShell.
Enter the b******** password and press enter.
Check that the certificate's expiry date is showing as next year (instructions above).
Test logging in remotely, or by tethering through mobile data.
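The expiry check above can be scripted so every RDS role is listed with its certificate and days remaining. This is an added example, not the Import-RDS-Certificate script: it assumes the RemoteDesktop module and a placeholder broker FQDN, and flags any role whose certificate is missing or expires within 30 days.

```powershell
# Added example (not the page's own): list the certificate bound to each RDS role
# and flag those expiring soon or not configured.
param(
    [string]$Broker = 'K9Server-RDS.<domain>.internal',   # placeholder broker FQDN
    [int]$WarnDays = 30
)
Import-Module RemoteDesktop

function Get-RdsCertificateExpiry {
    param([Parameter(Mandatory)][string]$ConnectionBroker, [int]$WarnDays = 30)
    Get-RDCertificate -ConnectionBroker $ConnectionBroker | ForEach-Object {
        $days = if ($_.ExpiresOn) { [int]($_.ExpiresOn - (Get-Date)).TotalDays } else { $null }
        [pscustomobject]@{
            Role       = $_.Role
            Level      = $_.Level          # Trusted / Untrusted / NotConfigured
            Subject    = $_.Subject
            ExpiresOn  = $_.ExpiresOn
            DaysLeft   = $days
            NeedsRenew = ($null -eq $days -or $days -lt $WarnDays)
        }
    }
}

$certs = Get-RdsCertificateExpiry -ConnectionBroker $Broker -WarnDays $WarnDays
$certs | Format-Table -AutoSize
$certs | Where-Object NeedsRenew | ForEach-Object {
    Write-Warning "$($_.Role): certificate needs attention (expires $($_.ExpiresOn))"
}
```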
Login to Microsoft 365 Admin Console
In left menu, select Billing > Your Products > Volume Licensing tab > under Product and Services, select View downloads and keys.
This process will link a standard user account (e.g. mwhitman@school.sch.uk) with a generic user account (e.g. head@school.sch.uk).
In an OU that is not AD synced, create the initial username in AD as a standard user.
In AD, open the user properties > Attribute Editor > Proxy Addresses > modify to:
SMTP:<genericAccount> e.g. SMTP:head@school.sch.uk
smtp:<userAccount> e.g. smtp:mwhitman@school.sch.uk
Move the user to an AD Synced OU and perform a sync.
The following attributes will be applied:
The user will login to their computer and email with their user account (e.g. mwhitman@school.sch.uk)
The primary email address that will be emailed will be the generic account (e.g. head@school.sch.uk)
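The Attribute Editor change above is a single attribute write, and the detail that matters is the case of the prefix: the uppercase SMTP: entry becomes the primary (sending) address, and there must be exactly one of them. The script below is an added example (not an Interm IT script): it assumes the ActiveDirectory module on K9Server, replaces the attribute rather than appending so a stale primary cannot survive, and then verifies the result with a case-sensitive match. The addresses are the page's sample values.

```powershell
# Added example (not the page's own): set proxyAddresses for a user linked to a
# generic account, then verify there is exactly one primary (uppercase SMTP:).
Import-Module ActiveDirectory

function Test-K9ProxyAddresses {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u   = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $all = @($u.proxyAddresses)
    # -clike is case-sensitive: only uppercase SMTP: counts as the primary address
    $primary   = @($all | Where-Object { $_ -clike 'SMTP:*' })
    $secondary = @($all | Where-Object { $_ -clike 'smtp:*' })
    [pscustomobject]@{
        User      = $u.SamAccountName
        Primary   = ($primary   | ForEach-Object { $_ -replace '^SMTP:', '' })
        Secondary = ($secondary | ForEach-Object { $_ -replace '^smtp:', '' })
        Valid     = ($primary.Count -eq 1)
    }
}

function Set-K9ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimaryAddress,   # generic account, e.g. head@school.sch.uk
        [Parameter(Mandatory)][string]$UserAddress       # the user's own, e.g. mwhitman@school.sch.uk
    )
    $addresses = @("SMTP:$PrimaryAddress", "smtp:$UserAddress")
    # -Replace rather than -Add, so an earlier primary cannot remain alongside the new one
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = $addresses }
    Test-K9ProxyAddresses -SamAccountName $SamAccountName
}

# Usage (run while the user is still in the non-synced OU, then move and sync):
# Set-K9ProxyAddresses -SamAccountName 'mwhitman' -PrimaryAddress 'head@school.sch.uk' -UserAddress 'mwhitman@school.sch.uk'
```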