▲ 9 r/SCCM
[SCCM] Best practice for TS ordering when machine certificate is required before CCM client install?
Hi everyone,
I’m building an OSD Task Sequence in SCCM (no MDT) for Windows 11 24H2 and I need advice on the best way to handle a specific requirement before installing the CCM client.
Environment:
• Pure SCCM OSD, no MDT
• Hybrid Azure AD Join
• HTTPS-only site with PKI
Requirements:
Before the CCM client can be installed, the following steps must be completed in the right order:
1. Computer naming — machines must follow our naming convention
2. Domain join
3. AD group membership — the machine must be added to a specific static AD security group
4. Machine certificate — we use a certificate template scoped to that AD group. Auto-enrollment only triggers once the machine is a member of the group. This certificate is unique per machine and required by the CCM client to authenticate against the Management Point over HTTPS
Questions:
1. What is the recommended TS step ordering for this kind of scenario?
2. How do you handle the AD group membership during OSD (no RSAT available in WinPE)?
3. How do you deal with auto-enrollment timing — how do you make sure the certificate is actually delivered before the CCM client install starts?
4. Should there be a reboot between domain join and certificate enrollment?
Thanks in advance!
u/Character_Village801 — 3 days ago
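An added worked example, not code from the original post or from its author: a PowerShell script meant for a "Run PowerShell Script" task sequence step that covers questions 2 to 4 above in one place. It assumes it runs in the full OS after the machine is domain joined and before whatever step installs the ConfigMgr client; the group DN, template name and task sequence variable name are placeholders, and the account the step runs as is assumed to have "Write Members" on the group (the step's default identity, SYSTEM, i.e. the computer account, normally does not, so the step's "Run this step as the following account" option with a delegated account is assumed). It needs no RSAT: it uses System.DirectoryServices, klist, certutil and the Cert: drive, all present in a stock Windows 11 image.

```powershell
<#
  Added example, not code from the original post. Runs (assumption) in the full OS after domain join
  and before the ConfigMgr client install step. Placeholders: group DN, template name, TS variable name.
  Permissions (assumption): the step's identity holds "Write Members" on the group.
#>
param(
    [string]$GroupDN        = 'CN=Workstation-Cert-Enroll,OU=Groups,DC=corp,DC=example',  # placeholder
    [string]$TemplateName   = 'CorpWorkstationAuth',                                        # placeholder (name or OID)
    [int]   $TimeoutSeconds = 600
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

# Bind to the DC this machine locates, so the group write and the Kerberos TGT requested next are
# served by the same DC and the new group SID does not have to wait for AD replication first.
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name

# 1. Find this computer object and add it to the static AD group (plain .NET DirectoryEntry, no RSAT).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc")
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found on $dc" }
$computerDN = [string]$result.Properties['distinguishedname'][0]

$group = [ADSI]"LDAP://$dc/$GroupDN"
if (@($group.Properties['member']) -contains $computerDN) {
    Write-Output "Already a member of $GroupDN"
} else {
    $group.Properties['member'].Add($computerDN) | Out-Null
    $group.CommitChanges()
    Write-Output "Added $computerDN to $GroupDN"
}

# 2. The machine's Kerberos TGT was issued before the group change and does not carry the new SID,
#    so the CA's template permission check would still deny enrollment. Purging SYSTEM's tickets
#    (logon ID 0x3e7) forces a fresh TGT on the next request; a "Restart Computer" step between
#    domain join and enrollment achieves the same thing.
& klist.exe -li 0x3e7 purge | Out-Null

# Returns the newest valid, private-key-backed LocalMachine\My certificate issued from the template
# and carrying the Client Authentication EKU (what the ConfigMgr client needs to talk HTTPS to the MP).
# The template extension renders as "Template=<name>(<oid>)" when the OID resolves, otherwise as the
# OID alone, so $TemplateName may be either the template name or its OID.
function Get-EnrolledMachineCert {
    param([Parameter(Mandatory)][string]$TemplateName)
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'
    $templateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')   # v1 template name / v2 template info
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c = $_
        $tmpl = $c.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) }
        $ekus = $c.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $c.HasPrivateKey -and $c.NotAfter -gt (Get-Date) -and
            (($tmpl -join ';') -like "*$TemplateName*") -and ($ekus -contains $clientAuthEku)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

# 3. Trigger autoenrollment now instead of waiting for the scheduled task, then poll until the
#    certificate lands or the timeout expires. Exiting non-zero fails the step, which stops the task
#    sequence before the client install rather than letting it run without a usable certificate.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$cert = $null
do {
    & certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds 20
    $cert = Get-EnrolledMachineCert -TemplateName $TemplateName
} while (-not $cert -and (Get-Date) -lt $deadline)

if (-not $cert) {
    Write-Error "No certificate from template '$TemplateName' in LocalMachine\My after $TimeoutSeconds s"
    exit 1
}

# 4. Expose the result to later steps through a task sequence variable (variable name is a placeholder).
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('OSDMachineCertThumbprint') = $cert.Thumbprint
} catch {
    Write-Warning 'Microsoft.SMS.TSEnvironment not available (not running inside a task sequence).'
}
Write-Output "Enrolled: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"
exit 0
```

Two caveats a practitioner would want. Binding the group write to the locator-chosen DC only makes replication lag less likely; the KDC that issues the fresh TGT can still be a different DC, so the polling loop, not the purge, is what makes the step reliable. If waiting on autoenrollment is undesirable, `certreq -enroll -machine -q <TemplateName>` requests the certificate synchronously from the same template and can replace the `certutil -pulse` call, with the store check kept as the gate before the client install.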