New Workstation Deployment without Imaging Process

Document Type: Standard Operating Procedure Audience: All Technicians (T1 / T2 / T3) Last Updated: February 2026 Version: 1.0

---

1. Purpose

This SOP covers deploying a brand-new workstation into an existing client environment — from out-of-box to production-ready. This is for fresh hardware only, not replacement of an existing machine (which involves data/profile migration and imaging hardware reassignment).

Deployment Scenarios: This procedure applies regardless of where the work happens:

Scenario	Workflow
In-house prep	Tech configures at DTC office, ships or delivers to client site, final steps on-site or remote
On-site	Tech configures at the client office start to finish
Remote	PC shipped to client, someone at the office powers it on and connects to network, tech completes setup via Splashtop or NinjaRMM remote

Note: For remote deployments, someone at the client site must complete the initial Windows OOBE (out-of-box experience), connect the workstation to the network, and install the NinjaRMM agent. Once Ninja is installed and checking in, the tech can complete the remaining setup remotely via Ninja remote access or Splashtop. Coordinate this with the office contact ahead of time.

---

2. Pre-Deployment Information

Gather this from the HALO ticket or Account Manager before you start. Don't unbox the PC until you have it.

Item	Details	Got It?
Client name and site	_________________	☐
What role is this workstation?	Front desk / Operatory / Back office / Provider	☐
Computer name to assign	Follow client naming convention (check AD for pattern)	☐
Domain name	_________________ (check existing workstations or AD)	☐
Domain join credentials	Domain admin username and password	☐
IP assignment	DHCP or static? If static: IP, subnet, gateway, DNS	☐
NinjaRMM organization	Which Ninja org/location to register this device under	☐
Dental software to install	PMS name + version, imaging software + version	☐
Printers needed	Which printers? GPO-deployed or manual mapping needed?	☐
Network shares needed	Any shares that aren't GPO-deployed? UNC paths?	☐
Monitors	How many, what resolution? (Affects display settings)	☐
Special hardware	Sensor, scanner, label printer, signature pad, etc.?	☐

---

3. Hardware Verification

Before you start configuring, verify what arrived matches what was ordered.

Check	Details	Pass?
Correct model received	Match against PO / order confirmation	☐
Windows Pro pre-installed	Check sticker on case or boot to OOBE and verify edition. Home edition = stop and escalate — needs Pro for domain join.	☐
RAM meets minimum	16 GB minimum. 16 GB for operatory workstations running imaging or CBCT viewing.	☐
SSD installed	HDD is not acceptable for new builds	☐
All accessories present	Keyboard, mouse, power cable, DisplayPort/HDMI cables, mounting hardware if wall-mount	☐

If the PC shipped with Windows Home: Do NOT proceed with setup. Either return for exchange or purchase a Pro license key. Document in the HALO ticket and notify the Account Manager. Domain join requires Windows Pro, Enterprise, or Education.

---

4. Windows Initial Setup (OOBE)

4.1 First Boot

Power on the workstation and walk through the Windows Out-of-Box Experience:

Step	What to Do	Notes
Region	United States	—
Keyboard	US	Skip second keyboard layout
Network	Connect to client network (Ethernet preferred)	If remote deployment: office staff does this step
Windows Update	Let it check — but skip if it wants to do a major feature update during OOBE	You'll do updates after setup
Sign-in	Do NOT sign in with a Microsoft account	—
Account type	Select "Set up for work or school" if prompted, then choose "Domain join instead" (bottom-left link)	This creates a local account — domain join happens in Section 6
Local account name	DTCADMIN — this is the DTC standard local admin account	This account persists post-domain-join. Password is managed by LAPS via NinjaRMM.
Password	Set a temporary password to complete OOBE. LAPS will rotate this automatically once the Ninja agent is installed and checking in.	Do NOT document the temp password in the ticket — LAPS handles it.
Privacy settings	Disable all telemetry/tracking toggles	Location, diagnostics, inking, activity history — all off
Cortana / OneDrive / etc.	Skip or decline all promotional offers	—

4.2 Verify Windows Edition

Once at the desktop, confirm Windows edition:

Right-click Start → System (or run winver)

Field	Expected
Edition	Windows 11 Pro (or Windows 10 Pro)
Version	Latest release (verify against current Windows release)
System type	64-bit operating system
RAM	Matches expected (8 GB+ minimum)

If edition says "Home" — STOP. See note in Section 3.

---

5. Base Configuration

5.1 Computer Name

Rename the PC to match the client's naming convention before domain join:

1. Right-click Start → System
2. Click Rename this PC
3. Enter the assigned computer name
4. Restart when prompted — the restart is required before domain join

Naming convention: Check Active Directory for the client's existing pattern. Common formats: FRONTDESK1, OP1, OP2, BACKOFFICE1, DR-SMITH, or site-prefixed like MAIN-OP3. Match what's already there.

5.2 Network Configuration

If DHCP (most workstations): No action needed — verify connectivity with ping to the server/DC.

If static IP is required:

1. Open Settings → Network & Internet → Ethernet → Edit (or right-click NIC → Properties in ncpa.cpl)
2. Set to Manual and enter:

Field	Value
IP address	Assigned IP (from HALO ticket or UniFi portal)
Subnet mask	Usually 255.255.255.0 (/24)
Default gateway	Client's gateway (usually .1)
Preferred DNS	Client's Domain Controller IP
Alternate DNS	Secondary DC or 8.8.8.8 as fallback

3. Verify: ping [DC hostname] and nslookup [domain name] — both should resolve

DTC Standard: DNS should point to the Domain Controller first, not external DNS. If DNS points to 8.8.8.8 only, domain join and GPO processing will have issues.

5.3 Power Settings

Dental workstations should not sleep during patient hours:

1. Open Settings → System → Power & sleep (or search "Power Plan")
2. Set:

Setting	Value
Screen timeout (plugged in)	15 minutes (or per client preference)
Sleep (plugged in)	Never
Hard disk turn off	Never (especially for operatory workstations with imaging)

Why: A workstation that sleeps mid-acquisition can corrupt imaging data, drop sensor connections, and cause PBS Endo / DEXIS / Sidexis service faults. "Never sleep when plugged in" is non-negotiable for clinical workstations.

5.4 Display Settings

If multiple monitors are connected:

1. Right-click desktop → Display settings
2. Arrange monitors to match physical layout (drag and drop)
3. Set resolution to native for each monitor
4. Set Scale to 100% (or 125% if the client has accessibility needs) — some dental software has display issues at non-standard scaling

5.5 Time Zone

Verify time zone is correct:

1. Settings → Time & Language → Date & time
2. Set time zone (should auto-detect, but verify)
3. Ensure "Set time automatically" is ON
4. Ensure "Set time zone automatically" is ON (or manually set if auto-detect is wrong)

Why: Kerberos authentication (domain login) is sensitive to time skew. If the workstation clock is off by more than 5 minutes from the DC, domain logins will fail.

---

6. Domain Join

6.1 Join the Domain

1. Right-click Start → System
2. Click Domain or workgroup (or "Access work or school" → "Connect" → "Join this device to a local Active Directory domain")
3. Enter the domain name (e.g., contoso.local or clientname.local)
4. Enter domain admin credentials when prompted
5. When asked about account type, select Administrator for the initial domain account
6. Restart when prompted

6.2 Verify Domain Join

After restart, log in with domain credentials:

Check	Expected	Pass?
Login screen shows domain name	DOMAIN\username or domain listed in sign-in options	☐
systeminfo shows domain	Domain field shows correct domain name (not "WORKGROUP")	☐
gpresult /r runs without error	Shows applied GPOs	☐
Workstation appears in AD	Check Active Directory Users and Computers on the DC	☐

6.3 Move to Correct OU

If the workstation landed in the default Computers container in AD:

1. Open Active Directory Users and Computers on the DC (or use RSAT from another workstation)
2. Find the new computer object in the Computers container
3. Right-click → Move → select the correct OU for this client/site/role
4. Run gpupdate /force on the workstation to pick up OU-specific GPOs

Why this matters: GPOs are linked to OUs. If the workstation sits in the default Computers container, it won't receive printer deployments, drive mappings, or any other OU-targeted policies.

---

7. NinjaRMM Agent Installation

The NinjaRMM agent is the first post-domain-join install. Once Ninja is on, it handles:

• Endpoint protection (EDR) deployment via policy
• Windows patching via patch management policy
• Third-party application patching
• Monitoring and alerting
• Remote access (Ninja remote or Splashtop via Ninja)

7.1 Install the Agent

1. Log into the NinjaRMM dashboard (or use the installer URL for the client's organization)
2. Navigate to the correct Organization → Location for this client
3. Download the installer for this organization/location
4. Run the installer on the workstation as Administrator
5. Wait for the agent to check in — verify the device appears in the Ninja dashboard under the correct org/location

7.2 Verify LAPS Password Rotation

The DTCADMIN local admin account password is managed by LAPS via NinjaRMM. After the agent checks in:

1. Open NinjaRMM dashboard → Device details for this workstation
2. Navigate to the LAPS / Local Admin section
3. Verify a LAPS-managed password is present for the DTCADMIN account
4. The temporary password set during OOBE is now irrelevant — LAPS has rotated it

To retrieve the DTCADMIN password later: NinjaRMM dashboard → Device → LAPS section. This is the only way to get the current password. Do not attempt to set it manually — LAPS will overwrite it on the next rotation cycle.

7.3 Verify Ninja Policies Are Applying

After the agent checks in, verify:

Check	Where	Pass?
Device appears in correct org/location	Ninja dashboard	☐
Patch policy is assigned	Ninja → Device → Policies tab	☐
EDR/AV agent deploying or installed	Ninja → Device → Security tab (or check local Services)	☐
Monitoring active	Ninja → Device → shows online with green status	☐

If the agent doesn't check in within 10 minutes: Verify the workstation has internet access, check for firewall or proxy blocking Ninja's cloud endpoints, and confirm the installer was for the correct organization.

---

8. Windows Updates

Run Windows Updates now — after domain join and Ninja agent, but before dental software installation.

8.1 Run Updates

1. Settings → Windows Update → Check for updates
2. Install all available updates
3. Restart when prompted
4. Repeat — check again after restart. Some updates only appear after prerequisites are installed.
5. Continue until "You're up to date" with no pending items

8.2 Verify

Check	Expected	Pass?
No pending updates	"You're up to date"	☐
No pending restart	No restart banner	☐
.NET Framework current	Check via Programs and Features or Get-WindowsFeature output	☐

Why before dental software: Many dental applications depend on specific .NET Framework versions and Visual C++ runtimes that come via Windows Update. Installing dental software on a machine that's 6 months behind on updates leads to runtime errors, missing dependencies, and wasted time troubleshooting.

---

9. GPO Verification

After domain join, OU placement, and a restart, verify that Group Policy is applying correctly:

9.1 Force GPO Refresh

gpupdate /force

9.2 Verify Key GPOs

GPO Function	How to Verify	Applied?
Printers deployed (if via GPO)	Open Printers & Scanners — GPO printers should appear	☐
Drive mappings (if via GPO)	Open File Explorer — mapped drives should appear	☐
Power policy (if via GPO)	powercfg /list — should show managed plan	☐
Wallpaper / branding (if set)	Visual check — desktop wallpaper matches client standard	☐
Windows Update policy	Settings → Windows Update — should show "Some settings are managed by your organization"	☐

Run gpresult /r and review the output. Look for:

• Applied GPOs — confirm expected policies are listed
• Denied GPOs — should be empty or only intentionally filtered policies
• Security group membership — confirm the computer is in the expected groups

---

10. Non-GPO Mappings

Some clients have printers or file shares that aren't deployed via GPO. Handle these manually.

10.1 Network Printers (Non-GPO)

If printers need to be mapped manually (not via print server GPO):

1. Get the printer IP from the HALO ticket, UniFi portal, or Advanced IP Scanner
2. Settings → Printers & Scanners → Add a printer → "The printer that I want isn't listed"
3. Select "Add a printer using a TCP/IP address"
4. Enter the printer IP, uncheck "Query the printer" (speeds up detection)
5. Install the correct manufacturer driver (download from vendor website — don't use Windows built-in)
6. Print a test page

DTC Standard: Static IP, TCP/IP Standard Port. No WSD. If this printer should be on the print server and deployed via GPO, flag it in the HALO ticket for the next maintenance window. See Network Printer GPO Deployment SOP.

10.2 Network Shares (Non-GPO)

If file shares need to be mapped manually:

1. Open File Explorer
2. Right-click This PC → Map network drive
3. Select drive letter and enter UNC path (e.g., \\SERVER\SharedDocs)
4. Check "Reconnect at sign-in"
5. Enter credentials if prompted (use the user's domain credentials)
6. Verify the share opens and files are accessible

---

11. Dental Software Installation

Install the client's dental software stack. This SOP does not cover dental software installation details — refer to the platform-specific SOPs and the client's configuration documentation.

11.1 What to Install

Confirm with the HALO ticket or Account Manager:

Software Type	Name & Version	Install?
Practice Management Software (PMS)	_________________	☐
Imaging software	_________________	☐
Imaging bridge (if separate from PMS)	_________________	☐
Patient communication software	_________________	☐
Other specialty software	_________________	☐

11.2 General Installation Order

For most dental environments, install in this order:

1. PMS first (Dentrix, Eaglesoft, Open Dental, PBS Endo, TDO, etc.)
2. Imaging software second (DEXIS, Sidexis 4, DTX Studio, CS Imaging, etc.)
3. Bridges or integrations third (if the imaging software bridges to the PMS)
4. Ancillary software last (patient communication, document scanners, etc.)

Why this order: PMS often installs database drivers and frameworks that imaging software depends on. Imaging bridges configure connections to the PMS, so the PMS must be present first.

11.3 Reference SOPs & Vendor Support

Refer to the platform-specific SOP in BookStack for installation and configuration details. If you need vendor assistance during installation, use the support numbers below.

Practice Management Software:

Platform	BookStack SOP	Vendor Support
Dentrix	BookStack → SOPs → Dentrix Imaging Center Sensor Compatibility	Henry Schein: 800-824-6375
Eaglesoft	BookStack → SOPs → Eaglesoft Imaging Hardware	Patterson Technology Center: 800-475-5036
Open Dental	BookStack → SOPs → Open Dental Imaging & Sensor Compatibility	Open Dental: 503-363-5432
SoftDent	BookStack → SOPs → SoftDent Practice Management	Carestream: 800-944-6365
PBS Endo	BookStack → SOPs → PBS Endo Enterprise Imaging & Sensor Compatibility	PBS Endo: 800-535-0198
TDO	BookStack → SOPs → TDO Imaging & Sensor Compatibility	TDO Software: 858-558-3696
WinOMS	Contact vendor for installation guide	Carestream: 800-944-6365
Dolphin	BookStack → SOPs → Dolphin Imaging Sensor Compatibility	Dolphin/Patterson: 800-548-7241

Imaging Software:

Platform	BookStack SOP	Vendor Support
DEXIS Imaging Suite	BookStack → SOPs → DEXIS Imaging Suite Sensor Compatibility	KaVo Kerr / Envista: 888-883-3947
DTX Studio Clinic	BookStack → SOPs → DTX Studio Clinic Compatibility	KaVo Kerr / Envista: 888-883-3947
Sidexis 4	BookStack → SOPs → Sidexis 4 Compatibility	Dentsply Sirona: 800-659-5977
Carestream CS Imaging 8	BookStack → SOPs → Carestream CS Imaging 8 Sensor Compatibility	Carestream: 800-944-6365
Romexis	Contact vendor for installation guide	Planmeca: 630-529-2300
EzDent-i	BookStack → SOPs → EzDent-i Sensor Compatibility	Vatech America: 888-396-6288
Apteryx XrayVision	BookStack → SOPs → Apteryx XrayVision Sensor Compatibility	Planet DDS: 800-861-5098
i-Dixel	BookStack → SOPs → J. Morita i-Dixel Compatibility	J. Morita: 888-566-7482

Cross-Platform References:

Document	BookStack Location
Cross-Platform Imaging Troubleshooting Decision Tree	BookStack → SOPs → Cross-Platform Imaging Troubleshooting
Schick TWAIN → IOSS v3.2 Migration SOP	BookStack → SOPs → Schick TWAIN to IOSS Migration
Dental Software Antivirus Exclusions Master List	BookStack → SOPs → AV Exclusions Master List

---

12. Final Verification Checklist

Before handing the workstation to the client, run through this checklist. Every box should be checked.

12.1 System

Check	Pass?
Windows Pro confirmed (not Home)	☐
Correct computer name	☐
Domain joined and verified	☐
Correct OU in Active Directory	☐
Windows fully updated — no pending updates or restarts	☐
NinjaRMM agent installed and checking in	☐
EDR/AV deployed via Ninja policy and running	☐
Time zone correct	☐
Power settings: sleep = Never (plugged in)	☐
Display configured (resolution, scaling, multi-monitor layout)	☐

12.2 Network

Check	Pass?
Network connectivity confirmed (ping DC, ping internet)	☐
DNS pointing to Domain Controller	☐
IP assignment correct (DHCP or static per plan)	☐
GPOs applying ( gpresult /r clean)	☐

12.3 Printers & Shares

Check	Pass?
All required printers mapped and test printed	☐
All required network shares mapped and accessible	☐
GPO-deployed printers appearing (if applicable)	☐
GPO-deployed drives appearing (if applicable)	☐

12.4 Dental Software

Check	Pass?
PMS installed and launches	☐
PMS connects to server/database	☐
Imaging software installed and launches	☐
Imaging software connects to image repository	☐
Bridge configured (if applicable — PMS ↔ imaging link works)	☐
Patient communication software installed (if applicable)	☐
Other specialty software installed (if applicable)	☐

12.5 User Experience

Check	Pass?
Domain user can log in successfully	☐
Login time is reasonable (under 30 seconds)	☐
Default printer set correctly for this workstation's location	☐
Desktop shortcuts present for dental software	☐
No error pop-ups on login	☐
Local staging account ( DTCADMIN ) — LAPS password rotating via Ninja	☐

---

13. HALO Ticket Documentation

When closing the deployment ticket, document per the HALO Ticket Documentation Standard:

RESOLVED:

DEPLOYMENT: New workstation — [Role: Front Desk / Operatory / Back Office]
HARDWARE: [Make/Model], [RAM], [SSD Size], Windows [Version] Pro
COMPUTER NAME: [Name]
DOMAIN: [domain.local]

COMPLETED:
1. Windows OOBE — DTCADMIN local account created, privacy settings configured
2. Renamed to [computer name], domain joined to [domain]
3. Moved to OU: [OU path]
4. NinjaRMM agent installed — org: [org name], location: [location]
5. LAPS confirmed rotating DTCADMIN password via Ninja device details
6. Windows Updates — fully patched as of [date]
7. GPO verified — printers: [list], drives: [list]
8. Dental software installed:
   - PMS: [name, version] — connected to [server]
   - Imaging: [name, version] — connected to [image path]
   - Bridge: [if applicable]
9. Non-GPO mappings: [printers/shares if any]
10. Verified: user login, app launch, print test, imaging connection

NOTES: [Any special configuration, issues encountered, or follow-up needed]

---

14. Troubleshooting Quick Reference

Issue	Likely Cause	Fix
Domain join fails — "domain cannot be contacted"	DNS not pointing to DC, or workstation can't reach DC on network	Verify DNS is set to DC's IP. Verify network connectivity. nslookup [domain] should resolve.
Domain join fails — "access denied"	Wrong credentials or account doesn't have join permissions	Verify domain admin creds. Check if there's a computer account limit per user (default is 10).
GPOs not applying after domain join	Workstation in default Computers container, not target OU	Move to correct OU in AD. Run gpupdate /force . Restart.
Printers not appearing after gpupdate	GPO targets a different OU, or security filtering excludes this machine	Check GPO scope and filtering. Verify with gpresult /r .
NinjaRMM agent won't check in	Firewall blocking outbound, wrong installer for org, or DNS issue	Verify internet access. Check Windows Firewall isn't blocking Ninja. Confirm installer matches org.
Dental software won't connect to server	Firewall blocking port, wrong server name in config, missing SQL client tools	Check firewall rules on workstation and server. Verify server name/IP in software config. Check SQL connectivity.
Login takes 3+ minutes	GPO processing overload, network issue, or user profile problem	Run gpresult /r to check processing time. Verify DNS. Check for drive mapping failures. Reference Ticket 1117316 if profile-specific.
"This PC can't be upgraded to Windows Pro"	Hardware doesn't meet requirements, or Windows edition lock	Check if manufacturer sold as Home-only SKU. May need clean install with Pro media + key.
Time sync errors / Kerberos failures	Workstation clock off by more than 5 minutes from DC	Run w32tm /resync . Verify time zone. Check NTP settings.

---

15. Related Documents

Document	When to Reference
Network Printer GPO Deployment SOP	Standardizing printer deployment via print server and GPO
HALO Ticket Documentation Standard	How to document the deployment ticket
Windows In-Place Upgrade SOP (Dental Environment)	If an existing workstation needs OS repair (not applicable for new builds, but referenced in troubleshooting)
Platform-specific imaging SOPs	See Section 11.3 for full list
Dental Software Antivirus Exclusions Master List	AV exclusions after EDR deploys via Ninja
Network Assessment Guide & Checklist	Reference for client environment details

---

16. Document Control

Version	Date	Author	Changes
1.0	February 2026	IT Support Engineering	Initial release. Covers out-of-box through production-ready deployment for new workstations. Includes Windows OOBE, domain join, NinjaRMM agent installation, GPO verification, non-GPO printer/share mapping, dental software reference, and final verification checklist. Supports in-house, on-site, and remote deployment scenarios.

---

Confidential — Internal Use Only