# Post-Deployment Validation Checklist

**Imaged:** `____________________`  **Tech:** `____________________`  **Date/Time:** `____________________`
**Model / Serial:** `____________________` / `____________________`
**Computer Name:** `____________________`

> Pass = ✓, Fail = ✗ (open ticket + capture log path)

---

## A. Hardware / Firmware
- [ ] **A1.** Device Manager: **zero yellow bangs / unknown devices**
  - Verify: `devmgmt.msc` → expand all → no warnings.
- [ ] **A2.** `Get-WindowsDriver -Online` returns no drivers in **Unsigned** state.
  ```powershell
  Get-WindowsDriver -Online | Where-Object { -not $_.Inbox -and -not $_.DriverSignature } | Format-Table
  ```
- [ ] **A3.** HP Image Assistant **Analyze** reports **0 Critical / 0 Recommended** outstanding.
  - Run: `HPImageAssistant.exe /Operation:Analyze /ReportFolder:C:\OSDLogs\HPIA-Validate /Silent`
- [ ] **A4.** TPM 2.0: ready, owned, enabled.
  - Verify: `Get-Tpm` → `TpmReady=True, TpmEnabled=True, ManagedAuthLevel=Full`.
- [ ] **A5.** Secure Boot **enabled**.
  - Verify: `Confirm-SecureBootUEFI` → `True`.
- [ ] **A6.** BitLocker on `C:` is **Protected**, encryption ≥ 99 %, key escrowed to AD.
  ```powershell
  Get-BitLockerVolume -MountPoint C:
  manage-bde -protectors -get C:
  ```

## B. OS / Patching
- [ ] **B1.** Build = **Windows 11 24H2 Enterprise (10.0.26100.x)**.
  - Verify: `winver`.
- [ ] **B2.** `Get-HotFix` shows the latest LCU KB applied.
- [ ] **B3.** `Get-WindowsUpdate -MicrosoftUpdate` (PSWindowsUpdate) returns **no missing critical** updates.
- [ ] **B4.** Time zone & locale match site standard.
  - Verify: `Get-TimeZone`, `Get-WinSystemLocale`.
- [ ] **B5.** Computer name matches `<SiteCode>-<Last10Serial>`.

## C. Domain / SCCM
- [ ] **C1.** Domain joined to `contoso.local`.
  - Verify: `(Get-CimInstance Win32_ComputerSystem).PartOfDomain` = `True`.
- [ ] **C2.** SCCM client installed and **assigned** to site `P01`.
  - Verify: `Get-WmiObject -Namespace root\ccm -Class SMS_Client | Select-Object ClientVersion, AssignedSiteCode`.
- [ ] **C3.** Management Point reachable, policy received.
  - Verify: `C:\Windows\CCM\Logs\LocationServices.log` and `PolicyAgent.log` clean for last 15 min.
- [ ] **C4.** Hardware inventory reported within last 24 h.
- [ ] **C5.** Software Center opens, shows assigned Required apps in **Installed** state.

## D. Security Baseline
- [ ] **D1.** Defender Real-time Protection **On**, signatures ≤ 7 days old.
  - Verify: `Get-MpComputerStatus | Select RealTimeProtectionEnabled, AntivirusSignatureAge`.
- [ ] **D2.** Firewall: all 3 profiles enabled, default inbound = Block.
  - Verify: `Get-NetFirewallProfile | ft Name, Enabled, DefaultInboundAction`.
- [ ] **D3.** RDP enabled with **NLA**, listening on 3389.
  - Verify: `(Get-Item 'HKLM:\System\CurrentControlSet\Control\Terminal Server').GetValue('fDenyTSConnections')` = 0
  - `Get-NetTCPConnection -LocalPort 3389 -State Listen`.
- [ ] **D4.** Cortana / Widgets / Consumer features disabled (registry policies present).
- [ ] **D5.** No consumer bloat present (no Bing News/Weather, no Xbox apps, no Solitaire, no Teams consumer).

## E. Applications
- [ ] **E1.** Microsoft 365 Apps installed; Outlook, Word, Excel, PowerPoint launch; activation OK
  (`HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\ProductReleaseIds` contains `O365ProPlusRetail`).
- [ ] **E2.** Microsoft Teams (new) installed machine-wide; launches under user context.
- [ ] **E3.** Adobe Acrobat Reader DC installed; opens a sample PDF.
- [ ] **E4.** Google Chrome Enterprise installed.
- [ ] **E5.** Mozilla Firefox ESR installed.
- [ ] **E6.** 7-Zip, Notepad++, VLC installed.
- [ ] **E7.** HP Image Assistant present (`C:\Program Files\HP\HPIA\HPImageAssistant.exe`).
- [ ] **E8.** HP Hotkey Support and HP Notifications running (services).
- [ ] **E9.** HP Wolf Security present (or removed per license decision).
- [ ] **E10.** All required VC++ Redistributables (2012/2013/2015-2022, x86+x64) present in ARP.
- [ ] **E11.** .NET Desktop Runtime 6 LTS and 8 LTS x64 present.
  - Verify: `dotnet --list-runtimes`.

## F. Hardware functional smoke tests
- [ ] **F1.** Audio: play sample → both speaker and headphone jack output.
- [ ] **F2.** Webcam: open `Camera` app → preview live, no driver error.
- [ ] **F3.** Microphone: capture in `Voice Recorder` app → playback OK.
- [ ] **F4.** Wi-Fi: associate to enterprise SSID, DHCP, DNS resolution.
- [ ] **F5.** Bluetooth: pair to a test device, audio routes correctly.
- [ ] **F6.** Dock hot-plug: connect HP Thunderbolt/USB-C dock — external displays light up; USB peripherals enumerate; Ethernet on dock gets DHCP within 30 s.
- [ ] **F7.** Battery (laptops): `powercfg /batteryreport` → no design/full capacity anomaly.
- [ ] **F8.** Fingerprint reader / IR camera (where present): enroll Windows Hello PIN + biometric.

## G. Logs to capture if any item fails
- `C:\Windows\CCM\Logs\smsts.log`
- `C:\OSDLogs\*.log`
- `C:\OSDLogs\HPIA\Report\*.xml`
- `C:\Windows\Logs\DISM\dism.log`
- `Get-WinEvent -LogName 'Microsoft-Windows-Bitlocker/BitLocker Management' -MaxEvents 50`

## H. Sign-off
- Tech signature: `____________________`
- Reviewer signature: `____________________`
- Asset record updated: ☐ Yes ☐ No
- Device released to user: `____________________` (date)