05/23/2019

Hello,

I've been using the K2000 for imaging for many years, but I would like to switch over to Scripted Installations and I see many on here have made that switch so I'm hoping I can get some help.


I've made a scripted image of Windows 10 1809 and LTSB 2019 with post-install tasks to install software (Office, VLC, Acrobat, etc.), and remove some of the bloatware, etc., but I'm wondering how you can better configure Windows for an educational environment (~600PCs).

1) How can you set the "default" desktop background, desktop shortcuts, the start menu groups and tiles, the taskbar shortcuts (have Cortana icon only on taskbar, remove MSStore, Edge, etc.), and other Windows settings?

Are you somehow doing this in the unattend file? Or as Post-Install tasks? I want to set the defaults, but allow the user to make changes if desired.

I know I can set the Start/taskbar with an XML Group policy, but that does create some overhead and I want users to be able to modify it.


2) Secondly, the computers join the domain as the last PI task, but I want the built-in local administrator to remain active with a complex password. It comes in handy when there are network issues, etc. Our Group Policy does rename it after it joins the domain.

Currently, this works with my images. For my Scripted install it does autologon 3 times with the built-in admin (in unattend) to perform the PI Tasks, but it doesn't stay active. It could be a setting I'm missing in the unattend.

Any sample unattend or PI tasks that help with this would be most welcome.

Thank you






Community Chosen Answer

2

1. Check out my Blog on the Start & Taskbar config.

https://www.itninja.com/blog/view/import-startlayout-kace-sda


2. The admin account you put in the unattend should stay active; it's the built-in 'Administrator' account which will be inactive.


You can add a post install task which enables the built-in administrator and sets the password.

net user administrator /active:yes

net user administrator <complexpassword>


You can also delete the admin account you created in the unattend.

Answered 05/24/2019 by: Ziggi
Purple Belt
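
Added example, not part of the answer above: a PowerShell post-install task that performs the same two steps as the net user commands, but finds the built-in account by its well-known RID (500), so it keeps working once Group Policy has renamed the account, and reads the password from a file rather than the command line. The script, the $SecretFile parameter and the admin-secret.txt name are assumptions; it needs the LocalAccounts cmdlets that ship with Windows 10 and must run elevated.

```powershell
# Added example: enable the built-in Administrator and set its password.
# Assumptions: runs elevated as a post-install task on Windows 10;
# $SecretFile is a hypothetical one-line file delivered alongside the script.
param(
    [string]$SecretFile = (Join-Path $PSScriptRoot 'admin-secret.txt')
)
$ErrorActionPreference = 'Stop'

# The built-in Administrator's SID always ends in -500, whatever the account
# is called, so a Group Policy rename does not break the lookup.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }

# Read the password from the file instead of passing it as an argument,
# where it would appear in the task definition and the process command line.
$plain = Get-Content -LiteralPath $SecretFile -TotalCount 1
if ([string]::IsNullOrWhiteSpace($plain)) { throw "No password found in $SecretFile" }
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable -Name plain

Set-LocalUser    -SID $admin.SID -Password $secure
Enable-LocalUser -SID $admin.SID

# Remove the secret once it has been applied.
Remove-Item -LiteralPath $SecretFile -Force

# Report the resulting state so the task log shows what happened.
Get-LocalUser -SID $admin.SID |
    Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, Enabled, PasswordLastSet
```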

  • FYI, Microsoft considers this against best practice. They recommend creating a separate local administrator account and leaving the original account disabled.
    • Thanks for that.
    • Thanks, I realize that Microsoft recommends against that, but we do rename the account through policy and provide a complex password. There are a few things that work better with the built-in admin and I cannot really see any major security issue as a local admin account that is not used often.
  • Thanks, I'll take a look at that.
  • Thanks Ziggi. That info was awesome as I was already working on a startlayout for group policy and this is even better.
    That worked well for the Start menu for the most part. Edge unfortunately remains in the taskbar. I guess Microsoft is somehow locking that shortcut. Have to live with it I guess. And the Internet Explorer shortcut I added to the Start doesn't come in. I tried a few variations. Maybe it's an 1809 thing. There are lots of complaints about these two specific issues on the web. A fix for the IE issue is to copy a shortcut to the ProgramData\Microsoft\Windows\Start Menu\Programs folder, default desktop, or other location and then point the Start menu cell to that shortcut in the layout XML. I can script some desktop shortcuts to the default desktop.
    As for the other customizations like desktop background to a solid color, Cortana icon-only on taskbar (no search bar) and other Windows settings I'll look at Chuck's link to see if I can find some unattend settings for them.
    Thanks again.
    • How strange, Edge normally removes for me as long as the taskbar XML part is replaced. Yes, I can confirm that the IE fix is to either copy across. It's straightforward to do some PowerShell scripting for it. If you'd like, send me an email with the XML you created and I can take a look; you can also add in Cortana and a bunch of other stuff such as removing the Edge shortcut and creating shortcuts. Drop me an email and I'll be happy to take a look and go through it with you.

      adam.zignani@indigomountain.co.uk
      • Thank you Ziggi and Chuck! Oddly when I performed the install again without making any changes Edge was gone now. I'd bet it might return when Edge gets an update though. I've set up a task for students (LTSC) and staff (1809) for the start menu and taskbar, optimized the unattend some more (manually), and have most things set up now.
        I've seen many on this forum like SMal (who also works in Education) say they have switched from imaging to scripted install so I figured I'd give it a try.
        I'm still curious as to how well a scripted install can be customized as compared to an image, especially when it comes to applications that like to prompt the user the first time they open, etc.
        I'll keep working on it to see if I can remove as many prompts as I can so that students don't have to see them on every computer they log onto.
        If anyone has any good tips for making a great scripted install that is working for them please pass them along.
        Thanks

All Answers

1

Some of the things you are asking about in question 1 can be done via the unattend file. One way to explore the possibilities is to use the Windows System Image Manager tool that comes with the Windows ADK (https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install). It includes basic documentation on every possible setting.


Answered 05/24/2019 by: chucksteel
Red Belt

  • I'll look into this more, but I hadn't noticed many customizations for the look and feel of Windows in the past. If you have a sample unattend that does much of this I'd love to see it.
    Here is my current basic unattend:
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <settings pass="windowsPE">
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <UseConfigurationSet>true</UseConfigurationSet>
          <UserData>
            <AcceptEula>true</AcceptEula>
            <FullName>XXXXXXXX</FullName>
            <Organization>XXXXXXXX</Organization>
          </UserData>
          <ImageInstall>
            <OSImage>
              <InstallToAvailablePartition>true</InstallToAvailablePartition>
              <InstallFrom>
                <MetaData>
                  <Key>/IMAGE/Name</Key>
                  <Value>Windows 10 Enterprise</Value>
                </MetaData>
              </InstallFrom>
            </OSImage>
          </ImageInstall>
        </component>
        <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <UILanguage>en-us</UILanguage>
          <SetupUILanguage>
            <UILanguage>en-us</UILanguage>
          </SetupUILanguage>
          <InputLocale>en-us</InputLocale>
          <SystemLocale>en-us</SystemLocale>
          <UserLocale>en-us</UserLocale>
        </component>
      </settings>
      <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <RegisteredOwner>XXXXXXXX</RegisteredOwner>
          <RegisteredOrganization> XXXXXXXX </RegisteredOrganization>
          <TimeZone>Eastern Standard Time</TimeZone>
          <AutoLogon>
            <Enabled>true</Enabled>
            <Username>administrator</Username>
            <Password>
              <PlainText>true</PlainText>
              <Value> XXXXXXXX </Value>
            </Password>
            <LogonCount>3</LogonCount>
          </AutoLogon>
          <ComputerName>*</ComputerName>
        </component>
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <Identification>
            <JoinWorkgroup>WORKGROUP</JoinWorkgroup>
          </Identification>
        </component>
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <RunSynchronous>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000000 /f</Path>
              <Description>Setting Network Location</Description>
              <Order>1</Order>
              <WillReboot>OnRequest</WillReboot>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
              <Description>Hide First Logon Animation</Description>
              <Order>2</Order>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
              <Description>Hide First Logon Animation</Description>
              <Order>3</Order>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
              <Description>Disable Consumer Features</Description>
              <Order>4</Order>
            </RunSynchronousCommand>
          </RunSynchronous>
        </component>
      </settings>
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
          <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <SkipMachineOOBE>true</SkipMachineOOBE>
            <SkipUserOOBE>true</SkipUserOOBE>
            <NetworkLocation>Work</NetworkLocation>
            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
            <ProtectYourPC>3</ProtectYourPC>
          </OOBE>
          <!--
          <UserAccounts>
            <LocalAccounts>
              <LocalAccount wcm:action="add">
                <Name>NWXXXXXX</Name>
                <Group>Administrators</Group>
                <Password>
                  <Value>XXXXXXXX</Value>
                  <PlainText>true</PlainText>
                </Password>
              </LocalAccount>
            </LocalAccounts>
          </UserAccounts>
          -->
        </component>
      </settings>
    </unattend>
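
Added example, not part of the post above: a PowerShell check that lists every credential an answer file like this one carries, including account blocks that are only commented out, since those still ship inside the file. The function name Get-UnattendCredential and the sample XML are constructed for illustration; the sample mirrors the shape of the posted file with placeholder values.

```powershell
# Constructed sample: an AutoLogon password plus a commented-out LocalAccount.
$sample = [xml]@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>administrator</Username>
        <Password><PlainText>true</PlainText><Value>PLACEHOLDER</Value></Password>
        <LogonCount>3</LogonCount>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <!-- <LocalAccount><Name>PLACEHOLDER</Name><Password><Value>PLACEHOLDER</Value></Password></LocalAccount> -->
    </component>
  </settings>
</unattend>
'@

function Get-UnattendCredential {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Live credential elements: AutoLogon, LocalAccount and AdministratorPassword.
    foreach ($pw in $Unattend.SelectNodes('//u:Password | //u:AdministratorPassword', $ns)) {
        $who   = $pw.ParentNode.SelectSingleNode('u:Username | u:Name', $ns)
        $plain = $pw.SelectSingleNode('u:PlainText', $ns)
        [pscustomobject]@{
            Pass    = $pw.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
            Element = $pw.ParentNode.LocalName
            Account = if ($who) { $who.InnerText.Trim() } else { '(built-in Administrator)' }
            # PlainText=false means the value is Base64-encoded, not encrypted.
            Storage = if (-not $plain) { 'PlainText not specified' }
                      elseif ($plain.InnerText.Trim() -eq 'false') { 'Base64-encoded' }
                      else { 'plain text' }
        }
    }
    # Commented-out blocks are skipped by Setup but still readable in the file.
    foreach ($c in $Unattend.SelectNodes('//comment()')) {
        if ($c.Value -match '<(Administrator)?Password>') {
            [pscustomobject]@{
                Pass    = $c.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
                Element = 'XML comment'; Account = '(commented out)'; Storage = 'readable in file'
            }
        }
    }
}

Get-UnattendCredential -Unattend $sample | Format-Table -AutoSize
```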