/build/static/layout/Breadcrumb_cap_w.png

Configuring Windows 10 during a Scripted Installation

Hello,

I've been using the K2000 for imaging for many years, but I would like to switch over to Scripted Installations and I see many on here have made that switch so I'm hoping I can get some help.


I've made a scripted image of Windows 10 1809 and LTSB 2019 with post-install tasks to install software (Office, VLC, Acrobat, etc.), and remove some of the bloatware, etc., but I'm wondering how you can better configure Windows for an educational environment (~600PCs).

1)    How  can you set the "default" desktop background, desktop shortcuts, the start menu groups and tiles, the taskbar shortcuts (have Cortana icon only on taskbar, remove MSStore, Edge, etc.), and other Windows settings?

Are you somehow doing this in the unattend file? or as Post-Install tasks? I want to set the defaults, but allow the user to make changes if desired.

I know I can set the Start/taskbar with an XML Group policy, but that does create some overhead and I want users to be able to modify it.


2)    Secondly, the computers join the domain as the last PI task, but I want the built-in local administrator to remain active with a complex password.  It comes in handy when there are network issues, etc. Our Group Policy does rename it after it joins the domain.

Currently, this works with my images. For my Scripted install it does autologon 3 times with the built-in admin (in unattend) to perform the PI Tasks, but it doesn't stay active. It could be a setting I'm missing in the unattend.

Any sample unattend or PI tasks that help with this would be most welcome.

Thank you




0 Comments   [ + ] Show comments

Answers (2)

Posted by: Ziggi 5 years ago
Blue Belt
2

1. Check out my Blog on the Start & Taskbar config.

https://www.itninja.com/blog/view/import-startlayout-kace-sda


2.  The admin account you put in the unattend should stay active, it's the built-in 'Administrator' account which will be inactive.


You can add a post install task which enables the built in administrator and sets password.

net user administrator /active:yes

net user administrator <complexpassword>


You can also delete the admin account you created in the unattend also.


Comments:
  • FYI, Microsoft considers this against best practice. They recommend creating a separate local administrator account and leaving the original account disabled. - chucksteel 5 years ago
    • Thanks for that. - Ziggi 5 years ago
    • Thanks, I realize that Microsoft recommends against that, but we do rename the account through policy and provide a complex password. There are a few things that work better with the built-in admin and I cannot really see any major security issue as a local admin account that is not used often. - Geoff25 5 years ago
    • I know this is a year old post, but Do you have a source for this?

      I need it for documentation purposes. - Channeler 4 years ago
  • Thanks, I'll take a look at that. - Geoff25 5 years ago
  • Thanks Ziggie. That info was awesome as I was already working on a startlayout for group policy and this is even better.
    That worked well for for the Start menu for the most part. Edge unfortunately remains in the taskbar. I guess Microsoft is somehow locking that shortcut. Have to live with it I guess. And the Internet Explorer shortcut I added to the Start doesn't come in. I tried a few variations. Maybe it's an 1809 thing. There's lots of complaints about these two specific issues on the web. A fix for the IE issue is to copy a shortcut to the ProgramData\Microsoft\Windows\Start Munu\Programs folder, default desktop, or other location and then point the start Menu cell to that shortcut in the layout XML. I can script some desktop shortcuts to the default desktop.
    As for the other customizations like desktop background to a solid color, Cortana icon-only on taskbar (no search bar) and other Windows settings I'll look at Chuck's link to see if I can find some unattend settings for them.
    Thanks again. - Geoff25 5 years ago
    • How strange, Edge normally removes for me as long as the taskbar xml part is replace. Yes, I can confirm that the IE fix is to either copy across. It's straightforward to do some PowerShell scripting for it. If you'd like, send me a email with the XML you created and I can take a look, you can also add in cortana and a bunch of other stuff such as removing edge shortcut and creating shorcuts. drop me an email and i'll be happy to take a look and go through with you.

      adam.zignani@indigomountain.co.uk - Ziggi 5 years ago
      • Thank you Ziggi and Chuck! Oddly when I performed the install again without making any changes Edge was gone now. I'd bet it might return when Edge gets an update though. I've set up a task for students (LTSC) and staff (1809) for the start menu and taskbar, optimized the unattend some more(manually), and have most things set up now.
        I've seen many on this forum like SMal (who also works in Education) say they have switched from imaging to scripted install so I figured I'd give it a try.
        I'm still curious as to how well a scripted install can be customized as compared to an image, especially when it comes to applications that like to prompt the user the first time they open, etc.
        I'll keep working on it to see if I can remove as many prompts as I can so that students don't have to see them on every computer they log onto.
        If anyone has any good tips for making a great scripted install that is working for them please pass them along.
        Thanks - Geoff25 5 years ago
Posted by: chucksteel 5 years ago
Red Belt
1

Some of the things you are asking about in question 1 can be done via the unattend file. One way to explore the possibilities is to use the Windows System Image Manager tool that comes with the Windows ADK (https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install). It includes basic documentation on every possible setting.



Comments:
  • I'll look into this more, but I hadn't noticed many customizations for the look and feel of Windows in the past. If you have a sample unattend that does much of this I'd love to see it.
    Here is my current basic unattend:
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <UseConfigurationSet>true</UseConfigurationSet>
    <UserData>
    <AcceptEula>true</AcceptEula>
    <FullName>XXXXXXXX</FullName>
    <Organization>XXXXXXXX</Organization>
    </UserData>
    <ImageInstall>
    <OSImage>
    <InstallToAvailablePartition>true</InstallToAvailablePartition>
    <InstallFrom>
    <MetaData>
    <Key>/IMAGE/Name</Key>
    <Value>Windows 10 Enterprise</Value>
    </MetaData>
    </InstallFrom>
    </OSImage>
    </ImageInstall>
    </component>
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <UILanguage>en-us</UILanguage>
    <SetupUILanguage>
    <UILanguage>en-us</UILanguage>
    </SetupUILanguage>
    <InputLocale>en-us</InputLocale>
    <SystemLocale>en-us</SystemLocale>
    <UserLocale>en-us</UserLocale>
    </component>
    </settings>
    <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <RegisteredOwner>XXXXXXXX</RegisteredOwner>
    <RegisteredOrganization> XXXXXXXX </RegisteredOrganization>
    <TimeZone>Eastern Standard Time</TimeZone>
    <AutoLogon>
    <Enabled>true</Enabled>
    <Username>administrator</Username>
    <Password>
    <PlainText>true</PlainText>
    <Value> XXXXXXXX </Value>
    </Password>
    <LogonCount>3</LogonCount>
    </AutoLogon>
    <ComputerName>*</ComputerName>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <Identification>
    <JoinWorkgroup>WORKGROUP</JoinWorkgroup>
    </Identification>
    </component>
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <RunSynchronous>
    <RunSynchronousCommand wcm:action="add">
    <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\FirstNetwork" /v Category /t REG_DWORD /d 00000000 /f</Path>
    <Description>Setting Network Location</Description>
    <Order>1</Order>
    <WillReboot>OnRequest</WillReboot>
    </RunSynchronousCommand>
    <RunSynchronousCommand wcm:action="add">
    <Path>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
    <Description>Hide First Logon Animation</Description>
    <Order>2</Order>
    </RunSynchronousCommand>
    <RunSynchronousCommand wcm:action="add">
    <Path>reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
    <Description>Hide First Logon Animation</Description>
    <Order>3</Order>
    </RunSynchronousCommand>
    <RunSynchronousCommand wcm:action="add">
    <Path>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /d 1 /t REG_DWORD /f</Path>
    <Description>Disable Consumer Features</Description>
    <Order>4</Order>
    </RunSynchronousCommand>
    </RunSynchronous>
    </component>
    </settings>
    <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <OOBE>
    <HideEULAPage>true</HideEULAPage>
    <SkipMachineOOBE>true</SkipMachineOOBE>
    <SkipUserOOBE>true</SkipUserOOBE>
    <NetworkLocation>Work</NetworkLocation>
    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
    <ProtectYourPC>3</ProtectYourPC>
    </OOBE>
    <!--
    <UserAccounts>
    <LocalAccounts>
    <LocalAccount wcm:action="add">
    <Name>NWXXXXXX</Name>
    <Group>Administrators</Group>
    <Password>
    <Value>XXXXXXXX</Value>
    <PlainText>true</PlainText>
    </Password>
    </LocalAccount>
    </LocalAccounts>
    </UserAccounts>
    -->
    </component>
    </settings>
    </unattend> - Geoff25 5 years ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ