Dealing with Windows 7 Deployment Issues
© The Association of Independent Schools of NSW
KMS, SOEs, Sysprep and Group Policy
Welcome
Introduction
Not best practice or complete solution
Not dealing with deployment solutions
Windows 7 deployments?
Challenges?
Tools for the job
Windows Automated Installation Kit (WAIK)
Remote Server Administration Tools (RSAT)
Sysinternals (Autoruns)
Deployment Solution (Ghost, Altiris, WDS etc)
SOE Development
Things I’ve found to help
Make a checklist & keep it updated
Doing more through Group Policy means fewer steps on each image
When initially developing images / testing Sysprep it’s a good idea to take a backup image before sysprepping
Any others?
Installing Windows 7
We choose to remove the system partition and have just the one partition
Remove the boot partition, create a new 100MB partition in its place, remove the main partition then extend the partition you just created to the maximum size of the hard disk.
Add a technician account (in addition to the Administrator account)
Choose ‘Work’ as location. This tweaks network, firewall and security settings appropriately.
SOE General suggestions / ideas
Drivers
Use the latest versions of the video, network and wireless drivers
Install others one by one as needed – don’t bloat.
Unlock the international desktop backgrounds
mctadmin /a [ AU | CA | GB | US | ZA ]
Customised logon screen utility
Win7LogonBackgroundChanger (google it)
Customised theme packs
Suggestions / ideas continued…
Enable the local admin account
Tweak UAC to required level (off)
Basic software to include:
Adobe Reader, Shockwave, Flash & Air
Microsoft Silverlight & DirectX
Java Runtime
PDFCreator
Antivirus
Codec Pack
Client management software agent
Disable Updates (Msconfig/Control Panel/In app)
Clean up with Autoruns (be careful)
Profile customisation options
Edit C:\Users\Default directly
Customise Administrator profile and set CopyProfile=true in sysprep
Manually copy profile (unsupported and fiddly)
Some ideas for profile customisation…
Profile customisation ideas
Customise Explorer shortcut default location
Go to Start and type in explorer; don't hit Enter, but right-click on Windows Explorer and click Properties. Change the target from “%SystemRoot%\explorer.exe” to “%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}”. Click Apply, then open the Explorer shortcut on the Quick Launch and ensure it opens to My Computer instead of Libraries. (Note: it may be %windir% instead of %SystemRoot%; if so, keep with this convention.)
Set chosen theme
Organise desktop icons
Customise Explorer favourites
More profile customisation ideas
Customise Taskbar and IE links bar
Open all programs and run through introductory wizards
Clean up history / recycle bin etc
Tidy up icons on desktop
Tweak local group policy if you don’t want to do it from the network.
KMS / Activation
Change the product key of your chosen server (Server 2008 R2) to the KMS server key and voila, you have a KMS server supporting Windows 7
Check the _VLMCS SRV DNS record under the _tcp subdomain to check for multiple servers
WAIK has the Volume Activation Management Tool
Minimum of 25 Windows 7 / Vista machines in order to activate properly, otherwise use an MAK product key.
Doesn’t count towards the total if SkipRearm is set. Manually rearm with ‘slmgr.vbs /rearm’
Sysprep
Much more complex than XP version
System Image Manager (SIM) in the WAIK
Need Windows 7 DVD or the install.wim file
Create or open an existing answer file
Answer files
Broken up into passes – focus on main three
generalize
specialize
oobeSystem
Set Tools->Hide Sensitive Data to encrypt passwords
generalize
Runs in Windows immediately after running sysprep
Required / recommended settings are:
Microsoft-Windows-Security-SPP\SkipRearm=1
Microsoft-Windows-PnpSysprep\PersistAllDeviceInstalls=true
specialize
Runs at the beginning of the Windows setup after generalizing (after imaging too usually)
Required / recommended settings are:
Microsoft-Windows-Security-SPP-UX_neutral\SkipAutoActivation=true
Microsoft-Windows-Shell-Setup_neutral
ComputerName=*
CopyProfile=false/true
ProductKey
ShowWindowsLive=false
specialize continued
Required / recommended settings are:
Microsoft-Windows-UnattendedJoin_neutral
Identification\JoinDomain=domainname.com
Identification\MachineObjectOU=ou (optional)
Identification\Credentials\Domain=domainname.com
Identification\Credentials\Password=userpassword
Identification\Credentials\Username=username
oobeSystem
Runs during the Windows ‘Welcome’ section
Required / recommended settings are:
Microsoft-Windows-International-Core_neutral
InputLocale=en-us
SystemLocale=en-au
UILanguage=en-au
UILanguageFallback=en-us
UserLocale=en-au
oobeSystem continued
Required / recommended settings are:
Microsoft-Windows-Shell-Setup_neutral
RegisteredOrganization
RegisteredOwner
TimeZone=AUS Eastern Standard Time
OOBE\HideEulaPage=true
OOBE\NetworkLocation=Work
OOBE\ProtectYourPC=1
UserAccounts\AdministratorPassword\Value=password
UserAccounts\LocalAccounts (Add at least 1 and populate values and password)
Running Sysprep
sysprep.exe /generalize /oobe /shutdown /unattend:x:\unattend.xml
If no xml file is specified, Sysprep searches multiple places including C:\Windows\Panther\Unattend\unattend.xml and removable media etc.
Sysprep copies unattend.xml to C:\Windows\Panther\unattend.xml and runs from there (sensitive data is deleted after finishing)
After the setup wizard runs, it runs SetupComplete.cmd from C:\Windows\setup\scripts\ if it exists. This can be useful for deleting any xml files not wanted on the image.
Computer Names
Can’t supply a computer name during sysprep AND join the domain properly
Pre-staging is the supposed solution
Can automate first login and run a VBScript
MySysprep2 is an option
Precautions
Hotfix KB981542
Take backup image before sysprep
If using rearm, you can’t sysprep more than 3 times or you’ll brick the image. Without rearm, you have a limit of 8 times (apparently)
If you copy the xml file to C: with passwords in it, be sure to remove it using SetupComplete.cmd file or another script
Comments?
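A check to go with the precautions above, as an added example that is not from the original slides: it lists answer files on a deployed machine or mounted image that still contain credentials, without printing the secrets. The function name, the drive-root location and the constructed sample file are assumptions; values stored with PlainText=false are Base64-encoded rather than encrypted, so they are reported too.

```powershell
# Added example (not from the slides): report answer files that still hold credentials.
function Find-AnswerFileSecrets {
    param([string]$Root = 'C:\')   # system drive or mounted image root
    # Locations named on the slides, plus the drive root (assumption: "copy the xml file to C:")
    $candidates = 'Windows\Panther\unattend.xml', 'Windows\Panther\Unattend\unattend.xml', 'unattend.xml'
    # local-name() avoids registering the urn:schemas-microsoft-com:unattend namespace
    $xpath = "//*[local-name()='Password' or local-name()='AdministratorPassword']"
    foreach ($rel in $candidates) {
        $path = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $doc = [xml](Get-Content -LiteralPath $path)
        foreach ($node in $doc.SelectNodes($xpath)) {
            # Shell-Setup passwords use Value/PlainText children; UnattendedJoin uses plain text
            $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
            $plain     = $node.SelectSingleNode("*[local-name()='PlainText']")
            $value     = if ($valueNode) { $valueNode.InnerText } else { $node.InnerText }
            # Setup overwrites secrets it has processed with this marker
            if (-not $value -or $value -eq '*SENSITIVE*DATA*DELETED*') { continue }
            # PlainText=false means encoded, which is still recoverable
            $storage   = if ($plain -and $plain.InnerText -eq 'false') { 'encoded' } else { 'plaintext' }
            $component = $node.SelectSingleNode("ancestor::*[local-name()='component']")
            New-Object PSObject -Property @{
                File = $path; Setting = $node.LocalName; Storage = $storage
                Component = $(if ($component) { $component.GetAttribute('name') })
            }
        }
    }
}

# Constructed sample image root: one join password left behind, one secret already scrubbed
$root    = Join-Path ([System.IO.Path]::GetTempPath()) 'answerfile-audit-demo'
$panther = Join-Path $root 'Windows\Panther'
New-Item -ItemType Directory -Force -Path $panther | Out-Null
@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin">
    <Identification><Credentials><Password>Example-Only-1</Password></Credentials></Identification>
  </component></settings>
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><AdministratorPassword>
      <Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText>
    </AdministratorPassword></UserAccounts>
  </component></settings>
</unattend>
'@ | Set-Content -LiteralPath (Join-Path $panther 'unattend.xml')
Find-AnswerFileSecrets -Root $root | Format-Table -AutoSize
```

Point `-Root` at the mounted image or the system drive of a freshly deployed machine; any row returned is a file to delete or a secret to rotate.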
Group Policy
Set "Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions" to Disabled
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security
Configure the Domain Profile settings
Any other preferred firewall settings
Group Policy continued…
Computer Configuration\Administrative Templates\
System / Logon – Don’t display the Getting started welcome screen at logon
Windows Components / Internet Explorer – Configure new tab page default behaviour
Windows Components / Internet Explorer – Prevent performance of first run customize settings
Windows Components / Windows Defender – Turn off Windows Defender
Group Policy continued…
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog – Items displayed in Places Bar
MyComputer, H:\, Desktop, MyDocuments etc
Computer Configuration\Windows Settings\Security Settings\Wireless Network Policies (If previously only Windows XP machines)
User Configuration\Administrative Templates\Windows Components\Windows Logon\Options – Set action to take when logon hours expire
Group Policy Preferences
Group Policy Preference Client Side Extensions are needed for XP and Vista – available as a feature pack in WSUS
Preferences can be applied once, or refreshed constantly
Overwrites local settings, and doesn’t change them back – there is an option to remove the setting upon removal of the policy
Very granular targeting – like a WMI query except user friendly – very easy to use.
Contact Details
Andrew Cullen
Network Manager
Knox Grammar School
[email protected]
(02) 9487 0416