© the association of independent schools of nsw dealing with windows 7 deployment issues kms, soes,...

© The Association of Independent Schools of NSW

Dealing with Windows 7 Deployment Issues

KMS, SOEs, Sysprep and Group Policy


Welcome

Introduction

Not best practice or complete solution

Not dealing with deployment solutions

Windows 7 deployments?

Challenges?


Windows 7?


Windows 7


Tools for the job

Windows Automated Installation Kit (WAIK)

Remote Server Administration Tools (RSAT)

Sysinternals (Autoruns)

Deployment Solution (Ghost, Altiris, WDS etc)


SOE Development

Things I’ve found to help

Make a checklist & keep it updated

Do more through group policy means less steps on each image

When initially developing images / testing Sysprep it’s a good idea to take a backup image before sysprepping

Any others?


Image Checklist


Installing Windows 7

We choose to remove system partition and have the one partition

Remove the boot partition, create a new 100MB partition in its place, remove the main partition then extend the partition you just created to the maximum size of the hard disk.

Add a technician account (in addition to the Administrator account)

Choose ‘Work’ as location. This tweaks network, firewall and security settings appropriately.


SOE General suggestions / ideas

Drivers

Use latest versions of video, network and wireless

Install others one by one as needed – don’t bloat.

Unlock the international desktop backgrounds

mctadmin /a [ AU | CA | GB | US | ZA ]

Customised logon screen utility

Win7LogonBackgroundChanger (google it)

Customised theme packs


Suggestions / ideas continued…

Enable the local admin account

Tweak UAC to required level (off)

Basic Software to include Adobe Reader, Shockwave, Flash & Air Microsoft Silverlight & DirectX Java Runtime PDFCreator Antivirus Codec Pack Client management software agent

Disable Updates (Msconfig/Control Panel/In app) Clean up with Autoruns (be careful)


Edit C:\Users\Default directly

Customise Administrator profile and set CopyProfile=true in sysprep

Manually copy profile (unsupported and fiddly)

Some ideas for profile customisation…

Profile customisation options


…maybe not…


Customise Explorer shortcut default location

Go to start and type in explorer, don't hit enter, but right click on Windows Explorer and click properties. Change the target from “%SystemRoot%\explorer.exe” to “%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}”. Click apply and then open the explorer shortcut on the quicklaunch and ensure it opens to My Computer instead of libraries. (Note, it may be %windir% instead of %SystemRoot%, if so, keep with this convention)

Set chosen theme

Organise desktop icons

Customise Explorer favourites

Profile customisation ideas


Customise Taskbar and IE links bar

Open all programs and run through Introductory wizards

Clean up history / recycle bin etc

Tidy up icons on desktop

Tweak local group policy if you don’t want to do it from the network.

More profile customisation ideas


Change product key of your chosen server (Server 2008 R2) to the KMS server key and voila you have a KMS server supporting Windows 7

Check _VLMCS SRV dns record under _tcp subdomain to check for multiple servers

WAIK has Volume Activation Management Tool

Minimum of 25 Windows 7 / Vista machines in order to activate properly, otherwise use an MAK product key.

Doesn’t count to total if SkipReam feature is set. Manually rearm with ‘slmgr.vbs /rearm’

KMS / Activation


Slmgr.vbs /dlv on activation server


VAMT 1.2


Much more complex than XP version

System Image Manager (SIM) in the WAIK

Need Windows 7 DVD or the install.wim file

Create or open an existing answer file

Sysprep


Windows SIM


Broken up into passes – focus on main three

generalize

specialize

oobeSystem

Set Tools->Hide Sensitive Data to encrypt passwords

Answer files


Runs in windows immediately after running sysprep

Required / recommended settings are:

Microsoft-Windows-Security-SPP\SkipRearm = 1

Microsoft-Windows-PnpSysprep\ PersistAllDeviceInstalls=true

generalize


Runs at the beginning of the Windows setup after generalizing (after imaging too usually)


Microsoft-Windows-Security-SPP-UX_neutral\SkipAutoActivation=true

Microsoft-Windows-Shell-Setup_neutral ComputerName=* CopyProfile=false/true ProductKey ShowWindowsLive=false

specialize



Microsoft-Windows-UnattendedJoin_neutral

Identification\JoinDomain=domainname.com

Identification\MachineObjectOU=ou (optional)

Identification\Credentials\Domain=domainname.com

Identification\Credentials\Password=userpassword

Identification\Credentials\Username=userpassword

specialize continued


Runs during the windows ‘Welcome’ section


Microsoft-Windows-International-Core_neutral

InputLocale = en-us

SystemLocale = en-au

UILanguage = en-au

UILanguageFallback= en-us

UserLocale = en-au

oobeSystem



Windows-Shell-Setup_neutral

RegisteredOrganization

RegisteredOwner

TimeZone = AUS Eastern Standard Time

OOBE\HideEulaPage=true

OOBE\NetworkLocation=Work

OOBE\ProtectYourPC=1

UserAccounts\AdministratorPassword\Value=password

UserAccounts\LocalAccounts (Add at least 1 and populate values and password)

oobeSystem continued


sysprep.exe /generalize /oobe /shutdown /unattend:x:\unattend.xml

If no xml file specified, it searches multiple places including C:\Windows\Panther\Unattend\unattend.xml and removable media etc.

Copies unattend.xml to C:\Windows\Panther\unattend.xml and runs from there (sensitive data deleted after finishing)

After setup wizard runs, it runs SetupComplete.cmd from C:\Windows\setup\scripts\ if it exists. This can be useful for deleting any xml files not wanted on the image.

Running Sysprep


Can’t supply computer name during sysprep AND join domain properly

Pre-staging the supposed solution

Can automate first login and run a VBScript

MySysprep2 is an option

Computer Names


Hotfix KB981542

Take backup image before sysprep

If using rearm, you can’t sysprep more than 3 times or you’ll brick the image. Without rearm, you have a limit of 8 times (apparently)

If you copy the xml file to C: with passwords in it, be sure to remove it using SetupComplete.cmd file or another script

Comments?

Precautions


Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions" to disabled

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security

Configure the Domain Profile settings

Any other preferred firewall settings

Group Policy


Computer Configuration\Administrative Templates\

System/Logon – Don’t display the Getting started welcome screen at logon

Windows Components/Internet Explorer – Configure new tab page default behaviour

Windows Components / Internet Explorer – Prevent performance of first run customize settings

Windows Components / Windows Defender – Turn off Windows Defender

Group Policy continued…


User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog – Items displayed in Places Bar

MyComputer, H:\, Desktop, MyDocuments etc

Computer Configuration\Windows Settings\Security Settings\Wireless Network Policies (If previously only Windows XP machines)

User Configuration\Administrative Templates\Windows Components\Windows Logon\Options – Set action to take when logon hours expire

Group Policy Continued…


Group Policy Preferences


Group Policy Preference Client Side Extensions are needed for XP and Vista – available as a feature pack in WSUS

Preferences can be applied once, or refreshed constantly

Overwrites local settings, and doesn’t change it back – there is an option to remove the setting upon removal of the policy

Very granular targeting – like WMI query except user friendly – very easy to use.

Group Policy Preferences


Questions / demonstrations etc…

Tours???


Contact Details

Andrew CullenNetwork ManagerKnox Grammar School

[email protected](02) 9487 0416