Dealing with Windows 7 Deployment Issues
KMS, SOEs, Sysprep and Group Policy
© The Association of Independent Schools of NSW
Welcome
Introduction
Not best practice or complete solution
Not dealing with deployment solutions
Windows 7 deployments?
Challenges?
Windows 7?
Windows 7
Tools for the job
Windows Automated Installation Kit (WAIK)
Remote Server Administration Tools (RSAT)
Sysinternals (Autoruns)
Deployment Solution (Ghost, Altiris, WDS etc)
SOE Development
Things I’ve found to help
Make a checklist & keep it updated
Doing more through Group Policy means fewer steps on
each image
When initially developing images / testing Sysprep
it’s a good idea to take a backup image before
sysprepping
Any others?
Image Checklist
Installing Windows 7
We choose to remove the system partition and have
just the one partition
Remove the boot partition, create a new 100MB partition
in its place, remove the main partition then extend the
partition you just created to the maximum size of the hard
disk.
Add a technician account (in addition to the
Administrator account)
Choose ‘Work’ as location. This tweaks network,
firewall and security settings appropriately.
SOE General suggestions / ideas
Drivers
Use latest versions of video, network and wireless
Install others one by one as needed – don’t bloat.
Unlock the international desktop backgrounds
mctadmin /a [ AU | CA | GB | US | ZA ]
Customised logon screen utility
Win7LogonBackgroundChanger (google it)
Customised theme packs
Suggestions / ideas continued…
Enable the local admin account
Tweak UAC to required level (off)
Basic Software to include
Adobe Reader, Shockwave, Flash & Air
Microsoft Silverlight & DirectX
Java Runtime
PDFCreator
Antivirus
Codec Pack
Client management software agent
Disable Updates (Msconfig/Control Panel/In app)
Clean up with Autoruns (be careful)
Profile customisation options
Edit C:\Users\Default directly
Customise Administrator profile and set
CopyProfile=true in sysprep
Manually copy profile (unsupported and fiddly)
Some ideas for profile customisation…
…maybe not…
Profile customisation ideas
Customise Explorer shortcut default location
Go to Start and type explorer; don't hit Enter, but right-click
Windows Explorer and click Properties. Change
the target from “%SystemRoot%\explorer.exe” to
“%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}”.
Click Apply, then open the Explorer shortcut on the Quick Launch
and ensure it opens to My Computer instead of Libraries.
(Note: it may be %windir% instead of %SystemRoot%; if so,
keep to that convention.)
Set chosen theme
Organise desktop icons
Customise Explorer favourites
More profile customisation ideas
Customise Taskbar and IE links bar
Open all programs and run through Introductory
wizards
Clean up history / recycle bin etc
Tidy up icons on desktop
Tweak local group policy if you don’t want to do it
from the network.
KMS / Activation
Change product key of your chosen server (Server
2008 R2) to the KMS server key and voila you
have a KMS server supporting Windows 7
Check the _VLMCS SRV DNS record under the _tcp
subdomain to check for multiple servers
WAIK has Volume Activation Management Tool
Minimum of 25 Windows 7 / Vista machines in
order to activate properly; otherwise use a MAK
product key.
A machine doesn’t count towards the total if the SkipRearm setting is set.
Manually rearm with ‘slmgr.vbs /rearm’
Slmgr.vbs /dlv on activation server
VAMT 1.2
Sysprep
Much more complex than XP version
System Image Manager (SIM) in the WAIK
Need Windows 7 DVD or the install.wim file
Create or open an existing answer file
Windows SIM
Answer files
Broken up into passes – focus on main three
generalize
specialize
oobeSystem
Set Tools->Hide Sensitive Data to encrypt
passwords
generalize
Runs in Windows immediately after running
sysprep
Required / recommended settings are:
Microsoft-Windows-Security-SPP\SkipRearm = 1
Microsoft-Windows-PnpSysprep\PersistAllDeviceInstalls=true
specialize
Runs at the beginning of the Windows setup after
generalizing (after imaging too usually)
Required / recommended settings are:
Microsoft-Windows-Security-SPP-UX_neutral\SkipAutoActivation=true
Microsoft-Windows-Shell-Setup_neutral
ComputerName=*
CopyProfile=false/true
ProductKey
ShowWindowsLive=false
specialize continued
Required / recommended settings are:
Microsoft-Windows-UnattendedJoin_neutral
Identification\JoinDomain=domainname.com
Identification\MachineObjectOU=ou (optional)
Identification\Credentials\Domain=domainname.com
Identification\Credentials\Password=userpassword
Identification\Credentials\Username=username
oobeSystem
Runs during the Windows ‘Welcome’ section
Required / recommended settings are:
Microsoft-Windows-International-Core_neutral
InputLocale = en-us
SystemLocale = en-au
UILanguage = en-au
UILanguageFallback = en-us
UserLocale = en-au
oobeSystem continued
Required / recommended settings are:
Microsoft-Windows-Shell-Setup_neutral
RegisteredOrganization
RegisteredOwner
TimeZone = AUS Eastern Standard Time
OOBE\HideEulaPage=true
OOBE\NetworkLocation=Work
OOBE\ProtectYourPC=1
UserAccounts\AdministratorPassword\Value=password
UserAccounts\LocalAccounts (Add at least 1 and populate
values and password)
Running Sysprep
sysprep.exe /generalize /oobe /shutdown /unattend:x:\unattend.xml
If no xml file specified, it searches multiple places
including C:\Windows\Panther\Unattend\unattend.xml
and removable media etc.
Copies unattend.xml to
C:\Windows\Panther\unattend.xml and runs from there
(sensitive data deleted after finishing)
After setup wizard runs, it runs SetupComplete.cmd
from C:\Windows\setup\scripts\ if it exists. This can be
useful for deleting any xml files not wanted on the
image.
Computer Names
Can’t supply computer name during sysprep AND
join domain properly
Pre-staging is the supposed solution
Can automate first login and run a VBScript
MySysprep2 is an option
Precautions
Hotfix KB981542
Take backup image before sysprep
If using rearm, you can’t sysprep more than 3
times or you’ll brick the image. Without rearm, you
have a limit of 8 times (apparently)
If you copy the xml file to C: with passwords in it,
be sure to remove it using SetupComplete.cmd file
or another script
Comments?
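The precaution about answer files left on the image can be checked before capture. The Python sketch below is an added example, not part of the original presentation: it lists every populated password setting in an answer file, in the same setting-path notation used on the slides, and skips values that Setup has already overwritten with its deletion marker. The sample file, its values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
SCRUBBED = "*SENSITIVE*DATA*DELETED*"  # Setup writes this over secrets it has processed
# Constructed sample answer file; every value is a placeholder.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification>
    <Credentials>
     <Username>joinuser</Username>
     <Password>EXAMPLE-ONLY</Password>
    </Credentials>
   </Identification>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts>
    <AdministratorPassword>
     <Value>RVhBTVBMRQ==</Value>
     <PlainText>false</PlainText>
    </AdministratorPassword>
   </UserAccounts>
  </component>
 </settings>
</unattend>"""

def _walk(elem, path, where, out):
    path = path + [elem.tag.replace(NS, "")]
    if path[-1].endswith("Password"):
        # The value sits in a <Value> child (Shell-Setup) or in the element itself (UnattendedJoin).
        value = (elem.findtext(NS + "Value") or elem.text or "").strip()
        if value and value != SCRUBBED:
            hidden = (elem.findtext(NS + "PlainText") or "").strip().lower() == "false"
            out.append(where + ("\\".join(path[1:]), "hidden" if hidden else "plaintext"))
        return
    for child in elem:
        _walk(child, path, where, out)

def find_password_settings(xml_text):
    """Return (pass, component, setting path, storage) for each populated password."""
    out = []
    for settings in ET.fromstring(xml_text).iter(NS + "settings"):
        for comp in settings.findall(NS + "component"):
            _walk(comp, [], (settings.get("pass"), comp.get("name")), out)
    return out

print(find_password_settings(SAMPLE))
```

Run it against any unattend.xml still present on the reference machine (for example the copies under C:\Windows\Panther) before capturing the image; an empty list means no populated password settings remain in that file.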
Group Policy
Set "Computer Configuration\Administrative
Templates\Printers\Point and Print Restrictions" to
disabled
Computer Configuration\Windows
Settings\Security Settings\Windows Firewall with
Advanced Security
Configure the Domain Profile settings
Any other preferred firewall settings
Group Policy continued…
Computer Configuration\Administrative Templates\
System/Logon – Don’t display the Getting started
welcome screen at logon
Windows Components/Internet Explorer – Configure new
tab page default behaviour
Windows Components / Internet Explorer – Prevent
performance of first run customize settings
Windows Components / Windows Defender – Turn off
Windows Defender
Group Policy Continued…
User Configuration\Administrative Templates\Windows
Components\Windows Explorer\Common Open File
Dialog – Items displayed in Places Bar
MyComputer, H:\, Desktop, MyDocuments etc
Computer Configuration\Windows Settings\Security
Settings\Wireless Network Policies (If previously only
Windows XP machines)
User Configuration\Administrative Templates\Windows
Components\Windows Logon\Options – Set action to
take when logon hours expire
Group Policy Preferences
Group Policy Preference Client Side Extensions
are needed for XP and Vista – available as a
feature pack in WSUS
Preferences can be applied once, or refreshed
constantly
Overwrites local settings, and doesn’t change them
back – there is an option to remove the setting
upon removal of the policy
Very granular targeting – like WMI query except
user friendly – very easy to use.
Tours???
Questions / demonstrations etc…
Contact Details
Andrew Cullen
Network Manager
Knox Grammar School
[email protected]
(02) 9487 0416