Dealing with Windows 7 Deployment Issues

KMS, SOEs, Sysprep and Group Policy
© The Association of Independent Schools of NSW
Welcome
 Introduction
 Not best practice or complete solution
 Not dealing with deployment solutions
 Windows 7 deployments?
 Challenges?
Windows 7?
Windows 7
Tools for the job
 Windows Automated Installation Kit (WAIK)
 Remote Server Administration Tools (RSAT)
 Sysinternals (Autoruns)
 Deployment Solution (Ghost, Altiris, WDS etc)
SOE Development
 Things I’ve found to help
 Make a checklist & keep it updated
 Doing more through group policy means fewer steps on
each image
 When initially developing images / testing Sysprep
it’s a good idea to take a backup image before
sysprepping
 Any others?
Image Checklist
Installing Windows 7
 We choose to remove the system partition and have
just the one partition
 Remove the boot partition, create a new 100MB partition
in its place, remove the main partition then extend the
partition you just created to the maximum size of the hard
disk.
 Add a technician account (in addition to the
Administrator account)
 Choose ‘Work’ as location. This tweaks network,
firewall and security settings appropriately.
SOE General suggestions / ideas
 Drivers
 Use latest versions of video, network and wireless
 Install others one by one as needed – don’t bloat.
 Unlock the international desktop backgrounds
 mctadmin /a [ AU | CA | GB | US | ZA ]
 Customised logon screen utility
 Win7LogonBackgroundChanger (google it)
 Customised theme packs
Suggestions / ideas continued…
 Enable the local admin account
 Tweak UAC to required level (off)
 Basic Software to include
 Adobe Reader, Shockwave, Flash & Air
 Microsoft Silverlight & DirectX
 Java Runtime
 PDFCreator
 Antivirus
 Codec Pack
 Client management software agent
 Disable Updates (Msconfig/Control Panel/In app)
 Clean up with Autoruns (be careful)
Profile customisation options
 Edit C:\Users\Default directly
 Customise Administrator profile and set
CopyProfile=true in sysprep
 Manually copy profile (unsupported and fiddly)
 Some ideas for profile customisation…
…maybe not…
Profile customisation ideas
 Customise Explorer shortcut default location
 Go to start and type in explorer, don't hit enter, but right
click on Windows Explorer and click properties. Change
the target from “%SystemRoot%\explorer.exe” to
“%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}”. Click apply and then open
the explorer shortcut on the quicklaunch and ensure it
opens to My Computer instead of libraries. (Note, it may
be %windir% instead of %SystemRoot%, if so, keep with
this convention)
 Set chosen theme
 Organise desktop icons
 Customise Explorer favourites
More profile customisation ideas
 Customise Taskbar and IE links bar
 Open all programs and run through Introductory
wizards
 Clean up history / recycle bin etc
 Tidy up icons on desktop
 Tweak local group policy if you don’t want to do it
from the network.
KMS / Activation
 Change product key of your chosen server (Server
2008 R2) to the KMS server key and voila you
have a KMS server supporting Windows 7
 Check the _VLMCS SRV DNS record under the _tcp
subdomain to check for multiple servers
 WAIK has Volume Activation Management Tool
 Minimum of 25 Windows 7 / Vista machines in
order to activate properly, otherwise use an MAK
product key.
 Doesn’t count towards the total if the SkipRearm feature is set.
Manually rearm with ‘slmgr.vbs /rearm’
Slmgr.vbs /dlv on activation server
VAMT 1.2
Sysprep
 Much more complex than XP version
 System Image Manager (SIM) in the WAIK
 Need Windows 7 DVD or the install.wim file
 Create or open an existing answer file
Windows SIM
Answer files
 Broken up into passes – focus on main three
 generalize
 specialize
 oobeSystem
 Set Tools->Hide Sensitive Data to encrypt
passwords
generalize
 Runs in Windows immediately after running
sysprep
 Required / recommended settings are:
 Microsoft-Windows-Security-SPP\SkipRearm = 1
 Microsoft-Windows-PnpSysprep\
PersistAllDeviceInstalls=true
specialize
 Runs at the beginning of the Windows setup after
generalizing (after imaging too usually)
 Required / recommended settings are:
 Microsoft-Windows-Security-SPP-UX_neutral\SkipAutoActivation=true
 Microsoft-Windows-Shell-Setup_neutral
 ComputerName=*
 CopyProfile=false/true
 ProductKey
 ShowWindowsLive=false
specialize continued
 Required / recommended settings are:
 Microsoft-Windows-UnattendedJoin_neutral
 Identification\JoinDomain=domainname.com
 Identification\MachineObjectOU=ou (optional)
 Identification\Credentials\Domain=domainname.com
 Identification\Credentials\Password=userpassword
 Identification\Credentials\Username=username
oobeSystem
 Runs during the Windows ‘Welcome’ section
 Required / recommended settings are:
 Microsoft-Windows-International-Core_neutral
 InputLocale = en-us
 SystemLocale = en-au
 UILanguage = en-au
 UILanguageFallback = en-us
 UserLocale = en-au
oobeSystem continued
 Required / recommended settings are:
 Windows-Shell-Setup_neutral
 RegisteredOrganization
 RegisteredOwner
 TimeZone = AUS Eastern Standard Time
 OOBE\HideEulaPage=true
 OOBE\NetworkLocation=Work
 OOBE\ProtectYourPC=1
 UserAccounts\AdministratorPassword\Value=password
 UserAccounts\LocalAccounts (Add at least 1 and populate
values and password)
Running Sysprep
 sysprep.exe /generalize /oobe /shutdown
/unattend:x:\unattend.xml
 If no xml file specified, it searches multiple places
including C:\Windows\Panther\Unattend\unattend.xml
and removable media etc.
 Copies unattend.xml to
C:\Windows\Panther\unattend.xml and runs from there
(sensitive data deleted after finishing)
 After setup wizard runs, it runs SetupComplete.cmd
from C:\Windows\setup\scripts\ if it exists. This can be
useful for deleting any xml files not wanted on the
image.
Computer Names
 Can’t supply computer name during sysprep AND
join domain properly
 Pre-staging is the supposed solution
 Can automate first login and run a VBScript
 MySysprep2 is an option
Precautions
 Hotfix KB981542
 Take backup image before sysprep
 If using rearm, you can’t sysprep more than 3
times or you’ll brick the image. Without rearm, you
have a limit of 8 times (apparently)
 If you copy the xml file to C: with passwords in it,
be sure to remove it using SetupComplete.cmd file
or another script
 Comments?
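Added example (not part of the original slides): a Python check that lists every password-bearing element left in an answer file, so you can confirm what SetupComplete.cmd has to remove from the Panther locations mentioned above. The function names and the sample XML are constructed for illustration; values marked PlainText=false are reported too, because they are still credentials at rest.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"  # answer-file XML namespace

def audit_answer_file(xml_text):
    """Return (pass, component, element path, plaintext?) per stored password."""
    findings = []
    for settings in ET.fromstring(xml_text).iter(NS + "settings"):
        for comp in settings.iter(NS + "component"):
            _walk(comp, [], (settings.get("pass"), comp.get("name")), findings)
    return findings

def _walk(elem, path, where, findings):
    for child in elem:
        name = child.tag.rsplit("}", 1)[-1]
        if not name.endswith("Password"):
            _walk(child, path + [name], where, findings)
            continue
        # Either <Password>text</Password> (domain-join credentials) or a
        # <Value>/<PlainText> pair (local accounts, AdministratorPassword).
        value = child.findtext(NS + "Value")
        if value is None:
            value = child.text
        if (value or "").strip():
            # PlainText=false only obscures the value; it is still a
            # credential at rest, so it is reported as well.
            plain = (child.findtext(NS + "PlainText") or "true").strip().lower() != "false"
            findings.append(where + ("/".join(path + [name]), plain))

# Constructed sample answer file (placeholder values, not from the slides).
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification><Credentials>
    <Username>joinaccount</Username>
    <Password>CONSTRUCTED-EXAMPLE</Password>
   </Credentials></Identification>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>Q09OU1RSVUNURUQ=</Value>
    <PlainText>false</PlainText>
   </AdministratorPassword></UserAccounts>
  </component>
 </settings>
</unattend>"""

if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE):
        print(finding)
```

Run it against the unattend.xml you pass to sysprep before capturing the image; an empty result means no password values are stored in the file.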
Group Policy
 Set "Computer Configuration\Administrative
Templates\Printers\Point and Print Restrictions" to
disabled
 Computer Configuration\Windows
Settings\Security Settings\Windows Firewall with
Advanced Security
 Configure the Domain Profile settings
 Any other preferred firewall settings
Group Policy continued…
 Computer Configuration\Administrative Templates\
 System/Logon – Don’t display the Getting started
welcome screen at logon
 Windows Components/Internet Explorer – Configure new
tab page default behaviour
 Windows Components / Internet Explorer – Prevent
performance of first run customize settings
 Windows Components / Windows Defender – Turn off
Windows Defender
Group Policy Continued…
 User Configuration\Administrative Templates\Windows
Components\Windows Explorer\Common Open File
Dialog – Items displayed in Places Bar
 MyComputer, H:\, Desktop, MyDocuments etc
 Computer Configuration\Windows Settings\Security
Settings\Wireless Network Policies (If previously only
Windows XP machines)
 User Configuration\Administrative Templates\Windows
Components\Windows Logon\Options – Set action to
take when logon hours expire
Group Policy Preferences
 Group Policy Preference Client Side Extensions
are needed for XP and Vista – available as a
feature pack in WSUS
 Preferences can be applied once, or refreshed
constantly
 Overwrites local settings, and doesn’t change it
back – there is an option to remove the setting
upon removal of the policy
 Very granular targeting – like WMI query except
user friendly – very easy to use.
Tours???
 Questions / demonstrations etc…
Contact Details
Andrew Cullen
Network Manager
Knox Grammar School
cullena@knox.nsw.edu.au
(02) 9487 0416