
Dealing with Windows 7 Deployment Issues


Presentation Transcript


  1. Dealing with Windows 7 Deployment Issues KMS, SOEs, Sysprep and Group Policy

  2. Welcome • Introduction • Not best practice or complete solution • Not dealing with deployment solutions • Windows 7 deployments? • Challenges?

  3. Windows 7?

  4. Windows 7

  5. Tools for the job • Windows Automated Installation Kit (WAIK) • Remote Server Administration Tools (RSAT) • Sysinternals (Autoruns) • Deployment Solution (Ghost, Altiris, WDS etc)

  6. SOE Development • Things I’ve found to help • Make a checklist & keep it updated • Doing more through Group Policy means fewer steps on each image • When initially developing images / testing Sysprep it’s a good idea to take a backup image before sysprepping • Any others?

  7. Image Checklist

  8. Installing Windows 7 • We choose to remove system partition and have the one partition • Remove the boot partition, create a new 100MB partition in its place, remove the main partition then extend the partition you just created to the maximum size of the hard disk. • Add a technician account (in addition to the Administrator account) • Choose ‘Work’ as location. This tweaks network, firewall and security settings appropriately.

  9. SOE General suggestions / ideas • Drivers • Use latest versions of video, network and wireless • Install others one by one as needed – don’t bloat. • Unlock the international desktop backgrounds • mctadmin /a [ AU | CA | GB | US | ZA ] • Customised logon screen utility • Win7LogonBackgroundChanger (google it) • Customised theme packs

  10. Suggestions / ideas continued… • Enable the local admin account • Tweak UAC to required level (off) • Basic Software to include • Adobe Reader, Shockwave, Flash & Air • Microsoft Silverlight & DirectX • Java Runtime • PDFCreator • Antivirus • Codec Pack • Client management software agent • Disable Updates (Msconfig/Control Panel/In app) • Clean up with Autoruns (be careful)

  11. Profile customisation options • Edit C:\Users\Default directly • Customise Administrator profile and set CopyProfile=true in sysprep • Manually copy profile (unsupported and fiddly) • Some ideas for profile customisation…

  12. …maybe not…

  13. Profile customisation ideas • Customise Explorer shortcut default location • Go to start and type in explorer, don't hit enter, but right click on Windows Explorer and click properties. Change the target from “%SystemRoot%\explorer.exe” to “%SystemRoot%\explorer.exe /root,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}”. Click apply and then open the explorer shortcut on the quicklaunch and ensure it opens to My Computer instead of libraries. (Note, it may be %windir% instead of %SystemRoot%, if so, keep with this convention) • Set chosen theme • Organise desktop icons • Customise Explorer favourites

  14. More profile customisation ideas • Customise Taskbar and IE links bar • Open all programs and run through Introductory wizards • Clean up history / recycle bin etc • Tidy up icons on desktop • Tweak local group policy if you don’t want to do it from the network.

  15. KMS / Activation • Change product key of your chosen server (Server 2008 R2) to the KMS server key and voila you have a KMS server supporting Windows 7 • Check the _VLMCS SRV DNS record under the _tcp subdomain to check for multiple servers • WAIK has Volume Activation Management Tool • Minimum of 25 Windows 7 / Vista machines in order to activate properly, otherwise use an MAK product key. • Doesn’t count towards the total if the SkipRearm feature is set. Manually rearm with ‘slmgr.vbs /rearm’

  16. Slmgr.vbs /dlv on activation server

  17. VAMT 1.2

  18. Sysprep • Much more complex than XP version • System Image Manager (SIM) in the WAIK • Need Windows 7 DVD or the install.wim file • Create or open an existing answer file

  19. Windows SIM

  20. Answer files • Broken up into passes – focus on main three • generalize • specialize • oobeSystem • Set Tools->Hide Sensitive Data to encrypt passwords

  21. generalize • Runs in Windows immediately after running sysprep • Required / recommended settings are: • Microsoft-Windows-Security-SPP\SkipRearm = 1 • Microsoft-Windows-PnpSysprep\PersistAllDeviceInstalls=true

  22. specialize • Runs at the beginning of the Windows setup after generalizing (after imaging too usually) • Required / recommended settings are: • Microsoft-Windows-Security-SPP-UX_neutral\SkipAutoActivation=true • Microsoft-Windows-Shell-Setup_neutral • ComputerName=* • CopyProfile=false/true • ProductKey • ShowWindowsLive=false

  23. specialize continued • Required / recommended settings are: • Microsoft-Windows-UnattendedJoin_neutral • Identification\JoinDomain=domainname.com • Identification\MachineObjectOU=ou (optional) • Identification\Credentials\Domain=domainname.com • Identification\Credentials\Password=userpassword • Identification\Credentials\Username=username

  24. oobeSystem • Runs during the Windows ‘Welcome’ section • Required / recommended settings are: • Microsoft-Windows-International-Core_neutral • InputLocale = en-us • SystemLocale = en-au • UILanguage = en-au • UILanguageFallback = en-us • UserLocale = en-au

  25. oobeSystem continued • Required / recommended settings are: • Microsoft-Windows-Shell-Setup_neutral • RegisteredOrganization • RegisteredOwner • TimeZone = AUS Eastern Standard Time • OOBE\HideEulaPage=true • OOBE\NetworkLocation=Work • OOBE\ProtectYourPC=1 • UserAccounts\AdministratorPassword\Value=password • UserAccounts\LocalAccounts (Add at least 1 and populate values and password)

  26. Running Sysprep • sysprep.exe /generalize /oobe /shutdown /unattend:x:\unattend.xml • If no xml file specified, it searches multiple places including C:\Windows\Panther\Unattend\unattend.xml and removable media etc. • Copies unattend.xml to C:\Windows\Panther\unattend.xml and runs from there (sensitive data deleted after finishing) • After setup wizard runs, it runs SetupComplete.cmd from C:\Windows\setup\scripts\ if it exists. This can be useful for deleting any xml files not wanted on the image.

  27. Computer Names • Can’t supply computer name during sysprep AND join domain properly • Pre-staging the supposed solution • Can automate first login and run a VBScript • MySysprep2 is an option

  28. Precautions • Hotfix KB981542 • Take backup image before sysprep • If using rearm, you can’t sysprep more than 3 times or you’ll brick the image. Without rearm, you have a limit of 8 times (apparently) • If you copy the xml file to C: with passwords in it, be sure to remove it using SetupComplete.cmd file or another script • Comments?

  29. Group Policy • Set “Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions” to disabled • Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security • Configure the Domain Profile settings • Any other preferred firewall settings

  30. Group Policy continued… • Computer Configuration\Administrative Templates\ • System/Logon – Don’t display the Getting started welcome screen at logon • Windows Components/Internet Explorer – Configure new tab page default behaviour • Windows Components / Internet Explorer – Prevent performance of first run customize settings • Windows Components / Windows Defender – Turn off Windows Defender

  31. Group Policy Continued… • User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog – Items displayed in Places Bar • MyComputer, H:\, Desktop, MyDocuments etc • Computer Configuration\Windows Settings\Security Settings\Wireless Network Policies (If previously only Windows XP machines) • User Configuration\Administrative Templates\Windows Components\Windows Logon\Options – Set action to take when logon hours expire

  32. Group Policy Preferences

  33. Group Policy Preferences • Group Policy Preference Client Side Extensions are needed for XP and Vista – available as a feature pack in WSUS • Preferences can be applied once, or refreshed constantly • Overwrites local settings, and doesn’t change it back – there is an option to remove the setting upon removal of the policy • Very granular targeting – like WMI query except user friendly – very easy to use.

  34. Tours??? • Questions / demonstrations etc…

  35. Contact Details Andrew Cullen Network Manager Knox Grammar School cullena@knox.nsw.edu.au (02) 9487 0416
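
The answer-file settings in slides 23 and 25 put credentials into unattend.xml, and slide 28 asks for the file to be removed from the image afterwards. The following check is an added example, not part of the original presentation: it parses an answer file and reports every password element that is still recoverable, treating a value hidden by Windows SIM as Base64 over UTF-16LE text (an encoding, not encryption). The sample XML, its account names and its values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}
SECRET_TAGS = {"Password", "AdministratorPassword"}
SCRUBBED = "*SENSITIVE*DATA*DELETED*"  # marker setup writes once it has used a value

# Constructed sample answer file; every value in it is made up.
HIDDEN = base64.b64encode("ConstructedValue".encode("utf-16-le")).decode()
SAMPLE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin"><Identification>
   <Credentials><Domain>domainname.com</Domain><Username>joinuser</Username>
    <Password>ConstructedJoinPw</Password></Credentials>
   <JoinDomain>domainname.com</JoinDomain></Identification></component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup"><UserAccounts>
   <AdministratorPassword><Value>{HIDDEN}</Value><PlainText>false</PlainText>
   </AdministratorPassword></UserAccounts></component>
 </settings>
</unattend>"""

def is_reversible(value):
    """True if value is Base64 over UTF-16LE text, i.e. encoded, not encrypted."""
    try:
        base64.b64decode(value, validate=True).decode("utf-16-le")
        return True
    except ValueError:
        return False

def audit_unattend(xml_text):
    """Return (pass, component, element, storage) for each credential present."""
    findings = []
    for settings in ET.fromstring(xml_text).findall("u:settings", NS):
        for comp in settings.findall("u:component", NS):
            for el in comp.iter():
                tag = el.tag.split("}")[-1]
                if tag not in SECRET_TAGS:
                    continue
                # Passwords are either a bare string or a <Value>/<PlainText> pair.
                value = el.findtext("u:Value", el.text or "", NS).strip()
                if not value or value == SCRUBBED:
                    continue  # nothing recoverable left in this element
                hidden = el.findtext("u:PlainText", "", NS).strip().lower() == "false"
                storage = "base64-reversible" if hidden and is_reversible(value) else "plaintext"
                findings.append((settings.get("pass"), comp.get("name"), tag, storage))
    return findings

if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE):
        print(finding)
```

Run it against C:\Windows\Panther\unattend.xml and any copy left on C: in a mounted image; an empty result means no recoverable password remains in that file.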
