Gullible Jones
Posted January 26, 2016

Hi all... I am trying to figure out how to automatically configure Windows after install. Basically, I want to have a bunch of settings and state changes stored in a script, and all applied in one go. That way I could

- Install Windows 7 or 10 on a PC
- Run the script
- Wait 10-15 minutes
- Reboot into a working desktop with all the configurations applied

For comparison: on Debian or Ubuntu, for a single desktop, I could use a Perl script to

- Enable the firewall bidirectionally, and allow the destination ports I need
- Update the APT database and installed packages
- Install GCC, Fluxbox, git, and a bunch of other stuff
- Minimize the initramfs, and disable the GRUB splash screen
- Edit the filesystem mount options (noatime, etc.)
- Enable an AppArmor profile for Firefox
- Disable some services I don't need (Bluetooth, etc.)
- Maybe clone, compile, and install some software from Git repositories

I've done this. It's easy. I can run the script, and in ten minutes I have a desktop to my specifications.

But with Windows, it's all confused. I know VBScript and (preferably?) JScript can be used for a lot of stuff, but it's often not obvious how to do some very basic tasks. e.g.

I want to update the OS in a speedy manner. On Ubuntu: apt-get -qqy update, apt-get -qqy upgrade. On Windows: beats me. I can use wuauctl and force a Windows update, but that drags in everything; resolving dependencies can literally take 12 hours or more. I would like to get a list of only the most critical security fixes, and install those; and let Windows Update do the rest of the work later. No idea how though, I think it would involve a Microsoft web API and parsing a lot of XML?

I want to harden the firewall configuration. On Ubuntu: use the ufw command line interface, or somesuch; or install your own iptables config. On Windows: well, I can make the firewall load some exported XML profiles, I think?

I want to install a bunch of software. On Ubuntu: apt-get install whatever. Or download, check that the signatures/checksums are right, and build. On Windows: Uhh... Download with FTP or a JScript/VBScript object? No idea how to verify the sigs or checksums, out of the box. One could always package a bunch of EXE installers with the script, but that gets obsolete fast.

Anyway I've Googled around for a lot of this stuff, but it's not really shown up. Microsoft's own documentation is... rather lacking, IMO, especially when it comes to useful examples. What's SOP for Windows sysadmins? Is this stuff documented in detail anywhere?

Also, just a note - for desktops, the usual thing I've seen recommended is slipstreaming install media. This is a nice idea, but rather time intensive. I personally prefer Windows Sysprep and partition cloning, if I'm going to have to install Windows twice anyway... But a scripting solution would be hugely preferable.
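Added example, not code from any poster in this thread: a PowerShell script that does the "only the most critical security fixes" step the original post asks about, using the Windows Update Agent COM API (Microsoft.Update.Session) rather than a web service or XML parsing. It assumes an elevated PowerShell prompt and a machine that can reach Windows Update or a WSUS server; the severity filter and the -WhatIf switch are the script's own conventions.

```powershell
# Added example (not from the thread): search pending updates through the
# Windows Update Agent COM API and install only those Microsoft rates as
# 'Critical' (MSRC severity). Everything else is left for Windows Update
# to handle later. Run from an elevated prompt on Windows 7 or 10.
param(
    [string[]]$Severities = @('Critical'),   # add 'Important' to widen the set
    [switch]$WhatIf                          # list only, install nothing
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Software updates that are not installed and not hidden by the user.
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$selected = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $pending) {
    $kb  = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    # MsrcSeverity is empty for non-security updates (drivers, feature packs).
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    if ($Severities -contains $u.MsrcSeverity) {
        Write-Host ("[select] {0,-9} {1,-12} {2}" -f $sev, $kb, $u.Title)
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$selected.Add($u)
    } else {
        Write-Host ("[defer ] {0,-9} {1,-12} {2}" -f $sev, $kb, $u.Title)
    }
}

if ($selected.Count -eq 0) { Write-Host 'Nothing pending at the requested severity.'; return }
if ($WhatIf) { return }

# Download, then install, only the selected collection.
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $selected
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $selected
$result = $installer.Install()

# ResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed, 5 = Aborted.
Write-Host ("Install result code: {0}; reboot required: {1}" -f $result.ResultCode, $result.RebootRequired)
if ($result.RebootRequired) { Write-Host 'Reboot to finish applying the updates.' }
```

Run it once with -WhatIf to see what the filter would pick before letting it install anything; the deferred lines show what is being left for the normal Windows Update pass.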
Clirion
Posted January 26, 2016

MDT (Microsoft Deployment Toolkit). This is what I use at home to deploy systems. We do it for a lot of machines at the office as well (those that are not VDI based). At home I use a file share on my NAS to store the OS I want to install and set up the systems as I want, including software to be installed upon deployment. You can also set up a base image to be done, capture it, and then deploy that with updates during the process. It has most of the scripting compiled for you already and it is free to use.

Microsoft Deployment Toolkit
Gullible Jones (Author)
Posted January 27, 2016

@Clirion Thanks... I'm reading the MDT docs at the moment. I'm not sure this is what I want though; it doesn't look like a big improvement on using a VM and sysprep, for my purposes.

For the record, my earlier method was to:

1. Create a Win7 Virtualbox VM on my fastest machine, sysprep it, and start upgrading/installing/etc.
2. Finish sysprep, shut down the VM, convert the VDI to raw format
3. Compress the raw image with gzip

Deployment consisted of writing the image to a laptop's hard disk, fixing up the partitions as needed, and rebooting. I could probably streamline the process a bit, by using qemu-img or such to write the VDI directly, eliminating the need to convert and gzip it...

But there are scalability problems in any case. Mostly that the original set of updates gets obsolete really fast. Deploy the same image a couple months later, and I have to wait hours again for the updates to complete. (Thus the desire for a fetch-the-most-critical-updates-first script.)

Eh... Maybe I'm just barking up the wrong tree here.
binaryzero
Posted January 27, 2016 (edited)

MDT, or set yourself up a PXE server. This isn't rocket science, I do this on a daily basis. Simply build an unattended.xml file using MDT with all the configurations you want. Or install Windows on your machine, get it the way you want, take a snapshot and revert to that. Microsoft has given PLENTY of documentation on how to image or deploy a baseline image.

Edited January 27, 2016 by Jared-
binaryzero
Posted January 27, 2016 (edited)

Also look into ConfigMgr, that will help. http://prajwaldesai.com/deploying-sccm-2012-part-14-build-and-capture-windows-7-64-bit/ same process for other systems.
Clirion
Posted January 27, 2016

15 hours ago, Gullible Jones said:

> @Clirion Thanks... I'm reading the MDT docs at the moment. I'm not sure this is what I want though; it doesn't look like a big improvement on using a VM and sysprep, for my purposes.
>
> For the record, my earlier method was to:
>
> 1. Create a Win7 Virtualbox VM on my fastest machine, sysprep it, and start upgrading/installing/etc.
> 2. Finish sysprep, shut down the VM, convert the VDI to raw format
> 3. Compress the raw image with gzip
>
> Deployment consisted of writing the image to a laptop's hard disk, fixing up the partitions as needed, and rebooting. I could probably streamline the process a bit, by using qemu-img or such to write the VDI directly, eliminating the need to convert and gzip it...
>
> But there are scalability problems in any case. Mostly that the original set of updates gets obsolete really fast. Deploy the same image a couple months later, and I have to wait hours again for the updates to complete. (Thus the desire for a fetch-the-most-critical-updates-first script.)
>
> Eh... Maybe I'm just barking up the wrong tree here.

Jared has a couple of points with manager, however, MDT will go fetch the updates as part of the deployment process. You can always go grab that portion of the scripting as well if you want to implement it.