DON'T REINVENT THE COW

This is a place for Systems Administrators and IT Professionals to find and share ideas, solutions and templates. If you have something that helps you solve a problem, chances are it will help someone else too. So pay it forward and send an email to TheAgreeableCow at gmail. Full mudos to you!

Saturday 1 February 2014

Deploying and Customising Windows 8.1 using SCCM, Group Policy and Powershell

It was a bold direction Microsoft took with the interface changes in Windows 8. One that has has caused much discussion in the IT ranks. The changes in Windows 8.1 come a long way to resolve the technical limitations many people found with the original release. I don't want to delve into this argument as there are better forums for doing so. Suffice to say that some companies, like mine, are pushing ahead with Windows 8.1 and this article aims to capture some of the techniques, tips and tricks we used to do so.

Any System Administrator worth their salt will know what will fly in their company and what won't. To ease the impact of change on our staff, I like to 'tick-tock' between Operating System and Core Application upgrades, when I do a new Standard Operating Environment (SOE). I had just finished a 'tock' cycle which was focusing on new core applications such as Office, Acrobat, Lync as well as upgrades to our specific Practice and Document Management software. So this environment upgrade was only going to focus on a change to the OS and more specifically, just for laptops and tablets where I feel that Windows 8.1 truly shines.

Systems Center Configuration Manager (SCCM) Task Sequence


I'll have to assume that my audience is somewhat proficient with SCCM, so I will just focus on some of the more specific techniques used with this SOE release. As a minimum, you'll need to ensure that your're pretty up to date with your SCCM version, ADK and patches.

Our target devices were all Dell and included a Venue Pro 11 tablet as well as Latitude 12 and Latitude 14 laptops. It's well worth investing some time getting your driver libraries sorted, so if you're a Dell shop head on over to their Enterprise Client Wiki.

Here's a high level overview of the current task sequence we're using. Where possible, I avoid the use of a "Golden Image" and aim for a complete and flexible build from the original Windows 8.1 ISO.


Copy SXS source files to local computer

Having some OS source files available on your local hard disk makes updates, such as .NET 3.5 much easier. We simply created a Package which was the ISO's SXS directory. Then run the following command line sequence, linked to that package.




xcopy ".\*.*" "C:\Windows\Support\" /D /E /C /I /Q /H /R /Y /S
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:c:\Windows\Support\sxs


Removing default apps

There are some apps that you just cannot remove from Windows 8.1 (such as the camera). However, there are quite a few that your can. We do  this via a powershell script.



$AppList = "Microsoft.BingFinance",
           "Microsoft.BingFoodAndDrink",
           "Microsoft.BingHealthAndFitness",
           "Microsoft.BingMaps",
           "Microsoft.BingNews",
           "Microsoft.BingSports",
           "Microsoft.BingTravel",
           "Microsoft.BingWeather",
           "Microsoft.HelpAndTips",
           "Microsoft.Reader",
           "Microsoft.SkypeApp",
           "Microsoft.WindowsAlarms",
           "Microsoft.WindowsCalculator",
           "microsoft.windowscommunicationsapps",
           "Microsoft.WindowsReadingList",
           "Microsoft.WindowsScan",
           "Microsoft.WindowsSoundRecorder",
           "Microsoft.XboxLIVEGames",
           "Microsoft.ZuneMusic",
           "Microsoft.ZuneVideo",
     "Microsoft.WindowsPhotos",
     "Microsoft.MoCamera"

ForEach ($App in $AppList) {
   $AppxPackage = Get-AppxProvisionedPackage -online | Where {$_.DisplayName -eq $App}
   Remove-AppxProvisionedPackage -online -packagename ($AppxPackage.PackageName)
   Remove-AppxPackage ($AppxPackage.PackageName)
}


 Copy a Start Screen layout to the default user profile

Using a test device, create the Start screen layout that you're looking for (grouping, naming etc). Then grab the %AppData%\Local\Microsoft\Windows\AppsFolderLayout.bin file and drop it in a package for deployment to the default user profile.



xcopy ".\*.*" "C:\Users\Default\AppData\Local\Microsoft\Windows" /D /E /C /I /Q /H /R /Y /S


Create and Import Customised Tiles

We used a Windows 8 app called Obly Tile to create a series of new start screen tiles for our core company applications and intranet sites. Along with the previous two steps, the end results gives us a very streamlined Start Screen with familiar icons for users. Once you have created your titles, create a package out of the Obly Tile application, source folder structure it creates and an use a simple batch script to copy into the default Start Menu



if not exist "C:\Program Files\OblyTile" md "C:\Program Files\OblyTile" 
xcopy "OblyTile\*.*" "C:\Program Files\OblyTile" /s /y
xcopy "Start Menu\*.*" "C:\ProgramData\Microsoft\Windows\Start Menu" /s /y


Application Association

Some file types, such a JPEGs for example, may be associated with apps that you don't want to use. One way to update this is by updating the associations first on a test device, then exporting the AppAssoc.xml file. NB. This only works for new user profiles on that device.

"dism /online /Export-DefaultAppAssociations:C:\temp\AppAssoc.xml"

Add the xml file and batch file to import it into to your package.

"dism /online /Import-DefaultAppAssociations:AppAssoc.xml"


Group Policy

Once the machine has been deployed we implement a number of Group Policy settings to customise our final image. Every company is different, so these are just what works for us.

We typically have three Computer Policies; one for all SOE computers, then one each for the handful of special tweaks relating to either Windows 7 or Windows 8. Make sure you grab the latest Windows 8.1 ADMX files from a test build and import into Active Directory GP.

Separate Windows 7 and Windows 8 Profiles

There can be some potential corruptions between the two profile version, plus we wanted new profiles to ensure we got a consistent Start Screen experience for new users. Most of the users items such as Desktop, Favorites, My Documents etc are taken care of with Folder redirection. So by using the technique below, we were able to create separate profiles for our users, allowing them to switch back and forth between Windows 7 desktops and Windows 8 tablets and laptops.

In both the Windows 7 and Windows 8 Group Policies create a System Environment Variable (Preferences | Windows Settings | Environment Variables) and called in OSVer, with a Value of Win7 or Win8 respectively.

Then in Active Directly, set up their profile path to use the variable.

\\userfiles\home$\johnsmith\%OSVer%

Computer Policies

Force Internet Explorer to open in Desktop mode
Windows Components/Internet Explorer/Internet Settings
Set how links are opened in Internet Explorer =  Always in Internet Explorer

Disable SkyDrive
Windows Components/SkyDrive
Prevent the usage of SkyDrive for file storage =  Enabled  

Disable Windows Store
Windows Components/Store
Turn off the Store application = Enabled 


Allow local powershell scripts to run (eg logon.ps1 script)
Windows Components/Windows PowerShell
Turn on Script Execution = Enabled  
Execution Policy Allow local scripts and remote signed scripts 


Computer Preferences

Remove First Use Animation
EnableFirstLogonAnimation
Action Create 
PropertiesHive HKEY_LOCAL_MACHINE 
Key path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 
Value name EnableFirstLogonAnimation 
Value type REG_DWORD 
Value data 0x0 (0) 

User Policies

Disable Edge Help Tips
Windows Components/Edge UIhide
Disable help tips Enabled

Disable IE SPDY/3 network protocol
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow Internet Explorer to use the SPDY/3 network protocol Disabled

User Preferences

Boot to Desktop
OpenAtLogon
Action Replace 
PropertiesHive HKEY_CURRENT_USER 
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ 
Value name OpenAtLogon 
Value type REG_DWORD 
Value data 0x0 (0) 

Disable DPI Scaling
Win8DpiScaling
Action Replace 
PropertiesHive HKEY_CURRENT_USER 
Key path Control Panel\Desktop 
Value name Win8DpiScaling 
Value type REG_DWORD 
Value data 0x1 (1)  


Set DPI pixels


LogPixels
Action Replace 
PropertiesHive HKEY_CURRENT_USER 
Key path Control Panel\Desktop 
Value name LogPixels 
Value type REG_DWORD 
Value data 0x60 (96)


This is probably going to be an ongoing project and I'm sure others have some great tips, so I'l keep updating as they come in.

 Cheers,
         (__)
         (oo)  ok
   /------\/  /
  / |    ||
 *  /\---/\
    ^^   ^^