Any System Administrator worth their salt will know what will fly in their company and what won't. To ease the impact of change on our staff, I like to 'tick-tock' between Operating System and Core Application upgrades, when I do a new Standard Operating Environment (SOE). I had just finished a 'tock' cycle which was focusing on new core applications such as Office, Acrobat, Lync as well as upgrades to our specific Practice and Document Management software. So this environment upgrade was only going to focus on a change to the OS and more specifically, just for laptops and tablets where I feel that Windows 8.1 truly shines.
Systems Center Configuration Manager (SCCM) Task Sequence
I'll have to assume that my audience is somewhat proficient with SCCM, so I will just focus on some of the more specific techniques used with this SOE release. As a minimum, you'll need to ensure that your're pretty up to date with your SCCM version, ADK and patches.
Our target devices were all Dell and included a Venue Pro 11 tablet as well as Latitude 12 and Latitude 14 laptops. It's well worth investing some time getting your driver libraries sorted, so if you're a Dell shop head on over to their Enterprise Client Wiki.
Here's a high level overview of the current task sequence we're using. Where possible, I avoid the use of a "Golden Image" and aim for a complete and flexible build from the original Windows 8.1 ISO.
Copy SXS source files to local computer
Having some OS source files available on your local hard disk makes updates, such as .NET 3.5 much easier. We simply created a Package which was the ISO's SXS directory. Then run the following command line sequence, linked to that package.
xcopy ".\*.*" "C:\Windows\Support\" /D /E /C /I /Q /H /R /Y /S
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:c:\Windows\Support\sxs
There are some apps that you just cannot remove from Windows 8.1 (such as the camera). However, there are quite a few that your can. We do this via a powershell script.
$AppList = "Microsoft.BingFinance",
"Microsoft.BingFoodAndDrink",
"Microsoft.BingHealthAndFitness",
"Microsoft.BingMaps",
"Microsoft.BingNews",
"Microsoft.BingSports",
"Microsoft.BingTravel",
"Microsoft.BingWeather",
"Microsoft.HelpAndTips",
"Microsoft.Reader",
"Microsoft.SkypeApp",
"Microsoft.WindowsAlarms",
"Microsoft.WindowsCalculator",
"microsoft.windowscommunicationsapps",
"Microsoft.WindowsReadingList",
"Microsoft.WindowsScan",
"Microsoft.WindowsSoundRecorder",
"Microsoft.XboxLIVEGames",
"Microsoft.ZuneMusic",
"Microsoft.ZuneVideo",
"Microsoft.WindowsPhotos",
"Microsoft.MoCamera"
ForEach ($App in $AppList) {
$AppxPackage = Get-AppxProvisionedPackage -online | Where {$_.DisplayName -eq $App}
Remove-AppxProvisionedPackage -online -packagename ($AppxPackage.PackageName)
Remove-AppxPackage ($AppxPackage.PackageName)
}
Copy a Start Screen layout to the default user profile
Using a test device, create the Start screen layout that you're looking for (grouping, naming etc). Then grab the %AppData%\Local\Microsoft\Windows\AppsFolderLayout.bin file and drop it in a package for deployment to the default user profile.
xcopy ".\*.*" "C:\Users\Default\AppData\Local\Microsoft\Windows" /D /E /C /I /Q /H /R /Y /S
Create and Import Customised Tiles
We used a Windows 8 app called Obly Tile to create a series of new start screen tiles for our core company applications and intranet sites. Along with the previous two steps, the end results gives us a very streamlined Start Screen with familiar icons for users. Once you have created your titles, create a package out of the Obly Tile application, source folder structure it creates and an use a simple batch script to copy into the default Start Menu
if not exist "C:\Program Files\OblyTile" md "C:\Program Files\OblyTile"
xcopy "OblyTile\*.*" "C:\Program Files\OblyTile" /s /y
xcopy "Start Menu\*.*" "C:\ProgramData\Microsoft\Windows\Start Menu" /s /y
Application Association
Some file types, such a JPEGs for example, may be associated with apps that you don't want to use. One way to update this is by updating the associations first on a test device, then exporting the AppAssoc.xml file. NB. This only works for new user profiles on that device.
"dism /online /Export-DefaultAppAssociations:C:\temp\AppAssoc.xml"
"dism /online /Import-DefaultAppAssociations:AppAssoc.xml"
Group Policy
Once the machine has been deployed we implement a number of Group Policy settings to customise our final image. Every company is different, so these are just what works for us.We typically have three Computer Policies; one for all SOE computers, then one each for the handful of special tweaks relating to either Windows 7 or Windows 8. Make sure you grab the latest Windows 8.1 ADMX files from a test build and import into Active Directory GP.
Separate Windows 7 and Windows 8 Profiles
There can be some potential corruptions between the two profile version, plus we wanted new profiles to ensure we got a consistent Start Screen experience for new users. Most of the users items such as Desktop, Favorites, My Documents etc are taken care of with Folder redirection. So by using the technique below, we were able to create separate profiles for our users, allowing them to switch back and forth between Windows 7 desktops and Windows 8 tablets and laptops.
In both the Windows 7 and Windows 8 Group Policies create a System Environment Variable (Preferences | Windows Settings | Environment Variables) and called in OSVer, with a Value of Win7 or Win8 respectively.
Then in Active Directly, set up their profile path to use the variable.
\\userfiles\home$\johnsmith\%OSVer%
Force Internet Explorer to open in Desktop mode
Windows Components/Internet Explorer/Internet Settings
Set how links are opened in Internet Explorer = Always in Internet Explorer
Disable SkyDrive
Windows Components/SkyDrive
Prevent the usage of SkyDrive for file storage = Enabled
Disable Windows Store
Windows Components/Store
Turn off the Store application = Enabled
Allow local powershell scripts to run (eg logon.ps1 script)
Windows Components/Windows PowerShell
Turn on Script Execution = Enabled
Execution Policy Allow local scripts and remote signed scripts
Remove First Use Animation
EnableFirstLogonAnimation
Action Create
PropertiesHive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name EnableFirstLogonAnimation
Value type REG_DWORD
Value data 0x0 (0)
Disable Edge Help Tips
Windows Components/Edge UIhide
Disable help tips Enabled
Disable IE SPDY/3 network protocol
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Allow Internet Explorer to use the SPDY/3 network protocol Disabled
Boot to Desktop
OpenAtLogon
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\
Value name OpenAtLogon
Value type REG_DWORD
Value data 0x0 (0)
Disable DPI Scaling
Win8DpiScaling
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Control Panel\Desktop
Value name Win8DpiScaling
Value type REG_DWORD
Value data 0x1 (1)
Set DPI pixels
LogPixels
Action Replace
PropertiesHive HKEY_CURRENT_USER
Key path Control Panel\Desktop
Value name LogPixels
Value type REG_DWORD
Value data 0x60 (96)
Cheers,
(__)
(oo) ok
/------\/ /
/ | ||
* /\---/\
^^ ^^