ConfigMgr Task Sequence Collection

This is my "Clip Show" blog post, but hopefully you still find it useful.

I've been building out a Task Sequence that is just a collection of Task Sequence sections, or handy steps.  I'll use this TS to pull sections from when I create new Task Sequences, and add / modify as I test in "Real" deployment Task Sequences. DOWNLOAD HERE

*Note: this is not an actual Deployment TS; it's meant to be imported and then have parts copied into your own TS.  All content, including some not used directly in this TS, is included.

I have several sections, also a few handy steps for pause, wait, copying CMTrace local, and so on.  Many of these are borrowed from great community leaders such as Mike Terrill, Jason Sandys, Jörgen Nilsson, Mark Godfrey, and others (Sorry if I missed anyone)

  • Power Settings, CCMEXEC Change & Revert - This section will grab your current power settings, place in variable, set system to high performance, then restore them at the end of your TS.  It also has steps for changing the CCMEXEC service to auto start, instead of delayed, and back.
  • Upgrade Lockscreen - This section will change your lockscreen, designed for the Win10 In place upgrades.
  • User Lockouts - This section will use local group policy to block any users, either via AD Group, or users from local machine
  • AutoLogon - This adds account and keys for auto logon (for testing in lab)
  • Enable Mouse Support - This will enable the mouse cursor in the Windows 10 TS after WinPE steps are complete.
  • Windows 10 Tweaks - Several sub-sections of Customization gathered over the past years, many demo'd @ MMS2017

Power Settings info: https://garytown.com/change-and-restore-power-plan-during-ts


CCMExec Service to Auto & Back:

Upgrade LockScreen & User Lockout : https://garytown.com/change-lock-screen-image-during-upgrade-ts
I’ve made a few modifications since the post about this, moving the cleanup to a scheduled task that runs during the upgrade, deleting the Lock Screen images / keys and cleaning up the locked-out users so they can log back in afterwards.  It will also clean up the scheduled tasks.  I’ve left in the steps for you to add after the upgrade to do clean up as well, leaving you many options on how to implement this idea.  Each step has detailed notes in the descriptions.


 

AutoLogon: https://garytown.com/configmgr-osd-lab-add-autologon-account
Nothing changed from the blog post, just a reminder, don’t do this in production.

 

Enable Mouse Support: https://garytown.com/enable-mouse-support-in-win10-osd-during-state-restore
or Microsoft's Official Post 13 days later: https://blogs.technet.microsoft.com

Enable

Reset (Disable)

 

Windows 10 Customizations / Tweaks

SetOSDInfo: https://home.configmgrftw.com/configmgr-osd-information-script/

Most of this section is straight from MMS: https://garytown.com/windows-10-customizations-mms2017-demos
Windows 10 Features, enable or disable some “features” in win10
OEM Info, allows you to set the information that is displayed in “System”
Explorer Tweaks – Covers things that modify things displayed on Desktop or Explorer


Group Branding includes changing the Lock Screen, Wall Papers, User Icons, Start Menu
Default Profile are tweaks that apply only at the user level, so these are added to the default profile.


Remove Default Apps, either a script to remove everything (That is specified in the script, not actually everything) at once, or a line by line option to be granular.

Change Lock Screen & lockout users during Upgrade TS

Update: 2017.09.26 - Was able to take advantage of local group policy bypassing the need to talk with your Group Policy Team.  You can do it all in the TS..  Go to bottom to see how..
- Updated info again on 2017.10.13 here (includes updated download): https://garytown.com/configmgr-task-sequence-collection

Original Post: 2017.09.15:
What: Changing the Lock Screen Image to warn end user that the system is performing upgrade, also preventing users from logging on during TS.

Why: So users don’t call upset when they logon to a computer then get rebooted when the TS reaches that point. (For those groups whose users don’t read all of the communications about their machines updating)

How: Downloading Pre-created Images, setting registry keys, and to lock out users, that requires a little help from group policy (1 time setup)

Back story: ProgressUI does not display on computers unless a user is logged on.  If the process starts at its deadline and no one is logged on, it will start running the task sequence with no visible signs until it reboots into setup, and the user sees the Windows 10 Setup screen.  Let's say the TS has started, and it’s in the middle of downloading the content, which can take a while on a slow link.  The user starts to do work (watch cat videos), and then finally sees a message pop up saying "computer will reboot in 60 seconds, you’re welcome". They won’t be so happy. Worse yet, they look away for a couple of minutes, or are grabbing their coffee, and come back to find their computer rebooting to setup.   How can we draw more attention to the fact that the computer is doing something? How about making a bold lock screen image warning the user of the upgrade, or even preventing them from logging on.
Here is a picture, the PC was logged into during the TS, the User has no idea it’s in the setup.exe phase of the TS, going to reboot them in a few minutes.  This is what we’re trying to avoid.

Lock Screen is pretty easy, I have a couple steps in the beginning of the TS that downloads the files I need to a local folder, then deletes them at the end.

I have this same process repeated several times, before different large steps.  In my Example, I update the Security Software, which takes 20 minutes, so I have a custom lock screen image saying it’s updating Security Software.

I then repeat the process after the Security software is installed, and change the Image to say “Upgrading Windows OS”, which will be there until it reboots into setup.  At the end, I delete the registry keys allowing the original settings to take over and original lock screen image to return. (If you’re using the registry keys to apply a custom image, just set it back to what it was before, you could easily capture that key into a variable, then set it back at the end, or manually add it if everyone is the same, or have group policy fix it later)

Please modify steps to fit your environment, file names / location are only for example.

  1. Make Temp Folder for OSD Stuff
    1. cmd.exe /c if Not Exist "%programdata%\OSDReqs\" (md %programdata%\OSDReqs)
  2. Copy Background Images (From your package with custom backgrounds)
    1. Package Contents: - Download Mine HERE
    2. xcopy OSDImages\*.jpg %programdata%\OSDReqs /Y
  3. Update Lock Screen Image Group (Only set to run if no one is logged on)
    1. WMI Query: select * from win32_computersystem where username is NULL
    2. Set Image 1 (Security Apps) – Modify the ImageName to match your needs.
      1. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /V LockScreenImage /T REG_SZ /D C:\ProgramData\OSDReqs\ImageBackGroundRed-DoNotLogonSecurity.jpg /F
    3. Tweak - Delete Legal Notice on Logon (1 of 2) –Optional – Removes the Legal Notice
      1. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f
    4. Tweak - Delete Legal Notice on Logon (2 of 2) –Optional – Removes the Legal Notice
      1. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f
    5. Stop Process -Name WinLogon (Forces LockScreen to refresh.)
      1. powershell.exe "if((Get-WmiObject win32_computersystem).username -eq $null) {Stop-Process -Name winlogon -Force -Verbose}"
    6. Wait 5 seconds – Allows time for the Lockscreen to refresh before continuing. – Optional
      1. powershell.exe "Start-Sleep -seconds 5"

As for the locking out of users so they can’t log on, here is how I did that in my lab.

I created a group policy called “Deny Logon Locally” - TechNet

  1. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  2. Set Deny logon Locally to "DenyLogonLocally" (Which is the group we’re going to create in the TS)

During the TS, I create a local group called "DenyLogonLocally" and populate it with all of the users who have logged onto the local computer (Thanks @keithga1) for the powershell code.

  1. Create Local Group DenyLogonLocally
    1. net localgroup DenyLogonLocally /add
    2. Set continue on error (it will error if you already have the group on your machine) – Recommend NOT deleting when done, but leaving for all future upgrades.  I had issues when I deleted it and recreated it, the policy didn’t take on the recreated group even with the same name.
    3. I had considered having an AD Group of all Domain Users (that were not admin accounts), but then you have one more group to manage in AD, so I decided against that. – that’s my greyed out step. - Note, I added a section at the end to show that I did set this up.
  2. Add Accounts to DenyLogonLocally – This will grab all of the accounts that have logged onto the machine, and populate them into the local group (You can specify accounts you don’t want included)
    1. Code: (Copy and paste it all, it is just one long line of code, thanks Keith) - Change the -notmatch area with your tech accounts

      Here shows the group after the script has run, both accounts garytown & cmadmin have logged on to this machine, but only garytown has been added.
  3. Remove Deny Logon Locally Group Membership – placed near the end in your clean up section, and in the roll back section, so if the upgrade fails, it will remove the users from that group, allowing them to log on again
    1. Code:

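One way to implement steps 2 and 3 above, as an added example and not the author's one-line script: it treats every account with a profile on the machine as "has logged on", skips anything matching the exclusion pattern, adds the rest to DenyLogonLocally, and later empties the group without deleting it. The ProfileList lookup, the function names, the `-Mode` parameter and the exclusion pattern are assumptions; cmadmin is the tech account from the example above.

```powershell
# Added example, not the author's script. Runs as SYSTEM inside the TS, or from an elevated prompt.
param([ValidateSet('Lock', 'Unlock')][string]$Mode = 'Lock')

$GroupName = 'DenyLogonLocally'        # local group created in step 1 on this page
$Exclude   = 'cmadmin|Administrator'   # regex of tech/admin accounts to leave alone (placeholder, edit it)

function Get-LoggedOnAccounts {
    # Assumption: an account "has logged on" if it has a profile registered in ProfileList.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($k in Get-ChildItem -Path $key) {
        $sid = $k.PSChildName
        if ($sid -notmatch '^S-1-5-21-') { continue }   # skip SYSTEM, LOCAL SERVICE, NETWORK SERVICE
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $obj.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\user or COMPUTER\user
        } catch {
            # Deleted accounts and unreachable domains leave SIDs that cannot be translated.
            Write-Warning "Skipping unresolvable SID $sid"
        }
    }
}

function Add-DenyLogonMembers {
    $added = @()
    foreach ($acct in (Get-LoggedOnAccounts | Where-Object { $_ -notmatch $Exclude })) {
        & net.exe localgroup $GroupName $acct /add 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) { $added += $acct }    # non-zero includes "already a member"
    }
    $added
}

function Remove-DenyLogonMembers {
    # Empties the group but keeps the group itself, as recommended in step 1.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $removed = @()
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [void]$group.psbase.Invoke('Remove', $path)
        $removed += $path
    }
    $removed
}

if ($Mode -eq 'Lock') {
    Add-DenyLogonMembers    | ForEach-Object { "Blocked:  $_" }
} else {
    Remove-DenyLogonMembers | ForEach-Object { "Released: $_" }
}
```

Run it with `-Mode Lock` early in the TS and with `-Mode Unlock` in both the cleanup and the rollback sections, so a failed upgrade does not leave users locked out.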

Note, do NOT kill the winlogon.exe after the setup.exe phase, bad things happen.. like it stops your TS (No errors thrown).
In the image above, you can see the "Stop Process -Name Winlogon" Step, disable / delete that.
You honestly don't need it after the setup.exe anyway, rest of the TS will be visible to your users.  After you delete the keys and clean up the images, everything will go back to how it was before once the system reboots at the end of the TS.

Hopefully this is helpful for you, not saying it’s the best or only, I’ve seen a lot of people blogging about similar things during an OSD TS, but I haven’t found much for in-place upgrade TS, so I’ve posted this.

NOTE: Sometimes the Lock Screen is buggy not showing the Lock Screen image, I’ve seen this on countless tests, I believe it is a known bug, so hopefully this gets resolved in the future.  In my last test, I changed the Background after the setup stage, but it just stayed a solid color blue, didn’t actually load the background.  This is why it’s great if you can prevent logon until the TS is complete.

I’ve also been considering replacing the default “Upgrade Operating System” step with a run command line step and removing the /quiet switch.  If we don’t want users logged on, then having the UI display will assist with getting them to not be logged on, right?  Well, I still have to test this idea, if it pans out, I’ll share.

Updated 9/18 to show adding a domain group to control lock out.

In Active Directory, I created a group "DenyLogonLocallyTemp" and added all of the user accounts that I want to deny access.  This is where nested groups would be best.  Just make sure you don't have any of the tech / admin accounts in any of those groups.

Above shows the Machine after the steps "Add Domain Deny Group to Local" & "Add Accounts to DenyLogonLocally" have both run.  The Domain group was added by the first step, and the individual user by the second.  This is for demo purposes, you can pick one or the other, or both, depending on your scenarios.

Step: net localgroup DenyLogonLocally /add DOMAIN\DenyLogonLocallyTemp

Update 2017.09.26 - Update to use Local Group Policy:
Using secedit.exe, we can import an inf file for this policy.  The issue I ran into is that secedit uses the SID of the user group, not the display name, and if you make a local account, the SID will be different on each machine, so I needed a way to dynamically update the inf file with the correct SID.  So I came up with the idea of having a script that would create the local group, grab the SID, build the inf file from scratch, and use the SID of the newly created group.  Then the script runs secedit with the contents of the inf file. (Thanks to Keith again for the assist on creating the Code).
Replace Create Local Group DenyLogonLocally with a new PowerShell Script Step:
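One way to write that script step, as an added example and not the author's or Keith's code: it creates the group, resolves its SID, and imports an inf that assigns "Deny log on locally" with secedit. Unlike the build-from-scratch approach described above, it first exports the current user rights and merges the new SID into the existing list, because importing the right replaces whatever was assigned before. The file names are assumptions; the folder is the OSDReqs folder used earlier on this page.

```powershell
# Added example, not the author's script. Must run elevated (the TS runs as SYSTEM).
$GroupName = 'DenyLogonLocally'                              # group name used on this page
$WorkDir   = Join-Path $env:ProgramData 'OSDReqs'            # temp folder created earlier in the TS
$Current   = Join-Path $WorkDir 'UserRights-Current.inf'     # hypothetical file names
$NewInf    = Join-Path $WorkDir 'DenyLogonLocally.inf'
$Db        = Join-Path $WorkDir 'DenyLogonLocally.sdb'

if (-not (Test-Path $WorkDir)) { New-Item -Path $WorkDir -ItemType Directory | Out-Null }

# 1. Create the local group only if it does not exist yet (net.exe is present on every Windows version).
& net.exe localgroup $GroupName 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net.exe localgroup $GroupName /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create local group $GroupName" }
}

# 2. Resolve the group to its SID; this value is different on every machine.
$account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $GroupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the current user rights and read who is already denied local logon.
& secedit.exe /export /cfg $Current /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

$existing = @()
$line = Get-Content -Path $Current |
    Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
    Select-Object -First 1
if ($line) {
    $existing = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

# 4. Merge: keep every existing entry and add the new group's SID once.
$members = @(@($existing) + "*$sid" | Select-Object -Unique)

# 5. Build the inf with only the one right we want to set.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $($members -join ',')
"@
Set-Content -Path $NewInf -Value $inf -Encoding Unicode

# 6. Apply it to local policy; only the USER_RIGHTS area is touched.
& secedit.exe /configure /db $Db /cfg $NewInf /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE)" }

"SeDenyInteractiveLogonRight now: $($members -join ', ')"
```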

 

Condensed Video of Progress:

Win10 Build Updates–Persistent Tweaks

CONTEXT: (Feel free to skip my babbling)
If you haven’t figured out by now, I hate managing things that I feel should manage themselves.  If I can get out of doing extra work, and have things in place to automatically take care of it, awesome.  Even if it’s less efficient on network resources, and I lose some granularity of control, if my environment doesn’t care, then I’m going to let things auto update, and auto remediate as much as possible.  (Note, where I work now, I don’t follow my personal philosophy; my environment cares, and everything is controlled to super granular levels, but we have people to manage it here. At my last place, it was just a couple of us doing everything, so we had to employ methods to do things without technicians having to get involved.)

IDEA:
Make Windows 10 Build Updates easier.  While I love Task Sequences, I don’t want to have to make something complex for a build update that happens every 6 months.  I want windows to update, and I want to keep the customizations I put in during OSD.
From MMS Presentation: Download full Presentation HERE

HOW:
Tried and True is Group Policy, however, group policy can take a little while to kick back in, and I don’t want to wait, I want the customizations there before the user logs back in, I don’t want the user to know things changed.  I decided to go with good old scheduled tasks and two scripts, (1 batch file & 1 powershell) plus a 3rd script to build the scheduled tasks and copy the files required locally.

Basically, the batch file is a combination of all the system level tweaks crammed into one script, and the powershell file is the “remove default apps” script. Hopefully after 1709, you won’t need to keep removing the AppX packages, I’ve heard they are “fixing” it so that it will honor the appx you’ve removed, and not put them back in, however, they will probably keep adding in new AppX packages that you’ll have to decide if you want to keep or remove, so there is a good chance you’ll have to run a modified version of this script for each build upgrade forever.

Batch File to Create Scheduled Tasks & Copy Required Files to c:\ProgramData:

Powershell Script To Remove Default Apps (Thanks @Geodesicz):

Batch File to Reapply System Level Tweaks:

Once you have those, you’ll need to create the Scheduled Tasks:
I’ve provided the XML files in the download, and the scripts to import them. (At bottom of post)


First Scheduled Task – Removing Defaults Apps

General: Windows 10 In-Place Upgrade AppRemoval
user account: SYSTEM
Run whether user is logged on or not
Run with highest privileges (Checked)
Configure for: Windows Vista / Server 2008

Trigger: On an Event
Basic: Microsoft-Windows-AppReadiness/Admin
Source: AppReadiness
EventID: 100

Action: Start a Program
Program / Script: powershell.exe
Add arguments: -executionpolicy bypass -file "C:\ProgramData\Win10Upgrade\Windows10Tweaks\RemoveDefaultAppsWin10.ps1"

 

Second Scheduled Task – Reapplying Tweaks / Branding

General: Windows 10 In-Place Upgrade Tweaks
user account: SYSTEM
Run whether user is logged on or not
Run with highest privileges (Checked)
Configure for: Windows Vista / Server 2008

Trigger: On an Event
Basic: Microsoft-Windows-AppReadiness/Admin
Source: AppReadiness
EventID: 100

Action: Start a Program
Program / Script: C:\ProgramData\Win10Upgrade\Windows10UpgradeTaskFixesScript.cmd
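One way to register the two tasks described above from a script, as an added example and not the author's setup script or XML import. Because both tasks run as SYSTEM from a folder under C:\ProgramData, where standard users can create files by default, it first locks the folder down and refuses to register anything that a non-administrator could still modify. The ACL policy and the function name are assumptions; paths, task names and the trigger are the ones listed above.

```powershell
# Added example, not the author's setup script. Run elevated, after the files are copied.
$Root    = 'C:\ProgramData\Win10Upgrade'
$Trusted = 'S-1-5-18', 'S-1-5-32-544'      # SYSTEM, BUILTIN\Administrators
$Tasks   = @(
    @{ Name = 'Windows 10 In-Place Upgrade AppRemoval'
       # Same command line as above; inner quotes dropped because the path has no spaces.
       Run  = "powershell.exe -executionpolicy bypass -file $Root\Windows10Tweaks\RemoveDefaultAppsWin10.ps1" },
    @{ Name = 'Windows 10 In-Place Upgrade Tweaks'
       Run  = "$Root\Windows10UpgradeTaskFixesScript.cmd" }
)

function Get-UnsafeAce {
    param([string]$Path)
    # Rights that would let an account replace or alter what SYSTEM later executes.
    $mask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($item in @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $Trusted -notcontains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $mask)) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# 1. Administrators own everything; the root gets explicit ACEs instead of the ProgramData defaults
#    (SYSTEM and Administrators full control, Users read and execute); children re-inherit from it.
& icacls.exe $Root /setowner '*S-1-5-32-544' /T /C /Q | Out-Null
& icacls.exe $Root /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /Q | Out-Null
& icacls.exe "$Root\*" /reset /T /C /Q | Out-Null

# 2. Verify instead of trusting step 1: stop if anything is still writable by a non-admin.
$unsafe = @(Get-UnsafeAce -Path $Root)
if ($unsafe.Count -gt 0) {
    $unsafe | Format-Table -AutoSize | Out-String | Write-Warning
    throw "$Root is writable by non-administrators; not registering SYSTEM tasks."
}

# 3. Register both tasks: SYSTEM, highest privileges, triggered by event 100 in the
#    Microsoft-Windows-AppReadiness/Admin log. The query filters on the event ID only;
#    add a Provider clause if you also want to match the Source field.
foreach ($t in $Tasks) {
    & schtasks.exe /Create /TN $t.Name /TR $t.Run /SC ONEVENT `
        /EC 'Microsoft-Windows-AppReadiness/Admin' /MO '*[System[EventID=100]]' `
        /RU SYSTEM /RL HIGHEST /F
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed for '$($t.Name)' (exit $LASTEXITCODE)" }
}
```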

 

Application Contents: (Root)

Application Contents: (Subdirectory)
1703 folder just contains the Images I used with our 1703 deployment.


Once you've run the Setup Script or Application, it will create the Scheduled Tasks, and copy the files needed to run after the build update to:

DOWNLOAD Exported Application: https://garytown.com/Downloads/Win10InPlaceUpgradeTweakTasks_files.zip
This contains the raw files, you don’t actually need to import if you don’t want to.

For the Application Model of Win10 Build Upgrade, I had an application with the content source of the extracted ISO:
Install Program: Setup.exe /auto upgrade /DynamicUpdate Enable /showoobe none  (This will download and apply updates, which can take a long time, but recommend you still do this unless you manually update the install.wim file)
Detection Method: Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentBuild = 15063 (1703 - Change the Build number to match the Build you're deploying)

Please customize the tweaks for your environment. 🙂

As always… TEST TEST TEST.  As I mentioned in the beginning, I don't use this method any longer due to different requirements at my new employer, so I'm no longer testing and developing this process.
Please note, the Lock Screen Image can be inconsistent, sounds like MS is aware of a bug, and hopefully future builds will fix this, so if your Lock Screen doesn’t always apply right each time you test… call it good enough and move on to the next thing on your list.

 

Update 2017.09.07 - Jason Freeman (@loosusjason) pointed out you can do this with SetupConfig.ini - More info HERE

 

Windows 10 Customizations–MMS2017 Demos

Hey everyone, MMS has come and gone for another year, and I will say, it was my favorite MMS yet.  This conference keeps getting better and better, but what’s not to like, right?  Mall of America, 4 days with amazingly smart people, who are just people. There are no pedestals here, everyone is approachable, and you can ask questions of people with deep knowledge of the System Center Suite, and Windows!  What MMS does, it brings huge talent from around the world in a friendly and open environment for learning and building relationships, to help equip you for your current job and open doors to conquer new challenges you thought were unsurmountable. The downside.. um.. its only 4 days.

So I had the privilege of presenting 3 topics, over 7 sessions, I’ll be going over the customizing Windows 10 in this post.

The Task Sequence Export is available for download on github. - https://github.com/npherson/MakeItPretty

Please remember, work with your business to determine what you want to customize, and have good business reasons.  The more you customize, the more you’re on the hook to keep consistent through in-place upgrades.  This list is NOT best practice, or even necessarily recommended, just showing what you can do.

Let's take a look:  (Please also look at the slide deck for more info about each of these and how it all works) http://schd.ws/hosted_files/mms2017/96/MMS2017%20-%20Customizing%20Win%2010%20Pt%201%20and%202.pptx


  • Tweak – Uninstall Windows 10 Default Apps PS – Script written by Mark Godfrey to remove some apps (Slides 43 & 44)
  • SetOSDinfo PS  - Creates ITLocal WMI Namespace and populates it with handy info, taken from Jason Sandys' Blog
  • Set Default Apps & Associations – Slides 12 – 15.  Note, this isn’t 100% in 10.  They seem to get reset frequently by Windows.  Recommend GPO if you need to force something.
  • IE Icons, just copying it once to Desktop and once to Accessories Folder, then I can PIN it to Taskbar and StartMenu in future steps.
  • Change “This PC” icon to Machine Name – This does exactly that.
  • PinItems on TaskBar.  This is a script that is adding Office to the TaskBar.
  • Disable Edge default Prompt – I thought there was a GPO for this in 1703, but I can’t find it, must have imagined that.  Here are two examples, the top one is the one in the export.
  • One Drive Disable – 3 “Run Command Line” Steps – Note, if you keep OneDrive, make sure you update it first. (Slide 28)
    • Remove Shell Folder  - REG ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /V Attributes /T REG_DWORD /D 4035969101 /F
    • Remove App - %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
    • Disable (GPP Key – Windows Components\One Drive) - REG ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /V DisableFileSyncNGSC /T REG_DWORD /D 1 /F

Explorer Tweaks

  • Explorer Tweaks, these will change the look in the Shell Folder, make it look more like:

    • Remove Pictures Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Video Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Music Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Set Explorer to launch “This PC” (Slide 30)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V LaunchTo /T REG_DWORD /D 1 /F
    • MyComputer Desktop Icon (Adds “This PC” icon to desktop)
      • REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /V {20D04FE0-3AEA-1069-A2D8-08002B30309D} /T REG_DWORD /D 0 /F
    • Add Run as different user – Adds “run as different user” when you right click on an application in the start menu. – Slide 36
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /V ShowRunasDifferentuserinStart /T REG_DWORD /D 1 /F

OEMInformation section (slide 40-41)

  • Tweak - OEMInfo Logo (Copy your logo into place, has to be bitmap file) – Requires you specify your Package. I  keep the logo in a subfolder called UserLogo
    • cmd.exe /c copy UserLogo\logo.bmp C:\Windows\system32\logo.bmp /Y
  • Tweak - Set OEM Information 1 – Logo
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Logo /T REG_SZ /D "C:\Windows\System32\logo.bmp" /F
  • Tweak - Set OEM Information 2 – Manufacturer
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Manufacturer /T REG_SZ /D "Dell" /F
  • Tweak - Set OEM Information 3 - SupportHours
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportHours /T REG_SZ /D "10AM - 2PM" /F
  • Tweak - Set OEM Information 4 – SupportPhone
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportPhone /T REG_SZ /D "860-5309" /F
  • Tweak - Set OEM Information 5 – SupportURL
  • There is also a script that will do this and automatically set Model & Manufacturer of the computer.  Script is here: https://github.com/npherson/MakeItPretty

Default User Profile Tweaks
Note, I’m not going to cover Pinning IE to the TaskBar, so I’m going to skip that step.

  • Tweak - Mount ntuser.dat as defuser FIRST STEP (Required to make changes)
    • reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
  • Tweak - Change CMD to PowerShell in WinX (Not required in 1703, it defaults to this now)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V DontUsePowerShellOnWinX /T REG_DWORD /D 0 /F
  • Tweak - Delete OneDriveSetup registry Key
    • reg.exe delete HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
  • Tweak - Set Cortana / Search Icon – Slide 38
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /V SearchboxTaskbarMode /T REG_DWORD /D 1 /F
  • Tweak - Disable LockScreen Tool Tips
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 00000000 /F
  • Tweak - Disable Windows Defender First Run (Slide 27)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows Defender" /V UIFirstRun /T REG_DWORD /D 00000000 /F
  • Tweak - Unmount ntuser.dat as defuser LAST STEP
    • reg.exe unload HKEY_LOCAL_MACHINE\defuser

Corporate / Business Branding (Lock Screen / User Profile Pictures / Background / Start Menu)

  • Tweak - Default Corporate User Icons – PNGs (Slides 34-35)
    • xcopy UserLogo\* "%SystemDrive%\ProgramData\Microsoft\User Account Pictures" /Q /Y /I
  • Tweak - Default Corporate User Icons – regkey (or use GPO)
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /V UseDefaultTile /T REG_DWORD /D 1 /F
  • Tweak - Replace Default LockScreen Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\Screen\*.*
  • Tweak - Replace Default LockScreen Step 2
    icacls C:\Windows\Web\Screen\*.* /Grant System:(F)
  • Tweak - Replace Default LockScreen Step 3
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img100.jpg /Y
  • Tweak - Replace Default LockScreen Step 4
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img105.jpg /Y
  • Tweak - Delete Default Wallpaper 4k folder Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Delete Default Wallpaper 4k folder Step 2
    icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
  • Tweak - Delete Default Wallpaper 4k folder Step 3
    cmd.exe /c del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Default Corporate Wallpaper – img0 (Slide 31 - 33)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Windows\img0.jpg /Y
  • Tweak - Add additional Corporate Wallpapers – img1 (1-5 are same, just using different files)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Theme1\img1.jpg /Y
  • Tweak - Default Corporate Start Menu (Note, the previous two steps copy in fake programs that I have in the start menu, so when it mounts the start menu, those icons / programs are already “installed” – This is just for Demo) –
    powershell.exe Import-StartLayout -LayoutPath DMStartMenu\DM-Default.xml -MountPath C:\
    See Slides 17 – 23 for more details about the Start Menu

I hope this is helpful, each topic could have its own post (and most already do, either here on GaryTown, or CCMExec.com).

Enable Mouse Support in Win10 OSD during State Restore.

I’ve been annoyed not having mouse support in Windows 10 OSD, TS Fails, I hit F8, then it’s all trying to navigate with keyboard commands.  I finally ran across a fix to enable mouse support during this stage of OSD. 

Thanks MDT Facebook group for this, and a Dell Engineer Elliot who pointed me to a Dell white paper HERE

Towards the end is this little nugget:

I added that to my TS:

Now when I open F8 / CMTrace, I have mouse control!

At the end of the TS, I have a step to undo the change and set it back to the original setting of “1”

Note: The mouse does NOT show up in the black areas of the setup screen, it has to be over an application window (CMD, Notepad, CMTrace, etc).  Once you move it outside of the window, it disappears again until you wiggle it back above a window. I recommend maximizing your active window.
