Windows/Autounattend
(One intermediate revision by one user not shown) | |||
Line 145: | Line 145: | ||
==SAVE== | ==SAVE== | ||
'''SAVE THE ANSWER FILE''' | '''SAVE THE ANSWER FILE''' | ||
+ | |||
+ | =ISO Creation= | ||
+ | Now that we have the autounattend.xml file, we need to place it within the root folder of the ISO so that when a system loads, it discovers the configuration data contained within autounattend.xml and sets everything up. The best way I found to do this was in Linux. | ||
+ | ==Mount ISO== | ||
+ | First thing we need to do is mount the ISO so that we can copy the data off it on onto the local disk. | ||
+ | <nowiki>~$ sudo mkdir /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708 | ||
+ | ~$ sudo mount -t udf ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708.iso /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/</nowiki> | ||
+ | ==Copy Data== | ||
+ | Now lets copy the data to a local store so that it is read/write capable. | ||
+ | <nowiki>~$ mkdir ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/ | ||
+ | ~$ sudo cp -R /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/* ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/</nowiki> | ||
+ | ==Create autounattend.xml== | ||
+ | Within the directory root of the image data that you copied locally, lets create the autounattend.xml | ||
+ | <nowiki>~$ sudo vim ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/autounattend.xml</nowiki> | ||
+ | ==Create ISO== | ||
+ | And finally we can create the ISO using the image data stored locally with autounattend.xml in the root. | ||
+ | <nowiki>~$ mkisofs -J -R -allow-limited-size -iso-level 3 -b boot/etfsboot.com -no-emul-boot -boot-load-size 8 -relaxed-filenames -V "Windows2012R2autounattend" -o /home/r00t/Win2012R2_autounattend.iso /home/r00t/en_windows_server_2012_r2_with_update_x64_dvd_6052708</nowiki> |
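Review bot: the mkisofs line in the Create ISO step hardcodes /home/r00t for both the -o output and the source directory, while the Mount ISO, Copy Data and Create autounattend.xml steps all use ~. Writing these as ~/Win2012R2_autounattend.iso and ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708 would keep the procedure consistent and usable for any account. In the Copy Data step, sudo cp -R leaves the local tree owned by root, which is why the following step has to use sudo vim; a chown of the copied tree to the current user after the copy would let the answer file be edited without root.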
Latest revision as of 14:42, 8 May 2021
Overview
Autounattend is a great way to automate the deployment of Windows operating systems with predefined settings and installed software. I choose to use Windows Assessment and Deployment Kit (ADK) rather than MDT (MS Deployment Toolkit) as I do not want to set up a deployment server.
Installation
Fairly straightforward: download and install the latest version of Windows ADK for Windows 10. In my instance, I chose to make auto unattend instances of Windows Server 2012 R2, 2016, & 2019, so I installed ADK for Windows 10 on an instance of Windows Server.
https://go.microsoft.com/fwlink/?linkid=2086042
Make sure you look over the release notes as sometimes MS does stupid things, like release patches for the latest version because they broke basic functionality. Such is the case for v1903.
Selections
You only need the Deployment Tools feature as it contains Windows System Image Manager (SIM)
Configuration
Mount
First you'll need to mount the ISO and copy a file to the local HDD, as SIM needs read/write access and mounting only gives read access.
Create a folder locally and copy install.wim to it from /sources in the image.
SIM
Now we will need to open up SIM (Windows System Image Manager).
[click] File > [select] Select Windows Image.. > [browse] to the local store containing install.wim > [select] install.wim > [click] Open > [select] the appropriate version of Windows you want to create an autounattend.xml for (remember, CORE does not include a GUI) > [click] OK & Yes to create a catalog file.
Generally creation of the catalog file takes some time. You will want to save a copy of this when you complete the XML in case you need to edit anything in the future.
autounattend.xml
Now it's finally time to set up the options for your autounattend.xml.
[click] File > [select] New Answer File > Save the answer file as autounattend
Disabling the Language and other preferences dialog
Windows Image pane > component: amd64_Microsoft-Windows-International-Core-WinPE_10.0.14393.0_neutral > [Right-click] Add Setting to Pass 1 windowsPE
Using the Answer File Properties and Settings panes, configure the following:
- InputLocale = en-US
- SystemLocale = en-US
- UILanguage = en-US
- UserLocale = en-US
Disabling the Select Operating System dialog
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on ImageInstall/OSImage/InstallFrom/Metadata (EXPAND OUT) and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:
- Key = /IMAGE/NAME
- Value = Windows Server 2016 SERVERDATACENTER
NOTE: Make sure the /IMAGE/NAME value matches the Windows Server Image flavor you originally selected. If unsure, scroll up in the Windows Image pane.
Disabling the EULA dialog
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on UserData and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:
- AcceptEula = true
Disabling the Disk Allocation dialog
Creating partitions will depend on whether you are using UEFI or a legacy BIOS. Since I'm creating virtual machines with a legacy BIOS (Gen 1 in Hyper-V), that is what I've documented.
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:
- DiskID = 0
- WillWipeDisk = true
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/CreatePartitions/CreatePartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:
- Extend = false
- Order = 1
- Size = 500
- Type = Primary
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/CreatePartitions/CreatePartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:
- Extend = false
- Order = 2
- Size = 20000
- Type = Primary
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:
- Active = true
- Label = System Reserved
- Order = 1
- PartitionID = 1
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add setting to Pass 1 windowsPE.
- Extend = true
- Format = NTFS
- Letter = C
- Order = 2
- PartitionID = 2
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on ImageInstall/OSImage/InstallTo and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:
- DiskID = 0
- PartitionID = 2
Disabling the Administrator password prompt
Start by unchecking Tools > Hide Sensitive Data. This will allow the password to be stored in plain text. If you want it "encrypted", do not do this.
Windows Image pane > component: amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral > [Right-click] on UserAccounts/AdministratorPassword and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:
- Value = your_password
Disabling network discovery
Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:
- CommandLine = reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff /f
- Description = Disable network discovery prompt for all users
- Order = 10
Do not show Server Manager at login
Windows Image pane > component: amd64_Microsoft-Windows-ServerManager-SvrMgrNc_10.0.14393.0_neutral [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:
- DoNotOpenServerManagerAtLogon = true
Enable Remote Desktop Protocol (RDP)
Windows Image pane > component: amd64_Microsoft-Windows-TerminalServices-LocalSessionManager_10.0.14393.479_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:
- fDenyTSConnections = false
Windows Image pane > component: amd64_Networking-MPSSVC-Svc_10.0.14393.0_neutral > [Right-click] on FirewallGroups/FirewallGroup and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following settings:
- Active = true
- Group = Remote Desktop
- Key = RemoteDesktop
- Profile = all
Windows Image pane > component: amd64_Microsoft-Windows-TerminalServices-RDP-WinStationExtensions_10.0.14393.0_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following settings:
- SecurityLayer = 1
- UserAuthentication = 0
Disable Internet Explorer Enhanced Security (ESC)
Windows Image pane > component: amd64_Microsoft-Windows-IE-ESC_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:
- IEHardenAdmin = false
- IEHardenUser = false
Disable Internet Explorer First Run Wizard
Windows Image pane > component: amd64_Microsoft-Windows-IE-InternetExplorer_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:
- DisableFirstRunWizard = true
- DisableOOBAccelerators = false
- Home_Page = google.com
Enable WinRM
Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:
- CommandLine = powershell Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Service\AllowUnencrypted $true -Force; Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
- Description = Enable WinRM
- Order = 11
Enable AutoLogon
Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on AutoLogon and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:
- Enabled = true
- LogonCount = 4
- UserName = Administrator
- Password/Value = [password]
Product Key
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on UserData/ProductKey and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:
- Key = [product key]
- WillShowUI = OnError
SAVE
SAVE THE ANSWER FILE
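Before the saved answer file goes into an ISO, it can be checked for the settings above that weaken the installed host. The following is an added example, not part of the original page: it parses an answer file and reports the plain-text password, AutoLogon, RDP without Network Level Authentication (UserAuthentication = 0), and the WinRM AllowUnencrypted and TrustedHosts * settings. The sample XML is constructed and trimmed, and the finding names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample: a trimmed answer file holding settings this page configures.
SAMPLE = r"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions">
   <SecurityLayer>1</SecurityLayer><UserAuthentication>0</UserAuthentication>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>your_password</Value><PlainText>true</PlainText>
   </AdministratorPassword></UserAccounts>
   <AutoLogon><Enabled>true</Enabled><LogonCount>4</LogonCount></AutoLogon>
   <FirstLogonCommands><SynchronousCommand>
    <CommandLine>powershell Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Service\AllowUnencrypted $true -Force; Set-Item WSMan:\localhost\Client\TrustedHosts * -Force</CommandLine>
   </SynchronousCommand></FirstLogonCommands>
  </component>
 </settings>
</unattend>"""

def _is(el, value):
    return (el.text or "").strip().lower() == value

def audit(xml_text):
    """Return sorted finding IDs (hypothetical names) for risky settings."""
    root = ET.fromstring(xml_text)
    found = set()
    if any(_is(e, "true") for e in root.iterfind(".//u:PlainText", NS)):
        found.add("password-stored-plaintext")
    if any(_is(e, "true") for e in root.iterfind(".//u:AutoLogon/u:Enabled", NS)):
        found.add("autologon-enabled")
    if any(_is(e, "0") for e in root.iterfind(".//u:UserAuthentication", NS)):
        found.add("rdp-nla-not-required")
    for cmd in root.iterfind(".//u:CommandLine", NS):
        line = (cmd.text or "").lower()
        if re.search(r"allowunencrypted\s+\$true", line):
            found.add("winrm-allow-unencrypted")
        if re.search(r"trustedhosts\s+\*", line):
            found.add("winrm-trustedhosts-wildcard")
    return sorted(found)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass the contents of the real autounattend.xml to audit(); the file sits in the root of the ISO, so anyone who can read the image can read the same values.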
ISO Creation
Now that we have the autounattend.xml file, we need to place it within the root folder of the ISO so that when a system loads, it discovers the configuration data contained within autounattend.xml and sets everything up. The best way I found to do this was in Linux.
Mount ISO
The first thing we need to do is mount the ISO so that we can copy the data off it and onto the local disk.
~$ sudo mkdir /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708
~$ sudo mount -t udf ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708.iso /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/
Copy Data
Now let's copy the data to a local store so that it is read/write capable.
~$ mkdir ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/
~$ sudo cp -R /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/* ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/
Create autounattend.xml
Within the directory root of the image data that you copied locally, let's create the autounattend.xml.
~$ sudo vim ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/autounattend.xml
Create ISO
And finally we can create the ISO using the image data stored locally with autounattend.xml in the root.
~$ mkisofs -J -R -allow-limited-size -iso-level 3 -b boot/etfsboot.com -no-emul-boot -boot-load-size 8 -relaxed-filenames -V "Windows2012R2autounattend" -o /home/r00t/Win2012R2_autounattend.iso /home/r00t/en_windows_server_2012_r2_with_update_x64_dvd_6052708