Windows/Autounattend

From r00tedvw.com wiki
Revision as of 18:00, 19 July 2019 by R00t (Talk | contribs)


Overview

Autounattend is a great way to automate the deployment of Windows operating systems with predefined settings and installed software. I choose to use the Windows Assessment and Deployment Kit (ADK) rather than MDT (MS Deployment Toolkit) as I do not want to set up a deployment server.

Installation

Fairly straightforward: download and install the latest version of Windows ADK for Windows 10. In my case, I chose to make autounattend instances of Windows Server 2012r2, 2016, & 2019, so I installed ADK for Win 10 on an instance of Windows Server.
https://go.microsoft.com/fwlink/?linkid=2086042
Make sure you look over the release notes as sometimes MS does stupid things, like release patches for the latest version because they broke basic functionality. Such is the case for v1903.

Selections

You only need the Deployment Tools feature, as it contains Windows System Image Manager (SIM).

Configuration

Mount

First you'll need to mount the ISO and copy a file to the local HDD, as SIM needs read/write access and mounting only gives read access.
Create a folder locally and copy install.wim to it from /sources in the image.

SIM

Now we will need to open up SIM (Windows System Image Manager).
[click] File > [select] Select Windows Image.. > [browse] to the local store containing install.wim > [select] install.wim > [click] Open > [select] the appropriate version of Windows you want to create an autounattend.xml for (remember, CORE does not include a GUI) > [click] OK & Yes to create a catalog file.
Generally creation of the catalog file takes some time. You will want to save a copy of this when you complete the XML in case you need to edit anything in the future.

autounattend.xml

Now it's finally time to set up the options for your autounattend.xml.
[click] File > [select] New Answer File > Save the answer file autounattend

Disabling the Language and other preferences dialog

Windows Image pane > component: amd64_Microsoft-Windows-International-Core-WinPE_10.0.14393.0_neutral > [Right-click] Add Setting to Pass 1 windowsPE
Using the Answer File Properties and Settings panes, configure the following:

  • InputLocale = en-US
  • SystemLocale = en-US
  • UILanguage = en-US
  • UserLocale = en-US

Disabling the Select Operating System dialog

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on ImageInstall/OSImage/InstallFrom/Metadata (EXPAND OUT) and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:

  • Key = /IMAGE/NAME
  • Value = Windows Server 2016 SERVERDATACENTER

NOTE: Make sure the /IMAGE/NAME value matches the Windows Server Image flavor you originally selected. If unsure, scroll up in the Windows Image pane.

Disabling the EULA dialog

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on UserData and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:

  • AcceptEula = true

Disabling the Disk Allocation dialog

Creating partitions will depend on whether you are using UEFI or a legacy BIOS. Since I'm creating virtual machines with a legacy BIOS (Gen 1 in Hyper-V), that is what I've documented.
Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk and choose Add Setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:

  • DiskID = 0
  • WillWipeDisk = true

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/CreatePartitions/CreatePartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:

  • Extend = false
  • Order = 1
  • Size = 500
  • Type = Primary

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/CreatePartitions/CreatePartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:

  • Extend = false
  • Order = 2
  • Size = 20000
  • Type = Primary

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following settings:

  • Active = true
  • Label = System Reserved
  • Order = 1
  • PartitionID = 1

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on DiskConfiguration/Disk/ModifyPartitions/ModifyPartition and choose Add setting to Pass 1 windowsPE.

  • Extend = true
  • Format = NTFS
  • Letter = C
  • Order = 2
  • PartitionID = 2

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on ImageInstall/OSImage/InstallTo and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:

  • DiskID = 0
  • PartitionID = 2

Disabling the Administrator password prompt

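Start by unchecking Tools > Hide Sensitive Data. This will allow the password to be stored in plain text. If you want it "encrypted", do not do this; note that SIM then only obfuscates the value (Base64) rather than encrypting it, so the answer file still has to be protected.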
Windows Image pane > component: amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral > [Right-click] on UserAccounts/AdministratorPassword and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:

  • Value = your_password

Disabling network discovery

Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:

  • CommandLine = reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff /f
  • Description = Disable network discovery prompt for all users
  • Order = 10

Do not show Server Manager at login

Windows Image pane > component: amd64_Microsoft-Windows-ServerManager-SvrMgrNc_10.0.14393.0_neutral [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:

  • DoNotOpenServerManagerAtLogon = true

Enable Remote Desktop Protocol (RDP)

Windows Image pane > component: amd64_Microsoft-Windows-TerminalServices-LocalSessionManager_10.0.14393.479_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:

  • fDenyTSConnections = false

Windows Image pane > component: amd64_Networking-MPSSVC-Svc_10.0.14393.0_neutral > [Right-click] on FirewallGroups/FirewallGroup and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following settings:

  • Active = true
  • Group = Remote Desktop
  • Key = RemoteDesktop
  • Profile = all

Windows Image pane > component: amd64_Microsoft-Windows-TerminalServices-RDP-WinStationExtensions_10.0.14393.0_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following settings:

  • SecurityLayer = 1
  • UserAuthentication = 0

Disable Internet Explorer Enhanced Security (ESC)

Windows Image pane > component: amd64_Microsoft-Windows-IE-ESC_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:

  • IEHardenAdmin = false
  • IEHardenUser = false

Disable Internet Explorer First Run Wizard

Windows Image pane > component: amd64_Microsoft-Windows-IE-InternetExplorer_neutral > [Right-click] and choose Add Setting to Pass 4 specialize.
Using the Answer File Properties and Settings panes, configure the following:

  • DisableFirstRunWizard = true
  • DisableOOBAccelerators = false
  • Home_Page = google.com

Enable WinRM

Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on FirstLogonCommands/SynchronousCommand and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:

  • CommandLine = powershell Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Service\AllowUnencrypted $true -Force; Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
  • Description = Enable WinRM
  • Order = 11

Enable AutoLogon

Windows Image pane > component: "amd64_Microsoft-Windows-Shell-Setup_10.0.14393.0_neutral" > [Right-click] on AutoLogon and choose Add Setting to Pass 7 oobeSystem.
Using the Answer File Properties and Settings panes, configure the following:

  • Enabled = true
  • LogonCount = 4
  • Username = Administrator
  • Password/Value = [password]

Product Key

Windows Image pane > component: amd64_Microsoft-Windows-Setup_10.0.14393.0_neutral > [Right-click] on UserData/ProductKey and choose Add setting to Pass 1 windowsPE.
Using the Answer File Properties and Settings panes, configure the following:

  • Key = [product key]
  • WillShowUI = OnError

SAVE

SAVE THE ANSWER FILE
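
As an added example (not part of the original wiki page or of any Microsoft tooling), the Python script below audits a saved answer file for the settings configured above that weaken the resulting image: an embedded Administrator password, AutoLogon, RDP with UserAuthentication = 0, and the WinRM AllowUnencrypted / TrustedHosts * command. The SAMPLE answer file and the finding names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample: a trimmed answer file carrying values from this page.
SAMPLE = r"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="specialize">
  <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions">
   <SecurityLayer>1</SecurityLayer><UserAuthentication>0</UserAuthentication>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <UserAccounts><AdministratorPassword>
    <Value>your_password</Value><PlainText>true</PlainText>
   </AdministratorPassword></UserAccounts>
   <AutoLogon><Enabled>true</Enabled><LogonCount>4</LogonCount></AutoLogon>
   <FirstLogonCommands><SynchronousCommand><CommandLine>powershell Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Service\AllowUnencrypted $true -Force; Set-Item WSMan:\localhost\Client\TrustedHosts * -Force</CommandLine></SynchronousCommand></FirstLogonCommands>
  </component>
 </settings>
</unattend>"""

def text(el):
    """Element text, lower-cased and stripped; empty string if absent."""
    return (el.text or "").strip().lower() if el is not None else ""

def audit(xml_text):
    """Return (finding, detail) tuples for settings that weaken the built image."""
    root, out = ET.fromstring(xml_text), []
    for el in root.iter():  # any element with <Value>+<PlainText> holds a credential
        if text(el.find("u:Value", NS)) and el.find("u:PlainText", NS) is not None:
            plain = text(el.find("u:PlainText", NS)) == "true"
            how = "plain text" if plain else "Base64-encoded, not encrypted"
            out.append(("embedded-password", f"{el.tag.rpartition('}')[2]}: {how}"))
    if text(root.find(".//u:AutoLogon/u:Enabled", NS)) == "true":
        out.append(("autologon", "console opens an Administrator session unattended"))
    if text(root.find(".//u:UserAuthentication", NS)) == "0":
        out.append(("rdp-no-nla", "RDP accepts connections without NLA"))
    for cmd in root.iterfind(".//u:CommandLine", NS):
        if re.search(r"allowunencrypted\s+\$true", text(cmd)):
            out.append(("winrm-unencrypted", "WinRM service allows unencrypted traffic"))
        if re.search(r"trustedhosts\s+\*", text(cmd)):
            out.append(("winrm-trustedhosts-any", "WinRM client trusts every host"))
    return out

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE):
        print(f"{finding:24} {detail}")
```

Run it against the saved autounattend.xml before building the ISO, since every copy of the ISO carries whatever the answer file contains.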

ISO Creation

Now that we have the autounattend.xml file, we need to place it within the root folder of the ISO so that when a system loads, it discovers the configuration data contained within autounattend.xml and sets everything up. The best way I found to do this was in Linux.

Mount ISO

The first thing we need to do is mount the ISO so that we can copy the data off it onto the local disk.

~$ sudo mkdir /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708
~$ sudo mount -t udf ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708.iso /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/

Copy Data

Now let's copy the data to a local store so that it is read/write capable.

~$ mkdir ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/
~$ sudo cp -R /media/en_windows_server_2012_r2_with_update_x64_dvd_6052708/* ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/

Create autounattend.xml

Within the root directory of the image data that you copied locally, let's create autounattend.xml.

~$ sudo vim ~/en_windows_server_2012_r2_with_update_x64_dvd_6052708/autounattend.xml

Create ISO

And finally we can create the ISO using the image data stored locally with autounattend.xml in the root.

~$ mkisofs -J -R -allow-limited-size -iso-level 3 -b boot/etfsboot.com -no-emul-boot -boot-load-size 8 -relaxed-filenames -V "Windows2012R2autounattend" -o /home/fgiuliani/Win2012R2_autounattend.iso /home/fgiuliani/en_windows_server_2012_r2_with_update_x64_dvd_6052708