REPO CONTENT

MENU
Audit/Sysprep/Generalize
Setupcomplete/Firstlogon
Silent Install
Scripting Examples
Useful Helpers

*************************************************************************

1. Audit/Sysprep/Generalize

Some general hints: https://technet.microsoft.com/en-us/library/cc722413(v=ws.10).aspx

And a reminder: Sysprep/Generalize consumes one rearm, so on Win 7 systems with a limited rearm count it might be necessary to restore the count after 3-5 Sysprep cycles. In Win 8 onwards a new rearm functionality was introduced with a count of 1000 rearms (the lack of any Initial Grace Phase makes it almost obsolete).

Win 7/8/8.1: When prompted to enter a username and password, press Ctrl+Shift+F3.

Win 10: In contrast to its predecessors the entry point moved to the first Settings screen, where you're asked to choose 'Quick Settings' or configure manually. Procedure stays the same.

The system will reboot and log in automatically to the built-in Admin account. Best is to close the Sysprep window via 'X' to avoid any unwanted actions at this point.

Now install any Windows Updates and deployment-wide programs (such as Microsoft Office, Adobe Flash Player, Java, printer drivers etc). You can restart if required because you will automatically be logged back into this temporary built-in administrator account. You will be stuck in this audit mode until sysprep is run later in the process.

Windows 8.1: For some weird reason this system doesn't allow updating via the normal GUI. You can use the Powershell WU CMDlet from the Little Helpers part or something like WUMT (you can find info here at MDL).

NOTE: I can recommend doing this in a VM with snapshot capability as the process might fail and then leave you unable to log into the account, so you need to start over again.

Any modifications you make to this user profile will be automatically copied to the local system default user profile.
So this is the time to adjust your start menu, desktop wallpaper and icons, and general profile modifications as these settings will apply to all newly created users on the system.

NOTE: Windows activation will NOT carry over the Sysprep/Generalize!

To finalize the install, run:
Code:
%windir%\System32\Sysprep\sysprep.exe

Check 'Activate OOBE', the Generalize button and 'Shutdown', then 'OK'. In case you did all tweaks correctly the system should shut down after a moment.

Last point would be to re-capture the system to an install.wim. Since I use VMware WS for this I only need to start it as Admin and map the drive to the host system and can capture it with dism:
Code:
dism /Capture-Image /English /ImageFile:"d:\win\install.wim" /CaptureDir:"x:" /Name:"Windows 10 Pro" /Description:"Windows 10 Pro" /CheckIntegrity /Verify

Since dism can be slightly messy especially when capturing or unmounting images, it's recommended to either export once or clean up with wimlib-imagex.

EXAMPLE SCENARIOS:

#1. On a physical machine as described above. After Sysprep/Generalize/Shutdown the capture can be performed from a WinPE media (even a Windows Setup) to an additional partition/drive/usb-device. Afterwards simply start the machine to initialize the OOBE part of Windows setup and install as normal.

#2. Would be the virtual route. Since I use VMware I will use it in this example and add a description for Virtual Box if any knowing user provides one. After the VM entered Audit mode, I recommend to either snapshot the state or back up the VM folder. It can spare a lot of time if anything fails, and when experimenting something always fails. Again after Sysprep/Generalize/Shutdown close VMware and restart as Admin, then in the Settings of the Audit Mode VM navigate to the Hard Disk Settings and 'Map' the drive to make it accessible. It needs to run VMware as admin to allow Dism to recognize the Windows install, otherwise it will throw an error.
In case you have a spare partition you can configure the VM to use the real disk/partition. In both cases simply capture the Install.
2. Setupcomplete/Firstlogon

2.1. %windir%\Setup\Scripts folder created inside the mounted install.wim.
2.2. sources\$OEM$ folder inside the ISO

Code:
DVD\sources\$OEM$
$$                  <<- C:\Windows
$$\Web\Wallpaper    <<- Wallpapers here
$$\Setup\Scripts    <<- setupcomplete.cmd, firstlogon.cmd, OOBE.CMD, OEM.reg, SLP.cmd
$$\System32
$$\System32\OEM     <<- OEM *.xrm-ms, OEM logos. you can copy these folders from Windows\System32\OEM
$$\SYSWOW64\OEM     <<- replica of system32\oem for 64 bit systems OEM *.xrm-ms, OEM logos. you can copy these folders from Windows\System32\OEM
$$\System32\oobe
$1                  <<- Drive Root
$1\Drivers          <<- where some OEM place driver files
$1\Install          <<- where I place most things and call from there. EX: %SystemRoot%\Install\Firstlog.cmd
$1\ProgramData\Hewlett-Packard\images  <<- example of what we are looking for

The main folder needed is $$\Setup\Scripts and $$\System32\OEM
[source: http://www.msfn.org/board/topic/152813-how-to-create-an-oem-folder/]

The content of these folders (when placed correctly) is copied during the 'Apply' stage of Win Setup. The existence of a setupcomplete.cmd will trigger the execution of that file at 'SetupComplete' stage, so before the user is created. A firstlogon.cmd in contrast will be executed one stage later, in that case the user folders already exist and content can be copied over (e.g. INIs that need the user profile already created). Both scripts run elevated so no need to care about that.

Additionally it should be mentioned that it's NOT recommended to use the above named scripts side-by-side. For instance presence of oobe.cmd will override setupcomplete and firstlogon (if I'm not mistaken).

In times I built unattended installs, I used setupcomplete.cmd to perform any activation actions and created a task in scheduler to perform all additional actions at first user login.

You might wanna check: Multi-OEM/Retail Project - Continued... by mxman2k
3. Silent Installs

NOTE: For DirectX and Programs the full installers are needed, not the web setup ones.

3.1. RUNTIMES

Java install EXE: /s
VC-Redist EXE: /Q
VC-Redist MSI: /q
DirectX EXE: /silent
Silverlight EXE: /q
Silverlight MSI: /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} /qn [Source: http://www.itninja.com/software/microsoft/silverlight/5-2022]

3.2. PROGRAMS

Browser:
Firefox: Silent Installer Pack: https://gallery.technet.microsoft.com/Firefox-480-x64-Silent-f3f7c0ca

Packer:
7zip EXE: /S
WinRAR EXE: /s

Music:
Foobar2000 EXE: /S

System:
CCleaner EXE: /SILENT
HashTab EXE: /S

Graphics:
Xnview EXE: /Silent

Editor/PDF:
Notepad++ EXE: /S
Acrobat Reader EXE: /sAll /rs

Theming:
UXStyle EXE: /Q
Aeroglass EXE: /SILENT
StartIsBack++ EXE: /silent
4. SCRIPTING EXAMPLES

4.1. Some General Thoughts

When you choose the Setupcomplete/Firstlogon route keep in mind that some installs and copy actions require an existing user profile. All those options need to be done at Firstlogon stage of Win Setup, not at Setupcomplete.

Since 'Remarks' are a nice way to provide a better readability and can really help when checking older own or other people's scripts, I highly recommend to use '::' (double colon) instead of the 'rem' command. Background: Although the script doesn't execute any line starting with 'rem', it still will 'read' it, whereas any line with the double colon will be assumed a 'broken' Jump-Target and therefore skipped from reading. Might be no big difference for a short script but if it gets longer you will notice the difference.

And again a Virtual Machine is very helpful when assembling a personal install/maintenance script, in case something fails, revert to a backup/snapshot and start over.

Most of the commands in batch will show a response if they aren't sent against 'nul'. So:
Code:
xcopy "files\E\*.*" /s /q "%systemdrive%\system32\" /Y

will show for me '2 files copied successfully', whereas
Code:
xcopy "files\E\*.*" /s /q "%systemdrive%\system32\" /Y >nul 2>&1

will show nothing even if it fails. The ending backslash will avoid questions whether it's a file or a folder you're targeting.

When pointing to locations inside the new system, use system variables instead of referring to C:-something.
Code:
--------------------------------------------------------------------------------
SYSTEM VARIABLES
--------------------------------------------------------------------------------
SYSTEM:
%systemdrive%             > C:
%homedrive%               > C:
%windir%                  > C:\Windows
%systemroot%              > C:\Windows
%programfiles%            > C:\Program Files
%programfiles(x86)%       > C:\Program Files (x86)
%commonprogramfiles%      > C:\Program Files\Common Files
%commonprogramfiles(x86)% > C:\Program Files (x86)\Common Files
%programdata%             > C:\ProgramData
%allusersprofile%         > C:\ProgramData
USER:
%userprofile%             > C:\Users\s1ave77
%homepath%                > \Users\s1ave77
%appdata%                 > C:\Users\s1ave77\AppData\Roaming
%localappdata%            > C:\Users\s1ave77\AppData\Local
%public%                  > C:\Users\Public
--------------------------------------------------------------------------------

4.2. A good Beginning

Code:
@echo off
title your-title-goes-here
::Code: your-nick-goes-here [forums.mydigitallife.net]
::Credits go further to:
setlocal ENABLEDELAYEDEXPANSION
:: Work from the folder the script lives in
pushd "%~dp0"
cd /d "%~dp0"
::===============================================================================================================

NOTE: The delayed expansion part might not always be needed but since I use for loops, I need them.

So far so good ... now some more beef.

4.3. System Checks (Version, Edition, Build, Architecture)

Code:
::===============================================================================================================
::SET SYSTEM VARIABLES
set sls=SoftwareLicensingService
for /f "tokens=2,3 delims=.=" %%A IN ('"wmic path %sls% get version /format:list"') do set "build=%%A.%%B"
for /f "tokens=2* delims= " %%a in ('reg query "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"') do (
    if "%%b" == "AMD64" set vera=x64
    if "%%b" == "x86" set vera=x86
)
for /f "tokens=3* delims= " %%i in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" ^| findstr ProductName') do set vername=%%i %%j
for /f "tokens=3* delims= " %%i in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" ^| findstr /i "EditionID"') do set "winedition=%%i"
::===============================================================================================================
::CHECK PARTITION LAYOUT
for /f "skip=1 tokens=1 delims=: " %%a in ('"wmic partition where (BootPartition='True' and DiskIndex='0') get Type"') do (
    set checklayout=%%a
    if "!checklayout!"=="GPT" set "layout=GPT"
    if "!checklayout!"=="Installable" set "layout=MBR"
)
::===============================================================================================================

This comes in handy when you want your script to automatically recognize the Windows Version, Architecture, Name, Edition and the Partition Layout. Tag files and folders with 'x86' or 'x64', i.e. 'npp.installer.x64.exe' and execute with:
Code:
start /wait npp.installer.%vera%.exe /S

The '%build%' variable will show:
Code:
Windows Vista   6.0
Windows 7       6.1
Windows 8       6.2
Windows 8.1     6.3
Windows 10      10.0

4.4. Program installs

Code:
echo INSTALLING : NOTEPAD++
start /wait npp.Installer.exe /S
echo INSTALLING : ACROBAT READER
start /wait acrobat\Setup.exe /sAll /rs

Using 'start /wait' proved to be a reliable way to assure the install doesn't conflict with the following one.

4.5. XCOPY

Since I already showed an example above I can keep this short. Keep in mind that xcopy won't work in case the target directory doesn't exist, so in that case you need to create it prior to the copy. Additionally in a lot of scenarios it's necessary to delete stuff, in that case I use an 'if' to check for existing files to spare any errors regarding non-existing files.
Code:
if not exist "%programfiles%\Autoruns" md "%programfiles%\Autoruns"
xcopy "files\Autoruns\*.*" /s /q "%programfiles%\Autoruns\" /Y
if exist "%userprofile%\anyname.txt" del /s /q "%userprofile%\anyname.txt"

4.6. REGISTRY ENTRIES

Are easily created via 'reg add' command or altered with 'reg change'.
Code:
::===============================================================================================================
:: MAKE HIDDEN VISIBLE
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Sidebar /t REG_SZ /d "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" /f
::===============================================================================================================
:: SINGLE CLICK
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShellState" /t REG_BINARY /d "240000001720000000000000000000000000000001000000120000000000000022000000" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "IconUnderline" /t REG_DWORD /d "2" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "AutoCheckSelect" /t REG_DWORD /d "0" /f
::===============================================================================================================

'/v' is the Entry Name, '/t' the Entry Type and '/d' the Entry Value.

NOTE: When a Reg Key is owned by Trusted Installer you'll need something like SetACL to get the permissions needed for the change. I will show some useful little helpers in a later part.

TIP: to convert big REG files into batch code I can recommend: Reg Converter by wtarkan

4.7. STORE APPS & Co.

Refuse to use CCleaner, OOSU or similar tools to strip any Store or especially Telemetry related out of your system. The methods used aren't actually documented (as far as I could find) and already caused some trouble. For Telemetry Silencing I refer to the REPO in my sig. It shows what can be done and how.

Removing packages with install_wim_tweak is irreversible, so it will need an in-place Repair Install to get them back.

The hosts file blocking is kinda futile, since most of the connections are hardcoded and will ignore the 'recommendations' from hosts file. Way to go here would be any kind of hardware firewall.
Fortunately the Store Apps can be removed safely with powershell (this is also the recommended scenario by MS for Image Deployment).

Add all app names you want to have removed to the set command (inside the "" and separated by comma):

Check installed apps:
Code:
powershell -executionpolicy remotesigned Get-AppxPackage

Removal:
Code:
set "allappsremove=Bing, getstarted, photos, camera, store, xbox, netflix, twitter, messaging, windowscommunicationsapps, alarms, skype, zune, soundrecorder, phone, maps, people, office, candycrushsodasaga, farmville2countryescape, minecraftuwp, royalrevolt2, facebook, appconnector, 3dbuilder"
for /d %%a in (%allappsremove%) do powershell -executionpolicy remotesigned Get-AppxPackage *%%a* ^| Remove-AppxPackage -verbose

Restore: create store.apps.ps1 file in script directory with content
Code:
Get-AppxPackage -AllUsers| Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

execute from script:
Code:
set "psfile=store.apps.ps1"
powershell -executionpolicy remotesigned ".\%psfile%"

4.8. Offline Update Install

To spare myself the hassle with Windows Update GUI I use a simple snippet to batch install needed updates. With the help of the gathered system variables you're as always able to distinguish between version and architecture. Assuming sub-folders in form \10.0\x64\ (Win 10) or \6.3\x86\ (Win 8.1).
Code:
for /r "%build%\%vera%" %%i in (*.msu) do WUSA "%%i" /quiet /norestart

4.9. A Happy Ending

Now would be a good time to cut any loose ends and clean any temporary files. After implementing a fair amount of actions it's always a good idea to reboot the system before you proceed. Script can either ask for it or initiate automatically.
Code:
::===============================================================================================================
echo [R]EBOOT NOW ^<RECOMMENDED^> OR [Q]UIT ?
CHOICE /C RQ /N /M "YOUR CHOICE ?:"
:: CHOICE returns the position of the pressed key in the /C list: R=1, Q=2
if %errorlevel%==1 goto :RESTART
if %errorlevel%==2 goto :EXIT
::===============================================================================================================
::===============================================================================================================
::EXIT
:EXIT
ENDLOCAL
exit
::===============================================================================================================
::===============================================================================================================
::RESTART
:RESTART
ENDLOCAL
start shutdown.exe /r /t 0
::===============================================================================================================

...TIME TO FIRE UP THE VIRTUAL MACHINE AND TEST YOUR CREATION.
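Sections 3 and 4.4 run downloaded installers silently and elevated, and 4.1 notes that '>nul 2>&1' hides failures. The routine below is an added example, not part of the original posts: it checks each installer against a pinned SHA-256 with certutil before running it and logs the exit code instead of discarding it. The ':InstallVerified' label, the log path '%systemdrive%\Install\install.log' and the hash placeholders are assumptions; file names and switches are taken from 4.4.

```batch
@echo off
:: Added example: verify a pinned SHA-256 before every silent install and
:: keep a log of exit codes instead of sending output to nul.
setlocal ENABLEDELAYEDEXPANSION
pushd "%~dp0"
:: Assumed log location (not from the thread)
set "log=%systemdrive%\Install\install.log"
if not exist "%systemdrive%\Install" md "%systemdrive%\Install"
set /a failed=0

:: The hashes are placeholders: replace them with the SHA-256 values the
:: vendor publishes for the exact installer build you downloaded.
call :InstallVerified "npp.Installer.exe" "REPLACE_WITH_VENDOR_SHA256" "/S"
call :InstallVerified "acrobat\Setup.exe" "REPLACE_WITH_VENDOR_SHA256" "/sAll /rs"

>>"%log%" echo %date% %time% DONE failed=%failed%
popd
endlocal & exit /b %failed%

::===========================================================================
:InstallVerified
:: %1 = installer path, %2 = expected SHA-256 (hex), %3 = silent switches
set "file=%~1"
set "want=%~2"
set "got="
if not exist "%file%" (
    >>"%log%" echo %date% %time% MISSING %file%
    set /a failed+=1
    exit /b 1
)
:: certutil prints the digest on its second output line. Windows 7/8 put
:: spaces between the bytes, so strip them before comparing.
for /f "skip=1 delims=" %%H in ('certutil -hashfile "%file%" SHA256') do if not defined got set "got=%%H"
if defined got set "got=!got: =!"
if /i not "%got%"=="%want%" (
    >>"%log%" echo %date% %time% HASHFAIL %file% got=%got%
    set /a failed+=1
    exit /b 1
)
:: Hash matches the pinned value: run the installer and wait for it.
start "" /wait "%file%" %~3
set "rc=%errorlevel%"
:: 3010 is the Windows Installer code for "success, reboot required".
if "%rc%"=="3010" set "rc=0" & >>"%log%" echo %date% %time% REBOOT-NEEDED %file%
if not "%rc%"=="0" (
    >>"%log%" echo %date% %time% EXIT=%rc% %file%
    set /a failed+=1
    exit /b %rc%
)
>>"%log%" echo %date% %time% OK %file%
exit /b 0
```

With the placeholders left in place every call ends in HASHFAIL and nothing is installed, which is the intended behaviour until real hashes are pinned.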
5. LITTLE HELPERS

SetACL: Change Reg permissions
SetACL Command Line-Version (SetACL.exe) - Syntax and Description

nsudoc: Run tasks with Trusted installer permissions
M2-Team NSudo (New Version 4.0)

install_wim_tweak: Remove system protected packages (e.g. Cortana and Search)
win6x_registry_tweak - vLite - MSFN

Powershell Update CMDlet: Manage Windows Updates from command line
TechNet Windows Update PowerShell Module
Nah, only got sick of searching specific info every time and the question arises here often. Additionally it's difficult (if not even impossible) to implement all stuff different users might need into a single solution. Will be expanded with silent install switches, tips and some code examples.
Added example scenarios for Audit Mode capture handling on real machines and using VMware, would be nice if a Virtual Box experienced user could offer a similar one to be added to post#1.
Last for today: silent install part is started. Now it only needs some true old MDL spirit to collect more program switches for a more versatile library. Please: Only post switches tested working with current installers, vendors tend to change things abruptly so a lot of switches I found on the net don't work anymore.
Added a little Scripting example part to post#4 ... so some additional checking would be nice and any productive criticism is highly welcome. As last point I'm gathering an oversight regarding useful little helpers one might find helpful (SetACL, nsudoc, etc...). While waiting for responses, doggie will now paint his belly and watch some TV ...
Nice topic! Here's an example of a simple batch file for installing apps once in audit mode for Win7-10:

Code:
@echo off
TITLE -== Office 2016 Automation Script ==-
set "Pth=%~dp0"

:: ===== Make Sure We Run as Admin =====
openfiles >nul 2>&1
if %errorlevel% NEQ 0 goto :UACPrompt
goto :gotAdmin

:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~f0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
exit /b

:gotAdmin
cd /d "%Pth%"
SETLOCAL
(SET OSV=)
FOR /F "TOKENS=1* DELIMS=[" %%A IN ('VER') DO (CALL :GMM %%B)
echo %OSV%
:: OSV holds the first four characters of the version, e.g. "6.1." or "10.0"
IF %OSV% EQU 6.1. goto Win7
IF %OSV% EQU 6.2. goto Win8
IF %OSV% EQU 6.3. goto Win81
IF %OSV% EQU 10.0 goto Win10
Goto Error1

:Win10
call "%Pth%InstallAdobe_Reader_DC.cmd"
call "%Pth%InstallDirectX.cmd"
call "%Pth%InstallOffice2016oem.cmd"
call "%Pth%InstallJava.cmd"
call "%Pth%InstallVC.cmd"
GOTO ENDIT

:Win81
call "%Pth%InstallAdobe_Reader.cmd"
call "%Pth%InstallDirectX.cmd"
call "%Pth%InstallOffice2016oem.cmd"
call "%Pth%InstallJava.cmd"
call "%Pth%InstallDotNet.cmd"
call "%Pth%InstallVC.cmd"
GOTO ENDIT

:Win8
call "%Pth%InstallAdobe_Reader.cmd"
call "%Pth%InstallDirectX.cmd"
call "%Pth%InstallOffice2016oem.cmd"
call "%Pth%InstallJava.cmd"
call "%Pth%InstallDotNet.cmd"
call "%Pth%InstallVC.cmd"
GOTO ENDIT

:Win7
call "%Pth%InstallAdobe_Reader.cmd"
call "%Pth%InstallAdobe_Flash.cmd"
call "%Pth%InstallDirectX.cmd"
call "%Pth%InstallDotNet.cmd"
call "%Pth%InstallOffice2016oem.cmd"
call "%Pth%InstallJava.cmd"
call "%Pth%InstallVC.cmd"
GOTO ENDIT

:GMM
(SET OSV=%2)
(SET OSVFull=%2)
(SET OSV=%OSV:~,4%)
GOTO :EOF

:Error1
:: OSVFull still carries the closing bracket from the VER output
echo UNSUPPORTED OPERATING SYSTEM [%OSVFull%
PING -n 6 127.0.0.1 1>NUL
GOTO ENDIT

:ENDIT
ENDLOCAL
exit
Some switches for installs:

Adobe flash:
Code:
start /wait %~dp0Adobe_Flash\install_flash_player_23_plugin -install
start /wait %~dp0Adobe_Flash\install_flash_player_23_active_x -install

Adobe Reader + Update:
Code:
start /wait %~dp0Adobe_Reader\AdbeRdr11010_en_US.exe /sAll /rs "/qn /norestart ALLUSERS=1 EULA_ACCEPT=YES AgreeToLicense=Yes SUPPRESS_APP_LAUNCH=YES"
start /wait %windir%\System32\msiexec.exe /p "%~dp0Adobe_Reader\AdbeRdrUpd11019.msp" /qn

Adobe Reader DC:
Code:
start /wait %~dp0Adobe_Reader\AcroRdrDC1502320053_en_US.exe /sPB /rs
:: /sPB Silent Mode with Progress Bar for product
:: /rs Reboot Suppress

Microsoft .NET Framework 4.6.2:
Code:
Start /wait %PTH%DotNet\NDP462-KB3151800-x86-x64-AllOS-ENU /passive /norestart

Java:
Code:
If %PROCESSOR_ARCHITECTURE%==x86 Start /wait %~dp0Java\jre-8u121-windows-i586.exe INSTALL_SILENT=1 STATIC=0 AUTO_UPDATE=0 WEB_JAVA=1 WEB_JAVA_SECURITY_LEVEL=H WEB_ANALYTICS=0 EULA=0 REBOOT=0
If %PROCESSOR_ARCHITECTURE%==AMD64 Start /wait %~dp0Java\jre-8u121-windows-x64.exe INSTALL_SILENT=1 STATIC=0 AUTO_UPDATE=0 WEB_JAVA=1 WEB_JAVA_SECURITY_LEVEL=H WEB_ANALYTICS=0 EULA=0 REBOOT=0

Visual C++:
Code:
Start /wait %~dp0VC_2010_Redist\vcredist_x86.exe /passive /norestart
If %PROCESSOR_ARCHITECTURE%==AMD64 Start /wait %~dp0VC_2010_Redist\vcredist_x64.exe /passive /norestart
echo Visual C++ 2012 ...
Start /wait %~dp0VC_2012_Redist\vcredist_x86.exe /passive /norestart
If %PROCESSOR_ARCHITECTURE%==AMD64 Start /wait %~dp0VC_2012_Redist\vcredist_x64.exe /passive /norestart
echo Visual C++ 2015 ...
Start /wait %~dp0VC_2015_Redist\vc_redist.x86.exe /passive /norestart
If %PROCESSOR_ARCHITECTURE%==AMD64 Start /wait %~dp0VC_2015_Redist\vc_redist.x64.exe /passive /norestart

Office 2007:
Code:
start /wait %~dp0Office2007Enterprise\setup.exe /config config.xml

I don't mind having a progress bar so some switches are intentional for this...
Windows or Microsoft update work in audit mode on 7 and 10, not on 8.1.

On 8.1 you either need to create a user account first, next use WU and when you're done, open an elevated cmd and enter:
Code:
cd sysprep [press enter]
sysprep /audit /reboot [press enter]

When you're in audit mode you can delete the user account + user files (or exclude it in an exclusion.ini script when capturing (abbodi1406 has provided us with a win 7 and a separate 8.1/10 script)).

or go directly in audit mode and use WUMT, it can scan for updates in audit mode on 8.1.

------------------------------------------------------------------------

Capturing with dism using an exclusion script:
Code:
dism /capture-image /imagefile:x:\install.wim /capturedir:y:\ /name:"Index_Name" /Description:"Index_Description" /ConfigFile:z:\winscript.ini /compress:maximum /checkintegrity /verify

With Wimlib-ImageX:
Code:
wimcapture x:\ y:\install.wim Index_Name Index_Description --config=z:\winscript.ini

(Wimlib-ImageX uses maximum compression by default)

For some reason unknown to me, atari800xl has deleted all his posts about Wimlib-ImageX at the Simplix thread. I don't know if the developer allows it but here you can find Wimlib-ImageX.

Capture using imagex with an exclusion script:
Code:
imagex /COMPRESS maximum /CONFIG winscript.ini /capture z: install.wim /Flags "Index_Flag" "Index_Name" "Index_Description"