Windows 10 deployment best practices

    Question

  • We are in the process of creating Windows 10 images to replace our aging Windows 7 image.  Our Win7 image was just a plain x64 VM with no apps and a local administrator account.  We are a Dell KACE shop.  Once the systems are imaged, a series of post-deploy scripts and GPO run to install the various apps.

    With the need to now move to Windows 10 Pro, we're having a heck of a time getting a "generic" image, partly due to Microsoft's insistence on delivering bloatware and ads in Win10.  We would like a generic image just like our Win7 image.  No ads.  No extra apps. No Cortana. Now we've figured out how to remove what we need to remove, but it's been so labor-intensive we were wondering how other shops are doing it. Is anyone really delivering Win 10 with all of the standard applications installed?

    Appreciate any input

    Ken-

    Tuesday, March 21, 2017 10:33 PM

Answers

  • Yeah, this is part of the issue we're running into.  I cannot believe that most corporations would put up with this. We have security policies; we like things consistent.  I find it hard to believe that corporations are rolling out Win10 with all ads and apps enabled...

    Our approach is to remove things we don't want from the image before using it for deployment or building a base image from.

    If you mount the image with DISM, you can use:

    dism /image:whatever /Get-ProvisionedAppxPackages

    to get a list of built-in packages. You can then use commands like

    dism /Image:whatever /Remove-ProvisionedAppxPackage /PackageName:Microsoft.XboxIdentityProvider_2016.616.818.0_neutral_~_8wekyb3d8bbwe

    With PackageName replaced by the various things you learnt from the earlier command. Version names and packages vary between builds, so this needs doing every time a new build comes along that you want to use.

    This means the packages are gone before any user has ever logged on to that image - they're just not there in the first place. If you also do this to the image you use for in-place upgrades to newer builds, then they don't re-appear after upgrading either.

    You can similarly make changes to the default user profile this way, rather than using copyprofile, although it's a bit more fiddly. None of this relies on GPOs, so I think it works for Pro as well as for Enterprise.

    • Marked as answer by kenrinc Monday, April 10, 2017 3:19 PM
    Friday, March 24, 2017 10:06 AM
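    The offline procedure in the accepted answer (mount install.wim, list provisioned packages, remove the unwanted ones, commit), written out as a PowerShell script using the DISM module cmdlets that correspond to the dism /Image: commands above. This is an added example, not code from the thread or from Microsoft; the WIM path, mount directory, image index and the list of package names are assumptions to adjust for your own media.

```powershell
# Added example: offline removal of provisioned Appx packages from install.wim.
# Equivalent to "dism /Image:<mount> /Get-ProvisionedAppxPackages" followed by
# "dism /Image:<mount> /Remove-ProvisionedAppxPackage /PackageName:<name>".
#Requires -RunAsAdministrator
$Wim   = 'C:\Build\install.wim'   # assumption: a writable copy of the media's install.wim
$Mount = 'C:\Build\Mount'         # assumption: empty directory that becomes the /Image: path
$Index = 1                        # assumption: Windows 10 Pro is image index 1 in this WIM

# Packages to drop. Match on DisplayName (the name part only), because the
# full PackageName carries a version string that changes with every build.
$Unwanted = @(
    'Microsoft.XboxIdentityProvider', 'Microsoft.XboxApp', 'Microsoft.BingNews',
    'Microsoft.ZuneMusic', 'Microsoft.ZuneVideo', 'Microsoft.SkypeApp'
)

# Show which index is which, so $Index is a checked value rather than a guess.
Get-WindowsImage -ImagePath $Wim | Format-Table ImageIndex, ImageName

New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null

$Committed = $false
try {
    # Same listing as /Get-ProvisionedAppxPackages
    $Provisioned = Get-AppxProvisionedPackage -Path $Mount
    $Provisioned | Format-Table DisplayName, PackageName

    foreach ($Pkg in $Provisioned) {
        if ($Unwanted -contains $Pkg.DisplayName) {
            # Same as /Remove-ProvisionedAppxPackage /PackageName:<full name>
            Remove-AppxProvisionedPackage -Path $Mount -PackageName $Pkg.PackageName | Out-Null
            Write-Host "Removed $($Pkg.PackageName)"
        }
    }

    # Verify before committing: anything still listed here survived the removal.
    $Left = Get-AppxProvisionedPackage -Path $Mount |
        Where-Object { $Unwanted -contains $_.DisplayName }
    if ($Left) { throw "Still provisioned: $($Left.DisplayName -join ', ')" }

    # Commit the changes back into install.wim
    Dismount-WindowsImage -Path $Mount -Save | Out-Null
    $Committed = $true
}
finally {
    if (-not $Committed) {
        # Never leave a half-edited image mounted; throw the changes away instead.
        Write-Warning 'Discarding changes to the mounted image'
        Dismount-WindowsImage -Path $Mount -Discard -ErrorAction SilentlyContinue | Out-Null
    }
}
```

    Run it against a copy of install.wim, never the original media, and re-run it (with an updated $Unwanted list) for every new build, since package names and the set of inbox apps change between releases. The verification step before the commit is what keeps a typo in the list from silently shipping an app you thought was gone.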

All replies

  • Are you using System Image Manager (or MDT) to create answer files for a custom Windows 10 installer?

    Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

    Tuesday, March 21, 2017 11:51 PM
  • Thanks Sean.  No MDT. We were trying to avoid the use of it.  We log in to the Win10 VM as an "administrative" user.  Local administrator account not used. The thought process is to remove the apps we don't want, clean up the start menu and then we run sysprep.  When we first started doing this we were using the copy profile option and learned later that it is broken. Currently we use PowerShell to remove much of the built-in apps, but they end up coming back once a user logs into the machine the 1st time. How are most people doing this?

    ken-

    Wednesday, March 22, 2017 12:26 AM
  • Hi kenrinc,

    We could open an administrator command line and run "Get-AppxPackage" to get a list of metro apps.

    For present user:
    Get-AppxPackage -AllUsers *appname* | Remove-AppxPackage

    For new user:
    Get-AppxProvisionedPackage -Online | Where-Object { $_.PackageName -like "*appname*" } | Remove-AppxProvisionedPackage -Online

    Please note that those apps may be reinstalled after a feature upgrade. If they are reinstalled , we should run the command line again to remove them.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, March 23, 2017 6:21 AM
    Moderator
  • Yeah, this is part of the issue we're running into.  I cannot believe that most corporations would put up with this. We have security policies; we like things consistent.  I find it hard to believe that corporations are rolling out Win10 with all ads and apps enabled.  I don't see things from the SCCM side, so maybe that's part of the solution along with MDT.

    Ken-

    Thursday, March 23, 2017 9:00 PM
  • Hi kenrinc,

    I noticed you are using Pro version.

    For corporations, they usually use the Enterprise version, and there is an LTSB version which is totally free of the metro apps. But it is not available for the Pro version.

    Best regards


    Friday, March 24, 2017 7:34 AM
    Moderator
  • Mike,

    That is cool.  This might be a start.  I'm in the process of setting this up.  So after you mount the install.wim you're doing a "dism /image:c:\whatever /Get-ProvisionedAppxPackages"?  This is what I wasn't clear on.  I can mount the wim but I wasn't clear on the path for the "dism /image....."

    Ken-

    Monday, March 27, 2017 9:47 PM
  • Just my two cents:

    1. The Enterprise LTSB version is intended for those building devices. The LTSB will not get feature updates like the CB or CBB tracks do. All will get security updates.

    2. You could use SIM to create an answer file and include synchronous commands to call DISM and remove items you don't want. This gives you some control of the installation process.


    Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

    Monday, March 27, 2017 11:17 PM
  • We are using Windows 10 Pro and per Microsoft, LTSB is not an option.  I've already looked into that avenue and don't wish to go down that road.


    Ken-

    Monday, March 27, 2017 11:38 PM

  • Hi kenrinc,

    There is a script that could be used to remove those apps from the install.wim directly.
    Removing Built-in apps from Windows 10 WIM-File with Powershell - Version 1.2
    https://gallery.technet.microsoft.com/Removing-Built-in-apps-65dc387b

    Best regards


    Tuesday, March 28, 2017 2:28 AM
    Moderator
  • Yes.  That script is essentially what Mike posted.  It works well!  I just tested it and it works very nicely, although there are just a few details that still get through.  The advertising for Candy Crush, Minecraft etc.... still gets through to the Start menu.  For some reason OneDrive gets through.  I went back and looked at the output and the script did not remove OneDrive, so that may be one more extra step to add.  We install OneDrive as part of Office365 ProPlus, but I'm not interested in having it pre-installed.


    Ken-

    Tuesday, April 4, 2017 5:20 PM
  • Hi kenrinc,

    OneDrive is not a metro app, so it is not included in that script. There is an installer package in "C:\Windows\System32" or "C:\Windows\SysWOW64". It will be installed for new users automatically because there is a "Run" registry key to trigger this action. We could remove the "Run" registry key for OneDrive when we prepare the image:
    HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run
    (in the hku\Default hive)

    How to prevent OneDrive Setup prompt after first Log-In
    https://social.technet.microsoft.com/Forums/en-US/7d3db74d-a33a-401b-a9da-45b274383229/how-to-prevent-onedrive-setup-prompt-after-first-login?forum=win10itprosetup

    Best regards



    Wednesday, April 5, 2017 2:47 AM
    Moderator
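    The Run-key removal described in the reply above, done offline against the default profile hive of an image that is already mounted with DISM (as in the accepted answer), so the OneDrive setup never fires for any profile created from the image. This is an added example, not code from the thread; the mount path and the temporary hive name are assumptions, and the value name OneDriveSetup is the one the inbox Run entry uses on the Windows 10 builds current at the time of the thread.

```powershell
# Added example: delete the per-user OneDrive setup trigger from the default
# profile hive (Users\Default\NTUSER.DAT) of a mounted image. New profiles are
# cloned from this hive, so a value removed here never runs for anyone.
#Requires -RunAsAdministrator
$Mount  = 'C:\Build\Mount'                       # assumption: mount path used with dism /Image:
$Hive   = Join-Path $Mount 'Users\Default\NTUSER.DAT'
$Tmp    = 'OfflineDefault'                       # assumption: temporary key name under HKEY_USERS
$RunKey = "Registry::HKEY_USERS\$Tmp\Software\Microsoft\Windows\CurrentVersion\Run"

if (-not (Test-Path $Hive)) {
    throw "Default profile hive not found at $Hive; is the image mounted at $Mount?"
}

# reg.exe is used for load/unload because there is no built-in cmdlet for it.
& reg.exe load "HKU\$Tmp" $Hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($Run -and ($Run.PSObject.Properties.Name -contains 'OneDriveSetup')) {
        # Show what is being removed so the change is auditable in the build log
        Write-Host "Removing Run\OneDriveSetup = $($Run.OneDriveSetup)"
        Remove-ItemProperty -Path $RunKey -Name 'OneDriveSetup'
    }
    else {
        Write-Host 'Run\OneDriveSetup not present in the default hive; nothing to do'
    }
}
finally {
    # Every handle to the hive must be released before unloading, otherwise
    # "reg unload" reports that the hive is in use and the WIM commit will fail.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$Tmp" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'reg unload failed; close anything touching the hive, then retry before dismounting'
    }
}
```

    Run this between mounting and committing the image, so the edited hive is saved back into install.wim together with the Appx removals. It does not touch the OneDriveSetup.exe file itself, which is fine here because the thread's goal is only to stop the automatic first-logon install; Office 365 ProPlus can still install its own OneDrive client later.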
  • Thanks!  I found a post on this that gave the details.  It was quite involved.  Having said that it does work and I was able to rid my media of the install.  Now when I install Windows 10 from scratch I get none of the standard apps or OneDrive.  Nice :)   The start menu however still refreshes with adware from MS.  I'm in the process of doing the start menu config with the startlayout.xml

    For reference:

    http://serverfault.com/questions/770686/deploying-windows-10-in-an-enterprise-how-do-i-remove-the-pre-installed-apps

    Ken-

    Monday, April 10, 2017 3:18 PM
  • Yeah.. But what about the situation where a feature update takes place? All apps are back.. so if you want to keep Windows up to date you must use SCCM to deploy feature updates, which basically means you must reinstall Windows every time a feature update comes out?

    User stuff out -> reinstall Windows -> user stuff back? And so on... Massive administrative overhead compared to Windows 7.

    Ridiculous... I just don't like the new servicing model.

    From my point of view.. MS is pushing a consumer product which is not meant to be in use in a corp. environment. Even the Enterprise version.. containing Candy Crush..


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help.

    Monday, April 10, 2017 3:34 PM
  • Yeah..But what about in situation where feature update takes place? All apps are back.. so if You want to keep Windows up-to-date You must use SCCM to deploy feature updates - which basically mean You must reinstall windows every time if a feature update comes out?

    Not necessarily.

    In the same way that you can customise the image you use for deployment (remove apps etc), you can use that customised image for in-place upgrades which preserve existing applications and data. You then treat the new windows version more as software to be deployed (via whatever method you use to do that) than an update.

    This still isn't ideal though - to ensure that your machines upgrade via your mechanism you need to prevent them accessing Windows Update to get it. Which means WSUS and policies to block access to Windows Update, which currently means the Store doesn't work. You also need to not allow the upgrades via WSUS.

    It also isn't ideal in that some customisations are lost during in-place upgrade. See also this thread: https://social.technet.microsoft.com/Forums/en-US/0ab639e6-5de1-4082-9629-b3f072143883

    It leaves a lot to be desired, but you don't have to wipe and reinstall to move between builds (unless you're using LTSB). Service packs were a lot better...

    Monday, April 10, 2017 4:03 PM
  • Yeah.. But what about the situation where a feature update takes place? All apps are back.. so if you want to keep Windows up to date you must use SCCM to deploy feature updates, which basically means you must reinstall Windows every time a feature update comes out?

    Not necessarily.

    In the same way that you can customise the image you use for deployment (remove apps etc), you can use that customised image for in-place upgrades which preserve existing applications and data. You then treat the new windows version more as software to be deployed (via whatever method you use to do that) than an update.

    Using what method? WSUS - no, at least I don't know how to teach WSUS to deploy my customized image as an update. SCCM - administrative overhead if we are talking about 100 PCs, for example.. MS Update itself breaks this logic of using a customized in-place update..

    Some silly scripting.. perhaps..? I've looked at this thread you linked... quite disappointed how MS deals with us.. at least I see.. I'm not alone on this path..


    Monday, April 10, 2017 4:56 PM
  • Using what method?

    Whatever method you normally use to run a command line with admin permissions on some or all PCs. If you have hundreds of PCs, you probably have a way of doing that kind of thing anyway. It means thinking of it more like an application to be deployed than an update in the Windows Update/WSUS sense.

    To be fair, we've not tried pushing this, just making it available (same as any other software installation) to staff to upgrade at a time of their own choosing. Our student PCs run LTSB and we reimage them automatically anyway.

    And yes it does involve some scripting, in our case because we want to preserve some driver customisations (changes to the power management settings), and that can't be done by customising the image.

    There is another option which we've thought about but not actually tried, which is to put a scheduled task on the machines that runs every boot and checks whether the build number has changed since the last time it ran. If it has, it could do remedial work to remove apps, restore settings etc. That would mean it no longer matters where the upgrade comes from and you could use windows update or wsus to deliver it. Should work, but we haven't tried it.

    Monday, April 10, 2017 5:15 PM
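    The "scheduled task that checks whether the build number changed since it last ran" idea from the post above, written out as the script such a task would run at startup under SYSTEM. This is an added example, not something the poster or Microsoft published; the marker file location, the task name and the package list are assumptions, and the -AllUsers switch on Remove-AppxPackage assumes Windows 10 1703 or later (on 1607 it has to be dropped, which then only cleans the SYSTEM profile).

```powershell
# Added example: post-feature-update remediation, meant to run from a startup
# scheduled task as SYSTEM. It removes re-provisioned inbox apps only when the
# OS build number has changed since the last successful run, so monthly
# cumulative updates (which change only UBR) do not trigger it.
#Requires -RunAsAdministrator
$Marker   = 'C:\ProgramData\Corp\LastRemediatedBuild.txt'   # assumption: where the last build is recorded
$Unwanted = @('Microsoft.XboxIdentityProvider', 'Microsoft.XboxApp', 'Microsoft.BingNews')  # assumption

# CurrentBuild changes on a feature update (e.g. 14393 -> 15063); UBR is the CU revision.
$Ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Build = "$($Ver.CurrentBuild).$($Ver.UBR)"
$Last  = if (Test-Path $Marker) { (Get-Content $Marker -Raw).Trim() } else { '' }

# Compare the build part only, so a cumulative update never causes a re-run.
if ($Last.Split('.')[0] -eq "$($Ver.CurrentBuild)") {
    Write-Host "Build $Build already remediated; nothing to do"
    return
}
Write-Host "Build changed from '$Last' to '$Build'; removing re-provisioned apps"

foreach ($Name in $Unwanted) {
    # Provisioned copy: stops profiles created from now on from getting the app
    Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq $Name } |
        ForEach-Object {
            Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
            Write-Host "Deprovisioned $($_.PackageName)"
        }

    # Installed copies: removes it from the profiles that already exist
    Get-AppxPackage -AllUsers -Name $Name |
        Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
}

# Record success only after the removals ran, so a failed run is retried at next boot.
New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
Set-Content -Path $Marker -Value $Build

# One-time registration of the task (run separately, once per machine):
#   $Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Corp\Remediate-Build.ps1'
#   $Trigger = New-ScheduledTaskTrigger -AtStartup
#   Register-ScheduledTask -TaskName 'Corp-PostUpgradeRemediation' -Action $Action `
#                -Trigger $Trigger -User 'SYSTEM' -RunLevel Highest
```

    Because the check keys on the build number rather than on where the upgrade came from, it works the same whether the feature update arrived through Windows Update, WSUS or a pushed in-place upgrade, which is the point of the idea: it makes the delivery mechanism irrelevant. Anything else that an in-place upgrade resets (the start layout, driver power settings mentioned above) can be re-applied in the same run.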
  • I gave up the fight against apps re-installing after removing them. I have modified the install.wim image offline to get rid of a lot of the apps, but some remnants are left that do come back to new users. To comply with some of our security requirements I felt it was easier to just use AppLocker through GP to at least deny access to the rest of those stubborn built-in apps. Not the best solution, but it works.
    Wednesday, April 12, 2017 12:55 PM

  • Ridiculous... I just don't like the new servicing model.

    From my point of view.. MS is pushing consumer product which is not meant to be in use in corp. environment. Even the enterprise version.. containing Candy Crush..



    Yeah, this was the whole reasoning for starting this thread!  The development of corporate images that advertise games and other software?  Really?  This is a serious OS?

    Even after removing all the apps, when the system comes up for the 1st time, there is CandyCrush, MineSweep and all the other advertising....

    I just finished a 3 hour "education" by Dell corporate on the "Microsoft way" for Windows 10 deployment and can say that I now understand the whole concept.  The configuration portion, including removing these apps and crap is dealt with at the provisioning stage in the cloud.  For people who were used to using Ghost/KACE/Acronis etc... they are in for a rude awakening. Deployment by way of image duplication with Windows 10 is essentially gone.

    Ken-



    • Edited by kenrinc Thursday, April 13, 2017 3:54 PM
    Thursday, April 13, 2017 3:52 PM
  • I just finished a 3 hour "education" by Dell corporate on the "Microsoft way" for Windows 10 deployment and can say that I now understand the whole concept.  The configuration portion, including removing these apps and crap is dealt with at the provisioning stage in the cloud.  For people who were used to using Ghost/KACE/Acronis etc... they are in for a rude awakening. Deployment by way of image duplication with Windows 10 is essentially gone.

    Ken-

    Enlighten us a bit.. "provisioning stage in the cloud".. You mean in conjunction with Intune?

    Friday, April 14, 2017 1:59 PM
  • Do you still have access to this Dell education course? Simple link you could share with the rest of us perhaps? Curious as to what Dell is considering "best practices" in regards to Windows 10 imaging/deployment.  Thanks!


    Monday, February 5, 2018 4:08 PM