MDT Windows 8.1 image deployment customization
Customize your MDT Windows 8.1 image for a business environment
Windows 8.1 is a solid Operating System. Yes, it’s different. Yes, the differences have sparked a negative media reaction. Misguided public opinion doesn’t change the fact that Windows 8.1 is a worthwhile upgrade. I’m ready to start deploying it in my environment. If you’re reading this I assume you are as well.
Problem: despite 8.1 being an all around decent step forward, there are some aspects that I don’t want in my corporate environment. This post will discuss several tweaks and changes to your Windows 8.1 image deployment to make it more suitable for your enterprise users. My end goal isn’t to turn Windows 8.1 back into Windows 7, I just want some things to operate a little differently to better suit business needs:
I don’t want my clients to integrate with skydrive.
I want to be able to set a custom metro screen for all users in the environment.
I don’t want users getting stuck on the photo app (metro photo) screen when they click on a picture.
I don’t want the users to see the lock screen – what’s the point?
Windows Store – no. no. no.
Metro Tutorial – it gets in the way.
Many of the built-in (metro) applications are not suitable for my environment.
Disclaimer: Yes, nearly all of these issues can be addressed via GPO. You can Google around and find GPOs for practically every tweak here. However, not every environment (mine included) has immediately converted to a 2012 Functional Level.
So, I set out to build a Windows 8.1 image deployment that addressed these issues:
- Remove built in applications (remove stock metro apps)
- Change file associations – prevent photos and videos from opening in photo app or video app (metro apps)
- Disable the Lock Screen
- Disable Windows 8.1 Store Feature
- Disable Windows 8.1 Skydrive integration
- Make user specific changes for all users:
  - Show Desktop Background as Start Screen Background
  - Disable: Let Me Teach You About Metro Tutorial Tips
  - Disable SPDY/3 in IE11
  - Set IE11 not to open in the METRO IE app – Set IE11 to desktop mode
- Customize the start screen (set metro screen for all users)
Remove built in Windows 8.1 applications
I found the best way to accomplish this was to add a PowerShell script to the 8.1 Task Sequence that uninstalls unwanted Packages and Provisioned Packages. I added this to the State Restore — Custom Tasks section of my task sequence. Depending on your task sequence, you may need to place it elsewhere.
Ben Hunter posted a nice PowerShell script on his blog that works perfectly.
Below is a modified version of his script that I tailored to specifically address apps that are still present in a stock 8.1 Pro deployment. Click to view his original script.
Depending on your environment’s needs you may want to keep some of these apps or add others to remove.
You can delete or add Package Names to the $AppsList = portion of the script
#------------------------------------------------------
# Main Routine - original script by Ben Hunter
#------------------------------------------------------
# List of Applications that will be removed
$AppsList = "Microsoft.BingTravel","Microsoft.WindowsAlarms","Microsoft.Reader",`
"Microsoft.WindowsScan","Microsoft.WindowsSoundRecorder","Microsoft.SkypeApp"
ForEach ($App in $AppsList)
{
    $Packages = Get-AppxPackage | Where-Object {$_.Name -eq $App}
    if ($Packages -ne $null)
    {
        foreach ($Package in $Packages)
        {
            Remove-AppxPackage -package $Package.PackageFullName
        }
    }
    $ProvisionedPackage = Get-AppxProvisionedPackage -online | Where-Object {$_.displayName -eq $App}
    if ($ProvisionedPackage -ne $null)
    {
        remove-AppxProvisionedPackage -online -packagename $ProvisionedPackage.PackageName
    }
}
Change Windows 8.1 file associations
By default common file types such as pictures and videos will open in full screen metro photo app or video app.
Initial user reactions are that they feel “trapped” and can’t easily find their way back to the desktop.
This can be resolved by changing common file extension types (.jpeg, .jpg, .png) to open in a more desktop friendly Windows Photo Viewer, for example.
Using DISM to export and import Application Associations was the only method I found that could successfully change the default file extension for all users. You can read the details about this method in the following TechNet articles:
- Export or Import Default Application Associations
- DISM Default Application Association Servicing Command-Line Options
On your reference device, set up your file extensions to your liking.
There are a lot of different ways you can accomplish this, but the quick way is through:
Control Panel -> Programs -> Default Programs
Once you’re satisfied all file extensions are set to your liking, run this command on your reference device:
Dism.exe /Online /Export-DefaultAppAssociations:C:\alocation\AppAssoc.xml
If done correctly, you should wind up with a file that looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".3gp2" ProgId="WMP11.AssocFile.3G2" ApplicationName="Windows Media Player" />
  <Association Identifier=".adt" ProgId="WMP11.AssocFile.ADTS" ApplicationName="Windows Media Player" />
  <Association Identifier=".adts" ProgId="WMP11.AssocFile.ADTS" ApplicationName="Windows Media Player" />
  <Association Identifier=".arw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".bmp" ProgId="PhotoViewer.FileAssoc.Bitmap" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".cr2" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".crw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".dib" ProgId="PhotoViewer.FileAssoc.Bitmap" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".erf" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jfif" ProgId="PhotoViewer.FileAssoc.JFIF" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jpe" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jpeg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jpg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jxr" ProgId="PhotoViewer.FileAssoc.Wdp" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".kdc" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".MP2" ProgId="WMP11.AssocFile.MP3" ApplicationName="Windows Media Player" />
  <Association Identifier=".mpa" ProgId="WMP11.AssocFile.MPEG" ApplicationName="Windows Media Player" />
  <Association Identifier=".MPE" ProgId="WMP11.AssocFile.MPEG" ApplicationName="Windows Media Player" />
  <Association Identifier=".mpeg" ProgId="WMP11.AssocFile.MPEG" ApplicationName="Windows Media Player" />
  <Association Identifier=".mpg" ProgId="WMP11.AssocFile.MPEG" ApplicationName="Windows Media Player" />
  <Association Identifier=".mrw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".mts" ProgId="WMP11.AssocFile.M2TS" ApplicationName="Windows Media Player" />
  <Association Identifier=".nef" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".nrw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".orf" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".pef" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".png" ProgId="PhotoViewer.FileAssoc.Png" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".raf" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".raw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".rw2" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".rwl" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".sr2" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".srw" ProgId="Microsoft.PhotoManager.imagetype" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".tif" ProgId="PhotoViewer.FileAssoc.Tiff" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".tiff" ProgId="PhotoViewer.FileAssoc.Tiff" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".TS" ProgId="WMP11.AssocFile.TTS" ApplicationName="Windows Media Player" />
  <Association Identifier=".TTS" ProgId="WMP11.AssocFile.TTS" ApplicationName="Windows Media Player" />
  <Association Identifier=".wdp" ProgId="PhotoViewer.FileAssoc.Wdp" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".WPL" ProgId="WMP11.AssocFile.WPL" ApplicationName="Windows Media Player" />
  <Association Identifier=".xml" ProgId="Applications\Notepad.exe" ApplicationName="Notepad" />
  <Association Identifier="http" ProgId="IE.HTTP" ApplicationName="Internet Explorer" />
  <Association Identifier="https" ProgId="IE.HTTPS" ApplicationName="Internet Explorer" />
</DefaultAssociations>
There are a few different ways you could go about importing these settings into your image.
For my purposes I chose to DISM mount my offline image and import my custom Default App Associations.
I copied the previously created AppAssoc.xml file to my deployment workbench, mounted my image, imported the file, and then unmounted/committed my image.
Here are the commands I used to accomplish this:
dism /mount-wim /wimfile:C:\WIMDir\StandardMCCGWin8_164bit_Patched_Office.wim /index:1 /mountdir:C:\WIMDir\temp
dism /image:c:\wimdir\temp /import-defaultappassociations:C:\Wimdir\AppAssoc.xml
dism /unmount-wim /MountDir:C:\WIMDir\temp /commit
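Before importing an exported AppAssoc.xml into the image, it is worth checking that none of the extensions you care about still point at a modern app. The following is an added example, not part of the original post: Test-AppAssociation is a hypothetical helper name, the sample XML is constructed, and the check assumes modern-app handlers appear in the export with ProgIds beginning with "AppX".

```powershell
# Added example, not from the original post.
# Test-AppAssociation is a hypothetical helper name; the sample XML is constructed
# and "AppXplaceholder" stands in for a real modern-app ProgId.
function Test-AppAssociation {
    param(
        [Parameter(Mandatory = $true)][xml]$Xml,
        # Extensions that must be present in the export and open in a desktop program
        [string[]]$Required = @('.jpg', '.jpeg', '.png', '.bmp', '.tif', '.tiff')
    )
    $seen = @{}
    foreach ($a in $Xml.DefaultAssociations.Association) {
        # Identifiers are compared case-insensitively (.BMP and .bmp are the same type)
        $id = ([string]$a.Identifier).ToLowerInvariant()
        $problem = $null
        if ($seen.ContainsKey($id))                      { $problem = 'duplicate identifier' }
        elseif ([string]::IsNullOrWhiteSpace($a.ProgId)) { $problem = 'empty ProgId' }
        elseif ($a.ProgId -like 'AppX*')                 { $problem = 'handled by a modern app' }
        $seen[$id] = $true
        if ($problem) {
            [pscustomobject]@{ Identifier = $a.Identifier; ProgId = $a.ProgId; Problem = $problem }
        }
    }
    # Anything required but absent would keep the image's stock default
    foreach ($ext in $Required) {
        if (-not $seen.ContainsKey($ext)) {
            [pscustomobject]@{ Identifier = $ext; ProgId = $null; Problem = 'missing from export' }
        }
    }
}

# Constructed sample: one modern-app handler, one duplicate, two required types missing
$sample = [xml]@'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".jpg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".jpeg" ProgId="PhotoViewer.FileAssoc.Jpeg" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".png" ProgId="AppXplaceholder" ApplicationName="Photos" />
  <Association Identifier=".bmp" ProgId="PhotoViewer.FileAssoc.Bitmap" ApplicationName="Windows Photo Viewer" />
  <Association Identifier=".BMP" ProgId="PhotoViewer.FileAssoc.Bitmap" ApplicationName="Windows Photo Viewer" />
</DefaultAssociations>
'@
Test-AppAssociation -Xml $sample | Format-Table -AutoSize

# Against the real export from the reference device:
# Test-AppAssociation -Xml ([xml](Get-Content 'C:\alocation\AppAssoc.xml' -Raw))
```

An empty result means every required extension is present exactly once and maps to a desktop handler.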
This is what the import process looks like:
The next several image adjustments will be done via registry changes
How you incorporate these registry changes into your image process is entirely up to you. During my deployment sequence I like to copy over my pre-configured .reg file Win8BasicConfig.reg and execute all of my reg changes during the deployment process via batch file command:
regedit /s C:\DeploymentFiles\Win8SpecificScripts\Win8BasicConfig.reg
There are many other ways you could go about this.
Disable the Windows 8.1 Lock Screen
This is just an extra step that I don’t need my users to accomplish.
One registry entry will do the trick:
Windows Registry Editor Version 5.00

; Disable the Lock Screen
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization]
"NoLockScreen"=dword:00000001
Disable Windows 8.1 Store Feature
I’m not advocating that all Store Apps are terrible and that you shouldn’t use them. I just don’t want my users browsing the store downloading the latest Facebook metro app. You probably don’t either. There are other methods for including desired applications.
One registry entry will do the trick:
Windows Registry Editor Version 5.00

; Disable Windows 8.1 Apps Store Feature
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore]
"RemoveWindowsStore"=dword:00000001
Disable Windows 8.1 Skydrive integration
I don’t want users in my environment syncing and saving corporate data to SkyDrive.
One registry entry will do the trick:
Windows Registry Editor Version 5.00

;disable skydrive
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive]
"DisableFileSync"=dword:00000001
The next several registry adjustments will affect the HKEY Current Users (HKCU) portion of the registry
This adds a level of complexity as you will need to mount the Default NT user .dat file to enact these changes. Making these changes in this manner ensures that all new logged in users will receive the registry adjustments in their HKCU hive. Again, how you incorporate these registry changes into your image process is entirely up to you.
During my deployment sequence I like to copy over my pre-configured user-specific .reg file Win8UserSpecifcConfig.reg and then mount the Default NT user .dat file, execute the reg changes during the deployment process, and then unmount the .dat file, all via batch file command. There are many other ways you could go about this.
REM mount the default NT user .dat file for the purpose of adding HKCU registry changes
REG LOAD "HKU\CUSTOM" "C:\Users\Default\NTUSER.DAT"
REM make the desired registry changes
regedit /s C:\DeploymentFiles\Win8SpecificScripts\Win8UserSpecifcConfig.reg
REM unload the .dat file - very important
REG UNLOAD "HKU\CUSTOM"
Please note that because I mounted the C:\Users\Default\NTUSER.DAT file as “HKU\CUSTOM” that the registry keys must match this as well:
Windows Registry Editor Version 5.00

;Show Desktop Background as Start Screen Background
[HKEY_USERS\CUSTOM\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent]
"MotionAccentId_v1.00"=dword:000000db

;Turn off The Let Me Teach You About Metro Tutorial Tips
[HKEY_USERS\CUSTOM\Software\Policies\Microsoft\Windows\EdgeUI]
"DisableHelpSticker"=dword:00000001

;disables SPDY/3 in IE11
[HKEY_USERS\CUSTOM\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableSPDY3_0"=dword:00000000

;set IE11 not to open in the METRO IE app
[HKEY_USERS\CUSTOM\Software\Microsoft\Internet Explorer\Main]
"ApplicationTileImmersiveActivation"=dword:00000000
"AssociationActivationMode"=dword:00000002
- Show Desktop Background as Start Screen Background
  - Cosmetic change that seems to have a positive psychological impact on users – I’m not kidding. With this setting enabled Metro looks a lot more like an overlay designed with additional functionality instead of an independent app that has just taken over the screen.
- Turn off The Let Me Teach You About Metro Tutorial Tips
  - Simple cosmetic change to eliminate the giant tutorial popups. Users found them distracting and confusing.
- disables SPDY/3 in IE11
  - IE11 seems to have a known issue where https: websites give a page not displayed error. Clicking refresh resolves the problem but that’s another step I don’t want my users to have to make. I’ll be doing more research into why this is, but for now disabling this feature resolves the issue.
- set IE11 not to open in the METRO IE app
  - If your users click the IE button on the metro start screen it will by default open the full screen IE. This version was universally hated by everyone so this registry tweak sets IE to always open via the desktop version of IE.
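The load, edit and unload sequence for the default user hive can also be written as a single PowerShell function. This is an added example, not the author's script: Set-DefaultProfileValue is a hypothetical helper name, and it writes the same values as the .reg file above with reg.exe, refusing to reuse a mount name that is already taken and unloading the hive even when a write fails.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Set-DefaultProfileValue is a hypothetical helper name chosen for this sketch.
function Set-DefaultProfileValue {
    [CmdletBinding()]
    param(
        [string]$HivePath  = 'C:\Users\Default\NTUSER.DAT',
        [string]$MountName = 'CUSTOM',
        [Parameter(Mandatory = $true)][hashtable[]]$Values
    )
    $root = "HKU\$MountName"

    # Stop if the name is already in use: the load would fail, and the unload
    # below would detach a hive this function did not load.
    if (Test-Path "Registry::HKEY_USERS\$MountName") {
        throw "$root is already loaded"
    }

    & reg.exe load $root $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (exit code $LASTEXITCODE)" }

    try {
        foreach ($v in $Values) {
            # reg.exe is used instead of the registry provider so that no open
            # PowerShell handle keeps the hive busy when it is unloaded.
            & reg.exe add "$root\$($v.Key)" /v $v.Name /t REG_DWORD /d $v.Data /f | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg add failed for $($v.Key)\$($v.Name)" }
        }
    }
    finally {
        # Always unload, even after a failed write.
        & reg.exe unload $root | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "$root is still loaded; unload it manually" }
    }
}

# The per-user values from the .reg file above (0xdb is dword:000000db)
$settings = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Accent'
       Name = 'MotionAccentId_v1.00'; Data = 0xdb },
    @{ Key = 'Software\Policies\Microsoft\Windows\EdgeUI'
       Name = 'DisableHelpSticker'; Data = 1 },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'EnableSPDY3_0'; Data = 0 },
    @{ Key = 'Software\Microsoft\Internet Explorer\Main'
       Name = 'ApplicationTileImmersiveActivation'; Data = 0 },
    @{ Key = 'Software\Microsoft\Internet Explorer\Main'
       Name = 'AssociationActivationMode'; Data = 2 }
)
Set-DefaultProfileValue -Values $settings
```

Because the key paths are built from the mount name, the values land under whatever name the hive was loaded as, which avoids the mismatch between the REG LOAD name and the paths inside a .reg file.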
Customize the Windows 8.1 Start Screen for all users
UPDATE: NEW METHOD
You are welcome to read my original metro screen customization method below which uses dism to import start screen settings into an offline image. However, I recently posted a new method where a custom start screen can be imported during the task sequence. I’ve found this revised method to be easier, and much more flexible.
You can check out the new method here: MDT – Customize 8.1 Start Screen with task sequence
OLD METHOD:
Of all the changes here, I had the most difficulty with this one. In your environment you probably customize your users’ desktop icons, so you’ll likely want to customize the start/metro screen as well. I think Microsoft prefers that this be done via GPO because doing it via the deployment process proved challenging.
I would begin by reading the following two posts:
- Windows 8.1 Start Screen…The Ultimate Admin guide
- Customizing the Windows 8.1 Start Screen? Don’t follow Microsoft’s guidance
These three files seem to be where the start screen stores its configuration and layout:
C:\Users\userAccount\AppData\Local\Microsoft\Windows\appsFolder.itemdata-ms
C:\Users\userAccount\AppData\Local\Microsoft\Windows\appsFolder.itemdata-ms.bak
C:\Users\userAccount\AppData\Local\Microsoft\Windows\appsFolderLayout.bin
I found a lot of suggestions on how to copy these during deployment, or place them in the default profile but I couldn’t find a way through manipulating these files that worked.
It really boils down to three possible methods for setting the start screen for all users:
- Copy Profile
- GPO
- Export / Import Start Screen Settings via PowerShell & DISM
For my deployment I utilized the Export / Import method.
First, configure your start screen just the way you want.
Then, fire up PowerShell and execute the following command:
Export-StartLayout -As BIN -Path C:\alocation\AppsFolderLayout.Bin
I then copied the AppsFolderLayout.Bin file to my deployment workbench.
On the deployment workbench I then mounted my image:
dism /mount-wim /wimfile:C:\WIMDir\StandardMCCGWin8_164bit_Patched_Office.wim /index:1 /mountdir:C:\WIMDir\temp
Next I import the AppsFolderLayout.Bin into the image:
PS C:\> Import-StartLayout -LayoutPath "C:\alocation\AppsFolderLayout.Bin" -MountPath "C:\WIMDir\temp"
Finally I commit my image with the newly imported start screen settings:
dism /unmount-wim /MountDir:C:\WIMDir\temp /commit
See additional details about the Import-StartLayout command
Please note: Custom Start Screen will only apply to domain accounts!
I was stuck on this for the longest time.
After deployment the local Administrator account and other test local accounts were not having the custom start screen applied. However, when I joined the device to the domain and logged in with a domain account, the start screen was fully customized. If you have any insight into why this is, please leave a comment below.
Jacob,
Thanks for the information. Always nice to find a good blog that has information that is useful. Keep up the good work.
Kris
Great post thank you. You can create a PowerShell script to include in the task sequence for things like to disable the SkyDrive. Create the script add it to the script folder in the deployment share, in the TS insert a PowerShell script .\Scripts\something.ps1
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Skydrive\" -Name "DisableFileSync" -Value "00000001" -PropertyType "DWord"
I also found that 8.1 has issues accessing older DFS shares. I included this script to fix the issue. However, I am not sure if this is a security issue or not.
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\" -Name "RequireSecureNegotiate" -Value 0 -PropertyType "DWord"
Hi Jacob,
thanks for the great article. One question:
Is Windows Server 2012 a requirement to use policies for Windows 8.x and Server 2012? I believe you can download the Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2 (http://www.microsoft.com/en-us/download/details.aspx?id=41193) and also use the files with a Server 2008 R2 Domain Controller.
Regards Carlos
Carlos,
At the moment I am working on a Windows Server 2008 R2 Datacenter Edition with Windows 8.1 Enterprise and making tweaks to the OS based on the GPO.
Key to remind is to copy the ADMX files to your central store, then you can modify the GPO settings from Windows 8.1
Thanks for this I used something similar for removing the apps but went a little more blunt instrument removing everything.
Powershell.exe -Command ""
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v RemoveWindowsStore /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsStore" /v RemoveWindowsStore /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSService" /v Start /t REG_DWORD /d 4 /f
The problem I am having though is that when I lay this down with Config Manager 2012 r2 all the removed items are all back.
What am I missing?
Get-AppXProvisionedPackage -online | Remove-AppxProvisionedPackage -online -ErrorAction SilentlyContinue
I am having some difficulty with the HKU/Custom registry keys. Could you possibly clarify this? I totally agree that the metro look makes the users dislike Windows 8.1 more.
Is anyone able to help me out? I have been working on the HKU Custom import but have been unsuccessful. Thanks!