Embed Size (px)
Citation preview
Deploying Windows RT 8.1A guide for education
January 2014
Table of contents
2 Choosing a student account
4 Deployment process overview5 Shared-device scenarios7 One-to-one scenarios
9 Creating the configuration store10 Apps11 Files11 Logs13 Policies16 Profiles17 Settings18 Tasks21 Updates22 Users
24 Building a complete solution26 Preparing shared devices for delivery33 Preparing personal devices for delivery
45 Local Group Policy settings
1DEPLOYING WINDOWS RT 8.1
Deploying Windows RT 8.1A guide for education
This guide prescribes processes and provides a sample script framework that is specific to Windows RT device deployment in schools. It is based on observations from and work done at several schools deploying Surface devices.
Surface and similar Windows RT 8.1 devices are great for students and educators: They are ultraportable, sturdy, and inexpensive. Students can use Windows RT devices to watch videos, write reports, and collaborate on group projects. Surface even has a built-in kickstand and integrated keyboard, allowing users to learn and teach the way they want.
Deploying Windows RT devices in schools is different from deploying PCs, though. Windows RT devices are not PCs: They are tablets. You do not deploy them like PCs, and you do not manage them like PCs. A mobile technology similar to Apple iPad and other such tablets, Windows RT devices have limitations about which schools should be aware. You can learn more about these limitations by reading the white paper, Windows RT 8.1 in the Enterprise, at http://aka.ms/windowsrt4enterprise.
The guide you are reading now describes how schools can effectively deploy Windows RT devices. Ithelpsthemchoosetherighttypeofuseraccountandautomatemuchoftheconfigurationprocess. It also provides sample Windows PowerShell scripts for both shared and one-to-one scenariosthatschoolscancustomizeandextendtoautomatedeviceconfiguration.
NOTE The listings in this guide are formatted for print media. Do not copy and paste them from this guide. Instead, download the sample scripts from the TechNet Script Center at http://gallery.technet.microsoft.com/scriptcenter/Windows-RT-81-configuration-6b06b65a.Downloadedu_config.zipandextractitscontentstoaUSBflashdriveoranotherlocation.Thecontentsincludethetemplatefolderstructure and scripts.
2DEPLOYING WINDOWS RT 8.1
Choosing a student accountWhen planning to deploy Windows RT devices in schools, you will encounter four types of accounts:
• Local Windows accounts These accounts are local to the Windows RT device. They are the same as local accounts in earlier Windows operating system versions. In Windows RT, local accounts still have full Internet access and can run some Windows Store apps that do not require a Microsoft account.
• Microsoft accounts (previously known as Windows Live ID) These are consumer-oriented, Internet-based accounts that people use to access the Windows Store, SkyDrive, and other services that require them. Microsoft accounts are individually owned and cannot be accessed or managed by organizations, such as schools. Schools should not sign students up for Microsoft accounts, nor should they bulk-manage Microsoft accounts for students. For more information about Microsoft accounts, see “Microsoft accounts” at http://windows.microsoft.com/en-us/windows-8/microsoft-account-tutorial.
• Domain Windows accounts These accounts are in Active Directory Domain Services. You cannot sign in to Windows RT devices by using a domain account, but after students sign in to their devices using a local or Microsoft account, they can authenticate to network resources(e.g.,networkfilters,fileshares)byusingtheirdomainaccounts.
• Organizational accounts Also known as Windows Azure Active Directory accounts, these are organization-oriented, Internet-based accounts that people use to access an organization’s subscriptionservices,suchasMicrosoftOffice365orWindowsIntune.Theschoolownsorganizational accounts, and its IT staff manage them. Schools can synchronize their on-premises Active Directory infrastructure with Windows Azure AD.
NOTE Microsoft accounts in the United States comply with the Children’s Online Privacy ProtectionAct(COPPA)regardingonlineaccountcreationforchildrenunder13yearsofage.They require parental consent, which parents give by charging a small amount to their credit card(foraU.S.account).ParentalconsentisnotrequiredtocreateWindowsororganizationalaccounts, but Microsoft recommends that schools notify parents and obtain their consent before creating such accounts for students. For more information, see “Why does Microsoft charge me when I create an account for my child?” at http://windows.microsoft.com/en-us/windows-live/family-safety-why-does.
3DEPLOYING WINDOWS RT 8.1
Of the four account types, you can only use local Windows accounts or Microsoft accounts to sign in to Windows RT devices. With either type of account, students can subsequently use domain accounts to access network resources or organization accounts to access Office365.
The choice between local or Microsoft accounts depends largely on your deployment scenario. In shared-device scenarios, schools should use local accounts for device access combined with domain and organizational accounts for resource access. In one-to-one scenarios, schools might consider allowing users to sign in to their devices by using their own Microsoft accounts. They must still comply with COPPA, however, so parents of children under 13 years of age must create their children’s accounts.
NOTE
Microsoft prevents the creation of more than three Microsoft accounts from a single IP address in a single day. This limitation affects schools in which network address translation or a proxy server provides Internet access. Schools can contact Microsoft Support for an exception to this policy, however. For more information about gaining an exception to this policy, consult your account team.
4DEPLOYING WINDOWS RT 8.1
Deployment process overviewThisguideprescribesprocessesandprovidessampleWindowsPowerShellscriptsthatarespecificto Windows RT device deployment in schools. The processes and scripts are based on observations from and work done at several schools deploying Surface devices. The processes and scripts in this guide support two scenarios (see Table 1forabriefcomparison):
• Shared-device scenarios In shared-device scenarios, Microsoft recommends signing in to thedeviceasanadministratorandconfiguringsharedlocalaccountsonitbeforeplacingitinthe classroom.
• One-to-one scenarios In one-to-one scenarios, Microsoft recommends starting the device inAuditmode,configuringit,andthenusingtheSystemPreparationTool(Sysprep)tosealitbefore delivering it to the student. Students sign in to their devices using Microsoft accounts.
TaBLE 1 Scenario comparison
Shared Scenario one-to-one Scenario
Recommended account type Local Windows account Microsoft account
Student account privilege level Standard user accounts Administrator accounts
COPPa compliance Unnecessary Students under 13 years of age must have parental consent
Privacy considerations
Must prevent students from caching their credentials and savingfilestothelocaldevice
Because students do not share their devices, their information is private as long as they protect their credentials
Students can install apps from the
Windows StoreNo Yes
Access files on SkyDrive No Yes
Use the Mail app with Office 365 or
an on-premises mail server
No Yes
5DEPLOYING WINDOWS RT 8.1
Shared Scenario one-to-one Scenario
Potential for misuse
Some; students do have some anonymity when using shared devices, but you can
identify a device’s user if you require students to use domain credentials tosignintothenetworkfirewall
Some; students do not have anonymity, but they do have full administrator
access to their devices to install apps, configuresettings,andsoon
Deployment interaction
SignificantinteractiontocompletetheOut-of-BoxExperience(OOBE)
but automated afterward
Light interaction that skips the OOBE and automated afterward
A consideration that makes deploying Windows RT devices in schools different from other environments is the sheer volume over time. It is not uncommon for a school to have a dozen or moreemployees,eachpreparing30ormoredevicesatatime(i.e.,asynchronously).Therefore,capabilities like logging each device in an asset database can be challenging because doing so requires multiuser access. This guide does not attempt to solve these types of problems.
Shared-device scenarios
In a shared-device scenario, students use a device without concern for the user account accessing the device. In fact, students might not even know the name of the account they are using. It is a common scenario, but using a Microsoft account with it is not recommended:
• Microsoft does not recommend using a shared Microsoft account (that is, one account per classroom).ThisscenariomostlikelyviolatesCOPPA,anditcertainlyviolatestheprivacystatements in the Terms of Use for Microsoft accounts. Students using one device can affect students using other devices because of setting synchronization and the shared SkyDrive.
• Microsoft does not recommend allowing students to use their own Microsoft accounts in thisscenario.Unlesstheypullthesamedevicefromthesamecarteverytime,thefirstsign-inexperience will take up much of the classroom time. In addition, there is no way for schools to manage these accounts for students, and account creation requires parental consent for students under 13 years of age.
Instead,MicrosoftrecommendsthatyouconfigurealocalWindowsaccountoneachdevice.Inthe schools observed, the most common solution was to create a local user account based on the computername,andthenconfigurethedevicetosignintothedesktopautomatically.(Youcanusenetplwiz.cpltoconfigureautomaticsign-in,andthesamplescriptsinthisguideconfigureautomaticsign-induringtheconfigurationprocess.)Afterstudentsgettothedesktop,theycanuse Internet Explorer to access the Internet, use the many Windows Store apps that do not require Microsoftaccounts,orevenaccessvirtualdesktopinfrastructures(VDIs).Ofcourse,theycan
6DEPLOYING WINDOWS RT 8.1
usetheirorganizationalaccounttoaccessOffice365ortheirdomainaccounttoaccessnetworkresources.
Importantly, the local Windows account that you create on each device should be a standard useraccount(least-privilegedaccess),notanadministratoraccount.Schoolstendtowanttouse local Group Policy to completely lock down the device (e.g., remove access to Control Panel, restrictaccesstotheRegistryEditor,preventaccesstothefilesystem).Thisextraburdenislargelyunnecessary and can limit administrators’ ability to maintain and support the device later. You cannot target local Group Policy on Windows RT devices like you can with domain-based Group Policy,sopoliciesyoudefinewillaffectadministratorsaswellasstudents.Asmuchaspossible,schools should allow the standard user account to do its job to prevent students from making unwanted changes to the device. Standard users cannot change most system settings and cannot changefilesinsystemfolders.Inshared-devicescenarios,studentsshouldbemadetounderstandthatanyfiletheysaveonalocaldevicemightnotbeavailablelater.
Using local Windows accounts does come with baggage. First, you must disable credential caching (for example, Remember Me)onthesedevicessothatstudentsdonotinadvertentlyleavetheircredentials on shared devices. (See the section, “Local Group Policy settings” on page 45, forsettingsyoucanenabletopreventcredentialcaching.)Second,howdoyouidentifywhoisactually using the device? The most common way is to require students to sign in to the network filterbyusingtheirdomaincredentials.(Seethesection,“Networkfilteringrecommendations”onpage 44,formoreinformation.)
Some functionality will not work in this scenario:
• Users cannot purchase or install apps from the Windows Store without using a Microsoft account to sign in to the Windows Store. (This is not a bad thing in a school environment, either.)TopreventstudentsfromusingtheirownaccountstoinstallWindowsStoreapps,youcan use local Group Policy to disable the Windows Store app. (For more information, see the section, “Local Group Policy settings” on page 45.)
• Some apps do not work without a Microsoft account. Which apps do depends on the app. For example, the Bing app works, but the Mail app does not. Test any apps you require for the classroom to determine whether they are compatible with this scenario.
• Users cannot access their SkyDrive, and their settings do not synchronize. Students with accesstoOffice365canuseSkyDriveProtomaketheirfilesavailableoneachshareddevicethey use.
Thedeploymentprocessforthisscenariocanrequiresignificantinteraction.Installersmustcomplete the OOBE on each device, but the OOBE will not be repeated when students power on thedevice.Instead,thedeviceisreadytoplaceinaclassroom(orcart)forstudentuse.
7DEPLOYING WINDOWS RT 8.1
Priortobeginningdeviceconfiguration,preparetheconfigurationstore by customizing the scripts provided with this guide and stocking thestorewiththerequiredsourcefiles.Thesection,“Creating the configurationstore”onpage9, describes this step in detail. The high-level deployment process for the shared-device scenario is as follows:
1. Remove the device from its box, and record its serial number.
2. Start the device, and complete the OOBE.
You can use a local or Microsoft account as the administrator. Microsoft recommends that you use Microsoft accounts to prepare devices, though, so you can centralize their passwords and install apps from the Windows Store. Keep in mind that Microsoft accounts can install Windows Store apps on up to 81 devices(dependingontheapp),soifyouuseMicrosoftaccountstoconfigureshareddevices,youwillneedtousemultipleaccounts. You might consider using one account per classroom, grade level, or even school.
3. Runtheconfigurationscriptthatthesection“Preparing shared devices for delivery” on page 26describestoconfigurethedevice.
4. Shut down the device, and deliver it to the cart or classroom.
One-to-one scenarios
In a one-to-one scenario, students use dedicated Windows RT devices. Those devices might be student or institution owned. This guide assumes they are school owned. In this scenario, this guide recommends that students use Microsoft accounts to sign in to their devices so that they can have the full Windows RT experience.
Like the shared-devices scenario, students can use their Microsoft account along with their organizational accounts to access subscriptionserviceslikeOffice365andtheirdomainaccountstoaccess network resources, such as network shares, VDI, and so on. Unlike the shared-device scenario, students will be administrators on their personal devices.
NOTE
Forcing students to use local Windows accounts with least-privileged accessisdifficultbutnot impossible in one-to-one scenarios. The process is identical to the shared-device scenario, but limiting Windows RT devices in this way diminishes their usefulness to students in one-to-one scenarios.
8DEPLOYING WINDOWS RT 8.1
The deployment process for this scenario requires less interaction and time than the shared-device scenario. You skip the OOBE experience. When you deliver the device to the student and they turn it on, they experience the normal OOBE, but the device will contain your customizations. (The shared-device scenario does not repeat the OOBE.)
Priortobeginningdeviceconfiguration,preparetheconfigurationstore by customizing the scripts provided with this guide and stocking thestorewiththerequiredsourcefiles.Thesection,“Creating the configurationstore”onpage9, describes this step in detail. The high-level deployment process for the one-to-one scenario is as follows:
1. Remove the device from its box, and record its serial number.
2. Start the device in Audit mode to automatically sign in to it as the local administrator.
3. Runtheconfigurationscriptthatthesection“Preparing personal devices for delivery” on page 33describestoconfigurethedevice.Afterthescriptfinishesconfiguringthedevice,itrunsSysprep to prepare the device for delivery to the student and shut it down.
4. Deliver the device to the student. When the student turns on the device, the OOBE starts.
The section, “Preparing personal devices for delivery” on page 33, describes this process in step-by-step detail, including how to start the device in Audit mode, plus sample script listings.
NOTE
By design, the local administrator account cannot run Windows Store apps.
9DEPLOYING WINDOWS RT 8.1
Creating the configuration storeThe configuration storeiswhereyoustorethesourcefilesandscriptsthatconfigureeachdevice.Usethesameconfigurationstoreforbothdeploymentscenarios.YoucanlocatetheconfigurationstoreonaUSBflashdriveoranetworkshare.(YoucanalsokeepamastercopyoftheconfigurationstoreonanetworkshareandcopyittoUSBflashdrivestoexpediteconfigurationforeachinstaller.)ThisguideassumesthattheconfigurationstoreisonaUSBflashdriveinD:\Store.Bydefault,thescriptsinthisguidelookforfilesinthefollowing subfolders:
apps Windows Store apps to sideload on devices
Files Extrafilestocopytodevices
Logs Target location in which to log devices’ names, media access control(MAC)addresses,andserial numbers
Policies Local Group Policy settings to copy to devices
Profiles Wireless networking profilestoaddtodevices
Scripts Scripts required to configuredevices
Settings REGfilestoimportintodevices’ registries
Tasks Scheduled tasks to import on devices
Updates Update packages (MSUfiles)toinstallondevices
Ifyoustoretheconfigurationstoreonanetworkshare,guestaccessmustbeenabledontheconfigurationstore.Otherwise,installersmust provide domain credentials when preparing devices. Enabling guestaccessontheconfigurationstorehelpsstreamlinetheprocess.BecauseMicrosoftrecommendsguestaccessfortheconfigurationstore, Microsoft also recommends creating it on a stand-alone server or PC in the lab, which you can take down after you are done. A laptop or network-attached storage device is perfect for this purpose.
The following subsections tackle individual folders in the configurationstoreseparately,includingthesamplescriptsthatdriveeach. The sections, “Preparing shared devices for delivery” on page 26 and “Preparing personal devices for delivery” on page 33, give end-to-end examples that tie everything together.
WaRNING
The scripts and source filescontainpasswordsinplain text—for example, the password to use for shared accounts, wireless network passphrases, and the credentials under which to run scheduled tasks. Therefore, you must ensure that students do not have access to the configurationstore.
NOTE
The scripts that this guide provides are samples. Schools must customize and test these scripts prior to using them in any Windows RT device deployment. Although Microsoft has tested these scripts and they do work properly, they are not suitable for use as-is without careful consideration.
10DEPLOYING WINDOWS RT 8.1
Apps
Installing apps from the Windows Store requires a Microsoft account. If you are not using Microsoftaccounts(forexample,youaredeployingshareddevices),analternativeistosideloadapps. Sideloading an app means installing it directly on the device without buying it from the Windows Store. For more information, see the article, “Windows RT in the Enterprise,” at http://technet.microsoft.com/en-us/windows/dn260720.aspx in the Microsoft TechNet library.
Youneedtheapps’packagefilestosideloadthem.Package filesarefileswiththe.appxfileextension, and you obtain them from the apps’ developers. Keep in mind that few developers providepackagefilesfortheirappsoutsideoftheWindowsStore,butifyouhaveanarrangementto sideload developers’ apps or your school has developed Windows Store apps internally, copy thepackagefilestheyprovidetotheAppssubfolderoftheconfigurationstore.ThescriptinListing 1 provisions each app in the given path on the target device, meaning that those apps will be available for all users who sign in to the device.
NOTE SideloadingappsonWindowsRTdevicesrequiresthatyoufirstinstallasideloadingproductkey.Contact your account team about acquiring sideloading product keys if you must sideload apps.
LISTING 1 Apply-AppxPackages.ps1function Apply-AppxPackages {
# Install each Windows Store app from the configuration store. # Make sure the Group Policy setting AllowAllTrustedApps is enabled # and a sideloading product key is installed on the device.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing Windows Store app (APPX) packages”)][string] $Path )
if ((Test-Path -Path $Path -PathType Container)) {
Push-Location -Path $Path $AppPackages = Get-ChildItem -Filter *.appx $PackageCount = ($AppPackages | Measure-Object).Count Write-Output “Installing ($PackageCount) apps from the configuration store.”
$AppPackages | ForEach-Object { Write-Output “...$_” Add-AppxProvisionedPackage -Online -PackagePath $_ -SkipLicense }
Pop-Location Write-Output “Finished installing app packages on the device.”
11DEPLOYING WINDOWS RT 8.1
} else { Write-Output “Skipping Windows Store apps because path was not found.” }}
Files
The script in Listing 2 has a simple but useful role. It replicates the contents of the Files subfolder intheconfigurationstoretothetargetdevice.TopreparetheFilessubfolderintheconfigurationstore,createthefileandfolderstructureyouwanttoreplicateonthetargetdevice.ImaginethattheFilessubfolderoftheconfigurationstoreistherootofthesystemdriveonthetargetdevice.Forexample,ifyoucreateatextfilenamedhelloworld.txt in Files\Users\Public\Desktop, the script in Listing 2copiesthatfiletothepublicdesktoponeachdeviceitruns.Thescriptretainsfileattributesandoverwritessystem,read-only,andhiddenfiles.
LISTING 2 Apply-LocalFiles.ps1function Apply-LocalFiles {
# Copy files and folders from the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing folders and files to copy”)][string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Target path to which to copy the source folders and files”)][string] $Target )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Applying files and folders to this device.” xcopy.exe $Path\*.* $Target\*.* /s /d /e /h /r /k /y ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } Write-Output “Finished applying files and folders to this device.” } else { Write-Output “Skipping local files because path was not found.” }}
Logs
SomeschoolsneedtocollecttheMACaddressofeachWindowsRTdeviceastheyconfigureit.Forexample,schoolsthathavenetworkfiltersmightprefertouseMACsecurityfilteringratherthanrequiringstudentstoprovidetheirdomaincredentialstogetthroughthefirewall.CollectingthenameandMACaddressofeachdeviceduringinstallationhelpssimplifytheconfigurationofMACsecurityfiltering.
12DEPLOYING WINDOWS RT 8.1
The script in Listing 3 logs the computer name, its MAC address, and its serial number in the Logs subfolderoftheconfigurationstore.Becauseyoumighthavemultipleinstallerssettingupdevices,thisscriptcreatesaseparatetextfileforeachdevicetoavoidmultiuserconflictsifyouarestoringtheminanetworkshare.ThefilenameistheMACaddressappendedtothecomputername.Thetextfilecontainsthename,MACaddress,andserialnumberseparatedbycommas.Notonlydoesthis approach prevent multiuser collisions, it enables you to easily import the comma-delimited textfilesintoaMicrosoftExcelspreadsheettoaggregatethem.
NOTE You can customize Listing 3 to collect additional information about devices.
LISTING 3 Log-DeviceWithMac.ps1Function Log-DeviceWithMac {
# Create a file containing the computer name, MAC address # of the first Wi-Fi adapter, and the device’s serial number.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path in which to log the computer’s name, MAC address, and serial number”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Logging the computer name and MAC address in the configuration store.”
$FileName = $env:ComputerName + “_” + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “.txt” $FullFilePath = Join-Path $Path $FileName # Check if the file exists do not write a new file, otherwise write the file.
If (!(Test-Path $FullFilePath)) { $Content = $env:ComputerName + “, “ + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “, “ + ` (Get-WmiObject -Class Win32_BIOS).SerialNumber Add-Content -Path $FullFilePath -Value $Content Write-Output “...$Content” } Write-Output ` “Finished logging the computer name and MAC address in the configuration store.” } else { Write-Output “Did not log the device because path was not found.” }}
13DEPLOYING WINDOWS RT 8.1
Policies
Windows RT devices do not support domain join, so they do not support domain-based Group Policy. These devices do support local Group Policy, though, and you can create a local Group Policy configurationthatyoucanapplytomanydevices.Theprocedureisas follows:
1. Onareferencedevice,configurelocalGroupPolicy.
2. Copy the local Group Policy from the reference device to the configurationstore.
3. ApplythelocalGroupPolicyfromtheconfigurationstoretoeach device.
By default, Group Policy is not enabled on Windows RT devices. You mustenableitbystartingtheGroupPolicyservice(GPSVC).Althoughyou can do this by using the Services console (see the article, “Local Group Policy support for Windows RT,” at http://technet.microsoft.com/en-us/library/2e7bfa32-9fa9-4031-8160-d3a8c526df8d#BKMK_WinRTintheTechNetlibrary),thescriptinListing 4 demonstrates how to enable the Group Policy service by using Windows PowerShell. Ifyouconfigureapolicyanditseemstohavenoeffectonthesystem,make sure that you have enabled the Group Policy service.
LISTING 4 Enable-GroupPolicy.ps1function Enable-GroupPolicy {
# Enable and start the Group Policy service.
Set-Service -Name gpsvc -StartupType auto Start-Service -Name gpsvc}
Toconfigurepoliciesonareferencedevice,usetheLocalGroupPolicy Editor. To access it, type gpedit.msc on the Start screen, and thenpressEnter.YoucanconfiguresecuritypolicyandAdministrativeTemplates for both the computer and users. Examine each policy’s description to determine whether it supports Windows RT devices. YoucanalsofiltersettingsinAdministrativeTemplatestoshowonlythose policies that Windows RT 8.1 devices support. For detailed step-by-step instructions, see the article, “Local Group Policy Editor, at
NOTE
See the section, “Local Group Policy settings” on page 45, for a list of settings that you might explore for your school’s devices. To learn more about local Group Policy, see http://www.microsoft.com/grouppolicy.
14DEPLOYING WINDOWS RT 8.1
http://technet.microsoft.com/en-us/library/cc725970.aspx in the TechNet library. Thoroughly test each policy to ensure that it works as expected on your devices. The section, “Local Group Policy settings” on page 45, lists many policies interesting to schools deploying Windows RT devices.
Afteryouhaveconfiguredpoliciesonthereferencedevice,copythemfromthereferencedevicetotheconfigurationstore.ThescriptinListing 5isanexample.(Iftheconfigurationstoreisonanetworkshare,youmustconnecttotheconfigurationstorebyusinganaccountthatcanwritetoit.)Thisscriptusesthecommand-linetoolSecedit.exetoexportthedevice’ssecurityconfigurationtoanINFfile(seethearticle,“Secedit,”http://technet.microsoft.com/en-us/library/hh875548.aspx intheTechNetlibrary).ItalsousestheExport-StartLayout Windows PowerShell cmdlet to export thecurrentStartscreenlayouttoanXMLfile.ThescriptstoresbothfilesinthelocalGroupPolicyobject(GPO—i.e.,%SystemRoot%\System32\GroupPolicy).Then,itcopiesthelocalGPOfromthereferencedevicetotheconfigurationstore.
Listing 5 Gather-GroupPolicy.ps1function Gather-GroupPolicy {
# Capture local Group Policy and save in the configuration store. # # Important: Make sure that the path and file name of $StartLayoutFile # is the same as used in the Start Menu Layout Group Policy setting. # By default, these scripts create the file layout.xml in the path # C:\Windows\System32\GroupPolicy. For more information, see # “Deploying Windows RT 8.1 in education.”
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder in which to store the local Group Policy object”)] ` [string] $Path ) $PolicySource = “C:\Windows\System32\GroupPolicy” $SecurityInfFile = Join-Path $PolicySource “security.inf” $StartLayoutFile = Join-Path $PolicySource “layout.xml”
Write-Output “Gathering Group Policy settings to $Path.”
secedit /export /cfg $SecurityInfFile | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Export-StartLayout –path $StartLayoutFile –as XML xcopy $PolicySource\*.* $Path\*.* /s /d /h /r /y | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished gathering Group Policy settings to $Path”}
The script in Listing 6 on page 15 reverses the process. It copies the local GPO from the configurationstoretothetargetdevice,thenitusesSecedittoimportsecuritypolicyfromthe
15DEPLOYING WINDOWS RT 8.1
localGPO(i.e.,%SystemRoot%\System32\GroupPolicy).Finally,itconfiguresandstartstheGroupPolicy service and runs Gpupdate.exe to refresh Group Policy on the device.
Notice that Listing 6doesnotimporttheStartscreenlayout.Instead,thelayoutfileisstoredwithinthelocalGPO,andyoumustdefinethepolicysettingnamedStart Screen Layout using the path tothelayoutfile(i.e.,%SystemRoot%\System32\GroupPolicy\layout.xml).WindowsRT8.1doessupport this policy, but it works only if sideloading is enabled on the device. For more information about managing the Start screen layout, see the article, “Customize Windows 8.1 Start Screens by Using Group Policy,” at http://technet.microsoft.com/en-us/library/dn467928.aspx in the TechNet library.
Listing 6 Apply-GroupPolicy.ps1function Apply-GroupPolicy {
# Apply local Group Policy settings from A configuration store # to the local computer, and start the Group Policy service.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing the local Group Policy object to copy”)] ` [string] $Path ) $Target = “C:\Windows\System32\GroupPolicy” $SecurityInfPath = Join-Path $Target “security.inf” $SecuritySdbPath = Join-Path $Target “secedit.sdb”
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Configuring Group Policy on this device.”
Write-Output “...Copying policy settings to the device.” xcopy $Path\*.* $Target\*.* /s /d /h /r /y | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “...Configuring security policy on the device.” secedit /configure /db $SecuritySdbPath /cfg $SecurityInfPath | Out-Null
Write-Output “...Enabling and starting the Group Policy service.” Enable-GroupPolicy
Write-Output “...Updating Group Policy on the device.” gpupdate /force | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished configuring Group Policy on the device.” } else { Write-Output “Skipping Group Policy because path was not found.” }}
16DEPLOYING WINDOWS RT 8.1
Profiles
TheProfilesfolderoftheconfigurationstorecontainswirelessnetworkingprofiles.Theprocessisas follows:
1. On a reference device, connect to each wireless network.
2. Use the example script in Listing 7tocreateawirelessnetworkprofileforeachconnectionintheconfigurationstore.ThescriptcreatesoneXMLfileforeachprofile.
3. Use the example script in Listing 8toaddeachwirelessnetworkprofileintheProfilesfolderto the Windows RT device.
On devices that have a single wireless interface, such as the Surface, Windows RT will automatically connect to network automatically.
LISTING 7 Gather-WirelessProfiles.ps1function Gather-WirelessProfiles {
# Export all wireless profiles on the device to the given $Path.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder in which to store wireless profiles”)][string] $Path )
if (!(Test-Path $Path)) { throw “Unable to export wireless profiles. $Path was not found.” }
Write-Output “Gathering wireless profiles to $Path.”
netsh.exe wlan export profile folder=”$Path” key=clear ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished gathering wireless profiles to $Path.”}
LISTING 8 Apply-WirelessProfiles.ps1function Apply-WirelessProfiles {
# Import each wireless profile found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing wireless profiles to add to the device”)] ` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the interface with which to associate the wireless profiles”)] ` [string] $Interface
17DEPLOYING WINDOWS RT 8.1
)
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $Profiles = Get-ChildItem -Filter *.xml $ProfilesCount = ($Profiles | Measure-Object).Count Write-Output “Importing ($ProfilesCount) wireless profiles from the configuration store.”
$Profiles | ForEach-Object { Write-Output “...$_”
netsh.exe wlan add profile filename=$_ interface=$Interface ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing wireless profiles from the configuration store.” } else { Write-Output “Skipping wireless profiles because path was not found.” }}
Settings
Like any recent version of Windows, Windows RT stores system and user settings in the registry. YoucanexportregistrysettingsfromtheregistrytoREGfiles.Aftereditingthemsothattheycontain only the settings you want to deploy, store them in the Settings subfolder of the configurationstore.
NOTE If you are not familiar with the Windows registry, see the article,” About the Registry,” at http://msdn.microsoft.com/en-us/library/windows/desktop/ms724182(v=vs.85).aspx in the MSDNlibrarybeforeaddingREGfilestotheconfigurationstore.YoumustunderstandhowtocreateREGfilesthatcontainonlythesettingsyouwanttodeploy.
The script in Listing 9importseachREGfileitfindsintheconfigurationstore’sSettingsfolderintothetargetdevice’sregistry.ThisisaneasywaytoconfiguresystemandusersettingsthatyoucannotconfigurethroughlocalGroupPolicy.
LISTING 9 Apply-RegFiles.ps1function Apply-RegFiles {
# Import each registry file found in the configuration store.
18DEPLOYING WINDOWS RT 8.1
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing registry (REG) files to import on the device”)]` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $RegFiles = Get-ChildItem -Filter *.reg $RegFileCount = ($RegFiles | Measure-Object).Count Write-Output “Importing ($RegFileCount) REG files from the configuration store.”
$RegFiles | ForEach-Object { Write-Output “...$_” reg import $_ | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing REG files from the configuration store.” } else { Write-Output “Skipping settings because path was not found.” }}
Tasks
SchoolscanuseWindowsIntunewithorwithoutMicrosoftSystemCenter2012R2ConfigurationManagertomanageWindowsRTdevicesbyusingMobileDeviceManagement(MDM),buttheycannot use Windows Intune to run Windows PowerShell scripts on remote devices. Although Windows Intune does support a subset of local Group Policy settings that it uses to manage compliance(e.g.,WindowsUpdateschedule,passwordpolicy,andsoon),itdoesnotsupportconfigurationofarbitrarylocalGroupPolicysettings.
A simple workaround is to schedule a task on each device that downloads and runs a script from the school’s network once each day. Then, you can update the script as necessary to at least have some capability to touch Windows RT devices. You can also schedule a task that downloads the localGPOfromtheconfigurationstoreonceeachday,allowingyoutoupdatethelocalGPOsbeyond initial delivery. Listing 10 and Listing 11 on page 19 are examples. Schedule Listing 10, which is a batch script that runs the Windows PowerShell script in Listing 11, bypassing execution policy.
LISTING 10 Update-DeviceConfig.cmd@echo off
rem Update-DeviceConfig.cmd
19DEPLOYING WINDOWS RT 8.1
remrem Start Update-DeviceConfig.ps1, bypassing execution policy.
powershell.exe -ExecutionPolicy Bypass ^ %~dp0Update-DeviceConfig.ps1 -PoliciesPath D:\Store\Policies
LISTING 11 Update-DeviceConfig.ps1# Update-DeviceConfig.ps1## This is a sample script that you can run from a scheduled task on each# Windows RT device. Use this script to touch remote devices when they phone# home on schedule. Place it in a network share, which your scheduled task# can access, so that you can update it in the future. See the guide# “Deploying Windows RT 8.1 in education” for more information about using and# customizing this script to configure Windows RT devices in schools.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder containing the local Group Policy object to copy”)] ` [string] $PoliciesPath)$ErrorActionPreference = ‘Stop’
# GLOBAL VARIABLES ##############################################
$PolicyTarget = “C:\Windows\System32\GroupPolicy” # DO NOT CHANGE
# If you change the following folder and file names, you must also change them in# Apply-SharedConfig.pst, Apply-PersonalConfig.pst, and Update-DeviceConfig.pst.
$SecurityInfFile = Join-Path $PolicyTarget “security.inf”$SecuritySdbFile = Join-Path $PolicyTarget “secedit.sdb”
# MAIN ##########################################################
# Update Group Policy on the device.
xcopy $PoliciesPath\*.* $PolicyTarget\*.* /s /d /h /r /y | Out-Nullsecedit /configure /db $SecuritySdbFile /cfg $SecurityInfFile | Out-Nullgpupdate /force | Out-Null
The process is as follows:
1. Onareferencedevice,configureeachtaskthatyouwanttoschedule.Checktheactions,triggers, and settings carefully.
Microsoftrecommendsthatyouconfigurearandomdelayonanytaskthataccessesthenetwork to prevent all of your devices from hitting it at the same time. Of course, test your tasks to make sure they work as expected.
2. ExporteachtaskdefinitiontoanXMLfileintheTaskssubfolderoftheconfigurationstore.InTask Scheduler, click the task you want to export; then, click Export in the Actions pane.
3. Oneachtargetdevice,importthetaskdefinitionsfromtheconfigurationstore.
20DEPLOYING WINDOWS RT 8.1
Listing 12importseachXMLfileitfindsintheTaskssubfolderoftheconfigurationstoreonthe device. In addition to the path, it requires the user name and password of an account under which to run the task. Listing 12 creates that account on the local device and adds it to the local Administrators group.
LISTING 12 Import-ScheduledTasks.ps1function Import-ScheduledTasks {
# Install each task found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing task (XML) files to import into scheduled tasks”)]` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the account under which to run each imported scheduled task”)]` [string] $TaskUser, [Parameter(Mandatory=$true, HelpMessage = ` “Password for the account under which to run each imported scheduled task”)]` [string] $TaskPassword )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path # Create the local administrator account to use for running the tasks.
Write-Output “Creating the local administrator account for $TaskUser.” net user $TaskUser $TaskPassword /add /expires:never /passwordchg:no ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } net localgroup “Administrators” $TaskUser /add ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
# Add each task file to the task scheduler, using our local administrator account.
$TaskFiles = Get-ChildItem -Filter *.xml $TaskFileCount = ($TaskFiles | Measure-Object).Count Write-Output “Importing ($TaskFileCount) scheduled tasks from the configuration store.”
$TaskFiles | ForEach-Object { Write-Output “...$_” $TaskXML = get-content $_ | Out-String Register-ScheduledTask -Xml $TaskXML -TaskName $_ ` -User $TaskUser -Password $TaskPassword }
Pop-Location Write-Output “Finished importing scheduled tasks from the configuration store.” } else { Write-Output “Skipping tasks because path was not found.” }
21DEPLOYING WINDOWS RT 8.1
}
Updates
Windows RT downloads updates over the Internet directly from Microsoft. It does not support WindowsServerUpdateServices(WSUS),andanupdatecatalogisnotavailableforWindowsRT.For updates that you absolutely must install during preparation (e.g., updates on which your apps haveadependency),contactyouraccountteamtoseewhethertheycanprovideupdatepackages(MSUfiles).(Formoreinformationaboutupdatepackages,seethearticle,“Descriptionofthewindows Update Standalone Installer in Windows,” at http://support.microsoft.com/kb/934307 ontheMicrosoftSupportwebsite.)PuteachMSUfileyouraccountteamprovidesintheUpdatesfolderintheconfigurationstore.ThescriptinListing 13 automatically installs each update package thatitfindsintheUpdatesfolderbyusingthecommand-linetoolWusa.exe.
LISTING 13 Apply-UpdateFiles.ps1function Apply-UpdateFiles {
# Install each update found in the configuration store. Windows RT does # not support WSUS and an update catalog is not available. Contact your # account team about acquiring update packages (MSU files).
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Folder containing Microsoft update (MSU) files to install on the device”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $UpdatePackages = Get-ChildItem -Filter *.msu $PackageCount = ($UpdatePackages | Measure-Object).Count Write-Output “Installing ($PackageCount) updates from the configuration store.”
$UpdatePackages | ForEach-Object { Write-Output “...$_” $cmd = “wusa $_ /quiet /norestart” Invoke-Expression $cmd
# Wait until the process finishes before continuing.
while ((Get-Process | Where { $_.Name -eq ‘wusa’}) -ne $null) { Start-Sleep -Seconds 1 } }
Pop-Location Write-Output “Finished installing update packages on the device.” } else { Write-Output “Skipping update packages because path was not found.” }}
22DEPLOYING WINDOWS RT 8.1
Users
In shared-device scenarios, you must create a local account for students to use, but what do you name this account? You can use the same name for the account on every device, but a common alternative is to base the name of the shared user account on the computer, removing any special characters, like dashes. The script in Listing 14 shows an example that creates a local user account based on the computer name. You can easily modify this script to use any other convention, though.
Asabonus,thisscriptalsodemonstrateshowtoconfigurethedevicesothatitautomaticallysignsin by using the shared user account to help students get to the desktop quicker. Alternatively, you canusethenetplwiz.cplControlPanelapplettoconfigureautomaticsign-in.
NOTE The script in Listing 14 uses NET USER to add the shared user account, and it uses the command-line option /expires:never to disable password expiration for the account. In shared-device scenarios, this is necessary to prevent mayhem when devices are distributed in classrooms. However, schools using an MDM service must understand that this option breaks password management in these services.
LISTING 14 Create-SharedUser.ps1function Create-SharedUser {
# Provision a shared local account based on the device’s name.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Password to use for the device’s shared user account”)][string] $Password )
$LocalUserName = $env:ComputerName -replace “-”, “” Write-Output “Creating the local user account $LocalUserName.”
# Use NET USER to add the shared account to this device. This script # disables password expiration for the shared user account, which is # necessary in shared-device scenarios. However, this will break # password management in Mobile Device Management.
net user $LocalUserName $Password /add /expires:never /passwordchg:no ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Configuring device to automatically sign in as $LocalUserName.” Set-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultDomainName -Value $env:ComputerName | Out-Null
23DEPLOYING WINDOWS RT 8.1
Set-ItemProperty -` Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultUserName -Value $LocalUserName | Out-Null New-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultPassword -Value $Password | Out-Null Set-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name AutoAdminLogon -Value “1” | Out-Null
Write-Output “Finished creating the local user account on the device.”}
24DEPLOYING WINDOWS RT 8.1
Building a complete solutionThesamplescriptsin“Creatingtheconfigurationstore”showedhowtosolveindividualproblems,such as applying updates or scheduling tasks. The scripts in this section combine everything intoacompletesolution,includingscriptstostocktheconfigurationstoreandapplysharedandpersonalconfigurations.
Youmuststockmostofthefilesintheconfigurationstoremanually.CopyAPPXfilestotheAppssubfolder,MSUfilestotheUpdatessubfolder,andsoon.However,Listing 15 and Listing 16 automaticallycopylocalGroupPolicysettingsandwirelessnetworkingprofilesfromthereferencedevicetotheconfigurationstore.Listing 15 is a batch script that runs the similarly named Windows PowerShell script while bypassing execution policy, preventing installers from having to set executionpolicytounrestrictedoneachdevicetheyconfigure.
StorebothscriptsintheScriptssubfolderoftheconfigurationstoresothatyoucanaccessthemfromanyreferencedevice.YouspecifythepathtotheconfigurationstoreinthelastlineofListing 15.
Listing 15 Gather-DeviceConfig.cmd@echo off
rem Gather-DeviceConfig.cmdremrem Start Gather-DeviceConfig.ps1, bypassing execution policy.
powershell.exe -ExecutionPolicy Bypass ^ %~dp0Gather-DeviceConfig.ps1 -StorePath D:\Store
Listing 16 Gather-DeviceConfig.ps1# Gather-DeviceConfig.ps1## Gather configuration from reference device and save in the configuration store.# The configuration store can be on a USB flash drive or a network share. See the# guide “Deploying Windows RT 8.1 in education” for more information about using# and customizing this script to configure Windows RT devices in schools.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder containing the configuration store”)][string] $StorePath)
$ErrorActionPreference = ‘Stop’if (!(Test-Path -Path $StorePath -PathType Container)) { throw “$StorePath was not found.”}
# GLOBAL VARIABLES ##############################################
# If you change the following folder and file names, you must also change them in
25DEPLOYING WINDOWS RT 8.1
# Apply-SharedConfig.pst, Apply-PersonalConfig.pst, and Update-DeviceConfig.pst.
$PoliciesPath = Join-Path $StorePath “Policies”$ProfilesPath = Join-Path $StorePath “Profiles”
# FUNCTIONS #####################################################
function Gather-WirelessProfiles {
# Export all wireless profiles on the device to the given $Path.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder in which to store wireless profiles”)][string] $Path )
if (!(Test-Path $Path)) { throw “Unable to export wireless profiles. $Path was not found.” }
Write-Output “Gathering wireless profiles to $Path.”
netsh.exe wlan export profile folder=”$Path” key=clear ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished gathering wireless profiles to $Path.”}
function Gather-GroupPolicy {
# Capture local Group Policy and save in the configuration store. # # Important: Make sure that the path and file name of $StartLayoutFile # is the same as used in the Start Menu Layout Group Policy setting. # By default, these scripts create the file layout.xml in the path # C:\Windows\System32\GroupPolicy. For more information, see # “Deploying Windows RT 8.1 in education.”
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder in which to store the local Group Policy object”)] ` [string] $Path ) $PolicySource = “C:\Windows\System32\GroupPolicy” $SecurityInfFile = Join-Path $PolicySource “security.inf” $StartLayoutFile = Join-Path $PolicySource “layout.xml”
Write-Output “Gathering Group Policy settings to $Path.”
secedit /export /cfg $SecurityInfFile | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Export-StartLayout –path $StartLayoutFile –as XML xcopy $PolicySource\*.* $Path\*.* /s /d /h /r /y | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished gathering Group Policy settings to $Path”
26DEPLOYING WINDOWS RT 8.1
}
# MAIN ##########################################################
Write-Output “Beginning to gather this device’s configuration.”Write-Output “------------------------------------------------------------------------”Gather-GroupPolicy $PoliciesPathWrite-Output “------------------------------------------------------------------------”Gather-WirelessProfiles $ProfilesPathWrite-Output “------------------------------------------------------------------------”Write-Output “Finished gathering this device’s configuration.”
Preparing shared devices for delivery
Similar to the scripts in the previous section, Listing 17 and Listing 18 are complete examples that rely on the examples you learned about in the section, “Creatingtheconfigurationstore”onpage9. Listing 17 runs the Windows PowerShell script in Listing 18 while bypassing execution policy. Listing 18isaworkingexamplethatappliesthecontentsofthepreviouslypreparedconfigurationstore to the target device.
StorebothscriptsintheScriptssubfolderoftheconfigurationstoresothatyoucanaccessthemfromanytargetdevice.YouspecifythepathtotheconfigurationstoreinthelastlineofListing 17.
In shared-device scenarios, the preparation process is as follows:
1. Start the device, and complete the OOBE.
2. At an elevated command prompt, run the code Listing 17, which launches the Windows PowerShell script in Listing 18 while bypassing execution policy.
3. Performanymanualstepsrequiredtoconfigurethedevice(e.g.,installingWindowsStoreapps).
4. Shut down the device, and deliver it to the classroom.
LISTING 17 Apply-SharedConfig.cmd@echo off
rem Apply-SharedConfig.cmdremrem Start Apply-SharedConfig.ps1, bypassing execution policy.
powershell.exe -ExecutionPolicy Bypass ^ %~dp0Apply-SharedConfig.ps1 -StorePath D:\Store
LISTING 18 Apply-SharedConfig.ps1# Apply-SharedConfig.ps1## Apply settings from the configuration store to the local device.
27DEPLOYING WINDOWS RT 8.1
# This script configures shared devices. See Apply-PersonalConfig.ps1# for a script that prepares devices for one-to-one scenarios. See the guide# “Deploying Windows RT 8.1 in education” for more information about using# and customizing this script to configure Windows RT devices in schools.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder containing the configuration store”)][string] $StorePath)
$ErrorActionPreference = ‘Stop’if (!(Test-Path -Path $StorePath -PathType Container)) { throw “$StorePath was not found.”}
# GLOBAL VARIABLES ##############################################
# The following variables define subfolder names within# the configuration store. These scripts expect specific types# of files to appear in specific subfolders. If you change the# following folder and file names, you must also change them in# Gather-DeviceConfig.pst, Apply-PersonalConfig.pst, and# Update-DeviceConfig.pst.
$AppsPath = Join-Path $StorePath “Apps”$FilesPath = Join-Path $StorePath “Files”$LogsPath = Join-Path $StorePath “Logs”$PoliciesPath = Join-Path $StorePath “Policies”$ProfilesPath = Join-Path $StorePath “Profiles”$SettingsPath = Join-Path $StorePath “Settings”$TasksPath = Join-Path $StorePath “Tasks”$UpdatesPath = Join-Path $StorePath “Updates”
# The following variables define the user name and password# to use to create scheduled tasks on each device. The scripts# will add this account to the local device and use it when# creating each scheduled task.
$TaskUser = “DevAdmin”$TaskPassword = “Passw0rd”
# Additional variables:
$Interface = “Wi-Fi” # The name of the Wi-Fi interface on Surface devices$UserPassword = “Passw0rd” # The password to use when creating the shared user account$FilesTarget = “C:” # The root of the file system for applying local files.
# FUNCTIONS #####################################################
function Apply-AppxPackages {
# Install each Windows Store app from the configuration store. # Make sure the Group Policy setting AllowAllTrustedApps is enabled # and a sideloading product key is installed on the device.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing Windows Store app (APPX) packages”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) {
Push-Location -Path $Path
28DEPLOYING WINDOWS RT 8.1
$AppPackages = Get-ChildItem -Filter *.appx $PackageCount = ($AppPackages | Measure-Object).Count Write-Output “Installing ($PackageCount) apps from the configuration store.”
$AppPackages | ForEach-Object { Write-Output “...$_” Add-AppxProvisionedPackage -Online -PackagePath $_ -SkipLicense }
Pop-Location Write-Output “Finished installing app packages on the device.” } else { Write-Output “Skipping Windows Store apps because path was not found.” }}
function Apply-LocalFiles {
# Copy files and folders from the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing folders and files to copy”)][string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Target path to which to copy the source folders and files”)][string] $Target )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Applying files and folders to this device.” xcopy.exe $Path\*.* $Target\*.* /s /d /e /h /r /k /y ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } Write-Output “Finished applying files and folders to this device.” } else { Write-Output “Skipping local files because path was not found.” }}
Function Log-DeviceWithMac {
# Create a file containing the computer name, MAC address # of the first Wi-Fi adapter, and the device’s serial number.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path in which to log the computer’s name, MAC address, and serial number”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Logging the computer name and MAC address in the configuration store.”
$FileName = $env:ComputerName + “_” + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “.txt” $FullFilePath = Join-Path $Path $FileName # Check if the file exists do not write a new file, otherwise write the file.
29DEPLOYING WINDOWS RT 8.1
If (!(Test-Path $FullFilePath)) { $Content = $env:ComputerName + “, “ + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “, “ + ` (Get-WmiObject -Class Win32_BIOS).SerialNumber Add-Content -Path $FullFilePath -Value $Content Write-Output “...$Content” } Write-Output ` “Finished logging the computer name and MAC address in the configuration store.” } else { Write-Output “Did not log the device because path was not found.” }}
function Enable-GroupPolicy {
# Enable and start the Group Policy service.
Set-Service -Name gpsvc -StartupType auto Start-Service -Name gpsvc}
function Apply-GroupPolicy {
# Apply local Group Policy settings from A configuration store # to the local computer, and start the Group Policy service.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing the local Group Policy object to copy”)] ` [string] $Path ) $Target = “C:\Windows\System32\GroupPolicy” $SecurityInfPath = Join-Path $Target “security.inf” $SecuritySdbPath = Join-Path $Target “secedit.sdb”
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Configuring Group Policy on this device.”
Write-Output “...Copying policy settings to the device.” xcopy $Path\*.* $Target\*.* /s /d /h /r /y | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “...Configuring security policy on the device.” secedit /configure /db $SecuritySdbPath /cfg $SecurityInfPath | Out-Null
Write-Output “...Enabling and starting the Group Policy service.” Enable-GroupPolicy
Write-Output “...Updating Group Policy on the device.” gpupdate /force | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished configuring Group Policy on the device.” } else { Write-Output “Skipping Group Policy because path was not found.” }}
30DEPLOYING WINDOWS RT 8.1
function Apply-RegFiles {
# Import each registry file found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing registry (REG) files to import on the device”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $RegFiles = Get-ChildItem -Filter *.reg $RegFileCount = ($RegFiles | Measure-Object).Count Write-Output “Importing ($RegFileCount) REG files from the configuration store.”
$RegFiles | ForEach-Object { Write-Output “...$_” reg import $_ | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing REG files from the configuration store.” } else { Write-Output “Skipping settings because path was not found.” }}
function Import-ScheduledTasks {
# Install each task found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing task (XML) files to import into scheduled tasks”)] ` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the account under which to run each imported scheduled task”)] ` [string] $TaskUser, [Parameter(Mandatory=$true, HelpMessage = ` “Password for the account under which to run each imported scheduled task”)] ` [string] $TaskPassword )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path # Create the local administrator account to use for running the tasks.
Write-Output “Creating the local administrator account for $TaskUser.” net user $TaskUser $TaskPassword /add /expires:never /passwordchg:no ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } net localgroup “Administrators” $TaskUser /add ` | Tee-Object -Variable Results | Out-Null
31DEPLOYING WINDOWS RT 8.1
if ($LASTEXITCODE -ne 0) { throw $Results }
# Add each task file to the task scheduler, using our local administrator account.
$TaskFiles = Get-ChildItem -Filter *.xml $TaskFileCount = ($TaskFiles | Measure-Object).Count Write-Output “Importing ($TaskFileCount) scheduled tasks from the configuration store.”
$TaskFiles | ForEach-Object { Write-Output “...$_” $TaskXML = get-content $_ | Out-String Register-ScheduledTask -Xml $TaskXML -TaskName $_ ` -User $TaskUser -Password $TaskPassword }
Pop-Location Write-Output “Finished importing scheduled tasks from the configuration store.” } else { Write-Output “Skipping tasks because path was not found.” }}
function Apply-UpdateFiles {
# Install each update found in the configuration store. Windows RT does # not support WSUS and an update catalog is not available. Contact your # account team about acquiring update packages (MSU files).
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Folder containing Microsoft update (MSU) files to install on the device”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $UpdatePackages = Get-ChildItem -Filter *.msu $PackageCount = ($UpdatePackages | Measure-Object).Count Write-Output “Installing ($PackageCount) updates from the configuration store.”
$UpdatePackages | ForEach-Object { Write-Output “...$_” $cmd = “wusa $_ /quiet /norestart” Invoke-Expression $cmd
# Wait until the process finishes before continuing.
while ((Get-Process | Where { $_.Name -eq ‘wusa’}) -ne $null) { Start-Sleep -Seconds 1 } }
Pop-Location Write-Output “Finished installing update packages on the device.” } else { Write-Output “Skipping update packages because path was not found.” }
32DEPLOYING WINDOWS RT 8.1
}
function Create-SharedUser {
# Provision a shared local account based on the device’s name.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Password to use for the device’s shared user account”)] ` [string] $Password )
$LocalUserName = $env:ComputerName -replace “-”, “” Write-Output “Creating the local user account $LocalUserName.”
# Use NET USER to add the shared account to this device. This script # disables password expiration for the shared user account, which is # necessary in shared-device scenarios. However, this will break # password management in Mobile Device Management.
net user $LocalUserName $Password /add /expires:never /passwordchg:no ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Configuring device to automatically sign in as $LocalUserName.” Set-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultDomainName -Value $env:ComputerName | Out-Null Set-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultUserName -Value $LocalUserName | Out-Null New-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name DefaultPassword -Value $Password | Out-Null Set-ItemProperty ` -Path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” ` -Name AutoAdminLogon -Value “1” | Out-Null
Write-Output “Finished creating the local user account on the device.”}
function Apply-WirelessProfiles {
# Import each wireless profile found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing wireless profiles to add to the device”)] ` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the interface with which to associate the wireless profiles”)] ` [string] $Interface )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $Profiles = Get-ChildItem -Filter *.xml $ProfilesCount = ($Profiles | Measure-Object).Count Write-Output “Importing ($ProfilesCount) wireless profiles from the configuration store.”
33DEPLOYING WINDOWS RT 8.1
$Profiles | ForEach-Object { Write-Output “...$_”
netsh.exe wlan add profile filename=$_ interface=$Interface ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing wireless profiles from the configuration store.” } else { Write-Output “Skipping wireless profiles because path was not found.” }}
# MAIN
Write-Output “Beginning to configure this device for shared use.”Write-Output “------------------------------------------------------------------------”Apply-WirelessProfiles $ProfilesPath $InterfaceWrite-Output “------------------------------------------------------------------------”Apply-LocalFiles $FilesPath $FilesTargetWrite-Output “------------------------------------------------------------------------”Apply-RegFiles $SettingsPathWrite-Output “------------------------------------------------------------------------”Apply-GroupPolicy $PoliciesPathWrite-Output “------------------------------------------------------------------------”Import-ScheduledTasks $TasksPath $TaskUser $TaskPasswordWrite-Output “------------------------------------------------------------------------”Apply-UpdateFiles $UpdatesPathWrite-Output “------------------------------------------------------------------------”Create-SharedUser $UserPasswordWrite-Output “------------------------------------------------------------------------”Apply-AppxPackages $AppsPathWrite-Output “------------------------------------------------------------------------”Log-DeviceWithMac $LogsPathWrite-Output “------------------------------------------------------------------------”Write-Output “Finished configuring this device for shared use.”
Preparing personal devices for delivery
Whenpreparingpersonaldevicesfordelivery,youusethesameconfigurationstoreyouusedforshareddevices.ThatincludescopyingthelocalGPOandwirelessnetworkingprofilesfromareferencedevicetotheconfigurationstore,addingAPPXandMSUfiles,andsoon.
Afteryouhavestockedtheconfigurationstore,preparingpersonaldevicesfordeliverycanbe easier and a bit quicker than preparing shared devices, mainly because you do not have to completetheOOBEwhenconfiguringthedevice.Instead,youstartdevicesinAuditmode.InAuditmode,youcanconfigureandcustomizedevicespriortodeliveringthemtostudents.Afterthefirsttimestudentsstarttheirdevices,theyseetheOOBE.FormoreinformationaboutAuditmode, see the article, “Audit Mode Overview,” at http://technet.microsoft.com/en-us/library/hh824891.aspx in the TechNet library.
34DEPLOYING WINDOWS RT 8.1
To prepare personal devices for delivery, complete the following steps:
1. Start the device, and wait for the OOBE to begin.
2. Tap the accessibility icon, tap On Screen Keyboard, and then press Ctrl+Shift+Fn+F3 to start the device in Audit mode, signing in to the local Administrator automatically.
3. At an elevated command prompt, run the code in Listing 19, which then launches the code in Listing 20.
BecauseSysprepcannotfinishwhilerestartsarepending,Listing 20finishesbycopyingExit-AuditMode.ps1 (Listing 21)andUnattend.xml(Listing 22)tothedeviceandconfiguresthedevice so that it runs Exit-AuditMode.ps1 the next time the device starts. Exit-AuditMode.ps1 runs Sysprep to reseal the device, exiting Audit mode and shutting the device down.
4. Deliver the device to the student.
LISTING 19 Apply-PersonalConfig.cmd@echo off
rem Apply-PersonalConfig.cmdremrem Start Apply-PersonalConfig.ps1, bypassing execution policy.
powershell.exe -ExecutionPolicy Bypass ^ %~dp0Apply-PersonalConfig.ps1 -StorePath D:\Store
LISTING 20 Apply-PersonalConfig.ps1# Apply-PersonalConfig.ps1## Apply settings from the configuration store to the local device,# and prepare the device for delivery to the student by running Sysprep.# This script configures personal devices. See Apply-SharedConfig.ps1# for a script that prepares devices for shared scenarios. See the guide# “Deploying Windows RT 8.1 in education” for more information about using# and customizing this script to configure Windows RT devices in schools.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path to the folder containing the configuration store”)][string] $StorePath)
$ErrorActionPreference = ‘Stop’if (!(Test-Path -Path $StorePath -PathType Container)) { throw “$StorePath was not found.”}
# GLOBAL VARIABLES ##############################################
$ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path
# The following variables define subfolder names within
35DEPLOYING WINDOWS RT 8.1
# the configuration store. These scripts expect specific types# of files to appear in specific subfolders. If you change the# following folder and file names, you must also change them in# Gather-DeviceConfig.pst, Apply-PersonalConfig.pst, and# Update-DeviceConfig.pst.
$AppsPath = Join-Path $StorePath “Apps”$FilesPath = Join-Path $StorePath “Files”$LogsPath = Join-Path $StorePath “Logs”$PoliciesPath = Join-Path $StorePath “Policies”$ProfilesPath = Join-Path $StorePath “Profiles”$SettingsPath = Join-Path $StorePath “Settings”$TasksPath = Join-Path $StorePath “Tasks”$UpdatesPath = Join-Path $StorePath “Updates”
# The following variables define the user name and password# to use to create scheduled tasks on each device. The scripts# will add this account to the local device and use it when# creating each scheduled task.
$TaskUser = “DevAdmin”$TaskPassword = “Passw0rd”
# Additional variables:
$Interface = “Wi-Fi” # The name of the Wi-Fi interface on Surface devices$FilesTarget = “C:” # The root of the file system for applying local files.
# FUNCTIONS #####################################################
function Apply-AppxPackages {
# Install each Windows Store app from the configuration store. # Make sure the Group Policy setting AllowAllTrustedApps is enabled # and a sideloading product key is installed on the device.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing Windows Store app (APPX) packages”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) {
Push-Location -Path $Path $AppPackages = Get-ChildItem -Filter *.appx $PackageCount = ($AppPackages | Measure-Object).Count Write-Output “Installing ($PackageCount) apps from the configuration store.”
$AppPackages | ForEach-Object { Write-Output “...$_” Add-AppxProvisionedPackage -Online -PackagePath $_ -SkipLicense }
Pop-Location Write-Output “Finished installing app packages on the device.” } else { Write-Output “Skipping Windows Store apps because path was not found.” }}
36DEPLOYING WINDOWS RT 8.1
function Apply-LocalFiles {
# Copy files and folders from the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing folders and files to copy”)][string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Target path to which to copy the source folders and files”)][string] $Target )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Applying files and folders to this device.” xcopy.exe $Path\*.* $Target\*.* /s /d /e /h /r /k /y ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } Write-Output “Finished applying files and folders to this device.” } else { Write-Output “Skipping local files because path was not found.” }}
Function Log-DeviceWithMac {
# Create a file containing the computer name, MAC address # of the first Wi-Fi adapter, and the device’s serial number.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path in which to log the computer’s name, MAC address, and serial number”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Logging the computer name and MAC address in the configuration store.”
$FileName = $env:ComputerName + “_” + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “.txt” $FullFilePath = Join-Path $Path $FileName # Check if the file exists do not write a new file, otherwise write the file.
If (!(Test-Path $FullFilePath)) { $Content = $env:ComputerName + “, “ + ` $((Get-NetAdapter -Name “Wi-FI”).MacAddress ) + “, “ + ` (Get-WmiObject -Class Win32_BIOS).SerialNumber Add-Content -Path $FullFilePath -Value $Content Write-Output “...$Content” } Write-Output ` “Finished logging the computer name and MAC address in the configuration store.” } else { Write-Output “Did not log the device because path was not found.” }}
function Enable-GroupPolicy {
# Enable and start the Group Policy service.
37DEPLOYING WINDOWS RT 8.1
Set-Service -Name gpsvc -StartupType auto Start-Service -Name gpsvc}
function Apply-GroupPolicy {
# Apply local Group Policy settings from A configuration store # to the local computer, and start the Group Policy service.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing the local Group Policy object to copy”)] ` [string] $Path ) $Target = “C:\Windows\System32\GroupPolicy” $SecurityInfPath = Join-Path $Target “security.inf” $SecuritySdbPath = Join-Path $Target “secedit.sdb”
if ((Test-Path -Path $Path -PathType Container)) { Write-Output “Configuring Group Policy on this device.”
Write-Output “...Copying policy settings to the device.” xcopy $Path\*.* $Target\*.* /s /d /h /r /y | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
# For personal configurations, this script does not import the # security settings by using secedit. These security settings can # interfere with running Sysprep in Audit mode, because they # disable the local Administrator account by default. To work # around this problem, the script Exit-AuditMode.ps1 imports the # security settings just prior to running Sysprep.
# Write-Output “...Configuring security policy on the device.” # secedit /configure /db $SecuritySdbPath /cfg $SecurityInfPath | Out-Null
Write-Output “...Enabling and starting the Group Policy service.” Enable-GroupPolicy
Write-Output “...Updating Group Policy on the device.” gpupdate /force | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
Write-Output “Finished configuring Group Policy on the device.” } else { Write-Output “Skipping Group Policy because path was not found.” }}
function Apply-RegFiles {
# Import each registry file found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing registry (REG) files to import on the device”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) {
38DEPLOYING WINDOWS RT 8.1
Push-Location -Path $Path $RegFiles = Get-ChildItem -Filter *.reg $RegFileCount = ($RegFiles | Measure-Object).Count Write-Output “Importing ($RegFileCount) REG files from the configuration store.”
$RegFiles | ForEach-Object { Write-Output “...$_” reg import $_ | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing REG files from the configuration store.” } else { Write-Output “Skipping settings because path was not found.” }}
function Import-ScheduledTasks {
# Install each task found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing task (XML) files to import into scheduled tasks”)] ` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the account under which to run each imported scheduled task”)] ` [string] $TaskUser, [Parameter(Mandatory=$true, HelpMessage = ` “Password for the account under which to run each imported scheduled task”)] ` [string] $TaskPassword )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path # Create the local administrator account to use for running the tasks.
Write-Output “Creating the local administrator account for $TaskUser.” net user $TaskUser $TaskPassword /add /expires:never /passwordchg:no ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } net localgroup “Administrators” $TaskUser /add ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results }
# Add each task file to the task scheduler, using our local administrator account.
$TaskFiles = Get-ChildItem -Filter *.xml $TaskFileCount = ($TaskFiles | Measure-Object).Count Write-Output “Importing ($TaskFileCount) scheduled tasks from the configuration store.”
$TaskFiles | ForEach-Object {
39DEPLOYING WINDOWS RT 8.1
Write-Output “...$_” $TaskXML = get-content $_ | Out-String Register-ScheduledTask -Xml $TaskXML -TaskName $_ ` -User $TaskUser -Password $TaskPassword }
Pop-Location Write-Output “Finished importing scheduled tasks from the configuration store.” } else { Write-Output “Skipping tasks because path was not found.” }}
function Apply-UpdateFiles {
# Install each update found in the configuration store. Windows RT does # not support WSUS and an update catalog is not available. Contact your # account team about acquiring update packages (MSU files).
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Folder containing Microsoft update (MSU) files to install on the device”)] ` [string] $Path )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $UpdatePackages = Get-ChildItem -Filter *.msu $PackageCount = ($UpdatePackages | Measure-Object).Count Write-Output “Installing ($PackageCount) updates from the configuration store.”
$UpdatePackages | ForEach-Object { Write-Output “...$_” $cmd = “wusa $_ /quiet /norestart” Invoke-Expression $cmd
# Wait until the process finishes before continuing.
while ((Get-Process | Where { $_.Name -eq ‘wusa’}) -ne $null) { Start-Sleep -Seconds 1 } }
Pop-Location Write-Output “Finished installing update packages on the device.” } else { Write-Output “Skipping update packages because path was not found.” }}
function Apply-WirelessProfiles {
# Import each wireless profile found in the configuration store.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing wireless profiles to add to the device”)] ` [string] $Path, [Parameter(Mandatory=$true, HelpMessage = ` “Name of the interface with which to associate the wireless profiles”)] `
40DEPLOYING WINDOWS RT 8.1
[string] $Interface )
if ((Test-Path -Path $Path -PathType Container)) { Push-Location -Path $Path $Profiles = Get-ChildItem -Filter *.xml $ProfilesCount = ($Profiles | Measure-Object).Count Write-Output “Importing ($ProfilesCount) wireless profiles from the configuration store.”
$Profiles | ForEach-Object { Write-Output “...$_”
netsh.exe wlan add profile filename=$_ interface=$Interface ` | Tee-Object -Variable Results | Out-Null if ($LASTEXITCODE -ne 0) { throw $Results } }
Pop-Location Write-Output “Finished importing wireless profiles from the configuration store.” } else { Write-Output “Skipping wireless profiles because path was not found.” }}
function Start-Sysprep {
# Prepare the device to run Sysprep the next time the device starts.
param ( [Parameter(Mandatory=$true, HelpMessage = ` “Path of the folder containing this script and Unattend.xml”)] ` [string] $ScriptPath )
$TargetPath = “C:\Windows\Panther” $SaveUnattendFile = “Unattend.sav” $RunOnceSource = Join-Path $ScriptPath Exit-AuditMode.ps1 $RunOnceTarget = Join-Path $TargetPath Exit-AuditMode.ps1 $SourceUnattendFile = Join-Path $ScriptPath Unattend.xml $TargetUnattendFile = Join-Path $TargetPath Unattend.xml
# Copy the Unattend.xml file from the configuration store # to the Panther folder on the Windows RT device.
if (Test-Path $SourceUnattendFile ) { Write-Output “Copying Unattend.xml to the device.” if (Test-Path $TargetUnattendFile ) { Rename-Item $TargetUnattendFile $SaveUnattendFile } Copy-Item $SourceUnattendFile $TargetUnattendFile }
# Prepare the Windows RT device to run Exit-AuditMode.ps1 the # next time the device starts. We use the RunOnce registry key.
if (test-path $RunOnceSource ) { Write-Output “Preparing the device to restart.” Copy-Item $RunOnceSource $RunOnceTarget New-ItemProperty `
41DEPLOYING WINDOWS RT 8.1
-Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ` -Name Sysprep ` -Value “powershell.exe -ExecutionPolicy Bypass $RunOnceTarget” | Out-Null }}
# MAIN ##########################################################
Write-Output “Beginning to configure this device for personal use.”Write-Output “This process is complete after the device shuts down.”Write-Output “------------------------------------------------------------------------”Apply-WirelessProfiles $ProfilesPath $InterfaceWrite-Output “------------------------------------------------------------------------”Apply-LocalFiles $FilesPath $FilesTargetWrite-Output “------------------------------------------------------------------------”Apply-RegFiles $SettingsPathWrite-Output “------------------------------------------------------------------------”Apply-GroupPolicy $PoliciesPathWrite-Output “------------------------------------------------------------------------”Import-ScheduledTasks $TasksPath $TaskUser $TaskPasswordWrite-Output “------------------------------------------------------------------------”Apply-UpdateFiles $UpdatesPathWrite-Output “------------------------------------------------------------------------”Apply-AppxPackages $AppsPathWrite-Output “------------------------------------------------------------------------”Log-DeviceWithMac $LogsPathWrite-Output “------------------------------------------------------------------------”Start-Sysprep $ScriptPathshutdown /r /t 0
LISTING 21 Exit-AuditMode.ps1# Exit-AuditMode.ps1## The script Apply-PersonalConfig.ps1 uses this script to exit Audit mode by running Sysprep.# Sysprep cannot run while restarts are pending. Apply-PersonalConfig sets this script to run# the next time the device starts, and then restarts the device to clear pending restarts.## See the guide “Deploying Windows RT 8.1 in education” for more information about using# and customizing this script to configure Windows RT devices in schools.
$Target = “C:\Windows\System32\GroupPolicy”$SecurityInfPath = Join-Path $Target “security.inf”$SecuritySdbPath = Join-Path $Target “secedit.sdb”
# Run secedit to import the security configuration. This must be done# just prior to running Sysprep because the security configuration can# interfere with restarting the device in Audit mode, since the default# security configuration disables the local Administrator account.
secedit /configure /db $SecuritySdbPath /cfg $SecurityInfPath | Out-NullStop-Process -Name sysprep -ErrorAction SilentlyContinueC:\Windows\System32\Sysprep\Sysprep.exe /oobe /shutdown
LISTING 22 Unattend.xml<?xml version=”1.0” encoding=”utf-8”?><unattend xmlns=”urn:schemas-microsoft-com:unattend”> <settings pass=”specialize”> <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”arm” publicKeyToken=”31bf3856ad364e35”
42DEPLOYING WINDOWS RT 8.1
language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”> <ComputerName>Surface</ComputerName> <RegisteredOrganization>Contoso</RegisteredOrganization> <RegisteredOwner>Contoso</RegisteredOwner> <DoNotCleanTaskBar>true</DoNotCleanTaskBar> <TimeZone>Pacific Standard Time</TimeZone> </component> <component name=”Microsoft-Windows-International-Core” processorArchitecture=”arm” publicKeyToken=”31bf3856ad364e35” language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”> <InputLocale>0409:00000409</InputLocale> <SystemLocale>en-US</SystemLocale> <UILanguage>en-US</UILanguage> <UserLocale>en-US</UserLocale> </component> <component name=”Security-Malware-Windows-Defender” processorArchitecture=”arm” publicKeyToken=”31bf3856ad364e35” language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”> <TrustedImageIdentifier>81b553fb-1321-4862-9269-594e5c04c1f2</TrustedImageIdentifier> </component> </settings> <settings pass=”oobeSystem”> <component name=”Microsoft-Windows-Shell-Setup” processorArchitecture=”arm” publicKeyToken=”31bf3856ad364e35” language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”> <OEMInformation> <HelpCustomized>false</HelpCustomized> <Logo>C:\Windows\System32\OOBE\Info\surface.bmp</Logo> <Manufacturer>Microsoft Corporation</Manufacturer> <SupportURL>http://www.microsoft.com/surface/support</SupportURL> <SupportPhone> U.S./Canada: 1-800-Microsoft (642-7676); Mexico: 01 800 123 3353 </SupportPhone> </OEMInformation> <OOBE> <HideEULAPage>true</HideEULAPage> <HideLocalAccountScreen>false</HideLocalAccountScreen> <HideOnlineAccountScreens>false</HideOnlineAccountScreens> <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> <NetworkLocation>Work</NetworkLocation> <ProtectYourPC>1</ProtectYourPC> <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> </OOBE> <StartTiles> <WideTiles> <WideTile1>
43DEPLOYING WINDOWS RT 8.1
<AppId>Microsoft.FreshPaint_8wekyb3d8bbwe!Microsoft.FreshPaint</AppId> </WideTile1> </WideTiles> <SquareTiles> <SquareTile1> <AppId> Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim </AppId> </SquareTile1> <SquareTile2> <AppId>Microsoft.SkypeWiFi_kzf8qxf38zg5c!App</AppId> </SquareTile2> </SquareTiles> </StartTiles> <UserAccounts> <LocalAccounts> <LocalAccount wcm:action=”add”> <Password> <Value>Passw0rd</Value> <PlainText>true</PlainText> </Password> <Description></Description> <DisplayName>SchoolAdmin</DisplayName> <Name>SchoolAdmin</Name> <Group>Administrators</Group> </LocalAccount> </LocalAccounts> </UserAccounts> <RegisteredOrganization>Contoso</RegisteredOrganization> <RegisteredOwner>Contoso</RegisteredOwner> <TimeZone>Pacific Standard Time</TimeZone> </component> <component name=”Microsoft-Windows-International-Core” processorArchitecture=”arm” publicKeyToken=”31bf3856ad364e35” language=”neutral” versionScope=”nonSxS” xmlns:wcm=”http://schemas.microsoft.com/WMIConfig/2002/State” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”> <InputLocale>0409:00000409</InputLocale> <SystemLocale>en-US</SystemLocale> <UILanguage>en-US</UILanguage> <UserLocale>en-US</UserLocale> </component> </settings></unattend>
44DEPLOYING WINDOWS RT 8.1
Network filtering recommendationsA common challenge in schools is providing student access to the Internet from Windows RT devices.Schoolsusenetworkfiltersthatworkseamlesslywithdomain-joinedPCsbutnotworkgroup devices, like Windows RT devices. There are three ways to get these devices through firewalls:
• User authentication After students sign in to their Windows RT device by using their local orMicrosoftaccounts,theycanauthenticatewiththefirewallbyusingtheirdomainaccounts.Thismethodhastheaddedbenefitthattrackingbehaviortoindividualsiseasierthanothermethods(e.g.,bullyinginvestigations).
• MAC security filtering AcommonsolutionistoenableMACaddresssecurityfilteringonthefirewall,thenaddingeachWindowsRTdevice’sMACaddresstoit.Listing3recordseachdevice’s name and MAC address in the Logs folder to provide the data for this solution.
• Certificate-based authentication SchoolscaninstallcertificatesonWindowsRTdevicesandusethemtoauthenticatewiththefirewall.Deployingcertificatestothedevicesandconfiguringcertificate-basedauthenticationcanbechallengingtoautomate,butWindowsIntuneplusSystemCenter2012R2ConfigurationManagerprovidesthisfunctionality.
45DEPLOYING WINDOWS RT 8.1
Local Group Policy settingsTable 2 describes Group Policy settings that schools might evaluate when planning Windows RT deployment.Manyofthesepoliciesmightleavethedeviceinastatewhereitisdifficulttomanageor support. Schools have a tendency to over-manage Windows RT devices by using local Group Policy when they would be better off allowing the standard user account to do its job. For example, instead of locking all users out of the Control Panel, simply rely on standard user accounts not being able to change system settings that adversely affect the device. Likewise, standard users cannotsaveorchangefilesinsystemfolders.
TaBLE 2 Local Group Policy settings for evaluation
Location name
ComputerConfiguration\WindowsSettings\Security Settings\Account Policies
• Password Policy
ComputerConfiguration\AdministrativeTemplates\Windows Components\App Package Deployment
• Allow all trusted apps to install
ComputerConfiguration\AdministrativeTemplates\Edge UI
• Disable help tips
ComputerConfiguration\AdministrativeTemplates\Sync your settings
• Do not sync
UserConfiguration\Scripts • Logon
• Logoff
UserConfiguration\AdministrativeTemplates\Control Panel
• HidespecifiedControlPanelitems
• Prohibit access to Control Panel and PC settings
• ShowonlyspecifiedControlPanelitems
46DEPLOYING WINDOWS RT 8.1
Location name
UserConfiguration\AdministrativeTemplates\Start Menu and Taskbar
• Clear history of recently opened documents on exit
• Clearhistoryoftilenotificationsonexit
• Go to the desktop instead of Start when signing in
• Lock the Taskbar
• Start Screen Layout
• Prevent users from customizing their Start screen
• Do not keep history of recently opened documents
• Prevent changes to Taskbar and Start menu settings
• Prevent users from uninstalling applications from Start
• Pin apps to Start when installed
UserConfiguration\AdministrativeTemplates\System
• Prevent access to the command prompt
• Prevent access to registry editing tools
• Don’trunspecifiedWindowsapplications
• RunonlyspecifiedWindowsapplications
UserConfiguration\AdministrativeTemplates\System\Logon
• Run these programs at user logon
UserConfiguration\AdministrativeTemplates\Windows Components\App runtime
• Allow Microsoft accounts to be optional
UserConfiguration\AdministrativeTemplates\Windows Components\Credential user interface
• Do not display the password reveal button
UserConfiguration\AdministrativeTemplates\Windows Components\File Explorer
• Hidethedrop-downlistofrecentfiles
• Hide the common dialog Places Bar
• Items displayed in Places Bar
UserConfiguration\AdministrativeTemplates\Windows Components\Internet Explorer
• Do not allow users to enable or disable add-ons
UserConfiguration\AdministrativeTemplates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
• Site to Zone Assignment List
• User data persistence
47DEPLOYING WINDOWS RT 8.1
Location name
UserConfiguration\AdministrativeTemplates\Windows Components\Internet Explorer\Internet Settings
• Set how links are opened in Internet Explorer
• Open Internet Explorer tiles on the desktop
UserConfiguration\AdministrativeTemplates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client
• Do not allow passwords to be saved
UserConfiguration\AdministrativeTemplates\Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections
• SpecificdefaultconnectionURL
UserConfiguration\AdministrativeTemplates\Windows Components\Store
• Turn off the offer to update to the latest version of Windows
• Turn off the Store application
UserConfiguration\AdministrativeTemplates\Windows Components\Windows Mail
• Turn off Windows Mail application
