This is one of those blog posts that tries to answer lots of questions and at the same time create new ones. I get a lot of questions regarding the topic of “Image Customization”, mainly about how-to, but
Why?
Before you even consider doing this, you need to understand why. The reason “we have always done that” is not really a great answer. There are basically two kinds of devices. The device is either going to be used as a “normal” computer by a user, or it is a “thing”, in other words a task-oriented computer, like a teller machine or a kiosk machine. The latter type needs heavy modifications to be adjusted, but spending the same effort on a regular computer is just a waste of time.
But my users are idiots?
No, they are not. There will always be a few percent that don’t want to learn or actually have a hard time figuring out how to perform certain operations. But modifying every car on the planet so that every person can drive them is not really a smart thing; if a few percent of the org cannot figure out how to add an application from ConfigMgr, why would you make it impossible for the others to do so? Help the few percent that cannot do it, and ask yourself the following:
– Do you reimage the phone for them?
– Do you reimage the TV set for them?
– Do you reimage the car stereo for them?
Windows 10 is different in more ways than you can imagine
First, the operating system is “serviced”. That means that you will receive a new version approximately 2 times every year, and that will be an upgrade, meaning it will bring back the same apps you spent so many hours removing, so that was just a waste of time.
Windows 10 will stick around for a while and it will not change much over the next 9 years (I’d guess), so it is better that users learn it. They will have it at home, and having a look and feel that is similar makes sense for most users, but trying to make Windows 10 look like Windows 7 does not really help people, it just prolongs the learning they need to do.
If you need to redo the work every time there is a new version, you will spend the rest of the Windows 10 era finding new ways to do these modifications, since the solution that worked in one version will most likely be broken in the next; we see that happen over and over again.
My users should not be able to run “that”
Ok, so you want to remove the Xbox application, because? What is the danger? What could possibly happen? Users are usually afraid of everything, so they don’t click at all when they have no idea what it is, and even if they do, running the Xbox app does not really do any harm. There are Security Baseline policies that include the possibility to turn off many of those settings (not all), but this one will fix a lot of those “consumer” things:
“Enabled "Turn off Microsoft consumer experiences"” – https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/
Maybe there are other tasks that are more important than making sure that it “looks” like Windows 7?
There are a lot of new security features that are very important; maybe it is better to think of a way to shift from BIOS to UEFI. That makes it possible to take advantage of many things, like Secure Boot and one of the most important features in Windows 10, Credential Guard, which depends on UEFI and Secure Boot being in place.
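As an added example (not from the original post), a PowerShell report that checks the points above on a Windows 10 machine: whether the baseline setting “Turn off Microsoft consumer experiences” is enforced through its policy registry value, and whether the box is on UEFI with Secure Boot and Credential Guard running. The policy key, value name and WMI class used are the ones Windows itself uses for these settings; the `Set-ConsumerFeaturesPolicy` helper is an assumed convenience for stand-alone machines, and in a domain the GPO should set it instead.

```powershell
# Added example: compliance report for policy-based consumer-feature suppression,
# UEFI, Secure Boot and Credential Guard. Run in an elevated PowerShell on Windows 10.
# Assumption: this registry value mirrors the GPO setting "Turn off Microsoft
# consumer experiences" (Computer Configuration > Administrative Templates >
# Windows Components > Cloud Content).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
$PolicyName = 'DisableWindowsConsumerFeatures'

function Get-ConsumerFeaturesPolicy {
    # $true when the baseline setting is enforced via the policy key (DWORD = 1)
    $item  = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyName -eq 1)
}

function Set-ConsumerFeaturesPolicy {
    # Writes the same value the GPO would; only for machines outside a domain
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-FirmwareType {
    # FIRMWARE_TYPE is populated by Windows 8 and later: 'UEFI' or 'Legacy'
    return $env:firmware_type
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so report that as not applicable
    try { return [bool](Confirm-SecureBootUEFI) } catch { return 'n/a (legacy BIOS)' }
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'unknown (class not available)' }
    return ($dg.SecurityServicesRunning -contains 1)
}

# Report: anything other than UEFI / True / True is a better use of time than image hacking
[pscustomobject]@{
    ConsumerFeaturesDisabled = Get-ConsumerFeaturesPolicy
    FirmwareType             = Get-FirmwareType
    SecureBoot               = Get-SecureBootState
    CredentialGuardRunning   = Get-CredentialGuardState
} | Format-List
```

Credential Guard also needs virtualization extensions enabled in firmware, so a `False` for it on a UEFI machine with Secure Boot on usually points at the firmware settings rather than at Windows.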
Supported?
If you really want to do image hacking, maybe you should consider whether it is supported. Just because you can make it work today, it might break the ability to deploy upgrades and updates when the next version comes around.
Yes, I do lots of modifications!
But I also have a long conversation with the customer before we go ahead and do it, and I always check with friends inside Microsoft to see if it is kind of “ok” before we do that.
What could be ok?
That is kind of easy: everything you can modify using GPO or GPPs is usually perfectly fine to do, and in most cases using PowerShell is also fine.
What I’m really trying to say is
Think for a while: is that really, REALLY needed? Or is it just “something we have always done”?
Where can I find information about this stuff?
https://blogs.technet.microsoft.com/mniehaus/2015/12/31/updated-remove-apps-script-and-a-workaround/
https://blogs.technet.microsoft.com/deploymentguys/
/mike
Categories: OSD
About customizing and locking down, I usually say to the person who wants to do it: “do you also want to make sure that the mouse is on the right side of the keyboard and that the user cannot move it to the left? Do you want to dictate how many papers a user can have on his/her desk? Is it company policy to not allow pictures of your SO or family? Or do you just want to give them a recommended experience by doing default installations but allowing the user to customize?”
Some take the hint.
I agree, making configuration adjustments that “help” the user to do the right thing is great; a policy that by default makes them save a document in the preferred location makes sense. In some cases there could be a company policy that dictates that the background picture must be the logo, we have that in some cases, I’m fine with that too, but just locking down the ability to use the task manager for the reason of “They should not use that” is useless.
All customization in any corporate environment should be done via GPO and nothing more. Other than setting some default start menu pinned items and groups, or maybe setting IE11 as the default browser, there’s little that should be pushed down during MDT that can’t be a policy.
I’d like to stick with GPOs for Edge, but they’ve provided so few policies. When I tell higher ups, they claim we should just switch to Chromebooks…which looks like it’s coming. :( I can’t defend Windows like I used to.
Use IE 11 if you need “control”, or use “Chrome” on W10 and manage it “like a Chromebook”.
Great article, and I try to have similar conversations with customers regarding Windows 10 SOE projects. Some changes that currently need to be made to the image include removing the OneDrive setup registry key, removing Universal apps (new user login performance), start menu modifications and loading up .NET 3.5 for some corporate applications; that is about all I do when capturing an image. Ideally, I would like a GPO to simply replace the pinned Edge icon for users with IE and then we would be sorted. I don’t recommend anyone use those run-once scripts to replace the taskbar as that is just messy later.
I completely agree! We used to have a heavily customized Image for Windows 7 which included all kinds of problems.
With Windows 10 we will go with the stock image and do some light modifications in the OSD TS.
Mainly: Removing the Windows Apps with a PS script. There was some disagreement whether to remove them or not but in the end the higher ups decided to remove them all (which I was all for).
I think with the constant updates we will see with Windows 10, customizing the images would create an unnecessary workload while not gaining much. The TS offers more flexibility and hopefully will do just as well.