Two NTLite Questions

1) All my images created with NTLite are hardware-agnostic. I built the images in an internal VM (Hyper-V) environment that does not connect to the internet and use a cmd script to automate app installation in Sysprep Audit Mode via an internal share drive.

2) Yes you can, but I do not suggest you remove too much. As long as the apps are not disturbing, you should keep them. The point to keep in mind is that you may one day need those apps and you have no way to install them back. So we should cut those apps that you are sure you do not want to see in your environment. For example, Xbox-related apps are irrelevant and disturbing in a work environment.
The reason apps are being removed is for a more sanitized environment to simulate a specific work lab which is a secure environment with no connectivity. Win Apps do have vulnerabilities occasionally which would then have to be updated, which becomes more of a hassle in an environment without external connectivity. Even for normal environments, to simulate that you're talking airgapping, so when you start talking about win apps and airgapping that's not even worth the hassle.

Things like Office Hub, OneDrive, Snip and Sketch, OneNote, etc. Win apps as you know are per user not per machine. I've seen them where even after uninstalling via PowerShell they still show up as being under the system profile as "system (staged)". The environment I am trying to simulate is not an everyday workday production environment but more a specific lab use environment performing specific work.
 
The environment I am trying to simulate is not an everyday workday production environment but more a specific lab use environment performing specific work.

Would you elaborate on such a specific lab environment? While NTLite is fully capable of making a very vanilla Windows, without further information (such as specific application requirements of the lab, or what kind of specific work), I would not suggest app removals. I am not even sure if I should suggest a "consumer" OS for such a specific lab purpose. Rather I would suggest you try Windows LTSC for the work.
 
Things like Office Hub, OneDrive, Snip and Sketch, OneNote, etc. Win apps as you know are per user not per machine. I've seen them where even after uninstalling via PowerShell they still show up as being under the system profile as "system (staged)". The environment I am trying to simulate is not an everyday workday production environment but more a specific lab use environment performing specific work.
AppX packages are "installed" or more accurately provisioned on a per-user basis. If you don't perform a Remove-AppxPackage for all user profiles, then the package isn't removed from the system. That's because Windows expects a future user might want to run that same app.
 
I know the command and yes I get they are on a per user basis which when distributing applications is the least desirable method. Per machine is the preferred method whenever possible.

Get-AppxPackage *office* -AllUsers | Remove-AppxPackage -AllUsers

And sometimes it works and sometimes it doesn't. I don't know if sometimes it's because a user account no longer exists but the SID does. I don't know if it's because, let's be honest, the Windows Store has gone through quite a few revisions. And even if you don't agree with me on that last statement I think we can agree that the store is not really well documented.

You have provisioned packages and where can I get a detailed list on those. The store was just never put together well. And why install any? I get convenience but why not just download from the store. Yes that would provide issues for offline and yes you can sideload but getting packages to sideload for Windows definitely takes more effort than say sideloading on other OSes.
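The two layers discussed in the posts above, the packages provisioned in the image and the per-user registrations (including "Staged" entries and SIDs whose account is gone), can be listed side by side with the built-in Appx and DISM cmdlets. This is an added example, not part of any post in the thread; `$Pattern` and `$Remove` are assumed names, and removal only runs when `$Remove` is set.

```powershell
# Added example; run elevated on the reference machine (Sysprep Audit Mode works).
$Pattern = '*office*'   # sample filter, same wildcard as the command in the thread
$Remove  = $false       # assumption: report only unless set to $true

# Layer 1: packages provisioned in the image, installed for every new profile.
$provisioned = @(Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -like $Pattern })

# Layer 2: per-user registrations, one row per SID, with its install state.
$perUser = foreach ($pkg in Get-AppxPackage -AllUsers -Name $Pattern) {
    foreach ($info in $pkg.PackageUserInformation) {
        $sid = $info.UserSecurityId.Sid
        [pscustomobject]@{
            Package    = $pkg.PackageFullName
            Sid        = $sid
            State      = $info.InstallState      # Installed, Staged, ...
            # No profile for the SID points at a deleted account.
            HasProfile = [bool](Get-CimInstance Win32_UserProfile -Filter "SID='$sid'")
        }
    }
}

$provisioned | Select-Object DisplayName, Version, PackageName | Format-Table -AutoSize
$perUser | Sort-Object Package, Sid | Format-Table -AutoSize

if ($Remove) {
    # Remove the provisioned copy first so new profiles stop receiving the app,
    # then the existing per-user registrations.
    foreach ($p in $provisioned) {
        Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName
    }
    Get-AppxPackage -AllUsers -Name $Pattern | Remove-AppxPackage -AllUsers
}
```

Saving the two tables before and after a removal pass gives a record of which packages and SIDs were still present on the image.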
 
Would you elaborate on such a specific lab environment? While NTLite is fully capable of making a very vanilla Windows, without further information (such as specific application requirements of the lab, or what kind of specific work), I would not suggest app removals. I am not even sure if I should suggest a "consumer" OS for such a specific lab purpose. Rather I would suggest you try Windows LTSC for the work.
Win 10 Pro or Enterprise are not really consumer based. Yes most people probably use Pro at home now but keep in mind Pro was not designed with consumers in mind when W2K Pro was introduced. Lab environments where you would not want that or use those apps would be data modeling, simulations, various other sorts where what you are using those machines for is basically analyzing data where really all you care about is data throughput. And many stay away from LTSC just because of the fact that Pro and Enterprise are available.

If you ever work with traders, and I mean high volume: a single trader, a lot of them will have at least two machines, sometimes three or four, and only one of those machines is actually used for user productivity such as email, browsing, etc. The other machines are simply used to pump data through and analyze it.
 
Part of this is Microsoft's fault when they went to the channel methodology, and when they first introduced it there were a lot more channels (previously known as branches) and that's when LTSC was actually known as LTSB - Long Term Service Branch. And when releases came out depended on which branch you were in. LTSB was more like banks, ATMs, etc.

LTSC is not that great if you are also in a compliance driven environment. This is why many use Pro or Enterprise and use a less is more approach. While I am emulating the lab. In the lab recently we made the decision to remove Edge from all the machines but a handful due to how often Edge has been getting updated. Imagine if you are doing compliance scans that require updated defs/rulesets but before you can do that you have to run Windows Update, any Edge updates, virus signature updates before you can even get to updating the scanners, because if you don't the scanners are going to hit on them, and it's all being done via an airgap methodology.
 
I see you typed a lot of words, but you really have not elaborated on your requirements. For example:

1) Do you want the machines to connect to the Internet? Or just in an isolated lab environment? Or is the "lab environment" actually connecting to the Internet?
2) Do any of your "required" applications need to be installed from Microsoft Store, or are they installed manually? Or do you think they will ever be moved to the Store?
3) Do you actually need to perform "Windows Update" every month to patch the machines? Or are you setting up WSUS servers for that purpose? Do you actually need antivirus such as Microsoft Defender update every day via the Internet?
4) Any reason specific to your use case such that LTSC is not a viable option?

These are the types of questions that I would like to see addressed before suggesting app removals. You do not need to tell me about the history of Windows 10 because I supported it since v1607. We have deployed LTSB before for specific tasks with great results.

If you are not really specific about your requirements, it is difficult for the discussion to continue. I would probably stop here.
 
Actually there are many environments where this is useful. I am sorry you have not come across them. Many entities do not like to use LTSB/LTSC as it is a slower update channel; it always has been.

Environments that are stressing high security compliance would be an example of where this would be used. The machines do need to be updated as regularly as possible for compliance since the machines might have to be scanned at any time and no, we're not talking virus scans. The reason for the app removal is the machines do not have external connectivity, therefore they have to be updated using an airgap method with Microsoft's offline scan file and a third party product that I'm using.

The Windows App store has always been horrible from an O&M aspect. MS has never made it easy to do anything with the Store apps; it's why most people avoid them like the plague. In this environment you would have to update them manually which would be extremely painstaking and not worth the effort.

I did not appreciate this sentence just because you are unfamiliar with a use case scenario for what I am doing. I more than know what my requirements are and I am sorry if you don't understand them.
"If you are not really specific about your requirements, it is difficult for the discussion to continue. I would probably stop here."

Had you read the post and paid attention. It was right in the post.
"more sanitized environment to simulate a specific work lab which is a secure environment with no connectivity"

And while it has no connectivity it must be updated regularly which is why I mentioned airgapping. Now if you're not familiar with the concept of airgapping or high security environments then this probably isn't a good discussion for you.
 
Computer name, accounts, passwords, and logo, are all things you would modify in the unattend XML. NTLite will have some guidance in the tool, but otherwise you have to research those to learn more (link). The best advice anyone could give before you get started, is test everything in layers, meaning if you make an unattend XML, test it to completion before thinking about moving to component removals or other tweaks. The unattend layer is one that many people get wrong, so iron that out by itself or it will come back to bite you later.
Hey had a question on the unattend.xml. After much thought tried to keep it pretty simple less possible points of failure that way.

If I am getting a disk config error, is it possible that just changing the type from Primary to EFI could resolve the issue?

Most if not all of these machines do have a UEFI BIOS. Mostly Dell, I do have one HP which is worse than Dell with HP's implementation of Wolf Security.

I am trying to include a disk wipe at the beginning so not sure if there was anything special I had to do besides setting the disk wipe option in the Ntouch unattend section.

Lastly, if just changing the disk type from "Primary" to "EFI" in the unattend.xml in Wordpad I am assuming I can just save the file and burn a new iso.
 
Now if you're not familiar with the concept of airgapping or high security environments then this probably isn't a good discussion for you.
Nevermind, you have already ended a discussion with someone who deployed >10000 Windows 10/11 GAC/SAC/LTSC/LTSB in a city with the most secure organization required by law.

PS: I hope your journey to an "air-gapped yet updated with no unwanted apps Windows consumer OS" could come to a great end.
 
Think I found my disk configuration error with the autounattend.xml. One question. NTouch sets up the install partition to 10000. Can the value of Extend be put in there?
 
In regards to disk space for the system drive. In the unattended section I did not see anywhere to set the system drive to extend. Is this accomplished by replacing the value of 10000 with the word Extend?

Also if this is just a newer version of this image that I am just making some tweaks and corrections to I had some registry tweaks do I need to apply those keys again or should they already be in here from the previous image built.
 
From Unattended mode, the Configure disk wizard has a "double arrow" for extending the system partition.

Due to a design problem with unattended files, this moves the Recovery partition before the Windows partition. That's because "extend" means "extend until the end of the disk", and not "extend until the next assigned partition".

If you have an existing image, you can always change the Unattended settings without redoing the image. NTLite will just create a new unattended file in the ISO folder.
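The points raised in the disk-layout posts above (partition type on UEFI machines, the disk wipe option, and Extend meaning "to the end of the disk") can be checked in an answer file before building a new ISO. This is an added example, not NTLite's code or output; `Test-UnattendDiskLayout` is a hypothetical helper and the XML is a constructed, simplified sample that deliberately contains the mistakes.

```powershell
# Constructed sample; real answer files also carry wcm:action attributes and
# component metadata. Mistakes are deliberate so every check produces a finding.
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="windowsPE">
 <component name="Microsoft-Windows-Setup"><DiskConfiguration><Disk>
  <DiskID>0</DiskID><WillWipeDisk>false</WillWipeDisk>
  <CreatePartitions>
   <CreatePartition><Order>1</Order><Type>Primary</Type><Size>100</Size></CreatePartition>
   <CreatePartition><Order>2</Order><Type>MSR</Type><Size>16</Size></CreatePartition>
   <CreatePartition><Order>3</Order><Type>Primary</Type><Size>10000</Size><Extend>true</Extend></CreatePartition>
   <CreatePartition><Order>4</Order><Type>Primary</Type><Size>1000</Size></CreatePartition>
  </CreatePartitions>
 </Disk></DiskConfiguration></component>
</settings></unattend>
'@

# Hypothetical helper: returns one finding string per problem, nothing if clean.
function Test-UnattendDiskLayout {
    param([Parameter(Mandatory)][xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    foreach ($disk in $Unattend.SelectNodes('//u:DiskConfiguration/u:Disk', $ns)) {
        $id = $disk.DiskID
        $parts = @($disk.SelectNodes('u:CreatePartitions/u:CreatePartition', $ns) |
                   Sort-Object { [int]$_.Order })
        if ($disk.WillWipeDisk -ne 'true') {
            "Disk ${id}: WillWipeDisk is not true, the disk is not wiped first"
        }
        if ($parts.Type -notcontains 'EFI') {
            "Disk ${id}: no partition of Type EFI, which a UEFI install needs"
        }
        foreach ($p in $parts) {
            if ($p.Extend -ne 'true') { continue }
            if ($p.Size) {
                "Disk ${id}, order $($p.Order): Size and Extend both set, use one"
            }
            if ([int]$p.Order -ne [int]$parts[-1].Order) {
                "Disk ${id}, order $($p.Order): Extend runs to the end of the disk, so it must be the last partition"
            }
        }
    }
}

Test-UnattendDiskLayout -Unattend $sample
```

To check a real file, load it with `[xml](Get-Content -Raw <path to autounattend.xml>)` and pass it to the function.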
 

...in the unattend.xml in Wordpad I am assuming I can just save the file and burn a new iso.
Presets and unattend files can be manually edited, but everything has to use the correct syntax or it'll fail. A common place people do manual edits is to delete component removal lines that are suspected of causing problems, rather than using the NTLite menu checkboxes.

Were you able to get your issues resolved? If you get stuck, attach both the NTLite preset and unattend files with an explanation of your updated issues and someone can help. Every new user has a million questions, but the only way to truly become familiar with NTLite and develop troubleshooting skills is to get hands-on, make images, and experiment, otherwise threads derail into circular discussions on concepts and theory.
 
Removing component removal lines is straightforward. Editing disk layouts in the preset or unattended file can be error prone, if you're not experienced enough to check for mistakes.
 
Presets and unattend files can be manually edited, but everything has to use the correct syntax or it'll fail. A common place people do manual edits is to delete component removal lines that are suspected of causing problems, rather than using the NTLite menu checkboxes.

Were you able to get your issues resolved? If you get stuck, attach both the NTLite preset and unattend files with an explanation of your updated issues and someone can help. Every new user has a million questions, but the only way to truly become familiar with NTLite and develop troubleshooting skills is to get hands-on, make images, and experiment, otherwise threads derail into circular discussions on concepts and theory.
Semi-working....but I mean I was expecting multiple versions before getting to final.

Wasn't originally going to inject drivers. I might now especially because these are older machines and I just need a base driver. Windows didn't find drivers for everything. I will read your guide on drivers.

Other is registry changes I want to play around with that some more either somehow I didn't apply them or you have to redo them with each image version. Lot of registry settings and without an enterprise environment to push gpo's I'd like to add what I can to the image within reason.

Too many you'll have a mess.
 
Removing component removal lines is straightforward. Editing disk layouts in the preset or unattended file can be error prone, if you're not experienced enough to check for mistakes.
It seems a little weird and like I said screenshots I've seen on the forum don't match the actual UI in the program. Yeah been with a little bit.

Example is using disk template in unattend don't see a drive letter field either. Not super important. It defaults to c: anyways but it was just weird how different the screenshots on the forum and ui are unless I'm misunderstanding those screenshots.

Couple times also when trying to make changes to the unattend file in NTLite....it's a little flaky. Nothing too bad but like for example, and I think I mentioned this, was adding a local user. Forgot to change the group from adm to usr and wasn't able to change the group so wound up removing and recreating the account.
 
Presets and unattend files can be manually edited, but everything has to use the correct syntax or it'll fail. A common place people do manual edits is to delete component removal lines that are suspected of causing problems, rather than using the NTLite menu checkboxes.

Were you able to get your issues resolved? If you get stuck, attach both the NTLite preset and unattend files with an explanation of your updated issues and someone can help. Every new user has a million questions, but the only way to truly become familiar with NTLite and develop troubleshooting skills is to get hands-on, make images, and experiment, otherwise threads derail into circular discussions on concepts and theory.
I'm still looking at it some. I will probably try to up something this week unless I come across a eureka moment. A couple other things I want to look at tomorrow. Three main issues I believe at least with the HP box: drivers, the way HP configures the built-in image (my fault, should have ordered it with FreeDOS), possibly issues with the unattended file, but today I kinda didn't mess with the unattended any more. Figure deal with the driver issues I'm seeing first.
 