Windows 10 IoT Enterprise - setup secrets for embedded scripts

Foreword


You have probably seen ATMs, information kiosks or advertising panels displaying an error or a system notification. If you have not seen such devices "live", you can easily find photos on the Internet by searching for "ATM error windows". A system notification once appeared live during a TV weather forecast; that photo can be found by searching for "windows notification live". For fun, you can also search for the "biggest blue screen".

What does all this mean?


- Do you like cats?
- No.
- You just don't know how to cook them!

For specialized devices, Microsoft offers Windows 10 IoT Enterprise, which differs from Windows 10 Enterprise only in the absence of universal applications. So from a technical point of view, Win 10 IoT Enterprise is a desktop operating system that assumes user interaction. But on a specialized device there should be no such interaction, because sometimes there is not even a user in the usual sense, especially in the case of advertising panels.

When preparing a specialized device, some technicians forget about this nuance entirely, or forget to turn off some category of notifications. This article recalls some of the features of customizing Windows for specialized solutions, using the preparation of a solution for a single business problem as an example.

All settings are described for Win 10 IoT Enterprise 2016 LTSB; a demo version can be downloaded here.

What business problem are we solving?


Once I came to the pickup point of an online store. The sellers there only handed out goods or let you look at them; the order itself had to be placed on the store's website. So that you could place an order right at the pickup point, a number of PCs were installed in the pickup room. The PCs themselves were hidden; there was only a monitor and a mouse, and on the screen a specialized store catalogue in which you could find goods and place an order, plus an on-screen keyboard.

Let us consider the preparation of a similar solution, designed for browsing the site www.quarta-embedded.ru. Assumed operating conditions: no uninterruptible power supply and minimal maintenance.

Solution preparation


Step 1 - Preparing the Device


A conventional PC with a 120 GB hard disk and 4 GB of RAM was used as the device. OS boot mode: Legacy.

Since our device will be used without an uninterruptible power supply, an unplanned power outage must be provided for: the device must turn itself on when power is applied, and the BIOS must be configured accordingly. The necessary BIOS items can be found by their intuitive names; on my board it is "Advanced > Power-On Options > After Power Loss", set to "On". If you want the device to stay off after power is restored when it was turned off intentionally, set "Previous State" instead.

Step 2 - Install Win 10 IoT


Installing Win 10 IoT Enterprise is no different from installing Win 10 Enterprise, so I see little point in describing the installation. I install "Win 10 IoT Enterprise 2016 LTSB x32" without an Internet connection, so that nothing superfluous "flies into the system". At first boot I created the user Admin.

Step 3 - save the system image


What, did not expect such a turn? We have just installed the system and immediately save its image. When preparing a solution, it is advisable to save the system image periodically in case something suddenly goes wrong; then you will not have to start the system setup from scratch.

When we talk about creating an image we touch on the issue of replication, but that topic is so broad that it deserves a separate article, and more than one, so I will not describe it in detail here.

To create a technological (intermediate) image, I seal the system with the command

    %SYSTEMROOT%\System32\Sysprep\sysprep.exe /audit /generalize /shutdown /quiet

and create a wim image of the system volume using the DISM utility.

Important: if you go the same way, after deploying such an image do not forget to copy the contents of the Windows\System32\Recovery directory to the Recovery\WindowsRE folder on the first volume. This must be done before the OS boots, because after the OS has booted the Windows\System32\Recovery directory will already be empty. I implemented it as follows (W: is the deployed Windows volume, S: is the first volume):

    rem Copy the recovery environment before the first boot, then hide and protect it
    if exist W:\Windows\System32\Recovery\*.* (
        xcopy W:\Windows\System32\Recovery\*.* S:\Recovery\WindowsRE\ /h /k /y
        attrib +s +h +i S:\Recovery
        attrib +s +h +i S:\Recovery\*.* /s /d
    )

Note that after sealing in audit mode the system automatically logs in to the built-in Administrator account, and sysprep then starts automatically. So that this window does not get in my way, I added a script with a single command to the shell:startup folder:

    taskkill /im sysprep.exe

So as not to forget to delete this script, I will immediately create the sealing script, into which the command to clear the startup folder is written:

    del "%systemdrive%\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" /q

I still need to seal the system in OOBE mode later.
I will place all technological files in the folder C:\Sysprep.

Step 4 - Install Drivers


Strange as it may seem, some people complain that after installing Win 10 "the drivers did not install themselves". I hasten to disappoint you: nothing happens by itself, drivers need to be installed. The system contains a certain set of standard drivers, but it is unlikely that you can use all the features of your hardware with the standard set. It is best if you install the most appropriate drivers for your device yourself. Windows can automatically download drivers from Microsoft's driver store and install them, but it is not guaranteed that all the necessary drivers will be there or that they will be suitable ones. A driver that the system installs automatically can crash the system. What do you do if you need to prevent such automatic driver installation? There are two options:

1. Disable the update service:

    net stop wuauserv
    sc config wuauserv start= disabled

The first command stops the service, the second changes its startup mode to "Disabled" (note that sc requires the space after "start="). But in this case the system will not receive any updates at all.

2. Prohibit installation of a specific driver via group policy.

For this you need to:

Open the group policy editor with the gpedit command.

Go to the section "Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restrictions".
In this section you can prohibit driver installation for a specific device class or hardware ID. When prohibiting drivers this way, do NOT set the checkbox "Also apply to matching devices that are already installed", otherwise you will make the device impossible to use.

Since my solution is experimental and the drivers do not really matter, I will not install drivers deliberately. After connecting to the Internet, the system found drivers for some devices on its own.

Step 5 - Russification of the system


I think this step is very simple and does not need a detailed description. I will say that for correct display of the Cyrillic alphabet I set Russian as the language for programs that do not support Unicode. I also set the location, although in my case it is not necessary. Along the way you can change the time zone, because the default is UTC -8. I installed the Russian language pack; installing it over the Internet seemed slow to me, so I installed it from the previously downloaded Microsoft-Windows-Client-Language-Pack_x86_ru-ru.cab package with the command

    rem %PROCESSOR_ARCHITECTURE:~-2% yields "86" on x86 and "64" on AMD64, so the matching .cab next to the script is picked
    DISM /Online /Add-Package /PackagePath:"%~dp0Microsoft-Windows-Client-Language-Pack_x%PROCESSOR_ARCHITECTURE:~-2%_ru-ru.cab"

After installation I switched the system's main language to Russian and turned on the option to copy the language settings to the welcome screen and new accounts.
That's all, Russian is added; perhaps you can save the system image now...

Step 6 - Power Setup


Our device must not go to sleep or turn off the monitor, so the power settings need to be adjusted accordingly. Power can be configured with a script (0 = never):

    powercfg -change -monitor-timeout-ac 0
    powercfg -change -monitor-timeout-dc 0
    powercfg -change -disk-timeout-ac 0
    powercfg -change -disk-timeout-dc 0
    powercfg -change -standby-timeout-ac 0
    powercfg -change -standby-timeout-dc 0
    powercfg -change -hibernate-timeout-ac 0
    powercfg -change -hibernate-timeout-dc 0
    pause

Step 7 - Disable emergency boot mode


An important point: if our device is shut down incorrectly 2-3 times in a row, the system will boot into recovery mode, and this must not be allowed. Therefore we disable this boot mode. This can be done with the command

    bcdedit /set {current} bootstatuspolicy IgnoreAllFailures

Note that this setting is recorded in the BCD store, which is located on the recovery partition. I do not save the recovery partition when saving the system image, so after deploying the system this setting will be back in its initial state because there will be a new BCD store. So as not to forget about this setting, I will add it to the OOBE sealing script.

Step 8 - Disable Error Messages and Pop-Up Notifications


So that the system does not show error messages, requests to send error reports or messages about hardware problems, all of this needs to be turned off. The Diagnostic Policy Service can be configured in group policy:

Computer Configuration \ Administrative Templates \ System \ Diagnostics
Diagnostics: configure scenario execution level - Enabled, "Detection and Diagnostics Only"

But it is easier for me to configure everything with a single .reg file:

    Windows Registry Editor Version 5.00

    ; System error dialogs (ErrorMode): 0 = show all errors and wait for the user (default),
    ; 1 = hide serious system errors, still show application errors,
    ; 2 = hide all error dialogs, including missing-dll errors; they go to the event log instead
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
    ;"ErrorMode"=dword:00000000
    ;"ErrorMode"=dword:00000001
    "ErrorMode"=dword:00000002

    ; Windows Error Reporting: 0 = enabled, 1 = disabled (no "send error report" prompts)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
    ;"Disabled"=dword:00000000
    "Disabled"=dword:00000001

    ; Windows Diagnostic Infrastructure scenarios (Diagnostic Policy Service)
    ; ScenarioExecutionEnabled: 0 = scenarios off, 1 = scenarios on
    ; EnabledScenarioExecutionLevel: 1 = detection and troubleshooting only, 2 = also apply resolutions
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI]
    ;"ScenarioExecutionEnabled"=dword:00000000
    "ScenarioExecutionEnabled"=dword:00000001
    "EnabledScenarioExecutionLevel"=dword:00000001
    ;"EnabledScenarioExecutionLevel"=dword:00000002

Pop-up notifications can be configured in group policy under "User Configuration \ Administrative Templates \ Start Menu and Taskbar \ Notifications". But it is easier for me to enable Do Not Disturb, which can be enabled in the graphical interface, in the notification center, and in the registry. Since this setting belongs to a specific user, it must be applied under the target user. Therefore we create the user under which the application will run for the public. For now this user will be in the Administrators group, for ease of configuration. To avoid problems with the Russian/English group name, I get the group name by its SID.

    net user User /add
    wmic useraccount where "Name='User'" set PasswordExpires=False
    rem S-1-5-32-544 is the well-known SID of the local Administrators group, whatever its localized name
    for /f "tokens=2 delims==" %%i in ('wmic group where "SID='S-1-5-32-544'" get Name /value^|find "Name"') do set GroupName=%%i
    net localgroup %GroupName% User /add
    pause

And turn on Do Not Disturb mode:

    Windows Registry Editor Version 5.00

    ; Do Not Disturb for the current user: 0 = toast notifications off, 1 = on
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings]
    "NOC_GLOBAL_SETTING_TOASTS_ENABLED"=dword:00000000
    ;"NOC_GLOBAL_SETTING_TOASTS_ENABLED"=dword:00000001

So as not to forget to remove the user from the Administrators group, I add the removal command to the sealing script:

    for /f "tokens=2 delims==" %%i in ('wmic group where "SID='S-1-5-32-544'" get Name /value^|find "Name"') do set GroupName=%%i
    net localgroup %GroupName% User /delete

Step 9 - Configure System Updates


It does not hurt to install all the latest updates at the time of preparing the system. You can configure updates according to the specifics of your device: disable the installation of all updates or only driver updates, as discussed in step 4, or turn off installation of system updates and leave driver updates on.

    Windows Registry Editor Version 5.00

    ; Automatic Updates: 1 = do not install updates automatically, 0 = automatic updates enabled
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000001
    ;"NoAutoUpdate"=dword:00000000

But it is also possible that you need system updates installed while one specific update breaks the system. In that situation you can block the installation of that specific update with the wushowhide.diagcab utility, which can be found here.

Group policy contains many detailed settings for installing updates, under "Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update".

Since I do not need updates, I turn them off completely:

    net stop wuauserv
    sc config wuauserv start= disabled
    pause

Here I save the system image once again.

Step 10 - setting up the application launch


The site quarta-embedded.ru will be browsed in IE. To remove access to the address bar and settings, you can enable full-screen mode in group policy: "User Configuration > Administrative Templates > Windows Components > Internet Explorer > Enable Full-Screen Mode". Closing IE also needs to be prohibited: "User Configuration > Administrative Templates > Windows Components > Internet Explorer > Browser menus > File menu: Disable closing the browser and Explorer windows".
To launch the application instead of the system shell, we will use a special application launcher, Shell Launcher. With it you can:

1. Assign the launch of a specific application to a specific user or group of users.

2. Control the running application: choose what happens when it closes.

First you need to add Shell Launcher as a component; this can be done in the graphical interface "Control Panel > Programs > Turn Windows features on or off", section "Device Lockdown". Program launch is configured in the registry branch "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows Embedded \ Shell Launcher". It is configured per user SID; SIDs can be found with the whoami utility (whoami /user). To enable Shell Launcher, you just need to replace the launch of the standard shell in the registry with the launch of Shell Launcher. One small nuance: Shell Launcher does not affect the size and position of the window of the launched program, and I would like IE to open across the whole screen. Therefore we configure the IE startup mode, again under the User account, and at the same time prohibit the IE context menu so that the user cannot spoil anything.

    Windows Registry Editor Version 5.00

    ; Start IE in full-screen (kiosk-like) mode for the current user
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    "FullScreen"="yes"

    ; Disable the IE context menu
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
    "NoBrowserContextMenu"=dword:00000001

Now we set up Shell Launcher; again it is more convenient for me to do everything from the console...

    @echo off
    rem Code page for Cyrillic console messages; harmless with English messages
    chcp 1251

    echo Enabling the Shell Launcher feature
    DISM /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
    echo.

    echo Getting the SID of the User account
    for /f "tokens=2 delims==" %%i in ('wmic useraccount where "Name='User'" get SID /value^|find "SID"') do set SID=%%i
    echo.

    echo Assigning iexplore.exe with the site address as the shell for User
    reg add "HKLM\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\%SID%" /v Shell /t REG_SZ /d "C:\Program Files\Internet Explorer\iexplore.exe www.quarta-embedded.ru" /f
    echo.

    echo Action when IE exits: 0 = restart the shell
    reg add "HKLM\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\%SID%" /v DefaultReturnCodeAction /t REG_DWORD /d 0 /f
    echo.

    echo Assigning explorer.exe as the shell for the Administrators group
    reg add "HKLM\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\S-1-5-32-544" /v Shell /t REG_SZ /d "explorer.exe" /f
    echo.

    echo Action when the administrators' shell exits: 3 = do nothing
    reg add "HKLM\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\S-1-5-32-544" /v DefaultReturnCodeAction /t REG_DWORD /d 3 /f
    pause

And, as an example, you can assign a default shell that is started when no application is assigned to the user.

    Windows Registry Editor Version 5.00

    ; Default shell for users with no assigned application (if this value is absent, cmd.exe is started)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher]
    "Shell"="explorer.exe"
    ; Action when the default shell exits:
    ; 0 = restart the shell
    ;"DefaultReturnCodeAction"=dword:00000000
    ; 1 = restart the device
    ;"DefaultReturnCodeAction"=dword:00000001
    ; 2 = shut down the device
    ;"DefaultReturnCodeAction"=dword:00000002
    ; 3 = do nothing
    "DefaultReturnCodeAction"=dword:00000003

And turn on Shell Launcher:

    Windows Registry Editor Version 5.00

    ; Shell Launcher replaces the standard shell: eShell.exe enables it, explorer.exe disables it
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="eShell.exe"
    ;"Shell"="explorer.exe"
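
As an added check that is not part of the original article: the script below parses a `reg export` text dump of the image and compares it with the values set in steps 8 and 10 (error suppression, the Winlogon shell and the Shell Launcher entries), reporting anything missing or different, so a deviation such as a kiosk user whose browser is not restarted on exit is caught before the image is sealed. The SID for User and the export text are constructed placeholders.

```python
"""Audit a `reg export` text dump against the kiosk baseline built in steps 8 and 10 (offline check)."""
import re

SL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher"
IE_SHELL = r"C:\Program Files\Internet Explorer\iexplore.exe www.quarta-embedded.ru"

def kiosk_baseline(user_sid):
    """(key, value name) -> expected data, as set by the article's .reg files and scripts."""
    return {
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows", "ErrorMode"): 2,
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting", "Disabled"): 1,
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI", "ScenarioExecutionEnabled"): 1,
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "eShell.exe",
        (SL + "\\" + user_sid, "Shell"): IE_SHELL,
        (SL + "\\" + user_sid, "DefaultReturnCodeAction"): 0,   # 0 = restart the shell when IE exits
        (SL + r"\S-1-5-32-544", "Shell"): "explorer.exe",
        (SL + r"\S-1-5-32-544", "DefaultReturnCodeAction"): 3,  # 3 = do nothing (Administrators)
    }

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
def parse_reg(text):
    """Return {(key, name): data}; dword -> int, quoted strings unescaped, other types kept as raw text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # key paths are case-insensitive
            continue
        m = _VALUE.match(line)
        if m is None or key is None:
            continue                          # @= defaults and hex(...) continuation lines are skipped
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        values[(key, name)] = data
    return values

def audit(reg_text, user_sid):
    """List every baseline value that is missing from the dump or differs from the kiosk setting."""
    found, findings = parse_reg(reg_text), []
    for (key, name), expected in kiosk_baseline(user_sid).items():
        actual = found.get((key.lower(), name.lower()))
        if actual is None:
            findings.append(f"missing: {key}\\{name}")
        elif str(actual).lower() != str(expected).lower():
            findings.append(f"{key}\\{name} = {actual!r}, expected {expected!r}")
    return findings

# Constructed sample, not a real export, with two deviations a pre-seal check must catch: Windows Error
# Reporting was never disabled, and User's DefaultReturnCodeAction is 3, so a closed IE would leave a blank desktop.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # placeholder SID for the User account
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"ErrorMode"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI]
"ScenarioExecutionEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="eShell.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\S-1-5-21-1111111111-2222222222-3333333333-1001]
"Shell"="C:\\Program Files\\Internet Explorer\\iexplore.exe www.quarta-embedded.ru"
"DefaultReturnCodeAction"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded\Shell Launcher\S-1-5-32-544]
"Shell"="explorer.exe"
"DefaultReturnCodeAction"=dword:00000003
"""
```

Run `audit(SAMPLE_EXPORT, USER_SID)` to get the two findings for the sample; an empty list means the dump matches the baseline.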

Step 11 - Setting the System Boot Display


In previous versions of Windows you could set your own logos to be displayed while the system boots; now there are only two options, on and off. The boot display can be disabled in the BCD store; I will execute these commands immediately and also add them to the sealing script.

    echo Hide the Windows boot logo: true to hide, false to show it again
    bcdedit /set {globalsettings} custom:16000067 true
    echo Hide the Windows boot progress animation: true to hide, false to show it again
    bcdedit /set {globalsettings} nobootuxprogress true

You can also hide the user logon process.

    Windows Registry Editor Version 5.00

    ; Automatic logon UI: 0 = show, 1 = hide
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Embedded\EmbeddedLogon]
    ;"HideAutoLogonUI"=dword:00000000
    "HideAutoLogonUI"=dword:00000001

Now we turn on automatic logon for User; this can be done with the netplwiz command. Reboot and see what happened: the OS boot is not displayed, the user logon is not displayed. Only, just before logon, the Windows icon and a spinning-dots animation appear for a few seconds, but that is because the OS is in audit mode; after sealing in OOBE mode this will not happen. IE started automatically with the address www.quarta-embedded.ru, and a little later a microsoft.com tab appeared. Well, no matter; we will need to add to the sealing answer file a command that changes a registry setting:

    reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d 1 /f

Here I make an image of the system again.

Step 12 - Install and Remove Windows Key


Before installing the key, disconnect the PC from the Internet so that the system does not get activated. You can add a key and immediately remove it from the registry so that no one can extract it; the system can still be activated afterwards.

    rem Install the product key, then clear it from the registry
    slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    slmgr /cpky

Step 13 - Seal the System


So that the system does not ask questions on first boot after sealing in OOBE mode, I use an answer file prepared earlier in the Windows System Image Manager utility. I run the sealing script; the contents of the script and the answer file are below.

Sealing script:

    rem Remove the taskkill script from the Administrator startup folder
    del "%systemdrive%\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" /q
    rem Remove User from the local Administrators group (found by well-known SID)
    for /f "tokens=2 delims==" %%i in ('wmic group where "SID='S-1-5-32-544'" get Name /value^|find "Name"') do set GroupName=%%i
    net localgroup %GroupName% User /delete
    rem Boot settings that live in the BCD store and are lost when the image is deployed
    bcdedit /set {current} bootstatuspolicy IgnoreAllFailures
    bcdedit /set {globalsettings} custom:16000067 true
    bcdedit /set {globalsettings} nobootuxprogress true
    rem Seal in OOBE mode with the answer file located next to this script
    pushd "%~dp0"
    %SYSTEMROOT%\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown /quiet /unattend:Unattend.xml

Unattend.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <RunSynchronous>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE /v SetupDisplayedProductKey /t REG_DWORD /d 1 /f</Path>
              <Order>1</Order>
              <Description>Dont show key page</Description>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE /v UnattendCreatedUser /t REG_DWORD /d 1 /f</Path>
              <Order>2</Order>
              <Description>Dont make account</Description>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d 1 /f</Path>
              <Order>3</Order>
              <Description>Disable First Run Customize</Description>
            </RunSynchronousCommand>
            <RunSynchronousCommand wcm:action="add">
              <Path>cmd.exe /c rd %systemdrive%\Sysprep /s /q</Path>
              <Order>4</Order>
              <Description>Del Folder</Description>
            </RunSynchronousCommand>
          </RunSynchronous>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <AutoLogon>
            <Enabled>true</Enabled>
            <Username>User</Username>
          </AutoLogon>
        </component>
      </settings>
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <InputLocale>en-US; ru-RU</InputLocale>
          <SystemLocale>ru-RU</SystemLocale>
          <UILanguage>ru-RU</UILanguage>
          <UILanguageFallback></UILanguageFallback>
          <UserLocale>ru-RU</UserLocale>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <HideLocalAccountScreen>true</HideLocalAccountScreen>
            <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
            <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
            <ProtectYourPC>1</ProtectYourPC>
          </OOBE>
        </component>
      </settings>
      <cpi:offlineImage cpi:source="" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>

Total


What happened in the end... The system booted by itself without any questions, and IE started with the right page. Given that there will be no physical access to the PC and the only input device is a mouse, nothing can be broken. Log in to the administrator account and see that the Sysprep folder has been deleted. The system is ready...

Source: https://habr.com/ru/post/413359/

