This is a small project I have taken on to create a standardized base image for company computers. Intune, Active Directory, or another management tool then interacts with the device to install the user- or department-specific apps, and can also ensure the programs baked into the image are updated to their latest versions.
Building these images has mostly been for fun, since I plan to deploy these machines with Intune and leave the custom image behind entirely. It will be easier to rely on the modular approach that MDMs like Intune offer for deploying apps and configuration policies, as opposed to creating, updating and constantly recompiling images, which is what would happen if we took as ham-fisted an approach to this as the rest of the company does with its other activities.
So far I have created two images: a generic employee workstation image and an image for associate-use facility desktops. The two share many features, as one is based on the other.
Employee Workstation Image
- Custom registry keys to simplify the user experience
  - Removing the Search Bar, Task View, Widgets, etc.
- Customized Windows Defender settings, dependent on what the image is used for
  - Take-home employee use: locked down, but to a lesser extent. Through Intune or another MDM I expect to set up quarantine rules with notifications and compliance policies, though with a simple image that could also be accomplished through some fiddling and scripting.
- Pre-installed mandatory deployment applications
  - These are apps like Slack / Teams, Chrome / Firefox, the rest of G Suite, etc.
  - I plan to include a script to update these on first boot, since this image is built under the assumption that it won't be connected to an MDM.
- Applied company branding
Facility / Plant Desktop Image
- Custom registry keys to simplify the user experience
  - Removing the Search Bar, Task View, Widgets, etc.
- Customized Windows Defender settings, dependent on what the image is used for
  - Facility / plant employee use: these desktops will be very locked down and will only allow certain downloads from specific sites, such as the ones used in the workflows (enforced through Chrome). This is done to limit the risk the Windows deployments pose to the plant network.
- Pre-installed mandatory deployment applications
  - Most facility desktops will feature only the base set of applications, but others will include software for automation equipment and label generation, as well as the IP or other network addresses of the devices they communicate with. There isn't an easy way to ensure only the right computers get the specialty software if everything comes from one image, so it will probably be best to build a separate image for the specialty computers.
  - These are apps like Slack / Teams, Chrome / Firefox, the rest of G Suite, etc.
  - I plan to include a script to update these on first boot, since this image is built under the assumption that it won't be connected to an MDM.
- Applied company branding
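As an added example (not a script from the original post), here is how the two image-wide settings described above can be baked in with PowerShell: the UX registry keys (hiding the search box, Task View and Widgets) are written into the Default User hive so every profile created later inherits them, and Chrome is restricted through its machine-wide policy keys so the facility desktops can only browse and download from the workflow sites. It assumes it runs as Administrator inside the image (audit mode or a first-boot task); the site list is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: image-wide UX keys plus Chrome allowlist policy.

$DefaultHive = 'C:\Users\Default\NTUSER.DAT'   # template for new profiles
$MountPoint  = 'HKU\ImgDefault'                # temporary mount name

# Load the Default User hive so the keys apply to every future profile,
# not just the account running this script.
reg.exe load $MountPoint $DefaultHive | Out-Null
try {
    $adv    = "Registry::$MountPoint\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $search = "Registry::$MountPoint\Software\Microsoft\Windows\CurrentVersion\Search"
    foreach ($key in $adv, $search) { New-Item -Path $key -Force | Out-Null }

    # 0 = hide the taskbar search box
    New-ItemProperty -Path $search -Name SearchboxTaskbarMode -PropertyType DWord -Value 0 -Force | Out-Null
    # 0 = hide the Task View button
    New-ItemProperty -Path $adv -Name ShowTaskViewButton -PropertyType DWord -Value 0 -Force | Out-Null
    # 0 = hide the Widgets button (Windows 11)
    New-ItemProperty -Path $adv -Name TaskbarDa -PropertyType DWord -Value 0 -Force | Out-Null
}
finally {
    [GC]::Collect()                     # drop handles so the hive unloads cleanly
    reg.exe unload $MountPoint | Out-Null
}

# Chrome reads policy from HKLM\Software\Policies\Google\Chrome. Block every
# URL, then allow only the workflow sites; users cannot override these.
$ChromePol    = 'HKLM:\Software\Policies\Google\Chrome'
$AllowedSites = @('plant-mes.example.internal', 'labels.example.internal')  # constructed placeholder
foreach ($sub in 'URLBlocklist', 'URLAllowlist') { New-Item -Path "$ChromePol\$sub" -Force | Out-Null }

# Entries are numbered string values under each list key.
New-ItemProperty -Path "$ChromePol\URLBlocklist" -Name 1 -PropertyType String -Value '*' -Force | Out-Null
$index = 1
foreach ($site in $AllowedSites) {
    New-ItemProperty -Path "$ChromePol\URLAllowlist" -Name $index -PropertyType String -Value $site -Force | Out-Null
    $index++
}
# DownloadRestrictions 1 = additionally block downloads Safe Browsing flags as dangerous
New-ItemProperty -Path $ChromePol -Name DownloadRestrictions -PropertyType DWord -Value 1 -Force | Out-Null
```

After a reboot, chrome://policy on the image shows the applied lists, which is a quick way to confirm the lockdown took effect before the image is captured.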