Tweaking Deployment Image For Our Business?


  1. Posts : 25
    Windows 10
       #1



    The title is vague but I will still likely continue to have questions. I created a Windows 10 (Home) image for our company using an ISO directly from Microsoft in Audit mode. Configured the administrator desktop the way I needed it then did a bare metal clone both before and after a sysprep using an XML unattended file. This way I have a pre-sysprep development image to make changes to as needed and a sysprepped deployment image. I am trying to work around the fact I have no group policy ability with the Home licenses.


    • I need some audio devices disabled in the device manager by default, but after the sysprep/copy profile it re-enables the devices... is there any way to prevent this? I tried disabling them in the sound settings as well but that does not stick either.
    • I am looking into how to prevent the bundled bloatware from reinstalling after the sysprep/copy profile; it was removed from the administrator account prior to sysprep.
    • I realize the start menu tile config does not copy but there has to be a way? At least leave all tiles removed so there are none after the sysprep/copy profile.
    • I realize it's a limitation of no group policy but I would love to block the start menu out; all the employees need is a shutdown and restart button.


    Any advice is greatly appreciated!


  2. Posts : 15,499
    Windows10
       #2

    Why are you using Home in an office environment?

    It is just not suitable (no group policy, domain support, BitLocker, Hyper-V etc).

    Convince your bosses they need Pro for security and management purposes. It is a false economy relying on Home.

    Regarding customisation, this may help.

    Customize Windows 10 Image in Audit Mode with Sysprep


  3. Posts : 25
    Windows 10
    Thread Starter
       #3

    I have no choice. I am pressed to make what we have work using a Home license; there is no arguing with management. I have already tried and it gets me nowhere. We buy entry-level, consumer-grade hardware for a full-blown production environment (a call center). Nothing here ever makes sense, ever.

    The link helps, but it's a bit generic; I am in search of exact solutions (I know it's a lot to ask). I am overwhelmed over here multitasking.


  4. Posts : 6,361
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #4

    Enable Group Policy Editor (gpedit.msc) in Windows 10 Home Edition - MajorGeeks

    Did you create a Standard user and an administrator user (or enable the Windows administrator)?


  5. Posts : 25
    Windows 10
    Thread Starter
       #5

    Good stuff I did not realize you could enable the group policy editor in Home!

    I used the administrator account to create a base profile (Audit mode). Then I have the unattended answer file set up to create a standard user from the administrator's plus copy profile enabled. It also creates an administrators user named "Admin" so that I can get through UAC, otherwise I was not able to figure out how to enable the built-in administrator account without creating an administrators-level user. I would rather only create one standard user and use the built-in administrator account for UAC.

    Here is my answers file used for sysprep. Really wish I could find something to add to it which copies the administrator profile's start menu configuration (no tiles, I disabled the start folders and uninstalled all bundled bloatware) but all 3 of those things come back when it copies the administrator profile to a new standard user.

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
      <settings pass="windowsPE">
        <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SetupUILanguage>
            <UILanguage>en-US</UILanguage>
          </SetupUILanguage>
          <InputLocale>0409:00000409</InputLocale>
          <SystemLocale>en-US</SystemLocale>
          <UILanguage>en-US</UILanguage>
          <UILanguageFallback>en-US</UILanguageFallback>
          <UserLocale>en-US</UserLocale>
        </component>
        <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <ImageInstall>
            <OSImage>
              <InstallTo>
                <DiskID>0</DiskID>
                <PartitionID>4</PartitionID>
              </InstallTo>
              <InstallToAvailablePartition>false</InstallToAvailablePartition>
            </OSImage>
          </ImageInstall>
          <UserData>
            <ProductKey>
              <!-- Do not uncomment the Key element if you are using trial ISOs -->
              <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs -->
              <Key></Key>
              <WillShowUI>Never</WillShowUI>
            </ProductKey>
            <AcceptEula>true</AcceptEula>
            <FullName>Call Center Agent</FullName>
            <Organization>Acquisition Technologies</Organization>
          </UserData>
        </component>
      </settings>
      <settings pass="offlineServicing">
        <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <EnableLUA>true</EnableLUA>
        </component>
      </settings>
      <settings pass="generalize">
        <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SkipRearm>1</SkipRearm>
        </component>
      </settings>
      <settings pass="specialize">
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <InputLocale>0409:00000409</InputLocale>
          <SystemLocale>en-US</SystemLocale>
          <UILanguage>en-US</UILanguage>
          <UILanguageFallback>en-US</UILanguageFallback>
          <UserLocale>en-US</UserLocale>
        </component>
        <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <SkipAutoActivation>true</SkipAutoActivation>
        </component>
        <component name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <CEIPEnabled>0</CEIPEnabled>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <CopyProfile>true</CopyProfile>
          <ComputerName>Production-DEV</ComputerName>
        </component>
      </settings>
      <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <AutoLogon>
            <Password>
              <Value>***=</Value>
              <PlainText>false</PlainText>
            </Password>
            <Enabled>true</Enabled>
            <Username>Call Center Agent</Username>
          </AutoLogon>
          <OOBE>
            <HideEULAPage>true</HideEULAPage>
            <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
            <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
            <NetworkLocation>Work</NetworkLocation>
            <SkipUserOOBE>true</SkipUserOOBE>
            <SkipMachineOOBE>true</SkipMachineOOBE>
            <ProtectYourPC>3</ProtectYourPC>
          </OOBE>
          <UserAccounts>
            <AdministratorPassword>
              <Value>ZwBoAGYAagBkAGsAcwBsAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAUABhAHMAcwB3AG8AcgBkAA==</Value>
              <PlainText>false</PlainText>
            </AdministratorPassword>
            <LocalAccounts>
              <LocalAccount wcm:action="add">
                <Password>
                  <Value>***=</Value>
                  <PlainText>false</PlainText>
                </Password>
                <Description></Description>
                <DisplayName>Call Center Agent</DisplayName>
                <Group>Users</Group>
                <Name>Call Center Agent</Name>
              </LocalAccount>
              <LocalAccount wcm:action="add">
                <Password>
                  <Value>***=</Value>
                  <PlainText>false</PlainText>
                </Password>
                <DisplayName>Admin</DisplayName>
                <Group>Administrators</Group>
                <Name>Admin</Name>
              </LocalAccount>
            </LocalAccounts>
          </UserAccounts>
          <RegisteredOrganization>Acquisition Technologies</RegisteredOrganization>
          <RegisteredOwner>Call Center Agent</RegisteredOwner>
          <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
          <FirstLogonCommands>
            <SynchronousCommand wcm:action="add">
              <Description>Control Panel View</Description>
              <Order>1</Order>
              <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v StartupPage /t REG_DWORD /d 1 /f</CommandLine>
              <RequiresUserInput>true</RequiresUserInput>
            </SynchronousCommand>
            <SynchronousCommand wcm:action="add">
              <Order>2</Order>
              <Description>Control Panel Icon Size</Description>
              <RequiresUserInput>false</RequiresUserInput>
              <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 0 /f</CommandLine>
            </SynchronousCommand>
            <SynchronousCommand wcm:action="add">
              <Order>3</Order>
              <RequiresUserInput>false</RequiresUserInput>
              <CommandLine>cmd /C wmic useraccount where name="Call Center Agent" set PasswordExpires=false</CommandLine>
              <Description>Password Never Expires</Description>
            </SynchronousCommand>
          </FirstLogonCommands>
          <TimeZone>Eastern Standard Time</TimeZone>
        </component>
      </settings>
      <cpi:offlineImage cpi:source="wim:d:/documents/configurations/call%20center%20agents/development/install.wim#Windows 10 Home Single Language" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
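An added check on answer files like the one posted above (not part of the original thread): with `<PlainText>false</PlainText>`, a `<Value>` is only Base64 of the UTF-16LE password with the element name appended, so anyone who can read the file can recover the account password, and `<AutoLogon>` adds a stored logon on top. The sample XML and its password are constructed, and `obfuscate` and `audit_answer_file` are hypothetical names.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

def obfuscate(secret, element_name):
    """Build a constructed sample value the way the answer file stores it."""
    raw = (secret + element_name).encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")

# Constructed sample, not the poster's file; same element layout as the oobeSystem pass.
SAMPLE = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
 <AutoLogon><Password><Value>***=</Value><PlainText>false</PlainText></Password>
  <Enabled>true</Enabled><Username>Agent</Username></AutoLogon>
 <UserAccounts><AdministratorPassword>
  <Value>{obfuscate("Constructed-Pw1", "AdministratorPassword")}</Value>
  <PlainText>false</PlainText></AdministratorPassword></UserAccounts>
</component></settings></unattend>"""

def audit_answer_file(xml_text):
    """Return (element, issue) findings; the password itself is never returned."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        value = parent.find(NS + "Value")
        if value is None:
            continue
        name = parent.tag.replace(NS, "")  # e.g. Password, AdministratorPassword
        text = (value.text or "").strip()
        # Assumption: a missing <PlainText> is treated as true.
        plain = (parent.findtext(NS + "PlainText") or "true").strip().lower()
        if plain == "true":
            if text:
                findings.append((name, "cleartext password"))
            continue
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # redacted or malformed value, nothing to recover
        if decoded.endswith(name):
            length = len(decoded) - len(name)
            findings.append((name, f"recoverable password ({length} chars)"))
    for auto in root.iter(NS + "AutoLogon"):
        if (auto.findtext(NS + "Enabled") or "").strip().lower() == "true":
            user = auto.findtext(NS + "Username", "?")
            findings.append(("AutoLogon", f"automatic logon enabled for {user}"))
    return findings
```

Run `audit_answer_file` over the text of any answer file kept with an image or shared for review; values already masked like `***=` are skipped because they do not decode.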


  6. Posts : 6,361
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #6

    You have two places where the start menu programs are built:
    %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu (for the logged-on user)
    C:\ProgramData\Microsoft\Windows\Start Menu (common to all users)

    You can make a startup cmd to move all files in those folders to C:\User\Admin\AppData\Roaming\Microsoft\Windows\Start Menu (administrators user named "Admin" start menu) so only the administrator would have the complete start menu.


  7. Posts : 25
    Windows 10
    Thread Starter
       #7

    First off thank you for providing direct solutions, you are very much appreciated!

    It is not so much copying programs/files from the base administrator desktop profile to the new standard user desktop profile as much as it is NOT copying them. Below is how I configured the start menu on the base administrator desktop in Audit mode, notice I removed the tiles and start menu folders on the left.
    Tweaking Deployment Image For Our Business?-administrator_before_sysprep.png

    Here is what it looks like after a sysprep using the answer file, it copies the base administrator profile but fails to move the start configuration over and it also reinstalls all the bundled bloatware that I uninstalled from the base administrator desktop profile before the sysprep. I made sure to disable automatic app updates in the Windows Store before the sysprep as well. I am hoping I can use the group policy to my advantage for some of this.
    Tweaking Deployment Image For Our Business?-copied_desktop_profile.png


  8. Posts : 6,361
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #8

    I think I wasn't clear.
    As updates install or reinstall shortcuts to:
    %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu (for the logged-on user)
    and / or C:\ProgramData\Microsoft\Windows\Start Menu (common to all users)

    You can create a startup cmd to move all files in those folders to C:\User\Admin\AppData\Roaming\Microsoft\Windows\Start Menu (administrators user named "Admin" start menu) so only the Admin user would have the complete start menu.
    I would make this cmd run under Task Scheduler so that, at user login, all start shortcuts from "all users", and the logged-on user, would be moved to the Admin user Start Menu profile.


    You should carefully read Kari's tutorial Image in Audit Mode with Sysprep

    One thing that can't be done is:
    - Pinned icons (Taskbar and Start) will not be copied to default profile
    - Start Menu and Start Screen will remain default, cannot be modified


  9. Posts : 25
    Windows 10
    Thread Starter
       #9

    I found a way to export the start menu/screen layout configuration to an XML file using a PowerShell command (Export-StartLayout).

    I edited the Start Layout object in the local group policy editor and pointed it to the XML I stored locally on the machine.

    Ran the force policy update command (gpupdate /force) then restarted the machine, but I cannot get a single change made in group policy to take effect on this machine. I am starting to think it's impossible on a Home license... I may have enabled the editor on a Home license but the backend may not be enabled to use the policy once it's been modified?


  10. Posts : 6,361
    Windows 11 Pro - Windows 7 HP - Lubuntu
       #10

    Sorry, can't help you further.


 
