- Bohack - https://www.bohack.com -

How To Make An Unattend.xml Sysprep File

Sysprep is very useful in preparing an image for cloning / imaging by stripping all specialization from the installation, such as drivers, SID, PNP enumeration, name and more. During the next reboot PNP is initiated and the Out Of Box Experience (OOBE) is run; this is similar to a preloaded laptop or computer from the factory starting up for the first time.

When you are cloning/imaging machines en masse it is extremely handy to automate as much as possible. Using the Windows AIK (Automated Installation Kit), specifically a tool called Windows SIM (System Image Manager), you can automate the entire process. The unattend.xml file is used along with sysprep to automate the image specialization and OOBE after the image is cloned and rebooted.

The following process automates sysprep so that on the next reboot it asks only for the computer name. This article assumes that you are creating an English/US install, you are using a KMS server and your timezone is EDT.

Step 1. – Download and install the latest WAIK from http://downloads.microsoft.com. The WAIK should support Windows 7 and 2008 R2 (check the date).

Step 2. – Get the media that you installed from and mount it in the DVD-ROM drive, or via an ISO mounting utility if it is only an ISO. You will need to allow Windows SIM to access the install.wim in the next step.

Step 3. – Start Windows SIM and right click on “Select a Windows Image or Catalog” and find the “install.wim” in the sources directory on the media. In this tutorial I used x64 (amd64) media; this also works for x86 media using the same steps.

Select Windows Image

Step 4. – Now we need an answer file, so right click on “Create or open an answer file” and select “New Answer File”

New Answer File

Step 5. – On the left hand side open the “Components” folder and find “Microsoft-Windows-International-Core”, right click and select “Add Settings to Pass 7 oobeSystem”. It will be added to the answer file in the center.

Microsoft-Windows-International-Core

Step 6. – Fill in the settings for InputLocale through UserLocale in the properties pane; I used en-US for English language and United States locale. The “en-US” tag is defined in RFC4646 and is actually two standards put together: the ISO 639-1 code for known languages and the ISO 3166-1 code for assigned country codes. Microsoft has an article of supported RFC4646 locales called the LCID reference: http://msdn.microsoft.com/en-us/library/cc233965%28v=PROT.10%29.aspx

RFC4646 LCID Locale

Step 7. – On the left hand side under the “Components” folder, find “Microsoft-Windows-Shell-Setup_6.1.xxxxx”, right click and select “Add Settings to Pass 7 oobeSystem”. It will be added to the answer file in the center. Click on the Shell-Setup in the answer file section and fill in the TimeZone under properties. A list of these time zones can be found here: http://technet.microsoft.com/en-us/library/cc749073%28WS.10%29.aspx.

Shell Setup Timezone

Step 8. – Open the “Microsoft-Windows-Shell-Setup” folder in the answer file and find OOBE and click on it. In the properties page set “HideEULAPage” to true and “NetworkLocation” to Work, Public or Home. The “ProtectYourPC” property can be set to: 1 for recommended protection, 2 for updates only and 3 for automatic protection to be disabled. These all relate to the Windows Update protection. http://technet.microsoft.com/en-us/library/cc749278%28WS.10%29.aspx

OOBE Settings

Step 9. – We need to set up the first administrator account, since Windows 7’s administrator account is disabled by default. Further down under “Microsoft-Windows-Shell-Setup” click on “UserAccounts”, then right click on “LocalAccounts” and select “Insert New LocalAccount”.

Insert New LocalAccount

Step 10. – In the properties of the local account on the right side, fill out Description, DisplayName and Name. The Group must be “administrators”, so that you can locally administer the computer (i.e. log in locally).

LocalAccount Properties

Step 11. – Click on “Password” under “LocalAccount[Name="username"]” and in the properties pane set the password for the account. The password will be saved in the XML file; however, it will be encrypted (the encryption used is unspecified in Microsoft’s documentation).

LocalAccount Password

Step 12. – On the left hand side under the “Components” folder, find “Microsoft-Windows-Shell-Setup_6.1.xxxxx”, right click and select “Add Settings to Pass 4 specialize”. It will be added to the answer file in the center, under “4 Specialize”. Click on the Shell-Setup in the answer file section and fill in the “ProductKey” with the default KMS key found here: http://technet.microsoft.com/en-us/library/ff793406.aspx. These product keys will not activate via Microsoft (retail); instead they are dummy keys for a Key Management Server to activate. The product key I used was for Windows 7 Enterprise “33PXH-7Y6KF-2VJC9-XBBR8-HVTHH”. Setting this will skip the activation question during setup, but make sure you have a KMS server running. Also make sure you have met the 25 client threshold or the KMS will not activate any of the clients. http://technet.microsoft.com/en-us/library/ff793434.aspx

KMS Serial Number

Step 13. – Right click on the answer file and choose “Close Answer File”; when prompted, save it as “unattend.xml”.

Save Unattend.xml

Step 14. – Copy the unattend.xml into the “C:\windows\system32\sysprep” folder and create a startprep.cmd file containing the code below. The startprep.cmd file is not strictly necessary, however I find it best for consistency, so the next time you do this you have the command at hand. You could just type the command into a CMD prompt.

startprep.cmd

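@echo off
rem Change to the sysprep folder, then generalize the image and boot to OOBE using the answer file
cd /d c:\windows\system32\sysprep
sysprep /oobe /generalize /unattend:c:\windows\system32\sysprep\unattend.xml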

Step 15. – Run startprep.cmd; sysprep will revert the system’s specialized settings and drivers and shut down. Create an image of the workstation using your favorite imaging software and distribute the image to other workstations. When they restart, the unattend.xml file will be run along with sysprep and you will only be prompted for the computer name.

example unattend.xml

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UILanguageFallback>en-US</UILanguageFallback>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <NetworkLocation>Work</NetworkLocation>
        <ProtectYourPC>1</ProtectYourPC>
      </OOBE>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Password>
              <Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
              <PlainText>false</PlainText>
            </Password>
            <Description>First Admin User</Description>
            <DisplayName>User</DisplayName>
            <Group>administrators</Group>
            <Name>User</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <TimeZone>Eastern Standard Time</TimeZone>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ProductKey>33PXH-7Y6KF-2VJC9-XBBR8-HVTHH</ProductKey>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="wim:h:/sources/install.wim#Windows 7 ENTERPRISE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
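
A note on the password stored in Step 11 and the Value element in the example file: with PlainText set to false, Windows SIM writes the password as Base64 of the UTF-16LE text with the element name appended, so anyone who can read unattend.xml can reverse it. The audit check below is an added example, not part of the original article; its function names are illustrative, and it goes beyond LocalAccount to any element that has Value and PlainText children. It reports the secret's length rather than the secret.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Trimmed copy of the LocalAccount section from the example file on this page.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup"
             xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
   <UserAccounts><LocalAccounts>
    <LocalAccount wcm:action="add">
     <Password><Value>cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=</Value>
      <PlainText>false</PlainText></Password>
     <Group>administrators</Group><Name>User</Name>
    </LocalAccount>
   </LocalAccounts></UserAccounts>
  </component>
 </settings>
</unattend>"""

def classify(value, plain_text, element_name):
    """Return (exposure, secret_length); the appended suffix is the element name."""
    if plain_text:
        return "plaintext", len(value)
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return "unrecognized", None
    if decoded.endswith(element_name):
        return "base64-reversible", len(decoded) - len(element_name)
    return "unrecognized", None

def audit_unattend(xml_text):
    """Report every credential element (one with Value and PlainText children)."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for elem in parent:
            value, flag = elem.findtext(NS + "Value"), elem.findtext(NS + "PlainText")
            if value is None or flag is None:
                continue
            name = elem.tag.replace(NS, "")
            exposure, length = classify(value.strip(), flag.strip().lower() == "true", name)
            findings.append({"element": name, "exposure": exposure, "secret_length": length,
                             "account": parent.findtext(NS + "Name"),
                             "group": parent.findtext(NS + "Group")})
    return findings

if __name__ == "__main__":
    print(audit_unattend(SAMPLE))
```

Treat an answer file with a "base64-reversible" or "plaintext" finding as holding a cleartext credential: restrict who can read the file and the image, and change the account password after deployment.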