Windows desktop shortcuts... .ico images gone after sysprep!
-
So… After a few days of messing with this, it turns out to be the CopyProfile = true bit in the unattend.xml that is messing with the desktop icons.
I set CopyProfile = false and just threw the links into default profile myself and now the links and everything else that was being odd work just fine. Other customizations like start menu etc are gone but I can work around that.
Has anyone else had any problems with CopyProfile = true in their unattend.xml? It's a shame to not be able to use that.
-
@m144 I personally use Defprof to keep most of the customizations for the default profile.
-
https://www.forensit.com/support-downloads.html
@Quazz will this copy the start menu, taskbar and default apps?
-
@x23piracy That’s what I ended up using… I used defprof back in the XP days. Happy to see that it is still around.
-
You could also create a PowerShell/batch script to copy the icons onto the Public desktop. Push it out as a FOG Snapin.
```powershell
Copy-Item -Path C:\Tools\Shortcut01.lnk -Destination $env:PUBLIC\Desktop\Shortcut01.lnk -Force
```
-
@avaryan Thanks, That’s not a half bad idea… As of now, defprof is doing the job. The only problems I have left to fix on this windows 10 img is:
-
The fact that after Sysprep it auto logs into the pc as administrator twice but we only have it set to do so once in the unattend.xml (Not sure how I am going to fix this one!)
-
Chrome profile settings are not being copied over to the default profile. (Not that big of a problem, can live without it)
Other than that I should be able to push this out to a few computers today, give it a good test run before our first go around with a few hundred computers… to start with.
-
-
@m144 said in Windows desktop shortcuts... .ico images gone after sysprep!:
- The fact that after Sysprep it auto logs into the pc as administrator twice but we only have it set to do so once in the unattend.xml (Not sure how I am going to fix this one!)
Auto login values are stored in the registry. I would use the SetupComplete.cmd file to launch a PowerShell script that runs something like this:
```powershell
# This is completely untested.
# If this is the same account specified in the unattend, the user/pass info may already be stored here.
$Username = "Administrator"
$Password = "MySuperSecretPassword"
$LogonAmount = 1

# Editing these while an account is logged in has given me errors before, so just to make sure...
Start-Process -FilePath "$env:windir\System32\shutdown.exe" -ArgumentList '-l -f' -Wait
Start-Sleep -Seconds 2

$path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

if ($LogonAmount -gt 0) {
    Set-ItemProperty -Path $path -Name AutoAdminLogon -Value 1
} else {
    # If it's set to 0 (or less), turn auto logon off.
    Set-ItemProperty -Path $path -Name AutoAdminLogon -Value 0
}

Set-ItemProperty -Path $path -Name DefaultUserName -Value $Username

if (-Not (Get-ItemProperty -Path $path | Select-Object -ExpandProperty "DefaultPassword" -ErrorAction SilentlyContinue )) {
    New-ItemProperty -Path $path -Name DefaultPassword -Value $Password | Out-Null
}
Set-ItemProperty -Path $path -Name DefaultPassword -Value $Password | Out-Null

if (-Not (Get-ItemProperty -Path $path | Select-Object -ExpandProperty "AutoLogonCount" -ErrorAction SilentlyContinue )) {
    New-ItemProperty -Path $path -Name AutoLogonCount -Value $LogonAmount | Out-Null
}
Set-ItemProperty -Path $path -Name AutoLogonCount -Value $LogonAmount | Out-Null

Restart-Computer -Force
```
-
@avaryan WOW that was quick… Did you just make this!
So, I have a firstboot.bat that runs on the first autologin that does some stuff like delete the unattend.xml, start the fog service, etc.
I think I am just going to have my firstboot.bat file throw another .bat (secondboot.bat) into the startup folder for the administrator account. Who knows maybe we will find something we can add to the secondboot.bat that is useful.
Below is the list of the basic things we do; it excludes any extra stuff we are doing. Just want to list out how we are doing things in case anyone else wants a super basic process.
*Note: This is the code we use if “CopyProfile” in the unattend.xml is set to false and we are using the DefProf tool.
```bat
rem win_10-generalize.bat
sc config "FOGService" start= disabled
net stop "FOGService"
cd C:\Tools\firstboot
copy firstboot-shortcut.lnk "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
rem more stuff goes on here
cd C:\Windows\System32\Sysprep
sysprep /generalize /oobe /shutdown /unattend:c:\Windows\System32\Sysprep\unattend.xml
```
Upload to FOG server… Then send out to whatever.
```bat
rem firstboot.bat
del C:\Windows\System32\Sysprep\*.xml
sc config "FOGService" start= auto
net start "FOGService"
rem more stuff goes on here
cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
del firstboot-shortcut.lnk
cd C:\Tools\secondboot
rem per-user Startup folder of the Administrator account
copy secondboot-Shortcut.lnk "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
del C:\Tools\firstboot\*.bat
rem at this point FOG reboots and joins the computer to the domain
```
```bat
rem fix my auto log in twice problem
shutdown -r -t 60
cd "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
del secondboot-shortcut.lnk
del C:\Tools\secondboot\*.bat
```
Probably not the best way to fix this whole logging into the administrator account twice for no reason problem… But it is a quick way to fix it lol.
-
Regarding the auto login issue. I have a FOG Snapin called “(9) System Restart”. It’s just a blank text file with the “Reboot after install” option enabled in the snapin settings.
FYI: I have the number there to assign deployment priority. FOG will pull them alphabetically. “(0)” is my SCCM client. “(4)” are my normal applications, etc…
-
@avaryan I have not messed around with FOG Snapins that much at all… I guess now is a good time to start!
Thanks for all your help on this, much appreciated.
-
@m144 said in Windows desktop shortcuts... .ico images gone after sysprep!:
@avaryan WOW that was quick… Did you just make this!
Modified from something I previously wrote so that I could apply auto login values in bulk via IP addresses exported from DHCP and saved in a csv file. This was at a time when our DNS records weren’t reliable so the tool that I typically use to set auto login wasn’t working reliably.
The original, in case anyone ever needs it for something:
```powershell
<#
.Synopsis
   Enables Automatic Login with supplied credentials.
.DESCRIPTION
   Logs off all users, sets AutoLogon registry keys with entered values, restarts the computer.
.EXAMPLE
   ./Set-AutoLogon.ps1 -ComputerName PTSD-TestComputer -Username PTSD\TestAccount -Password Password123 -TimesToLogin 3

   This will automatically logon to PTSD-TestComputer three times as the TestAccount user.
   The computer will revert to the normal logon procedure after the third automatic logon.
.NOTES
   Supplied credentials are stored in plain text in the registry.
   They are removed from the registry when the number of automatic logons is depleted.
#>

Param(
    [parameter(Mandatory=$true)]
    [String[]]
    $ComputerName,

    [parameter(Mandatory=$true)]
    [String]
    $Username,

    [parameter(Mandatory=$true)]
    [String]
    $Password,

    [parameter(Mandatory=$false)]
    [Int]
    $TimesToLogin = 1
)

$credentials = Get-Credential

Invoke-Command -ComputerName $ComputerName -Credential $credentials -ScriptBlock {
    Param($Times, $User, $Pass)

    $shutdown = $env:SystemRoot + "\System32\shutdown.exe"
    Start-Process -FilePath $shutdown -ArgumentList '-l -f' -Wait
    Start-Sleep -Seconds 2

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    Set-ItemProperty -Path $path -Name AutoAdminLogon -Value 1
    Set-ItemProperty -Path $path -Name DefaultUserName -Value $User

    if (-Not (Get-ItemProperty -Path $path | Select-Object -ExpandProperty "DefaultPassword" -ErrorAction SilentlyContinue )) {
        New-ItemProperty -Path $path -Name DefaultPassword -Value $Pass | Out-Null
    }
    Set-ItemProperty -Path $path -Name DefaultPassword -Value $Pass | Out-Null

    if (-Not (Get-ItemProperty -Path $path | Select-Object -ExpandProperty "AutoLogonCount" -ErrorAction SilentlyContinue )) {
        New-ItemProperty -Path $path -Name AutoLogonCount -Value $Times | Out-Null
    }
    Set-ItemProperty -Path $path -Name AutoLogonCount -Value $Times | Out-Null

    Restart-Computer -Force
} -ArgumentList $TimesToLogin,$Username,$Password
```
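
An added example, not part of any post in this thread: because the Winlogon values above hold the password in plain text and the answer file is only deleted by firstboot.bat, a post-deployment check can confirm that neither was left behind on an imaged machine. The function name `Test-ImagingLeftovers` is hypothetical, and the `Panther` paths are an assumption about where Windows Setup caches the answer file; the thread only mentions the Sysprep folder.

```powershell
# Added example (not from the thread). Run elevated on a deployed machine.
function Test-ImagingLeftovers {
    [CmdletBinding()]
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string[]]$AnswerFileGlobs = @(
            "$env:windir\System32\Sysprep\*.xml",    # folder cleaned by firstboot.bat in the thread
            "$env:windir\Panther\unattend.xml",      # assumption: Setup's cached copy
            "$env:windir\Panther\Unattend\*.xml"     # assumption: Setup's cached copy
        )
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $winlogon = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop

    # Registry values written by the auto-logon scripts in the thread.
    foreach ($name in 'AutoAdminLogon', 'AutoLogonCount', 'DefaultUserName', 'DefaultPassword') {
        $prop = $winlogon.PSObject.Properties[$name]
        if (-not $prop) { continue }
        $risky = switch ($name) {
            'DefaultPassword' { $true }                          # plain-text credential still present
            'AutoAdminLogon'  { "$($prop.Value)" -eq '1' }       # auto-logon still enabled
            'AutoLogonCount'  { [int]$prop.Value -gt 0 }         # logons still pending
            default           { $false }
        }
        # Never echo the password itself into the report.
        $shown = $(if ($name -eq 'DefaultPassword') { '<present, not shown>' } else { $prop.Value })
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Item = $name; Value = $shown; Risky = $risky })
    }

    # Answer files that may still carry account passwords.
    foreach ($glob in $AnswerFileGlobs) {
        Get-ChildItem -Path $glob -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hasPw = [bool](Select-String -Path $_.FullName -Quiet `
                            -Pattern '<Password>|<AdministratorPassword>')
            $findings.Add([pscustomobject]@{
                Kind = 'File'; Item = $_.FullName
                Value = $(if ($hasPw) { 'contains password element, review' } else { 'no password element' })
                Risky = $hasPw
            })
        }
    }
    $findings
}

Test-ImagingLeftovers | Where-Object Risky | Format-Table -AutoSize
```

An empty table means no auto-logon credential or password-bearing answer file was found in the locations checked.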