Localboot products: automatic software distribution with opsi

Localboot products are all products that are installed by the 'opsi-client-agent' after the computer started the installed OS. This is in contrast to the netboot products described below Netboot products.

opsi standard products

The following localboot products are part of the default installation of opsi.


The opsi-client-agent is the client agent of opsi and is described in detail above: see chapter opsi-client-agent.


The product opsi-script is a special case. It contains the current opsi-script. This does not have to be set to setup to update. Rather, part of the opsi-client-agent checks each time it is started whether a different version of the opsi-script is available and fetches it if this is the case.


The opsi graphical management interface packaged as application For Windows and Linux. See also chapter: opsi-Management GUI: opsi-configed


Java based editor with syntax highlighting for 'opsi-script' scripts.

Products for Hardware and Software Audit: hwaudit and swaudit

The hwaudit and swaudit products are used for hardware and software inventory. The hardware data is collected via WMI and reported back to the server via the 'opsi-webservice'. For the software inventory the information is taken from the registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)and reported back to the server via the 'opsi-webservice'.


Template for creating your own opsi scripts. You can extract the template with:

opsi-package-manager -x opsi-template-with-userlogin_<version>.opsi

or rename it at the same time:

opsi-package-manager -x opsi-template-with-userlogin_<version>.opsi --new-product-id myprod

See also the opsi-script-manual Chapter:
Script for installations in the context of a local user


Shuts down the computer when there are no further actions pending.


Large collection of opsi-script self tests. This can be used as a sample collection for working calls of opsi-script commands.


See also chapter: opsi WIM Capture


Product for easy generation of an opsi-winpe See also the opsi-getting-started manual, chapter 'Creating a PE'.


See also chapter: opsi with UEFI / GPT


See also chapter:


Text viewer with selection for log levels and events.
For Windows and Linux.

  • The opsi-logviewer tool created by uib now also opens files that are compressed in the archive formats zip or gzip. This means that log files that are sent as an archive can be viewed directly. (If an archive contains several files, the contents are of all files are appended.)


Configures various Windows 10 settings such as lock screen, hibernation boot, sending telemetry and update behavior.

Version 4.0.7 added new options.

  • allow_useractivity_publishing allows Microsoft to collect userctivity experiences

  • change_power_plan changes the power management profile.

  • config_updates allows you to change the source of the updates. The updates are then downloaded either directly from Microsoft servers, a local peer-to-peer network or a peer-to-peer network from the Internet. The 'disable' option is meanwhile moved into a separate property called 'disable_updates'.

  • defer_upgrade postpones updates and upgrades. Updates can be postponed by four weeks and upgrades by eight months. It should be noted that security-relevant updates are installed despite the 'defer' option. However, feature updates are not installed.

  • deferfeatureupdatesperiodindays Defines how long quality updates, also called windows upgrades, should be defered. The maximum is 365 days.

  • deferqualityupdatesperiodindays Defines how many days feature updates should be defered. The maximum is 29 days.

  • disable_advertising_id deactivates the so-called Advertising ID. This stores data about the browser history in order to display user-specific advertising.

  • disable_app_suggestion_in_startmenu deactivates suggested apps in the start menu.

  • disable_automatic_logon_on_reboot: disables an automatic logon after reboot.

  • disable_cortana deactivates the Cortana voice assistant. This collects various data about input and transfers this data to Microsoft servers.

  • disable_customer_experience disables collecting data related to application usage data.

  • disable_defender disables the anti-virus protection included with Windows 10 called 'Defender'.

  • disable_dosvc disbales a service used for delivery optimization.

  • disable_error_report deactivates sending error reports to Microsoft. This does not affect third party apps.

  • disable_fast_boot deactivates fast boot and ensures that the standard opsi-event gui_startup works properly.

  • disable_font_streaming ensures that fonts not installed on the system are streamed from the Internet.

  • disable_handwrite_sharing A special feature is the use of Windows 10 on tablet PCs. Here, data about handwriting is collected and sent to a Microsoft server.

  • disable_location_sensors disables collecting data about the current geolocation of the device.

  • disable_lock_screen disables the lock screen.

  • disable_mrt deactivates the use of the 'Malware Removal Tool', MRT for short. This service scans existing files on the computer’s hard drive at regular intervals and compares them with a list of potentially dangerous software.

  • disable_news_and_interest deactivates news and interest in the taskbar.

  • disable_onedrive_sync disables the OneDrive file synchronization.

  • disable_push_install disables the possibility to push install apps from the Microsoft store from another device with the same account.

  • disable_recent_apps disables the presentation of recently used apps in the start menu.

  • disable_sending_feedback makes it possible to influence the transfer of data to Microsoft in the event of application crashes.

  • disable_smbv1 disables the SMB v1 protocol.

  • disable_suggested_silent_app_installion deactivates a silent installation of suggested apps in the background without user interaction.

  • disable_telemetry makes it possible to limit the amount of data collected. A lot of data is transferred as standard. If the property is set to 'true', Windows is set so that only security-relevant data is transferred. This is the lowest level. This security level can only be set in the Windows 10 Enterprise and LTSB version. In the other versions of Windows 10, the next lowest level is applied, Basic.

  • disable_update_button disables the update button within the update settings. If set to false after it was set to true it might take a couple of hours to make the button usable again.

  • disable_update_service disables the windows update service and provides another possibility to block updates.

  • disable_updates blocks connections to Microsoft update sources when set to 'true'. Setting the property to 'false' enables these connections again.

  • disable_wifi_sense deactivates the service called 'Wifi Sense'. This service enables saved WLAN configurations to be shared with contacts.

  • flashplayer_autorun There is a security vulnerablility in Windows 10 with the Adobe Flashplayer. It is recommended to deactivate the autorun feature of the flash player. With 'false' the Flashplayer is no longer started.

  • hide_known_file_extensions hides known file extensions, e.g. txt.

  • local_wsus_available: Only affects Windows Updates: When 'true' a connection to a local WSUS server is possible.

  • minimize_recommendations deactivaes the usage of collected data to show recommendations on lockscreen.

  • no_new_app_install_notification: If this is set to 'true' this property deactivates notifications on app updates.

  • online_search Online results are also provided for every search using the integrated search bar in the taskbar. 'true' enables such an online search, 'false' disables it.

  • oobedisableprivacyexperience: Only affects Windows 10 1809 and newer. Deactivates OOBE DIsablePrivacyExperiene, if 'true'.

  • remove_edge_from_desktop removed the desktop shotcut for the old edge browser.

  • show_all_folder_in_navbar shows all folders in the navigation bar in the Widnows Explorer.

  • show_drive_letter_first shows the drive letter first.

  • show_this_pc_instead_of_quicklaunch opens this pc instead of a quick access.

  • sync_settings If you use Windows 10 in combination with a Microsoft account, it is possible to synchronize your settings with the current Microsoft account. If you set the property 'sync_settings' to 'false' this will be deactivated.

  • wlid_service controls the behaviour of the Windows Live ID Service.

type: bool
name: disable_fast_boot
description: Disable Fastboot for proper opsi startup
default: True

type: bool
name: disable_lock_screen
default: True

type: bool
name: disable_telemetry
description: Disable telemetry data transmission
default: True

type: bool
name: disable_cortana
description: Disable Cortana assistant
default: True

type: bool
name: disable_customer_experience
description: Disable customer experience program
default: True

type: bool
name: disable_mrt
description: Disable Malicious Software Removal Tool
default: True

type: unicode
name: config_updates
multivalue: False
editable: False
description: Set Windows-Update behavior
values: ["AllowPeerToPeer", "LocalPeerToPeer", "MicrosoftOnly"]
default: ["MicrosoftOnly"]

type: bool
name: disable_mac
description: Disable Microsoft Account communication
default: False

type: bool
name: disable_advertising_id
description: Disable Microsoft Advertising ID
default: False

type: bool
name: disable_updates
description: Disable Windows Updates
default: False

type: bool
name: disable_defender
description: Disable Microsoft Windows Defender
default: False

type: bool
name: disable_wifi_sense
description: Disable Wi-Fi Sense
default: False

type: bool
name: disable_sending_feedback
description: Disable sending feedback and diagnostics
default: False

type: bool
name: disable_font_streaming
description: Disable font streaming of not installed fonts
default: False

type: bool
name: defer_upgrade
description: Defer Windows 10 Upgrade
default: True

type: bool
name: flashplayer_autorun
description: Adobe Flashplayer: allow autorun?
default: False

type: bool
name: location_sensors
description: Disable location and sensor detection
default: True

type: bool
name: online_search
description: Disable online search during file or command search
default: True

type: bool
name: disable_handwrite_sharing
description: Tablet-PC: Disable sharing of handriting information
default: True

type: bool
name: sync_settings
description: Sync settings with AccountID
default: False


Package for customizing the basic settings of the user interface, Explorer, etc.


opsi-auto-update is a product to simplify the maintenance of the clients.

opsi-auto-update is not for clients running the WAN-extension

In essence, this product can be used to ensure that the installed products are up to date.
The product sets all installed products, whose version is not identical to that on the server, for the client to setup.

Properties for managing excludes:

  • name: products_to_exclude

    • description: (deneylist) Which opsi product(s) should be excluded from update ?
      List of products that should not be installed even if there is an update (such as windomain)

  • name: products_to_exclude_by_regex

    • description: (deneylist) Which opsi product(s) should be excluded from update (by regular expressions)?
      List of regular expressions that fit products that should not be installed even if there is an update (such as windomain)

  • name: products_to_include

    • description: (allowlist) Which opsi product(s) should be checked for update ? ; If empty = all products
      Here you can enter a list of products to which the update check should be limited. Products that are not in this list are also not considered when checking for updates. Exception: If the list is empty, all products are checked.

Properties for managing includes:

  • name: products_to_run_always

    • description: Which opsi product(s) should be installed via every update ? (List will not be cleared after run)
      List of products which are set to setup every time opsi-auto-update is run.

  • name: failed_products_to_setup

    • description: if true this also sets all failed products to setup on all clients
      If this is True, all products currently on failed are set to setup.

Properties for sequence control:

  • name: shutdown_on_finish

    • description: if true we have a final shutdown if false we have no reboot / shutdown default: False
      Should a shutdown me made after the product has finished?

Special properties for 'local-image / vhd-reset':
See also: opsi vhd reset
See also: opsi local image

  • name: do_cleanup

    • description: If false: skip restore before update
      This property is ignored if it is not a vhd or local image installation.
      For a vhd installation, do_cleanup=true executes opsi-vhd-control before the updates, thereby discarding all changes and restoring the saved state.
      For a local-image installation, do_cleanup=true executes opsi-local-image-restore before the updates, thereby discarding all changes and restoring the saved state.
      In both cases, information about action requests is also discarded. In order to be able to add or remove products during a run of opsi-auto-update, there are the following two properties.

  • name: products_to_install

    • description: Which opsi product(s) should be installed via update ? (List will be cleared after run)
      List of products which are set to setup during the opsi-auto-update run. If the products have been installed successfully, they will be removed from this list.

  • name: products_to_uninstall

    • description: Which opsi product(s) should be uninstalled via update ? (List will be cleared after run)
      List of products which are set to uninstall during the opsi-auto-update run. If the products have been uninstalled successfully, they will be removed from this list.

  • name: do_merge

    • description: If false: skip backup after update
      This property is ignored if it is not a vhd or local image installation.
      For a vhd installation, do_cleanup=true executes opsi-vhd-control with upgrade=true after the updates and thus all changes are saved.
      For a local-image installation, do_cleanup=true executes opsi-local-image-backup after the updates and thus all changes are saved.

Properties for debugging:

  • name: disabled
    This property is for debugging purposes.
    If 'true', the product does not execute any actions.
    Default = 'false'

  • name: rebootflag
    Please do not change during the run. This should be '0' before starting.

  • name: stop_after_step
    This property is for debugging purposes.
    If not '0' then this is the number of reboots after which to stop. Default = '0'

The opsi-auto-update product has a very low priority (-97), which is even less than that of opsi-vhd-control.

The opsi-auto-update product can be combined well with a cron job that executes opsi-wakeup-clients.
(opsi-wakeup-clients is part of the opsi-utils package)
For details see here: opsi-wakeup-clients, opsi-auto-update and working_window


opsi-auto-update is not for clients running the WAN-extension

The goal of this product is, to update the driver of existing windows machines from the standard netboot driver repository.

If you have new drivers for your machines, usually the first step is to integrate these drivers into the driver repository of the used netboot product.

How this is done is decribed in the opsi-windows-client-manual in the chapter:
Drivers automatically assigned to the clients using the inventory fields.

and in the opsi-manual chapter:
Automatic driver upload

By default, the product tries to use the 'byAudit' driver repository of the netboot product used for the OS installation of this machine. The driver repository of this netboot product will be used for this product.
The script tries to detected the used netbootproduct. You may use the property netbootproduct to define the netboot product to use.
Using the property driver_path you may also point to a totaly different driver repository. Such a driver repository will not be filterd by <vendor>/<model>.

The properties:

  • name: driver_path
    description: Path to the driver directory.
    'auto'= from netboot product driver repo

  • name: netbootproduct
    description: name of the netboot product (where we can find the driver in driver_path auto mode).
    'auto'= try to detect the used netboot product

  • name: force_import_cert_from_sys
    description: if true, installation of not correct signed drivers will be possible by extracting the certs from the .sys file and import them to the cert store

  • name: force_reinstallation
    description: if true, we try to install the driver even if it seems to be installed in the repo version

The list of found path to drivers will be filtered by the following criteria: All directories which contains one of the following pattern will be excluded:
autorun.inf, WINXP, XP, WIN200, WIN2K, VISTA, WINPE
On 64 Bit system all directories which contains one of the following pattern will be excluded:
32, x86, DrvBin32 ,WIN32, IA32, IA-32
On 32 Bit system all directories which contains one of the following pattern will be excluded:
64, x64 , DrvBin64, WIN64, x86-64, amd64

Manipulating the installation sequence by priorities and dependencies

Since opsi 4.0, the installation order is determined by the opsi-server taking into account product dependencies and product priorities.

  • Product dependencies
    Defines dependencies and the necessary installation order between opsi-packages. A typical example is the dependency of Java programs on the Java Runtime Environment (javavm).

  • Product priorities
    Priorities are used to push certain packages forward or backward in the order of installation. It makes sense to install service packs and patches first and a software inventory at the end of an installation sequence.
    Product priorities are numbers between 100 and -100 (0 is the default)

There are different possibilities how these two factors are used to determine the installation order. Therefore, opsi provides two algorithms.

Switch between these algorithms can be done either:

using 'opsi-configed', in the server configuration

opsi-configed: server configuration
Figure 1. 'opsi-configed': server configuration

or on the command line with the following command:

opsi-setup --edit-config-defaults
Choose the sort algorithm: Part 1
Figure 2. Choose the sort algorithm: Part 1
Choose the sort algorithm: Part 2
Figure 3. Choose the sort algorithm: Part 2

Algorithm1: product dependency before priority (default)

With this algorithm, the products are first sorted based on their priorities and then re-sorted based on the product dependencies. This of course allows a product with a very low priority to be pushed far forward because it is required by a product other than 'required before'. On the other hand, it prevents installation problems due to unresolved product dependencies.
Algorithm 1 ensures that the installation order is constant, regardless of how many products are set to setup. This order corresponds to the order which is shown in configed when the products are sorted according to the position column.
This ensures that if a setup script is only interrupted with "ExitWindows /immediateReboot", the processing of the interrupted script is continued immediately after the reboot.

Algorithm2: product priority before dependency

This algorithm is based on the idea that in practice, there are essentially three priority classes:

  • Products to be installed first such as OS patches and drivers that bring the PC to a standard state. Is realized by assigning a high priority (maximum +100).

  • "Normal" products that install applications (default priority 0).

  • Products that should be installed last, e.g. software inventory control. Realized by assigning a low priority (lowest possible -100).

Product dependencies are only resolved within a priority class. This ensures that products with a high priority are actually installed at the beginning. Cross-priority product dependencies are not taken into account or give a warning. It is therefore important to note when packaging that product dependencies are only defined within one priority class.

The product dependencies are interpreted here in such a way that with "normal" products they automatically lead to a consistent order that takes all dependencies into account. If contradictory (circular) dependencies have been defined, an error is displayed.

In the case of products with high priorities that are essential for setup of the computer, however, the administrator should set the exact order by hand - similar to, for example, Unix start-up scripts - by assigning a specific priority between +100 and +1 for each product according to the desired order. The same applies to the final products with low priorities.

Defining product priorities and dependencies

Priorities and product dependencies belong to the metadata of an Produkt. You will be asked for these when creating a product with the command opsi-newprod.

This metadata is stored in the control file of the product and can be edited there. After a change in the control file, the product must be repacked and installed again.

See also the chapter 'Creating an opsi product package' in the opsi-getting-started manual.

Integration of new software packages into the opsi software deployment.

Instructions for integrating your own software can be found in the opsi-getting-started manual.