Localboot products: automatic software distribution with opsi

Localboot products are all products that are installed by the 'opsi-client-agent' after the computer started the installed OS. This is in contrast to the netboot products described below Netboot products.

opsi standard products

The following localboot products are part of the default installation of opsi.

activate-win

Activate Windows:

by using different methods controlled by the properties
by using different license key sources

config-win10

Configures various Windows 10 settings such as lock screen, hibernation boot, sending telemetry and update behavior.

See also: microsoft-windows-policies.

allow_useractivity_publishing allows Microsoft to collect userctivity experiences
change_power_plan changes the power management profile.
config_updates allows you to change the source of the updates. The updates are then downloaded either directly from Microsoft servers, a local peer-to-peer network or a peer-to-peer network from the Internet. The 'disable' option is meanwhile moved into a separate property called 'disable_updates'.
defer_upgrade postpones updates and upgrades. Updates can be postponed by four weeks and upgrades by eight months. It should be noted that security-relevant updates are installed despite the 'defer' option. However, feature updates are not installed.
deferfeatureupdatesperiodindays Defines how long quality updates, also called windows upgrades, should be defered. The maximum is 365 days.
deferqualityupdatesperiodindays Defines how many days feature updates should be defered. The maximum is 29 days.
disable_advertising_id deactivates the so-called Advertising ID. This stores data about the browser history in order to display user-specific advertising.
disable_app_suggestion_in_startmenu deactivates suggested apps in the start menu.
disable_automatic_logon_on_reboot: disables an automatic logon after reboot.
disable_cortana deactivates the Cortana voice assistant. This collects various data about input and transfers this data to Microsoft servers.
disable_customer_experience disables collecting data related to application usage data.
disable_defender disables the anti-virus protection included with Windows 10 called 'Defender'.
disable_dosvc disbales a service used for delivery optimization.
disable_error_report deactivates sending error reports to Microsoft. This does not affect third party apps.
disable_fast_boot deactivates fast boot and ensures that the standard opsi-event gui_startup works properly.
disable_font_streaming ensures that fonts not installed on the system are streamed from the Internet.
disable_handwrite_sharing A special feature is the use of Windows 10 on tablet PCs. Here, data about handwriting is collected and sent to a Microsoft server.
disable_location_sensors disables collecting data about the current geolocation of the device.
disable_lock_screen disables the lock screen.
disable_mrt deactivates the use of the 'Malware Removal Tool', MRT for short. This service scans existing files on the computer’s hard drive at regular intervals and compares them with a list of potentially dangerous software.
disable_news_and_interest deactivates news and interest in the taskbar.
disable_onedrive_sync disables the OneDrive file synchronization.
disable_push_install disables the possibility to push install apps from the Microsoft store from another device with the same account.
disable_recent_apps disables the presentation of recently used apps in the start menu.
disable_sending_feedback makes it possible to influence the transfer of data to Microsoft in the event of application crashes.
disable_smbv1 disables the SMB v1 protocol.
disable_suggested_silent_app_installion deactivates a silent installation of suggested apps in the background without user interaction.
disable_telemetry makes it possible to limit the amount of data collected. A lot of data is transferred as standard. If the property is set to 'true', Windows is set so that only security-relevant data is transferred. This is the lowest level. This security level can only be set in the Windows 10 Enterprise and LTSB version. In the other versions of Windows 10, the next lowest level is applied, Basic.
disable_update_button disables the update button within the update settings. If set to false after it was set to true it might take a couple of hours to make the button usable again.
disable_update_service disables the windows update service and provides another possibility to block updates.
disable_updates blocks connections to Microsoft update sources when set to 'true'. Setting the property to 'false' enables these connections again.
disable_wifi_sense deactivates the service called 'Wifi Sense'. This service enables saved WLAN configurations to be shared with contacts.
flashplayer_autorun There is a security vulnerablility in Windows 10 with the Adobe Flashplayer. It is recommended to deactivate the autorun feature of the flash player. With 'false' the Flashplayer is no longer started.
hide_known_file_extensions hides known file extensions, e.g. txt.
local_wsus_available: Only affects Windows Updates: When 'true' a connection to a local WSUS server is possible.
minimize_recommendations deactivaes the usage of collected data to show recommendations on lockscreen.
no_new_app_install_notification: If this is set to 'true' this property deactivates notifications on app updates.
online_search Online results are also provided for every search using the integrated search bar in the taskbar. 'true' enables such an online search, 'false' disables it.
oobedisableprivacyexperience: Only affects Windows 10 1809 and newer. Deactivates OOBE DIsablePrivacyExperiene, if 'true'.
remove_edge_from_desktop removed the desktop shotcut for the old edge browser.
show_all_folder_in_navbar shows all folders in the navigation bar in the Widnows Explorer.
show_drive_letter_first shows the drive letter first.
show_this_pc_instead_of_quicklaunch opens this pc instead of a quick access.
sync_settings If you use Windows 10 in combination with a Microsoft account, it is possible to synchronize your settings with the current Microsoft account. If you set the property 'sync_settings' to 'false' this will be deactivated.
wlid_service controls the behaviour of the Windows Live ID Service.

[ProductProperty]
type: bool
name: disable_fast_boot
description: Disable Fastboot for proper opsi startup
default: True

[ProductProperty]
type: bool
name: disable_lock_screen
default: True

[ProductProperty]
type: bool
name: disable_telemetry
description: Disable telemetry data transmission
default: True

[ProductProperty]
type: bool
name: disable_cortana
description: Disable Cortana assistant
default: True

[ProductProperty]
type: bool
name: disable_customer_experience
description: Disable customer experience program
default: True

[ProductProperty]
type: bool
name: disable_mrt
description: Disable Malicious Software Removal Tool
default: True

[ProductProperty]
type: unicode
name: config_updates
multivalue: False
editable: False
description: Set Windows-Update behavior
values: ["AllowPeerToPeer", "LocalPeerToPeer", "MicrosoftOnly"]
default: ["MicrosoftOnly"]

[ProductProperty]
type: bool
name: disable_mac
description: Disable Microsoft Account communication
default: False

[ProductProperty]
type: bool
name: disable_advertising_id
description: Disable Microsoft Advertising ID
default: False

[ProductProperty]
type: bool
name: disable_updates
description: Disable Windows Updates
default: False

[ProductProperty]
type: bool
name: disable_defender
description: Disable Microsoft Windows Defender
default: False

[ProductProperty]
type: bool
name: disable_wifi_sense
description: Disable Wi-Fi Sense
default: False

[ProductProperty]
type: bool
name: disable_sending_feedback
description: Disable sending feedback and diagnostics
default: False

[ProductProperty]
type: bool
name: disable_font_streaming
description: Disable font streaming of not installed fonts
default: False

[ProductProperty]
type: bool
name: defer_upgrade
description: Defer Windows 10 Upgrade
default: True

[ProductProperty]
type: bool
name: flashplayer_autorun
description: Adobe Flashplayer: allow autorun?
default: False

[ProductProperty]
type: bool
name: location_sensors
description: Disable location and sensor detection
default: True

[ProductProperty]
type: bool
name: online_search
description: Disable online search during file or command search
default: True

[ProductProperty]
type: bool
name: disable_handwrite_sharing
description: Tablet-PC: Disable sharing of handriting information
default: True

[ProductProperty]
type: bool
name: sync_settings
description: Sync settings with AccountID
default: False

swaudit + hwaudit: Products for hard- and software-audit

The hwaudit and swaudit products are used for hardware and software inventory. The hardware data is collected via WMI and reported back to the server via the 'opsi-Webservice'. For the software inventory the information is taken from the registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)and reported back to the server via the 'opsi-Webservice'.

jedit

Java based editor with syntax highlighting for 'opsi-script' scripts.

microsoft-windows-policies

Configures various Windows 10 settings.
Like config-win10 but the implementation is policy based.
The product documentation will be found inside the product at the path: documentation.

opsi-auto-update

opsi-auto-update is a product to simplify the maintenance of the clients.

opsi-auto-update is not for clients running the WAN-extension. Use in this case: opsi-outdated-to-setup

In essence, this product can be used to ensure that the installed products are up to date.
The product sets all installed products, whose version is not identical to that on the server, for the client to setup.

Properties for managing exceptions:

name: products_to_exclude
- description: (Blacklist) Which opsi product(s) should be excluded from update ?
  List of products that should not be installed even if there is an update (such as windomain)
name: products_to_exclude_by_regex
- description: (Blacklist) Which opsi product(s) should be excluded from update (by regular expressions)?
  List of regular expressions that fit products that should not be installed even if there is an update (such as windomain)
name: products_to_include
- description: (Whitelist) Which opsi product(s) should be checked for update ? ; If empty = all products
  Here you can enter a list of products to which the update check should be limited. Products that are not in this list are also not considered when checking for updates. Exception: If the list is empty, all products are checked.

Properties for managing includes:

name: products_to_run_always
- description: Which opsi product(s) should be installed via every update ? (List will not be cleared after run)
  List of products which are set to setup every time opsi-auto-update is run.
name: failed_products_to_setup
- description: if true this also sets all failed products to setup on all clients
  If this is True, all products currently on failed are set to setup.

Properties for sequence control:

name: shutdown_on_finish
- description: if true we have a final shutdown if false we have no reboot / shutdown default: False
  Should a shutdown me made after the product has finished?

Special properties for 'local-image / vhd-reset':
See also: opsi vhd reset
See also: opsi local image

name: do_cleanup
- description: If false: skip restore before update
  This property is ignored if it is not a vhd or local image installation.
  For a vhd installation, do_cleanup=true executes opsi-vhd-control before the updates, thereby discarding all changes and restoring the saved state.
  For a local-image installation, do_cleanup=true executes opsi-local-image-restore before the updates, thereby discarding all changes and restoring the saved state.
  In both cases, information about action requests is also discarded. In order to be able to add or remove products during a run of opsi-auto-update, there are the following two properties.
name: products_to_install
- description: Which opsi product(s) should be installed via update ? (List will be cleared after run)
  List of products which are set to setup during the opsi-auto-update run. If the products have been installed successfully, they will be removed from this list.
name: products_to_uninstall
- description: Which opsi product(s) should be uninstalled via update ? (List will be cleared after run)
  List of products which are set to uninstall during the opsi-auto-update run. If the products have been uninstalled successfully, they will be removed from this list.
name: do_merge
- description: If false: skip backup after update
  This property is ignored if it is not a vhd or local image installation.
  For a vhd installation, do_cleanup=true executes opsi-vhd-control with upgrade=true after the updates and thus all changes are saved.
  For a local-image installation, do_cleanup=true executes opsi-local-image-backup after the updates and thus all changes are saved.

Properties for debugging:

name: disabled
This property is for debugging purposes.
If 'true', the product does not execute any actions.
Default = 'false'
name: rebootflag
Please do not change during the run. This should be '0' before starting.
name: stop_after_step
This property is for debugging purposes.
If not '0' then this is the number of reboots after which to stop. Default = '0'

The opsi-auto-update product has a very low priority (-97), which is even less than that of opsi-vhd-control.

The opsi-auto-update product can be combined well with a cron job that executes opsi-wakeup-clients.
(opsi-wakeup-clients is part of the opsi-utils package)
For details see here: opsi-wakeup-clients
On maintenance of the clients see also:
opsi-outdated-to-setup
working-window

opsi-cli

Client version of the command line tool opsi-cli
See also chapter: opsi-cli

opsi-client-agent

The opsi-client-agent is the client agent of opsi and is described in detail above: see chapter opsi-client-agent

To this group of opsi products also belong:

opsi-linux-client-agent (for Linux)
opsi-mac-client-agent (for macOS)

opsi-client-kiosk

With the opsi-client-kiosk (Software on Demand) opsi administrators may give their users access to install a range of software-products. These software products may be selected and installed user-driven without the administrator needing to do anything.

To this group of opsi products also belong:

l-opsi-client-kiosk (for Linux)
m-opsi-client-kiosk (for macOS)

opsi-configed

The opsi graphical management interface packaged as application
Also provides the 'opsi-logviewer'.
For Windows, Linux and macOS.
See also chapter: opsiconfiged

opsi-script-beautifier

Tool to indent opsi-script code.

opsi-script-test

Large collection of opsi-script self tests. This can be used as a sample collection for working calls of opsi-script commands.

opsi-script

The product opsi-script is a special case. It contains the current opsi-script. This does not have to be set to setup to update. Rather, part of the opsi-client-agent checks each time it is started whether a different version of the opsi-script is available and fetches it if this is the case.

opsi-setup-detector

The opsi-setup-detector is GUI Tool to create opsi products based on a installer file. It also may produce opsi template products.

opsi-uefi-netboot

Reboots an UEFI client into a network boot.
See also chapter: opsi with UEFI / GPT

opsi-wim-capture

Captures an existing Windows installation as image to a WIM file.

this topic also covers the products:

opsi-wim-delete
opsi-wim-info

opsi-win-driver-update

opsi-auto-update is not for clients running the WAN-extension

The goal of this product is, to update the driver of existing windows machines from the standard netboot driver repository.

If you have new drivers for your machines, usually the first step is to integrate these drivers into the driver repository of the used netboot product.

How this is done is described in the opsi-windows-client-manual in the chapter:
Drivers automatically assigned to the clients using the inventory fields.

and in the User Interface chapter:
Automatic driver upload

By default, the product tries to use the 'byAudit' driver repository of the netboot product used for the OS installation of this machine. The driver repository of this netboot product will be used for this product.
The script tries to detected the used netbootproduct. You may use the property netbootproduct to define the netboot product to use.
Using the property driver_path you may also point to a totally different driver repository. Such a driver repository will not be filtered by <vendor>/<model>.

The properties:

name: driver_path
description: Path to the driver directory.
'auto'= from netboot product driver repo
default=auto
name: netbootproduct
description: name of the netboot product (where we can find the driver in driver_path auto mode).
'auto'= try to detect the used netboot product
default=auto
name: force_import_cert_from_sys
description: if true, installation of not correct signed drivers will be possible by extracting the certs from the .sys file and import them to the cert store
default=false
name: force_reinstallation
description: if true, we try to install the driver even if it seems to be installed in the repo version
default=false

The list of found path to drivers will be filtered by the following criteria: All directories which contains one of the following pattern will be excluded:
autorun.inf, WINXP, XP, WIN200, WIN2K, VISTA, WINPE
On 64 Bit system all directories which contains one of the following pattern will be excluded:
32, x86, DrvBin32 ,WIN32, IA32, IA-32
On 32 Bit system all directories which contains one of the following pattern will be excluded:
64, x64 , DrvBin64, WIN64, x86-64, amd64

opsi-winpe

Product for easy generation of an opsi-winpe.
See also chapter: Creating a WinPE

opsipackagebuilder_wlm

The opsipackagebuilder is a opsi community GUI Tool to modify opsi products.
For Windows, Linux und Mac.
See also:

shutdownwanted

Shuts down the computer when there are no further actions pending.

windomain

Controls a join to a AD or Samba4 Domain. Works on Windows, macOS and Ubuntu clients.

windows10-enablement

Product to move certain Windows 10/11 releases to a higher version by installing special hotfixes and without running a complete inplace upgrade.
Updates Windows 10 1903 to 1909 or Windows 10 2004, 20H1 and 21H1 to version 21H2

windows10-upgrade

Runs a Windows release upgrade.
The product documentation will be found inside the product at the path: localsetup\docs

windows11-upgrade

Runs a Windows release upgrade.
The product documentation will be found inside the product at the path: localsetup\docs

Dependencies and Order

For product action requests you may define product dependencies and product priorities.

Product priorities

Priorities are used to push certain packages forward or backward in the order of installation. It makes sense to install service packs and patches first and a software inventory at the end of an installation sequence.
Product priorities are numbers between 100 and -100 (0 is the default)

Product dependencies

Defines dependencies and the necessary installation order between opsi-packages. A typical example is the dependency of Java programs on the Java Runtime Environment (javavm).

Defining product priorities and dependencies

Priorities and product dependencies belong to the metadata of an product. You will be asked for these when creating a product with the command opsi-newprod.

This metadata is stored in the control file of the product and can be edited there. After a change in the control file, the product must be repacked and installed again.

See also the chapter: Priority and Dependencies

Integration of new software packages into the opsi software deployment.

Instructions for integrating your own software can be found in the chapter: Integrating custom software