2

I have about 23 Windows 10 laptops (currently @ 1803) which are used by students for training courses that run for several weeks. I've found that students leave lots of files behind when the course completes including answers/projects/etc for work that an incoming class shouldn't see. As such, I would like to reset these machines to a relatively pristine state.

I know I could do Windows 10 recovery, but that is a bit heavy-handed and also requires a lot of manual work as we have to customize the uniquely named machines. I'd be fine with simply clearing out the Desktop, Documents, Downloads, etc. folders. I'll leave recovery for "nuke from orbit" cases...

I've found a number of solutions, but they either appear too complicated (ADK), deprecated (WMIC) or seemingly not preferred by Windows given the number of hoops to jump through (PsExec).

My question is, if I'm fine with the laptop's build as-is and just want to wipe the "custom content" that a former student has created (BAT or PS1 is fine), what would be the best solution in a modern Windows 10 environment? While I know I could SneakerNet a USB drive with the script, once set up I'd rather do this remotely going forward (PsExec or Enter-PSSession would have presumably been great) but as mentioned, the hurdles are tricky and I just want to make sure I'm chasing the right solution before going too far down one path. So what is the right path?

bjb
  • Perhaps [something like this?](https://itknowledgeexchange.techtarget.com/powershell/working-with-profiles-2-deleting-profiles/) That particular script deletes a profile on the local machine, but making it work on a remote machine should just be a matter of adding `-ComputerName` in the appropriate places. – Harry Johnston Jun 06 '19 at 22:37
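
One way to script the cleanup the question and the comment above describe, as an added example that is not part of the original thread. It assumes PowerShell remoting (WinRM) is already enabled on the laptops and that the caller is an administrator there; the machine names, the `student` account and the folder list are hypothetical.

```powershell
# Added example; machine names, the 'student' account and the folder list are assumptions.
param(
    [string[]]$ComputerName = @('LAB-PC01', 'LAB-PC02'),
    [string]$UserName = 'student',
    [string[]]$Folder = @('Desktop', 'Documents', 'Downloads'),
    [switch]$DryRun   # report what would be deleted without deleting it
)

$cleanup = {
    param($UserName, $Folder, $DryRun)
    try {
        # Look the profile up by SID; the profile folder name is not always the account name.
        $sid = ([Security.Principal.NTAccount]$UserName).Translate(
            [Security.Principal.SecurityIdentifier]).Value
    } catch {
        return [pscustomobject]@{ Status = "account '$UserName' not found"; Matched = 0 }
    }
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID = '$sid'"
    if (-not $userProfile) { return [pscustomobject]@{ Status = 'no profile on disk'; Matched = 0 } }
    # A loaded profile means the account is still signed in; leave it alone.
    if ($userProfile.Loaded) { return [pscustomobject]@{ Status = 'skipped, user logged on'; Matched = 0 } }

    $matched = 0
    foreach ($name in $Folder) {
        $path = Join-Path $userProfile.LocalPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Container)) { continue }
        # Keep desktop.ini and skip junctions/symlinks directly under the folder (for example the
        # hidden "My Music" junction in Documents) so deletion is not redirected elsewhere.
        $items = @(Get-ChildItem -LiteralPath $path -Force | Where-Object {
            $_.Name -ne 'desktop.ini' -and
            -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
        })
        $matched += $items.Count
        $items | Remove-Item -Recurse -Force -WhatIf:$DryRun
    }
    [pscustomobject]@{ Status = $(if ($DryRun) { 'dry run' } else { 'cleaned' }); Matched = $matched }
}

# Invoke-Command fans out to all machines in parallel and tags each result with PSComputerName.
Invoke-Command -ComputerName $ComputerName -ScriptBlock $cleanup `
    -ArgumentList $UserName, $Folder, $DryRun.IsPresent -ErrorAction Continue |
    Select-Object PSComputerName, Status, Matched
```

Running it with `-DryRun` first lists what would be removed on each laptop without deleting anything.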

1 Answer

2

If the students aren't supposed to be installing stuff, etc. then I'd simply lock the drive down with DeepFreeze. This is what we do for our IT course machines. Students have full admin access, etc. and can in fact install stuff but a simple reboot returns it back to default state. It is also possible to boot the machines on a schedule or via WOL and unlock ("thaw") and push updates out from a master controller machine.

All work has to be kept on an external device, though in the case of a laptop that a student will use continuously for a while you could be nice and set up a second partition of say 15 GB (so it can be copied to a 16 GB flash drive) that is r/w and persists between boots.

Use policy to block updates, etc. unless a specific admin user is logged in (who can also unlock the drive) or simply re-image the machine with security updates/patches/program updates/etc between sessions.

Note that booting with a Linux distro on USB, etc. totally bypasses DeepFreeze ... but it works well enough in the labs we use it in (~300 machines, including 20 laptops for student use) and it is a definite "must have" for allowing students to actually DO things to/with a machine (like compile code and run it without an admin whitelisting it, etc., or running a port scanner or packet sniffer) and have it usable for the next class period.

ivanivan