Automate with Unattend.xml
Here are a few typical examples of how you can use your Unattend.xml even further to automate the OOBE process and prepare your Windows image as comprehensively as possible. I’ve put together a few different scenarios for you to give you a feel for how flexible answer files can be.
1. Automatic creation of local user accounts
Especially in test environments or with special requirements, you often want certain local accounts to be created directly. Example:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>
<Value>DeinVerschlüsseltesPasswort</Value>
<PlainText>false</PlainText> <!-- Ggf. true für Klartext -->
</Password>
<Description>Lokaler Admin für Wartungsarbeiten</Description>
<DisplayName>AdminWartung</DisplayName>
<Group>Administrators</Group>
<Name>AdminWartung</Name>
</LocalAccount>
<LocalAccount wcm:action="add">
<Password>
<Value>EinAnderesVerschlüsseltesPW</Value>
<PlainText>false</PlainText>
</Password>
<Description>Standard-Benutzer</Description>
<DisplayName>TestUser</DisplayName>
<Group>Users</Group>
<Name>TestUser</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
</component>
</settings>
</unattend>Important: In productive use, you should never store passwords unencrypted (i.e. ‘PlainText’ set to “false” in the best case). Also note that encryption may require special tools or processes that are used during deployment.
2. Predefine regional settings and keyboard layout
If you already know which region you want the system to run in or which keyboard layout will be used, you can set this in the Unattend.xml so that the user doesn’t always have to click through it in OOBE. Example:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral">
<InputLocale>0407:00000407</InputLocale> <!-- Deutsch (Deutschland) -->
<SystemLocale>de-DE</SystemLocale>
<UILanguage>de-DE</UILanguage>
<UserLocale>de-DE</UserLocale>
</component>
</settings>
<settings pass="oobeSystem">
<component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral">
<InputLocale>0407:00000407</InputLocale>
<SystemLocale>de-DE</SystemLocale>
<UILanguage>de-DE</UILanguage>
<UserLocale>de-DE</UserLocale>
</component>
</settings>
</unattend>These settings ensure that your image runs in German from the start, uses the German keyboard layout, and users no longer have to make region selections.
3. Preset time zone and date/time format
Just like the keyboard layout, you can also predefine the time zone. This prevents the need to manually select the correct time zone for each new system:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-TimeZone" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<TimeZone>W. Europe Standard Time</TimeZone>
</component>
</settings>
</unattend>
- W. Europe Standard Time stands for the Central European Time Zone (CET).
- For a list of all available time zones, see the Microsoft documentation.
4. Automatic activation via key management (KMS) or MAK
If you are in a volume license environment, you can store the key directly in the answer file. Or you can make sure that the computer automatically connects to the KMS server:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<!-- Beispiel für KMS-Client-Setup-Key (fiktiv) -->
<ProductKey>VK7JG-NPHTM-C97JM-9MPGT-3V66T</ProductKey>
<RegisteredOwner>Firma Mustermann</RegisteredOwner>
<RegisteredOrganization>Abteilung IT</RegisteredOrganization>
<!-- Falls nötig, hier KMS-Server konfigurieren -->
</component>
</settings>
</unattend>With a MAK key (Multiple Activation Key), you could also enter the real key, but be careful: This will distribute the key to each image. This shouldn’t be a major problem with KMS, as long as you use the standard KMS keys for Windows 11 and the KMS server is set up correctly in the network.
5. Automatically generate or set computer name
In the OOBE, a computer name is often asked for if no domain guidelines apply. If you want a specific naming standard or dynamic generation, you can define it in the answer file:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<ComputerName>WIN11-PC-%RANDOM%</ComputerName>
</component>
</settings>
</unattend>%RANDOM%is not an official placeholder at Microsoft, but could be replaced with suitable scripts or tools. Alternatively, you can leave the name blank so that Windows creates a generic random name (for example, DESKTOP-ABC1234).
6. Automate domain joining (be careful!)
Theoretically, you can also configure automatic inclusion in an Active Directory domain in the Unattend.xml. However, you have to be very careful with this, as you would be storing the username and password of a domain account. This poses security risks. If you still want to implement it, it looks something like this:
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
<Identification>
<JoinDomain>deineDomäne.local</JoinDomain>
<MachineObjectOU>OU=Clients,DC=deineDomäne,DC=local</MachineObjectOU>
<MachinePassword>PasswordFürJoinAccount</MachinePassword>
<UnsecureJoin>false</UnsecureJoin>
<DebugJoin>false</DebugJoin>
<Credentials>
<Domain>deineDomäne</Domain>
<Password>PasswordFürJoinAccount</Password>
<Username>DomänenJoinUser</Username>
</Credentials>
</Identification>
</component>
</settings>
</unattend>Important: Never distribute plaintext passwords in an answer file that may end up on multiple computers. For greater security, you have to weigh up very carefully whether you want to carry out this step automatically or manually.
7. Other Settings (Selection)
- Disable EULA display: If you always want this to run in the background.
- Configure automatic updates: Some people can control them via the unattend file, but this is often also done via group policy (GPO).
- Network configuration (static IP): For environments without DHCP or with special requirements.
- OEM information: You can also use the Unattend.xml to store manufacturer information, support information or logos (e.g. in the Control Panel).
Conclusion
The examples above show you only a small part of the possibilities. With a Unattend.xml, you can automate the entire initial setup process down to the last detail, from the time zone to automatic domain join. This is an invaluable tool, especially in larger environments or laboratory environments where standardized installations are required.
Note:
As convenient as it is to set many settings and accounts via Unattend.xml, the more careful you need to be about not distributing sensitive information (e.g. domain or administrator passwords) unprotected. Where sensitive data is unavoidable, a secure process is recommended (e.g., use of encrypted media, special key management tools, or a deployment framework that asks for passwords during deployment and does not store them permanently).