วีดีโอ

In this particular video, I'm working with a TrueNAS Mini R. This uses an Intel Atom C3758, and we selected the 64 GB RAM configuration for this unit.

@ what are your thoughts on that configuration? Under powered? What would you put together if you were building yourself? I’m gathering parts to build one myself.

@markstanchin1692 As with everything, it really depends on what you want to do with it. The C3758 has eight cores / eight threads, natively supports 16 SATA devices, 10 Gb connectivity, and enough PCIe lanes to be able to handle some NVMe SSDs as well. For what I need in this unit--namely, boatloads of storage shared over SMB, with nightly backup jobs to Microsoft Azure--that's plenty. I built my own home NAS back in 2018(ish?) to run TrueNAS CORE (though it was FreeNAS at the time). Keeping in mind that this was back in 2018, I used a Xeon E5-2620 v4, on a Supermicro X10SRL-F. It's installed in an eight-bay rackmount case. The motherboard supports all the direct SATA I need, so no need for an HBA. I also used the two SuperDOM slots to get two SATADOM modules as a mirrored boot drive. It doesn't have 10 Gb connectivity because my home network didn't have that at the time--anything I built these days would have 10 Gb for sure. I originally built it with 16 GB of RAM, but deliberately planned to upgrade it over time as I added more disks. Which I did--it now has 32 GB of RAM with six disks in the pool. The Xeon is overpowered for what I'm doing, in all honesty. But at the time, I didn't know exactly what I might want to do in future. If you were planning to run multiple plugins or VMs within TrueNAS itself, or if you were planning on supporting a lot of iSCSI connections, then you might want to have that additional power. For home or small business SMB shares, it's overkill. RAM is the bigger concern, because RAM indirectly affects the size of your primary ARC. Last point I'll raise: my home NAS does not include a SLOG. If you're going to do anything with VMware or iSCSI, or generally need solid sync write performance, you want a SLOG--a fast SSD used as a separate log device. The unit in the video has two SSDs, one for a "read accelerator" (L2ARC) and one for a "write accelerator" (SLOG). (These were not labelled separately out of the box! But when I inserted them into the unit, one was detected as 480 GB, and one was detected as only 16 GB. That's intentional--the full-size drive is the read accelerator, and the sized-down drive is the write accelerator. Intentionally decreasing the reported size of the device allows the disk controller to perform wear levelling over the "unused / unallocated" hardware, extending the drive lifetime under load. Given the SLOG writes out at least every five seconds, you don't actually need a lot of disk space for the log device--16 GB is ideal. TrueNAS includes tools to "size down" a drive for this purpose.) Of course, if you're using all-flash storage media, you don't need a SLOG or L2ARC to accelerate anything, but I still use spinning drives for their long-term endurance and cost in large arrays.

@ Oh wow, thanks for the excellent information, you know your stuff, exactly what I was looking for so question what motherboard is being used with the I X systems I know you mentioned 8 core, it’s probably a super micro, do you know the model number? So a big question if you were building something today what would you build motherboard and processor being the biggest decisions 64 gig ram is min , also, with enough sata to grow into. I’d like to find something in the supermicro line and intel based for sure. Xeon probably.

@markstanchin1692 The TrueNAS Mini R seems to be using a Supermicro A2SDi-H-TF (at least that's reported by dmidecode on this particular unit). Considering there are units with 10G SFP connectivity instead of 10G copper connectivity, it may be a different motherboard for those. I'm not sure what parts I would use if I was building a similar unit today. I haven't looked at them, honestly!

Thanks! :)

@@NextDoorNetAdmin You bet!

Which is a perfectly valid choice! The good thing is, the router-id command takes precedence over any loopback interfaces, so you can always use both (if desired) to both hard-code it and also provide a stable address for reachability and route-leaking purposes. :)

1. EIGRP is a Cisco proprietary protocol. Yes, they released a limited set of EIGRP features for other vendors to implement, but they kept some of the more advanced features only for themselves. And their RFC is informational only, so they retain full control of the protocol. 2. The administrative distance is defined entirely by Cisco, so yes, it only stands to reason their proprietary protocol has a better default AD than a more open protocol. That, however, can be changed. :)

I feel like I saw this in a debugging log, but I can't recall the details of it, sadly. :/ It didn't prevent me from booting WinPE in this setup, though...

Anything in particular you'd like to hear about OSPF? :)

@@NextDoorNetAdmin The good ol "how and why"

I do indeed work at an MSP! All the techs we employ start on the help desk, without exception--it's a good way to become familiar with processes and customer networks before taking on more responsibility. That certainly included me! (I was already in a more senior role when I made the errors I've mentioned here, which is why I had the ability to fall flat on my face in such a spectacular fashion.)

@@NextDoorNetAdmin Something something more power more responsibility more ways to fail 😂 I'm somewhat freshly at an MSP myself as a system admin and have been gravitating towards the network side so I've been enjoying your videos

CISSP seems fine to me. Well-respected, but very much C-level / managerial in focus, rather than administrator / operator-focused. (For example, I personally might lean more towards the SSCP instead.) One of my bigger concerns, though, is the recertification requirements. There's an annual maintenance fee, plus a need to post continuing education credits. Neither of these strike me as problematic in of themselves, but I would suggest you be sure that it's something you're willing to commit to in the long-term, or else your certification will expire.

I imagine it would work, but I also imagine it would be even trickier than using a static IP. The TLS option you mention requires that the printer have a third-party trusted TLS certificate installed, and that it use that certificate to verify its identity with Office 365. Depending on your printers, that may or may not be easy / possible.

When you boot off the USB stick, do the rest of your settings from Autounattend.xml get applied? Or do you have to go through the install process manually, step by step? My hunch is that maybe your Autounattend isn't being used correctly by Setup, so that everything goes through the normal installation process instead of using those settings. Best suggestion I have right now is to double-check all your settings and formatting in the XML. If some settings are being used OK, but Audit mode isn't being selected, then that might help you figure out where the problem is--Setup may ignore portions of a valid XML file if there's an error.

@NextDoorNetAdmin Yes, it does apply parts of the autounattend.xml file, I don't fill in anything, but I see the pop-ups scrolling like searching disk ... then the file copy counter at the top left of the screen, I don't have the same interface as you show in the video, then it reboots and shows me the first oobe screen. I'm working on an offline PC, bios setting or windows update and things like that can't have anything to do with this? I use rufus to generate usb key in gpt without requirement for an online microsoft account

@Zach13862 Ah, well that would do it. Rufus builds its own unattend.xml which will override the settings in your Autounattend.xml. (Which is why Audit mode isn't running automatically--by the time you get there, you're using Rufus's unattend settings, which don't include selecting Audit mode.)

@NextDoorNetAdmin I put the autounattend.xml file at the root of the key generated by rufus. Do you use windows 11 installation media to create your usb key? Thanks

@Zach13862 Yes, I use the Windows 11 ISO downloaded from Microsoft. (With the alterations made to the install.wim to deprovision the extra bloatware apps and insert the registry keys I want.) What I would suggest is this: do use Rufus to create your USB stick in GPT mode, same as before, but *don't* choose any of the extra options like bypassing the requirement for an online Microsoft account. If you don't select any of those options, Rufus won't create an unattend.xml file. Then whatever settings you put into your Autounattend.xml will apply normally. (If you're booting into Audit mode, you won't run into the requirement for a Microsoft account anyway, so you don't need the Rufus options for that.)

oh gods no, chatgpt can't write the scripts. Learn powershell, python or whatever you need. But learn don't learn how to do prompts

Yes, our RMM can handle the upgrade process. I've argued that we should use that since we have it already, rather than introducing another component at such cost. Speaking personally, I'm not going to use ChatGPT to write anything, ever. What's the point of learning anything if you're not going to use it? :) There's already enough people out there blindly using such tools to do a substandard job; my personal feeling is we would be better off in the world of IT if we had more experts who actually understood what they were doing.

Any time you say "bulk email campaigns," others (including myself) are likely to hear "spammer." Nothing I present is intended for use by spammers or "bulk email" campaigns. May all their unsolicited commercial messages be lost in the ether for all time.

You're very welcome! 😀👍

I really don't think so, because in that case the Windows installation is being pre-installed and sent out directly to your staff members. You're kind of stuck with shipping them Windows as Microsoft sees fit, and then using Intune to customize it out later.

That's a decent thought--cheers!

For any new machine I touch (work or personal), I start by erasing whatever's already on it. If you don't have to worry about multiple users on the machine, or if you don't need to create a master image to be cloned to multiple machines, then you probably don't need to muck around in Audit mode. Definitely prepare your installation media first by deprovisioning junk apps and inserting some registry settings, but then you can take the settings from unattend.xml and merge them into Autounattend.xml. If you do it right, it should automatically wipe the disk, boot through OOBE, and create a new user account for you. You can also use the "OEMkey.ps1" script I provided to reactivate your copy of Windows, using the OEM license already burned into the BIOS.

@@NextDoorNetAdmin so this solution is not advise for a laptop that will have 2-3 users. Thanks for the answer.

It'll work fine for a laptop with multiple users! If you're doing that, just follow the whole process, Audit mode and all. :) Uncomment the section in deploy1.cmd to allow the OEMkey.ps1 script to run, and you should be good to go.

The machine isn't (and shouldn't!) be attached to any domain while it's in audit mode, so group policies won't apply. Once you've created the image and it's booting into OOBE, that's when you join the domain and get group policy applied! On the other hand, if you're talking about Local Group Policy... it's a bit more complicated. First, remember that group policies are just a more user-friendly way of inserting values into the Windows registry. Most user-specific registry entries will be persisted into the default profile if you're using CopyProfile. Most machine-specific registry entries will also be persisted... but some won't. When Sysprep comes through and resets the machine in preparation for capture and cloning, some parts of the registry are cleaned up, and changes may be lost. This is something you may need to test a fair amount. I've spent weeks testing and re-testing things, sometimes. If your desired changes are cleaned up during sysprep, you may be able to re-load and modify the registry hives offline, or you may be able to re-insert the desired values on first boot via a command script... there's always ways to get things done! :)

1. If Autounattend.xml is present on the root directory of any drive attached when Windows Setup starts, it will be used. So, if you boot off a setup DVD, but Autounattend.xml is present in the root of a connected USB drive, Setup will still use it. 2. When any unattend file is being used (auto or regular), Setup will copy it into the filesystem of the new operating system. (Specifically, C:\Windows\Panther.) This allows Setup to go through multiple reboots to process the different phases of setup, while still using the same unattend file. (edit)2a. If you were to copy an unattend.xml file into C:\Windows\Panther during initial setup, Setup will start using the settings as if it was an "in-progress" unattend file after it reboots. Rufus uses this method to insert any custom settings chosen by the user. 3. When we sysprep the image out of audit mode and into OOBE, we'll pass an argument telling sysprep exactly which unattend file we want it to use. I also prep the filesystem manually, as a belt-and-suspenders approach. 4. All the slipstreaming is done in Audit mode! That's what we're going to see in the next video. :) 5. The default profile copy does work for domain users... with a slight catch. If domain users are using local profiles or a roaming profile which hasn't been instantiated yet, the default profile will be used to provision their new profile. But if domain users are using an existing roaming profile, then their existing roaming profile will be used (as you would expect).

I do not and would not sell these images. I'm happy to share them, but I suspect that selling them would put me immediately at odds with Microsoft. There's a lot of difference, after all, between using Microsoft's available tools to customize their software (and telling other people how to do the same thing themselves), versus reselling their software without authorization.

@@NextDoorNetAdmin do you have a place we can contact you up?

Not yet. I haven't built out a website or email just yet (though I do have plans for that), so for now the best way to reach me is right here in the comments! That being said, I intend to put much of the details for this online, so other people can access it more freely. I haven't exactly figured out how I want to do that, but in the next couple weeks I should have something for everybody as we wrap up the series. :) I just need to get enough time to sit down and figure it all out!

The BypassNRO registry key set here removes the requirement to use a Microsoft account in Windows 11. The use of local accounts is re-enabled, and a Microsoft account becomes optional.

@@NextDoorNetAdmin Could that do the trick to use a laptop registrated on a work or school account to bypass the registration? (It's legal here, we bought the laptop from the company, just don't want to go over there every time I need to reinstall...)

@thorsteinbrynjarr7937 I'm not entirely sure that I understand your question... you have a laptop "registered" to a work or school account in what way? As best as I can tell, you bought a laptop from a company, and for some reason you have to physically go over there when you want to reinstall Windows? But yes, if you reinstall Windows with the correct settings (including BypassNRO), then you can use a local account on the machine and do not have to set up a Microsoft account on it at all.

That's a different discussion altogether. :) I use Linux, and as I've said in other comments, I personally have chosen to move to Linux instead of using Windows 11 on my personal systems. But that doesn't mean I can tell all of my business clients that I refuse to install Windows any more--that's a complete non-starter. So I still need to know how to do this for work purposes.

@@NextDoorNetAdmin and for businesses that need to use excel amd office etc. hell even i use office

I can't think of any use for hardware RAID anymore. It's expensive, slower and risks data corruption.

​@@az09letters92it depends on what HW raid you are using. GPU accelerated raid is on unmatched speed compared to SW raid and it does checksum, consistency check and protects against write-hole

It concerns me that the website simply redirects me to a TH-cam channel. If I'm going to use something created by somebody else, I want to know EXACTLY what has been done--and ideally, I want to use that process myself to replicate their work, rather than take it on trust. Windows is opaque enough as it is. If I'm going to modify it, I want to be able to start from an official download from Microsoft and then do the modifications myself, so I know exactly what has been done and what (if anything) has been added. That's just my personal preference, though. I'm sure lots of people have had nothing but good experiences with it, but I haven't had experience with it at all, good or bad! Most of my work focuses on cleaning up Windows 10/11 for a business environment, which is a different target. I need stability, support from Microsoft, and the ability to be able to enable telemetry for business purposes if needed; I can't afford to strip everything out like some of those builds do. (I just need to learn to control it.)

@@NextDoorNetAdmin what kind of telemetry is useful for business

Think of a business application, developed and written in-house rather than purchased. A new update to the application is pushed out, and people start to report that it crashes sometimes. But it doesn't crash all the time, and it doesn't crash on every machine, so troubleshooting it is taking some time... Or, think of pushing out a critical security update. It installs properly on most machines, but it's failing on a few machines here and there. What's different about the machines where it fails? Maybe your business pays for some very expensive applications, and you'd like to know which application(s) you should focus on trying to eliminate--which departments use which applications, and how often? Telemetry is useful for these kinds of problems. If there's a crash, Windows error reporting can log it and send some of the details needed to help fix the issue. If an update fails, diagnostic data can help shed light on what's different about the hardware or software on the problem PCs, so you can adjust the details of which machines are assigned which updates--or which machines you might need to fix in another fashion. Microsoft's telemetry functions are primarily intended to help spot issues like these, particularly as Windows grows more complex. But Microsoft also has settings to allow the business to store the telemetry data for their own in-house reporting needs, in which case Microsoft only collects and forwards the data. You can also turn off Windows error reporting completely without having to remove it--there's a setting for that. (Microsoft used to have a service that allowed businesses to examine and use the telemetry from the Windows PCs in their own fleet, but a lot of the data is now available through the use of Intune or other such agents, some of which still use the built-in data collection functionality in order to provide the needed information.)

I think it is. At the moment, I consider somebody with a CCNA to be "entry-level". I know Cisco has added additional certifications below CCNA these days... I personally have my CCNP, and I consider myself to be a mid-level networking guy in the grand scheme of things. Might get up to CCIE eventually. :) Cisco certifications spend entirely too much time on the Cisco-specific marketing stuff. Learn it to pass the test, forget it afterwards. The important parts are the general networking principles, yes, but because Cisco is one of the big granddaddies of the Internet, I have found that learning more of the Cisco-specific CLI commands is a massive benefit as well--a lot of other networking gear echoes the Cisco design and command structure!

@@NextDoorNetAdmin i hear ccnp is quite hard

There are lots of programs out there. :) For cleaning up an installation file, specifically, there is a program to do this... but it went further than I thought was beneficial, so I went through it all myself to choose what to get rid of and what to keep. It's also worth pointing out that sometimes programs to do this automatically can have negative effects--some previous versions rendered Windows unable to install any security updates, making them quite vulnerable to exploitation. I'm going to show you all one of those tools at the end of this series, but I thought it would be important for people to know how it works and why, so they can make their own decisions about whether they want to go through it manually (like I have).

@@NextDoorNetAdmin i just want a safe and non monitoring version that plays games and works with Office suite

Indeed! I've had some success using Procexp to find the offending handle and force it closed, but I've found that when it's System holding it open, force-closing the handle leads to system instability. Usually, though, a System file handle is the result of an anti-virus scanner, a file opened remotely via SMB, or something else of that nature. Makes me go on a bit of a hunt!

@@NextDoorNetAdmin Yep, I've had Procexp fail a few times too. Sometimes the offending process just re-spawns the handle. On rare cases, it just fails with an error. Rather than trying to force it at that point, most people would give up and just reboot the system to clear the issue. My end run around an inclosable file handle is to simply unplug the drive in sleep mode. When the system wakes up, the offending process just has to deal with the file error...for a file it never should have kept open anyway. Technically, it was done with the file. If the system successfully goes to sleep, any pending file operations and cached versions of the file should have been committed to disk. Of course, I wouldn't do that with a complex file system, such as a database or enterprise-level system. For the average PC, I hadn't had any issues with that trick. If I keep having the same problem with the same app/process, it's still preferable to actually find and correct the issue.

I decided I would rather switch to Linux than run Windows 11 on my personal systems. But that doesn't stop me from having to deploy Windows 11 for work purposes, so I needed to figure out how to clean this all up anyway. :)

​@@NextDoorNetAdminthere is no workaround for Office/Excel users and gamers right?

@@NextDoorNetAdmin I don't want to do it, but I'll be running Windoze 10 until May, and then I'll have the summer to figure something else out.

We're definitely going to be taking a look at disabling the requirement for a Microsoft account in order to use your computer! There's also going to be some more settings that we can toggle to reduce the amount of "cloud" prompting we have to deal with. Stay tuned!

​@@NextDoorNetAdmincan we buy a "cleaned" installation file from you sir? Of course i would pay the key + the technical work done

Wonder if with every new update all this laborious work goes to waste. Microsoft can just reinstall everything and more😢

This is (mostly) protected from being changed in future updates. Microsoft wouldn't make any friends if classified government networks suddenly had new stuff showing up on their secured PCs, after all! These registry keys exist specifically to disable this behaviour, and for that reason, you can expect them to work through all versions of Windows 11. (And even if Microsoft did add new provisioned applications, it would affect any existing user accounts on the machine. Provisioned apps only install themselves for brand-new users on the machine, so you're fairly safe from that, too!)