Creating operating system images for quick player deployment

In order to deploy multiple computers with the least effort and the highest consistency in their management and security, it is common practice to use an operating system image (image from here on). This image is created once and subsequently put on the mass storage device (SSD, hard drive or SD card) of new computers, with the goal of having those computers fully configured and ready for use when they are first turned on.

This way of working is also very useful for deploying signage players. When creating an image that is going to be used for deploying signage players, specifically for use with our service, there are a number of things to keep in mind.

In general:

  • Install as little software as possible
  • Make sure remote management software is clone-resistant

Specific for signage players:

  • Enable cookie storage
  • Clean cookie storage
  • Clear hardware identifiers

The first point is a general rule that applies to all computing devices used in a company: it leaves malicious parties the fewest options to gain entry to and a foothold inside the company's network. What software is needed for each computer inside a company depends on many things, and more detailed advice on this subject than the general "minimize the attack area" is outside the scope of this article.

If the use of remote management software is needed, make sure to check that the installation and configuration of that software is done so the software will work on multiple players. Most makers of remote access software are aware of the fact that their software is "rolled out" using images and can handle this way of deployment. It usually does, however, require a specific configuration or version of the software to do this. It is not uncommon for the configuration to be different on different operating systems. So please read the documentation and test that the remote management software connects to and works properly on multiple players before you roll out the image to all devices.

The signage-specific points are addressed in the paragraphs below.

Creating A New Image

When creating an image that will be used to create multiple players, you configure and install the operating system and applications as described in our help pages. Optionally you can add tools to support the security and management of the device. We assume you run all required applications to ensure they work as expected. Before you create an image of the operating system, make sure to take these steps:

  1. Make sure cookies and caching are enabled for the browser that is going to be used for signage playback and that these two (cache and cookie storage) are not cleaned on restart of the device
  2. Clear the cache and cookie storage of the browser in the browser settings page when you have completed testing the image
  3. Clear the hardware-derived identifier by clearing the appropriate registry key just before you are going to create the image. Either
    • open the Registry Editor and find the MachineGuid key in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography folder and delete it, or
    • save this file to the computer and execute the file from the Explorer, or
    • open a terminal and type (execute by closing with the Enter key): reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid

The reason for the last two steps is that they remove the two ways our servers identify a specific player. Since the purpose of creating the operating system image is to create players that can be registered and assigned content when they are turned on, it is important that the player is "new" to our servers, i.e. it holds no information that our servers might recognise to identify the device.

There are imaging tools that remove the MachineGuid registry key when creating an image. If the tool you use does this you do not need to take the second step described above.

Microsoft offers a tool in Windows itself that can be used to prepare the operating system before an image is created from it, so it can be safely used to install "clones" of the system configuration. This tool is called SYSPREP. However, this tool does much more than remove the MachineGuid. It removes hardware-specific drivers and much more. This will result in optimally running cloned devices, especially if you plan to use different types of hardware. However, we advise you to only use this tool if you have experience using it.

Deploying An Existing Image

This is what to do when you have an image that was created without clearing the identifiers. You will need to perform the same steps as described above. So every time you create a player device from the operating system image that you have, you start up the device and then:

  1. Clear the cache and cookie storage of the browser in the browser settings page. You will need to close the browser by pressing the Ctrl-W keys to stop the playback that should start automatically, then open the browser and clear the cache and cookie storage
  2. Clear the hardware-derived identifier by clearing the appropriate registry key. Either
    • open the Registry Editor and find the MachineGuid key in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography folder and delete it, or
    • save this file to the computer and execute the file from the Explorer, or
    • open a terminal and type (execute by closing with the Enter key): reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid

Now restart the player. It should now show the registration page.

This obviously is more work than taking these steps before creating the operating system image. If you need to create a number of players from an image that was not "cleaned" as described in the paragraph above, we suggest creating a new operating system image after taking the steps in this paragraph, since that basically creates a clean image as if you had created it from scratch as described above.
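
The MachineGuid step from both procedures above can be scripted with a verification afterwards, and players that were deployed from an uncleaned image can be spotted because they all report the same value. The PowerShell below is an added example, not tooling from our service: the function names are hypothetical, and the inventory (hostname plus MachineGuid per player) is assumed to come from your own management software. The sample rows are constructed.

```powershell
# Added example. Run in an elevated PowerShell session on the player or reference machine.
$CryptoKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography'

function Get-MachineGuidValue {
    # Returns the current MachineGuid string, or $null when the value is absent.
    $props = Get-ItemProperty -Path $CryptoKey -Name MachineGuid -ErrorAction SilentlyContinue
    if ($props) { $props.MachineGuid } else { $null }
}

function Clear-MachineGuidValue {
    # Same effect as the "reg delete" command in the article, followed by a re-read to confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated session: HKLM is not writable otherwise.'
    }
    if ($null -eq (Get-MachineGuidValue)) { return 'AlreadyAbsent' }
    if ($PSCmdlet.ShouldProcess("$CryptoKey\MachineGuid", 'Remove value')) {
        Remove-ItemProperty -Path $CryptoKey -Name MachineGuid -ErrorAction Stop
    }
    if ($null -eq (Get-MachineGuidValue)) { 'Removed' } else { 'StillPresent' }
}

function Find-ClonedPlayer {
    # Groups inventory rows by MachineGuid (case-insensitive) and returns
    # every value that is reported by more than one host.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory | Where-Object MachineGuid |
        Group-Object -Property { $_.MachineGuid.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ MachineGuid = $_.Name; Hosts = ($_.Group.Hostname -join ', ') }
        }
}

# Constructed sample inventory (hostnames and GUIDs are made up for this example).
$sample = @'
Hostname,MachineGuid
PLAYER-01,11111111-2222-3333-4444-555555555555
PLAYER-02,11111111-2222-3333-4444-555555555555
PLAYER-03,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
'@ | ConvertFrom-Csv

Find-ClonedPlayer -Inventory $sample | Format-Table -AutoSize
```

With the sample rows, PLAYER-01 and PLAYER-02 are reported together as sharing one MachineGuid. `Clear-MachineGuidValue -WhatIf` shows what would be removed without changing the registry.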