Immutable/ephemeral desktops

Jakes 1 Reputation point

Hi folks,

(As the reader may guess, I'm more familiar & comfortable in the Linux/POSIX world, so please keep that in mind)

I'm in the process of rebuilding n+20 laptops, intended for semi-public use (MakerSpace: think classroom or library), and want to set them up in an immutable/ephemeral manner.

I want them to be 'flushed' periodically, so that they are all similar/standard, and clean for the next person's use.
Planning on doing this around every major OS update ("patch Tuesday"?), so that the desktops have updates pre-installed rather than being individually updated or having wait-times during installation boots.

Users/guests constantly log into the desktops and/or browsers with their personal gmail/o365 accounts, which makes our/my environment represent a privacy & security risk.

The game-plan looks like:

  • set up a base-line or reference (W10) desktop with
    • stripped-down OS, with updates, patches & system-level tweaks applied
    • relevant accounts loaded - logons & browsers logged into relevant web-apps (cookies loaded), etc
    • using the likes of winget, choco/vagrant/ansible/puppet/chef/whatever/etc to install our standard app set
  • setting up local server/'cloud' back-end for docker/VM's/etc to rapidly try out options
    • PXE imaging & deployment tool - Foreman/Cobbler, FOG, etc
    • Guests/users store configs & personal data on LAN NAS (ala NextCloud)
  • image or build periodic reference snapshot of reference-machines (including updates) that get deployed via PXE

Essentially what I'm after is something akin to Fedora Silverblue, that's an immutable/ephemeral desktop, where nothing "sticks" across reboots & the underlying system remains unchanged. Thinking of it in a similar way to how Docker images have changes "layered" on top of each other, or ZFS or Git, where changes are taken as incremental snapshots that can be committed or rolled back gracefully.

I/we have not committed to AD yet - the environment has not been large or complex enough to warrant it yet - but I know the short answer is to use GPO; I plan on burning that bridge eventually.

Is there a way or some other best-practice means for me to achieve this goal?
How can I build an OS or image that gets nuked - from the ground up - across reboots, to the point where the HDD's are interchangeable & no updates are ever prompted?

BONUS QUESTION: I'm guessing(?) I can fully virtualize sets of hardware specs? (this is further down on my to-do list)
I'm hoping to fully virtualize the sets of machines we've been given - mostly HP's, but slightly different generations/models - so that I can manage & maintain a "reference machine" that I keep current with apps & updates, including drivers, that I can then image & deploy via the PXE stack above.


2 answers

  1. Limitless Technology 39,471 Reputation points

    Hi there,

    For your first set of logic, which is to create a custom image, you can try out the System Builder deployment of Windows for desktop editions.

    Using this you create a reference installation, capture an image of the installation, and rerun Windows Setup with an answer file that points to your custom image.

    Deploying a custom image using Windows Setup provides several benefits over applying an image using an image capture tool. Below is an article to dig more into this.

    Deploy a Custom Image

    For a PC with fewer updates, you can try the LTSC. Windows Long-Term Servicing Channel (LTSC) is an enterprise Windows solution for devices that don't need to be updated for years to come.


    --If the reply is helpful, please Upvote and Accept it as an answer--

    1 person found this answer helpful.
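The reference-install, capture, answer-file flow this answer describes, written out as an added PowerShell example (it is not code from the answer, from the original poster, or from Microsoft's documentation). It adds the check a practitioner running n+20 semi-public laptops would want: a SHA-256 sidecar recorded at capture time and verified before apply, so a corrupted or swapped WIM on the deployment share is refused rather than rolled out to every machine. The image path, share, image name, and the disk/partition IDs in the answer file are assumptions; `sysprep.exe`, `dism.exe`, and `Get-FileHash` are the real tools, but the capture and apply functions must be run from WinPE against an offline volume, as DISM does not capture the running OS.

```powershell
# Added example (not from the answer above or Microsoft's own docs): the
# reference-install -> capture -> apply flow, with a SHA-256 sidecar so a
# tampered or corrupted reference image is refused before it lands on
# the guest laptops. Paths, image names and disk layout are assumptions.

#Requires -RunAsAdministrator

# Step 1 (run ON the reference laptop, last thing before capture):
# generalize so the captured image carries no machine-specific SIDs or
# driver bindings, then shut down. Boot WinPE afterwards to capture offline.
function Invoke-ReferenceGeneralize {
    $sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
    Start-Process -FilePath $sysprep -ArgumentList '/generalize', '/oobe', '/shutdown' -Wait
}

# Step 2 (run from WinPE; DISM cannot capture the running OS volume):
# capture the offline Windows volume into a WIM and record its SHA-256.
function Save-ReferenceImage {
    param(
        [Parameter(Mandatory)] [string] $CaptureDir,   # e.g. 'C:\' as seen from WinPE (assumed)
        [Parameter(Mandatory)] [string] $ImagePath,    # e.g. 'D:\images\makerspace-ref.wim' (assumed)
        [string] $Name = 'MakerSpace reference'
    )
    & dism.exe /Capture-Image "/ImageFile:$ImagePath" "/CaptureDir:$CaptureDir" "/Name:$Name" /Compress:max /CheckIntegrity
    if ($LASTEXITCODE -ne 0) { throw "DISM capture failed with exit code $LASTEXITCODE" }

    # Sidecar hash. Publish it somewhere guest machines cannot write to,
    # otherwise a swapped WIM can simply be shipped with a matching sidecar.
    $hash = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    Set-Content -Path "$ImagePath.sha256" -Value "$hash  $(Split-Path $ImagePath -Leaf)"
    return $hash
}

# Step 3: refuse to deploy an image whose hash no longer matches the sidecar.
function Test-ReferenceImage {
    param([Parameter(Mandatory)] [string] $ImagePath)
    $expected = (Get-Content -Path "$ImagePath.sha256" -First 1).Split(' ')[0]
    $actual   = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    return ($expected -eq $actual)
}

# Step 4a (scripted apply from WinPE, e.g. under a PXE task sequence):
# lay the image onto the prepared Windows partition, only after the
# integrity check passes.
function Install-ReferenceImage {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [string] $ApplyDir = 'W:\',   # Windows partition letter assigned in WinPE (assumed)
        [int] $Index = 1
    )
    if (-not (Test-ReferenceImage -ImagePath $ImagePath)) {
        throw "Refusing to apply ${ImagePath}: SHA-256 does not match sidecar"
    }
    & dism.exe /Apply-Image "/ImageFile:$ImagePath" "/Index:$Index" "/ApplyDir:$ApplyDir"
    if ($LASTEXITCODE -ne 0) { throw "DISM apply failed with exit code $LASTEXITCODE" }
}

# Step 4b (the answer's route): an answer file that makes Windows Setup
# install the custom WIM instead of its own install.wim. DiskID/PartitionID
# are assumptions for a UEFI/GPT layout where partition 3 is the OS volume.
function New-CustomImageUnattend {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,   # path Setup can reach, e.g. a USB or share (assumed)
        [Parameter(Mandatory)] [string] $OutFile,     # where to write autounattend.xml
        [int] $Index = 1
    )
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ImageInstall>
        <OSImage>
          <InstallFrom>
            <Path>$ImagePath</Path>
            <MetaData wcm:action="add">
              <Key>/IMAGE/INDEX</Key>
              <Value>$Index</Value>
            </MetaData>
          </InstallFrom>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>3</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
    </component>
  </settings>
</unattend>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
}
```

Typical order: run `Invoke-ReferenceGeneralize` on the finished reference laptop, boot it into WinPE and call `Save-ReferenceImage`, then either script the rollout with `Install-ReferenceImage` from a PXE-booted WinPE or hand Windows Setup the file produced by `New-CustomImageUnattend`. The sidecar check is the part worth keeping whichever route is used: a deployment share that guest-facing machines can write to is exactly the place a modified image would be planted, and with the original poster's plan of re-imaging every patch cycle, a bad WIM would otherwise propagate to the whole fleet on the next flush.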

  2. Michel 0 Reputation points

    Hi Jakes,

    Just came across your post and was wondering if you ended up finding a solution. I'm currently facing a similar project and would be super interested in getting your feedback.
