(As the reader may guess, I'm more familiar & comfortable in the Linux/POSIX world, so please keep that in mind)
I'm in the process of rebuilding n+20 laptops, intended for semi-public use (MakerSpace: think classroom or library), and want to set them up in an immutable/ephemeral manner.
I want them to be 'flushed' periodically, so that they are all similar/standard, and clean for the next person's use.
Users/guests constantly log into the desktops and/or browsers with their personal gmail/o365 accounts, which has our environment represent a privacy & security risk.
The game-plan looks like:
- set up a base-line or reference (W10) desktop with
  - stripped-down OS, with updates, patches & system-level tweaks applied
  - relevant accounts loaded - logons & browsers logged into relevant web-apps (cookies loaded), etc
  - using the likes of winget, choco/vagrant/ansible/puppet/chef/whatever/etc to install our standard app set
- setting up local server/'cloud' back-end for docker/VM's/etc to rapidly try out options
- PXE imaging & deployment tool - Foreman, FOG, etc
- Guests/users store configs & personal data on LAN NAS (ala NextCloud)
- image or build periodic reference snapshot of reference-machines (including updates) that get deployed via PXE
Essentially what I'm after is something akin to Fedora Silverblue, that's an immutable/ephemeral desktop, where nothing "sticks" across reboots & the underlying system remains unchanged. Thinking of it in a similar way to how Docker images have changes "layered" on top of each other, or ZFS or Git, where changes are taken as incremental snapshots that can be committed or rolled back gracefully.
I/we have not committed to AD yet - the environment has not been large or complex enough to warrant it yet - but I know the short answer is to use GPO; I plan on burning that bridge eventually.
Is there a way or some other best-practice means for me to achieve this goal? How can I build an OS or image that gets nuked - from the ground up - across reboots, to the point where the HDDs are interchangeable & no updates are ever prompted?
What you are looking for is a kiosk station.
Microsoft has the Unified Write Filter module for that.
HP thin clients for example come with this installed and a little user interface to manage it.
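As an added illustration of the Unified Write Filter approach above (this is example provisioning code, not part of the answer or of any Microsoft documentation), the following elevated PowerShell session installs UWF, puts all writes into a RAM overlay that vanishes at reboot, protects the system volume, and exempts only a sync-cache folder. It assumes a Windows 10 Enterprise/Education/IoT SKU, `C:` as the only protected volume, and a hypothetical `C:\SyncCache` folder used by the NAS sync client.

```powershell
# Added example (not from the thread). Assumptions: Windows 10 Enterprise/
# Education/IoT image, C: is the only volume to protect, C:\SyncCache is a
# hypothetical folder the NAS sync client needs to keep writable. Run elevated.

# 1. Install the optional component; a reboot is required before uwfmgr works.
Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -NoRestart

# 2. RAM-backed overlay: every write to a protected volume lands in memory
#    and is discarded at reboot, which is the "nothing sticks" behaviour.
uwfmgr.exe overlay set-type RAM
uwfmgr.exe overlay set-size 2048            # MB; size it to the laptop's RAM
# Warn before the overlay fills up; a full overlay makes the session unusable.
uwfmgr.exe overlay set-warningthreshold 1536
uwfmgr.exe overlay set-criticalthreshold 1900

# 3. Protect the system volume and exclude only what must persist.
uwfmgr.exe volume protect C:
uwfmgr.exe file add-exclusion C:\SyncCache
# Keep AV definitions current across reboots rather than re-downloading daily.
uwfmgr.exe file add-exclusion "C:\ProgramData\Microsoft\Windows Defender\Definition Updates"

# 4. Enable the filter; it takes effect after the next reboot.
uwfmgr.exe filter enable

# 5. Review the resulting state before imaging this machine as the reference.
uwfmgr.exe get-config

# Maintenance on the reference machine (run during a scheduled window):
#   uwfmgr.exe filter disable   -> reboot -> apply updates/apps -> uwfmgr.exe filter enable -> reboot
# or let UWF do it: 'uwfmgr.exe servicing enable' reboots into servicing mode,
# applies Windows updates with the filter off, then re-enables it.
```

Users will see prompts for updates only if something can write past the filter, so `uwfmgr.exe get-config` on a freshly deployed laptop is the check worth scripting into the PXE post-install step.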
In the past, I have used a program called DeepFreeze to lock the state of the computer. Fixes a lot of the issues you asked about but there are other issues that can arise. You can disable through group policy the setting that allows personal accounts, but I do believe they need to be on Win Pro. If you have not settled on AD, you could also use the free accounts of a MS O365 domain to manage users. You can create a test tenant here, but note that at minimum you would need 1 O365 Business Basic account ~$7 CAD per month. Only one user needs to be registered to create other users for domain based login. https://signup.microsoft.com/create-account/signup?OfferId=B07A1127-DE83-4a6d-9F85-2C104BDAE8B4&dl=ENTERPRISEPACK&ali=1&products=cfq7ttc0k59j:0009