Autoinstall.yaml for Ubuntu 26.04

I hope that Autoinstall.yaml will be updated to support all the new features of the Ubuntu 26.04 installer.

Specifically, the following features are important to me:

  1. Support for preconfiguring HW FDE.
  2. Support for enabling and preconfiguring Landscape.
  3. Backup of the HW FDE recovery key in Landscape and Entra ID/Intune storage.
  4. Support for enabling and preconfiguring authd.
  5. Enabling automatic snap package updates.
  6. Support for download with authentication in the Autoinstall.yaml file location selection window.
  7. The ability to add additional software repositories with their signing keys (Microsoft, Google, etc.).

I would also like to be able to:

  1. Preset corporate (OEM) desktop wallpapers (with or without the option to block wallpaper changes).
  2. Be able to set a custom device name based on the serial number, for example, “text” - {{SERIAL}}.
  3. It would be nice to fix the already existing functions:
    shutdown: poweroff
    and
    debconf-selections: |
    ufw ufw/enable boolean true

These commands don’t work.

Why do we need this?
There are two scenarios:

  1. Provisioning a preset by downloading Autoinstall.yaml from a secure site for an employee who wants to install Ubuntu themselves.
  2. Silent and fully automatic installation of Ubuntu with the Autoinstall.yaml file in the root of the flash drive.
    This is necessary so that engineers can prepare a corporate laptop with Ubuntu on board for delivery to a new employee.
    Currently, due to the lack of the ability to preset authd, the user is created after the OS installation using the GDM wizard. The only interactive window is the network selection.

An example is below:

autoinstall:
  version: 1
  # Basic system configuration

  # Installer updates
  refresh-installer:
    update: true
    channel: stable/ubuntu-$REL

  # Automatically install OEM kernel if recommended
  oem:
    install: auto

  # Make these sections interactive
  interactive-sections:
    - network

  # id on the Ubuntu Desktop ISO, install with the minimal (default) source
  source:
    id: ubuntu-desktop-minimal

  # Explicit storage configuration (Will be skipped because of Interactive selection)
  storage:
    layout:
      name: lvm
  
  # User and hostname configuration (Pre-fill values but allow user modification)
  identity:
    # GDM native solution after OS installation will open the wizard to set the options below:
    hostname: ""
    username: "" 
    password: ""
  
  # Additional software installation
  packages:
    - gufw
  snaps:
    - name: prompting-client
      channel: stable
    - name: desktop-security-center
      channel: stable

  # Start the ufw firewall automatically
  debconf-selections: |
    ufw ufw/enable boolean true

  drivers:
    install: true  # Third-party drivers for graphics/WiFi
  codecs:
    install: true  # Additional media formats
  
  # APT configuration (for selecting main software update source by default instead of the local mirror)
  apt:
    mirror-selection:
      primary:
        - uri: "http://archive.ubuntu.com/ubuntu"
          arches: [amd64, i386]
        - uri: "http://ports.ubuntu.com/ubuntu-ports"
          arches: [s390x, arm64, armhf, powerpc, ppc64el, riscv64]
    fallback: abort
    geoip: false
  
  # Updates, the type that will be downloaded and installed after the system installation, and before rebooting into the target system
  # Updates from both the security and updates pockets are installed.
  updates: all

  # Shutdown configuration
  shutdown: poweroff

  # Edge and Intune installation
  late-commands:
    # Install Prerequisites
    - curtin in-target -- apt update
    - curtin in-target -- apt install -y curl gpg

    # Install Microsoft GPG key
    - curtin in-target -- sh -c "curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft-edge.gpg"
    - curtin in-target -- sh -c "curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > /usr/share/keyrings/microsoft.gpg"
    
    # Add Microsoft repositories
    - curtin in-target -- sh -c "echo 'deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main' > /etc/apt/sources.list.d/microsoft-edge.list"
    - curtin in-target -- sh -c "echo 'deb [arch=amd64] https://packages.microsoft.com/ubuntu/$(lsb_release -rs)/prod $(lsb_release -cs) main' > /etc/apt/sources.list.d/microsoft-ubuntu-$(lsb_release -cs)-prod.list"
    
    # Install Edge and Intune
    - curtin in-target -- apt update
    - curtin in-target -- apt install -y microsoft-edge-stable intune-portal
    - curtin in-target -- ufw --force enable
    # Restart Intune daemon to apply changes and avoid the Intune registration error "4u3gb"
    - curtin in-target -- systemctl restart intune-daemon.service || true
1 Like
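The late-commands above put the Microsoft key into /etc/apt/trusted.gpg.d/, where APT trusts it for every configured repository, and also into /usr/share/keyrings/, but the sources entries carry no signed-by, so that second copy is never consulted. As an added example, not code from the original post, here is a POSIX shell helper for a late-command that keeps the key only under /usr/share/keyrings/, checks it against a pinned fingerprint before trusting it and scopes it to its own repository with signed-by; MS_KEY_FPR is a placeholder to be filled from the vendor's published fingerprint, and add_repo, sources_entry, keyring_fingerprint and fingerprint_matches are names chosen here.

```shell
# Added example, not from the original post: add a third-party APT repository
# so its signing key is trusted only for that repository (signed-by), with the
# downloaded key compared against a fingerprint pinned in this config.
set -eu

# Placeholder: replace with the fingerprint the vendor publishes out of band.
MS_KEY_FPR="PLACEHOLDER_FINGERPRINT_FROM_VENDOR"

# Compare two fingerprints ignoring case and spacing; 0 on match.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the primary fingerprint of the first key in a keyring file.
keyring_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build a one-line sources entry scoped to a keyring.
# Arguments: arch keyring url suite components...
sources_entry() {
    arch=$1; keyring=$2; url=$3; suite=$4; shift 4
    printf 'deb [arch=%s signed-by=%s] %s %s %s\n' "$arch" "$keyring" "$url" "$suite" "$*"
}

# Download, verify and install a key, then write the scoped sources entry.
# Intended to run inside the target via `curtin in-target -- sh <script>`.
add_repo() {
    name=$1; key_url=$2; expected_fpr=$3; url=$4; suite=$5; shift 5
    keyring="/usr/share/keyrings/$name.gpg"
    tmp=$(mktemp)
    curl -fsSL "$key_url" | gpg --batch --dearmor -o "$tmp"
    actual=$(keyring_fingerprint "$tmp")
    if ! fingerprint_matches "$expected_fpr" "$actual"; then
        rm -f "$tmp"
        echo "refusing to trust $name: fingerprint '$actual' does not match pinned value" >&2
        return 1
    fi
    install -m 0644 "$tmp" "$keyring"
    rm -f "$tmp"
    # arch is fixed to amd64 to match the entries in the post above
    sources_entry amd64 "$keyring" "$url" "$suite" "$@" > "/etc/apt/sources.list.d/$name.list"
}

# Call from a late-command, mirroring the Edge repository in the post:
# add_repo microsoft-edge https://packages.microsoft.com/keys/microsoft.asc \
#     "$MS_KEY_FPR" https://packages.microsoft.com/repos/edge stable main
```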

Hi, do you mean they don’t work for you in the current 24.04 LTS and wish it to work for 26.04 LTS? If that is so I can help you a bit with those. I have those working in my setup and I think most likely that it will continue to work for 26.04. Not locking the default wallpaper though, but setting it.

Hi, dear @magnusajber,

I tried many solutions to solve the mentioned points, and they are working, until we faced the decision to prepare the preinstall USB for the local IT teams.

Since Ubuntu must be preinstalled, we are bypassing the user creation stage.

In this configuration: on first startup GDM will initiate the user account creation wizard, which will override the previously generated device name based on the serial number (I used early commands to achieve it).

Also, all solutions that I found to set a default wallpaper (not replacing the original) will not work, since the GDM wizard will ignore my settings and reset them.

If you can help me, taking into account my limitations, I will be pleased.

Thanks in advance.

P.S. My idea was to get some default functionality that must be part of the desktop provisioning and managed by Autoinstall.yaml, so we can just put the OEM wallpaper in some default folder and enable its usage in Autoinstall.yaml.

In the same way, it would be nice to have an option to use a “serial number” switch in Autoinstall.yaml instead of using a custom script; this functionality is very popular in device provisioning systems like Intune or JAMF.

Since the mentioned options must/can be a part of the installer, GDM must take into account at the user creation step the functionality used, and accordingly skip the device renaming window and the resetting of wallpaper settings.

I hope that in 26.04, and maybe a backport to 24.04, the Landscape domain setup window will be available in GDM, so if the OS is preinstalled, it still must have an option to set up Landscape and get management, and especially authd, enabled to create a managed account.
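For the “text” - {{SERIAL}} naming from the first post and the early-commands approach mentioned above, here is an added example (not the poster's own script) of a POSIX shell helper that reads the firmware serial, reduces it to a valid hostname and writes it into the empty hostname: "" under identity: in /autoinstall.yaml, relying on subiquity re-reading that file after early-commands have run; the function names and the list of placeholder serials are assumptions.

```shell
# Added example (not from the original post): derive "<prefix>-<serial>" in an
# autoinstall early-command. Subiquity re-reads /autoinstall.yaml after
# early-commands, so editing identity.hostname there takes effect.
set -eu

# Normalise "<prefix>-<serial>" into a valid RFC 1123 hostname: lowercase,
# only [a-z0-9-], no leading/trailing hyphen, at most 63 characters.
# Serials that are known firmware placeholders (assumed list) become
# "noserial" so they are visible instead of silently becoming the hostname.
serial_to_hostname() {
    prefix=$1
    serial=$2
    case "$serial" in
        ""|"To Be Filled By O.E.M."|"Default string"|"System Serial Number"|"0")
            serial="noserial" ;;
    esac
    printf '%s-%s\n' "$prefix" "$serial" \
        | tr 'A-Z' 'a-z' \
        | tr -c 'a-z0-9\n' '-' \
        | tr -s '-' \
        | cut -c1-63 \
        | sed 's/^-//; s/-$//'
}
# Serial as reported by firmware; early-commands run as root, so the sysfs
# attribute is readable there. Empty output means "no serial".
read_serial() {
    if [ -r /sys/class/dmi/id/product_serial ]; then
        cat /sys/class/dmi/id/product_serial
    elif command -v dmidecode >/dev/null 2>&1; then
        dmidecode -s system-serial-number 2>/dev/null || true
    fi
}
# Replace an empty `hostname: ""` line in an autoinstall file with $2.
# $2 must already be a sanitised hostname (only [a-z0-9-]), so it is
# safe inside the sed replacement.
set_autoinstall_hostname() {
    sed -i 's/^\([[:space:]]*hostname:[[:space:]]*\)""[[:space:]]*$/\1"'"$2"'"/' "$1"
}
# Demo on a constructed fragment; a real early-command would run:
#   set_autoinstall_hostname /autoinstall.yaml "$(serial_to_hostname text "$(read_serial)")"
demo() {
    tmp=$(mktemp)
    printf 'autoinstall:\n  identity:\n    hostname: ""\n' > "$tmp"
    set_autoinstall_hostname "$tmp" "$(serial_to_hostname text 'ABC 123/xyz')"
    cat "$tmp"   # hostname: "text-abc-123-xyz"
    rm -f "$tmp"
}
demo
```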

At my work we tried with the user creation wizard, but also discovered that it would break/override certain settings (like hostname) that were already set, so we went back and skipped that, so the techs need to manually create the user account for the user that will use the computer. It was a time vs. functionality decision. It works, but is not optimal. We are waiting to be able to use SSSD/LDAP login, but at least for now we get our pre-set unique hostname, custom wallpaper and near zero-touch installation.

Here is the solution we use for the hostname

I saw in your example that you use commands directly in late commands. Have you tried using scripts instead? We saw that it gave us more stability and order: as changes were made, they were only changed in that specific script, and things broke a lot less. I have scripts for each area, like post-install-network.sh, post-install-microsoft.sh, post-install-custompkgs.sh, post-install-dell.sh and so on.
That’s one thing I learned from my experience with Microsoft's SCCM deploy over the years. There is always some work with structuring the deployment content and order.

As for the shutdown step, it will not work if there is an interactive step. I have the same issue. If I have a fully automated deploy, it works.

Maybe they will change user creation wizard for 26.04 so it works how you want it, but I will not use it here anyways I think. It seems more for OEM than enterprise deployment.

1 Like

Your approach certainly works, and I’ve experimented with it too. But we have a different goal.

1. Pre-install the OS in OEM mode so that employees can create users themselves.

2. Based on the first, we’ve eliminated the use of many scripts and hope that the behavior of Autoinstall.yaml and GDM will be updated in 26.04. At a minimum, adding Landscape support to GDM is critical.

3. At this stage, we’ll use Intune to fine-tune and manage the OS; we’ve long since abandoned on-prem AD.

4. We hope management will approve the purchase of Landscape, but this depends on its integration into the new installer and the functionality of TPM-FDE.

I’ve written in various Discourse threads several times that I’d be happy to assist in collecting information from our corporate hardware. But this project has stalled.

2 Likes

Interesting to see someone actually using Intune to manage clients. It would be a great help to share your experience on how you’ve integrated Ubuntu + Intune for others.

1 Like

In short, Intune on Linux is garbage. If you don’t have to use it, don’t even think about it.

We have to, because it’s included for free with our M365 E3 subscription, and Landscape still has to prove itself to management, as critical functionality was promised for Ubuntu 24.04, and there’s no guarantee it will be added this time, or that it will be crude.

In detail, it’s best to pre-install Intune on the system; an inexperienced user won’t be able to handle it.

There’s also no automation; the user must launch Intune and register manually. What’s even funnier is that Intune uses Edge to render windows for authentication.

Edge on Linux itself can work with Passkey, but Intune doesn’t!

We’ve also opened a bunch of bugs with Microsoft tech support.

For some reason, they’re convinced it’s okay to ask users to manually launch Intune every day to enable background processes and syncing (since they’re not sure whether it will work automatically by design or not).

With running scripts, it is incredibly difficult to get proper feedback, and compliance only works within Edge.

Worst of all, Intune’s default behavior is not only poorly documented, but the developers themselves don’t know how it works and spend months figuring it out, all the while trying to dismiss the issue with the phrase “by design.”

1 Like

I saw this video https://www.youtube.com/watch?v=D81-VPFws-0

Sounds very bad with no command line interface on Intune to fix enrollment in the background. My work is probably going that path with Intune in the near future, but I hope we get Landscape instead.

2 Likes