In my last post I presented you with the main deployment script I have been using. What it did not include are all the little tweaks and prerequisites that allow it to work.<\/p>\n
The first thing we need before running the script is a Template. As previously mentioned, I built a vm from the corporate standard ISO. I then applied updates and added some post deployment scripts to do things we couldn’t do with NEW-VM or the customization specification.<\/p>\n
Here are the files I used. Some consolidation could be made and your mileage may vary:<\/p>\n
powershell -command \"& {Set-ExecutionPolicy Unrestricted}\"\r\npowershell -file \"c:\\temp\\pre-domain-config.ps1\"\r\n\r\ncd \\\r\ncd temp\\client\r\nc:\\temp\\client\\ccmsetup.exe \/noservice smssitecode=auto ccmhttpport=\"80\" ccmhttpsport=\"443\"\r\ntimeout \/t 30\r\n\r\npowershell -file \"c:\\temp\\post-domain-config.ps1\"\r\npowershell -command \"& {Restart-Computer}\"<\/pre>\nThis simple .bat file is called by the customization specification. It is calling two other powershell scripts, installing sccm client and restarting the vm to finish up the installs.<\/p>\n
The first file called is:<\/p>\n
Write-Host \"Setting SNMP Properties\" -ForegroundColor Green\r\n\r\nRemove-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\PermittedManagers\" -Name \"1\"\r\n\r\nSet-ItemProperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities\" -name \"SNMP-community-name\" -value 16 -type dword\r\n\r\nWrite-Host \"Setting DNS Servers\" -foregroundcolor Green\r\n\r\nSet-DnsClientServerAddress -interfaceindex 12 -ServerAddresses (\"x.x.x.x\", \"x.x.x.x\")\r\n\r\nWrite-Host \"Disabling IPV6\" -ForegroundColor Green\r\n\r\ndisable-netadapterbinding -interfacedescription \"vmxnet3 ethernet adapter\" -ComponentID ms_tcpip6\r\n\r\nWrite-Host \"Adding DNS Server Suffixes\" -ForegroundColor Green\r\n\r\nSet-DNSClientGlobalSetting -SuffixSearchList @(\"our-domain.local.local\",\"our-domain-2.com\")\r\n\r\nWrite-Host \"Renaming Guest Account\" -ForegroundColor Green \r\n\r\nRename-LocalUser Guest localguest\r\n\r\n<\/pre>\nThis file sets the SNMP properties, updated DNS servers, disables IPv6, adds domain suffixes and renames the local guest account<\/p>\n
The next file:<\/p>\n
Write-Host \"Adding AD-Group to Local Administrators\" -foregroundcolor Green\r\n\r\nAdd-LocalGroupMember -Group \"Administrators\" -Member \"domain\\our_admin_group\"\r\n\r\nregedit \/s C:\\temp\\legal.reg\r\n\r\nWrite-host \"Renaming Admin Account\" -ForegroundColor Green\r\n\r\nRename-LocalUser Administrator localadmin\r\n<\/pre>\nThis file adds our AD admin group to the local administrators group on the vm. It also renames the local Administrator account. You may notice the calling of the legal.reg file. This was needed because we have a legal message displayed after login, and it was causing us to have to interact with each vm to get it through the customization process. We disabled the legal notice in the template, and reinstate it using the registry key.<\/p>\n
Here it is, masked for business sensitive information, of course:<\/p>\n
Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system]\r\n\"DisableAutomaticRestartSignOn\"=dword:00000001\r\n\"EnableVirtualization\"=dword:00000001\r\n\"EnableInstallerDetection\"=dword:00000001\r\n\"DelayedDesktopSwitchTimeout\"=dword:00000000\r\n\"PromptOnSecureDesktop\"=dword:00000001\r\n\"EnableLUA\"=dword:00000000\r\n\"EnableSecureUIAPaths\"=dword:00000001\r\n\"ConsentPromptBehaviorAdmin\"=dword:00000005\r\n\"ValidateAdminCodeSignatures\"=dword:00000000\r\n\"EnableUIADesktopToggle\"=dword:00000000\r\n\"EnableCursorSuppression\"=dword:00000001\r\n\"ConsentPromptBehaviorUser\"=dword:00000003\r\n\"disablecad\"=dword:00000000\r\n\"dontdisplaylastusername\"=dword:00000001\r\n\"legalnoticecaption\"=\"WARNING\"\r\n\"legalnoticetext\"=\"This computing system is a company owned asset and provided for the exclusive use\r\nof authorized personnel for business purposes.\r\nAll information and data created, accessed, processed, or stored using this system, (including personal information) are subject to monitoring,auditing, or review to the extent permitted by applicable law.\r\nUnauthorized use or abuse of this system may lead to corrective action including termination of employment, civil and\/or criminal penalties.\"\r\n\"scforceoption\"=dword:00000000\r\n\"shutdownwithoutlogon\"=dword:00000000\r\n\"undockwithoutlogon\"=dword:00000000\r\n\"FilterAdministratorToken\"=dword:00000000\r\n\"DSCAutomationHostEnabled\"=dword:00000002\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\Audit]\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\UIPI]\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\UIPI\\Clipboard]\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\UIPI\\Clipboard\\ExceptionFormats]\r\n\"CF_UNICODETEXT\"=dword:0000000d\r\n\"CF_DIBV5\"=dword:00000011\r\n\"CF_PALETTE\"=dword:00000009\r\n\"CF_BITMAP\"=dword:00000002\r\n\"CF_TEXT\"=dword:00000001\r\n\"CF_DIB\"=dword:00000008\r\n\"CF_OEMTEXT\"=dword:00000007\r\n\r\n<\/pre>\nNow that we have talked about all the scripts and their functions, lets move on to the last, yet very important piece: The customization specification. <\/p>\n
I created one specifically for this build process as I needed to customize it a bit more than we were doing normally. I needed credentials with domain joining ability, the proper domain specified in the CS and adding pre.bat<\/em> to the run once field.<\/p>\nAs you can see, not terribly complicated. Definitely room for improvement. And, with the addition of some actual automation tools, could become much more powerful. This was simply my way to reduce busy work within the confines of our environment. Please feel free to use this, pick it apart or send me beer if you really liked it :)<\/p>\n","protected":false},"excerpt":{"rendered":"
In my last post I presented you with the main deployment script I have been using. What it did not include are all the little tweaks and prerequisites that allow it to work. The first thing we need before running the script is a Template. As previously mentioned, I built a vm from the corporate […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/posts\/267"}],"collection":[{"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=267"}],"version-history":[{"count":4,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/posts\/267\/revisions"}],"predecessor-version":[{"id":271,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=\/wp\/v2\/posts\/267\/revisions\/271"}],"wp:attachment":[{"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.indycloudcover.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}