automate few post os install tasks

This topic contains 3 replies, has 3 voices, and was last updated by Rob Simmers 3 years ago.

  • #16182
    shivang gaur
    Participant

    Tasks to be done
    1) Customized installation of antivirus Symantec Virus and Spyware Protection
    2) Startup and Recovery: Time to display list: 5 seconds, Auto restart, Kernel Memory Dump, overwrite
    For this, bcdedit /timeout ### can work, but how to set the time to display recovery options when needed?
    3) Based on the memory size we need to create the page file 1.5 times
    4) Change the firewall setting to off, stop the firewall service and make it manual
    6) Windows Update: never install
    7) RDP encryption level is set to FIPS Compliant and negotiate
    8) Sysback configuration procedure: through Task Scheduler (batch file already there)
    9) Install IIS, telnet client
    10) Check for software installed
    11) NIC setting disable power setting change
    12) Add static routes
    13) Add entries to host file
    14) Add to domain
    15) Activate Windows
    16) SSL v2 not disabled from registry (All keys should be added):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    Create a new REG_DWORD called “DisabledByDefault” and set the value to 1
    Create a new REG_DWORD called “Enabled” and set the value to 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
    Create a new REG_DWORD called “DisabledByDefault” and set the value to 1
    Create a new REG_DWORD called “Enabled” and set the value to 0

  • #16185
    Vern Anderson
    Participant

    Working with the registry is fairly easy: you have the PSProvider that lets you treat the registry just like a file system. However, adding keys is a bit more tricky.

    [blockquote]# Quote the path: the key name "SSL 2.0" contains a space
    Set-Location 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client'

    New-ItemProperty -Path . -Name DisabledByDefault -PropertyType DWord -Value 1[/blockquote]

    However, at this stage in the game, rather than trying to automate by script you may want to take the opportunity to learn PowerShell Desired State Configuration. It makes stuff like this easier to repeat and more industry standard.

    -VERN
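
An added example, not part of Vern's post or the original thread: one way to create both SSL 2.0 keys listed in the first post when they do not exist yet, set the two DWORD values, and read them back. It assumes an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example: disable SSL 2.0 for both SCHANNEL roles (run elevated).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# Values taken from the first post: DisabledByDefault = 1, Enabled = 0
$settings = @{ DisabledByDefault = 1; Enabled = 0 }

foreach ($role in 'Server', 'Client') {
    $key = Join-Path $base $role

    # New-ItemProperty fails when the key is missing, so create it first.
    # -Force on New-Item also creates any missing parent keys.
    # The Test-Path guard avoids recreating (and emptying) an existing key.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    foreach ($name in $settings.Keys) {
        # -Force overwrites an existing value instead of throwing an error
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
            -Value $settings[$name] -Force | Out-Null
    }
}

# Verify: report what is actually stored under each key
foreach ($role in 'Server', 'Client') {
    $p = Get-ItemProperty -LiteralPath (Join-Path $base $role)
    [pscustomobject]@{
        Key               = $role
        DisabledByDefault = $p.DisabledByDefault
        Enabled           = $p.Enabled
        Compliant         = ($p.DisabledByDefault -eq 1 -and $p.Enabled -eq 0)
    }
}
```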

  • #16187
    Vern Anderson
    Participant

    As for the installation of your AV you will have to figure out the command line parameters the installer EXE has and call that from PowerShell. You can look to their documentation for information on that.

    # PageFile # You'll have to use WMI for that
    Get-WmiObject Win32_PageFileSetting
    # Setting things with WMI will take some practice; however, it can be easily done in PowerShell DSC

    # 6 I totally disagree with # 6 and have no help to offer there plus I would never want to do that unless the machine is never going to touch a network!!!

    # Install IIS
    Import-Module ServerManager
    Add-WindowsFeature Web-Server -IncludeAllSubFeature
    # You may want to experiment with the "IncludeAllSubfeatures"

    # Add to the domain: I don't have an example; however, there are tons of examples out there, but again this is easier with DSC

    -VERN

  • #16188
    Rob Simmers
    Participant

    I have several questions\statements:

    [ol]
    [li]How are you deploying the OS? SCCM OSD? Disk Cloning? Cloning is a deprecated way to deploy an OS; you should really look into Microsoft Deployment Toolkit to capture and deploy an image if it's a small shop. Another important cloning step you have not mentioned is SYSPREP, so make sure you are doing that or you will run into issues with systems having duplicate GUIDs.[/li]
    [li]Most of the items you are configuring are typically managed by Group Policy (e.g. firewall, startup and recovery, IE settings, etc.)[/li]
    [li]Setting the memory to 1.5 times the installed memory is a deprecated ideology from Windows NT 4.0. Windows has gotten better at managing memory and it's recommended to let Windows manage memory. Do you really need to make that modification?[/li]
    [li]Windows is typically activated with a KMS server. If a client isn't activating, then you can reset the client KMS components with slmgr.vbs (see: http://technet.microsoft.com/en-us/library/ff793406.aspx)[/li]
    [/ol]

    I've deployed OS's at a lot of companies and I think you should really look into MDT or other deployment technologies and group policy management. 90-95% of your item list would not be managed with a script when deploying an OS with a typical Operating System Deployment (OSD) infrastructure in place. MDT requires no licensing if cost is a consideration.
