In my last post I presented you with the main deployment script I have been using. What it did not include are all the little tweaks and prerequisites that allow it to work.
The first thing we need before running the script is a template. As previously mentioned, I built a VM from the corporate standard ISO. I then applied updates and added some post-deployment scripts to do things we couldn’t do with New-VM or the customization specification.
Here are the files I used. Some consolidation could be made and your mileage may vary:
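```bat
REM Allow the two configuration scripts to run, then run the pre-domain one
powershell -command "& {Set-ExecutionPolicy Unrestricted}"
powershell -file "c:\temp\pre-domain-config.ps1"

REM Install the SCCM client and give the installer time to start
cd \
cd temp\client
c:\temp\client\ccmsetup.exe /noservice smssitecode=auto ccmhttpport="80" ccmhttpsport="443"
timeout /t 30

REM Run the post-domain script, then reboot to finish the installs
powershell -file "c:\temp\post-domain-config.ps1"
powershell -command "& {Restart-Computer}"
```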
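This simple .bat file is called by the customization specification. It calls two other PowerShell scripts, installs the SCCM client and restarts the VM to finish up the installs. Set-ExecutionPolicy is called without -Scope, so the Unrestricted policy is written machine-wide and stays in place on the deployed VM.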
The first file called is:
```powershell
Write-Host "Setting SNMP Properties" -ForegroundColor Green

# Remove permitted-manager entry "1" and set the rights value for the community
Remove-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers" -Name "1"
Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" -name "SNMP-community-name" -value 16 -type dword

Write-Host "Setting DNS Servers" -foregroundcolor Green

# Interface index 12 is specific to this template
Set-DnsClientServerAddress -interfaceindex 12 -ServerAddresses ("x.x.x.x", "x.x.x.x")

Write-Host "Disabling IPV6" -ForegroundColor Green

Disable-NetAdapterBinding -interfacedescription "vmxnet3 ethernet adapter" -ComponentID ms_tcpip6

Write-Host "Adding DNS Server Suffixes" -ForegroundColor Green

Set-DNSClientGlobalSetting -SuffixSearchList @("our-domain.local.local","our-domain-2.com")

Write-Host "Renaming Guest Account" -ForegroundColor Green

Rename-LocalUser Guest localguest
```
This file sets the SNMP properties, updates the DNS servers, disables IPv6, adds domain suffixes and renames the local guest account.
The next file:
```powershell
Write-Host "Adding AD-Group to Local Administrators" -foregroundcolor Green

Add-LocalGroupMember -Group "Administrators" -Member "domain\our_admin_group"

# Re-import the policy key that carries the legal notice (removed in the template)
regedit /s C:\temp\legal.reg

Write-Host "Renaming Admin Account" -ForegroundColor Green

Rename-LocalUser Administrator localadmin
```
This file adds our AD admin group to the local Administrators group on the VM. It also renames the local Administrator account. You may notice the call to the legal.reg file. This was needed because we have a legal message displayed after login, and it forced us to interact with each VM to get it through the customization process. We disabled the legal notice in the template, and reinstate it using the registry key.
Here it is, masked for business sensitive information, of course:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableAutomaticRestartSignOn"=dword:00000001
"EnableVirtualization"=dword:00000001
"EnableInstallerDetection"=dword:00000001
"DelayedDesktopSwitchTimeout"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"EnableLUA"=dword:00000000
"EnableSecureUIAPaths"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"ValidateAdminCodeSignatures"=dword:00000000
"EnableUIADesktopToggle"=dword:00000000
"EnableCursorSuppression"=dword:00000001
"ConsentPromptBehaviorUser"=dword:00000003
"disablecad"=dword:00000000
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"="WARNING"
"legalnoticetext"="This computing system is a company owned asset and provided for the exclusive use of authorized personnel for business purposes. All information and data created, accessed, processed, or stored using this system, (including personal information) are subject to monitoring,auditing, or review to the extent permitted by applicable law. Unauthorized use or abuse of this system may lead to corrective action including termination of employment, civil and/or criminal penalties."
"scforceoption"=dword:00000000
"shutdownwithoutlogon"=dword:00000000
"undockwithoutlogon"=dword:00000000
"FilterAdministratorToken"=dword:00000000
"DSCAutomationHostEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\Audit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\UIPI]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\UIPI\Clipboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\UIPI\Clipboard\ExceptionFormats]
"CF_UNICODETEXT"=dword:0000000d
"CF_DIBV5"=dword:00000011
"CF_PALETTE"=dword:00000009
"CF_BITMAP"=dword:00000002
"CF_TEXT"=dword:00000001
"CF_DIB"=dword:00000008
"CF_OEMTEXT"=dword:00000007
```
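The legal.reg file above is an export of the whole policies\system key, so importing it writes every value in it, including "EnableLUA"=dword:00000000 (UAC off), not just the legal notice. The PowerShell below is an added example, not one of the original scripts: it lists what a .reg export would write and which values fall outside an allow-list. The function name Get-RegFileValue, the allow-list and the shortened sample are assumptions made for illustration.

```powershell
# Added example (not from the original post): list what a .reg export would
# write, and flag values outside the ones the import is meant to restore.

function Get-RegFileValue {
    param([Parameter(Mandatory)][string[]]$Line)

    $key = $null
    foreach ($l in $Line) {
        $l = $l.Trim()
        if ($l -match '^\[(?<key>[^\]]+)\]$') {
            # Section header: the values that follow belong to this key
            $key = $Matches['key']
        }
        elseif ($key -and $l -match '^"(?<name>[^"]+)"=(?<data>.*)$') {
            # Named value; default (@=) entries and hex continuation lines are skipped
            [pscustomobject]@{ Key = $key; Name = $Matches['name']; Data = $Matches['data'] }
        }
    }
}

# Constructed sample: a shortened copy of legal.reg from this page
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
"legalnoticecaption"="WARNING"
"legalnoticetext"="(banner text shortened for this sample)"
"FilterAdministratorToken"=dword:00000000
'@ -split "`r?`n"

# Assumption: only the legal notice has to come back after customization
$intended = 'legalnoticecaption', 'legalnoticetext'

$values = @(Get-RegFileValue -Line $sample)
$extra  = @($values | Where-Object { $_.Name -notin $intended })

"{0} values in file, {1} outside the allow-list:" -f $values.Count, $extra.Count
$extra | Format-Table Name, Data -AutoSize
```

To check the real file, pass `Get-Content C:\temp\legal.reg` as `-Line`. Trimming legal.reg to the two legalnotice values restores the banner without touching the UAC settings.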
Now that we have talked about all the scripts and their functions, let's move on to the last, yet very important piece: the customization specification.
I created one specifically for this build process as I needed to customize it a bit more than we were doing normally. I needed credentials with domain joining ability, the proper domain specified in the CS and pre.bat added to the run once field.
As you can see, not terribly complicated. Definitely room for improvement. And, with the addition of some actual automation tools, could become much more powerful. This was simply my way to reduce busy work within the confines of our environment. Please feel free to use this, pick it apart or send me beer if you really liked it :)