top | item 13346454

raffapen | 9 years ago

Being heavily involved in setting up standard developer workstations, I consider this to be the only practical approach. It's way beyond any specific config item (including telemetry). This is a sure way to get to a stable and consistent configuration.

A few comments:

- It is better to split such a mega-script into a set of named scripts, so admins can mix-and-match their own configuration set.

- The configuration set scripts should be re-entrant, that is, one can run them a few times in a row, achieving the same stable result. This is an important principle because those scripts evolve over time until they are stable, so the re-entrancy enables the re-configuration game.

- Some configuration items are system-based while others are user-account-based. This means that the latter should be invoked automatically once a new user account is created.

- VM is your friend. Wash, rinse, repeat.

- It is not always wise to replace automation (PowerShell) invocations with direct registry modifications. Tradeoffs should be obvious.

- MDT setups should avoid direct system configuration wherever possible, and rely on configuration scripts instead.

- One of the features still not possible to script is setting the policy startup/shutdown/login/logout scripts. One can provide this manually in a base workstation image.

- Esp. on Windows systems prior to Windows 10: make sure PowerShell is stable - version and module-wise.
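The points above (scripts that converge to the same state on every run, a split between system-wide and per-user items, and preferring a cmdlet over a raw registry poke where one exists) can be shown in a short PowerShell script. This is an added example, not code from the thread or from the script being discussed; the registry paths under `Contoso\Workstation`, the value names and the service name are placeholders chosen for illustration, not a recommended configuration set.

```powershell
# Added example (not from the thread). Paths, value names and the service
# name below are placeholders, not a recommended set of settings.
$ErrorActionPreference = 'Stop'

function Set-RegistryValueIdempotent {
    # Writes a registry value only when it differs from what is stored,
    # so running the same configuration set twice changes nothing the
    # second time. Supports -WhatIf via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String','ExpandString','DWord','QWord')]
        [string]$Type = 'DWord'
    )
    # Create the key only if it is missing.
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    $item    = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$Name } else { $null }
    # String comparison is enough for the scalar types allowed above.
    if ($null -ne $current -and "$current" -eq "$Value") {
        Write-Verbose "$Path\$Name already set to $Value"
        return $false
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Value")) {
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value `
            -PropertyType $Type -Force | Out-Null
    }
    return $true
}

function Set-ServiceStartupIdempotent {
    # Uses the Set-Service cmdlet rather than editing the service's
    # registry key directly; StartType needs PowerShell 5 / .NET 4.6.1+.
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('Automatic','Manual','Disabled')][string]$StartupType
    )
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "service $Name not present"; return $false }
    if ($svc.StartType -eq $StartupType) { return $false }
    Set-Service -Name $Name -StartupType $StartupType
    return $true
}

function Invoke-ConfigSet {
    # Applies a list of items and reports how many actually changed.
    param([Parameter(Mandatory)][hashtable[]]$Items)
    $changed = 0
    foreach ($i in $Items) {
        if (Set-RegistryValueIdempotent @i) { $changed++ }
    }
    return $changed
}

# System-scope items live under HKLM: and need an elevated shell.
$systemItems = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Contoso\Workstation'; Name = 'Baseline'; Value = 1 }
)
# User-scope items live under HKCU: and must run in each user's own
# context (for example from a logon script), because HKCU is that user's hive.
$userItems = @(
    @{ Path = 'HKCU:\Software\Contoso\Workstation'; Name = 'Baseline'; Value = 1 }
)

$first  = Invoke-ConfigSet -Items $userItems
$second = Invoke-ConfigSet -Items $userItems   # converged: nothing left to change
"first run changed $first item(s), second run changed $second item(s)"
```

Run it once with `-WhatIf` on the helper calls to see what would be written before touching a workstation image, and prefer doing the first real runs in a VM as the commenter suggests. The second `Invoke-ConfigSet` call reporting zero changes is the property the thread is circling around: re-running is harmless, and only edits to the item list produce new writes.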

anton_gogolev | 9 years ago

I believe the word you're looking for in your very first list item is "idempotent", not "re-entrant".

raffapen | 9 years ago

Right. One should ensure that simply re-invoking the script will not break anything by itself. The end result between invocations may be different if scripts are modified between invocations, as getting configuration right is a tricky business.

qplex | 9 years ago

This script is a good start.

I would also change the default policy in Windows Firewall to drop all outgoing traffic, and then enable access on application basis, and for basic things such as DNS and DHCP.

Windows 10 will still spam the DNS server for telemetry hostnames, and there seems to be nothing that you can do about that.

And really, if you can, you should switch to a better OS that doesn't require you to work against it.
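The firewall change suggested above (default-deny outbound, then allow DNS and DHCP plus individual applications) looks like this with the NetSecurity cmdlets. This is an added example, not part of the thread; the rule group name, rule names and the Firefox path are placeholders, and the NTP rule is an extra most hosts will also need.

```powershell
# Added example (not from the thread). Run from an elevated shell.
# Group name, rule names and the application path are placeholders.
$ErrorActionPreference = 'Stop'
$group = 'Workstation baseline (example)'

# 1. Default-deny outbound on every profile (inbound is already Block by default).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

function Add-OutboundAllowRule {
    # Creates an outbound allow rule once; re-running the script does not
    # pile up duplicate rules. $Match holds extra New-NetFirewallRule parameters.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Match
    )
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return $false }
    New-NetFirewallRule -DisplayName $Name -Group $group -Direction Outbound `
        -Action Allow -Profile Any @Match | Out-Null
    return $true
}

# 2. Infrastructure traffic the host cannot do without. Resolution runs
#    inside the dnscache service, so match on port rather than program.
#    Tighten with RemoteAddress = your resolvers once you know them.
Add-OutboundAllowRule -Name 'Allow DNS (UDP 53)'  -Match @{ Protocol = 'UDP'; RemotePort = 53 }
Add-OutboundAllowRule -Name 'Allow DNS (TCP 53)'  -Match @{ Protocol = 'TCP'; RemotePort = 53 }
Add-OutboundAllowRule -Name 'Allow DHCP client'   -Match @{ Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 }
Add-OutboundAllowRule -Name 'Allow NTP (UDP 123)' -Match @{ Protocol = 'UDP'; RemotePort = 123 }

# 3. Per-application allows, scoped to the executable path rather than a port.
Add-OutboundAllowRule -Name 'Allow Firefox' `
    -Match @{ Program = 'C:\Program Files\Mozilla Firefox\firefox.exe' }

# 4. Verify the resulting policy.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Action
```

Two caveats before applying this to a real machine: the predefined "Core Networking" rules may already cover DHCP and DNS, but explicit rules in your own group make the intent visible and survive someone disabling the built-in group; and with outbound defaulting to Block, anything you have not listed (Windows Update, license activation, your package manager) is silently dropped, so try it in a VM first and watch the firewall log (`Set-NetFirewallProfile -LogBlocked True`) to find what you missed.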

sixothree | 9 years ago

I seem to remember a tool that would allow you to do this but made it easy to enable specific application access. Does anyone remember this tool?