0

I have 6 machines which all run Windows 10. They are networked up to 2 servers running Server 2012. They were all hardened to meet CIS Guidelines by an engineer who didn't take into account what they were to be used for. Nothing network based worked properly after that.

After reinstalling Windows 10 Pro and a lot of fiddling with the hardening applied to the fresh install on one of the machines I have managed to get SNMP, Remote Desktop, PerfMon and user security and remote commands working. I now want to do the same to the remaining 5.

What was done previously to the other machines was badly documented and I know that people were poking around in the registry to try to get things to work unsuccessfully. As such I would like to put an image of the Windows 10 machine I have got working and tested on each of the other machines.

Is this possible given that I have been running it as a regular installation (i.e. not just in Audit Mode) for a few weeks?

If so, what methods are closest to Microsoft recommended best practice? I have read about Sysprep but it doesn't sound like it is appropriate given that it is a tried and tested working machine not a new image.

Flash_Steel
  • Sysprep is exactly what you should use. Microsoft's statement about not using Sysprep on a computer that has been running for an extended period of time is related to the cruft/detritus that can build up over time as programs get installed/uninstalled, user profiles get created, files get created/deleted, etc. If you're happy with the state of the source machine then there's no reason you can't Sysprep it and use it as your source image. – joeqwerty Mar 22 '17 at 13:04

2 Answers

2

Sysprep is the way to go, especially if the machines are identical hardware-wise.

If not then you could still use sysprep and use the generalize option to strip all drivers etc from the machines.

You should also clean up unnecessary programs, users etc. before sysprepping.

Frederik
  • Great. The machines are all identical hardware. Microsoft say that Sysprep isn't meant "to take a computer that has been running in production for extended period of time and run sysprep then create a new image or clone from the computer. Sysprep is designed to prepare new installations of Windows for imaging." How stable would a Sysprep image of a machine that has been running for weeks be? Would it still work networking with 5 other clones of itself? https://support.microsoft.com/en-gb/help/828287/unsupported-sysprep-scenarios – Flash_Steel Mar 22 '17 at 12:28
  • 2 weeks is nowhere near an "extended period of time" so that should be fine. I would probably make the image and deploy to the other machines and if everything works as expected I would re-image the source machine as well to ensure they are alike. Re. networking; when the machine gets a new SID via sysprep it works fine in a domain environment so that should be fine as well. – Frederik Mar 22 '17 at 12:45
  • Thanks for your help. I already have an image of the working machine pre-sysprep so I will give this a go. – Flash_Steel Mar 22 '17 at 13:05
  • I agree with Frederik, however I'd be cautious about the existing machines. If actual users have been using them however, there may be junk on them that you want to clean up first, and if security is a concern, then you'll want to start fresh. – Jim B Mar 22 '17 at 13:39
1

Sysprep is the way to go.

But, in your scenario /generalize is NOT optional. You have to use /generalize to reset the security IDs of each machine or they will conflict on the network.

Appleoddity
  • What I found was that generalizing the image could be done without removing the drivers - keeping the drivers could be done with a registry flag (which escapes me right now). Generalizing with Sysprep and keeping the drivers was definitely the way to go. – Flash_Steel Jul 20 '17 at 20:57
  • There may be something in the registry. But this is usually done by providing an unattend.xml file during sysprep. The flag you are looking for is: `PersistAllDeviceInstalls` https://technet.microsoft.com/en-us/library/cc722095(v=ws.10).aspx – Appleoddity Jul 20 '17 at 21:16
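
The two points from this answer and its comments (mandatory `/generalize`, and keeping drivers via `PersistAllDeviceInstalls` in an answer file) combined into one run, as an added example that is not part of the original thread. The output path `C:\Deploy\unattend.xml` and the `amd64` architecture are assumptions; run it from an elevated session on the reference machine.

```powershell
# Added example, not from the original thread.
# Assumptions: 64-bit Windows 10 reference machine, elevated session,
# and C:\Deploy\unattend.xml as a hypothetical output path.
$unattendPath = 'C:\Deploy\unattend.xml'

$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="generalize">
    <component name="Microsoft-Windows-PnpSysprep"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS">
      <!-- Keep installed device drivers through /generalize -->
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
    </component>
  </settings>
</unattend>
'@

New-Item -ItemType Directory -Path (Split-Path $unattendPath) -Force | Out-Null
Set-Content -Path $unattendPath -Value $unattend -Encoding UTF8

# Fail early if the file is not well-formed or the setting is missing,
# rather than discovering it after the machine has been generalized.
[xml]$doc = Get-Content -Path $unattendPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
$xpath = '//u:settings[@pass="generalize"]//u:PersistAllDeviceInstalls'
$node = $doc.SelectSingleNode($xpath, $ns)
if (-not $node -or $node.InnerText -ne 'true') {
    throw "PersistAllDeviceInstalls is not set in $unattendPath"
}

# /generalize resets machine-specific identity (including the SID),
# /oobe boots each clone into first-run setup, and /shutdown powers off
# so the disk can be captured before the machine boots again.
$sysprep = Join-Path $env:WINDIR 'System32\Sysprep\sysprep.exe'
Start-Process -FilePath $sysprep -Wait -ArgumentList @(
    '/generalize', '/oobe', '/shutdown', "/unattend:$unattendPath"
)
```

Capture the disk image while the machine is powered off; if it boots first, it leaves the generalized state and the clones would share its identity.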