As part of our standard scripted install I have a number of simple scripts to help with tasks such as patching and hardening the image.
Quite a few of you will have your images subject to Security scans - I now run these scripts to close minor security holes:
REM Set local passwords to expire after 30 days REM This may not survive sysprep net accounts /MAXPWAGE:30 REM Rename Local Administrator and Guest accounts REM This may not survive sysprep set admin=mooney set guest=hunt wmic UserAccount where name="Administrator" call Rename Name="%admin%" wmic UserAccount where name="Guest" call Rename Name="%guest%" REM Turn off CDROM Autorun reg add HKLM\SYSTEM\CurrentControlSet\services\cdrom /v AutoRun /t REG_DWORD /d 0 /f REM Disable saving Dial up passwords reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v DisableSavePassword /t REG_DWORD /d 1 /f
Then there's odd other settings you may want:
REM powercfg.exe High power no hibernate powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c powercfg.exe /hibernate off REM Disable Windows Media Player Update Reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer /v DisableAutoUpdate /t REG_DWORD /d 00000001
You might have a variety of OS and core app updates to install, CAB, EXE and MSU files:
REM To install exe updates REM Copy executable patches locally to c:\support\Patches\exe first FOR /F "delims=" %%A IN ('dir c:\support\patches\exe\*.exe /s /b') DO (%%A /quiet /norestart) REM To DISM Windows updates from CAB REM Copy cab files locally to c:\support\Patches\cab first FOR /F "delims=" %%A IN ('dir c:\support\patches\cab1\*.cab /s /b') DO (dism.exe /online /Add-Package /PackagePath:%%A /NoRestart /quiet) REM To WUSA Windows updates from MSU REM Copy msu files locally to c:\support\Patches\msu first FOR /F "delims=" %%A IN ('dir c:\support\patches\msu\*.msu /s /b') DO (wusa.exe %%A /NoRestart /quiet)
And for Windows 7 I like to get rid of the Event ID 10 errors:
'KB2545227 Event ID 10 error fix 'vbscript strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" _ & strComputer & "\root\subscription") Set obj1 = objWMIService.ExecQuery("select * from __eventfilter where name='BVTFilter' and query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ""Win32_Processor"" AND TargetInstance.LoadPercentage > 99'") For Each obj1elem in obj1 set obj2set = obj1elem.Associators_("__FilterToConsumerBinding") set obj3set = obj1elem.References_("__FilterToConsumerBinding") For each obj2 in obj2set WScript.echo "Deleting the object" WScript.echo obj2.GetObjectText_ obj2.Delete_ next For each obj3 in obj3set WScript.echo "Deleting the object" WScript.echo obj3.GetObjectText_ obj3.Delete_ next WScript.echo "Deleting the object" WScript.echo obj1elem.GetObjectText_ obj1elem.Delete_ Next