Answered unattend and FirstLogonCommands

  • May 8, 2012 14:56

    We are having an issue where we have created an unattend that has a firstlogoncommand to customize our VM (different agents, firewall rules, etc.), and the VM will reboot before the script has finished running. We can watch the VM from the console and as soon as the VM logs in it will reboot. We have added some logging into our logon script and it is kicking off the first part but never finishes.

    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <servicing></servicing>
        <settings pass="specialize">
            <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <BlockPopups>no</BlockPopups>
                <Home_Page>www.otc.edu</Home_Page>
                <IntranetCompatibilityMode>false</IntranetCompatibilityMode>
                <ShowCommandBar>true</ShowCommandBar>
                <DisableFirstRunWizard>true</DisableFirstRunWizard>
            </component>
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OEMInformation>
                    <Manufacturer>OTC</Manufacturer>
                </OEMInformation>
                <BluetoothTaskbarIconEnabled>false</BluetoothTaskbarIconEnabled>
                <CopyProfile>false</CopyProfile>
                <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
                <DoNotCleanTaskBar>false</DoNotCleanTaskBar>
                <RegisteredOrganization>OTC</RegisteredOrganization>
                <RegisteredOwner>OTC</RegisteredOwner>
                <ShowWindowsLive>false</ShowWindowsLive>
                <TimeZone>Central Standard Time</TimeZone>
                <AutoLogon>
                    <Enabled>true</Enabled>
                    <LogonCount>1</LogonCount>
                    <Username>xxxxx</Username>
                    <Password>
                        <Value>xxxxx</Value>
                        <PlainText>false</PlainText>
                    </Password>
                </AutoLogon>
            </component>
            <component name="Microsoft-Windows-TapiSetup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <TapiUnattendLocation>
                    <AreaCode>417</AreaCode>
                    <OutsideAccess>9</OutsideAccess>
                    <PulseOrToneDialing>1</PulseOrToneDialing>
                </TapiUnattendLocation>
            </component>
            <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <fDenyTSConnections>false</fDenyTSConnections>
            </component>
            <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <FirewallGroups>
                    <FirewallGroup wcm:action="add" wcm:keyValue="File and Printer Sharing">
                        <Active>true</Active>
                        <Group>File and Printer Sharing</Group>
                    </FirewallGroup>
                    <FirewallGroup wcm:action="add" wcm:keyValue="Windows Remote Management">
                        <Group>Windows Remote Management</Group>
                        <Active>true</Active>
                    </FirewallGroup>
                    <FirewallGroup wcm:action="add" wcm:keyValue="Remote Desktop">
                        <Group>Remote Desktop</Group>
                        <Active>true</Active>
                        <Profile>all</Profile>
                    </FirewallGroup>
                </FirewallGroups>
                <DisableStatefulFTP>false</DisableStatefulFTP>
                <DisableStatefulPPTP>false</DisableStatefulPPTP>
                <DomainProfile_DisableNotifications>false</DomainProfile_DisableNotifications>
                <PrivateProfile_DisableNotifications>false</PrivateProfile_DisableNotifications>
                <PublicProfile_DisableNotifications>false</PublicProfile_DisableNotifications>
                <DomainProfile_EnableFirewall>true</DomainProfile_EnableFirewall>
                <PrivateProfile_EnableFirewall>true</PrivateProfile_EnableFirewall>
                <PublicProfile_EnableFirewall>true</PublicProfile_EnableFirewall>
                <DomainProfile_LogDroppedPackets>true</DomainProfile_LogDroppedPackets>
                <DomainProfile_LogFileSize>10240</DomainProfile_LogFileSize>
            </component>
            <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <IEHardenAdmin>false</IEHardenAdmin>
                <IEHardenUser>true</IEHardenUser>
            </component>
            <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <RunSynchronous>
                    <RunSynchronousCommand wcm:action="add">
                        <Credentials>
                            <Password>xxxxx</Password>
                            <Username>xxxxx</Username>
                            <Domain>otc.edu</Domain>
                        </Credentials>
                        <Order>1</Order>
                        <Description>Specialize Tasks</Description>
                        <Path>\\SCVMM-MS\MSSCVMMLibrary\Scripts\2008\script4specialize.bat</Path>
                    </RunSynchronousCommand>
                </RunSynchronous>
            </component>
        </settings>
        <settings pass="oobeSystem">
            <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <OOBE>
                    <HideEULAPage>true</HideEULAPage>
                    <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                    <NetworkLocation>Work</NetworkLocation>
                    <ProtectYourPC>3</ProtectYourPC>
                </OOBE>
                <FirstLogonCommands>
                    <SynchronousCommand wcm:action="add">
                        <CommandLine>C:\work\build\script7oobeSystem.bat</CommandLine>
                        <Description>Run FirstLogon Commands</Description>
                        <Order>1</Order>
                        <RequiresUserInput>false</RequiresUserInput>
                    </SynchronousCommand>
                </FirstLogonCommands>
            </component>
        </settings>
        <cpi:offlineImage cpi:source="wim://reb/images/server/source_files/2008/r2_sp1/sources/install.wim#Windows Server 2008 R2 SERVERDATACENTER" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
    </unattend>
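
An audit of the kind of answer file posted above, as an added example that is not part of the original post: it lists every command the file will run in each pass and flags embedded `Password` elements without printing their values. The function name `Get-UnattendAudit`, the server name and all sample values are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Constructed sample that reuses the element names of
# the answer file above; every value is a placeholder.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
 <settings pass="specialize">
  <component name="Microsoft-Windows-Shell-Setup">
   <AutoLogon><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>PLACEHOLDER</Username>
    <Password><Value>PLACEHOLDER</Value><PlainText>false</PlainText></Password></AutoLogon>
  </component>
  <component name="Microsoft-Windows-Deployment">
   <RunSynchronous><RunSynchronousCommand wcm:action="add">
    <Credentials><Password>PLACEHOLDER</Password><Username>PLACEHOLDER</Username></Credentials>
    <Order>1</Order><Path>\\SERVER\Share\specialize.bat</Path>
   </RunSynchronousCommand></RunSynchronous>
  </component>
 </settings>
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup">
   <FirstLogonCommands><SynchronousCommand wcm:action="add">
    <Order>1</Order><CommandLine>C:\work\build\script7oobeSystem.bat</CommandLine>
   </SynchronousCommand></FirstLogonCommands>
  </component>
 </settings>
</unattend>
'@
function Get-UnattendAudit {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][xml]$Unattend)
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    # Commands: RunSynchronousCommand carries <Path>, SynchronousCommand carries <CommandLine>.
    foreach ($c in $Unattend.SelectNodes('//u:RunSynchronousCommand | //u:SynchronousCommand', $ns)) {
        $line = $c.SelectSingleNode('u:Path | u:CommandLine', $ns).InnerText
        $note = if ($line -like '\\*') { 'runs from a network share' } else { 'local path' }
        [pscustomobject]@{
            Pass = $c.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
            Item = $c.LocalName; Order = $c.SelectSingleNode('u:Order', $ns).InnerText
            Detail = $line; Note = $note
        }
    }
    # Password elements: <PlainText>false</PlainText> means Base64-encoded, not encrypted.
    foreach ($p in $Unattend.SelectNodes('//u:Password', $ns)) {
        $plain = $p.SelectSingleNode('u:PlainText', $ns)
        $note = if ($plain -and $plain.InnerText -eq 'false') { 'encoded only, not encrypted' } else { 'clear text' }
        [pscustomobject]@{
            Pass = $p.SelectSingleNode('ancestor::u:settings', $ns).GetAttribute('pass')
            Item = 'Password'; Order = ''; Detail = "under <$($p.ParentNode.LocalName)>"; Note = $note
        }
    }
}
Get-UnattendAudit -Unattend ([xml]$sample) | Format-Table -AutoSize -Wrap
```

To audit a real answer file, pass `[xml](Get-Content -Raw <path to unattend.xml>)` instead of the sample.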
    

All replies

  • May 8, 2012 16:04
    Moderator

    SCVMM also uses this to perform some customizations and they may be forcing the reboot and tipping your hand.

    For your output you need to dump to a logging location to get a better tip.

    I use the following to orchestrate some commands. The ">>" causes the output of the script to be written to the file. So you have to have your script write to the screen to capture it.

    At the very least I get an empty file with a time stamp.

          <FirstLogonCommands>
            <SynchronousCommand wcm:action="add">
              <Order>1</Order>
              <CommandLine>%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe -command set-executionpolicy remotesigned -force >> %Public%\Documents\setExecution.log</CommandLine>
              <Description>Set the ExecutionPolicy to RemoteSigned for the script to run</Description>
            </SynchronousCommand>
            <SynchronousCommand wcm:action="add">
              <Order>2</Order>
              <CommandLine>%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe C:\Goshenite\EnvDump.ps1 >> %Public%\Documents\EnvDump.log</CommandLine>
              <Description>Dump the configuration as of deployment time</Description>
            </SynchronousCommand>
            <SynchronousCommand wcm:action="add">
              <Order>3</Order>
              <CommandLine>%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe C:\Goshenite\Configure.ps1 >> %Public%\Documents\Configure.log</CommandLine>
              <Description>Do the heavy lifting</Description>
            </SynchronousCommand>
          </FirstLogonCommands>


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

  • May 8, 2012 17:28

    I added the extra logging and the log stops on the first command. Looks like SCVMM is rebooting the VM. I have attached the script we are trying to run. The output from the log is as follows.

    REM Install DPM Agent
    IF EXIST "C:\program files (x86)" GOTO x64
    C:\work\temp\DPMAgentInstaller_x64.exe /q dpm.otc.edu

    REM Install DPM Agent
    IF EXIST "C:\program files (x86)" GOTO x64
    goto x32
    
    :x64
    C:\work\temp\DPMAgentInstaller_x64.exe /q dpm.otc.edu
    GOTO Continue
    
    :x32
    C:\work\temp\DPMAgentInstaller_x86.exe /q dpm.otc.edu
    GOTO Continue
    
    :Continue
    
    REM Turn on File and Printer Sharing
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable="Yes"
    
    REM Turn on Network Discovery
    netsh advfirewall firewall set rule group="Network Discovery" new enable="Yes"
    
    REM Turn on Windows Management Instrumentation
    netsh advfirewall firewall set rule group="Windows management Instrumentation (WMI)" new enable=yes
    
    REM Turn on Remote Management
    netsh advfirewall set domainprofile settings remotemanagement enable
    
    REM Turn on Remote Event Log Management
    netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
    
    REM Turn on Remote Scheduled Tasks Management
    netsh advfirewall firewall set rule group="Remote Scheduled Tasks Management" new enable=yes
    
    REM Turn on Remote Service Management
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
    
    REM Turn on Remote Volume Management
    netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes
    
    REM Turn on Remote Administration
    netsh advfirewall firewall set rule group="Remote Administration (RPC)" new enable=Yes
    netsh advfirewall firewall set rule group="Remote Administration (RPC-EPMAP)" new enable=Yes
    netsh advfirewall firewall set rule group="Remote Administration (NP-In)" new enable=Yes
    
    net localgroup "Distributed COM Users" /add "otc\domain admins"
    
    REM Enable Remote Desktop
    Cscript %windir%\system32\SCRegEdit.wsf /ar 0
    netsh advfirewall firewall set rule name="remote desktop (tcp-in)" new enable=yes
    
    REM Enable Remote Management
    powershell Configure-SMRemoting.ps1 -force -enable
    
    REM Disable UAC
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    
    REM Configure MultiPath IO
    Mpclaim -n -i  -d "HITACHI DF600F"
    
    REM Disable 8.3 naming for all NTFS
    fsutil.exe behavior set disable8dot3 1
    
    REM Force Activation
    cscript C:\Windows\System32\slmgr.vbs /ato
    
    REM Run windows update
    powershell c:\work\windowsupdates.ps1

  • May 8, 2012 17:33
    Moderator
    Answered

    Have you tried including the script as part of the SCVMM template instead of as part of the unattend as a first logon action?

    This should make it part of SCVMM provisioning workflow.


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.
    Disclaimer: Attempting change is of your own free will.

    • Marked as answer by Wolfraider, May 8, 2012 19:03
  • May 8, 2012 19:00
    Answered

    Adding the unattend prepopulates that area but apparently it doesn't work correctly. Finally got a process to work.

    1. removed the run scripts from the unattend

    2. added a reboot to the end of the last run script

    3. set the run script as a login script in scvmm

    4. ran the following powershell command to add the login to the template

    #Get Template by name
    ($template = Get-SCVMtemplate | where {$_.Name -eq "Name of Template"}) | fl Name, OperatingSystem, VirtualizationPlatform
    
    #Get local admin account
    ($raa = Get-SCRunAsAccount -Name "Local Admin Account") | fl Name, Username, Domain
    
    #Set auto logon
    (Set-SCVMTemplate -VMTemplate $template -AutoLogonCredential $raa -AutoLogonCount 1) | fl Name, AutoLogonCredential, AutoLogonCount