
I hope serverfault is the right place for this question. If it's not, please let me know where the right place is!

Anyway, I have a WDS server which I am using to push Windows 10 images. However, it's not a vanilla Windows 10 image, it's a DoD image with a lot of security already baked in. My problem is, the local security policy has the firewall set to block incoming traffic, so even though I can deploy the image, most of the task sequence fails. Now, in my mind, I have two options: modify the image, change the firewall setting, capture the image, push that image out instead, then re-enable the firewall once it joins the domain and gets a reasonable firewall policy. The problem with this is that IF I get a "new" image from this DoD source, I will need to repeat this process. If I somehow modify the firewall during MDT deployment, I will not have to permanently change the image. This seems like the better option, if I could figure out how to do it. From what I've read, modifying the Local Security Policy from the command line is no simple feat. I'd like to do this "the right way" so it doesn't bite me later. What's the "correct" way to do this?

Thanks so much!

prelic
  • Are you an employee of the DoD? If so then you have to ask your supervisors as this type of help solicitation is not quite the most secure source of information for infrastructure implementation. I have discussed MDT with an employee of the DoD and I know that they use it on some of their infrastructure so I know that what you're attempting is possible. I AM NOT AN EMPLOYEE OF THE DoD. IF YOU ARE A DoD EMPLOYEE PLEASE USE INTERNAL SOURCES! – Elliot Huffman Apr 17 '17 at 12:27
  • Ok, well if you replace DoD with any entity who distributes customized versions of operating systems, then the question still stands, and without the "security implications". – prelic Apr 17 '17 at 18:33
  • Have you confirmed that if you disable the firewall you can continue with the MDT deployment process? – Elliot Huffman Apr 17 '17 at 18:44
  • So the real reason the deployment does not continue is because the firewall is blocking the computer from getting a DHCP address. So if I allow incoming requests in order to get a DHCP request, the task sequence proceeds, yes. I could just add that step to the guide, but I'd like the deployments to be as hands-off as possible. Thanks for the response! – prelic Apr 17 '17 at 18:46
  • Ok, then add the firewall disable entry to your unattend.xml (it is applied right after system imaging and before the restart) and, after you finish the task sequence, add the firewall-on command using PowerShell or the command line (add it as the last item in the TS or set it as a RunOnce in the registry). – Elliot Huffman Apr 17 '17 at 18:49
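
The last comment describes a two-part approach: switch the firewall off from unattend.xml during the specialize pass so the task sequence can get a DHCP lease, then switch it back on as the final task-sequence step (or from a RunOnce key). The script below is an added example of that final step; it is not code from the question, the comments, or MDT itself. It assumes the image's own firewall rules and the inbound-block default are still present (the unattend step only flips the profile state), that the `NetSecurity` module is available on Windows 10, and a log location of `$env:TEMP`; the RunOnce key name and the unattend fragment in the comments are illustrative, not taken from the page.

```powershell
# Restore-Firewall.ps1  (added example, not from the original post)
#
# Counterpart to the unattend.xml step suggested in the comments. The unattend
# side would be a RunSynchronousCommand in the specialize pass, for example
# (illustrative fragment, not from the page):
#   <RunSynchronousCommand wcm:action="add">
#     <Order>1</Order>
#     <Path>netsh advfirewall set allprofiles state off</Path>
#   </RunSynchronousCommand>
#
# This script is meant to run as the LAST task-sequence step (or via RunOnce)
# so the firewall never stays off once deployment is finished. It turns every
# profile back on, verifies the result, and returns a non-zero exit code if the
# verification fails so the TS step is visibly marked as failed.

$LogPath = Join-Path $env:TEMP 'RestoreFirewall.log'   # assumed log location

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Restore-FirewallProfiles {
    [CmdletBinding()]
    param()

    # Re-enable all three profiles. This only changes the on/off state; the
    # image's existing rules and the inbound "Block" default are untouched.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -ErrorAction Stop
    Write-Log 'Set Domain/Private/Public profiles to Enabled=True'

    # Verify rather than trust the call: any profile still off is a failure.
    $stillOff = Get-NetFirewallProfile |
        Where-Object { "$($_.Enabled)" -ne 'True' } |
        Select-Object -ExpandProperty Name

    if ($stillOff) {
        Write-Log ("Verification FAILED, profiles still disabled: {0}" -f ($stillOff -join ', '))
        return $false
    }

    Write-Log 'Verification OK, all profiles enabled'
    return $true
}

function Register-FirewallRestoreRunOnce {
    # Alternative mentioned in the comments: schedule this same script through
    # HKLM RunOnce so it executes on the next logon if it cannot be the last TS step.
    param([string]$ScriptPath = $PSCommandPath)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "{0}"' -f $ScriptPath
    New-ItemProperty -Path $key -Name 'RestoreFirewall' -Value $cmd -PropertyType String -Force | Out-Null
    Write-Log "Registered RunOnce entry 'RestoreFirewall' -> $cmd"
}

# Entry point: restore, then exit with a code the task sequence can act on.
if (Restore-FirewallProfiles) {
    exit 0
} else {
    exit 1
}
```

When used as the final MDT step, add it as a "Run PowerShell Script" action (or `powershell.exe -ExecutionPolicy Bypass -File Restore-Firewall.ps1` in a "Run Command Line" action) so that the exit code surfaces in the task-sequence log. Keeping the off/on pair inside the deployment process, as the comment suggests, means the captured DoD image itself is never modified and a refreshed image from the same source can be dropped in without repeating any manual firewall changes.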

0 Answers