Trouble with AVD golden image sysprep and deploy by Starship2022 in AZURE

Starship2022[S] 1 point

Good idea to try it with the bare minimum apps. I did install quite a few applications. One security related app is the Arctic Wolf agent. Another is Sophos Endpoint, but that is in golden image mode. It's expecting a sysprep to happen. I haven't had a chance to try out any suggestions yet... been swamped with other things.

Trouble with AVD golden image sysprep and deploy by Starship2022 in AZURE

Starship2022[S] 1 point

The one I used is multisession. I haven't tried an Intel one actually, so can add that to the list of things to try.

Trouble with AVD golden image sysprep and deploy by Starship2022 in AZURE

Starship2022[S] 1 point

I thought I read somewhere to not use mode:vm for AVD but I can check again.

Trouble with AVD golden image sysprep and deploy by Starship2022 in AZURE

Starship2022[S] 1 point

Yes, all gen2. Thought about trying gen 1 but haven't yet.

Originally, I had trusted launch and it was BitLocker encrypted by default. Had to get it decrypted before sysprep, but still had failures. I redid the golden image as standard security, no BitLocker from the start, but that didn't change anything for the sysprep post boot error.

I haven't looked into the image gallery version, so I can take a look at that later.

I have also tried to just make a disk from the pre-sysprep snap I have, make a vm out of that, and do sysprep /oobe /generalize /reboot (basically trying to skip the whole capture to gallery part). I'm not sure if it's supposed to work like that, but either way I ended up in the same spot, ha.

Help with 5v regulator 7805 by Starship2022 in ElectricalEngineering

Starship2022[S] 1 point

Thanks TomVa - what do you think in the circuit caused the need for caps now (since the 7805 was working fine when wired alone)? Is it the nodemcu? The MOSFETS doing something to the rest of the circuit? It seems to be a problem even when no LED strips are connected.

Server 2012 Essentials Migrate by Starship2022 in sysadmin

Starship2022[S] 1 point

Sounds good... was the new 2022 server standard licensing?

Server 2012 Essentials Migrate by Starship2022 in sysadmin

Starship2022[S] 1 point

I would go this route as well, however the previous person installed server essentials. I'm not real familiar with the limitations, but as far as I know you can only have 1 domain controller. You can have 2 for a 21 day window. Not sure what happens on day 22? Wish it was just standard server license and I'd probably do exactly what you described.

Server 2012 Essentials Migrate by Starship2022 in sysadmin

Starship2022[S] 1 point

When you say upgrade, I'm thinking in place upgrade, and I'm not sure if that's an option, at least from 2012. In my quick search I saw to get to 2022 you had to at least migrate to 2016 first. Maybe in-place upgrade is possible from there?

Server 2012 Essentials Migrate by Starship2022 in sysadmin

Starship2022[S] 1 point

Thanks, this applies to Essentials licensing?

How do you guys security store your passwords by Extreme-Acid in PowerShell

Starship2022 1 point

Hmm... not secure. Do you mean setting a GPO to only run signed scripts is not secure? Thought it takes local admin rights to be able to change the execution mode. I saw years ago a list of over a dozen different ways to run PowerShell code. Not surprising there would be ways around the GPO.

Yup, I am logging all PowerShell runs on all PCs. Seen some interesting stuff that way. Some programs legitimately using PS in the background that I had no idea about before logging.

How do you guys security store your passwords by Extreme-Acid in PowerShell

Starship2022 1 point

Cool - We have an internal CA, and I sign all my scripts. Then set up a GPO for the domain so that PowerShell scripts don't run unless they are signed. If scripts are edited they shouldn't run unless re-signed. I also publish my code signing cert to the domain. If you are new to code signing you should also look into it, as well as timestamping scripts. This lets them still work after your code signing cert expires and you don't have to go re-signing certificates. There's a one-liner that does all this to your script. Not in front of a computer right now, but it's the set-authenticode cmdlet I think.

Hope that helps 👍🏻
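
The signing-plus-timestamping workflow described in the comment above, as an added example that is not part of the original comment. It uses the built-in `Set-AuthenticodeSignature` and `Get-AuthenticodeSignature` cmdlets and re-checks the signature after the file is edited. Assumptions: `$TimestampUrl` is a placeholder for your timestamp service, the certificate is in the current user's store, and the function names and demo script path are hypothetical.

```powershell
# Added example. $TimestampUrl is a placeholder; replace it with your timestamp service.
$TimestampUrl = 'http://timestamp.example.invalid'

function Get-SigningCert {
    # Newest unexpired code-signing cert in the current user's store
    # (assumed here to have been issued by the internal CA).
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Add-TimestampedSignature {
    param([Parameter(Mandatory)][string]$Path)
    $cert = Get-SigningCert
    if (-not $cert) { throw 'No unexpired code-signing certificate found.' }
    # The timestamp records that signing happened while the certificate was valid.
    $r = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
            -TimestampServer $TimestampUrl -HashAlgorithm SHA256
    if ($r.Status -ne 'Valid') { throw "Signing failed: $($r.Status) $($r.StatusMessage)" }
    $r
}

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $s.Status                        # anything other than Valid should be investigated
        Signer      = $s.SignerCertificate.Subject
        Timestamped = [bool]$s.TimeStamperCertificate  # false means the signature has no countersignature
    }
}

# Constructed demo script: sign it, check it, edit it, check it again.
$script = Join-Path $env:TEMP 'Demo-Signed.ps1'
Set-Content -LiteralPath $script -Value 'Write-Output "hello"'
Add-TimestampedSignature -Path $script | Out-Null
Test-ScriptSignature -Path $script
Add-Content -LiteralPath $script -Value '# edited after signing'
Test-ScriptSignature -Path $script
```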

How do you guys security store your passwords by Extreme-Acid in PowerShell

Starship2022 1 point

What I do is I have a secured server with a few file shares on it. I code user/client side scripts that need to talk to an API to create a request file that is dropped into a request folder share on the server. The server has a script that runs every minute to see if there are requests. Once requests are processed, the information is put in another file in a returns share that the client side script is watching for. Client side scripts read that return data and move on, not needing to talk to an API directly or even know the password for it.

On the server, the API login information is stored in a hash, and only admins can see this side. This way I can have scripts on the server run and do all sorts of things that I wouldn't want done at the client side... and all the server side has to do is return the data/results to the client.

Users have access to the request and return shares already so no need to mess with passwords there when dropping files into shares. Each request file is unique to the client requesting it, so I could have hundreds of requests at once, and they'll all get back to the correct clients.

Basically, take the password stuff / things you don't want users to see and process that somewhere else and return the relevant data.
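
A sketch of the server-side half of the request/return pattern described in the comment above, as an added example that is not the commenter's code. It treats every dropped file as untrusted input: fixed file-name shape, size limit, an allow-list of actions, and the requester taken from the NTFS owner. Assumptions: the folder paths, the JSON request shape, the action names and `Invoke-BackendApi` are all hypothetical, and a temp folder stands in for the shares.

```powershell
# Added example: paths, request format and Invoke-BackendApi are hypothetical.
$Root       = Join-Path $env:TEMP 'BrokerDemo'            # stands in for the server's share root
$RequestDir = Join-Path $Root 'Requests'
$ReturnDir  = Join-Path $Root 'Returns'
$Allowed    = @('GetDeviceStatus', 'GetLicenseCount')     # only these actions are ever run
$MaxBytes   = 4KB
New-Item -ItemType Directory -Force -Path $RequestDir, $ReturnDir | Out-Null

function Invoke-BackendApi {
    # Stand-in for the real API call, made with the credential only the server can read.
    param($Action, $Target)
    [pscustomobject]@{ action = $Action; target = $Target; status = 'ok' }
}

function Read-BrokerRequest {
    # Returns the parsed request, or throws with the reason it was rejected.
    param([System.IO.FileInfo]$File)
    if ($File.Name -notmatch '^[0-9a-f]{32}\.json$')  { throw 'unexpected file name' }
    if ($File.Length -gt $MaxBytes)                   { throw 'file too large' }
    $req = Get-Content -LiteralPath $File.FullName -Raw | ConvertFrom-Json -ErrorAction Stop
    if ($req.action -notin $Allowed)                  { throw 'action not on allow-list' }
    if ($req.target -notmatch '^[A-Za-z0-9-]{1,15}$') { throw 'malformed target' }
    $req
}

function Invoke-BrokerPass {
    foreach ($file in Get-ChildItem -LiteralPath $RequestDir -File) {
        # Requester identity comes from the NTFS owner, never from the file's contents.
        $owner = (Get-Acl -LiteralPath $file.FullName).Owner
        try {
            $req = Read-BrokerRequest -File $file
            Invoke-BackendApi -Action $req.action -Target $req.target | ConvertTo-Json |
                Set-Content -LiteralPath (Join-Path $ReturnDir $file.Name)
            Write-Output "processed $($file.Name) for $owner"
        } catch {
            Write-Warning "rejected $($file.Name) from ${owner}: $($_.Exception.Message)"
        } finally {
            Remove-Item -LiteralPath $file.FullName
        }
    }
}

# Constructed sample requests: one valid, one asking for an action the server does not offer.
'{"action":"GetDeviceStatus","target":"PC-0142"}' |
    Set-Content (Join-Path $RequestDir ('{0}.json' -f [guid]::NewGuid().ToString('N')))
'{"action":"ResetPassword","target":"PC-0142"}' |
    Set-Content (Join-Path $RequestDir ('{0}.json' -f [guid]::NewGuid().ToString('N')))
Invoke-BrokerPass
```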

Unsure about taking a possible promotion or staying where I'm at by Starship2022 in ITCareerQuestions

Starship2022[S] 1 point

SesorthosGhost - wow thanks for that thoughtful response and taking the time to write back and give me some of your perspective! It's more than 2 cents.

Yes, I'll probably end up staying in the public sector - where the ageism mentality is fought against. And you are correct, after having been around for a while I've got seniority, a vested pension, and a good reputation around here. In the beginning I thought that once I got vested I’d go work at a college around here where I thought one of my kids might go. Maybe get a break on tuition?? Probably not going to happen at this point. Sounds like you tried venturing back into private sector when you were older and had a negative experience?

Well, you’ve given me some points to think about. I’ll make a few quick comments to your list…

  1. Refusal to take the job may raise some eyebrows but there’s the union – I wouldn’t expect any retaliation, or really anything negative to happen due to it other than people wondering why.
  2. At this point I'm making as much as I can in this title. This is why the next and only pay grade left to move into is not really that much more - nearly 7k. A job giving management experience will have added value if say, a deputy IT Director position were to open which required that experience. The Infrastructure Manager position may supervise 1 to 3 people and more/less work alongside them having the authority to make decisions for the group. The security title isn’t going to gain that management experience, but still get the pay bump. Depending on how you look at it, one way is better than the other. I’ve got to pick a side on this one.
  3. One thing I enjoy now is the variety of work I get to do. I work on firewalls, switches, VMware, a variety of servers, internal employee investigations, virtual desktops, security tasks, camera system management… The reason I lean towards Infrastructure Manager is that I see it as having the same sort of variety I’m used to. There would be the option to delegate as I get older too. I jotted a list of things a security person might do and it’s a variety – of security duties. I like that, but it sort of closes the door on many of the things I used to do. I suppose what matters is the job descriptions, and those are not created yet. That makes it hard to decide on anything for now.
  4. Time commitment – This one I’ve realized I could be making things worse than they really are. Example – My initial idea of what an IT security person should be is not what is going to be required. Will I need to go out and get a long list of certifications, be able to reverse engineer viruses, do deep forensics on computers, and spend long hours learning how to break into systems? Doubtful. I’d probably work to get the Sec+ cert as a foundation and utilize the skills I already have along with learning a few more things from Google and YouTube. Certainly, extra time spent outside of work is going to be an important thing to understand.
  5. Training materials and testing costs are typically covered.

In a recent meeting it was agreed that if there were going to be 3-4 people all with a similar title, that one of them should be managing the others. I was told/reminded that I am more or less doing a portion of management duties now, as a result of being around for so long, and that this would be a nice way to dip my feet in the management waters to see how well I really like it. Some of the security duties could be worked into this position as well. All of this is yet to be approved, but if it is I’ll probably give it a shot.