Best practice for locking down Windows 7 OS for image deployment (SOE)

There are 2 questions for this.

1. What is the best practice for creating a Windows 7 image for deployment, e.g. locking down the OS, sysprep, capture and deploy? Basically, any changes made to lock down the OS need to be retained in the image. My understanding is that after running sysprep, many of the changes made are reverted back to default.

2. What is the best "Freeware" imaging product? 95% of our clients are thin clients, so we only really need to image laptops from time to time.
Asked by: Howzatt
 
David Johnson, CD, MVP (Owner) commented:
It comes installed with all best practices enabled. What is a best practice and what works under ALL circumstances can come into conflict.

Keeping UAC turned on and running all users as STANDARD users is about the most effective best practice for user desktops.
 
Rick Hobbs (RETIRED) commented:
If you use sysprep, all lockdown choices are gone.

Best free imager: Macrium Reflect Free Edition
 
David Johnson, CD, MVP (Owner) commented:
Making images for deployment legally requires sysprep and volume media to create the master image.

You may disagree with it or find another way of doing it, but in doing so you are violating the terms of the licensing agreement between you and Microsoft. You have been warned.
 
Howzatt (Author) commented:
Understood, so legally I cannot lock down an image?
 
David Johnson, CD, MVP (Owner) commented:
I use Windows Post Install unless the systems are on a domain, in which case I use Group Policy.

In the post install wizard I add all of the registry entries that need to be modified.
 
Howzatt (Author) commented:
Post install tasks seem to be the go.

Anywhere I can find a list of recommended post install tasks? I can pick out which I will use.
 
David Johnson, CD, MVP (Owner) commented:
What do you want locked down or installed? Each situation is entirely different. Other than installing Windows updates and Microsoft Security Essentials, Windows 7 is a pretty secure operating system. Use a product like Macecraft jv16 tools and capture the registry, do your customization, then capture the registry again. Compare the differences and put the registry changes into either 1 .reg file or a bunch of .reg files, and then script it to install each registry file.

You may want to run sysprep, then at the OOBE logon press Shift-Ctrl-F3 to get into administrative mode. Now capture the registry and compare the differences between the customized system and the sysprep'd system. This will show you what customizations did not make it past the sysprep.
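The snapshot-and-compare procedure described in the comment above, as an added example that is not part of the original thread: it parses three `.reg` exports (before customization, after customization, after sysprep) and writes out only the customizations that did not survive sysprep, ready to re-import post-install. The key, the value names and all snapshot data are constructed for illustration, and a plain `.reg` text parser stands in for jv16 tools.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"

def parse_reg(text):
    """Parse .reg export text into {(key, value_name): raw_data}."""
    # regedit wraps long hex values with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n\s*", "", text)
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            values[(key, m.group(1))] = m.group(2)
    return values

def changed(before, after):
    """Values that are new or different in `after` relative to `before`."""
    return {k: v for k, v in after.items() if before.get(k) != v}

def lost_after_sysprep(baseline, customized, sysprepped):
    """Customizations whose data is missing or altered after sysprep."""
    wanted = changed(baseline, customized)
    return {k: v for k, v in wanted.items() if sysprepped.get(k) != v}

def to_reg(values):
    """Render values as .reg text, grouped by key, for a post-install import."""
    out, last = [HEADER], None
    for (key, name), data in sorted(values.items()):
        if key != last:
            out += ["", f"[{key}]"]
            last = key
        out.append(f"{name}={data}")
    return "\r\n".join(out) + "\r\n"

# Constructed snapshots: hypothetical key and value names, not real sysprep results.
PREFIX = HEADER + "\n\n" + r"[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleSOE]" + "\n"
BASELINE = PREFIX + '"ScreenLockMinutes"=dword:0000001e\n'
CUSTOMIZED = PREFIX + ('"ScreenLockMinutes"=dword:00000005\n'
                       '"HideControlPanel"=dword:00000001\n'
                       '"Banner"=hex(7):4c,00,6f,00,\\\n  63,00,6b,00,00,00,00,00\n')
SYSPREPPED = PREFIX + ('"ScreenLockMinutes"=dword:00000005\n'
                       '"HideControlPanel"=dword:00000000\n')

if __name__ == "__main__":
    snaps = [parse_reg(s) for s in (BASELINE, CUSTOMIZED, SYSPREPPED)]
    print(to_reg(lost_after_sysprep(*snaps)))
```

Files exported by regedit in the Version 5.00 format are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.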
 
Howzatt (Author) commented:
Thanks for that. I am not sure exactly what I want to lock down at this stage.

Mainly just want to make the laptop a thin client for the users to run their Citrix Published Desktops on. But would also like to keep some element of functionality on their local PC too.

My plan was to review the best practices and work from there.
 
Howzatt (Author) commented:
I am sure it is already loaded with the best practices. However I am sure there must be a list out there somewhere of recommended policies etc for me to work from?