Best Practices

Its good.

But i install Antivirus, 7-ZIP, Adobe etc. later because i can faster add ne versions of the applikations. If you make every month a new masterimage thats ok.

But my mind is already the image as few as possible.

Hope it helps.

Office is a pretty big postinstall task, any reason why you don't include it in your image?

I also use your VM approach for the snapshot ability, which comes in handy with Sysprep especially.  Although I do a CopyProfile on a physical machine otherwise I lose some graphics capability.

I do pretty much the same thing except I have everything post install. I let GPOs handle firewall, and UAC. You can also set these in your unattend.xml.

My snapshot has Windows updates turned on. I load the snapshot. Run the updates I need, and then sysprep. In my unattend.xml I have Windows updates turned off so I do not need to worry about turning them back off.

I have three main images that I updated every few months. I want to test copying my unattend.xml to C:\windows\panther as a preinstall to see if I can just have one "Golden Image", but just have separate preinstall tasks for each. I just haven't had time to test this yet.

Seems like a pretty good procedure. I like using VMs to prepare my images as well, keeps from having to tie up hardware resources. I agree with Johnzko, though. We don't include any software in the image unless it's just too complicated to install after the fact. This makes updating which version is installed easier.

The other thing we do different in our organization is we let our K1000 do the "heavy lifting" of app installs. In Healthcare there are a lot of complicated app installs that we could never seem to get to work right as Post Install Tasks. So we use "bread crumbs" in the registry, along with Custom Inventory and Smart Labels to install the needed software from the K1000. The K2000 just lays down the basics: OS image, drivers, K1 agent, and the "bread crumbs". We also use wsusoffline to install updates as a post install task. This way we only have to update the folder that stores the updates, rather than having to capture a whole new image.

I have found out that disabling IPv6 in the master image does no good.  the hardware is recreated post sysprep so IPv6 is enabled again.  I had to add the disable after the machine comes out of sysprep, doing it as a post task even did not help.  I added a run once to run on the machines first boot after post sysprep reboot.

this is my postinstallation line to kill ipv6

start /wait reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v ipv6kill /d "reg.exe add \"HKLM\SYSTEM\CurrentControlSet\services\Tcpip6\Parameters\" /v DisabledComponents /t REG_DWORD /d 4294967295 /f"

also if you are using the 100 meg partition and sysprep you can add all your drivers ahead of sysprep to create a univerasal image.  This also works with windows 8.1 so far

http://www.itninja.com/blog/view/creating-a-windows-7-sysprep-image-without-having-to-install-any-drivers-at-post-install-tasks

It is not recommened to install anti-virus or any type of agent software (like the K1000) into your golden image.

I'm with johnzko, I install all my software as a PO because that way when I update my golden image I only have to update windows, the other software gets updated in the PO task or a network share so its always up-to-date.

Corey
Lead L3 Enterprise Solutions Consultant, K2000
If my response was helpful, please rate it!