UIU Support Case Example - Fixing Software and Security Interference During OS Image Deployment
There are several factors that can interfere with the successful completion of a deployed image. The factors generally amount to security restrictions relating to the copying of files or modification of the registry.
How can software interference be mitigated?
One common issue occurs when an installed and activated anti-virus or anti-malware software inhibits the modification of one or more registry settings. In this event, the typical error message presented during services startup phase is, "Windows Could Not Finish Configuring the System. To attempt to resume configuration, restart the computer.” Unfortunately, restarting the computer results in the same error message and the administrator finds themselves in an infinite loop.
One method includes disabling (or in worst case scenarios, removing) the active protection components on the base image. The recommended method includes preparing a base image without anti-virus or anti-malware software installed and relying on bonafide application deployment solutions to install these types of software in a layered approach to deployment - such as the OS is installed first, then configuration settings are applied by a directory service, and finally, applications are deployed to appropriate computers, based on requirements.
For example, if Kaspersky Endpoint Security
is installed and enabled on the base image or WIM file, “Self Defense” could be disabled in the software’s settings. These settings should be re-enabled on each PC post-deployment to ensure protection.
Security Settings Interference
Another common issue occurs when security settings in the base image or WIM file are set to stringent levels, inhibiting or requiring authorization to copy/execute files to the secured operating system folders. The most common error presented in these instances is “Open File - Security Warning” at first login. These are realized frequently when Control Panel applications included with device drivers are presented for installation during OS deployment. (See Imaging Insights Newsletter Issue 3 "The Problem with Drivers that Include Executables)
How can security settings interference be mitigated?
There are many methods for solving this issue during OS deployment and a process should definitely be instituted to restore required security levels after deployment is completed. Some methods are relatively complicated and involve modifying zone settings to include trusted files or sites and some methods involve reducing security to the lowest levels. The selected solution is likely to be driven by corporate policy.
For example, an administrator charged with deploying an OS to computers may have included a driver that was not prepared properly (potential driver signing issue) and is experiencing the following prompt upon first login:
An administrator may elect to modify Internet Zone settings to enable the launching of applications and unsafe files, accessible through Internet Explorer or Control Panel, Internet Options.
This method may cause Internet Explorer to repeatedly complain about the apparent lapse in security and may be silenced through the use of Group Policy Editor.
It is beneficial to minimize the potential for errors or interference during the OS deployment process and a well-planned method that includes a layered approach to application deployment as well as a careful analysis of PC security settings will provide successful PC deployments with maximum efficiency.