|
1 | 1 | ## 🖥️ Efficient Workstation Management, Configuration, and ITSM Compliance for Windows 10 & 11
|
2 | 2 |
|
3 |
| -Welcome to the **ITSM-Templates-WKS** repository — a curated suite of **PowerShell and VBScript automation tools** for managing and standardizing Windows 10 and 11 workstations. These scripts help IT teams automate tasks, enforce ITSM policies, and streamline configuration workflows. |
| 3 | +Welcome to the **ITSM-Templates-WKS** repository — a standardized toolkit of **PowerShell, VBScript, and .REG automation files** designed for the configuration, standardization, and compliance enforcement of Windows 10 and 11 workstations across institutional environments. |
4 | 4 |
|
5 |
| -📘 For full reference, see: |
| 5 | +📘 **Official Guide:** |
6 | 6 | **JUNE-19-2025-ITSM-Templates Application Guide for Windows 10 and 11.pdf**
|
7 |
| -This guide includes step-by-step procedures across nine units, covering domain prep, workstation standardization, printer setup, and naming conventions. |
| 7 | +This document includes step-by-step procedures across nine units: domain preparation, OS image deployment, printer and workstation configuration, registry and GPO compliance, hostname conventions, and removal of decommissioned assets. |
8 | 8 |
|
9 | 9 | ---
|
10 | 10 |
|
11 | 11 | ## 🌟 Key Features
|
12 | 12 |
|
13 |
| -- 🖼️ **Graphical Interfaces (GUI):** Designed for use by Level 1 and Level 2 support. |
14 |
| -- 📝 **Structured Logging:** Logs generated in `.log` format with standardized naming. |
15 |
| -- 📊 **CSV Reporting:** Exportable `.csv` reports for documentation and audits. |
| 13 | +- 🖼️ **GUI Interfaces:** Designed for L1 and L2 Service Desk staff. |
| 14 | +- 📝 **Structured Logging:** Logs saved to `C:\ITSM-Logs-WKS\` in `.log` format. |
| 15 | +- 📊 **CSV Reporting:** Inventory and configuration reports generated in `.csv` format. |
| 16 | +- 🔒 **Built-in Microsoft Tools Only:** No 3rd-party dependencies — all operations use native Windows features. |
| 17 | +- 📦 **Sysprep & Image Readiness:** Ensures cloned OS has unique SIDs, WSUS compliance, and domain readiness. |
16 | 18 |
|
17 | 19 | ---
|
18 | 20 |
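Review bot: The new Key Features bullet "Built-in Microsoft Tools Only: No 3rd-party dependencies" does not hold against the rest of this README. `GetSID.bat` is described as calling the separately downloaded Sysinternals `psgetsid.exe`, step 2 of the execution order uses `WSUS Offline`, and the script table and log list reference Kaspersky and LibreOffice installers. Suggest narrowing the claim to what is actually true (for example, that the configuration scripts themselves need no extra modules) and listing each external binary with its source and how it is verified before use.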
|
19 | 21 | ## 📄 Script Overview
|
20 | 22 |
|
21 | 23 | ### Folder: `/BeforeJoinDomain/`
|
22 | 24 |
|
23 |
| -| Script Name | Purpose | |
| 25 | +| **Script Name** | Purpose | |
24 | 26 | |------------------------------|---------------------------------------------------------------------------------------------------------------|
|
25 |
| -| **ITSM-BeforeJoinDomain.hta** | Automates 20 pre-domain actions: registry, network reset, profile prep, WSUS certs, and security compliance for domain readiness. | |
| 27 | +| **ITSM-BeforeJoinDomain.hta** | Executes 20 critical pre-join configurations: 10 VBScript actions + 10 Registry/Theme setups. Ensures WSUS, firewall, profile, UI, and theme standards are in place before AD join. | |
26 | 28 |
|
27 | 29 | ### Folder: `/AfterJoinDomain/`
|
28 | 30 |
|
29 |
| -| Script Name | Purpose | |
| 31 | +| **Script Name** | Purpose | |
30 | 32 | |-----------------------------|---------------------------------------------------------------------------------------------------------------|
|
31 |
| -| **ITSM-AfterJoinDomain.hta** | Finalizes domain config: DNS registration, GPO refresh, profile imprint, offline login setup — ensuring full domain integration. | |
| 33 | +| **ITSM-AfterJoinDomain.hta** | Post-join automation: registers DNS, refreshes GPOs, updates profile metadata, and triggers domain logon caching via three login cycles. | |
32 | 34 |
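Review bot: The new `ITSM-AfterJoinDomain.hta` description says the tool "triggers domain logon caching via three login cycles", but step 7 of the Execution Order section added in this same commit tells the operator to perform the three Logon → Logoff → Reboot cycles by hand. Suggest rewording the row so it is clear whether the HTA automates the cycles or only prepares the machine for them.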
|
33 | 35 | ### Folder: `/Assets/AdditionalSupportScripts/`
|
34 | 36 |
|
35 |
| -| Script Name | Purpose | |
| 37 | +| **Script Name** | Purpose | |
36 | 38 | |----------------------------------------|-----------------------------------------------------------------------------------------------------------|
|
37 |
| -| **ActivateAllAdminShare.ps1** | Enables Admin shares, activates RDP, disables Windows Firewall and Windows Defender for administrative access. | |
38 |
| -| **ExportCustomThemesFiles.ps1** | Exports Windows custom themes: .msstyles, layout XML, and wallpapers. | |
39 |
| -| **FixPrinterDriverIssues.ps1** | Resets Print Spooler and removes driver conflicts to restore printer functionality. | |
40 |
| -| **GetSID.bat** | Uses Sysinternals to retrieve the system’s Security Identifier (SID). | |
41 |
| -| **InventoryInstalledSoftwareList.ps1** | Generates a complete inventory of installed software for auditing purposes. | |
42 |
| -| **LegacyWorkstationIngress.ps1** | Enables legacy Windows systems to join modern AD domains. | |
43 |
| -| **RenameDiskVolumes.ps1** | Renames `C:` to hostname and `D:` to "UserData" for consistency. | |
44 |
| -| **SystemMaintenanceWorkstations.ps1** | Runs SFC, DISM, GPO reset, WSUS resync, and optionally reboots with GUI support. | |
45 |
| -| **UnjoinADComputer-and-Cleanup.ps1** | Unjoins computer from AD and cleans residual metadata and artifacts. | |
46 |
| -| **Update-KasperskyAgent.ps1** | Repoints the Kaspersky Agent to the current server and refreshes certificates. | |
47 |
| -| **WorkStationConfigReport.ps1** | Collects and exports BIOS, OS, and network data into a .CSV report. | |
48 |
| -| **WorkstationTimeSync.ps1** | Syncs time and NTP settings; adjusts time zone using a guided GUI. | |
| 39 | +| **ActivateAllAdminShare.ps1** | Enables Admin shares, activates RDP, disables Windows Firewall and Defender. | |
| 40 | +| **ExportCustomThemesFiles.ps1** | Extracts and packages local Windows themes, wallpapers, and layout. | |
| 41 | +| **FixPrinterDriverIssues.ps1** | Flushes Print Spooler and clears faulty printer driver data. | |
| 42 | +| **GetSID.bat** | Retrieves the system SID using Sysinternals `psgetsid.exe`. | |
| 43 | +| **InventoryInstalledSoftwareList.ps1** | Generates software inventory in CSV format. | |
| 44 | +| **LegacyWorkstationIngress.ps1** | Enables legacy OSes to meet domain join policies. | |
| 45 | +| **RenameDiskVolumes.ps1** | Renames `C:` to match hostname and `D:` to "Personal-Files". | |
| 46 | +| **SystemMaintenanceWorkstations.ps1** | Runs SFC, DISM, GPO sync, WSUS resync, and schedules reboot via GUI. | |
| 47 | +| **UnjoinADComputer-and-Cleanup.ps1** | GUI tool for leaving the domain and cleaning residual AD/DNS metadata. | |
| 48 | +| **Update-KasperskyAgent.ps1** | Updates Kaspersky client configuration and root certificates. | |
| 49 | +| **WorkStationConfigReport.ps1** | Collects BIOS, OS, and network metadata into a structured .CSV. | |
| 50 | +| **WorkstationTimeSync.ps1** | Syncs system clock, NTP source, and time zone using GUI automation. | |
49 | 51 |
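Review bot: The `ActivateAllAdminShare.ps1` row now reads "disables Windows Firewall and Defender" with the old qualifier "for administrative access" removed, so the table gives no indication of when this script is appropriate or how the protections are restored. Suggest stating in the row (or in the folder README it points to) the intended scope, whether the change is temporary, and which script or GPO re-enables the firewall and Defender afterwards.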
|
50 | 52 | ### Folder: `/Assets/Certificates/`
|
51 | 53 |
|
52 | 54 | | Certificate Name | Purpose |
|
53 | 55 | |--------------------------|----------------------------------------------------------------------------------------------|
|
54 |
| -| **ADCS-Server.cer** | Certificate for the internal Active Directory Certificate Services (ADCS) infrastructure. | |
55 |
| -| **RDS-Server.cer** | Establishes trust for Remote Desktop Services within the enterprise. | |
56 |
| -| **WSUS-Server.cer** | Enables secure communication with the internal WSUS infrastructure. | |
| 56 | +| **ADCS-Server.cer** | Root CA certificate for ADCS infrastructure. | |
| 57 | +| **RDS-Server.cer** | RDP trust certificate for Remote Desktop access. | |
| 58 | +| **WSUS-Server.cer** | SSL certificate for WSUS communication. | |
57 | 59 |
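Review bot: `ADCS-Server.cer` is relabelled from "Certificate for the internal ADCS infrastructure" to "Root CA certificate", which changes what the file is claimed to be, and the table still does not say which certificate store each file is imported into. Since a root CA becomes a trust anchor for everything it issues, suggest documenting the target store for each of the three `.cer` files and where the expected thumbprint can be checked before import.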
|
58 | 60 | ### Folder: `/Assets/CustomImages/`
|
59 | 61 |
|
60 | 62 | | File/Asset Name | Purpose |
|
61 | 63 | |---------------------------|-------------------------------------------------------------------------|
|
62 |
| -| **UserProfileImages/** | Default institutional images applied to user accounts. | |
63 |
| -| **DesktopThemeImages/** | Custom desktop wallpapers for local user profiles. | |
| 64 | +| **UserProfileImages/** | Institutional photos for user profiles. | |
| 65 | +| **DesktopThemeImages/** | Default wallpaper and lock screen branding. | |
64 | 66 |
|
65 | 67 | ### Folder: `/Assets/MainDocs/`
|
66 | 68 |
|
67 | 69 | | Document Name | Purpose |
|
68 | 70 | |--------------------------------|-------------------------------------------------------------------------------------------------------------|
|
69 |
| -| **CheckListOrigin.docx** | Editable source version of the workstation deployment checklist. | |
70 |
| -| **DefaultUsersAccountImages/** | Institutional user images and a `hosts` file to block known malicious sites (from Safer-Networking Ltd). | |
| 71 | +| **CheckListOrigin.docx** | Editable version of the official ITSM procedure. | |
| 72 | +| **DefaultUsersAccountImages/** | Default avatars and a hardened `hosts` file that blocks known malicious addresses. | |
71 | 73 |
|
72 | 74 | ### Folder: `/Assets/ModifyReg/AllGeneralConfigs/`
|
73 | 75 |
|
74 |
| -| Script Name | Purpose | |
| 76 | +| **Script Name** | Purpose | |
75 | 77 | |---------------------------|---------------------------------------------------------------------|
|
76 |
| -| **GeneralConfigScripts/** | System-wide registry modifications for baseline configuration. | |
| 78 | +| **GeneralConfigScripts/** | Disables Windows Firewall, UAC, sets default pages, and adjusts ownership metadata. | |
77 | 79 |
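Review bot: The `GeneralConfigScripts/` row now says the baseline "Disables Windows Firewall, UAC", while the `ITSM-BeforeJoinDomain.hta` row in this commit says the pre-join step "Ensures WSUS, firewall, profile, UI, and theme standards are in place". Readers cannot tell what the intended end state is. Suggest stating explicitly whether the firewall and UAC are expected to stay off or are re-applied by domain GPO after join, and which log entry confirms it.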
|
78 | 80 | ### Folder: `/Assets/ModifyReg/DefaultBackground/`
|
79 | 81 |
|
80 |
| -| Script Name | Purpose | |
| 82 | +| **Script Name** | Purpose | |
81 | 83 | |--------------------------|-------------------------------------------------------------------------|
|
82 |
| -| **BackgroundConfig.ps1** | Sets institutional desktop and logon backgrounds. | |
83 |
| -| **HostsFileSetup.ps1** | Installs customized hosts file for domain join pre-configuration. | |
| 84 | +| **BackgroundConfig.ps1** | Applies logon and wallpaper images. | |
| 85 | +| **HostsFileSetup.ps1** | Overwrites `hosts` file with security-enhanced entries. | |
84 | 86 |
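Review bot: `HostsFileSetup.ps1` is now documented as one that "Overwrites `hosts` file", and the `DefaultUsersAccountImages/` row above drops the "(from Safer-Networking Ltd)" attribution for the blocklist. Suggest keeping the source of the entries in the README and noting whether the script backs up the existing `hosts` file first, since an overwrite discards any local entries already present.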
|
85 | 87 | ### Folder: `/Assets/ModifyReg/UserDesktopFolders/`
|
86 | 88 |
|
87 |
| -| Script Name | Purpose | |
| 89 | +| **Script Name** | Purpose | |
88 | 90 | |-----------------------------------|-------------------------------------------------------------------------|
|
89 |
| -| **CopyInstitutionalShortcuts.ps1** | Copies organizational shortcuts and folder links to all user desktops. | |
| 91 | +| **CopyInstitutionalShortcuts.ps1** | Creates desktop folders and institutional shortcuts for all users. | |
90 | 92 |
|
91 | 93 | ### Folder: `/Assets/ModifyReg/UserDesktopTheme/`
|
92 | 94 |
|
93 |
| -| Script Name | Purpose | |
| 95 | +| **Script Name** | Purpose | |
94 | 96 | |-------------------------------|-------------------------------------------------------------------------|
|
95 |
| -| **ApplyInstitutionalTheme.ps1** | Applies custom desktop theme, classic mode, and institutional branding. | |
| 97 | +| **ApplyInstitutionalTheme.ps1** | Applies full `.deskthemepack`, classic mode UI, and branding. | |
96 | 98 |
|
97 | 99 | ---
|
98 | 100 |
|
99 |
| -## 🚀 Getting Started |
| 101 | +## 🧭 Execution Order Summary |
| 102 | + |
| 103 | +1. **Prepare system:** OOBE with Sysprep, enable built-in Administrator, and remove local accounts. |
| 104 | +2. **Apply Windows Updates:** Use `WSUS Offline` or centralized update repository. |
| 105 | +3. **Execute `ITSM-BeforeJoinDomain.hta`:** Applies 20 pre-join configs (scripts + registry). |
| 106 | +4. **Rename drives:** `C:` = hostname, `D:` = Personal-Files. |
| 107 | +5. **Join the Domain:** Manual or automated, authenticated using delegated account. |
| 108 | +6. **Execute `ITSM-AfterJoinDomain.hta`:** Applies post-join fixes and logs in DNS/GPOs. |
| 109 | +7. **Mandatory login cycles:** Perform 3x (Logon → Logoff → Reboot) under domain account. |
| 110 | +8. **Validate logs:** In `C:\ITSM-Logs-WKS\` and `C:\Scripts-LOGS\`. |
| 111 | + |
| 112 | +--- |
| 113 | + |
| 114 | +## 🏷️ Hostname Format |
| 115 | + |
| 116 | +``` |
| 117 | +
|
| 118 | +<LOC><EQUIP><UNIT><ASSET> |
| 119 | +Example: MIADSALESO11704 |
100 | 120 |
|
101 |
| -```bash |
102 |
| -git clone https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite.git |
103 | 121 | ````
|
104 | 122 |
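Review bot: Step 1 of the new Execution Order list says to "enable built-in Administrator, and remove local accounts", but none of the eight steps says when that account is disabled again or how its password is set and managed. Suggest adding that as an explicit step after the domain join, or referencing the guide unit that covers it. Step 6 also reads "logs in DNS/GPOs", which is ambiguous next to the table wording "registers DNS, refreshes GPOs".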
|
105 |
| -1. **Navigate to:** |
106 |
| - `Windows-SysAdmin-ProSuite/ITSM-Templates-WKS/` |
| 123 | +| Component | Meaning | |
| 124 | +|------------|------------------------------------------| |
| 125 | +| LOC | 3-letter location (e.g., MIA, BOS, NYC) | |
| 126 | +| EQUIP | D = Desktop, L = Laptop, P = Printer | |
| 127 | +| UNIT | Division/Section code (e.g., SALESO) | |
| 128 | +| ASSET | Unique asset ID number | |
107 | 129 |
|
108 |
| -2. **Read Instructions:** |
109 |
| - Each subfolder has a `README.md` with usage guidance. |
| 130 | +Drive C label = hostname |
| 131 | +Drive D label = `Personal-Files` |
110 | 132 |
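Review bot: The Hostname Format section gives `<LOC><EQUIP><UNIT><ASSET>` without field lengths for UNIT and ASSET, and the example `MIADSALESO11704` is already exactly 15 characters, which is the NetBIOS computer name limit. Suggest adding a length column to the component table (LOC is stated as 3 letters, EQUIP is one letter) so a longer unit code or asset number does not silently produce a truncated or rejected name. The opening fence at +116 is three backticks while the closing fence on line 121 is four; matching them would be cleaner.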
|
111 |
| -3. **Run the Script:** |
| 133 | +--- |
112 | 134 |
|
113 |
| - ```powershell |
114 |
| - .\ScriptName.ps1 |
115 |
| - ``` |
| 135 | +## 📠 Printer Compliance Steps |
116 | 136 |
|
117 |
| -4. **Review Outputs:** |
118 |
| - Logs (`.log`) and reports (`.csv`) are saved in designated folders. |
| 137 | +- Enable DHCP, configure hostname, and reserve MAC/IP. |
| 138 | +- Access via Embedded Web Server (EWS). |
| 139 | +- Update firmware and restrict protocols. |
| 140 | +- Enable SNMP v2/v3. |
| 141 | +- Sync time with `ntp1.company`. |
| 142 | +- Assign user-friendly display name: |
| 143 | + `PRINTER-ATL-L14510`, `PRINTER-TPA-HPCOLOR` |
119 | 144 |
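Review bot: In the Printer Compliance Steps list, "Enable SNMP v2/v3" treats the two versions as equivalent, but SNMP v2c authenticates with a cleartext community string. Suggest stating v3 with authentication and privacy as the standard, allowing v2c only where the device lacks v3 and with a non-default community string. "Update firmware and restrict protocols" would also benefit from naming which protocols are to be disabled.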
|
120 | 145 | ---
|
121 | 146 |
|
122 |
| -## 📝 Logging & Reporting |
| 147 | +## 🧹 Domain Removal (Unjoin) |
123 | 148 |
|
124 |
| -* **Logs:** |
125 |
| - All actions are logged in `.log` format for troubleshooting and audit trails. |
| 149 | +Use GUI tool `UnjoinADComputer-and-Cleanup.ps1`: |
126 | 150 |
|
127 |
| -* **Reports:** |
128 |
| - Workstation actions are summarized in `.csv` files. |
| 151 | +1. **Leave Domain** → reboot |
| 152 | +2. **Post-Cleanup** → removes DNS, cached metadata |
| 153 | +3. Confirm system is no longer resolvable via DNS |
| 154 | +
|
| 155 | +--- |
| 156 | +
|
| 157 | +## 🚀 Getting Started |
| 158 | +
|
| 159 | +```bash |
| 160 | +git clone https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite.git |
| 161 | +```` |
| 162 | +
|
| 163 | +```powershell |
| 164 | +cd Windows-SysAdmin-ProSuite/ITSM-Templates-WKS/ |
| 165 | +.\ScriptName.ps1 |
| 166 | +``` |
| 167 | + |
| 168 | +Logs are saved to `C:\ITSM-Logs-WKS\` |
| 169 | +Reports to `.csv` files within the same structure |
| 170 | + |
| 171 | +--- |
| 172 | + |
| 173 | +## 📝 Logging & Reporting |
| 174 | + |
| 175 | +* **Logs:** Stored in `C:\ITSM-Logs-WKS\` and `C:\Scripts-LOGS\` |
| 176 | +* **Reports:** CSV summaries of config states, SID, BIOS, updates, apps, etc. |
129 | 177 |
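Review bot: The rewritten Getting Started block runs `.\ScriptName.ps1` directly after `cd Windows-SysAdmin-ProSuite/ITSM-Templates-WKS/`, but every script in the Script Overview lives in a subfolder such as `/BeforeJoinDomain/` or `/Assets/AdditionalSupportScripts/`, and the removed step that pointed to each subfolder's `README.md` is gone. Suggest showing a real relative path and restoring the pointer to the per-folder instructions. "Reports to `.csv` files within the same structure" does not say where the reports land; the Logging & Reporting bullets could carry the actual path.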
|
130 | 178 | ---
|
131 | 179 |
|
132 | 180 | ## 💡 Optimization Tips
|
133 | 181 |
|
134 |
| -* 🔁 **Automate Execution:** Schedule via Task Scheduler or enforce via GPO. |
135 |
| -* 🗂️ **Centralize Logs:** Redirect outputs to shared folders for compliance. |
136 |
| -* 🧩 **Customize Scripts:** Modify templates to match your IT governance model. |
| 182 | +* 🔁 Schedule with Task Scheduler or enforce via GPO |
| 183 | +* 🗂️ Centralize logs to network share |
| 184 | +* 🧩 Customize scripts to match institutional policy |
137 | 185 |
|
138 | 186 | ---
|
139 | 187 |
|
140 | 188 | ## 📁 Log File Paths
|
141 | 189 |
|
142 |
| -All logs are saved to: |
143 |
| - |
144 | 190 | ```plaintext
|
145 | 191 | C:\ITSM-Logs-WKS\
|
| 192 | +C:\Scripts-LOGS\ |
146 | 193 | ```
|
147 | 194 |
|
148 |
| -This includes: |
| 195 | +Includes: |
149 | 196 |
|
150 |
| -* Domain ingress activity logs |
151 |
| -* DNS registration logs |
152 |
| -* User profile imprint logs |
| 197 | +* `ITSM-BeforeJoinDomain.log` |
| 198 | +* `ITSM-AfterJoinDomain.log` |
| 199 | +* `gpos-synch-and-sysmaint.log` |
| 200 | +* `libreoffice-fullpackage-install.log` |
| 201 | +* `kes-antivirus-install.log` |
| 202 | +* and more... |
| 203 | + |
| 204 | +--- |
| 205 | + |
| 206 | +## 📌 Document Classification |
| 207 | + |
| 208 | +**RESTRICTED:** Internal use only. Confidential to IT management teams. |
| 209 | + |
| 210 | +© 2025 Luiz Hamilton. All rights reserved. |
153 | 211 |
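Review bot: The Document Classification text is tightened to "RESTRICTED: Internal use only. Confidential to IT management teams.", yet the Getting Started section in this same file clones the content from a public GitHub URL. Suggest either dropping the classification from the public README or stating that it applies only to the PDF guide. Separately, the new log list includes `libreoffice-fullpackage-install.log` and `kes-antivirus-install.log`, which no script in the overview tables is documented as producing.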
|
154 | 212 | ---
|
155 | 213 |
|
156 | 214 | ## ❓ Need Help?
|
157 | 215 |
|
158 |
| -This project is modular and adaptable. For help, check each folder's `README.md` or use the support links below: |
| 216 | +Check each folder’s `README.md` or contact support: |
159 | 217 |
|
160 | 218 | [](mailto:luizhamilton.lhr@gmail.com)
|
161 | 219 | [](https://www.patreon.com/brazilianscriptguy)
|
162 | 220 | [](https://buymeacoffee.com/brazilianscriptguy)
|
163 | 221 | [](https://ko-fi.com/brazilianscriptguy)
|
164 |
| -[](https://gofund.me/4599d3e6) |
165 | 222 | [](https://whatsapp.com/channel/0029VaEgqC50G0XZV1k4Mb1c)
|
166 |
| -[](https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite/blob/main/.github/ISSUE_TEMPLATE/CUSTOM_ISSUE_TEMPLATE.md) |
167 |
| -
|
168 |
| ---- |
169 |
| -
|
170 |
| -## 📌 Document Classification |
171 |
| -
|
172 |
| -**RESTRICTED:** This documentation is intended for internal use within the organization only. |
173 |
| -
|
174 |
| -© 2025 Luiz Hamilton. All rights reserved. |
| 223 | +[](https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite/issues) |