Debugging Post-Setup Commands

gtissington

Hi,

I have this post-setup command.
command | args
netsh | advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes

It does not enable the predefined firewall rule. I have also tried using the "advfirewall firewall new rule" method. I have tried this in both Machine and User sections of post-setup.

In all cases nothing happens. No new rule is created and the pre-defined rule is not enabled.

Questions:
1. I've seen in the forums that exporting a wfw rules file from Windows Firewall and then using netsh to import them may work. That seems like just the same thing I'm doing, but I only need the one rule. Is there a difference? Some reason wfw would work where my command wouldn't?
2. Is there a way to debug what is happening with my command? Is there any logging? Or a way to pause the install at the post-install step and run the command manually?
3. How is Post-Setup implemented? Is it just unattend.xml <FirstLogonCommands>? Or implemented somewhere else?

Thanks all for your help.
 
1. Post-Setup (Machine) commands are collected, and written to a single CMD script:
sources\$OEM$\$$\Setup\Files\SetupComplete.cmd

If you're not on an OEM licensed PC, Windows\Setup\Files\SetupComplete.cmd is run right after OOBE, but before first user logon.
If you have to use OEM SetupComplete for an OEM PC, SetupComplete.cmd is run from autounattend.xml as a specialize pass command.

2. Post-Setup (User) commands are collected, and written in the registry as RunOnceEx commands. They are executed on first user logon.

For debugging, I usually add "> C:\path\log.txt" at the end of Parameters to see if any errors are thrown. Unless there's some path dependency, anything you execute in Post-Setup can be tested (dry-run) by running the same commands from an Admin CMD.

Since your netsh firewall rule works perfectly fine on a live system, you should check your image edits.
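
A logging wrapper for the debugging approach described in this answer, as an added example that is not part of the original post and is not the script the imaging tool generates. It appends both stdout and stderr plus each command's exit code to a log, and records the rule state before and after the change; the log path and the :run label are assumptions chosen for illustration.

```batch
@echo off
rem Added example: debug wrapper for commands run from SetupComplete.cmd.
rem LOG is an assumed path; pick any location writable at that stage.
setlocal EnableExtensions
set "LOG=%SystemDrive%\PostSetup-debug.log"

>>"%LOG%" echo ==== Post-Setup debug run %DATE% %TIME% ====

rem Record which account the script runs under.
call :run whoami

rem Rule state before, the change itself, and rule state after.
call :run netsh advfirewall firewall show rule name="File and Printer Sharing (Echo Request - ICMPv4-In)"
call :run netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
call :run netsh advfirewall firewall show rule name="File and Printer Sharing (Echo Request - ICMPv4-In)"

endlocal
exit /b 0

:run
rem Log the command line, its stdout and stderr, then its exit code.
>>"%LOG%" echo [%TIME%] %*
%* >>"%LOG%" 2>&1
>>"%LOG%" echo [%TIME%] exit code: %ERRORLEVEL%
exit /b 0
```

Running the same file from an elevated CMD on a live system gives a reference log to compare against the one produced during setup.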
 
With WFC I import the rules with this command:

netsh advfirewall import "<name_rules>.wfw"

I don't know if it can be useful to you
 
Thanks for your replies. The debug log output was a big help. But after many tries I still don't have this working. I did get the Post-Setup script to run correctly. However, it seems to have an interaction with the "Skip Machine OOBE" and "Skip User OOBE" settings.

Can I have Skip OOBE selected and still have the Post-Setup run? So far I've not got this to work.

Any suggestions?

Thanks again.



 
For anything other than W7, SkipOOBE settings should never be used.

They exist for backwards compatibility, but usually break things when used on W10/11 installs. I know some will disagree with this point – but I don't have problems like others. For W10/11, use the other Hide settings to skip over the privacy choices.
 
Thanks so much for your help. That fits. After the last post I've done a few more trials and it is working as you describe. Now I just need to find the incantation to make the network "private". Network "Home" doesn't seem to do what I need.

Overall I'm trying to set up an ISO image that is open only for Ansible WinRM management. It's a process but I'm getting there.

It is amazing to have people like you answer so quickly. Much appreciated.

Garth
 