Tuesday, September 16, 2014
HBSS with DISA config
Well, I have been talking about Compose for my last few posts, so let's continue. I want to discuss the steps involved in installing HBSS with the DISA config. When I did this it was pretty difficult, as I had to do a lot of searches and pull a lot of guides to get this set up properly on the network. I did, however, just find someone who put all of the steps down in a readable format from start to finish. The steps are below.
- I am using vSphere to run the virtualized environment, and the HBSS was deployed directly to a VM following the DISA Guide. Within vSphere Client after the initial install, all I had to do was change the NIC to use the vSphere VM Network portgroup. This is the portgroup I use to access my environment's "infrastructure" VLAN.
- In the HBSS guest, set the Network Location Awareness to private by editing Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies -> Unidentified Networks. Then use "netsh int ip reset" to reset the NIC completely (very important); this requires a reboot.
- Disable IPv6 per the
- Assign the same IP address as was used for the original HBSS Manual Install (172.24.4.31). This is an enclave-local IP address; set one to match your needs.
- Because our enclave is local, we have our own Certificate Authority (CA). Thus, the Windows Server Update Services (WSUS) server to be used to update the HBSS server has a certificate from our local CA. To enable this to work, I installed our local CA top-level certificate to the HBSS guest as a trusted root certificate.
- Update HBSS to reference the local WSUS server by modifying local group policy. Keep in mind that the DISA HBSS image must not be a member of your domain, so any Group Policy Object (GPO) changes must be applied locally to the HBSS guest!
- Apply all Windows Updates. The DISA Guide actually has this as a separate set of instructions, but I wanted to make sure that all updates were applied before I proceeded. In my case, a number of .NET Framework 4 updates refused to upgrade and we finally had to install them one by one; sysadmins, be aware of this problem and be assured that updates can be applied with effort and persistence.
- Verified that the HBSS 4.6.6 package from DISA is the latest version as of 08 AUG 13.
- During the name change (Steps 4.1.5 to 4.1.21) used HBSSEPO002MV; the original DISA name was HBSS2K8-FOC. Also installed VMware Tools, set the default suffix (domain) to armycloud.cloud.army.mil, verified networking, activated Windows, and performed a reboot.
- Prior to running the DISA HBSS Rename Script (Step 5.1), be sure to update DNS for the HBSS hostname *and* update the related PTR record. Not sure if this is required, but it is safest to ensure that reverse DNS queries return the expected values. Also, the instructions state that a system reboot is necessary after the script completes, but the script doesn't actually prompt the user to do this reboot. So, I performed a manual reboot after the rename script finished successfully (around 10 minutes to run).
- Step 6.1 has you log in to the ePO Server; the default credentials are admin/Charming1! (the "HBSS Configuration Guide" points this out, but not the "Build From Image Guide"). Also, for the master key name, used HBSSEPO002MV to match the VM name.
- After the final reboot (after setting up the master key), be sure to set the "McAfee ePolicy Orchestrator 4.6.6 Event Parser" service to Automatic (and start it). The "Build From Image Guide" has you set it to Manual, but this results in warnings when you log in to the ePO Server console.
I got these steps from https://www.softwareab.net/wordpress/hbss-installing-the-disa-image/ and he has a lot of links to reference to maintain the system as well. I hope this helps anyone who is trying to get HBSS up and running on a COMPOSE network.
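The following PowerShell script is an added example, not code from this post or from the softwareab.net write-up. It scripts the guest-local steps above that do not depend on the DISA rename script: static IP and DNS suffix, disabling IPv6, importing the enclave root CA, pointing Windows Update at the local WSUS server, checking that the WSUS TLS certificate now chains to a trusted root, checking that the A and PTR records agree before Step 5.1, and setting the Event Parser service to Automatic. The hostname, IP address and DNS suffix come from the steps above; the subnet mask, gateway, DNS server, NIC name, WSUS URL and certificate path are placeholders (marked ASSUMED in the code) that must be replaced for a real enclave. It uses netsh, certutil and .NET calls rather than the NetTCPIP or DnsClient cmdlets so that it runs on the Server 2008 R2 image the DISA build is based on.

```powershell
# Added example: scripting the guest-local HBSS configuration steps.
# Run from an elevated PowerShell prompt on the (non-domain-joined) HBSS guest,
# AFTER "netsh int ip reset" and its reboot, since that reset wipes the NIC settings below.
$Hostname   = "HBSSEPO002MV"                  # from the steps above
$DnsSuffix  = "armycloud.cloud.army.mil"      # from the steps above
$IPAddress  = "172.24.4.31"                   # from the steps above
$SubnetMask = "255.255.255.0"                 # ASSUMED
$Gateway    = "172.24.4.1"                    # ASSUMED
$DnsServer  = "172.24.4.10"                   # ASSUMED (the enclave DNS server)
$NicName    = "Local Area Connection"         # ASSUMED (check with: netsh interface show interface)
$WsusUrl    = "https://wsus.armycloud.cloud.army.mil:8531"   # ASSUMED; HTTPS, cert issued by the local CA
$RootCaCer  = "C:\Temp\enclave-root-ca.cer"   # ASSUMED path to the exported root CA certificate

# Static IP, DNS server and primary DNS suffix on the enclave-facing NIC.
netsh interface ipv4 set address name="$NicName" source=static address=$IPAddress mask=$SubnetMask gateway=$Gateway
netsh interface ipv4 set dnsservers name="$NicName" source=static address=$DnsServer primary
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Domain" -Value $DnsSuffix

# Disable IPv6 on all interfaces (DisabledComponents = 0xFF); takes effect after a reboot.
$tcpip6 = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
New-ItemProperty -Path $tcpip6 -Name DisabledComponents -PropertyType DWord -Value 0xFF -Force | Out-Null

# Trust the enclave CA so the WSUS server's TLS certificate chains to a trusted root.
certutil -addstore -f Root $RootCaCer | Out-Null

# Point Windows Update at the local WSUS server. The guest is not domain-joined, so this is set
# locally; these are the HKLM\SOFTWARE\Policies values that the local GPO setting writes.
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
New-Item -Path "$wu\AU" -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl
New-ItemProperty -Path "$wu\AU" -Name UseWUServer -PropertyType DWord -Value 1 -Force | Out-Null
wuauclt /detectnow

# Check: a TLS handshake with WSUS must not fail with TrustFailure, or the root CA import did not take.
# An HTTP-level error (e.g. 403 on the root URL) is fine here; only the certificate trust is being tested.
try {
    $resp = [System.Net.WebRequest]::Create("$WsusUrl/").GetResponse()
    $resp.Close()
    Write-Host "WSUS TLS trust OK"
} catch [System.Net.WebException] {
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Warning "WSUS certificate is not trusted: verify the root CA import"
    } else {
        Write-Host "WSUS TLS handshake OK (HTTP-level status: $($_.Exception.Status))"
    }
}

# Precondition for Step 5.1: forward (A) and reverse (PTR) lookups must both return the new name/IP.
$fqdn = "$Hostname.$DnsSuffix"
$fwd  = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
$rev  = [System.Net.Dns]::GetHostEntry($IPAddress).HostName
if (($fwd -contains $IPAddress) -and ($rev -ieq $fqdn)) {
    Write-Host "DNS A and PTR records agree: $fqdn <-> $IPAddress"
} else {
    Write-Warning "DNS mismatch: A -> $fwd, PTR -> $rev; fix DNS before running the rename script"
}

# Final step: the Event Parser service must be Automatic and running, or the ePO console warns.
$parser = Get-Service -DisplayName "McAfee ePolicy Orchestrator*Event Parser*"
Set-Service -Name $parser.Name -StartupType Automatic
Start-Service -Name $parser.Name
Get-Service -Name $parser.Name | Format-List DisplayName, Status, StartType
```

Two caveats. Writing the WindowsUpdate values straight into HKLM\SOFTWARE\Policies has the same effect as the local GPO edit, but gpedit.msc will not show them and a later local-policy change to the same setting will overwrite them; if you want the setting visible in the Local Group Policy Editor, make the change there instead. The Network Location Awareness change in the second step (Unidentified Networks -> Private) is left to the policy editor as the steps describe, because Server 2008 R2 has no cmdlet for it; the Set-NetConnectionProfile cmdlet only exists on Server 2012 and later.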