Prepare Server 2012 for building a Vagrant base box
# provision-base-box.ps1 - Prepare Server 2012 for building a Vagrant base box
#
# WARNING: this script deliberately rolls back default hardening (UAC, Windows
# Firewall, RDP Network Level Authentication, WinRM encryption and Basic auth,
# password complexity) and installs the published default credential
# vagrant/vagrant on the built-in administrator account. The resulting box is
# for a throwaway development VM on a host-only/NAT network only: do not expose
# it to a shared, bridged or public network, and change the credential in any
# image derived from it.
#
# Instructions:
# 1. Create a new Windows VM in VirtualBox
# 2. Install Server 2012 R2 onto the VM
# 3. Download this script into the VM, read it (it disables security controls
#    and must run from an elevated PowerShell), then run it
# 4. Install Windows Updates within the VM (the script turns Automatic Updates
#    off, so this is the only patching the box will receive)
# 5. From the host machine, run: `vagrant package --base <name of VM in VirtualBox> --output <name>.box`
# 6. Then run: `vagrant box add <name> /path/to/<name>.box`
# Entry point: applies the box-preparation steps in order and reports each one.
# Every step weakens the default Windows hardening (UAC, firewall, RDP NLA,
# WinRM transport security, password policy) and installs a published default
# credential (vagrant/vagrant). The result is suitable ONLY for a disposable
# dev VM on a host-only/NAT network - never package or deploy it where it is
# reachable from an untrusted network.
# NOTE(review): in this copy of the file the Disable-*/Enable-* calls that each
# Write-Status line reports on are not visible, and the function's closing
# brace is missing - lines appear to have been lost in extraction. Confirm
# against the original before running.
function main {
# RemoteSigned still runs unsigned scripts created locally; only scripts
# carrying an Internet zone mark must be signed. It is the minimum needed to
# run this script, not a hardening step.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -force
Write-Status "User Access Control (UAC) has been disabled."
Write-Status "Server Manager is disabled from running at logon."
Write-Status "IE Enhanced Security Configuration (ESC) has been disabled."
Write-Status "Shutdown Tracker has been disabled."
Write-Status "Windows Update has been disabled."
Write-Status "Passwords complexity requirements have been eased."
Write-Status "Remote desktop enabled."
Write-Status "WinRM has been configured and enabled."
Write-Status "Windows Firewall has been disabled."
# Renames the built-in Administrator account (RID 500) rather than creating a
# second local admin.
# NOTE(review): Rename-User's visible param block has no [CmdletBinding()], so
# -ErrorAction is probably not accepted as a common parameter here - confirm
# whether the original declares it or whether this line errors.
Rename-User "Administrator" "vagrant" -ErrorAction SilentlyContinue
# Well-known default password used by Vagrant boxes. Together with Basic auth
# over unencrypted WinRM, RDP without NLA and a disabled firewall, anyone who
# can reach the VM's network has administrator. Rotate or remove it in any
# derived image that leaves the local hypervisor.
Set-UserPassword "vagrant" "vagrant"
Write-Status "Created 'vagrant' account from builtin 'Administrator' account."
# Several changes above (EnableLUA, the account rename) typically take effect
# only after a reboot; the Restart-Computer call is not visible in this copy.
Write-Host "Restarting Computer." -ForegroundColor Yellow
# Turns off User Account Control entirely by clearing EnableLUA under the
# System policy key. With UAC off, processes started by an administrator run
# with the full token - no elevation prompt, no split token - which removes a
# whole layer of defence against anything that runs on the box. Tolerable for
# a disposable dev VM only. Typically takes effect after the next reboot.
# -Force overwrites an existing value; output is discarded.
function Disable-UAC {
New-ItemProperty -Path 'HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -PropertyType DWord -Value 0 -Force | Out-Null
# Stops Server Manager from auto-launching at logon: a machine-wide value
# under HKLM plus a per-user setting under HKCU. The HKCU write only affects
# the account running this script (the administrator that main renames to
# 'vagrant'); other local users keep the default. Cosmetic, no security impact.
function Disable-ServerManagerStartup {
New-ItemProperty -Path 'HKLM:\Software\Microsoft\ServerManager' -Name DoNotOpenServerManagerAtLogon -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path 'HKCU:Software\Microsoft\ServerManager' -Name CheckedUnattendLaunchSetting -PropertyType DWord -Value 0 -Force | Out-Null
# Disables Internet Explorer Enhanced Security Configuration by marking two
# Active Setup components as not installed. The two GUIDs are presumably the
# ESC entries for the Administrators and Users groups respectively - confirm
# against Microsoft's documentation before relying on that. ESC is the
# server-side browser lockdown; with it off, IE on this box uses
# workstation-grade zone settings. Only matters if someone browses from the VM.
# Set-ItemProperty (not New-ItemProperty) is used, so it fails if either key
# is absent, e.g. on an image without IE ESC.
function Disable-IEEnhancedSecurity {
$componentBasePath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$componentIds = @( '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' )
foreach ($id in $componentIds) {
$path = Join-Path $componentBasePath $id
Set-ItemProperty -Path $path -Name 'IsInstalled' -Value 0 | Out-Null
# Restarting Explorer applies the change without a logoff. Indentation and the
# loop's closing brace were lost in this copy, so whether this runs once or
# once per component ID cannot be told from here.
Stop-Process -Name Explorer | Out-Null
# Suppresses the Shutdown Event Tracker (the "why are you shutting down"
# prompt) through the Reliability policy key, creating the key if it does
# not exist. Forensics note: with the tracker off, shutdown events no longer
# carry an operator-entered reason; the shutdown/restart events themselves
# should still be written by the system.
# Reference: (URL lost in this copy of the file)
function Disable-ShutdownTracker {
# Reference:
$reliabililtyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability"
If (!(Test-Path $reliabililtyPath)) {
# Not piped to Out-Null, so the new key object is emitted to the output stream.
New-Item -Path $reliabililtyPath
# -ErrorAction Continue: a failed write is reported but does not stop the run.
New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonOn" -PropertyType DWord -Value 0 -Force -ErrorAction Continue | Out-Null
New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonUI" -PropertyType DWord -Value 0 -Force -ErrorAction Continue | Out-Null
# Turns off Automatic Updates through the Windows Update Agent COM API.
# NotificationLevel 1 is the "disabled" level of the
# AutomaticUpdatesNotificationLevel enumeration. The box will never
# self-patch: step 4 of the header installs updates once before packaging,
# and everything built from the box inherits exactly that patch level, so
# consumers must patch after bringing the box up.
# NOTE(review): the Save() call normally needed to persist Settings changes is
# not visible in this copy - confirm it was not lost.
# Reference: (URL lost in this copy of the file)
function Disable-AutomaticUpdates {
# Reference:
$autoUpdateSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
$autoUpdateSettings.NotificationLevel = 1
# Relaxes the local password policy so the short, non-complex 'vagrant'
# password can be set: exports the current security policy with secedit,
# flips PasswordComplexity from 1 to 0 in the exported INF, and re-applies
# the SECURITYPOLICY area from a fresh database. The change is machine-wide:
# every local account on the box may now use a weak password.
# The exported INF contains policy settings, not credentials, so its short
# life in %TEMP% is not a secret-leak concern; it is removed in finally
# whether or not secedit succeeds.
# Reference: (URL lost in this copy of the file)
function Disable-PasswordComplexityRequirements {
# Reference:
$seccfg = [IO.Path]::GetTempFileName()
try {
Run-Silently secedit /export /cfg $seccfg
# Regex tolerates whitespace around '='; Set-Content rewrites the file in place.
(Get-Content $seccfg) | foreach { $_ -replace "PasswordComplexity\s*=\s*1", "PasswordComplexity=0" } | Set-Content $seccfg
# Failure here is only surfaced by Run-Silently's own check; if the import
# silently fails, complexity stays on and the later `net user` password set
# would likely be rejected.
Run-Silently secedit /configure /db $env:windir\security\new.sdb /cfg $seccfg /areas SECURITYPOLICY
} finally {
Remove-Item $seccfg
# Allows Remote Desktop connections and then turns OFF Network Level
# Authentication on the RDP-tcp listener.
# SetAllowTsConnections(1,1): enables connections; the second argument
# presumably also opens the RDP firewall exception (per the WMI method's
# documentation - confirm).
# SetUserAuthenticationRequired(0): NLA disabled, so a client reaches the
# session/listener code path before it has authenticated. NLA exists
# precisely to keep unauthenticated peers away from that surface; this is
# the most exposure-increasing line for RDP in the file and is defensible
# only because the box is expected to live on a host-only/NAT network.
# Reference: (URL lost in this copy of the file)
function Enable-RemoteDesktop {
# Reference:
$tsSettings = Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices
$tsSettings.SetAllowTsConnections(1,1) | Out-Null
$tsGeneralSettings = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'"
$tsGeneralSettings.SetUserAuthenticationRequired(0) | Out-Null
# Configures WinRM the way Vagrant's WinRM communicator expects.
# quickconfig -q: starts the service, creates an HTTP listener (port 5985 by
# default) and opens the matching firewall exception, without prompting.
# MaxMemoryPerShellMB / MaxTimeoutms: more headroom for long provisioners.
# AllowUnencrypted=true + Basic=true: the administrator credential travels
# base64-encoded (i.e. trivially recoverable) over plain HTTP with no
# message-level encryption, and so does every command and its output. Anyone
# on the same network segment can capture the password and run commands.
# Acceptable on a host-only adapter; never on a shared or bridged network.
# Prefer an HTTPS listener if the box will be reachable by other hosts.
function Enable-WinRM {
Run-Silently winrm quickconfig -q
Run-Silently winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
Run-Silently winrm set winrm/config '@{MaxTimeoutms="1800000"}'
Run-Silently winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Run-Silently winrm set winrm/config/service/auth '@{Basic="true"}'
# Turns off Windows Firewall for all three profiles (Domain, Private, Public).
# Every listener on the box (WinRM, RDP, SMB, ...) becomes reachable from any
# network the VM is attached to. This is the change that turns the other
# relaxations in this file into remotely reachable exposure; with a
# host-only/NAT adapter the hypervisor is the only boundary left.
function Disable-Firewall {
Run-Silently netsh advfirewall set allprofiles state off
# Renames a local account via ADSI (WinNT provider). Only the lookup is
# visible in this copy; the Rename/SetInfo call and the closing brace appear
# to have been lost - confirm against the original.
# NOTE(review): the param block has no [CmdletBinding()], so the
# `-ErrorAction SilentlyContinue` that main passes would probably fail to bind
# rather than be honoured, unless the original declares it.
function Rename-User {
param($user, $newName)
$adsiUser = [adsi]"WinNT://./$user,user"
# Sets a local account password with `net user`. The password is passed on
# the command line, so it appears in process listings, PowerShell transcripts
# and any process-creation auditing that records command lines. Fine for the
# published vagrant default; not a pattern to reuse for a real secret.
function Set-UserPassword($user, $password) {
Run-Silently net user $user $password
# Runs a native command, capturing stdout and stderr, and prints the captured
# output only when the command appears to have failed.
# NOTE(review): `$script` is used below but not declared in the visible
# parameter list; the `param(` line and the $script parameter were presumably
# lost in this copy. Naming the remaining-arguments parameter $args also
# shadows PowerShell's automatic $args variable.
# NOTE(review): `$?` after `& $script $args 2>&1 | Out-String` may reflect the
# pipeline (Out-String) rather than the native command's exit code;
# `$LASTEXITCODE -ne 0` is the check that sees the native exit status. Since
# every hardening rollback in this file (secedit, winrm, netsh, net user) goes
# through here, a silent failure leaves the box half-configured with no
# message - worth confirming on a real run.
function Run-Silently {
[parameter(ValueFromRemainingArguments=$true)] $args
$output = & $script $args 2>&1 | Out-String
if (-not $?) {
Write-Output $output
# Prints a progress line to the console in green. Purely cosmetic: nothing is
# returned and nothing is written to the output stream.
function Write-Status($text) {
Write-Host -Object $text -ForegroundColor 'Green'
