@Froosh
Last active October 26, 2021 12:36
Set-KdsConfiguration for non-default KDS Root Key generation in Windows Server 2022. Run this **before** Add-KdsRootKey, because there is (probably) no _supported_ way to remove existing KDS Root Keys from an AD once they have been created.
#Requires -Version 5.1
#Requires -RunAsAdministrator
Param (
    # Woo, Password Based Key Derivation Function number 2
    [ValidateSet('PBKDF2', 'SP800_108_CTR_HMAC')]
    [string]
    $KdfAlgorithm = 'PBKDF2',

    # Honestly, SHA512 is the default on Server 2022, but this might also work on older Server versions
    [ValidateSet('SHA512', 'SHA384', 'SHA256', 'SHA1')]
    [string]
    $HMAC = 'SHA512',

    # Cheating, but really, who doesn't want to use an elliptic curve these days
    [ValidateSet('ECDH')]
    [string]
    $SecretAgreementType = 'ECDH',

    # I couldn't get 521 to work, so 384 is all you get
    [ValidateSet(256, 384)]
    [int]
    $SecretAgreementKeyLength = 384
)

# Null-terminated array of Unicode (UTF-16LE) bytes for the HMAC name
$HMACBytes = [System.Text.Encoding]::Unicode.GetBytes($HMAC) + [byte[]] @(0, 0)

# Length of the HMAC name (terminator included) as a little-endian 4-byte array
$HMACLength = [System.BitConverter]::GetBytes([int] $HMACBytes.Length)

# KDF parameter blob layout per MS-GKDI (KDF Parameters):
# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/9946aeff-a914-45e9-b9e5-6cb5b4059187
# 8 bytes fixed header, 4-byte name length, 4 bytes padding, then the null-terminated name
$KdfParameters = [byte[]] (@(0, 0, 0, 0, 1, 0, 0, 0) + $HMACLength + @(0, 0, 0, 0) + $HMACBytes)

# Set the preferred Key Derivation Function and its parameters (the HMAC name)
Set-KdsConfiguration -KdfAlgorithm $KdfAlgorithm -KdfParameters $KdfParameters

# Squish the algorithm name together with the desired key length, e.g. ECDH_P384
$SecretAgreementAlgorithm = '{0}_P{1}' -f $SecretAgreementType, $SecretAgreementKeyLength

# Set the preferred Secret Agreement Algorithm and matching public/private key lengths
Set-KdsConfiguration -SecretAgreementAlgorithm $SecretAgreementAlgorithm `
    -SecretAgreementPublicKeyLength $SecretAgreementKeyLength `
    -SecretAgreementPrivateKeyLength $SecretAgreementKeyLength `
    -SecretAgreementParameters $null
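Once the configuration has been written, the only way to confirm that the KDF parameter blob was built correctly is to read it back. The following is an added example, not part of the gist: it builds the same MS-GKDI KDF parameter blob, decodes it again, and compares the decoded hash name with what the KDS service currently reports, so a mistake is caught before Add-KdsRootKey bakes the settings into a root key. It assumes that the object returned by Get-KdsConfiguration exposes KdfAlgorithm and KdfParameters properties; the function names are hypothetical.

```powershell
# Added example: build, decode and verify the MS-GKDI KDF parameter blob.
# Assumption: Get-KdsConfiguration returns an object with KdfAlgorithm and
# KdfParameters properties (the KdsServerConfiguration object).

function New-KdsKdfParameterBlob {
    [CmdletBinding()]
    param (
        [ValidateSet('SHA512', 'SHA384', 'SHA256', 'SHA1')]
        [string] $HashName = 'SHA512'
    )
    # Null-terminated UTF-16LE hash name, as in the gist
    $nameBytes = [System.Text.Encoding]::Unicode.GetBytes($HashName) + [byte[]] @(0, 0)
    [byte[]] (
        @(0, 0, 0, 0, 1, 0, 0, 0) +
        [System.BitConverter]::GetBytes([int] $nameBytes.Length) +
        @(0, 0, 0, 0) +
        $nameBytes
    )
}

function Read-KdsKdfParameterBlob {
    [CmdletBinding()]
    param ([byte[]] $Blob)
    # Header (8) + length (4) + padding (4) must be present before the name
    if ($Blob.Length -lt 16) {
        throw "Blob is $($Blob.Length) bytes; expected at least 16."
    }
    $nameLength = [System.BitConverter]::ToInt32($Blob, 8)
    if ((16 + $nameLength) -ne $Blob.Length) {
        throw "Declared name length $nameLength does not match blob size $($Blob.Length)."
    }
    if ($Blob[$Blob.Length - 2] -ne 0 -or $Blob[$Blob.Length - 1] -ne 0) {
        throw 'Hash name is not null-terminated.'
    }
    # Drop the two terminator bytes before decoding
    $name = [System.Text.Encoding]::Unicode.GetString($Blob, 16, $nameLength - 2)
    [pscustomobject] @{
        HashName    = $name
        NameLength  = $nameLength
        TotalLength = $Blob.Length
    }
}

function Test-KdsKdfConfiguration {
    [CmdletBinding()]
    param (
        [ValidateSet('PBKDF2', 'SP800_108_CTR_HMAC')]
        [string] $ExpectedKdfAlgorithm,
        [ValidateSet('SHA512', 'SHA384', 'SHA256', 'SHA1')]
        [string] $ExpectedHashName
    )
    $live    = Get-KdsConfiguration
    $decoded = Read-KdsKdfParameterBlob -Blob ([byte[]] $live.KdfParameters)
    $ok = ($live.KdfAlgorithm -eq $ExpectedKdfAlgorithm) -and ($decoded.HashName -eq $ExpectedHashName)
    [pscustomobject] @{
        Matches       = $ok
        LiveKdf       = $live.KdfAlgorithm
        LiveHashName  = $decoded.HashName
        ExpectedKdf   = $ExpectedKdfAlgorithm
        ExpectedHash  = $ExpectedHashName
    }
}

# Local round-trip: the blob we build must decode to the name we put in
$local = Read-KdsKdfParameterBlob -Blob (New-KdsKdfParameterBlob -HashName 'SHA512')
'Local blob decodes to {0} ({1} bytes total)' -f $local.HashName, $local.TotalLength

# Compare against the running KDS configuration (same defaults as the gist's script)
Test-KdsKdfConfiguration -ExpectedKdfAlgorithm 'PBKDF2' -ExpectedHashName 'SHA512' | Format-List
```

Run the check on the domain controller where Set-KdsConfiguration was executed; a Matches value of False means the written blob or algorithm differs from what was intended and should be corrected before any root key is created.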