# Windows AMIs don't have WinRM enabled by default -- this script will enable WinRM
# AND install 7-zip, curl and .NET 4 if it's missing. (Note: this copy of the script
# only contains the password change and WinRM/firewall setup; the install steps are
# not present below.)
# Then use the EC2 tools to create a new AMI from the result, and you have a system
# that will execute user-data as a PowerShell script after the instance fires up!
# This has been tested on Windows 2008 SP2 64bits AMIs provided by Amazon
#
# Inject this as user-data of a Windows 2008 AMI, like this (edit the adminPassword to your needs).
# Caveat: user-data is readable from inside the instance by any local process via the
# instance metadata endpoint, so treat a password passed this way as exposed and rotate it
# once bootstrapping is done:
#
# <powershell>
# Set-ExecutionPolicy Unrestricted
# icm $executioncontext.InvokeCommand.NewScriptBlock((New-Object Net.WebClient).DownloadString('https://gist.github.com/masterzen/6714787/raw')) -ArgumentList "adminPassword"
# # NOTE: this runs whatever the gist serves at boot time. Pin the URL to a specific gist
# # revision (the raw URL with the commit hash) so a later edit to the gist cannot change
# # what executes as Administrator on your instances.
# </powershell>
#
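param(
    # Password to set on the built-in Administrator account; must be non-empty.
    # (Mandatory already rejects $null/'' when running unattended.)
    [Parameter(Mandatory=$true)]
    [string]
    $AdminPassword,

    # Whether the WinRM service may accept Basic auth over plain HTTP
    # (winrm/config/service AllowUnencrypted). Defaults to $true to keep the
    # original behaviour that EC2 tooling relies on; pass $false once an HTTPS
    # listener is configured so credentials never cross the wire in clear text.
    [bool]
    $AllowUnencrypted = $true
)
Start-Transcript -Path 'c:\bootstrap-transcript.txt' -Force
Set-StrictMode -Version Latest
# Machine-wide and persistent: this setting is baked into the resulting AMI and
# is what lets later user-data run as a script. Narrow it (e.g. -Scope Process)
# if the image must not ship with an Unrestricted policy.
Set-ExecutionPolicy Unrestricted
$log = 'c:\Bootstrap.txt'

# Interactive fallback only (there is no console under EC2 user-data).
while (($AdminPassword -eq $null) -or ($AdminPassword -eq ''))
{
    $securePassword = Read-Host "Enter a non-null / non-empty Administrator password" -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
    try {
        $AdminPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    }
    finally {
        # Zero and free the unmanaged copy of the password (the original leaked it).
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Work from the profile directory: set both the PowerShell location and the
# .NET process CWD, which Set-Location alone does not update.
Set-Location -Path $Env:USERPROFILE
[Environment]::CurrentDirectory = (Get-Location -PSProvider FileSystem).ProviderPath

# Change the Administrator password through ADSI instead of `net user`:
#  - the password is never placed on a command line, so it does not show up in
#    process listings or command-line auditing;
#  - net.exe prompts interactively for passwords longer than 14 characters,
#    which can stall an unattended run.
$adminAccount = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$adminAccount.SetPassword($AdminPassword)
$adminAccount.SetInfo()
Add-Content $log -value "Changed Administrator password"

# `winrm id` produces no output when WinRM is not yet configured. In that case,
# if LocalAccountTokenFilterPolicy is absent, set it to 1 so UAC does not strip
# the admin token from remote logons with local (non-domain) accounts, which
# would otherwise make WinRM access as Administrator fail.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winrmIdentity = & winrm id
$tokenPolicy = Get-ItemProperty -Path $policyPath -name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
if ((-not $winrmIdentity) -and ($tokenPolicy -eq $null))
{
    New-ItemProperty -Path $policyPath -name LocalAccountTokenFilterPolicy -value 1 -propertyType dword
    Add-Content $log -value "Added LocalAccountTokenFilterPolicy since winrm id could not be executed"
}

# Enable the WinRM service and HTTP listener, then raise the per-shell memory
# and request timeout limits for long-running remote sessions.
& winrm quickconfig -q
& winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1000"}'
& winrm set winrm/config '@{MaxTimeoutms="1800000"}'
& winrm set winrm/config/client/auth '@{Basic="true"}'
& winrm set winrm/config/service/auth '@{Basic="true"}'
if ($AllowUnencrypted)
{
    # SECURITY: Basic auth + AllowUnencrypted sends the Administrator password
    # base64-encoded (effectively in clear) over TCP/5985. Only acceptable when
    # the security group restricts 5985 to trusted sources; otherwise run with
    # -AllowUnencrypted $false and set up an HTTPS listener.
    & winrm set winrm/config/service '@{AllowUnencrypted="true"}'
}
Add-Content $log -value "Ran quickconfig for winrm"

# Explicit inbound rule for the public profile (quickconfig's own rule is
# presumably not sufficient for the profile EC2 networks land in -- confirm).
& netsh advfirewall firewall add rule name="WinRM" dir=in action=allow protocol=TCP localport=5985 profile=public
Add-Content $log -value "Ran firewall config to allow incoming winrm"
Stop-Transcript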