ausarb/UserData.xml

## UserData.xml
<powershell>
$rdpTemplate = @"
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1200
session bpp:i:32
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:THEADDRESS
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
"@

function Output-RdpShortcut {
    param([string]$shortcutName, [string]$address)
    Set-Content -Path "C:\Users\Public\Desktop\$($shortcutName).rdp" -Value $rdpTemplate.replace("THEADDRESS", $address)
}

Output-RdpShortcut -shortcutName 'another-jump1' -address 'another-jump1.example.com'
Output-RdpShortcut -shortcutName 'another-jump2' -address 'another-jump2.example.com'

Write-Host "Installing Chocolatey."
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
refreshenv

# sdelete to clean up log files later
choco install sdelete -y

# Install DUO security first so that we're protected before creating any local users.
# The admin user is safe because the instance isn't even created with a key pair.
$duo_creds = (Get-SECSecretValue -SecretId duo-security-jump-host-integration).SecretString | ConvertFrom-Json
choco install duo-authentication -y --package-parameters="'/IKEY:$($duo_creds.integration_key) /SKEY:$($duo_creds.secret_key) /HOST:$($duo_creds.api_hostname) /AUTOPUSH:#1 /FAILOPEN:#1 /RDPONLY:#0'"
$duo_creds = $null
# Only the commercial version of choco supports securely passing parameters to installers, so sdelete the logs to hide the sensitive DUO info
sdelete "C:\ProgramData\chocolatey\logs\*.log"

Write-Host "Creating local user"
$creds = (Get-SECSecretValue -SecretId jump-host-local-user-creds).SecretString | ConvertFrom-Json
$password = ConvertTo-SecureString $creds.password -AsPlainText -Force
$username = $creds.username
$creds = $null
New-LocalUser -Name $username -Password $password -PasswordNeverExpires

Add-LocalGroupMember -Group "Administrators" -Member $username
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $username

choco install googlechrome -y
choco install notepadplusplus -y
choco install vscode -y
choco install sourcetree -y
choco install mobaxterm -y
choco install awscli -y
choco install docker-desktop -y

# Enable automatic updates and installs
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 4
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AutomaticMaintenanceEnabled -Value 1
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallDay -Value 0
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallEveryWeek -Value 1
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallTime -Value 3

Restart-Computer -Force # Reboot is required for docker-desktop but it's good practice to do it at the end anyways
Add-LocalGroupMember -Group "docker-users" -Member $username
</powershell>
	<powershell>
	$rdpTemplate = @"
	screen mode id:i:2
	use multimon:i:0
	desktopwidth:i:1920
	desktopheight:i:1200
	session bpp:i:32
	winposstr:s:0,3,0,0,800,600
	compression:i:1
	keyboardhook:i:2
	audiocapturemode:i:0
	videoplaybackmode:i:1
	connection type:i:7
	networkautodetect:i:1
	bandwidthautodetect:i:1
	displayconnectionbar:i:1
	enableworkspacereconnect:i:0
	disable wallpaper:i:0
	allow font smoothing:i:0
	allow desktop composition:i:0
	disable full window drag:i:1
	disable menu anims:i:1
	disable themes:i:0
	disable cursor setting:i:0
	bitmapcachepersistenable:i:1
	full address:s:THEADDRESS
	audiomode:i:0
	redirectprinters:i:1
	redirectcomports:i:0
	redirectsmartcards:i:1
	redirectclipboard:i:1
	redirectposdevices:i:0
	autoreconnection enabled:i:1
	authentication level:i:2
	prompt for credentials:i:0
	negotiate security layer:i:1
	remoteapplicationmode:i:0
	alternate shell:s:
	shell working directory:s:
	gatewayhostname:s:
	gatewayusagemethod:i:4
	gatewaycredentialssource:i:4
	gatewayprofileusagemethod:i:0
	promptcredentialonce:i:0
	gatewaybrokeringtype:i:0
	use redirection server name:i:0
	rdgiskdcproxy:i:0
	kdcproxyname:s:
	"@

	function Output-RdpShortcut {
	param([string]$shortcutName, [string]$address)
	Set-Content -Path "C:\Users\Public\Desktop\$($shortcutName).rdp" -Value $rdpTemplate.replace("THEADDRESS", $address)
	}

	Output-RdpShortcut -shortcutName 'another-jump1' -address 'another-jump1.example.com'
	Output-RdpShortcut -shortcutName 'another-jump2' -address 'another-jump2.example.com'

	Write-Host "Installing Chocolatey."
	Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
	refreshenv

	# sdelete to clean up log files later
	choco install sdelete -y

	# Install DUO security first so that we're protected before creating any local users.
	# The admin user is safe because the instance isn't even created with a key pair.
	$duo_creds = (Get-SECSecretValue -SecretId duo-security-jump-host-integration).SecretString \| ConvertFrom-Json
	choco install duo-authentication -y --package-parameters="'/IKEY:$($duo_creds.integration_key) /SKEY:$($duo_creds.secret_key) /HOST:$($duo_creds.api_hostname) /AUTOPUSH:#1 /FAILOPEN:#1 /RDPONLY:#0'"
	$duo_creds = $null
	# Only the commercial version of choco supports securely passing parameters to installers, so sdelete the logs to hide the sensitive DUO info
	sdelete "C:\ProgramData\chocolatey\logs\*.log"

	Write-Host "Creating local user"
	$creds = (Get-SECSecretValue -SecretId jump-host-local-user-creds).SecretString \| ConvertFrom-Json
	$password = ConvertTo-SecureString $creds.password -AsPlainText -Force
	$username = $creds.username
	$creds = $null
	New-LocalUser -Name $username -Password $password -PasswordNeverExpires

	Add-LocalGroupMember -Group "Administrators" -Member $username
	Add-LocalGroupMember -Group "Remote Desktop Users" -Member $username

	choco install googlechrome -y
	choco install notepadplusplus -y
	choco install vscode -y
	choco install sourcetree -y
	choco install mobaxterm -y
	choco install awscli -y
	choco install docker-desktop -y

	# Enable automatic updates and installs
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 4
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AutomaticMaintenanceEnabled -Value 1
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -Value 0
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallDay -Value 0
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallEveryWeek -Value 1
	Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name ScheduledInstallTime -Value 3

	Restart-Computer -Force # Reboot is required for docker-desktop but it's good practice to do it at the end anyways
	Add-LocalGroupMember -Group "docker-users" -Member $username
	</powershell>