
@christrotter
Created May 1, 2018 17:55
WinRM for Packer
<#
Bootstrap script that opens WinRM on a Windows build instance so Packer can connect to it.

Much of this is direct from the Packer documentation:
https://www.packer.io/intro/getting-started/build-image.html#a-windows-example
Everything else from random other blogs.
'PostToSlack' is one of our in-house functions, just sends stuff to a slack channel.

NOTE(review): every setting below trades security for build convenience (fixed
Administrator password, firewall off, unencrypted HTTP listener, Basic auth,
TrustedHosts = *, UAC remote token filtering disabled). Nothing in this script
reverts them, so unless a later provisioning step does, they are baked into the
resulting image. Confirm that a cleanup step runs before the image is captured.
#>
Write-Output "Setting the administrator password to facilitate WinRM config."
# NOTE(review): hard-coded credential. Anyone who can read this script (or the
# instance user data it is delivered in) learns the local Administrator password.
# Presumably it must match the winrm_password in the Packer template - confirm -
# and it should be treated as a throwaway build-time value that is rotated or
# replaced before the image is used.
net user Administrator SuperS3cr3t!
# Disable password expiry for the Administrator account.
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
Write-Output "Turning off the firewall entirely, we use security groups for this."
# Disables Windows Firewall on all profiles. Host-level filtering is gone from
# here on; the only remaining network control is whatever sits outside the
# instance (per the message above, cloud security groups).
netsh advfirewall set allprofiles state off
PostToSlack "Setting up WinRM for Packer..."
Write-Output "Doing basic winrm configuration..."
# Delete any existing WinRM listeners
# (stderr is discarded so a missing listener does not produce noise)
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
# Create a new WinRM listener and configure
# Only a plain-HTTP listener is created, bound to all addresses; no HTTPS
# listener is recreated after the delete above.
winrm create winrm/config/listener?Address=*+Transport=HTTP
# Sets the per-shell memory quota to 0 (presumably "no limit" - confirm).
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
# 7200000 ms = 2 hours.
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
# Service accepts unencrypted traffic. Together with Basic auth below, the
# Administrator credentials cross the network base64-encoded but not encrypted.
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
# Enable Basic authentication on both the service and the client side.
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
# Same client-side relaxations applied through the WSMan: provider
# (the Basic setting repeats the winrm command just above).
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True -Force
set-item WSMan:\localhost\Client\Auth\Basic -Value True -Force
# TrustedHosts = * makes the WinRM client on this machine trust every remote host.
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Enable-PSRemoting -force
# Configure UAC to allow privilege elevation in remote shells
# LocalAccountTokenFilterPolicy = 1 turns off UAC remote token filtering, so local
# administrator accounts get a full elevated token over remote connections.
# This value persists in the registry after the build unless it is reset.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
# This isn't technically necessary, but I'm superstitious about WinRM at this point.
# With the firewall already disabled above, this rule only matters if the firewall
# is turned back on later; remoteip=any then admits WinRM over HTTP from any address.
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
# Report the final service state to Slack so a failed bootstrap is visible.
$winrmServiceStatus = (Get-Service winrm).Status
if ($winrmServiceStatus -ne 'Running') {
PostToSlack ":red-x: WinRM not running!!"
}
else {
PostToSlack ":white_check_mark: WinRM is running!!"
}