Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
WinRM for Packer
<#
Much of this is direct from the Packer documentation:
https://www.packer.io/intro/getting-started/build-image.html#a-windows-example
Everything else from random other blogs.
'PostToSlack' is one of our in-house functions, just sends stuff to a slack channel.
#>
Write-Output "Setting the administrator password to facilitate WinRM config."
net user Administrator SuperS3cr3t!
wmic useraccount where "name='Administrator'" set PasswordExpires=FALSE
Write-Output "Turning off the firewall entirely, we use security groups for this."
netsh advfirewall set allprofiles state off
PostToSlack "Setting up WinRM for Packer..."
Write-Output "Doing basic winrm configuration..."
# Delete any existing WinRM listeners
winrm delete winrm/config/listener?Address=*+Transport=HTTP 2>$Null
winrm delete winrm/config/listener?Address=*+Transport=HTTPS 2>$Null
# Create a new WinRM listener and configure
winrm create winrm/config/listener?Address=*+Transport=HTTP
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
winrm set winrm/config '@{MaxTimeoutms="7200000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{MaxConcurrentOperationsPerUser="12000"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client/auth '@{Basic="true"}'
set-item WSMan:\localhost\Client\AllowUnencrypted -Value True -Force
set-item WSMan:\localhost\Client\Auth\Basic -Value True -Force
set-item WSMan:\localhost\Client\TrustedHosts -Value * -Force
Enable-PSRemoting -force
# Configure UAC to allow privilege elevation in remote shells
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Configure and restart the WinRM Service; Enable the required firewall exception
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Automatic
# This isn't technically necessary, but I'm superstitious about WinRM at this point.
netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new action=allow localip=any remoteip=any
Start-Service -Name WinRM
$winrmServiceStatus = (Get-Service winrm).Status
if ($winrmServiceStatus -ne 'Running') {
PostToSlack ":red-x: WinRM not running!!"
}
else {
PostToSlack ":white_check_mark: WinRM is running!!"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment