Created
April 28, 2020 15:15
-
-
Save mpoore/4ec1b989092e24b18544ae654dde4952 to your computer and use it in GitHub Desktop.
Phase 2 configuration script for Windows 2019 deployment using Packer
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Second-phase configuration of vanilla Windows Server installation to progress Packer.io builds | |
# @author Michael Poore | |
# @website https://blog.v12n.io | |
$ErrorActionPreference = "Stop" | |
# Variables | |
$certUrl = "http://<<PKI server>>/CertEnroll" | |
$certRoot = "Root-CA.crt" | |
$certIssuing = "uIssuing-CA.crt" | |
$repository = "http://<<artifactory>>:8082/artifactory/packer-local/windows/common/utils/BGinfo" | |
$bgiBinary = "Bginfo64.exe" | |
$bgiConfig = "v12n.bgi" | |
# SettingSet Explorer view options | |
Write-Host "Setting default Explorer view options" | |
Set-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "Hidden" 1 | Out-Null | |
Set-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "HideFileExt" 0 | Out-Null | |
Set-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "HideDrivesWithNoMedia" 0 | Out-Null | |
Set-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "ShowSyncProviderNotifications" 0 | Out-Null | |
# Disable system hibernation | |
Write-Host "Disabling system hibernation" | |
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Power\" -Name "HiberFileSizePercent" -Value 0 | Out-Null | |
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Power\" -Name "HibernateEnabled" -Value 0 | Out-Null | |
# Disable TLS 1.0 | |
Write-Host "Disabling TLS 1.0" | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" | Out-Null | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" | Out-Null | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 1 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 1 | Out-Null | |
# Disable TLS 1.1 | |
Write-Host "Disabling TLS 1.1" | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" | Out-Null | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" | Out-Null | |
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 0 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 1 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 0 | Out-Null | |
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 1 | Out-Null | |
# Disable password expiration for Administrator | |
Write-Host "Disabling password expiration for local Administrator user" | |
Set-LocalUser Administrator -PasswordNeverExpires $true | |
# Enabling RDP connections | |
Write-Host "Enabling RDP connections" | |
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes | |
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 | Out-Null | |
# Install trusted CA certificates | |
# @source: https://github.com/virtualhobbit | |
# Get certificates | |
ForEach ($cert in $certRoot,$certIssuing) { | |
Invoke-WebRequest -Uri ($certUrl + "/" + $cert) -OutFile C:\$cert | |
} | |
# Import Root CA certificate | |
Import-Certificate -FilePath C:\$certRoot -CertStoreLocation 'Cert:\LocalMachine\Root' | |
# Import Issuing CA certificate | |
Import-Certificate -FilePath C:\$certIssuing -CertStoreLocation 'Cert:\LocalMachine\CA' | |
# Delete certificates | |
ForEach ($cert in $certRoot,$certIssuing) { | |
Remove-Item C:\$cert -Confirm:$false | |
} | |
# Install BGinfo | |
# @source: https://github.com/virtualhobbit | |
$regKey = "HKLM:/SOFTWARE/Microsoft/Windows NT/CurrentVersion" | |
If ((Get-ItemProperty $regKey).InstallationType -ne "Server Core") { | |
# Create folder | |
$targetFolder = "C:\Program Files\Bginfo" | |
New-Item $targetFolder -Itemtype Directory | |
# Get files | |
Invoke-WebRequest -Uri $repository/$bgiBinary -OutFile $targetFolder\$bgiBinary | |
Invoke-WebRequest -Uri $repository/$bgiConfig -OutFile $targetFolder\$bgiConfig | |
# Create shortcut | |
$targetFile = "$targetFolder\$bgiBinary" | |
$shortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bginfo.lnk" | |
$scriptShell = New-Object -ComObject WScript.Shell -Verbose | |
$shortcut = $scriptShell.CreateShortcut($shortcutFile) | |
$shortcut.TargetPath = $targetFile | |
$arg1 = """$targetFolder\$bgiConfig""" | |
$arg2 = "/timer:0 /accepteula" | |
$shortcut.Arguments = $arg1 + " " + $arg2 | |
$shortcut.Save() | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment