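#Requires -Version 4.0
#Requires -RunAsAdministrator

Function Invoke-PostInstallNoWUDeployment {
<#
.SYNOPSIS
    Post-install step that puts Windows Update under manual control through a local DSC configuration.

.DESCRIPTION
    Begin   : declares the configuration data and the DSC configuration
              WXPostInstallControlledWUDSCConfig (service states, Windows Update registry
              values, two desktop launchers and the WUOn.ps1 / WUOff.ps1 scripts they start).
    Process : opens a WinRM HTTP listener whose firewall rules are scoped to 127.0.0.1,
              compiles the configuration into %systemroot%\TEMP\DSC and applies it to localhost.
    End     : sets BITS and wuauserv to Automatic and starts them.

.NOTES
    Security-relevant side effects worth reviewing before reuse:
      * The WinRM listener, the enabled firewall rules and the Kerberos/Negotiate auth
        settings are left in place after the function returns.
      * WUOff.ps1 points the update client at https://127.0.0.1:8531 and disables wuauserv,
        so the machine presumably receives no updates while that state is active.
      * The desktop launchers start PowerShell with -ExecutionPolicy Bypass; what they run
        is whatever sits at %systemroot%\WUOn.ps1 / WUOff.ps1 at that moment.
#>
    [CmdletBinding()]
    Param()
    Begin {
        # NOTE(review): $HT is not referenced anywhere else in this function.
        $HT = @{ ErrorAction = 'Stop'}

        # Per-node data consumed by the configuration below through $Node.Services.
        $ConfigurationData = @{
            AllNodes =
            @(
                @{
                    NodeName = 'localhost'
                    Services = @(
                        @{ Name = 'BITS'     ; StartupType = 'Manual'  ; BuiltInAccount = 'LocalSystem' ; State = 'Stopped' },
                        @{ Name = 'wuauserv' ; StartupType = 'Disabled'; BuiltInAccount = 'LocalSystem' ; State = 'Stopped' }
                    )
                }
            )
        }

        Configuration WXPostInstallControlledWUDSCConfig {
            param
            (
                [string[]]$NodeName = 'localhost'
            )
            Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

            Node $NodeName
            {
                # NOTE(review): LCM settings declared here end up in the generated meta.mof.
                # Nothing in this script calls Set-DscLocalConfigurationManager, so they are
                # presumably never applied - confirm before relying on auto-correction.
                LocalConfigurationManager
                {
                    ConfigurationMode = 'ApplyAndAutoCorrect'
                    ConfigurationModeFrequencyMins = 30
                    RefreshFrequencyMins = 30
                    RebootNodeIfNeeded = $false
                }

                #region services
                foreach ($s in $Node.Services)
                {
                    Service $s.Name
                    {
                        Name = $s.Name;
                        BuiltInAccount = $s.BuiltInAccount ;
                        StartupType = $s.StartupType ;
                        State = $s.State
                        # State = 'Running';
                    }
                }
                #endregion

                #region DSC WU UX
                # BranchReadinessLevel REG_DWORD 0x20
                Registry BranchReadinessLevel
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
                    ValueName = 'BranchReadinessLevel'
                    Ensure = 'Present'
                    ValueData = '32'
                    ValueType = 'Dword'
                    Force = $true
                }
                # "ActiveHoursEnd"=dword:00000017 (23)
                Registry ActiveHoursEnd
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
                    ValueName = 'ActiveHoursEnd'
                    Ensure = 'Present'
                    ValueData = '23'
                    ValueType = 'Dword'
                    Force = $true
                }
                # "ActiveHoursStart"=dword:00000006 (6)
                Registry ActiveHoursStart
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
                    ValueName = 'ActiveHoursStart'
                    Ensure = 'Present'
                    ValueData = '6'
                    ValueType = 'Dword'
                    Force = $true
                }
                # "DeferFeatureUpdatesPeriodInDays"=dword:000000b9 (185d)
                Registry DeferFeatureUpdatesPeriodInDays
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
                    ValueName = 'DeferFeatureUpdatesPeriodInDays'
                    Ensure = 'Present'
                    ValueData = '185'
                    ValueType = 'Dword'
                    Force = $true
                }
                # "DeferQualityUpdatesPeriodInDays"=dword:00000019 (25d)
                # Quality updates carry the security fixes; this value delays them by 25 days.
                Registry DeferQualityUpdatesPeriodInDays
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
                    ValueName = 'DeferQualityUpdatesPeriodInDays'
                    Ensure = 'Present'
                    ValueData = '25'
                    ValueType = 'Dword'
                    Force = $true
                }
                #endregion

                #region WU Policies
                Registry AUPowerManagement
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
                    ValueName = 'AUPowerManagement'
                    Ensure = 'Present'
                    ValueData = '0'
                    ValueType = 'Dword'
                    Force = $true
                }
                # SetActiveHours
                Registry SetActiveHours
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
                    ValueName = 'SetActiveHours'
                    Ensure = 'Present'
                    ValueData = '1'
                    ValueType = 'Dword'
                    Force = $true
                }
                Registry ActiveHoursStartWU
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
                    ValueName = 'ActiveHoursStart'
                    Ensure = 'Present'
                    ValueData = '6'
                    ValueType = 'Dword'
                    Force = $true
                }
                Registry ActiveHoursEndWU
                {
                    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
                    ValueName = 'ActiveHoursEnd'
                    Ensure = 'Present'
                    ValueData = '23'
                    ValueType = 'Dword'
                    Force = $true
                }
                #endregion

                # Rewrites On.cmd / Off.cmd without a UTF-8 byte order mark once the File
                # resources below have created them.
                Script RemoveBOM {
                    GetScript = {
                        @{
                            GetScript = $GetScript
                            SetScript = $SetScript
                            TestScript = $TestScript
                            Result = ($true)
                        }
                    }
                    SetScript = {
                        # Remove BOM because File DSC resource creates a UTF8 file with BOM
                        'On','Off' |
                        Foreach-Object {
                            [System.IO.File]::WriteAllLines(
                                "C:\Users\Public\Desktop\$($_).cmd",
                                (Get-Content -Path "C:\Users\Public\Desktop\$($_).cmd"),
                                (New-Object System.Text.UTF8Encoding($False))
                            )
                        }
                    }
                    TestScript = {
                        # Report "in desired state" only when both launchers exist and neither
                        # starts with the UTF-8 BOM (EF BB BF). The previous unconditional
                        # $false made SetScript rewrite both files on every evaluation.
                        foreach ($name in 'On','Off') {
                            $path = "C:\Users\Public\Desktop\$name.cmd"
                            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                                return $false
                            }
                            $bytes = [System.IO.File]::ReadAllBytes($path)
                            if ($bytes.Length -ge 3 -and
                                $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
                                return $false
                            }
                        }
                        return $true
                    }
                    DependsOn = '[File]WUOnCmd','[File]WUOffCmd'
                }

                # Desktop launchers. They start PowerShell with -ExecutionPolicy Bypass, so
                # the only control over what runs is the ACL on the launcher itself and on
                # the %systemroot%\WU*.ps1 target.
                # NOTE(review): confirm both locations are writable by administrators only.
                File WUOnCmd {
                    DestinationPath = 'C:\Users\Public\Desktop\On.cmd'
                    Ensure = 'Present';
                    Force = $true
                    Contents = @'
@echo off
%systemroot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass "%systemroot%\WUOn.ps1"
pause
'@
                }
                File WUOffCmd {
                    DestinationPath = 'C:\Users\Public\Desktop\Off.cmd'
                    Ensure = 'Present';
                    Force = $true
                    Contents = @'
@echo off
%systemroot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass "%systemroot%\WUOff.ps1"
pause
'@
                }

                # WUOn.ps1: deletes the blocking policy values, writes UserCost 0x0 for every
                # connection profile, then re-enables and starts wuauserv.
                File WUOn {
                    DestinationPath = 'C:\windows\WUOn.ps1'
                    Ensure = 'Present';
                    Force = $true
                    Contents = @'
#Requires -RunAsAdministrator
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /f /reg:64
Get-NetAdapter |
Get-NetConnectionProfile |
ForEach-Object {
    & (Get-Command -Name "$($env:systemroot)\system32\reg.exe") @(
        'add',"HKLM\SOFTWARE\Microsoft\DusmSvc\Profiles\$($_.InstanceID)\*",'/v','UserCost','/t','REG_DWORD','/d','0x0','/f','/reg:64'
    )
}
Restart-Service -Name 'DusmSvc' -Force -Verbose
Set-Service -Name 'wuauserv' -StartupType 'Automatic' -Verbose -Confirm:$false
Start-Service -Name 'wuauserv' -PassThru -Verbose -Confirm:$false
gpupdate.exe /force /target:computer
usoclient.exe RefreshSettings
'@
                }

                # WUOff.ps1: sets the blocking policy values, points WUServer / WUStatusServer
                # at https://127.0.0.1:8531, writes UserCost 0x2 for every connection profile,
                # then stops and disables wuauserv.
                # NOTE(review): presumably nothing listens on that loopback port, so the
                # machine stays unpatched for as long as this state is active - track how
                # long hosts are left "Off".
                File WUOff {
                    DestinationPath = 'C:\windows\WUOff.ps1'
                    Ensure = 'Present';
                    Force = $true
                    Contents = @'
#Requires -RunAsAdministrator
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /t REG_dword /d 0x0 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "https://127.0.0.1:8531" /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "https://127.0.0.1:8531" /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /t REG_SZ /d "" /f /reg:64
Get-NetAdapter |
Get-NetConnectionProfile |
ForEach-Object {
    & (Get-Command -Name "$($env:systemroot)\system32\reg.exe") @(
        'add',"HKLM\SOFTWARE\Microsoft\DusmSvc\Profiles\$($_.InstanceID)\*",'/v','UserCost','/t','REG_DWORD','/d','0x2','/f','/reg:64'
    )
}
Restart-Service -Name 'DusmSvc' -Force -Verbose
Stop-Service -Name 'wuauserv' -Force -PassThru -Verbose -Confirm:$false
Set-Service -Name 'wuauserv' -StartupType 'Disabled' -Verbose -Confirm:$false
gpupdate.exe /force /target:computer
usoclient.exe RefreshSettings
'@
                }
            }
        }
    }
    Process {
        # Configure minimal WSMan/WinRM for DSC to work on Windows
        Write-Verbose -Message 'Configuring WinRM WSMan listener for DSC'
        Stop-Service -Name WinRM -PassThru |
        Set-Service -StartupType Automatic -PassThru |
        Start-Service

        # Enable the built-in WinRM HTTP rules but restrict their remote address to
        # loopback. The listener created below binds to every address over plain HTTP,
        # so this firewall scope is the only thing keeping it local.
        Get-NetFirewallRule -Name @(
            'WINRM-HTTP-In-TCP', # Public
            'WINRM-HTTP-In-TCP-NoScope') | #Domain,Private
        Enable-NetFirewallRule -PassThru |
        Get-NetFirewallAddressFilter |
        Set-NetFirewallAddressFilter -RemoteAddress '127.0.0.1'
        # Disable-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope

        # Replace any existing listeners with a single HTTP listener.
        Get-ChildItem -Path WSMan:\localhost\Listener -Include listener* |
        Remove-Item -Recurse
        New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
        Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $false -Force
        Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate -Value $true -Force
        # NOTE(review): WinRM stays set to Automatic and the listener, firewall rules and
        # auth settings are not reverted later in this script. If nothing else on the host
        # needs remoting, tear them down after Start-DscConfiguration completes.

        # Prepare for DSC
        Write-Verbose -Message 'Starting to apply DSC configuration'
        if (-not(test-path -Path "$($env:systemroot)\TEMP\DSC" -PathType Container)){
            mkdir -Path "$($env:systemroot)\TEMP\DSC" -Force
        }
        # Compile DSC config
        WXPostInstallControlledWUDSCConfig -OutputPath "$($env:systemroot)\TEMP\DSC" -ConfigurationData $ConfigurationData
        # Apply it
        Start-DscConfiguration -Path "$($env:systemroot)\TEMP\DSC" -ComputerName localhost -Verbose -Force -Wait
    }
    End {
        # Switch both services back on. This overrides the Manual/Disabled + Stopped state
        # that the Service resources applied a moment ago in the Process block.
        'BITS','wuauserv' |
        ForEach-Object {
            Set-Service -Name $_ -StartupType Automatic -PassThru -Verbose
            Start-Service -Name $_
        }
        # Remove next comment to turn off by default
        # & 'C:\windows\WUOff.ps1'
    }
} #endof Invoke-PostInstallNoWUDeployment

# Append success, warning (3) and verbose (4) output to the post-install log.
Invoke-PostInstallNoWUDeployment -Verbose >>C:\windows\temp\postinstall.log 3>&1 4>&1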