@p0w3rsh3ll
Last active August 31, 2019 16:16
#Requires -Version 4.0
#Requires -RunAsAdministrator
Function Invoke-PostInstallNoWUDeployment {
<#
.SYNOPSIS
Compiles and applies a local DSC configuration that controls Windows Update.

.DESCRIPTION
Begin   : declares the configuration data (desired state of the BITS and
          wuauserv services) and the DSC configuration
          WXPostInstallControlledWUDSCConfig, which sets Windows Update
          registry values and writes four files: On.cmd / Off.cmd on the
          public desktop and WUOn.ps1 / WUOff.ps1 under C:\windows.
Process : reconfigures WinRM (service, firewall rules, listener, auth),
          compiles the configuration to "$env:systemroot\TEMP\DSC" and
          applies it with Start-DscConfiguration against localhost.
End     : sets BITS and wuauserv to Automatic and starts them.

.NOTES
Takes no parameters. The file requires PowerShell 4.0 and an elevated session
(see the #Requires statements at the top of the file).
#>
[CmdletBinding()]
Param()
Begin {
# $HT is not referenced again anywhere in this function.
$HT = @{ ErrorAction = 'Stop'}
# Desired state of the services, consumed by the foreach loop in the
# configuration below through $Node.Services.
$ConfigurationData = @{
AllNodes =
@(
@{
NodeName = 'localhost'
Services = @(
@{ Name = 'BITS' ; StartupType = 'Manual' ; BuiltInAccount = 'LocalSystem' ; State = 'Stopped' },
@{ Name = 'wuauserv' ; StartupType = 'Disabled'; BuiltInAccount = 'LocalSystem' ; State = 'Stopped' }
)
}
)
}
Configuration WXPostInstallControlledWUDSCConfig {
param
(
[string[]]$NodeName = 'localhost'
)
Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
Node $NodeName
{
# NOTE(review): the Process block only calls Start-DscConfiguration; nothing
# in this function calls Set-DscLocalConfigurationManager. Confirm whether
# these LCM settings (auto-correct every 30 minutes) are actually applied.
LocalConfigurationManager
{
ConfigurationMode = 'ApplyAndAutoCorrect'
ConfigurationModeFrequencyMins = 30
RefreshFrequencyMins = 30
RebootNodeIfNeeded = $false
}
#region services
# One Service resource per entry of the node's Services list.
foreach ($s in $Node.Services)
{
Service $s.Name
{
Name = $s.Name;
BuiltInAccount = $s.BuiltInAccount ;
StartupType = $s.StartupType ;
State = $s.State
# State = 'Running';
}
}
#endregion
#region DSC WU UX
# The five values below are written under
# HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings.
# BranchReadinessLevel REG_DWORD 0x20
Registry BranchReadinessLevel
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
ValueName = 'BranchReadinessLevel'
Ensure = 'Present'
ValueData = '32'
ValueType = 'Dword'
Force = $true
}
# "ActiveHoursEnd"=dword:00000017 (23)
Registry ActiveHoursEnd
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
ValueName = 'ActiveHoursEnd'
Ensure = 'Present'
ValueData = '23'
ValueType = 'Dword'
Force = $true
}
# "ActiveHoursStart"=dword:00000006 (6)
Registry ActiveHoursStart
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
ValueName = 'ActiveHoursStart'
Ensure = 'Present'
ValueData = '6'
ValueType = 'Dword'
Force = $true
}
# "DeferFeatureUpdatesPeriodInDays"=dword:000000b9 (185d)
Registry DeferFeatureUpdatesPeriodInDays
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
ValueName = 'DeferFeatureUpdatesPeriodInDays'
Ensure = 'Present'
ValueData = '185'
ValueType = 'Dword'
Force = $true
}
# "DeferQualityUpdatesPeriodInDays"=dword:00000019 (25d)
Registry DeferQualityUpdatesPeriodInDays
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
ValueName = 'DeferQualityUpdatesPeriodInDays'
Ensure = 'Present'
ValueData = '25'
ValueType = 'Dword'
Force = $true
}
#endregion
#region WU Policies
# The four values below are written under the policy key
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The active-hours
# values repeat the 6 / 23 pair set in the UX\Settings region above.
Registry AUPowerManagement
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
ValueName = 'AUPowerManagement'
Ensure = 'Present'
ValueData = '0'
ValueType = 'Dword'
Force = $true
}
# SetActiveHours
Registry SetActiveHours
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
ValueName = 'SetActiveHours'
Ensure = 'Present'
ValueData = '1'
ValueType = 'Dword'
Force = $true
}
Registry ActiveHoursStartWU
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
ValueName = 'ActiveHoursStart'
Ensure = 'Present'
ValueData = '6'
ValueType = 'Dword'
Force = $true
}
Registry ActiveHoursEndWU
{
Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
ValueName = 'ActiveHoursEnd'
Ensure = 'Present'
ValueData = '23'
ValueType = 'Dword'
Force = $true
}
#endregion
# Rewrites On.cmd and Off.cmd as UTF-8 without a byte order mark. It depends
# on the two File resources that create them. TestScript always returns
# $false, so the resource never reports itself as already in the desired state.
Script RemoveBOM {
GetScript = {
@{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = ($true)
}
}
SetScript = {
# Remove BOM because File DSC resource creates a UTF8 file with BOM
'On','Off' |
Foreach-Object {
[System.IO.File]::WriteAllLines(
"C:\Users\Public\Desktop\$($_).cmd",
(Get-Content -Path "C:\Users\Public\Desktop\$($_).cmd"),
(New-Object System.Text.UTF8Encoding($False))
)
}
}
TestScript = {
return $false
}
DependsOn = '[File]WUOnCmd','[File]WUOffCmd'
}
# Launcher on the public desktop. It starts powershell.exe with
# -ExecutionPolicy Bypass on %systemroot%\WUOn.ps1, so execution policy is
# not a control for that script; what it runs depends on who can write to
# the .ps1 and to this .cmd (ACLs are not set here - verify on the target).
# WUOn.ps1 carries "#Requires -RunAsAdministrator", so the launcher has to be
# started elevated.
File WUOnCmd {
DestinationPath = 'C:\Users\Public\Desktop\On.cmd'
Ensure = 'Present';
Force = $true
Contents = @'
@echo off
%systemroot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass "%systemroot%\WUOn.ps1"
pause
'@
}
# Same launcher pattern as On.cmd, pointing at %systemroot%\WUOff.ps1.
File WUOffCmd {
DestinationPath = 'C:\Users\Public\Desktop\Off.cmd'
Ensure = 'Present';
Force = $true
Contents = @'
@echo off
%systemroot%\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass "%systemroot%\WUOff.ps1"
pause
'@
}
# "On" script: deletes the policy values that WUOff.ps1 adds, writes
# UserCost = 0x0 for each connection profile under the DusmSvc key
# (presumably the metered-connection flag - confirm), restarts DusmSvc,
# sets wuauserv to Automatic and starts it, then refreshes policy.
# NOTE(review): the destination is hard-coded to C:\windows while the .cmd
# launchers resolve %systemroot%; both must point at the same directory.
File WUOn {
DestinationPath = 'C:\windows\WUOn.ps1'
Ensure = 'Present';
Force = $true
Contents = @'
#Requires -RunAsAdministrator
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /f /reg:64
reg.exe --% delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /f /reg:64
Get-NetAdapter |
Get-NetConnectionProfile |
ForEach-Object {
& (Get-Command -Name "$($env:systemroot)\system32\reg.exe") @(
'add',"HKLM\SOFTWARE\Microsoft\DusmSvc\Profiles\$($_.InstanceID)\*",'/v','UserCost','/t','REG_DWORD','/d','0x0','/f','/reg:64'
)
}
Restart-Service -Name 'DusmSvc' -Force -Verbose
Set-Service -Name 'wuauserv' -StartupType 'Automatic' -Verbose -Confirm:$false
Start-Service -Name 'wuauserv' -PassThru -Verbose -Confirm:$false
gpupdate.exe /force /target:computer
usoclient.exe RefreshSettings
'@
}
# "Off" script: sets UseWUServer / NoAutoUpdate /
# DoNotConnectToWindowsUpdateInternetLocations / DisableDualScan to 1 and
# points WUServer and WUStatusServer at https://127.0.0.1:8531, writes
# UserCost = 0x2 per connection profile, then stops and disables wuauserv.
# NOTE(review): nothing in this file shows a service listening on
# 127.0.0.1:8531; while this state is active the update client has no other
# update source configured here - track how long hosts stay in it.
File WUOff {
DestinationPath = 'C:\windows\WUOff.ps1'
Ensure = 'Present';
Force = $true
Contents = @'
#Requires -RunAsAdministrator
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_dword /d 0x1 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /t REG_dword /d 0x0 /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "https://127.0.0.1:8531" /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "https://127.0.0.1:8531" /f /reg:64
reg.exe --% add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /t REG_SZ /d "" /f /reg:64
Get-NetAdapter |
Get-NetConnectionProfile |
ForEach-Object {
& (Get-Command -Name "$($env:systemroot)\system32\reg.exe") @(
'add',"HKLM\SOFTWARE\Microsoft\DusmSvc\Profiles\$($_.InstanceID)\*",'/v','UserCost','/t','REG_DWORD','/d','0x2','/f','/reg:64'
)
}
Restart-Service -Name 'DusmSvc' -Force -Verbose
Stop-Service -Name 'wuauserv' -Force -PassThru -Verbose -Confirm:$false
Set-Service -Name 'wuauserv' -StartupType 'Disabled' -Verbose -Confirm:$false
gpupdate.exe /force /target:computer
usoclient.exe RefreshSettings
'@
}
}
}
}
Process {
# Configure minimal WSMan/WinRM for DSC to work on Windows
Write-Verbose -Message 'Configuring WinRM WSMan listener for DSC'
# Restart WinRM and make it start automatically from now on.
Stop-Service -Name WinRM -PassThru |
Set-Service -StartupType Automatic -PassThru |
Start-Service
# Enable both built-in inbound WinRM HTTP rules, then restrict their remote
# address filter to 127.0.0.1. This filter is the only thing in this function
# that scopes inbound WinRM to loopback; the listener below binds Address="*".
Get-NetFirewallRule -Name @(
'WINRM-HTTP-In-TCP', # Public
'WINRM-HTTP-In-TCP-NoScope') | #Domain,Private
Enable-NetFirewallRule -PassThru |
Get-NetFirewallAddressFilter |
Set-NetFirewallAddressFilter -RemoteAddress '127.0.0.1'
# Disable-NetFirewallRule -Name WINRM-HTTP-In-TCP-NoScope
# Remove the existing listener entries matched by 'listener*' and create one
# HTTP listener on all addresses. NOTE(review): any listener configured
# before this runs (an HTTPS one, for example) would presumably be removed
# as well - confirm on hosts that already use WinRM.
Get-ChildItem -Path WSMan:\localhost\Listener -Include listener* |
Remove-Item -Recurse
New-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
# Service-side authentication: Kerberos is switched off, Negotiate is switched on.
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos -Value $false -Force
Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate -Value $true -Force
# Prepare for DSC
Write-Verbose -Message 'Starting to apply DSC configuration'
if (-not(test-path -Path "$($env:systemroot)\TEMP\DSC" -PathType Container)){
mkdir -Path "$($env:systemroot)\TEMP\DSC" -Force
}
# Compile DSC config
WXPostInstallControlledWUDSCConfig -OutputPath "$($env:systemroot)\TEMP\DSC" -ConfigurationData $ConfigurationData
# Apply it
Start-DscConfiguration -Path "$($env:systemroot)\TEMP\DSC" -ComputerName localhost -Verbose -Force -Wait
}
End {
# Sets both services to Automatic and starts them.
# NOTE(review): this differs from the Services entries in $ConfigurationData
# (BITS Manual/Stopped, wuauserv Disabled/Stopped) that the DSC run above
# has just applied - confirm which end state is intended.
'BITS','wuauserv' |
ForEach-Object {
Set-Service -Name $_ -StartupType Automatic -PassThru -Verbose
Start-Service -Name $_
}
# Remove next comment to turn off by default
# & 'C:\windows\WUOff.ps1'
}
} #endof Invoke-PostInstallNoWUDeployment
# Run the deployment and append its output to the post-install log.
# Stream 3 (warning) and stream 4 (verbose) are merged into the success stream
# before the append. Stream 2 (error) is not redirected, so errors are not
# written to this log file.
Invoke-PostInstallNoWUDeployment -Verbose >>C:\windows\temp\postinstall.log 3>&1 4>&1