mkropat · July 6, 2019 04:55
diff --git a/provision-base-box.ps1 b/provision-base-box.ps1
 # provision-base-box.ps1 - Prepare Server 2012 for building a Vagrant base box

 # Instructions:
 #
 # 1. Create a new Windows VM in VirtualBox
 # 2. Install Server 2012 R2 onto the VM
 # 3. Download and run this script from within the VM
 # 4. Install Windows Updates within the VM
 # 5. From the host machine, run: `vagrant package --base <name of VM in VirtualBox> --output <name>.box`
 # 6. Then run: `vagrant box add <name> /path/to/<name>.box

 function main {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -force

    Disable-UAC
    Write-Status "User Access Control (UAC) has been disabled."

    Disable-ServerManagerStartup
    Write-Status "Server Manager is disabled from running at logon."

    Disable-IEEnhancedSecurity
    Write-Status "IE Enhanced Security Configuration (ESC) has been disabled."

    Disable-ShutdownTracker
    Write-Status "Shutdown Tracker has been disabled."

    Disable-AutomaticUpdates
    Write-Status "Windows Update has been disabled."

    Disable-PasswordComplexityRequirements
    Write-Status "Passwords complexity requirements have been eased."

    Enable-RemoteDesktop
    Write-Status "Remote desktop enabled."

    Enable-WinRM
    Write-Status "WinRM has been configured and enabled."

    Disable-Firewall
    Write-Status "Windows Firewall has been disabled."

    Rename-User "Administrator" "vagrant" -ErrorAction SilentlyContinue
    Set-UserPassword "vagrant" "vagrant"
    Write-Status "Created 'vagrant' account from builtin 'Administrator' account."

    Write-Host "Restarting Computer." -ForegroundColor Yellow
    Restart-Computer
 }

 function Disable-UAC {
    New-ItemProperty -Path 'HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -PropertyType DWord -Value 0 -Force | Out-Null
 }

 function Disable-ServerManagerStartup {
    New-ItemProperty -Path 'HKLM:\Software\Microsoft\ServerManager' -Name DoNotOpenServerManagerAtLogon -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path 'HKCU:Software\Microsoft\ServerManager' -Name CheckedUnattendLaunchSetting -PropertyType DWord -Value 0 -Force | Out-Null
 }

 function Disable-IEEnhancedSecurity {
    $componentBasePath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $componentIds = @( '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' )
    foreach ($id in $componentIds) {
        $path = Join-Path $componentBasePath $id
        Set-ItemProperty -Path $path -Name 'IsInstalled' -Value 0 | Out-Null
    }

    Stop-Process -Name Explorer | Out-Null
 }

 function Disable-ShutdownTracker {
    # Reference: http://www.askvg.com/how-to-disable-remove-annoying-shutdown-event-tracker-in-windows-server-2003-2008/

    $reliabililtyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability"
    If (!(Test-Path $reliabililtyPath)) {
      New-Item -Path $reliabililtyPath
    }

    New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonOn" -PropertyType DWord -Value 0 -Force -ErrorAction Continue | Out-Null
    New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonUI" -PropertyType DWord -Value 0 -Force -ErrorAction Continue | Out-Null
 }

 function Disable-AutomaticUpdates {
    # Reference: http://www.benmorris.me/2012/05/1st-test-blog-post.html

    $autoUpdateSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
    $autoUpdateSettings.NotificationLevel = 1
    $autoUpdateSettings.Save()
 }

 function Disable-PasswordComplexityRequirements {
    # Reference: http://vlasenko.org/2011/04/27/removing-password-complexity-requirements-from-windows-server-2008-core/
    $seccfg = [IO.Path]::GetTempFileName()
    try {
        Run-Silently secedit /export /cfg $seccfg
        (Get-Content $seccfg) | foreach { $_ -replace "PasswordComplexity\s*=\s*1", "PasswordComplexity=0" } | Set-Content $seccfg
        Run-Silently secedit /configure /db $env:windir\security\new.sdb /cfg $seccfg /areas SECURITYPOLICY
    } finally {
        Remove-Item $seccfg
    }
 }

 function Enable-RemoteDesktop {
    # Reference: http://social.technet.microsoft.com/Forums/windowsserver/en-US/323d6bab-e3a9-4d9d-8fa8-dc4277be1729/enable-remote-desktop-connections-with-powershell

    $tsSettings = Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices
    $tsSettings.SetAllowTsConnections(1,1) | Out-Null

    $tsGeneralSettings = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'"
    $tsGeneralSettings.SetUserAuthenticationRequired(0) | Out-Null
 }

 function Enable-WinRM {
    Run-Silently winrm quickconfig -q
    Run-Silently winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
    Run-Silently winrm set winrm/config '@{MaxTimeoutms="1800000"}'
    Run-Silently winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    Run-Silently winrm set winrm/config/service/auth '@{Basic="true"}'
 }

 function Disable-Firewall {
    Run-Silently netsh advfirewall set allprofiles state off
 }

 function Rename-User {
    [CmdletBinding()]
    param($user, $newName)

    $adsiUser = [adsi]"WinNT://./$user,user"
    $adsiUser.PSBase.Rename($newName)
 }

 function Set-UserPassword($user, $password) {
    Run-Silently net user $user $password
 }

 function Run-Silently {
    param(
        [string]$script,
        [parameter(ValueFromRemainingArguments=$true)] $args
    )

    $output = & $script $args 2>&1 | Out-String
    if (-not $?) {
        Write-Output $output
    }
 }

 function Write-Status($text) {
    Write-Host $text -ForegroundColor Green
 }

 main
	# provision-base-box.ps1 - Prepare Server 2012 for building a Vagrant base box

	# Instructions:
	#
	# 1. Create a new Windows VM in VirtualBox
	# 2. Install Server 2012 R2 onto the VM
	# 3. Download and run this script from within the VM
	# 4. Install Windows Updates within the VM
	# 5. From the host machine, run: `vagrant package --base <name of VM in VirtualBox> --output <name>.box`
	# 6. Then run: `vagrant box add <name> /path/to/<name>.box

	function main {
	Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -force

	Disable-UAC
	Write-Status "User Access Control (UAC) has been disabled."

	Disable-ServerManagerStartup
	Write-Status "Server Manager is disabled from running at logon."

	Disable-IEEnhancedSecurity
	Write-Status "IE Enhanced Security Configuration (ESC) has been disabled."

	Disable-ShutdownTracker
	Write-Status "Shutdown Tracker has been disabled."

	Disable-AutomaticUpdates
	Write-Status "Windows Update has been disabled."

	Disable-PasswordComplexityRequirements
	Write-Status "Passwords complexity requirements have been eased."

	Enable-RemoteDesktop
	Write-Status "Remote desktop enabled."

	Enable-WinRM
	Write-Status "WinRM has been configured and enabled."

	Disable-Firewall
	Write-Status "Windows Firewall has been disabled."

	Rename-User "Administrator" "vagrant" -ErrorAction SilentlyContinue
	Set-UserPassword "vagrant" "vagrant"
	Write-Status "Created 'vagrant' account from builtin 'Administrator' account."

	Write-Host "Restarting Computer." -ForegroundColor Yellow
	Restart-Computer
	}

	function Disable-UAC {
	New-ItemProperty -Path 'HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -PropertyType DWord -Value 0 -Force \| Out-Null
	}

	function Disable-ServerManagerStartup {
	New-ItemProperty -Path 'HKLM:\Software\Microsoft\ServerManager' -Name DoNotOpenServerManagerAtLogon -PropertyType DWord -Value 1 -Force \| Out-Null
	New-ItemProperty -Path 'HKCU:Software\Microsoft\ServerManager' -Name CheckedUnattendLaunchSetting -PropertyType DWord -Value 0 -Force \| Out-Null
	}

	function Disable-IEEnhancedSecurity {
	$componentBasePath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
	$componentIds = @( '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}', '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' )
	foreach ($id in $componentIds) {
	$path = Join-Path $componentBasePath $id
	Set-ItemProperty -Path $path -Name 'IsInstalled' -Value 0 \| Out-Null
	}

	Stop-Process -Name Explorer \| Out-Null
	}

	function Disable-ShutdownTracker {
	# Reference: http://www.askvg.com/how-to-disable-remove-annoying-shutdown-event-tracker-in-windows-server-2003-2008/

	$reliabililtyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability"
	If (!(Test-Path $reliabililtyPath)) {
	New-Item -Path $reliabililtyPath
	}

	New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonOn" -PropertyType DWord -Value 0 -Force -ErrorAction Continue \| Out-Null
	New-ItemProperty -Path $reliabililtyPath -Name "ShutdownReasonUI" -PropertyType DWord -Value 0 -Force -ErrorAction Continue \| Out-Null
	}

	function Disable-AutomaticUpdates {
	# Reference: http://www.benmorris.me/2012/05/1st-test-blog-post.html

	$autoUpdateSettings = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
	$autoUpdateSettings.NotificationLevel = 1
	$autoUpdateSettings.Save()
	}

	function Disable-PasswordComplexityRequirements {
	# Reference: http://vlasenko.org/2011/04/27/removing-password-complexity-requirements-from-windows-server-2008-core/
	$seccfg = [IO.Path]::GetTempFileName()
	try {
	Run-Silently secedit /export /cfg $seccfg
	(Get-Content $seccfg) \| foreach { $_ -replace "PasswordComplexity\s=\s1", "PasswordComplexity=0" } \| Set-Content $seccfg
	Run-Silently secedit /configure /db $env:windir\security\new.sdb /cfg $seccfg /areas SECURITYPOLICY
	} finally {
	Remove-Item $seccfg
	}
	}

	function Enable-RemoteDesktop {
	# Reference: http://social.technet.microsoft.com/Forums/windowsserver/en-US/323d6bab-e3a9-4d9d-8fa8-dc4277be1729/enable-remote-desktop-connections-with-powershell

	$tsSettings = Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices
	$tsSettings.SetAllowTsConnections(1,1) \| Out-Null

	$tsGeneralSettings = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'"
	$tsGeneralSettings.SetUserAuthenticationRequired(0) \| Out-Null
	}

	function Enable-WinRM {
	Run-Silently winrm quickconfig -q
	Run-Silently winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
	Run-Silently winrm set winrm/config '@{MaxTimeoutms="1800000"}'
	Run-Silently winrm set winrm/config/service '@{AllowUnencrypted="true"}'
	Run-Silently winrm set winrm/config/service/auth '@{Basic="true"}'
	}

	function Disable-Firewall {
	Run-Silently netsh advfirewall set allprofiles state off
	}

	function Rename-User {
	[CmdletBinding()]
	param($user, $newName)

	$adsiUser = [adsi]"WinNT://./$user,user"
	$adsiUser.PSBase.Rename($newName)
	}

	function Set-UserPassword($user, $password) {
	Run-Silently net user $user $password
	}

	function Run-Silently {
	param(
	[string]$script,
	[parameter(ValueFromRemainingArguments=$true)] $args
	)

	$output = & $script $args 2>&1 \| Out-String
	if (-not $?) {
	Write-Output $output
	}
	}

	function Write-Status($text) {
	Write-Host $text -ForegroundColor Green
	}

	main