| #Requires -Version 3.0 |
| |
| # This sysprep script is a combination of Ansible's WinRM configuration script |
| # (linked below) and a handful of NDK specific sysprep tasks. They are merged |
| # into a single script because GCE requires that we provide a single sysprep |
| # script. |
| # |
| # https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 |
| |
| # Configure a Windows host for remote management with Ansible |
| # ----------------------------------------------------------- |
| # |
| # This script checks the current WinRM (PS Remoting) configuration and makes |
| # the necessary changes to allow Ansible to connect, authenticate and |
| # execute PowerShell commands. |
| # |
| # All events are logged to the Windows EventLog, useful for unattended runs. |
| # |
| # Use option -Verbose in order to see the verbose output messages. |
| # |
| # Use option -CertValidityDays to specify how long this certificate is valid |
| # starting from today. So you would specify -CertValidityDays 3650 to get |
| # a 10-year valid certificate. |
| # |
| # Use option -ForceNewSSLCert if the system has been SysPreped and a new |
| # SSL Certificate must be forced on the WinRM Listener when re-running this |
| # script. This is necessary when a new SID and CN name is created. |
| # |
| # Use option -EnableCredSSP to enable CredSSP as an authentication option. |
| # |
| # Use option -SkipNetworkProfileCheck to skip the network profile check. |
| # Without specifying this the script will only run if the device's interfaces |
| # are in DOMAIN or PRIVATE zones. Provide this switch if you want to enable |
| # WinRM on a device with an interface in PUBLIC zone. |
| # |
| # Use option -SubjectName to specify the CN name of the certificate. This |
| # defaults to the system's hostname and generally should not be specified. |
| |
| # Written by Trond Hindenes <[email protected]> |
| # Updated by Chris Church <[email protected]> |
| # Updated by Michael Crilly <[email protected]> |
| # Updated by Anton Ouzounov <[email protected]> |
| # Updated by Nicolas Simond <[email protected]> |
| # Updated by Dag Wiers <[email protected]> |
| # Updated by Jordan Borean <[email protected]> |
| # |
| # Version 1.0 - 2014-07-06 |
| # Version 1.1 - 2014-11-11 |
| # Version 1.2 - 2015-05-15 |
| # Version 1.3 - 2016-04-04 |
| # Version 1.4 - 2017-01-05 |
| # Version 1.5 - 2017-02-09 |
| # Version 1.6 - 2017-04-18 |
| |
| # Support -Verbose option |
| [CmdletBinding()] |
| |
| Param ( |
| [string]$SubjectName = $env:COMPUTERNAME, |
| [int]$CertValidityDays = 1095, |
| [switch]$SkipNetworkProfileCheck, |
| $CreateSelfSignedCert = $true, |
| [switch]$ForceNewSSLCert, |
| [switch]$EnableCredSSP |
| ) |
| |
| Function Write-Log |
| { |
| $Message = $args[0] |
| Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message |
| } |
| |
| Function Write-VerboseLog |
| { |
| $Message = $args[0] |
| Write-Verbose $Message |
| Write-Log $Message |
| } |
| |
| Function Write-HostLog |
| { |
| $Message = $args[0] |
| Write-Host $Message |
| Write-Log $Message |
| } |
| |
| Function New-LegacySelfSignedCert |
| { |
| Param ( |
| [string]$SubjectName, |
| [int]$ValidDays = 1095 |
| ) |
| |
| $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" |
| $name.Encode("CN=$SubjectName", 0) |
| |
| $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" |
| $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" |
| $key.KeySpec = 1 |
| $key.Length = 4096 |
| $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" |
| $key.MachineContext = 1 |
| $key.Create() |
| |
| $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" |
| $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") |
| $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" |
| $ekuoids.Add($serverauthoid) |
| $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" |
| $ekuext.InitializeEncode($ekuoids) |
| |
| $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" |
| $cert.InitializeFromPrivateKey(2, $key, "") |
| $cert.Subject = $name |
| $cert.Issuer = $cert.Subject |
| $cert.NotBefore = (Get-Date).AddDays(-1) |
| $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) |
| $cert.X509Extensions.Add($ekuext) |
| $cert.Encode() |
| |
| $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" |
| $enrollment.InitializeFromRequest($cert) |
| $certdata = $enrollment.CreateRequest(0) |
| $enrollment.InstallResponse(2, $certdata, 0, "") |
| |
| # extract/return the thumbprint from the generated cert |
| $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 |
| $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) |
| |
| return $parsed_cert.Thumbprint |
| } |
| |
| # Setup error handling. |
| Trap |
| { |
| $_ |
| Exit 1 |
| } |
| $ErrorActionPreference = "Stop" |
| |
| # Get the ID and security principal of the current user account |
| $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() |
| $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID) |
| |
| # Get the security principal for the Administrator role |
| $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator |
| |
| # Check to see if we are currently running "as Administrator" |
| if (-Not $myWindowsPrincipal.IsInRole($adminRole)) |
| { |
| Write-Host "ERROR: You need elevated Administrator privileges in order to run this script." |
| Write-Host " Start Windows PowerShell by using the Run as Administrator option." |
| Exit 2 |
| } |
| |
| $EventSource = $MyInvocation.MyCommand.Name |
| If (-Not $EventSource) |
| { |
| $EventSource = "Powershell CLI" |
| } |
| |
| If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) |
| { |
| New-EventLog -LogName Application -Source $EventSource |
| } |
| |
| # Detect PowerShell version. |
| If ($PSVersionTable.PSVersion.Major -lt 3) |
| { |
| Write-Log "PowerShell version 3 or higher is required." |
| Throw "PowerShell version 3 or higher is required." |
| } |
| |
| # Find and start the WinRM service. |
| Write-Verbose "Verifying WinRM service." |
| If (!(Get-Service "WinRM")) |
| { |
| Write-Log "Unable to find the WinRM service." |
| Throw "Unable to find the WinRM service." |
| } |
| ElseIf ((Get-Service "WinRM").Status -ne "Running") |
| { |
| Write-Verbose "Setting WinRM service to start automatically on boot." |
| Set-Service -Name "WinRM" -StartupType Automatic |
| Write-Log "Set WinRM service to start automatically on boot." |
| Write-Verbose "Starting WinRM service." |
| Start-Service -Name "WinRM" -ErrorAction Stop |
| Write-Log "Started WinRM service." |
| |
| } |
| |
| # WinRM should be running; check that we have a PS session config. |
| If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener))) |
| { |
| If ($SkipNetworkProfileCheck) { |
| Write-Verbose "Enabling PS Remoting without checking Network profile." |
| Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop |
| Write-Log "Enabled PS Remoting without checking Network profile." |
| } |
| Else { |
| Write-Verbose "Enabling PS Remoting." |
| Enable-PSRemoting -Force -ErrorAction Stop |
| Write-Log "Enabled PS Remoting." |
| } |
| } |
| Else |
| { |
| Write-Verbose "PS Remoting is already enabled." |
| } |
| |
| # Make sure there is a SSL listener. |
| $listeners = Get-ChildItem WSMan:\localhost\Listener |
| If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"})) |
| { |
| # We cannot use New-SelfSignedCertificate on 2012R2 and earlier |
| $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays |
| Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" |
| |
| # Create the hashtables of settings to be used. |
| $valueset = @{ |
| Hostname = $SubjectName |
| CertificateThumbprint = $thumbprint |
| } |
| |
| $selectorset = @{ |
| Transport = "HTTPS" |
| Address = "*" |
| } |
| |
| Write-Verbose "Enabling SSL listener." |
| New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset |
| Write-Log "Enabled SSL listener." |
| } |
| Else |
| { |
| Write-Verbose "SSL listener is already active." |
| |
| # Force a new SSL cert on Listener if the $ForceNewSSLCert |
| If ($ForceNewSSLCert) |
| { |
| |
| # We cannot use New-SelfSignedCertificate on 2012R2 and earlier |
| $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays |
| Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint" |
| |
| $valueset = @{ |
| CertificateThumbprint = $thumbprint |
| Hostname = $SubjectName |
| } |
| |
| # Delete the listener for SSL |
| $selectorset = @{ |
| Address = "*" |
| Transport = "HTTPS" |
| } |
| Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset |
| |
| # Add new Listener with new SSL cert |
| New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset |
| } |
| } |
| |
| # Check for basic authentication. |
| $basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"} |
| If (($basicAuthSetting.Value) -eq $false) |
| { |
| Write-Verbose "Enabling basic auth support." |
| Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true |
| Write-Log "Enabled basic auth support." |
| } |
| Else |
| { |
| Write-Verbose "Basic auth is already enabled." |
| } |
| |
| # If EnableCredSSP if set to true |
| If ($EnableCredSSP) |
| { |
| # Check for CredSSP authentication |
| $credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "CredSSP"} |
| If (($credsspAuthSetting.Value) -eq $false) |
| { |
| Write-Verbose "Enabling CredSSP auth support." |
| Enable-WSManCredSSP -role server -Force |
| Write-Log "Enabled CredSSP auth support." |
| } |
| } |
| |
| # Configure firewall to allow WinRM HTTPS connections. |
| $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" |
| $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any |
| If ($fwtest1.count -lt 5) |
| { |
| Write-Verbose "Adding firewall rule to allow WinRM HTTPS." |
| netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow |
| Write-Log "Added firewall rule to allow WinRM HTTPS." |
| } |
| ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5)) |
| { |
| Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile." |
| netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any |
| Write-Log "Updated firewall rule to allow WinRM HTTPS for any profile." |
| } |
| Else |
| { |
| Write-Verbose "Firewall rule already exists to allow WinRM HTTPS." |
| } |
| |
| # Test a remoting connection to localhost, which should work. |
| $httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue |
| $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck |
| |
| $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue |
| |
| If ($httpResult -and $httpsResult) |
| { |
| Write-Verbose "HTTP: Enabled | HTTPS: Enabled" |
| } |
| ElseIf ($httpsResult -and !$httpResult) |
| { |
| Write-Verbose "HTTP: Disabled | HTTPS: Enabled" |
| } |
| ElseIf ($httpResult -and !$httpsResult) |
| { |
| Write-Verbose "HTTP: Enabled | HTTPS: Disabled" |
| } |
| Else |
| { |
| Write-Log "Unable to establish an HTTP or HTTPS remoting session." |
| Throw "Unable to establish an HTTP or HTTPS remoting session." |
| } |
| Write-VerboseLog "PS Remoting has been successfully configured for Ansible." |
| |
| # Begin NDK specific sysprep tasks. |
| |
| $TempDir = $env:TEMP |
| |
| # Disable Internet Explorer Enhanced Security Configuration so we can have a |
| # usable browser. |
| # https://stackoverflow.com/a/9368555/632035 |
| function Disable-InternetExplorerESC { |
| $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" |
| $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" |
| Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 |
| Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 |
| Stop-Process -Name Explorer -Force |
| Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." ` |
| -ForegroundColor Green |
| } |
| |
| function Disable-UserAccessControl { |
| Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" ` |
| -Name "ConsentPromptBehaviorAdmin" -Value 00000000 |
| Write-Host "User Access Control (UAC) has been disabled." ` |
| -ForegroundColor Green |
| } |
| |
| function Install-Chrome { |
| $ChromeUrl = "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" |
| $ChromeInstaller = "ChromeInstaller.exe" |
| Invoke-WebRequest $ChromeUrl -OutFile "$TempDir\$ChromeInstaller" |
| & "$TempDir\$ChromeInstaller" /silent /install | Out-null |
| rm "$TempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose |
| } |
| |
| function Install-Git { |
| $GitUrl = "https://github.com/git-for-windows/git/releases/download/v2.14.3.windows.1/Git-2.14.3-64-bit.exe" |
| $GitInstaller = "GitInstaller.exe" |
| Invoke-WebRequest $GitUrl -OutFile "$TempDir/$GitInstaller" |
| & "$TempDir\$GitInstaller" /silent | Out-null |
| rm "$TempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose |
| } |
| |
| Disable-InternetExplorerESC |
| Disable-UserAccessControl |
| Install-Chrome |
| Install-Git |
