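# provision-winrm.ps1
#
# Configures WinRM on a Windows vagrant box so the vagrant host can reach it
# over plain HTTP (TCP 5985) using Basic or CredSSP authentication. Runs
# unattended (autounattend) in an elevated 64-bit PowerShell session.
#
# NB the settings applied below (AllowUnencrypted, Basic and CredSSP auth, an
#    inbound firewall rule with no remote-address restriction and the
#    LocalAccountTokenFilterPolicy override) are what vagrant expects from a
#    box. They deliberately trade transport security for convenience, which is
#    only appropriate on a throw-away VM that is reachable solely from the
#    vagrant host (e.g. over a host-only/NAT network).

Set-StrictMode -Version Latest
$ProgressPreference = 'SilentlyContinue'
$ErrorActionPreference = 'Stop'
trap {
    # on any terminating error: print the error, its script stack trace and the
    # exception, then stall for an hour so the VM can be inspected before the
    # caller tears it down.
    Write-Host
    Write-Host "ERROR: $_"
    ($_.ScriptStackTrace -split '\r?\n') -replace '^(.*)$','ERROR: $1' | Write-Host
    ($_.Exception.ToString() -split '\r?\n') -replace '^(.*)$','ERROR EXCEPTION: $1' | Write-Host
    Write-Host
    Write-Host 'Sleeping for 60m to give you time to look around the virtual machine before self-destruction...'
    Start-Sleep -Seconds (60*60)
    Exit 1
}

## for troubleshoot purposes, save this script output to a file.
#Start-Transcript C:\winrm-autounattend.txt
## for troubleshoot purposes, save the current user details. this will be later displayed by provision.ps1.
#whoami /all >C:\whoami-autounattend.txt

#######################################
# Run a native (non-cmdlet) command and fail the script when it exits with a
# non-zero status.
# NB $ErrorActionPreference = 'Stop' does not apply to native commands, so
#    without this check a failed 'winrm set' would be silently ignored and the
#    box would end up half-configured.
# Arguments: -Command   executable to run (e.g. winrm)
#            remaining  arguments passed through verbatim
# Returns:   whatever the command writes to stdout; throws on non-zero exit.
#######################################
function Invoke-NativeCommand {
    param(
        [Parameter(Mandatory=$true)][string]$Command,
        [Parameter(ValueFromRemainingArguments=$true)][string[]]$Arguments
    )
    & $Command @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Command $Arguments failed with exit code $LASTEXITCODE"
    }
}

if (![Environment]::Is64BitProcess) {
    throw 'this must run in a 64-bit PowerShell session'
}
if (!(New-Object System.Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'this must run with Administrator privileges (e.g. in a elevated shell session)'
}

# move all (non-domain) network interfaces into the private profile to make winrm happy (it needs at
# least one private interface; for vagrant its enough to configure the first network interface).
# NB in windows server it would be enough to call winrm -force argument, but
#    in windows client 10, we must set the network interface profile.
Get-NetConnectionProfile `
    | Where-Object {$_.NetworkCategory -ne 'DomainAuthenticated'} `
    | Set-NetConnectionProfile -NetworkCategory Private

# configure WinRM.
# NB AllowUnencrypted + Basic means credentials and session traffic cross the
#    wire in the clear on port 5985; CredSSP additionally lets the remote side
#    receive delegated credentials. Both are required by vagrant's default
#    WinRM communicator and rely on the network between host and VM being
#    trusted.
Write-Output 'Configuring WinRM...'
Invoke-NativeCommand winrm quickconfig -quiet
Invoke-NativeCommand winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Invoke-NativeCommand winrm set winrm/config/service/auth '@{Basic="true"}'
Invoke-NativeCommand winrm set winrm/config/service/auth '@{CredSSP="true"}'

# make sure the WinRM service startup type is delayed-auto
# even when the default config is auto (e.g. Windows 2019
# changed that default).
# WARN do not be tempted to change the default WinRM service startup type from
#      delayed-auto to auto, as the later proved to be unreliable.
$result = sc.exe config WinRM start= delayed-auto
if ($result -ne '[SC] ChangeServiceConfig SUCCESS') {
    throw "sc.exe config failed with $result"
}

# dump the WinRM configuration (informational only; the exit status of these
# commands is deliberately not checked).
Write-Output 'WinRM Configuration:'
winrm enumerate winrm/config/listener
winrm get winrm/config
winrm id

# disable UAC remote restrictions.
# NB with LocalAccountTokenFilterPolicy=1 a local Administrators member gets a
#    full (unfiltered) admin token when logging on over the network, which is
#    what vagrant's remote provisioning needs.
# see https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
# see https://docs.microsoft.com/en-us/windows/desktop/wmisdk/user-account-control-and-wmi#handling-remote-connections-under-uac
New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name LocalAccountTokenFilterPolicy `
    -Value 1 `
    -Force `
    | Out-Null

# make sure winrm can be accessed from any network location.
# NB no -RemoteAddress is given, so the listener is reachable from every
#    network the VM is attached to. Restricting it to the vagrant host subnet
#    via -RemoteAddress is the knob to turn if the box ever gets a bridged
#    interface.
New-NetFirewallRule `
    -DisplayName WINRM-HTTP-In-TCP-VAGRANT `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 5985 `
    | Out-Null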