Can I toggle these security settings using Powershell? I was hoping I could run a simple script to do it, since it must be applied to hundreds of computers
Set-Location HCKU:
Set-ItemProperty -Path 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' -Name SecureProtocols -Value 2688
This enables all 3 TLS protocols.
Thanks f6a4 for pointing me in the right direction
Related
I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}
Is there a way to create group of users with group policy apllied to them via Powershell/CMD?
My machine is not joined to a domain.
I want to prepare a script which I will use multiple times on other local computers/ machines to recreate group policy.
I want e.g restrict user access to Control Panel, Internet Access and stuff like that.
Thanks from advance for answers
For computers not joined to the domain, you can't use Group Policy. You will need to use Local Policy. Many of the items that you are looking for will simply be registry value that you can easily set with a PowerShell script. For example the policy for Hiding Fast User Switching toggles can be toggled like this:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
You can look up where the values are by reading the .admx templates
Alternatively you could use David Wyatt's PowerShell module to read and modify policy files.
Finally the last option would be create the policy on one computer and then overwrite the .pol files on all the computers and then gpupdate /force. This of course could be scripted with PowerShell.
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\Machine\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\Machine\Registry.pol -Force
Copy-Item \\ExampleComputer1\C$\Windows\System32\GroupPolicy\User\Registry.pol \\ExampleComputer2\C$\Windows\System32\GroupPolicy\User\Registry.pol -Force
Security Templates would have to be exported from the Security Templates mmc snapin and then imported on the other computers with secedit
secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf
Using that solution --> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name HideFastUserSwitching -Value 0
Doesn't work.
I mean e.g:
Set-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" -Name NoRecycleBinIcon -Value 1
.admx template.
It should make my desktop recyclebin gone. This is just an example other settings also stays unchanged.
I'd like to simply add some .Net Authorization rules in IIS (7.5 / win 2008 R2) using a powershell script with PS snap in. So far I was able to add some "allow" rules but not any deny ones.
Each time I try, it either does nothing or creates an "allow" rule, which seems odd, like if it was defaulting to allow all the time.
I tried with add-webconfigurationproperty and add-webconfiguration with no luck.
Maybe one of you has the correct command line to use?
For instance:
Add-WebConfiguration "/system.web/authorization" -value #{ElementTagName="Deny";users="*"} -PSPath "IIS:\Sites\Mysite"
Add-WebConfigurationProperty "/system.web/authorization" -Name "collection" -value #{ElementTagName='deny';users='test'} -PSPath "IIS:\Sites\Mysite"
will create 2 "allow" rules.
Same behavior if I remove ElementTagName='deny'. So weird. Like if the deny "mode" was to be accessed in some different way.
And for instance, if I go to IIS 8 and try to generate the script after adding a deny rule, the command line suggested is not working either.
How can I fix this?
The command you should use to add a deny rule in your example is:
Add-WebConfigurationProperty "/system.web/authorization" -PSPath "IIS:\Sites\Mysite" -Name "." -value #{users='test'} -Type "deny"
This bothered me too & I also had trouble getting appcmd to do the same thing. I did get it working in the end & found that the -Type parameter was the important one. This wasn't all that clear to me from the documentation which just says:
The type of property to add.
I'm new to using the windows registry.
Here is my problem and the context:
I need to write a powershell script that will automatically change the following settings in outlook 2007 for a new account in such a way that you will only need to enter the LogonDomain\UserName and Password as outlined in step 2:
Step 1:
Tools -> Account Setting... -> double click the email account -> More Settings... -> Connection -> check the box "Connect to Microsoft Exchange using HTTP" -> Exchange Proxy Setting... -> enter the proxy server (e.g. exmail.example.com) -> check the box "On fast networks..." and "On slow networks..." -> Set "Basic Authentication" in drop down bar -> Ok -> Ok -> next -> finish
Step 2:
Restart Outlook -> Enter LogonDomain and UserName -> Enter Password -> Repeat Step 1 except this time uncheck the box "On fast networks..."
note: some of the setting from step 1 will already be set when you do step 2, such as the name of the proxy server for exchange.
To find the changes made to the registry I used the application RegFromApp, which records every registry change made by a specific process, Outlook in this case. I wrote two scripts to make the changes recorded by RegFromApp after manually carrying out step 1 and 2 on a new account.
When I try to execute step 1 on a new account it fails to make the changes. However, if I manually carry out step 1 and then execute step 2 the appropriate changes are made. Then if I execute step 1 the settings are changed appropriately! Unfortunately, only having step 2 automated isn't good enough. I think the problem lies with "the enter the proxy server" part of step 1. Nowhere in my script lies the string, "exmail.example.com." There are loads of hexadecimal values changed and it possible that "exmail.example.com" is encoded into one of those, but I don't know.
Q: Does anyone know how to set the proxy server for exchange using the registry, if it's possible to do so, or if there is even a reg key for this setting?
Thanks
Patrick
Below is the READ_ME.txt I made for anyone in my company who wishes to do something similar
Task: Set the proxy server for Exchange in outlook 2007
Requirements:
-RegFromApp (\nas\it\MS\ExchangeSetup)
-PowerShell
Method:
-Open Outlook and RegFromApp.
-Select outlook as the process to monitor in RegFromApp
-Make the appropriate changes to the outlook settings.
-The changes to the registry will be recorded in RegFromApp.
-Write a Powershell script to make these changes to the registry.
-To execute the Powershell script automatically you need to make a .BAT file that changes the execution policy
of PowerShell to RemoteSigned temporarily and restores it Restricted for security reasons.
Notes:
-RegFromApp will provide you with every change made to the registry. Only a few of are actually needed to make the appropriate changes to
the settings in Outlook.
-This method should be capable of making changes to any setting of any program running on Window XP or higher and was recommended by a user
on stackoverflow who had to roll out similar changes to a network of 10000 computers.
-To run this script execute exchange_setup.BAT located at \nas\it\MS\ExchangeSetup
PowerShell Script:
Stop-Process -processname outlook
$regkey1 = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a"
$regkey2 = "HKCU:\Software\Microsoft\Exchange"
set-itemproperty -path $regkey1 -name 00036623 -value ([byte[]](0x2b,0x00,0x00,0x00)) #this value is used for binary regkeys
set-itemproperty -path $regkey1 -name 001f6622 -value ([byte[]](0x65,0x00,0x6D,0x00,0x61,0x00,0x69,0x00,0x6C,0x00,0x2E,0x00,0x6A,0x00,0x6F,0x00,0x6E,0x00,0x65,0x00,0x73,0x00,0x65,0x00,0x6E,0x00,0x67,0x00,0x2E,0x00,0x63,0x00,0x6F,0x00,0x6D,0x00,0x00,0x00))
set-itemproperty -path $regkey1 -name 001f6625 -value ([byte[]](0x00,0x00))
set-itemproperty -path $regkey1 -name 00036627 -value ([byte[]](0x01,0x00,0x00,0x00))
set-itemproperty -path $regkey1 -name 00036601 -value ([byte[]](0x84,0x19,0x00,0x00))
set-itemproperty -path $regkey2 -name LogonDomain -value jonesgroup #this value is used for string regkeys
[System.Diagnostics.Process]::Start("outlook").WaitForExit()
set-itemproperty -path $regkey1 -name 00036623 -value ([byte[]](0x23,0x00,0x00,0x00))
[System.Diagnostics.Process]::Start("outlook")
.BAT file:
powershell.exe -executionpolicy remotesigned -file \\nas\it\MS\ExchangeSetup\exchange_setup.ps1
set-executionpolicy restricted
Is there a way to check the option for "Turn on the Windows Location platform" in windows 8 using PowerShell?
This option is available under control panel - Location Settings.
I haven't find any registry setting made for this once when I turn it on manually. If I find any registry setting I could have used that registry option to enable it but unfortunately there is no change in registry.
thanks in advance
Praveen.
Actually, I just used Procmon to see which reg key was being changed and see the key is named 'SensorPermissionState'. If the checkbox is checked (i.e. it's turned on) then the value is 1.
If you clear the checkbox it gets set to 0x00000000
So this should turn it on (seems to require you to be in Admin Shell):
Set-ItemProperty `
-path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}\' `
-name sensorpermissionstate -value 1
And to turn it off
Set-ItemProperty `
-path 'HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}' `
-name sensorpermissionstate -Value 0