We are currently leveraging a VNet at Azure that is configured to force all traffic over our site-to-site connection to on-premise networks and then out through our corporate firewall. All HTTP/HTTPS traffic is proxied.
This is causing significant issue in that newly-provisioned VMs can not see the outside world to access necessary configuration items like Azure Extensions or even no-proxied internal IPs.
To date, I've created a perverse work-around via PowerShell where I provision the VM, bootstrap it with Chef which overrides the proxy settings in order to get to the Chef server which then configures the proxies.
But, until the user fires up Internet Explorer, it does not set the proxies so that they can be used in PowerShell. Specifically, before IE is fired up, [System.Net.GlobalProxySelection]::Select is empty. Once IE has been started, it is populated.
I also tried preconfiguring an image and sysprep'ing it, but sysprep wipes the proxy settings.
As a final step, I created a PowerShell script which I thought would set the proxies. I was going to use this script via Azure Script Extension (assuming it is on the VM by default), but I can't get it to give me the desired results.
So, my question is, how do I make a Windows 2012 R2 (and Windows 2008 R2) newly provisioned VM proxy aware so that other processes in the provisioning sequence will work (i.e., extensions like the Chef extension)?
Here is the script I created (that doesn't perform as expected):
# See: http://www.geoffchappell.com/notes/windows/ie/firstrun.htm
$regKey = 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
$proxyServerToDefine = 'http://<PROXY URI>:<PORT>'
Set-ItemProperty -path $regKey ProxyEnable -value 1
Set-ItemProperty -path $regKey ProxyServer -value $proxyServerToDefine
Set-ItemProperty -path $regKey ProxyOverride -value '137.185.235.196;137.185.235.199'
New-Item -Path 'HKLM:\\Software\\Policies\\Microsoft\\Internet Explorer' -Name 'Main' -Force # Does not exist by default
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main' -Name DisableFirstRunCustomize -Value 1
(New-Object System.Net.WebClient).Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
The trick here was assigning both the HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings AND system account's Internet Settings.
Suggestion: Set your proxy and overrides up once, confirm that it works and then grab the registry values to use in your script.
Here's the list of values I set to make the Users and the System accounts proxy aware:
$userReg = 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
Set-ItemProperty -path $userKey ProxyEnable -value 1
Set-ItemProperty -path $userKey ProxyServer -value ''
Set-ItemProperty -path $userKey ProxyOverride -value ''
$sysReg = 'HKU:\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
Set-ItemProperty -path $sysReg ProxyEnable -value 1
Set-ItemProperty -path $sysReg ProxyServer -value ''
Set-ItemProperty -path $sysReg ProxyOverride -value ''
$sysRegCon = 'HKU:\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\Connections'
$DefaultConnectionSettings = ([byte[](0x46,0x00,...))
$SavedLegacySettings = ([byte[](0x46,0x00,...))
Set-ItemProperty -path $sysRegCon DefaultConnectionSettings -value $DefaultConnectionSettings
Set-ItemProperty -path $sysRegCon SavedLegacySettings -value $SavedLegacySettings
Hope this helps someone else more rapidly down the path...
Related
I want to automate logon process for multiple devices (managed by Intune, Azure Active Directory only) that use different username/password combinations.
Is there a way somehow via Powershell script to get the user's password? I would then use those user's credentials to store registry keys:
$RegKeyPathWinLogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "AutoAdminLogon" -Value "1"
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "DefaultUserName" -Value "$Username"
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "DefaultPassword" -Value "$Password"
I trying to run a command that opens up Software Center on my machine. It works just fine if I run it in Command Prompt but not when I call it from my custom protocol handler in the registry. The main problem is that when called from the protocol handler, via a Toast button, Windows tells me I need a new app to open this.
Here is the command.
"C:\WINDOWS\CCM\ClientUX\SCClient.exe" softwarecenter:Page=Applications FilterType=0 SortType=6 View=Upcoming
Here is how I am setting up the protocol handler in registry
New-item 'HKLM:\SOFTWARE\ToastSoftwareCenter' -force
Set-itemproperty 'HKLM:\SOFTWARE\ToastSoftwareCenter' -name '(DEFAULT)' -value 'url:ToastSoftwareCenter' -force
Set-itemproperty 'HKLM:\SOFTWARE\ToastSoftwareCenter' -name 'URL Protocol' -value '' -force
New-itemproperty -path 'HKLM:\SOFTWARE\ToastSoftwareCenter' -propertytype dword -name 'EditFlags' -value 2162688
New-item 'HKLM:\SOFTWARE\ToastSoftwareCenter\Shell\Open\command' -force
Set-itemproperty 'HKLM:\SOFTWARE\ToastSoftwareCenter\Shell\Open\command' -name '(DEFAULT)' -value '"C:\WINDOWS\CCM\ClientUX\SCClient.exe" softwarecenter:Page=InstallationStatus FilterType=0 SortType=6 View=Upcoming' -force
I have tried appending these other commands on the end of the command to associate it as an exe so it wont ask anymore, but to no avail.
ftype exefile="%1" %*
assoc .exe=exefile\
The commands work when running them from a command prompt but not from the protocol handler. Am I setting it up wrong?
Thank You.
You're creating the protocol in the wrong location. It needs to be created under HKEY_CLASSES_ROOT
You also need to create the PSDrive in order to easily access that location within PowerShell.
New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR
New-Item 'HKCR:\ToastSoftwareCenter' -Force
Registering the Application Handling the Custom URI Scheme
I am doing an automated deployment process within a single server that deploys a few different virtual machines. Once all the virtual machines are imported using a base image I start them and rename them and try to setup the auto logon process by setting the expected registry keys.
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoLogonCount" -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultUserName" -Value "$Username" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultPassword" -Value "$Password" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -Value "1" -Force
This is wrapped in an Invoke-Command with a working session and passing in the correct information into it. After this has been ran I use [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey( method to obtain the key value information and verify it has been set correctly. Which everything equals what it should.
However once this is complete I do a reboot of the virtual machine but occasionally a vm will not have the registry keys saved and it will not login automatically. When I manually login and look at the registry the keys are blank or not created.
I even have it written up that after the reboot if the registry keys do not equal what they should to try again, and after every attempted reboot to login automatically the keys seemingly disappear. I am running it again as I am writing this to attempt to do it and this time look in the event logs to see if anything is found.
This process can take some time since it doesn't seem to happen consistently and I delete the vms and run the automated process from scratch.
For our website to run we need to:
add site to trusted sites list [Solved]
disable IE protected mode [Solved]
bring down security level for all zones. [facing Issue]
I am automating this site. As a prerequisite i have to take care of security features.
I have create below code. But i am not able to set security level to zero. I can't find 1A10 in zones.
I am adding solved issues code as well. Hoping it might help someone in need
Helpful sites -
https://x86x64.wordpress.com/2014/05/20/powershell-ie-zones-protected-mode-state/
https://support.microsoft.com/en-in/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users
https://blogs.technet.microsoft.com/heyscriptingguy/2015/04/02/update-or-add-registry-key-value-with-powershell/
#1. Add site to trusted sites
#Setting IExplorer settings
Write-Verbose "Now configuring IE"
#Navigate to the domains folder in the registry
set-location "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
set-location ZoneMap\Domains
#Create a new folder with the website name
new-item testsite.site.com/ -Force #website part without https
set-location testsite.site.com/
new-itemproperty . -Name https -Value 2 -Type DWORD -Force
Write-Host "Site added Successfully"
Start-Sleep -s 2
# 2. Disable IE protected mode
# Disabling protected mode and making level 0
#Zone 0 – My Computer
#Zone 1 – Local Intranet Zone
#Zone 2 – Trusted sites Zone
#Zone 3 – Internet Zone
#Zone 4 – Restricted Sites Zone
#“2500” is the value name representing “Protected Mode” tick. 3 means Disabled, 0 – Enabled
#Disable protected mode for all zones
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name 2500 -Value "3"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Name 2500 -Value "3"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -Name 2500 -Value "3"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" -Name 2500 -Value "3"
Write-Host "IE protection mode turned Off successfully"
Start-Sleep -s 2
# 3. Bring down security level for all zones
#Set Level 0 for low
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name 1A10 -Value "0"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Name 1A10 -Value "0"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -Name 1A10 -Value "0"
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" -Name 1A10 -Value "0"
Stop-Process -name explorer
Thanks in Advance Guys!!
just remove "0" and replace with 0 it worked for me.
Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Name 1A10 -Value 0
Windows 10 allows you to configure Settings > Start > Use Start full screen, I'm trying to find a way to configure this through powershell/dsc scripting/automation. I was able to find the MDM and GPO documentation (https://learn.microsoft.com/en-us/windows/configuration/windows-10-start-layout-options-and-policies) but this does not appear to apply to desktop Windows 10 Pro - powershell has no commands/cmdlets with GP* nouns.
The scripts below, inspired by the .bat-files in this article adjust the local policies and should probably work. I have tested on 10.0.16299.431 (Enterprise).
Based on the article (Created by Shawn Brink, January 24th 2015):
To force fullscreen:
$forceStartSizePath = "\Software\Policies\Microsoft\Windows\Explorer"
New-ItemProperty -Path "HKCU:$forceStartSizePath" -Name "ForceStartSize" -Value 2 -Force
New-ItemProperty -Path "HKLM:$forceStartSizePath" -Name "ForceStartSize" -Value 2 -Force
Stop-Process -name explorer
To force normal mode:
$forceStartSizePath = "\Software\Policies\Microsoft\Windows\Explorer"
New-ItemProperty -Path "HKCU:$forceStartSizePath" -Name "ForceStartSize" -Value 1 -Force
New-ItemProperty -Path "HKLM:$forceStartSizePath" -Name "ForceStartSize" -Value 1 -Force
Stop-Process -name explorer
To reset to default:
$forceStartSizePath = "\Software\Policies\Microsoft\Windows\Explorer"
Remove-ItemProperty -Path "HKCU:$forceStartSizePath" -Name "ForceStartSize"
Remove-ItemProperty -Path "HKLM:$forceStartSizePath" -Name "ForceStartSize"
Stop-Process -name explorer
Note: The last line (making explorer restart) may not desirable, but it will make sure the settings are picked up instantly. Your screen will flicker (if running local) as explorer is restarted.
Also; if parts of the registry-path is missing, you will get an error message. Use Test-Pathand New-Item to check for and create the missing part of the path.