#
# This is a sample script to enable Windows features and other configurations.
#
#Requires -RunAsAdministrator
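function Enable-Feature (
    [Parameter(Mandatory=$false,Position=0)][string]$featureName,
    [Parameter(Mandatory=$false,Position=1)][string]$source = $null )
{
    <#
    .SYNOPSIS
        Enables a Windows optional feature on the local machine if it is not already enabled.
    .PARAMETER featureName
        Feature name as reported by Get-WindowsOptionalFeature (e.g. IIS-WebServer).
    .PARAMETER source
        Optional path to a side-by-side payload folder used when the feature's files are not on
        the machine. Ignored when empty; logged and skipped when the path does not exist.
    .OUTPUTS
        None. Progress and outcome are reported through Log-SetupStep.
    #>
    if ([string]::IsNullOrWhiteSpace($featureName))
    {
        Log-SetupStep -message "Enable-Feature called without a feature name." -Level Error
        return
    }

    # An unknown feature name is a non-terminating error from the cmdlet; suppress it so the
    # single log line below is the only report instead of a raw error plus the log line.
    $feature = Get-WindowsOptionalFeature -FeatureName $featureName -Online -ErrorAction SilentlyContinue
    if ($null -eq $feature)
    {
        Log-SetupStep -message "Feature: $featureName not found." -Level Error
        return
    }

    if ($feature.State -eq "Enabled")
    {
        Log-SetupStep -message "Feature: $featureName already enabled."
        return
    }

    # -NoRestart stops the cmdlet from prompting for a reboot in the middle of an unattended run;
    # a still-pending reboot is surfaced through the log instead.
    $enableArgs = @{ FeatureName = $featureName; Online = $true; NoRestart = $true }
    if ([string]::IsNullOrWhiteSpace($source))
    {
        Log-SetupStep -message "Enabling Feature: $featureName"
    }
    else
    {
        if (-not (Test-Path -Path $source))
        {
            Log-SetupStep -message "Not Enabling Feature: $featureName with source '$source'. Source not found" -level Warning
            return
        }
        Log-SetupStep -message "Enabling Feature: $featureName with source '$source'"
        $enableArgs.Source = $source
    }

    $res = Enable-WindowsOptionalFeature @enableArgs
    if ($null -ne $res -and $res.RestartNeeded)
    {
        Log-SetupStep -message "Feature: $featureName enabled; a restart is required to complete it." -level Warning
    }
}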
function Enable-IISFeatures ()
{
    <#
    .SYNOPSIS
        Enables the IIS optional features this setup expects, in the order listed.
    .NOTES
        Every entry goes through Enable-Feature, so features that are already enabled are
        logged and skipped. Some entries widen the web server's exposed surface
        (IIS-DirectoryBrowsing, IIS-BasicAuthentication, IIS-LegacyScripts, IIS-LegacySnapIn,
        IIS-IIS6ManagementCompatibility); remove the ones a deployment does not need.
    #>
    $iisFeatures = @(
        # Web server role and common HTTP features
        "IIS-WebServerRole",
        "IIS-WebServer",
        "IIS-CommonHttpFeatures",
        "IIS-Security",
        "IIS-RequestFiltering",
        "IIS-StaticContent",
        "IIS-DefaultDocument",
        "IIS-DirectoryBrowsing",
        "IIS-HttpErrors",
        "IIS-HttpRedirect",
        # Application development (ASP.NET 4.5 stack)
        "IIS-ApplicationDevelopment",
        "IIS-WebSockets",
        "IIS-ApplicationInit",
        "IIS-NetFxExtensibility45",
        "IIS-ISAPIExtensions",
        "IIS-ISAPIFilter",
        "IIS-ASPNET45",
        # Health, diagnostics and logging
        "IIS-HealthAndDiagnostics",
        "IIS-HttpLogging",
        "IIS-LoggingLibraries",
        "IIS-RequestMonitor",
        "IIS-HttpTracing",
        # Authentication
        "IIS-BasicAuthentication",
        "IIS-WindowsAuthentication",
        # Performance
        "IIS-Performance",
        "IIS-HttpCompressionStatic",
        # Management tools, including IIS 6 compatibility
        "IIS-WebServerManagementTools",
        "IIS-ManagementConsole",
        "IIS-LegacySnapIn",
        "IIS-IIS6ManagementCompatibility",
        "IIS-Metabase",
        "IIS-WMICompatibility",
        "IIS-LegacyScripts"
    )

    foreach ($iisFeature in $iisFeatures)
    {
        Enable-Feature -featureName $iisFeature
    }
}
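function Configure-MSDTC (
    [ValidateSet("NoAuth", "Incoming", "Mutual")][string]$authenticationLevel = "NoAuth" )
{
    <#
    .SYNOPSIS
        Reinstalls the local Distributed Transaction Coordinator and opens it for network transactions.
    .PARAMETER authenticationLevel
        RPC authentication required for remote DTC traffic. Defaults to "NoAuth" to keep the
        original script's behaviour; prefer "Incoming" or "Mutual" when every participating host
        is domain-joined, since NoAuth accepts unauthenticated remote transaction traffic while
        remote client access is enabled below.
    .OUTPUTS
        None. Progress is reported through Log-SetupStep.
    #>
    Log-SetupStep -message "Entering Configure-MSDTC" -level Information

    # Ensure DTC is correctly installed, e.g. when the machine was cloned: an existing
    # instance (anything returned by Get-Dtc) is removed and DTC is installed fresh.
    $dtc = Get-Dtc -ErrorAction SilentlyContinue
    if ($null -ne $dtc)
    {
        Log-SetupStep -message "Uninstalling DTC"
        Uninstall-Dtc -Confirm:$false
    }

    Log-SetupStep -message "Installing DTC"
    Install-Dtc

    # Inbound/outbound and remote client access on; remote administration, XA and LU off.
    Set-DtcNetworkSetting -DtcName "Local" `
        -AuthenticationLevel $authenticationLevel `
        -InboundTransactionsEnabled $True `
        -OutboundTransactionsEnabled $True `
        -RemoteClientAccessEnabled $True `
        -RemoteAdministrationAccessEnabled $False `
        -XATransactionsEnabled $False `
        -LUTransactionsEnabled $False `
        -Confirm:$False

    Log-SetupStep -message "Done Configure-MSDTC" -level Information
}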
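function Set-COM3NetworkAccess ()
{
    <#
    .SYNOPSIS
        Enables COM+ network access by setting HKLM\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled to 1.
    .NOTES
        https://social.technet.microsoft.com/Forums/en-US/cf49e572-f3a6-404f-84bd-0eff86ca89ae/com-network-access
        This allows remote COM+ (DCOM) calls into the machine; the matching inbound firewall
        rules are enabled separately in Set-FwRule.
    .OUTPUTS
        None. Progress is reported through Log-SetupStep.
    #>
    Log-SetupStep -message "Starting Set-COM3NetworkAccess" -level Information

    $registryPath = "HKLM:\SOFTWARE\Microsoft\COM3"
    $name = "RemoteAccessEnabled"
    $value = 1

    if (-not (Test-Path $registryPath))
    {
        New-Item -Path $registryPath -Force | Out-Null
    }
    # -Force overwrites an existing value, so a single write covers both the new-key and
    # existing-key cases.
    New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null

    Log-SetupStep -message "Done Set-COM3NetworkAccess" -level Information
}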
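function Set-TLSSettings ()
{
    <#
    .SYNOPSIS
        Writes the SCHANNEL, .NET Framework and WinHTTP registry values that enable TLS 1.2.
    .NOTES
        https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
        Besides TLS 1.2, this also writes Enabled=1 / DisabledByDefault=0 for the TLS 1.0 client
        and server keys, i.e. it turns TLS 1.0 ON, and DefaultSecureProtocols 2688 (0xA80 =
        0x80 TLS 1.0 | 0x200 TLS 1.1 | 0x800 TLS 1.2) does the same for WinHTTP. Keep that only
        while a peer still needs TLS 1.0; otherwise set Enabled=0 / DisabledByDefault=1 under
        "TLS 1.0" and use 0x800 for DefaultSecureProtocols.
        A failed write is logged as a warning and the remaining writes continue.
    .OUTPUTS
        None. Progress is reported through Log-SetupStep.
    #>
    Log-SetupStep -message "Set-TLSSettings - Start" -level Information

    $schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    # Same pair of values under every protocol/role key below.
    $protocolValues = @{ DisabledByDefault = 0; Enabled = 1 }

    # Key -> values to write under it. Framework and WinHTTP keys are written in both the
    # native and the WOW64 (Wow6432Node) registry views.
    $writes = @{
        "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"                                    = @{ SchUseStrongCrypto = 1 }
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"                        = @{ SchUseStrongCrypto = 1 }
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"            = @{ DefaultSecureProtocols = 2688 }
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" = @{ DefaultSecureProtocols = 2688 }
    }
    foreach ($protocol in @("TLS 1.0", "TLS 1.2"))
    {
        foreach ($role in @("Client", "Server"))
        {
            $writes["$schannel\$protocol\$role"] = $protocolValues
        }
    }

    foreach ($key in $writes.Keys)
    {
        try
        {
            if (-not (Test-Path -LiteralPath $key))
            {
                New-Item -Path $key -Force -ErrorAction Stop | Out-Null
            }
            foreach ($name in $writes[$key].Keys)
            {
                New-ItemProperty -LiteralPath $key -Name $name -Value $writes[$key][$name] -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            }
        }
        catch
        {
            # Do not abort setup over one key, but do not hide the failure either.
            Log-SetupStep -message "Set-TLSSettings - failed to write '$key': $($_.Exception.Message)" -level Warning
        }
    }

    Log-SetupStep -message "Set-TLSSettings - Done" -level Information
}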
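function Set-FwRule (
    [string]$ruleName = "My Custom Rule",
    [int]$localPort = 1434 )
{
    <#
    .SYNOPSIS
        Creates an inbound UDP allow rule for the Domain profile and enables the built-in COM+ and DTC rules.
    .PARAMETER ruleName
        Display name of the custom rule. An existing rule with this name is left untouched.
    .PARAMETER localPort
        Local UDP port the custom rule allows; 1434 is conventionally the SQL Server Browser port.
    .OUTPUTS
        None. Progress is reported through Log-SetupStep.
    #>
    Log-SetupStep -message "Set-FwRule - Start"

    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($null -eq $rule)
    {
        Log-SetupStep -message "Adding '$ruleName'" -level Information
        # Domain profile only, so the port is not opened on public/private networks.
        New-NetFirewallRule -DisplayName $ruleName -Group "BizTalk" -Direction Inbound -LocalPort $localPort -Protocol UDP -Action Allow -Profile Domain | Out-Null
    }
    else
    {
        Log-SetupStep -message "Firewall rule '$ruleName' existed, not changed" -level Warning
    }

    # Built-in rules needed for remote COM+ and DTC traffic. They are enabled rather than
    # recreated so the OS-defined scope applies; a rule absent on this machine is logged
    # instead of surfacing as a raw error from Enable-NetFirewallRule.
    $builtInRules = @(
        "COM+ Network Access (DCOM-In)",
        "COM+ Remote Administration (DCOM-In)",
        "Distributed Transaction Coordinator (RPC)",
        "Distributed Transaction Coordinator (RPC-EPMAP)",
        "Distributed Transaction Coordinator (TCP-In)",
        "Distributed Transaction Coordinator (TCP-Out)"
    )
    foreach ($displayName in $builtInRules)
    {
        if ($null -eq (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue))
        {
            Log-SetupStep -message "Firewall rule '$displayName' not found, not enabled" -level Warning
            continue
        }
        Enable-NetFirewallRule -DisplayName $displayName
    }

    Log-SetupStep -message "Set-FwRule - Done"
}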
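function Enable-II32BitAppOnWin64 ([string]$appPool)
{
    <#
    .SYNOPSIS
        Turns on Enable32BitAppOnWin64 for an IIS application pool and recycles it.
    .PARAMETER appPool
        Name of the application pool (e.g. DefaultAppPool). A missing pool is logged and skipped.
    .NOTES
        Uses Get-IISAppPool / Get-IISServerManager; a pool that already has the setting on is
        left alone and not recycled, so the function is safe to re-run.
    .OUTPUTS
        None. Progress is reported through Log-SetupStep.
    #>
    Log-SetupStep -message "Enable-II32BitAppOnWin64 $appPool - Start"

    if ([string]::IsNullOrWhiteSpace($appPool))
    {
        Log-SetupStep -message "Enable-II32BitAppOnWin64 called without an application pool name." -level Error
        return
    }

    $pool = Get-IISAppPool -Name $appPool -ErrorAction SilentlyContinue
    if ($null -eq $pool)
    {
        Log-SetupStep -message "$appPool - not found!" -level Warning
    }
    elseif ($pool.Enable32BitAppOnWin64)
    {
        Log-SetupStep -message "$appPool - 32-bit applications already enabled, not changed."
    }
    else
    {
        $srvMgr = Get-IISServerManager
        $pool.Enable32BitAppOnWin64 = $true
        # Commit the local changes to the server store; until then the edit is only in memory.
        $srvMgr.CommitChanges()
        # Recycle so running worker processes pick up the new bitness.
        $pool.Recycle()
        Log-SetupStep -message "$appPool - 32-bit applications enabled, pool recycled."
    }

    Log-SetupStep -message "Enable-II32BitAppOnWin64 $appPool - Done"
}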
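################################################################
# Maincode
################################################################
# $PSScriptRoot is the folder of the running script (PowerShell 3+) however it was started.
# $MyInvocation.InvocationName only holds the text used to invoke the script (e.g.
# ".\01-WindowsConfiguration.ps1" or "&"), so GetDirectoryName() on it yields "." or "" and
# the Set-Location / Import-Module below then resolve against the wrong folder.
$scriptfolder = if (-not [string]::IsNullOrEmpty($PSScriptRoot)) { $PSScriptRoot } else { [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Path) }
Set-Location $scriptfolder

# Helper module (presumably the source of Log-SetupStep, Check-64Bit and Get-ScriptDirectory
# used below). -DisableNameChecking silences the unapproved-verb warning for those names.
Import-Module "$scriptfolder\BtsSetupHelper.psm1" -Global -DisableNameChecking
Check-64Bit
Get-ScriptDirectory
# Not read in this script; kept because the helper module or sibling scripts may rely on it.
$timestamp = [System.DateTime]::Now.ToString("yyyyMMdd_HHmmss")

Enable-Feature -featureName MSMQ
Enable-IISFeatures
# Optional - required for the Sharepoint Adapter
Enable-Feature -featureName Windows-Identity-Foundation
# .NET 3.5 is Not necessary for BizTalk 2020
#Enable-Feature -featureName NetFX3 -source D:\sources\sxs # This row expects the source to be present in the specified path

# Enable Network DTC Access (NoAuth by default; see Configure-MSDTC), COM+ remote access,
# TLS registry settings and the firewall rules these services need.
Configure-MSDTC
Set-COM3NetworkAccess
Set-TLSSettings
Set-FwRule
Enable-II32BitAppOnWin64 -appPool DefaultAppPool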