Windows/powershell: Difference between revisions

From SchnallIchNet
Line 165: Line 165:
  
 
  Enable-BitLocker -TpmProtector C:
 
  Enable-BitLocker -TpmProtector C:
 +
 +
 +
== get software installed ==
 +
 +
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize
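Review bot: the added Get-ItemProperty line reads only HKLM:\Software\Wow6432Node\...\Uninstall\*, so on a 64-bit system it lists 32-bit packages only and an inventory built from it will miss natively installed software. Consider also querying HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* and dropping entries with an empty DisplayName. The –AutoSize parameter in the same line is typed with an en dash; an ASCII hyphen is safer for copy and paste.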
  
  

Revision as of 19 March 2020, 17:09

Snippets for powershell
Note that Exchange-related powershell commands should be listed here

execution policy

Set-ExecutionPolicy Unrestricted

possible values:

help about_Execution_Policies


external AD-snapin

http://software.dell.com/products/active-roles/powershell.aspx

After installation, load it with the following command:

Add-PSSnapin Quest.ActiveRoles.ADManagement

With it you can then do neat things like:

Get-QADGroup -ContainsMember username


get loadable modules

Get-Module -ListAvailable


import system modules

ImportSystemModules


Set Systemvariables (persistent)

[Environment]::SetEnvironmentVariable("CHRIS", "Yadda", "Machine")
  1. Variable Name
  2. Value
  3. Scope: User or Machine

To see such changes you need to start a new Powershell window
and enter:

Get-ChildItem env:

or

Get-ChildItem env:CHRIS

or

Get-ChildItem env:CHR*

get/set netconnectionprofile

PS C:\> Get-NetConnectionProfile

Name : arifleet.com
InterfaceAlias : Internal
InterfaceIndex : 1
NetworkCategory : DomainAuthenticated
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork

Name : Network
InterfaceAlias : Internet
InterfaceIndex : 3
NetworkCategory : Public
IPv4Connectivity : LocalNetwork
IPv6Connectivity : LocalNetwork

PS C:\> Set-NetConnectionProfile -InterfaceIndex 3 -NetworkCategory Private


get primary DC (PDC)

Netdom Query Fsmo


Logging

Filter log by EventID:

$startdate = (Get-Date).AddDays(-1)   # start of the time window; adjust as needed
Get-EventLog -LogName "Directory Service" -after $startdate | where { $_.eventid -eq 2889 } | `
select Source, EventID, InstanceId, Message | Export-Csv c:\eventID_2889.csv -Delimiter ";"
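
Event 2889 in the Directory Service log records an LDAP bind made without signing or a simple bind over a cleartext connection, so the useful view is usually "which client, as which account, how often". The following is an added example, not part of the original page: Get-LdapUnsignedBindSummary is a hypothetical helper name, the sample entries are constructed, and it assumes the entry's ReplacementStrings hold the client "ip:port" first and the identity second, as in the 2889 message text.

```powershell
# Added example: summarise event 2889 entries per client address and account.
# Get-LdapUnsignedBindSummary is a hypothetical helper, not a built-in cmdlet.
function Get-LdapUnsignedBindSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Entry
    )
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        if ($Entry.EventID -ne 2889) { return }      # ignore other events
        $s = @($Entry.ReplacementStrings)
        if ($s.Count -lt 2) { return }               # malformed entry, skip it
        # Assumption: "10.2.8.40:51234" or "[fe80::1]:51234"; drop port and brackets
        $client = ($s[0] -replace ':\d+$', '').Trim('[', ']')
        [void]$rows.Add([pscustomobject]@{
            Client   = $client
            Identity = $s[1]
            Time     = $Entry.TimeGenerated
        })
    }
    end {
        $rows | Group-Object -Property Client, Identity | ForEach-Object {
            $times = @($_.Group | Sort-Object -Property Time)
            [pscustomobject]@{
                Client    = $_.Group[0].Client
                Identity  = $_.Group[0].Identity
                Binds     = $_.Count
                FirstSeen = $times[0].Time
                LastSeen  = $times[-1].Time
            }
        } | Sort-Object -Property Binds -Descending
    }
}

# Constructed sample entries shaped like Get-EventLog output (not real log data)
$sample = @(
    [pscustomobject]@{ EventID = 2889; TimeGenerated = [datetime]'2020-03-19T09:00:00'
                       ReplacementStrings = @('10.2.8.40:51234', 'EXAMPLE\svc-scanner', '1') }
    [pscustomobject]@{ EventID = 2889; TimeGenerated = [datetime]'2020-03-19T09:05:00'
                       ReplacementStrings = @('10.2.8.40:51377', 'EXAMPLE\svc-scanner', '1') }
    [pscustomobject]@{ EventID = 2889; TimeGenerated = [datetime]'2020-03-19T10:30:00'
                       ReplacementStrings = @('[fe80::1]:49822', 'EXAMPLE\jdoe', '0') }
    [pscustomobject]@{ EventID = 1000; TimeGenerated = [datetime]'2020-03-19T10:31:00'
                       ReplacementStrings = @() }
)

$sample | Get-LdapUnsignedBindSummary | Format-Table -AutoSize

# On a domain controller, feed it the real log instead of the sample:
# Get-EventLog -LogName "Directory Service" -After $startdate | Get-LdapUnsignedBindSummary
```

With the sample above the result has two rows: 10.2.8.40 / EXAMPLE\svc-scanner with two binds, and fe80::1 / EXAMPLE\jdoe with one.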


get last logon user

RPC-Call:

(Get-WmiObject -Class win32_process -ComputerName $c | Where-Object name -Match explorer).getowner().user


get currently logged on user

get-wmiobject -Class Win32_ComputerSystem | select username


get uptime of system

(get-date) - (gcim Win32_OperatingSystem).LastBootUpTime


timeserver settings

query source servers:

w32tm /query /source


set source servers:

net stop w32time; 
w32tm /config /syncfromflags:manual /manualpeerlist:10.2.8.3;
w32tm /config /reliable:yes;
net start w32time;

Without stopping w32time:

w32tm /config /syncfromflags:manual /manualpeerlist:"time.domain.tld time2.domain.tld" /reliable:yes /update

Sync with timeservers:

w32tm /resync /force

Get Service names

Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Select name


get services and run state:

Get-Service | Where-Object {$_.displayName.contains("smartFIX ")}

or (simulate case insensitive)

Get-Service | Where-Object {$_.displayName.toLower().contains("smartfix ")}


start/stop/restart services that start with watch* (case sensitive)

Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Start-Service
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Stop-Service
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Restart-Service


Bitlocker

get-tpm
Initialize-Tpm
Get-BitLockerVolume
Enable-BitLocker -TpmProtector C:


get software installed

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize


get-pendingreboot

Source: https://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542

Function Get-PendingReboot
{
<#
.SYNOPSIS
    Gets the pending reboot status on a local or remote computer.

.DESCRIPTION
    This function will query the registry on a local or remote computer and determine if the
    system is pending a reboot, from Microsoft updates, Configuration Manager Client SDK, Pending Computer 
    Rename, Domain Join or Pending File Rename Operations. For Windows 2008+ the function will query the 
    CBS registry key as another factor in determining pending reboot state.  "PendingFileRenameOperations" 
    and "Auto Update\RebootRequired" are observed as being consistent across Windows Server 2003 & 2008.

    CBServicing = Component Based Servicing (Windows 2008+)
    WindowsUpdate = Windows Update / Auto Update (Windows 2003+)
    CCMClientSDK = SCCM 2012 Clients only (DetermineIfRebootPending method) otherwise $null value
    PendComputerRename = Detects either a computer rename or domain join operation (Windows 2003+)
    PendFileRename = PendingFileRenameOperations (Windows 2003+)
    PendFileRenVal = PendingFilerenameOperations registry value; used to filter if need be, some Anti-
                     Virus leverage this key for def/dat removal, giving a false positive PendingReboot

.PARAMETER ComputerName
    A single Computer or an array of computer names.  The default is localhost ($env:COMPUTERNAME).

.PARAMETER ErrorLog
    A single path to send error data to a log file.

.EXAMPLE
    PS C:\> Get-PendingReboot -ComputerName (Get-Content C:\ServerList.txt) | Format-Table -AutoSize

    Computer CBServicing WindowsUpdate CCMClientSDK PendFileRename PendFileRenVal RebootPending
    -------- ----------- ------------- ------------ -------------- -------------- -------------
    DC01           False         False                       False                        False
    DC02           False         False                       False                        False
    FS01           False         False                       False                        False

    This example will capture the contents of C:\ServerList.txt and query the pending reboot
    information from the systems contained in the file and display the output in a table. The
    null values are by design, since these systems do not have the SCCM 2012 client installed,
    nor was the PendingFileRenameOperations value populated.

.EXAMPLE
    PS C:\> Get-PendingReboot

    Computer           : WKS01
    CBServicing        : False
    WindowsUpdate      : True
    CCMClient          : False
    PendComputerRename : False
    PendFileRename     : False
    PendFileRenVal     : 
    RebootPending      : True

    This example will query the local machine for pending reboot information.

.EXAMPLE
    PS C:\> $Servers = Get-Content C:\Servers.txt
    PS C:\> Get-PendingReboot -Computer $Servers | Export-Csv C:\PendingRebootReport.csv -NoTypeInformation

    This example will create a report that contains pending reboot information.

.LINK
    Component-Based Servicing:
    http://technet.microsoft.com/en-us/library/cc756291(v=WS.10).aspx

    PendingFileRename/Auto Update:
    http://support.microsoft.com/kb/2723674
    http://technet.microsoft.com/en-us/library/cc960241.aspx
    http://blogs.msdn.com/b/hansr/archive/2006/02/17/patchreboot.aspx

    SCCM 2012/CCM_ClientSDK:
    http://msdn.microsoft.com/en-us/library/jj902723.aspx

.NOTES
    Author:  Brian Wilhite
    Email:   bcwilhite (at) live.com
    Date:    29AUG2012
    PSVer:   2.0/3.0/4.0/5.0
    Updated: 27JUL2015
    UpdNote: Added Domain Join detection to PendComputerRename, does not detect Workgroup Join/Change
             Fixed Bug where a computer rename was not detected in 2008 R2 and above if a domain join occurred at the same time.
             Fixed Bug where the CBServicing wasn't detected on Windows 10 and/or Windows Server Technical Preview (2016)
             Added CCMClient property - Used with SCCM 2012 Clients only
             Added ValueFromPipelineByPropertyName=$true to the ComputerName Parameter
             Removed $Data variable from the PSObject - it is not needed
             Bug with the way CCMClientSDK returned null value if it was false
             Removed unneeded variables
             Added PendFileRenVal - Contents of the PendingFileRenameOperations Reg Entry
             Removed .Net Registry connection, replaced with WMI StdRegProv
             Added ComputerPendingRename
#>

[CmdletBinding()]
param(
        [Parameter(Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [Alias("CN","Computer")]
        [String[]]$ComputerName="$env:COMPUTERNAME",
        [String]$ErrorLog
        )

Begin {  }## End Begin Script Block
Process {
  Foreach ($Computer in $ComputerName) {
        Try {
            ## Setting pending values to false to cut down on the number of else statements
            $CompPendRen,$PendFileRename,$Pending,$SCCM = $false,$false,$false,$false
                        
            ## Setting CBSRebootPend to null since not all versions of Windows has this value
            $CBSRebootPend = $null

            ## Querying WMI for build version
            $WMI_OS = Get-WmiObject -Class Win32_OperatingSystem -Property BuildNumber, CSName -ComputerName $Computer -ErrorAction Stop

            ## Making registry connection to the local/remote computer
            $HKLM = [UInt32] "0x80000002"
            $WMI_Reg = [WMIClass] "\\$Computer\root\default:StdRegProv"

            ## If Vista/2008 & Above query the CBS Reg Key
            If ([Int32]$WMI_OS.BuildNumber -ge 6001) {
                    $RegSubKeysCBS = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\")
                    $CBSRebootPend = $RegSubKeysCBS.sNames -contains "RebootPending"
            }

            ## Query WUAU from the registry
            $RegWUAURebootReq = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\")
            $WUAURebootReq = $RegWUAURebootReq.sNames -contains "RebootRequired"

            ## Query PendingFileRenameOperations from the registry
            $RegSubKeySM = $WMI_Reg.GetMultiStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager\","PendingFileRenameOperations")
            $RegValuePFRO = $RegSubKeySM.sValue

            ## Query JoinDomain key from the registry - These keys are present if pending a reboot from a domain join operation
            $Netlogon = $WMI_Reg.EnumKey($HKLM,"SYSTEM\CurrentControlSet\Services\Netlogon").sNames
            $PendDomJoin = ($Netlogon -contains 'JoinDomain') -or ($Netlogon -contains 'AvoidSpnSet')

            ## Query ComputerName and ActiveComputerName from the registry
            $ActCompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\","ComputerName")            
            $CompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\","ComputerName")

            If (($ActCompNm -ne $CompNm) -or $PendDomJoin) {
                $CompPendRen = $true
            }

            ## If PendingFileRenameOperations has a value set $RegValuePFRO variable to $true
            If ($RegValuePFRO) {
                    $PendFileRename = $true
            }

            ## Determine SCCM 2012 Client Reboot Pending Status
            ## To avoid nested 'if' statements and unneeded WMI calls to determine if the CCM_ClientUtilities class exist, setting EA = 0
            $CCMClientSDK = $null
            $CCMSplat = @{
                NameSpace='ROOT\ccm\ClientSDK'
                Class='CCM_ClientUtilities'
                Name='DetermineIfRebootPending'
                ComputerName=$Computer
                ErrorAction='Stop'
            }
            ## Try CCMClientSDK
            Try {
                $CCMClientSDK = Invoke-WmiMethod @CCMSplat
            } Catch [System.UnauthorizedAccessException] {
                $CcmStatus = Get-Service -Name CcmExec -ComputerName $Computer -ErrorAction SilentlyContinue
                If ($CcmStatus.Status -ne 'Running') {
                    Write-Warning "$Computer`: Error - CcmExec service is not running."
                    $CCMClientSDK = $null
                }
            } Catch {
                $CCMClientSDK = $null
            }

            If ($CCMClientSDK) {
                If ($CCMClientSDK.ReturnValue -ne 0) {
                        Write-Warning "Error: DetermineIfRebootPending returned error code $($CCMClientSDK.ReturnValue)"          
                    }
                    If ($CCMClientSDK.IsHardRebootPending -or $CCMClientSDK.RebootPending) {
                        $SCCM = $true
                    }
            }
            
            Else {
                $SCCM = $null
            }

            ## Creating Custom PSObject and Select-Object Splat
            $SelectSplat = @{
                Property=(
                    'Computer',
                    'CBServicing',
                    'WindowsUpdate',
                    'CCMClientSDK',
                    'PendComputerRename',
                    'PendFileRename',
                    'PendFileRenVal',
                    'RebootPending'
                )}
            New-Object -TypeName PSObject -Property @{
                Computer=$WMI_OS.CSName
                CBServicing=$CBSRebootPend
                WindowsUpdate=$WUAURebootReq
                CCMClientSDK=$SCCM
                PendComputerRename=$CompPendRen
                PendFileRename=$PendFileRename
                PendFileRenVal=$RegValuePFRO
                RebootPending=($CompPendRen -or $CBSRebootPend -or $WUAURebootReq -or $SCCM -or $PendFileRename)
            } | Select-Object @SelectSplat

        } Catch {
            Write-Warning "$Computer`: $_"
            ## If $ErrorLog, log the file to a user specified location/path
            If ($ErrorLog) {
                Out-File -InputObject "$Computer`,$_" -FilePath $ErrorLog -Append
            }
        }
  }## End Foreach ($Computer in $ComputerName)
}## End Process

End {  }## End End

}## End Function Get-PendingReboot


Get Group Memberships of AD-Object

Get-ADPrincipalGroupMembership -identity <USER>


Search/Filter Users

Get-ADUser reference: @M$

Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=Fleetservices User,DC=fleetservices,DC=intra' `
-Server 'Fleetservices.intra'

or export result to CSV-File

Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=HPI,DC=fleet,DC=int' `
-Server 'Fleet.int' | Export-CSV c:\temp\FleetInt.csv

get logon scripts of ad-users:

Get-ADUser -filter * -SearchBase "OU=Eschborn,OU=UserAccounts,OU=Accounts,DC=europe,DC=arifleet,DC=com" `
-properties name,scriptpath | select name,scriptpath


get 'password never expires' flag:

get-aduser -filter * -SearchBase "OU=Accounts,DC=europe,DC=arifleet,DC=com" -properties Name,PasswordNeverExpires,Enabled | `
where { $_.passwordNeverExpires -eq "true" -and $_.Enabled -eq "true"} | `
select SamAccountName,PasswordNeverExpires,Enabled,DistinguishedName | `
sort -property SamAccountName | select-string -pattern "OU=ServiceAccounts" -notMatch


Bulk-Replace UPN domain of users

Import-Module ActiveDirectory
$oldSuffix = "olddomain.tld"
$newSuffix = "newdomain.tld"
$ou = "OU=Stuttgart,OU=UserAccounts,OU=Accounts,DC=europe,DC=newdomain,DC=tld"
$server = "localhost"

Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
   $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
   $_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

Bulk-Clear Manager from AD Users

$OU = "OU=Obsolete,DC=dom,DC=domain,DC=tld"
$users = get-aduser -Filter { mail -like "*" -and ObjectClass -eq "user" } -SearchBase $OU -Properties sAMAccountName,manager

# list managers
$users.manager

$users | Set-ADUser -Manager $null

Search/Filter Computers

Get-ADComputer -SearchBase 'OU=Build,OU=MemberServers,dc=europe,dc=arifleet,dc=com' -Filter '*'


Bulk change Group Scope

$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local"

$MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase"

# Print list
$MyGroupList.name

# Set scope
$MyGroupList | Set-ADGroup -GroupScope Universal

# Now we can change to DomainLocal
$MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase"

$MyGroupList.name

$MyGroupList | Set-ADGroup -GroupScope DomainLocal


DNS

set secure zone transfer servers

For all Zones:

Get-DnsServerZone | Select-Object zonename | Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers  -SecondaryServers <IP-1>,<IP-2>,<IP-n>


robocopy

robocopy F:\SOURCE D:\DESTINATION\ /MIR /FFT /Z /W:5 /tee /log:RobocopySync.log
  1. /MIR specifies that robocopy should mirror the source directory and the destination directory. Beware that this may delete files at the destination.
  2. /FFT uses fat file timing instead of NTFS. This means the granularity is a bit less precise.
  3. /W:5 reduces the wait time between failures to 5 seconds instead of the 30 second default.
  4. /R:2 reduces the repeat count of failures to 2 tries instead of the 1000000(!) default retries.
  5. /Z ensures robocopy can resume the transfer of a large file in mid-file instead of restarting.
  6. /B copy files in Backup mode.
  7. /ZB use restartable mode; if access denied use Backup mode.
  8. /MT[:n] Do multi-threaded copies with n threads (default 8).
  9. /CREATE creates directories and zero-length files only.
  10. /XF file [file]... eXclude Files matching given names/paths/wildcards.
  11. /XD dirs [dirs]... eXclude Directories matching given names/paths.
  12. /XA:H makes robocopy ignore hidden files, usually these will be system files that we’re not interested in.
  13. /log:RobocopySync.log writes output to a logfile instead of stdout. Use in combination with /tee to get output on stdout AND in the logfile.
  14. /COPY:copyflag[s] what to COPY for files (default is /COPY:DAT). (copyflags : D=Data, A=Attributes, T=Timestamps). (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
  15. /COPYALL copies all file info (same as /COPY:DATSOU).

set thumbnail-image

from an exchange server

Import-RecipientDataProperty -Identity dSchlenzig -Picture -FileData `
([Byte[]]$(Get-Content -path ".\thumb-DOMARI.jpg"  -Encoding Byte -ReadCount 0))


from an AD

$photo = [byte[]](Get-Content -Path "<path of pic>" -Encoding byte)
Set-ADUser <username> -Replace @{thumbnailPhoto=$photo}


get .Net Version installed

wmic /namespace:\\root\cimv2 path win32_product where "name like '%%.NET%%'" get name,version


List files/folderstructure recursively

List files including their relative path and output full UNC Path:

foreach ($myfile in $(ls -R -Name "\\SERVER\Share$\folder\foo\")) {
   $out = "\\SERVER\Share$\folder\foo\" + $myfile
   echo $out >> ./fileList.txt
}


List shared folders

get-WmiObject -class Win32_Share 


get ACL folder permissions

get-acl C:\folder | Format-List
$children = get-childitem e:\

foreach($child in $children) {
   echo $child.name
   (get-acl e:\$child).access | ft -auto IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags
   echo ""
   echo ""
}


set ACL folder permissions

Traverse through whole tree:

foreach ($folder in Get-ChildItem -Path .\Programme -Recurse -Directory) {
   $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
   $acl = Get-Acl $folder.fullname
   $acl.SetAccessRuleProtection($false, $true)  # Inheritance on
   $acl.SetAccessRule($AccessRule)
   Set-Acl -Path $folder.FullName -AclObject $acl
}

This folder only:

foreach ($folder in get-item \\<server>\e$\Folder) {
   $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "ListDirectory", "None", "None", "Allow")
   $acl = Get-Acl $folder.fullname
   $acl.SetAccessRuleProtection($true, $false)  # Inheritance off
   $acl.SetAccessRule($AccessRule)
   Set-Acl -Path $folder.FullName -AclObject $acl
}


Remove permissions by DOMAIN:

$acl = Get-Acl D:\path\to\folder
$rules = $acl.access | Where-Object {
   (-not $_.IsInherited) -and
   $_.IdentityReference -like "DOMAIN\*"
}

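foreach($rule in $rules) {
   [void]$acl.RemoveAccessRule($rule)
}

# Write the modified ACL back; without this the folder stays unchanged
Set-Acl -Path D:\path\to\folder -AclObject $acl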


get/set/copy NTFS permissions

Copy some folder eg. E:\Data to F:\DataNew

Since the old and new foldernames differ, we'll have to get the permissions of the root folder:

cd E:\data
icacls . /save ..\DATA-root_perms.txt /c

now we tell icacls that it should get the content of our root folder and traverse (/t) through folder-structure:

icacls .\ /save ..\DATA_perms.txt /c /t

now we have 2 permission files which we can restore on the new folder:

cd F:\DataNew
icacls . /restore E:\DATA-root_perms.txt /c
icacls .\ /restore E:\DATA_perms.txt /c

If you have the same folder name, e.g. you copy from E:\data to F:\data you can do this:

cd e:
icacls .\Data /save .\DATA_perms.txt /c /t
icacls F: /restore E:\DATA_perms.txt /c

where:

/t     Traverse through folders
/c     Continue on errors


setspn

List SPN:

setspn -L <accountname>
setspn -L <hostname>

Register new SPN:

setspn -R <server>

It will register SPN "HOST/server" and "HOST/{DNS of server}"

Register additional SPN (alias) for <server>:

setspn -S host/<serveralias> <server>


top like output

in processor time

While(1) {  
   $p = get-counter '\Process(*)\% Processor Time'; 
   cls; 
   $p.CounterSamples | sort -des CookedValue | select -f 15 | ft -a
}


in percent

while(1) {
   cls; 
   Get-Counter '\Process(*)\% Processor Time' `
   | Select-Object -ExpandProperty countersamples `
   | Select-Object -Property instancename, cookedvalue| ? {$_.instanceName -notmatch "^(idle|_total|system)$"} `
   | Sort-Object -Property cookedvalue -Descending `
   | Select-Object -First 25 `
   | ft InstanceName,@{L='CPU';E={($_.Cookedvalue/100/$env:NUMBER_OF_PROCESSORS).toString('P')}} -AutoSize; 
   sleep 2
}


Delete SPN from host:

setspn -D host/<serveralias> <server>

SCCM Related

Pull pending updates and install

function Get-CMMissingUpdate {

param (
$computer = "localhost"
)

    Get-WmiObject -Query "SELECT * FROM CCM_SoftwareUpdate" -Namespace "ROOT\ccm\ClientSDK" -ComputerName $computer

}


function Install-CMMissingUpdate {

param (
$computer = "localhost"
)

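    # Use the $computer parameter for both the update query and the manager class
    $updates = Get-WmiObject -Query 'SELECT * FROM CCM_SoftwareUpdate' -Namespace 'ROOT\ccm\ClientSDK' -ComputerName $computer
    ([wmiclass]"\\$computer\ROOT\ccm\ClientSDK:CCM_SoftwareUpdatesManager").InstallUpdates([System.Management.ManagementObject[]]$updates)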

}


SSL/TLS

yadda


Disable SSL 2.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType DWORD


Disable SSL 3.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType DWORD


Enable TLS 1.1 & TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
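
A read-only check of the SCHANNEL values written by the commands in this section, added here as an example and not part of the original page. Get-SchannelProtocolState and its -Root parameter are hypothetical names; the expected states are taken from the snippets above.

```powershell
# Added example: compare the SCHANNEL protocol keys with the state the
# commands on this page are meant to produce. Nothing is written.
# Get-SchannelProtocolState is a hypothetical helper, not a built-in cmdlet.
function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        # -Root is an assumption so the check can be pointed at a scratch key for testing
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )

    # Target state as set by the snippets on this page
    $expected = [ordered]@{
        'SSL 2.0\Server' = 'Disabled'
        'SSL 3.0\Server' = 'Disabled'
        'TLS 1.1\Server' = 'Enabled'
        'TLS 1.1\Client' = 'Enabled'
        'TLS 1.2\Server' = 'Enabled'
        'TLS 1.2\Client' = 'Enabled'
    }

    foreach ($subKey in $expected.Keys) {
        $key = Join-Path -Path $Root -ChildPath $subKey
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key          # Microsoft.Win32.RegistryKey
            $enabled = $item.GetValue('Enabled')        # $null when the value is absent
            $disabledByDefault = $item.GetValue('DisabledByDefault')
        }

        # A missing key or value means the operating system default applies
        if ($null -eq $enabled) {
            $state = 'NotConfigured'
        } elseif ($enabled -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'                          # 1 and 0xffffffff both count
        }

        # For protocols that should be on, DisabledByDefault must also be 0
        $match = ($state -eq $expected[$subKey])
        if ($match -and $expected[$subKey] -eq 'Enabled') {
            $match = ($disabledByDefault -eq 0)
        }

        $enabledText = $null
        if ($null -ne $enabled) { $enabledText = '0x{0:X8}' -f $enabled }

        [pscustomobject]@{
            Key               = $subKey
            Enabled           = $enabledText
            DisabledByDefault = $disabledByDefault
            State             = $state
            Expected          = $expected[$subKey]
            Match             = $match
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

The check reports what is stored in the registry; SCHANNEL picks up changed protocol values after a restart.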