Windows/powershell
Snippets for powershell
Note that Exchange-related powershell commands should be listed here
Inhaltsverzeichnis
- 1 execution policy
- 2 external AD-snapin
- 3 get loadable modules
- 4 import system modules
- 5 Remoting
- 6 Set Systemvariables (persistent)
- 7 get/set registry keys
- 8 set AD password
- 9 Clean WinSxS folder
- 10 get/set netconnectionprofile
- 11 get primary DC (PDC)
- 12 Logging
- 13 get last logon user
- 14 get currently logged on user
- 15 get uptime of system
- 16 timeserver settings
- 17 Get Service names
- 18 Bitlocker
- 19 Software
- 20 get-pendingreboot
- 21 Get Group Memberships of AD-Object
- 22 Search/Filter Users
- 23 Search/Filter Computers
- 24 Bulk change Group Scope
- 25 DNS
- 26 robocopy
- 27 set thumbnail-image
- 28 get .Net Version installed
- 29 List files/folderstructure recursively
- 30 List shared folders
- 31 get ACL folder permissions
- 32 set/remove ACL folder permissions
- 33 get/set/copy NTFS permissions
- 34 setspn
- 35 top like output
- 36 SCCM Related
- 37 SSL/TLS
execution policy
Set-ExecutionPolicy Unrestricted
possible values:
help about_Execution_Policies
external AD-snapin
http://software.dell.com/products/active-roles/powershell.aspx
Nach der Installation dann mit folgendem command einbinden:
Add-PSSnapin Quest.ActiveRoles.ADManagement
Und damit kannst du dann tolle Sachen machen wie:
Get-QADGroup -ContainsMember username
get loadable modules
Get-Module -ListAvailable
import system modules
ImportSystemModules
VEEAM Snapin
asnp "VeeamPSSnapIn" -ErrorAction SilentlyContinue
Remoting
Enter-PSSession -computername <computername> [<computername>]: PS C:\>
Set Systemvariables (persistent)
[Environment]::SetEnvironmentVariable("CHRIS", "Yadda", "Machine")
- Variable Name
- Value
- Scope: User or Machine
To see such changes you need to start a new Powershell window
and enter:
Get-ChildItem env:
or
Get-ChildItem env:CHRIS
or
Get-ChildItem env:CHR*
get/set registry keys
get item(s):
Get-ItemProperty 'Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\...' | fl
new folder:
New-Item -Path 'Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOME\Path\Create' -Force | Out-Null
new item:
New-ItemProperty -Path 'Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOME\Path\Create\' -Name MyVar -Value 1 -PropertyType DWORD -Force | Out-Null
set AD password
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)
Clean WinSxS folder
to remove unneeded stuff from c:\windows\WinSxS\*.*
do the following:
Get-WindowsFeature | where-object{$_.Installed -eq 0 -and $_.InstallState -eq 'Available'} | uninstall-windowsfeature -remove
get/set netconnectionprofile
PS C:\> Get-NetConnectionProfile Name : arifleet.com InterfaceAlias : Internal InterfaceIndex : 1 NetworkCategory : DomainAuthenticated IPv4Connectivity : LocalNetwork IPv6Connectivity : LocalNetwork Name : Network InterfaceAlias : Internet InterfaceIndex : 3 NetworkCategory : Public IPv4Connectivity : LocalNetwork IPv6Connectivity : LocalNetwork PS C:\> Set-NetConnectionProfile -InterfaceIndex 3 -NetworkCategory Private
If a Domain Network (VPN interface or such) is detected as 'Private' instead of DomainAuthenticated,
restart the 'Network Location Awareness' Service: NlaSvc
Get-Service *nlasvc* | Restart-Service -force
get primary DC (PDC)
Netdom Query Fsmo
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Logging
Filter log by EventID:
Get-EventLog -LogName "Directory Service" -after $startdate | where { $_.eventid -eq 2889 } | ` select Source, EventID, InstanceId, Message | Export-Csv c:\eventID_2889.csv ";"
get last logon user
RPC-Call:
(Get-WmiObject -Class win32_process -ComputerName $c | Where-Object name -Match explorer).getowner().user
get currently logged on user
get-wmiobject -Class Win32_ComputerSystem | select username
get uptime of system
(get-date) - (gcim Win32_OperatingSystem).LastBootUpTime
timeserver settings
query source servers:
w32tm /query /source
set source servers:
net stop w32time; w32tm /config /syncfromflags:manual /manualpeerlist:10.2.8.3; w32tm /config /reliable:yes; net start w32time;
Without stopping w32time:
w32tm /config /syncfromflags:manual /manualpeerlist:"time.domain.tld time2.domain.tld" /reliable:yes /update
Sync with timeservers:
w32tm /resync /force
Get Service names
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Select name
get services and run state:
Get-Service | Where-Object {$_.displayName.contains("smartFIX ")}
or (simulate case insensitive)
Get-Service | Where-Object {$_.displayName.toLower().contains("smartfix ")}
get list of services that start with watch* (case sensitive)
Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Start-Service Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Stop-Service Get-Service | Where-Object {$_.displayName.StartsWith("watch")} | Restart-Service
Bitlocker
get-tpm
Initialize-Tpm
Get-BitLockerVolume
Enable-BitLocker -TpmProtector C:
Enable-BitLocker -RecoveryPasswordProtector C:
Software
get software installed
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize
or
Get-WmiObject -Class win32_product [-ComputerName hvs00] -Filter "Name like '%symantec%'"
remove/uninstall software
$b = Get-WmiObject -Class win32_product [-ComputerName hvs00] -Filter "Name like '%symantec%'" $b.Uninstall() __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 1 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ReturnValue : 0 <-- Check ReturnValue is equal 0 PSComputerName :
get-pendingreboot
Source: [https://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542]
Function Get-PendingReboot { <# .SYNOPSIS Gets the pending reboot status on a local or remote computer. .DESCRIPTION This function will query the registry on a local or remote computer and determine if the system is pending a reboot, from Microsoft updates, Configuration Manager Client SDK, Pending Computer Rename, Domain Join or Pending File Rename Operations. For Windows 2008+ the function will query the CBS registry key as another factor in determining pending reboot state. "PendingFileRenameOperations" and "Auto Update\RebootRequired" are observed as being consistant across Windows Server 2003 & 2008. CBServicing = Component Based Servicing (Windows 2008+) WindowsUpdate = Windows Update / Auto Update (Windows 2003+) CCMClientSDK = SCCM 2012 Clients only (DetermineIfRebootPending method) otherwise $null value PendComputerRename = Detects either a computer rename or domain join operation (Windows 2003+) PendFileRename = PendingFileRenameOperations (Windows 2003+) PendFileRenVal = PendingFilerenameOperations registry value; used to filter if need be, some Anti- Virus leverage this key for def/dat removal, giving a false positive PendingReboot .PARAMETER ComputerName A single Computer or an array of computer names. The default is localhost ($env:COMPUTERNAME). .PARAMETER ErrorLog A single path to send error data to a log file. .EXAMPLE PS C:\> Get-PendingReboot -ComputerName (Get-Content C:\ServerList.txt) | Format-Table -AutoSize Computer CBServicing WindowsUpdate CCMClientSDK PendFileRename PendFileRenVal RebootPending -------- ----------- ------------- ------------ -------------- -------------- ------------- DC01 False False False False DC02 False False False False FS01 False False False False This example will capture the contents of C:\ServerList.txt and query the pending reboot information from the systems contained in the file and display the output in a table. The null values are by design, since these systems do not have the SCCM 2012 client installed, nor was the PendingFileRenameOperations value populated. .EXAMPLE PS C:\> Get-PendingReboot Computer : WKS01 CBServicing : False WindowsUpdate : True CCMClient : False PendComputerRename : False PendFileRename : False PendFileRenVal : RebootPending : True This example will query the local machine for pending reboot information. .EXAMPLE PS C:\> $Servers = Get-Content C:\Servers.txt PS C:\> Get-PendingReboot -Computer $Servers | Export-Csv C:\PendingRebootReport.csv -NoTypeInformation This example will create a report that contains pending reboot information. .LINK Component-Based Servicing: http://technet.microsoft.com/en-us/library/cc756291(v=WS.10).aspx PendingFileRename/Auto Update: http://support.microsoft.com/kb/2723674 http://technet.microsoft.com/en-us/library/cc960241.aspx http://blogs.msdn.com/b/hansr/archive/2006/02/17/patchreboot.aspx SCCM 2012/CCM_ClientSDK: http://msdn.microsoft.com/en-us/library/jj902723.aspx .NOTES Author: Brian Wilhite Email: bcwilhite (at) live.com Date: 29AUG2012 PSVer: 2.0/3.0/4.0/5.0 Updated: 27JUL2015 UpdNote: Added Domain Join detection to PendComputerRename, does not detect Workgroup Join/Change Fixed Bug where a computer rename was not detected in 2008 R2 and above if a domain join occurred at the same time. Fixed Bug where the CBServicing wasn't detected on Windows 10 and/or Windows Server Technical Preview (2016) Added CCMClient property - Used with SCCM 2012 Clients only Added ValueFromPipelineByPropertyName=$true to the ComputerName Parameter Removed $Data variable from the PSObject - it is not needed Bug with the way CCMClientSDK returned null value if it was false Removed unneeded variables Added PendFileRenVal - Contents of the PendingFileRenameOperations Reg Entry Removed .Net Registry connection, replaced with WMI StdRegProv Added ComputerPendingRename #> [CmdletBinding()] param( [Parameter(Position=0,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)] [Alias("CN","Computer")] [String[]]$ComputerName="$env:COMPUTERNAME", [String]$ErrorLog ) Begin { }## End Begin Script Block Process { Foreach ($Computer in $ComputerName) { Try { ## Setting pending values to false to cut down on the number of else statements $CompPendRen,$PendFileRename,$Pending,$SCCM = $false,$false,$false,$false ## Setting CBSRebootPend to null since not all versions of Windows has this value $CBSRebootPend = $null ## Querying WMI for build version $WMI_OS = Get-WmiObject -Class Win32_OperatingSystem -Property BuildNumber, CSName -ComputerName $Computer -ErrorAction Stop ## Making registry connection to the local/remote computer $HKLM = [UInt32] "0x80000002" $WMI_Reg = [WMIClass] "\\$Computer\root\default:StdRegProv" ## If Vista/2008 & Above query the CBS Reg Key If ([Int32]$WMI_OS.BuildNumber -ge 6001) { $RegSubKeysCBS = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\") $CBSRebootPend = $RegSubKeysCBS.sNames -contains "RebootPending" } ## Query WUAU from the registry $RegWUAURebootReq = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\") $WUAURebootReq = $RegWUAURebootReq.sNames -contains "RebootRequired" ## Query PendingFileRenameOperations from the registry $RegSubKeySM = $WMI_Reg.GetMultiStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager\","PendingFileRenameOperations") $RegValuePFRO = $RegSubKeySM.sValue ## Query JoinDomain key from the registry - These keys are present if pending a reboot from a domain join operation $Netlogon = $WMI_Reg.EnumKey($HKLM,"SYSTEM\CurrentControlSet\Services\Netlogon").sNames $PendDomJoin = ($Netlogon -contains 'JoinDomain') -or ($Netlogon -contains 'AvoidSpnSet') ## Query ComputerName and ActiveComputerName from the registry $ActCompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\","ComputerName") $CompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\","ComputerName") If (($ActCompNm -ne $CompNm) -or $PendDomJoin) { $CompPendRen = $true } ## If PendingFileRenameOperations has a value set $RegValuePFRO variable to $true If ($RegValuePFRO) { $PendFileRename = $true } ## Determine SCCM 2012 Client Reboot Pending Status ## To avoid nested 'if' statements and unneeded WMI calls to determine if the CCM_ClientUtilities class exist, setting EA = 0 $CCMClientSDK = $null $CCMSplat = @{ NameSpace='ROOT\ccm\ClientSDK' Class='CCM_ClientUtilities' Name='DetermineIfRebootPending' ComputerName=$Computer ErrorAction='Stop' } ## Try CCMClientSDK Try { $CCMClientSDK = Invoke-WmiMethod @CCMSplat } Catch [System.UnauthorizedAccessException] { $CcmStatus = Get-Service -Name CcmExec -ComputerName $Computer -ErrorAction SilentlyContinue If ($CcmStatus.Status -ne 'Running') { Write-Warning "$Computer`: Error - CcmExec service is not running." $CCMClientSDK = $null } } Catch { $CCMClientSDK = $null } If ($CCMClientSDK) { If ($CCMClientSDK.ReturnValue -ne 0) { Write-Warning "Error: DetermineIfRebootPending returned error code $($CCMClientSDK.ReturnValue)" } If ($CCMClientSDK.IsHardRebootPending -or $CCMClientSDK.RebootPending) { $SCCM = $true } } Else { $SCCM = $null } ## Creating Custom PSObject and Select-Object Splat $SelectSplat = @{ Property=( 'Computer', 'CBServicing', 'WindowsUpdate', 'CCMClientSDK', 'PendComputerRename', 'PendFileRename', 'PendFileRenVal', 'RebootPending' )} New-Object -TypeName PSObject -Property @{ Computer=$WMI_OS.CSName CBServicing=$CBSRebootPend WindowsUpdate=$WUAURebootReq CCMClientSDK=$SCCM PendComputerRename=$CompPendRen PendFileRename=$PendFileRename PendFileRenVal=$RegValuePFRO RebootPending=($CompPendRen -or $CBSRebootPend -or $WUAURebootReq -or $SCCM -or $PendFileRename) } | Select-Object @SelectSplat } Catch { Write-Warning "$Computer`: $_" ## If $ErrorLog, log the file to a user specified location/path If ($ErrorLog) { Out-File -InputObject "$Computer`,$_" -FilePath $ErrorLog -Append } } }## End Foreach ($Computer in $ComputerName) }## End Process End { }## End End }## End Function Get-PendingReboot
Get Group Memberships of AD-Object
Get-ADPrincipalGroupMembership -identity <USER>
Search/Filter Users
Get-ADUser reference: @M$
Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=Fleetservices User,DC=fleetservices,DC=intra' \ -Server 'Fleetservices.intra'
or export result to CSV-File
Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Title -SearchBase 'OU=HPI,DC=fleet,DC=int' \ -Server 'Fleet.int' | Export-CSV c:\temp\FleetInt.csv
get logon scripts of ad-users:
Get-ADUser -filter * -SearchBase "OU=Eschborn,OU=UserAccounts,OU=Accounts,DC=europe,DC=arifleet,DC=com" \ -properties name,scriptpath | select name,scriptpath
get 'password never expires' flag:
get-aduser -filter * -SearchBase "OU=Accounts,DC=europe,DC=arifleet,DC=com" -properties Name,PasswordNeverExpires,Enabled | ` where { $_.passwordNeverExpires -eq "true" -and $_.Enabled -eq "true"} | ` select SamAccountName,PasswordNeverExpires,Enabled,DistinguishedName | ` sort -property SamAccountName | select-string -pattern "OU=ServiceAccounts" -notMatch
Bulk-Replace UPN domain of users
Import-Module ActiveDirectory $oldSuffix = "olddomain.tld" $newSuffix = "newdomain.tld" $ou = "OU=Stuttgart,OU=UserAccounts,OU=Accounts,DC=europe,DC=newdomain,DC=tld" $server = "localhost" Get-ADUser -SearchBase $ou -filter * | ForEach-Object { $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix) $_ | Set-ADUser -server $server -UserPrincipalName $newUpn }
Bulk-Clear Manager from AD Users
$OU = "OU=Obsolete,DC=dom,DC=domain,DC=tld" $users = get-aduser -Filter { mail -like "*" -and ObjectClass -eq "user" } -SearchBase $OU -Properties sAMAccountName,manager # list managers $users.manager $users | Set-ADUser -Manager $null
Search/Filter Computers
Get-ADComputer -SearchBase 'OU=Build,OU=MemberServers,dc=europe,dc=arifleet,dc=com' -Filter '*'
Bulk change Group Scope
$MySearchBase = "ou=Groups,ou=ABC,dc=lab,dc=local" $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' -SearchBase "$MySearchBase" # Print list $MyGroupList.name # Set scope $MyGroupList | Set-ADGroup -GroupScope Universal # Now we can change to DomainLocal $MyGroupList = get-adgroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Universal"' -SearchBase "$MySearchBase" $MyGroupList.name $MyGroupList | Set-ADGroup -GroupScope DomainLocal
DNS
set secure zone transfer servers
For all Zones:
Get-DnsServerZone | Select-Object zonename | Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers -SecondaryServers <IP-1>,<IP-2>,<IP-n>
robocopy
robocopy F:\SOURCE D:\DESTINATION\ /MIR /FFT /Z /W:5 /tee /log:RobocopySync.log
- /MIR specifies that robocopy should mirror the source directory and the destination directory. Beware that this may delete files at the destination.
- /FFT uses fat file timing instead of NTFS. This means the granularity is a bit less precise.
- /W:5 reduces the wait time between failures to 5 seconds instead of the 30 second default.
- /R:2 reduces the repeat count of failures to 2 tries instead of the 1000000(!) default retries.
- /Z ensures robocopy can resume the transfer of a large file in mid-file instead of restarting.
- /B copy files in Backup mode.
- /ZB use restartable mode; if access denied use Backup mode.
- /MT[:n] Do multi-threaded copies with n threads (default 8).
- /CREATE creates directories and zero-length files only.
- /XF file [file]... eXclude Files matching given names/paths/wildcards.
- /XD dirs [dirs]... eXclude Directories matching given names/paths.
- /XA:H makes robocopy ignore hidden files, usually these will be system files that we’re not interested in.
- /log:RobocopySync.log write output into logfile instead stdout. Use in combination with /tee to get output to stdout AND logfile
- /COPY:copyflag[s] what to COPY for files (default is /COPY:DAT). (copyflags : D=Data, A=Attributes, T=Timestamps). (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).
- /COPYALL Same as /COPY:DATSOU)
set thumbnail-image
from an exchange server
Import-RecipientDataProperty -Identity dSchlenzig -Picture -FileData \ ([Byte[]]$(Get-Content -path ".\thumb-DOMARI.jpg" -Encoding Byte -ReadCount 0))
from an AD
$photo = [byte[]](Get-Content path of pic -Encoding byte) Set-ADUser username -Replace @{thumbnailPhoto=$photo}
get .Net Version installed
wmic /namespace:\\root\cimv2 path win32_product where "name like '%%.NET%%'" get name,version
List files/folderstructure recursively
List files including their relative path and output full UNC Path:
foreach ($myfile in $(ls -R -Name "\\SERVER\Share$\folder\foo\")) { $out = "\\SERVER\Share$\folder\foo\" + $myfile echo $out >> ./fileList.txt }
get-WmiObject -class Win32_Share
get ACL folder permissions
get-acl C:\folder | Format-List
$children = get-childitem e:\ foreach($child in $children) { echo $child.name (get-acl e:\$child).access | ft -auto IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags echo "" echo "" }
set/remove ACL folder permissions
Traverse through whole tree:
foreach ($folder in Get-ChildItem -Path .\Programme -Recurse -Directory) { $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") $acl = Get-Acl $folder.fullname $acl.SetAccessRuleProtection($false, $true) # Inheritance on $acl.SetAccessRule($AccessRule) Set-Acl -Path $folder.FullName -AclObject $acl }
This folder only:
foreach ($folder in get-item \\<server>\e$\Folder) { $AccessRule = New-Object System.Security.Accesscontrol.FileSystemAccessRule ("domain\user", "ListDirectory", "None", "None", "Allow") $acl = Get-Acl $folder.fullname $acl.SetAccessRuleProtection($true, $false) # Inheritance off $acl.SetAccessRule($AccessRule) Set-Acl -Path $folder.FullName -AclObject $acl }
Remove permissions by DOMAIN:
$acl = Get-Acl D:\path\to\folder $rules = $acl.access | Where-Object { (-not $_.IsInherited) -and $_.IdentityReference -like "DOMAIN\*" } foreach($rule in $rules) { $acl.RemoveAccessRule($rule) }
Remove a User/Group completely from ACLs:
(This includes all Allow AND Deny rules)
$acl = Get-Acl D:\path $usersid = New-Object System.Security.Principal.Ntaccount("CREATOR OWNER") $acl.PurgeAccessRules($usersid) $acl | Set-Acl D:\path
get/set/copy NTFS permissions
Copy some folder eg. E:\Data to F:\DataNew
Since the old and new foldernames differ, we'll have to get the permissions of the root folder:
cd E:\data icacls . /save ..\DATA-root_perms.txt /c
now we tell icacls that it should get the content of our root folder and traverse (/t) through folder-structure:
icacls .\ /save ..\DATA_perms.txt /c /t
now we have 2 permission files which we can restore on the new folder:
cd F:\DataNew icacls . /restore E:\DATA-root_perms.txt /c icacls .\ /restore E:\DATA_perms.txt /c
If you have the same folder name, e.g. you copy from E:\data to F:\data you can do this:
cd e: icacls .\Data /save .\DATA_perms.txt /c /t icacls F: /restore E:\DATA_perms.txt /c
where:
/t Traverse through folders /c Continue on errors
setspn
List SPN:
setspn -L <accountname>
setspn -L <hostname>
Register new SPN:
setspn -R <server>
It will register SPN "HOST/server" and "HOST/{DNS of server}"
Register additional SPN (alias) for <server>:
setspn -S host/<serveralias> <server>
top like output
in processor time
While(1) { $p = get-counter '\Process(*)\% Processor Time'; cls; $p.CounterSamples | sort -des CookedValue | select -f 15 | ft -a }
in percent
while(1) { cls; Get-Counter '\Process(*)\% Processor Time' ` | Select-Object -ExpandProperty countersamples ` | Select-Object -Property instancename, cookedvalue| ? {$_.instanceName -notmatch "^(idle|_total|system)$"} ` | Sort-Object -Property cookedvalue -Descending ` | Select-Object -First 25 ` | ft InstanceName,@{L='CPU';E={($_.Cookedvalue/100/$env:NUMBER_OF_PROCESSORS).toString('P')}} -AutoSize; sleep 2 }
Delete SPN from host:
setspn -D host/<serveralias> <server>
SCCM Related
Pull pending updates and install
function Get-CMMissingUpdate { param ( $computer = "localhost" ) Get-WmiObject -Query "SELECT * FROM CCM_SoftwareUpdate" -Namespace "ROOT\ccm\ClientSDK" -ComputerName $computer } function Install-CMMissingUpdate { param ( $computer = "localhost" ) ([wmiclass]'ROOT\ccm\ClientSDK:CCM_SoftwareUpdatesManager').InstallUpdates([System.Management.ManagementObject[]] ( Get-WmiObject -Query 'SELECT * FROM CCM_SoftwareUpdate' -namespace 'ROOT\ccm\ClientSDK')) }
SSL/TLS
yadda
Disable SSL 2.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 –PropertyType DWORD
Disable SSL 3.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 –PropertyType DWORD
Enable TLS 1.1 & TLS 1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 –PropertyType DWORD New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD