Configuring Server 2016 for script execution

Scripting errors related to new Windows security features have been observed on Server 2016. The solution is to disable the new Windows Defender features and force TLS 1.2.


===========================================================================================================================

Scripting errors referring to SSL or TLS issues on Windows Server 2016 can be resolved by running the script below and adding the TLS version setting to your script.

===========================================================================================================================

# Enable TLS 1.2 on Server 2016

# Create the protocol keys (-Force also creates any missing parent keys)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force

# Enable TLS 1.2 for the server and client roles (-Force overwrites a value that already exists, so the script can be re-run)
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType DWORD -Force



Add this block to the top of your script to force TLS 1.2:

# Force TLS 1.2 in the script

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12



===========================================================================================================================

Disabling all Windows Defender features in Server 2016 for script execution can be done by running the script below on the vCommander server and the target.

===========================================================================================================================

<#
This script prepares Windows Server 2016 for remote interaction with scripts and workflows.
- Disables UAC
- Disables all features of Windows Defender
#>
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'EnableLUA' -value 0 -PropertyType DWORD -Force -Confirm:$false
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -name 'DisableAntiSpyware' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Force
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableBehaviorMonitoring' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableOnAccessProtection' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableScanOnRealtimeEnable' -value 1 -PropertyType DWORD -Force -Confirm:$false
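
To confirm what the two scripts above changed on a host, or to inventory hosts where UAC and Windows Defender were turned off this way, the following added example (not part of the original post) reads back each registry value and compares it with the value the post writes. The function name Get-ScriptPrepState and its column names are hypothetical; the code only reads the registry.

```powershell
# Added example: read-only audit of the registry values written by the scripts on this page.
# Get-ScriptPrepState is a hypothetical name; nothing here modifies the system.
function Get-ScriptPrepState {
    $tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $def = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtp = "$def\Real-Time Protection"

    # Each row: area, key path, value name, and the value the page's scripts write.
    $checks = @(
        @('TLS 1.2',  "$tls\Server", 'Enabled',                     '0xffffffff'),
        @('TLS 1.2',  "$tls\Server", 'DisabledByDefault',           '0x00000000'),
        @('TLS 1.2',  "$tls\Client", 'Enabled',                     '0x00000001'),
        @('TLS 1.2',  "$tls\Client", 'DisabledByDefault',           '0x00000000'),
        @('UAC',      $uac,          'EnableLUA',                   '0x00000000'),
        @('Defender', $def,          'DisableAntiSpyware',          '0x00000001'),
        @('Defender', $rtp,          'DisableBehaviorMonitoring',   '0x00000001'),
        @('Defender', $rtp,          'DisableOnAccessProtection',   '0x00000001'),
        @('Defender', $rtp,          'DisableScanOnRealtimeEnable', '0x00000001')
    )

    foreach ($c in $checks) {
        $area, $path, $name, $pageValue = $c
        # A missing key or value yields $null instead of a terminating error.
        $raw = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        # A DWORD of 0xffffffff can read back as -1 (Int32); hex formatting normalizes it.
        $actual = if ($null -eq $raw) { 'not set' } else { '0x{0:x8}' -f $raw }
        [pscustomobject]@{
            Area        = $area
            Name        = $name
            Actual      = $actual
            PageValue   = $pageValue
            MatchesPage = ($actual -eq $pageValue)
        }
    }
}

Get-ScriptPrepState | Format-Table -AutoSize

# Protocols the current PowerShell session offers for outbound .NET connections.
"SecurityProtocol for this session: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

Registry changes under SCHANNEL and to EnableLUA take effect after a restart, so a matching value does not by itself mean the running system has picked it up.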
