
Configuring Server 2016 for script execution

Scripting errors related to new Windows security features have been observed on Server 2016. The solution is to disable the new Windows Defender features and force TLS 1.2.


===========================================================================================================================

Scripting errors referring to SSL or TLS issues on Windows Server 2016 can be resolved by running the script below and adding the TLS version to the script.

===========================================================================================================================

#Enable TLS 1.2 on Server 2016 (the SCHANNEL keys do not exist by default; -Force creates them and overwrites existing values)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD -Force

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType DWORD -Force



Add this block to the top of your script to force TLS 1.2 (it sets the default protocol for .NET web requests made by that PowerShell session):

#Force TLS 1.2 in the script

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12



===========================================================================================================================

Disabling all Windows Defender features in Server 2016 for script execution can be done by running the script below on the vCommander server and the target.

===========================================================================================================================

<#
This script prepares Windows Server 2016 for remote interaction with scripts and workflows.
- Disables UAC (EnableLUA=0; takes effect after a reboot)
- Disables all features of Windows Defender via policy keys
#>
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'EnableLUA' -value 0 -PropertyType DWORD -Force -Confirm:$false
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Force
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -name 'DisableAntiSpyware' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Force
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableBehaviorMonitoring' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableOnAccessProtection' -value 1 -PropertyType DWORD -Force -Confirm:$false
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -name 'DisableScanOnRealtimeEnable' -value 1 -PropertyType DWORD -Force -Confirm:$false


Disabling UAC is required for some guest command steps if you want to modify a protected area.

https://zhengwu.org/access-deny-when-run-powershell-scripts-on-windows-server/


Hi Wu,


You are correct, UAC will prevent many guest commands from running. Disabling UAC in templates is not an uncommon practice among System Administrators, and the solution in the link you provided is one way to achieve this.


You can also enable/disable UAC by running the commands below. It is a best practice to have UAC enabled after initial configuration by Commander, either by manually enabling it or by enforcing it with Group Policy.


Disable UAC:

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'EnableLUA' -value 0 -PropertyType DWORD -Force -Confirm:$false


Enable UAC:

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name 'EnableLUA' -value 1 -PropertyType DWORD -Force -Confirm:$false
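As an added example that is not part of this thread or of the Commander product, the following PowerShell reports whether the TLS 1.2, Defender and UAC registry changes from the posts above are in effect, and restores Defender and UAC to their defaults once the initial configuration is done, in line with the best practice mentioned above. The function names are my own; it assumes an elevated session on the target server.

```powershell
# Added example, not code from the original thread: audit the registry state the
# thread sets and restore Defender/UAC defaults afterwards. Run elevated.

$Tls12Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$DefenderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$SystemKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read a DWORD value; $null means the key or value is absent and the Windows default applies.
function Get-RegDword([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-ScriptExecutionPosture {
    $posture = [ordered]@{}
    foreach ($side in 'Client', 'Server') {
        $enabled  = Get-RegDword "$Tls12Key\$side" 'Enabled'
        $disabled = Get-RegDword "$Tls12Key\$side" 'DisabledByDefault'
        # 0xffffffff reads back as -1, so test for "non-zero" rather than for 1.
        $posture["Tls12$side"] = ($null -ne $enabled -and $enabled -ne 0 -and $disabled -eq 0)
    }
    $posture.DefenderDisabled = (Get-RegDword $DefenderKey 'DisableAntiSpyware') -eq 1
    $posture.RealtimeDisabled = (Get-RegDword "$DefenderKey\Real-Time Protection" 'DisableOnAccessProtection') -eq 1
    $posture.UacDisabled      = (Get-RegDword $SystemKey 'EnableLUA') -eq 0
    [pscustomobject]$posture
}

function Restore-ScriptExecutionPosture {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Remove the Defender policy overrides so the product returns to its defaults
    # (picked up at the next policy refresh or reboot). The TLS 1.2 keys are left in place.
    if ((Test-Path $DefenderKey) -and $PSCmdlet.ShouldProcess($DefenderKey, 'Remove Defender policy overrides')) {
        Remove-Item -Path $DefenderKey -Recurse -Force
    }
    # EnableLUA=1 turns UAC back on; it is applied after the next reboot.
    if ($PSCmdlet.ShouldProcess($SystemKey, 'Set EnableLUA=1')) {
        New-ItemProperty -Path $SystemKey -Name 'EnableLUA' -Value 1 -PropertyType DWORD -Force | Out-Null
    }
    Get-ScriptExecutionPosture
}

# Usage: Get-ScriptExecutionPosture | Format-List
#        Restore-ScriptExecutionPosture -WhatIf   # preview, then run again without -WhatIf
```

Where Group Policy manages these keys it will re-apply them at the next refresh, so a setting that drifts back after this restore points at a GPO rather than at the local change.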

