This is a script to do a basic Windows configuration all through PowerShell
The script will do the following:
1. Give the computer an IP address, DNS server and gateway
2. Give the computer a name
3. Disable scanning of mapped network drives in Windows Defender full scans
4. Set the connection profile to private
5. Open all inbound TCP ports to the local LAN (Domain and Private firewall profiles only)
6. Enable SMB connections from remote computers
7. Create a scheduled task to start the AppLocker service
8. Create some users and add them to groups
9. Set the users' passwords to never expire and clear the requirement to change the password at next logon
10. Install a list of applications using Chocolatey (see here for more detail)
11. Enable SMB v1 (deprecated; enable only if a legacy device on the LAN requires it)
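# Baseline configuration for a standalone Windows machine on a small private LAN.
# Run from an elevated PowerShell session. The script prompts for the values it
# needs, applies Defender, network, firewall, registry, scheduled-task, account
# and package settings, enables SMB v1, then renames the computer and restarts.

$IPAddress    = Read-Host -Prompt "Enter IP Address"
$ComputerName = Read-Host -Prompt "Computer Name"

# The account password is prompted for instead of being stored in the script,
# so it never sits in the file, in backups of it, or in source control.
# Every account created below (including the administrator) gets this one
# password; give each account its own password once provisioning is done.
$password = Read-Host -Prompt "Password for the new local accounts" -AsSecureString
if ($password.Length -eq 0) {
    throw "An empty password is not accepted for the new local accounts."
}

# --- Windows Defender ---
# Real-time protection stays enabled; only mapped network drives are left out
# of full scans.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true

# --- Network ---
$PName = Get-NetConnectionProfile | Select-Object -ExpandProperty Name
Set-NetConnectionProfile -Name $PName -NetworkCategory Private

# NOTE(review): (Get-NetAdapter) is assumed to return exactly one adapter; with
# several adapters these two calls receive arrays - confirm on the target machine.
New-NetIPAddress -IPAddress $IPAddress -DefaultGateway "192.168.0.1" -PrefixLength 24 -InterfaceIndex (Get-NetAdapter).InterfaceIndex -AddressFamily IPv4
Set-DnsClientServerAddress -InterfaceAlias (Get-NetAdapter).InterfaceAlias -ServerAddresses 192.168.0.1
Start-Sleep -Seconds 15

# --- Firewall ---
# Allows inbound TCP on every port. -RemoteAddress LocalSubnet limits the rule
# to sources on the local subnet, which is the stated intent; without it the
# rule accepts any source address that can reach the machine while the Domain
# or Private profile is active. UDP is not covered by this rule.
New-NetFirewallRule -DisplayName 'All Local Traffic' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort ('0-65535') -RemotePort ('0-65535') -RemoteAddress LocalSubnet

# --- Remote administration over SMB ---
# FilterAdministratorToken = 0: the built-in Administrator account is not put
# in Admin Approval Mode.
# LocalAccountTokenFilterPolicy = 1: local administrator accounts connecting
# over the network receive a full administrative token (UAC remote restriction
# off). Any local admin credential is then valid for remote administration of
# this machine, so keep those passwords unique per machine.
# -Force overwrites an existing value so the script can be run again.
$policyKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
New-ItemProperty -Path $policyKey -Name "FilterAdministratorToken" -PropertyType DWord -Value 0 -Force
New-ItemProperty -Path $policyKey -Name "LocalAccountTokenFilterPolicy" -PropertyType DWord -Value 1 -Force
Start-Sleep -Seconds 60

# --- Scheduled task: start AppLocker at boot ---
# The task runs C:\System\Start_AppLocker.ps1 as NT AUTHORITY\SYSTEM. Whoever
# can write to that file or its folder can run code as SYSTEM at the next boot,
# so C:\System should be writable by Administrators and SYSTEM only.
$Trigger = New-ScheduledTaskTrigger -AtStartup
$User    = "NT AUTHORITY\SYSTEM"
$Action  = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\System\Start_AppLocker.ps1"
Register-ScheduledTask -TaskName "Start AppLocker" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
Start-Sleep -Seconds 10

# --- Local accounts ---
$usergroup   = "Users"
$admingroup  = "Administrators"
$remotegroup = "Remote Desktop Users"
$users = @(
    "User"
    "Admin"
    "Plexsvc"
)

foreach ($user in $users) {
    New-LocalUser -Name "$user" -Password $password
    Add-LocalGroupMember -Group "$usergroup" -Member "$user"
    # Every account, the service account included, is allowed to log on over RDP.
    Add-LocalGroupMember -Group "$remotegroup" -Member "$user"
    Set-LocalUser -Name "$user" -PasswordNeverExpires $true

    # Clear the "must change password at next logon" flag through ADSI.
    $expUser = [ADSI]"WinNT://localhost/$user,user"
    $expUser.passwordExpired = 0
    $expUser.setinfo()

    if ($user -eq 'Admin') {
        Add-LocalGroupMember -Group "$admingroup" -Member "$user"
    }
}

# --- Chocolatey and packages ---
Set-Location -Path 'C:\temp'

# NOTE(review): the next statement downloads a script and executes it in this
# elevated session with no integrity check beyond HTTPS. Where that is not
# acceptable, download install.ps1 first, review it, pin its hash, and run the
# reviewed copy from an internal location.
# TLS 1.2 (3072) is enabled explicitly so the download also works on systems
# where it is not on by default.
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

choco feature enable -n allowGlobalConfirmation
# packages.config is read from C:\temp; its contents decide what gets installed
# with administrative rights, so treat that file as trusted input only.
choco install .\packages.config -y
# "choco upgrade all" is the long form of "cup all"; the short alias is not
# present in newer Chocolatey releases.
choco upgrade all

# --- SMB v1 ---
# SMB v1 is a deprecated protocol without the protections of SMB v2/v3. It is
# enabled here on purpose; remove this step if no legacy device needs it.
Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -All

# Renaming is done last because it restarts the machine.
Rename-Computer -NewName $ComputerName -Restart -Force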