In an earlier blog entry I discussed Puppet and how to create a user for Puppet to run under.
I use Puppet to fix problems with new Windows 10 computers and VMs. The core of the Puppet configuration is a PowerShell script which is deployed and runs on the nodes.
The default node in the site.pp file declares the class configuration, which controls the PowerShell script.

    node default {
      class { 'configuration': }
      # other stuff
    }#node

The site.pp file of the configuration module defines the configuration class. Among other things it defines a class ntrights, a class basic and a class configure_puppet_windows_user (see Configure Puppet User via Puppet).

    class configuration {
      class { 'configuration::basic': }
    }#class

The class basic runs a basic configuration script.

    class configuration::basic {
      if $operatingsystem == 'windows' {
        file { 'C:\Windows\Temp\BasicConfiguration.ps1':
          ensure             => file,
          source_permissions => ignore,
          source             => 'puppet:///files/BasicConfiguration.ps1',
          before             => Exec['basic_configuration'],
        }#file
        exec { 'basic_configuration':
          require => File['C:\Windows\Temp\BasicConfiguration.ps1'],
          command => 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy remotesigned -file C:\Windows\Temp\BasicConfiguration.ps1',
        }#exec
      }#if
    }#class

And this is a version of the BasicConfiguration.ps1 script:

    # Allow PowerShell scripts (default scope is LocalMachine, so this applies machine-wide)
    Set-ExecutionPolicy "Unrestricted"

    # Disable notifications
    Set-Service "wscsvc" -StartupType "Automatic"
    $pathExplorerRegistry = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
    if (!(Test-Path $pathExplorerRegistry)) {
        New-Item -ItemType "Directory" $pathExplorerRegistry
    }#if
    Set-ItemProperty $pathExplorerRegistry "DisableNotificationCenter" 1

    # Disable "Superfetch"
    Set-Service SysMain -StartupType Disabled

    # Disable automatic updates
    $pathWindowsUpdateAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
    if (!(Test-Path $pathWindowsUpdateAU)) {
        New-Item -ItemType Directory $pathWindowsUpdateAU -Force
    }#if
    Set-ItemProperty $pathWindowsUpdateAU "AUOptions" 1
    $cs = Get-WmiObject Win32_ComputerSystem
    if (!($cs.PartOfDomain)) {
        Set-Service "wuauserv" -StartupType "Automatic"
    }#if

    # Disable error reporting
    $pathErrorReporting = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting"
    Set-ItemProperty $pathErrorReporting "Disabled" 1

    # Disable Firewall for the Domain and Private profiles (the Public profile is left unchanged)
    Get-NetFirewallProfile | Where-Object {$_.Name -eq "Domain"} | Set-NetFirewallProfile -Enabled "False"
    Get-NetFirewallProfile | Where-Object {$_.Name -eq "Private"} | Set-NetFirewallProfile -Enabled "False"

    # Enable search service
    $sSearchService = "wsearch"
    if (!((Get-Service $sSearchService).Status -eq "Running")) {
        Set-Service $sSearchService -StartupType "Automatic"
        Start-Service $sSearchService
    }#if

    # Install root certificate if file exists
    # (whatever certificate is at this path becomes a machine-wide trusted root)
    $pathRootCertificate = "C:\Windows\Temp\SomeCert.cer"
    if (Test-Path $pathRootCertificate) {
        $pathRootCertificateStore = "Cert:\LocalMachine\Root\"
        Push-Location
        # Import-Certificate uses the current location as the destination store
        Set-Location $pathRootCertificateStore
        Import-Certificate $pathRootCertificate
        Pop-Location
    }#if

    # Map public drive for all users
    # RunOnce removes an existing P: mapping at the next logon; Run maps the share at every logon
    $pathCurrentVersionRun = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
    $pathCurrentVersionRunOnce = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"
    # -Force overwrites an existing value, so repeated Puppet runs do not fail on "property already exists"
    New-ItemProperty $pathCurrentVersionRunOnce -Name "RemovePublicDrive" -Value "net use p: /delete" -PropertyType "string" -Force
    New-ItemProperty $pathCurrentVersionRun -Name "MapPublicDrive" -Value "net use p: \\MyServer\public /persistent:yes" -PropertyType "string" -Force

I hope this helps someone. Modify as required.
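
The root certificate step in BasicConfiguration.ps1 trusts whatever file is present at C:\Windows\Temp\SomeCert.cer. The following is an added example, not part of the original script, that imports the file into the machine root store only when its thumbprint matches a pinned value. The function name Import-PinnedRootCertificate and the thumbprint placeholder are assumptions.

```powershell
# Added example: import a root certificate only if it matches a pinned thumbprint.
# Import-PinnedRootCertificate is a hypothetical helper, not part of the original script.
function Import-PinnedRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [string] $StoreLocation = 'Cert:\LocalMachine\Root'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "No certificate file at $Path, nothing to import."
        return $false
    }

    # Load the file without touching any store so it can be inspected first.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # Normalise the pinned value: thumbprints are often pasted with spaces or in lower case.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    if ($cert.Thumbprint -ne $expected) {
        Write-Error "Thumbprint mismatch for ${Path}: got $($cert.Thumbprint). Not importing."
        return $false
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Error "Certificate $($cert.Subject) is outside its validity period. Not importing."
        return $false
    }
    # Idempotent: skip the import when the certificate is already in the store.
    if (Test-Path -LiteralPath (Join-Path $StoreLocation $cert.Thumbprint)) {
        return $true
    }
    Import-Certificate -FilePath $Path -CertStoreLocation $StoreLocation | Out-Null
    return $true
}

# Placeholder value: replace with the SHA-1 thumbprint of your own root certificate.
# With the placeholder left in place the comparison fails and nothing is imported.
$pinnedThumbprint = '<THUMBPRINT-OF-YOUR-ROOT-CA>'
Import-PinnedRootCertificate -Path 'C:\Windows\Temp\SomeCert.cer' -ExpectedThumbprint $pinnedThumbprint
```

Keep the pinned thumbprint inside the script that Puppet distributes rather than in a file next to the certificate, so that replacing the .cer file on the node is not enough to change which root is trusted.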