Using Puppet to Tame Windows 10

In an earlier blog entry I discussed Puppet and how to create a user for Puppet to run under.

I use Puppet to fix problems with new Windows 10 computers and VMs. The core of the Puppet configuration is a PowerShell script which is deployed and runs on the nodes.

The default node in the site.pp file declares a class configuration, which controls the PowerShell script.

node default {
  class { 'configuration': }
  #other stuff
}

The site.pp file of the configuration module defines the configuration class. Among other things it defines a class ntrights, a class basic and a class configure_puppet_windows_user (see Configure Puppet User via Puppet).

class configuration {
  class { 'configuration::basic': }
}

The class basic runs a basic configuration script.

class configuration::basic {
  if $operatingsystem == 'windows' {
    # Copy the script from the Puppet file server to the node
    file { 'C:\Windows\Temp\BasicConfiguration.ps1':
      ensure => file,
      source_permissions => ignore,
      source => 'puppet:///files/BasicConfiguration.ps1',
      before => Exec['basic_configuration'],
    }
    # Run the script once the file is in place
    exec { 'basic_configuration':
      require => File['C:\Windows\Temp\BasicConfiguration.ps1'],
      command => 'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy remotesigned -file C:\Windows\Temp\BasicConfiguration.ps1',
    }
  }
}

And this is a version of the BasicConfiguration.ps1 script:

# Allow PowerShell scripts
Set-ExecutionPolicy "Unrestricted"

# Disable notifications
Set-Service "wscsvc" -StartupType "Automatic"
$pathExplorerRegistry = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
if (!(Test-Path $pathExplorerRegistry)) {
    New-Item -ItemType "Directory" $pathExplorerRegistry
}
Set-ItemProperty $pathExplorerRegistry "DisableNotificationCenter" 1

# Disable "Superfetch"
Set-Service SysMain -StartupType Disabled

# Disable automatic updates
$pathWindowsUpdateAU = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"
if (!(Test-Path $pathWindowsUpdateAU)) {
    New-Item -ItemType Directory $pathWindowsUpdateAU -Force
}
Set-ItemProperty $pathWindowsUpdateAU "AUOptions" 1
$cs = Get-WmiObject Win32_ComputerSystem
if (!($cs.PartOfDomain)) {
    Set-Service "wuauserv" -StartupType "Automatic"
}

# Disable error reporting
$pathErrorReporting = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting"
Set-ItemProperty $pathErrorReporting "Disabled" 1

# Disable Firewall
Get-NetFirewallProfile | Where-Object {$_.Name -eq "Domain"} | Set-NetFirewallProfile -Enabled "False"
Get-NetFirewallProfile | Where-Object {$_.Name -eq "Private"} | Set-NetFirewallProfile -Enabled "False"

# Enable search service
$sSearchService = "wsearch"
if (!((Get-Service $sSearchService).Status -eq "Running")) {
    Set-Service $sSearchService -StartupType "Automatic"
    Start-Service $sSearchService
}

# Install root certificate if file exists
$pathRootCertificate = "C:\Windows\Temp\SomeCert.cer"
if (Test-Path $pathRootCertificate) {
    $pathRootCertificateStore = "Cert:\LocalMachine\Root\"
    # Import-Certificate installs into the current location, so switch to the root store first
    Set-Location $pathRootCertificateStore
    Import-Certificate $pathRootCertificate
}

# Map public drive for all users
$pathCurrentVersionRun = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
$pathCurrentVersionRunOnce = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"
New-ItemProperty $pathCurrentVersionRunOnce -Name "RemovePublicDrive" -Value "net use p: /delete" -PropertyType "string"
New-ItemProperty $pathCurrentVersionRun -Name "MapPublicDrive" -Value "net use p: \\MyServer\public /persistent:yes" -PropertyType "string"
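
To confirm what a Puppet run of this script left on a node, the following read-only check reports each setting the script touches, including the firewall profiles, update policy and trusted root store. It is an added example, not part of the original script; the function name Get-BasicConfigurationState is hypothetical, and it assumes the registry paths, service names and certificate file used above.

```powershell
# Added example: read-only audit of the settings BasicConfiguration.ps1 changes.
# Get-BasicConfigurationState is a hypothetical name; it modifies nothing.
function Get-BasicConfigurationState {
    [CmdletBinding()]
    param(
        # Assumption: same certificate file the configuration script imports
        [string]$CertificateFile = 'C:\Windows\Temp\SomeCert.cer'
    )

    # Read one registry value; returns $null when the key or value is absent
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    $state = [ordered]@{
        ExecutionPolicyLocalMachine = Get-ExecutionPolicy -Scope LocalMachine
        DisableNotificationCenter   = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\Explorer' 'DisableNotificationCenter'
        AUOptions                   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'AUOptions'
        ErrorReportingDisabled      = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' 'Disabled'
        MapPublicDriveRunValue      = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'MapPublicDrive'
    }

    # Startup type and current status of every service the script configures
    foreach ($name in 'wscsvc', 'SysMain', 'wuauserv', 'wsearch') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state["Service_$name"] = if ($svc) { "$($svc.StartType)/$($svc.Status)" } else { 'not found' }
    }

    # Enabled state of each firewall profile (Domain, Private, Public)
    foreach ($fw in Get-NetFirewallProfile) {
        $state["Firewall_$($fw.Name)"] = "$($fw.Enabled)"
    }

    # Is the certificate from the file present in the machine's trusted root store?
    if (Test-Path $CertificateFile) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFile
        $state['RootCertThumbprint'] = $cert.Thumbprint
        $state['RootCertInstalled']  = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    } else {
        $state['RootCertInstalled'] = 'certificate file not present'
    }

    [pscustomobject]$state
}

Get-BasicConfigurationState | Format-List
```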

I hope this helps someone. Modify as required.

 © Andrew Brehm 2016