Windows onboarding and configuration/security scripts

Does anyone have scripts they use through Itarian when onboarding Windows machines to tweak the settings or make the OS more secure? Thanks.

Well, no but yes.

We don’t have a specific ITarian script for that, but maybe you could use the generic “Run PowerShell Script” procedure along with a well-known hardening script like the “Windows-Optimize-Harden-Debloat”. May be worth testing. :slight_smile:

My two cents.

Thank you so much for the links.


Scripts like this can really help protect devices, but you have to be extremely careful they do not rip out or disable services and features that you might need or applications rely on.

That being said, the idea of having ITarian run the PS is completely possible, and this would be a good use of the “run once” schedule of a procedure with the ticket box option of run when profile is assigned to a device.


My org has a registry edit that disables the ability to upgrade to Windows 11 for now. We also create and set a local admin user, disable the builtin administrator, and we set a couple of other minor things such as timezone. Nothing too major. But they are all procedures we have attached to the default profile and set to run on a schedule as well as immediately upon the profile being assigned to a device.

Hi @dminga

Would you be able to share the script? :grinning:
I think some of these scripts are already on the scripts’ site.

Thanks

There are three different ones that we set to run immediately. I think a couple are in the script library but here is a copy.

Create an admin account, add it to administrators group, and disable the default administrator:

*If the admin account you are creating already exists, the script updates the password and group membership of the existing account.

import os
from subprocess import PIPE, Popen

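# Specify the new password for the admin account to be changed.
# NOTE: this value is handed to "net user" and echoed in the procedure output,
# so it is retained in clear text in the Itarian run logs.
passwd = "@@@@@@@"
# Specify the account which you want to change the password or else leave it blank if single admin account is present.
account = "@@@@@@@"

# Built-in names that are never treated as the account to manage.
_IGNORED_ACCOUNTS = ('Administrator', 'DefaultAccount')


def _run(args, echo=False):
    """Run one command without a shell and return (stdout, stderr).

    Passing the arguments as a list lets CreateProcess quote them, so an
    account name or password containing spaces, quotes, '%' or '&' reaches
    net.exe intact instead of being re-interpreted by cmd.exe.  With
    echo=True both streams are printed, matching what os.system showed.
    """
    proc = Popen(args, stdout=PIPE, stderr=PIPE)
    out, err = proc.communicate()
    if echo:
        for text in (out, err):
            if text:
                print text.strip()
    return out, err


def _admin_group_members():
    """Return the members of the local Administrators group, minus built-ins.

    The [15:-4] slice skips the header and footer tokens of "net localgroup"
    output; it assumes the English layout of that command's text.
    """
    tokens = os.popen("net localgroup Administrators ").read().split()[15:-4]
    return [name for name in tokens if name not in _IGNORED_ACCOUNTS]


existing_admins = _admin_group_members()

# Decide which account to manage when none was configured above.
if not account:
    if len(existing_admins) == 1:
        # Exactly one admin account present: use it, as the comment above promises.
        account = existing_admins[0]
    elif len(existing_admins) > 1:
        print "More than one user admin account exists in this Desktop."
        # raw_input blocks for console input; in an unattended run set `account` above instead.
        account = raw_input("Please specify which account you want to change the password: ")

if not account:
    # Without a name every "net user" call below would run with an empty account argument.
    print "No admin account specified and none could be detected; nothing changed."
    raise SystemExit(1)

# If the user account does not exist, create it
if account not in existing_admins:
    _run(['net', 'user', account, passwd, '/add'], echo=True)

# Add the user to the Administrators group
_run(['net', 'localgroup', 'Administrators', account, '/add'], echo=True)

# Change the password of the user account
r, e = _run(['net', 'user', account, passwd])
if e:
    print e
else:
    if r:
        print r
    print "Password changed successfully for the user %s" % account

# Re-read the group so the built-in administrator is only disabled once the
# managed account is confirmed to be an administrator; otherwise a failed
# "net user /add" (for example a password-policy rejection) would leave the
# machine with no enabled local admin at all.
current_admins = _admin_group_members()
lowered_admins = [name.lower() for name in current_admins]

if account.lower() in lowered_admins:
    # Disable the administrator account if it's not already disabled.
    # On non-English Windows the findstr match is empty and the (idempotent)
    # disable command simply runs again.
    status = os.popen('net user administrator | findstr /C:"Account active"').read().strip()
    if not status.endswith("No"):
        os.system('net user administrator /active:no')
        print "Disabled the administrator account."
else:
    print "Account %s is not in the Administrators group; leaving the built-in administrator enabled." % account

# Display the updated list of Administrators group users
print "The current users in the Administrators group are:"
for name in current_admins:
    print name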

Windows 11 Upgrade Disable via registry:

# Pin the Windows Update feature-update target so the device stays on the named
# release: TargetReleaseVersion=1 enables the pin and TargetReleaseVersionInfo
# names the release.  Both live under the Windows Update policy key
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
# NOTE: the stray " ^ " before /t is a cmd.exe line-continuation escape left over
# from a multi-line command; cmd.exe strips it, so reg.exe still receives the
# intended arguments.
command1=r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetReleaseVersion ^ /t REG_DWORD /d 1 /f' # enable the target-release pin
# NOTE(review): pinning does not extend the release's own servicing lifetime;
# once 21H2 is out of support, a pinned device stops receiving security updates
# too - revisit this value before that date.
command2=r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v TargetReleaseVersionInfo ^ /t REG_SZ /d 21H2 /f'
import ctypes
from subprocess import PIPE, Popen
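def ecmd(command):
    """Run *command* through cmd.exe and return its trimmed output.

    Returns stdout (stripped) when the exit code is zero, stderr (stripped)
    when it is not, and the bare return code whenever the relevant stream is
    empty.  The mixed str/int return type is kept for the callers below.

    WOW64 file-system redirection is disabled while the process is created,
    so a 32-bit Python running under WOW64 launches the native System32
    reg.exe rather than the SysWOW64 copy.
    """
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            # The API takes PVOID*, so the saved state needs a pointer-sized
            # slot; c_void_p matches the prototype where c_long is only 32-bit.
            self.old_value = ctypes.c_void_p()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, exc_type, exc_value, traceback):
            # Only revert when the disable call succeeded, to avoid a mismatched revert.
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        obj = Popen(command, shell=True, stdout=PIPE, stderr=PIPE)
    # Reading the pipes does not need redirection disabled, so it happens outside the block.
    out, err = obj.communicate()
    ret = obj.returncode
    if ret == 0:
        return out.strip() if out else ret
    return err.strip() if err else ret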
# Apply both registry changes in order and echo each result (output or return code).
for pin_cmd in (command1, command2):
    print ecmd(pin_cmd)

Set NTP Server to Custom Parameters:

# Both values come from the procedure's ITarian parameters ('Time_Server' and
# 'Time_Zone') at run time; they are not edited in this file.
your_timerserver = itsm.getParameter('Time_Server')  # NTP host used for w32tm /manualpeerlist
default_timezone = itsm.getParameter('Time_Zone')    # Windows time-zone name as accepted by "tzutil /s"

import os
import ctypes
import time

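class disable_file_system_redirection:
    """Context manager that turns off WOW64 file-system redirection.

    Wrapped around process launches so a 32-bit Python running under WOW64
    starts the native System32 copies of w32tm, net and tzutil.  ``__enter__``
    records whether the disable call succeeded and ``__exit__`` only reverts
    when it did, so a failed disable never triggers a mismatched revert.
    """
    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

    def __enter__(self):
        # Wow64DisableWow64FsRedirection takes PVOID*, so the saved state must
        # be pointer-sized; c_void_p matches the prototype (c_long is 32-bit).
        self.old_value = ctypes.c_void_p()
        self.success = self._disable(ctypes.byref(self.old_value))

    def __exit__(self, exc_type, exc_value, traceback):
        if self.success:
            self._revert(self.old_value)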

def main(cmd):
    """Run *cmd* via os.popen with WOW64 redirection disabled and return its stdout."""
    redirection_off = disable_file_system_redirection()
    with redirection_off:
        return os.popen(cmd).read()

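def synchronize_with_ntp(time_server, fallback_server="time.google.com", settle_seconds=10):
    """Point the Windows Time service at *time_server* and report the outcome.

    Steps: re-register the w32time service, restart it, configure the manual
    peer list, wait *settle_seconds* for the service to contact the peer, then
    treat the string "NTP" in ``w32tm /query /peers`` output as the sync
    indicator.  If the configured server does not show as synced the same
    configure-and-check is repeated against *fallback_server*.

    The default fallback is a public NTP host outside the organisation's
    control; pass your own to keep the fleet's time source internal.

    Returns "Synchronized with NTP" or "Not Synchronized".
    """
    peer_query = "w32tm /query /peers"

    def _configure_and_check(server):
        # /update pushes the new peer list into the running service.
        main("w32tm /config /manualpeerlist:{} /syncfromflags:manual /reliable:yes /update".format(server))
        # The original code only waited on the fallback path, so the first
        # query could report "not synced" merely because it ran too early and
        # needlessly fell through to the fallback server.  Wait on both paths.
        time.sleep(settle_seconds)
        return "NTP" in main(peer_query)

    # Re-register and restart the service before applying the new peer.
    main("w32tm /unregister")
    main("net stop w32time")
    main("w32tm /register")
    main("net start w32time")

    if _configure_and_check(time_server):
        return "Synchronized with NTP"
    if _configure_and_check(fallback_server):
        return "Synchronized with NTP"
    return "Not Synchronized"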

def enable_dynamic_timezone():
    """Run ``tzutil /dynamic``; the command's output is discarded."""
    # NOTE(review): confirm "/dynamic" is accepted by tzutil on the target
    # builds - since the output is not checked, a usage error goes unnoticed.
    main('tzutil /dynamic')

def set_default_timezone(timezone):
    """Set the system time zone to *timezone* with ``tzutil /s``; output is discarded."""
    quoted_zone = '"{}"'.format(timezone)
    main('tzutil /s ' + quoted_zone)

# Apply the NTP, time-zone and dynamic time-zone settings, then report the sync outcome.
result = synchronize_with_ntp(your_timerserver)
set_default_timezone(default_timezone)
enable_dynamic_timezone()

sync_ok = result == "Synchronized with NTP"
print("Time synchronization successful." if sync_ok else "Time synchronization failed.")

@dminga thanks, just be aware that if you set the password via the script, it is retained in the logs on Itarian.

Yeah that is one of our gripes about it.

I’ve posted a feature request about this.

Yeah I was the second person to up vote that very feature request.
