Remove a DSC config

  • Context:

I’ve recently setup a Desired State Configuration (DSC) configuration on a computer that had the Hyper-V role installed.
The DSC configuration was supposed to apply once and reboot the computer once done.

  • Problem:

I was using a script resource but I failed to make it bulletproof.
The test part of the script resource always failed and returned false when the Hyper-V role was present.
It created a reboot loop.
I had to find a quick way to stop the DSC config to apply and remove it.

  • Solution:

Stop-DscConfiguration -Force -Verbose
Remove-DscConfigurationDocument -Stage Current,Pending -Force -Verbose
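The root cause above was a TestScript that could never succeed once the node had rebooted, so the LCM kept calling Set and rebooting again. The following is an added example (not the post's own code) of the pattern that avoids this for a "apply once and reboot" configuration: the SetScript writes a marker file before requesting the reboot, the TestScript keys on that marker, and a test that throws fails towards "compliant" rather than towards another Set. The configuration name, the marker path and the recording of the Hyper-V role state are assumptions made for the example.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not the post's own code. A Script resource that must reboot the node
# once and never loop: TestScript keys on a marker file that SetScript writes *before*
# requesting the reboot, so after the restart the test passes whatever the Hyper-V role
# state is. Configuration name, marker path and the recorded role are assumptions.
Configuration OneShotReboot {
    param ([string[]]$NodeName = 'localhost')
    Node $NodeName {
        LocalConfigurationManager {
            ConfigurationMode  = 'ApplyOnly'   # apply once, no re-test on the consistency timer
            RebootNodeIfNeeded = $true         # let the LCM honour $global:DSCMachineStatus = 1
        }
        Script PostInstallStep {
            GetScript = {
                @{ Result = [string](Test-Path -Path 'C:\DSC\PostInstallStep.done') }
            }
            TestScript = {
                try {
                    return (Test-Path -Path 'C:\DSC\PostInstallStep.done' -ErrorAction Stop)
                } catch {
                    # A TestScript that throws (or returns nothing) counts as non-compliant and
                    # re-triggers Set, hence another reboot: fail towards 'compliant' instead.
                    Write-Verbose -Message "Test failed unexpectedly, treating node as compliant: $($_.Exception.Message)"
                    return $true
                }
            }
            SetScript = {
                # The one-time work goes here; this example only records the Hyper-V role state
                $role = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
                $null = New-Item -Path 'C:\DSC' -ItemType Directory -Force
                Set-Content -Path 'C:\DSC\PostInstallStep.done' -Value ('Hyper-V: {0}' -f $role.State)
                # Marker written: only now ask for the single reboot
                $global:DSCMachineStatus = 1
            }
        }
    }
}
if (-not (Test-Path -Path C:\DSC -PathType Container)) { mkdir C:\DSC }
OneShotReboot -OutputPath C:\DSC
# The LocalConfigurationManager block compiles to localhost.meta.mof; apply it before the push
Set-DscLocalConfigurationManager -Path C:\DSC -Verbose
Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force
```

If a node does end up looping anyway, the two cmdlets above (Stop-DscConfiguration, then Remove-DscConfigurationDocument for the Current and Pending stages) are still the way out; the marker-file pattern just makes sure you do not need them.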

Register a remote endpoint with DSC

  • Context:

I’ve been using Desired State Configuration (DSC) recently on a Windows 10 computer to create a custom remote endpoint configuration.

  • Issues:

Using the Register-PSSessionConfiguration with a -Force switch parameter breaks the push.
The error message says:
The WS-Management service cannot process the operation. The operation is being attempted on a client session that is unusable. This may be related to a recent restart of the WS-Management service. Please create a new client session and retry the operation if re-executing the operation does not have undesired behavior.
+ CategoryInfo : InvalidOperation: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : HRESULT 0x803381fa
+ PSComputerName : localhost

If you specify a -Verbose switch parameter when you push the configuration with the Start-DscConfiguration cmdlet, the verbose stream of the Register-PSSessionConfiguration cmdlet is still streamed, although it’s explicitly turned off.

  • Solution:

The solution consisted of:

  1. turning off the verbose stream from the Register-PSSessionConfiguration cmdlet by enclosing the cmdlet in a script block executed by the Start-Job cmdlet
  2. removing the -Force switch parameter that restarts the WS-Management service and breaks the push
  3. using the -NoServiceRestart switch parameter with the Register-PSSessionConfiguration cmdlet
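Put together in a Script resource, the three fixes look like this. This is an added example, not the post's own code: the registration runs inside Start-Job so its verbose stream stays out of the push, -Force is left out, and -NoServiceRestart (the switch's actual spelling in the cmdlet's parameter list) keeps WinRM, which is carrying the push, from being restarted underneath the LCM. The endpoint name Ops.Restricted, the .pssc path and the cmdlet allow-list are assumptions for the example.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not the post's own code. Endpoint name, .pssc path and the cmdlet
# allow-list are assumptions; the three fixes from the post are applied in SetScript.
Configuration RestrictedEndpoint {
    param ([string[]]$NodeName = 'localhost')
    Node $NodeName {
        Script RegisterOpsEndpoint {
            GetScript = {
                $c = Get-PSSessionConfiguration -Name 'Ops.Restricted' -ErrorAction SilentlyContinue
                @{ Result = [string]($null -ne $c) }
            }
            TestScript = {
                $c = Get-PSSessionConfiguration -Name 'Ops.Restricted' -ErrorAction SilentlyContinue
                return ($null -ne $c)
            }
            SetScript = {
                $pssc = 'C:\DSC\Ops.Restricted.pssc'
                $null = New-Item -Path (Split-Path -Path $pssc -Parent) -ItemType Directory -Force
                # Constrained endpoint: NoLanguage mode, only the listed cmdlets are visible
                New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
                    -VisibleCmdlets 'Get-Service','Get-Process','Get-EventLog'
                # 1. run the registration in a job so its verbose stream never reaches the push
                $job = Start-Job -ScriptBlock {
                    param($Name, $Path)
                    # 2. no -Force (it restarts WinRM and kills the push)
                    # 3. -NoServiceRestart defers the restart; -Confirm:$false avoids a prompt the job cannot answer
                    $null = Register-PSSessionConfiguration -Name $Name -Path $Path `
                        -NoServiceRestart -Confirm:$false -ErrorAction Stop
                } -ArgumentList 'Ops.Restricted', $pssc
                $null = Wait-Job -Job $job
                $output = Receive-Job -Job $job 2>&1 | Out-String
                $state  = $job.State
                Remove-Job -Job $job -Force
                if ($state -ne 'Completed') {
                    throw "Registering Ops.Restricted failed: $output"
                }
                Write-Verbose -Message 'Ops.Restricted registered; WinRM restart deferred until the push has completed'
            }
        }
    }
}
if (-not (Test-Path -Path C:\DSC -PathType Container)) { mkdir C:\DSC }
RestrictedEndpoint -OutputPath C:\DSC
Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force
# The endpoint only becomes usable after WinRM restarts; do that once the push is over
Restart-Service -Name WinRM
```

The price of -NoServiceRestart is that the new endpoint is not reachable until WinRM has been recycled, so the restart belongs after Start-DscConfiguration has returned, never inside the Set.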

Create an ASCII encoded file with DSC

  • Context:

I’ve been using Desired State Configuration (DSC) recently to create a cmd file on every users’ desktop.

  • Issue:

DSC creates a UTF-8 file with a BOM. The file is executed, but not its first line. The File DSC resource doesn’t allow you to specify an encoding.

  • Solution:

I’ve used a File resource to create the content and a dependent child script resource that removes the BOM.

# Remove BOM because File DSC resource creates a UTF8 file with BOM
[System.IO.File]::WriteAllLines(
  'C:\Users\Public\Desktop\myCmdFile.cmd',
  (Get-Content -Path 'C:\Users\Public\Desktop\myCmdFile.cmd'), 
  (New-Object System.Text.UTF8Encoding($False))
)
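The snippet above is the SetScript half; a Script resource also needs a TestScript, otherwise the rewrite runs on every consistency pass. The following added example (not the post's own code) shows the complete pairing: the File resource lays down the content and the dependent Script resource reads the first three bytes of the file, tests them against the UTF-8 BOM (EF BB BF) and only rewrites when the BOM is actually there. The destination path and the .cmd content are assumptions; -Encoding Byte is Windows PowerShell (v4/v5) syntax.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not the post's own code. Destination path and .cmd content are assumed.
Configuration BomFreeCmdFile {
    param ([string[]]$NodeName = 'localhost')
    Node $NodeName {
        File CmdFile {
            DestinationPath = 'C:\Users\Public\Desktop\myCmdFile.cmd'
            Ensure          = 'Present'
            Force           = $true
            Contents        = "@echo off`r`necho Provisioned by DSC`r`n"
        }
        Script StripBom {
            DependsOn  = '[File]CmdFile'
            GetScript  = {
                $b = @(Get-Content -Path 'C:\Users\Public\Desktop\myCmdFile.cmd' -Encoding Byte -TotalCount 3)
                @{ Result = [string](($b -join ',') -eq '239,187,191') }   # 'True' means a BOM is present
            }
            TestScript = {
                # Only the first three bytes matter: EF BB BF is the UTF-8 byte order mark
                $b = @(Get-Content -Path 'C:\Users\Public\Desktop\myCmdFile.cmd' -Encoding Byte -TotalCount 3)
                $hasBom = ($b.Count -eq 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF)
                Write-Verbose -Message ('UTF-8 BOM present: {0}' -f $hasBom)
                return (-not $hasBom)
            }
            SetScript = {
                $path = 'C:\Users\Public\Desktop\myCmdFile.cmd'
                # Same rewrite as in the post: UTF8Encoding($false) emits no BOM
                [System.IO.File]::WriteAllLines($path,
                    (Get-Content -Path $path),
                    (New-Object System.Text.UTF8Encoding($false)))
            }
        }
    }
}
if (-not (Test-Path -Path C:\DSC -PathType Container)) { mkdir C:\DSC }
BomFreeCmdFile -OutputPath C:\DSC
Start-DscConfiguration -Path C:\DSC -Wait -Verbose -Force
```

Because of the DependsOn ordering, if the File resource ever rewrites the file (with its BOM) on a later consistency pass, the Script resource runs after it and strips the BOM again, so the end state is the same on every pass.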

Minimal WSMan requirement to push locally a Desired State Configuration

I’ve been working on a deployment scenario where I’ll provision new computers from a PBR (Push Button Reset) image.

These laptops will run Windows 8.1 and the PBR image is actually a sysprep image that is configured to run a post-install script.

When the PC is provisioned or reset, the PBR image is applied/expanded to the C: drive and the post-install script is run at the end of the OOBE (Out-of-Box Experience) phase, just before the user can log on.

To configure Windows Update settings, some registry keys, services and so on, DSC (Desired State Configuration) is the way to go, as it’ll ensure the PC remains compliant even if there’s a drift later between two resets and/or the PC isn’t connected to any network.

As you may know DSC depends on WSMan and not on PSRemoting.
There’s a myth about PSRemoting that was uncovered by PowerShell Magazine and Windows PowerShell MVP Aleksandar Nikolic:
(image: DSC-RemotingMyth)

If I push a DSC config without configuring WSMan, I hit a wall and get this message:
The client cannot connect to the destination specified in the request.
Verify that the service on the destination is running and is accepting requests.
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig”.
+ CategoryInfo : ConnectionError: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : HRESULT 0x80338012
+ PSComputerName : localhost


I’d also get the above error message whenever the WinRM service is stopped or the WSMan listener is absent.

To fix it, I would run Set-WSManQuickConfig as follows, because the computer isn’t joined to a domain:

Set-WSManQuickConfig -SkipNetworkProfileCheck

This would enable the WinRM firewall rule for the ‘Public’ profile and expose WinRM to the local network it’s connected to.
It would also set the LocalAccountTokenFilterPolicy registry value to remove the UAC remote restriction.

The above steps aren’t required to push locally (vs. over the wire) a DSC configuration.
The attack surface can actually be reduced so that the DSC configuration can only be pushed locally.
The non-domain joined Windows 8.1 PBR images can leverage DSC as soon as I:

# 1. Enable and start the WinRM service
Stop-Service -Name WinRM -PassThru | 
Set-Service -StartupType Automatic -PassThru | 
Start-Service

# 2. Enable and restrict the firewall rules 
# to localhost instead of LocalNetwork
Get-NetFirewallRule -Name @(
    'WINRM-HTTP-In-TCP', # Public
    'WINRM-HTTP-In-TCP-NoScope') | # Domain, Private
Enable-NetFirewallRule -PassThru | 
Get-NetFirewallAddressFilter | 
Set-NetFirewallAddressFilter -RemoteAddress "127.0.0.1"

# 3. Add a listener (the firewall already enforces a restriction)
Get-ChildItem -Path WSMan:\localhost\Listener -Include listener* | 
Remove-Item -Recurse
New-WSManInstance winrm/config/Listener -SelectorSet @{
    Address="*";
    Transport="http";
}

# 4. Disable Kerberos, not required in workgroup for local authentication
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos  -Value $false -Force
Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate -Value $true  -Force

Voilà, my post-installation DSC configuration can be pushed locally whenever Windows 8.1 is reset on the device.
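Before relying on the reduced surface, it is worth checking that each of the four steps actually stuck, in particular that Set-WSManQuickConfig was never run on the image (it would have widened the firewall scope and lifted the UAC remote restriction). The following is an added example, not the post's own code: a read-only function that inspects the service, the two firewall rules, the listener, the authentication settings and LocalAccountTokenFilterPolicy, then confirms WS-Management answers on loopback. The rule names and WSMan: paths are the ones used above; the function changes nothing on the host.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not the post's own code: read-only check of the local-only WinRM setup above.
function Test-LocalOnlyWSMan {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. Service running and set to start automatically (Win32_Service works on PowerShell 4)
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $findings += 'WinRM service is not running' }
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'").StartMode
    if ($mode -ne 'Auto') { $findings += "WinRM startup type is '$mode', expected 'Auto'" }

    # 2. Both inbound rules enabled and scoped to loopback only
    foreach ($name in 'WINRM-HTTP-In-TCP','WINRM-HTTP-In-TCP-NoScope') {
        $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        if (-not $rule) { $findings += "Firewall rule $name not found"; continue }
        if ("$($rule.Enabled)" -ne 'True') { $findings += "Firewall rule $name is disabled" }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        if (($remote -join ',') -ne '127.0.0.1') {
            $findings += "Firewall rule $name accepts remote addresses: $($remote -join ',')"
        }
    }

    # 3. Exactly one HTTP listener
    $http = @(Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTP' })
    if ($http.Count -ne 1) { $findings += "Expected one HTTP listener, found $($http.Count)" }

    # 4. Kerberos off, Negotiate on
    if ((Get-Item -Path WSMan:\localhost\Service\Auth\Kerberos).Value -ne 'false') {
        $findings += 'Kerberos authentication is still enabled'
    }
    if ((Get-Item -Path WSMan:\localhost\Service\Auth\Negotiate).Value -ne 'true') {
        $findings += 'Negotiate authentication is disabled; a local push will not authenticate'
    }

    # Set-WSManQuickConfig would also have lifted the UAC remote restriction; make sure it did not
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
               -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: UAC remote restriction has been removed'
    }

    # End to end: WS-Management must answer on loopback, which is all a local DSC push needs
    try { $null = Test-WSMan -ComputerName localhost -ErrorAction Stop }
    catch { $findings += "Test-WSMan localhost failed: $($_.Exception.Message)" }

    [pscustomobject]@{ LocalOnly = ($findings.Count -eq 0); Findings = $findings }
}
Test-LocalOnlyWSMan
```

LocalOnly is $true only when every check passes; otherwise Findings lists what deviates, which is handy to run from the post-install script right before Start-DscConfiguration so a misconfigured image fails loudly instead of silently exposing WinRM to the network.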

Deploy Sysmon with PowerShell Desired State Configuration

The TechNet page of Sysmon 2.0 provided the following advanced configuration sample:

@'
<Sysmon schemaversion="1.0">
    <Configuration>
        <!-- Capture all hashes -->
        <Hashing>*</Hashing>
        <!-- Enable network logging -->
        <Network />
    </Configuration>
    <Rules>
        <!-- Log all drivers except if the signature -->
        <!-- contains Microsoft or Windows -->
        <DriverLoad default="include">
        <Signature condition="contains">microsoft</Signature>
        <Signature condition="contains">windows</Signature>
        </DriverLoad>
        <!-- Do not log process termination -->
        <ProcessTerminate />
        <!-- Log network connection if the destination port equal 443 -->
        <NetworkConnect>
        <DestinationPort>443</DestinationPort>
        </NetworkConnect>
    </Rules>
</Sysmon>
'@


If you want to do more advanced stuff, my fellow Windows PowerShell MVP Carlos Perez wrote an awesome module named Posh-Sysmon that helps you create XML configurations for Sysmon.

On April 20, 2015, Sysmon 3.0 was published 🙂
It delivers version 2.0 of the XML schema, which looks like this:

@'
<Sysmon schemaversion="2.0">
 <!-- Capture all hashes -->
 <HashAlgorithms>*</HashAlgorithms>
 <EventFiltering>
  <!-- Log all drivers except if the signature -->
  <!-- contains Microsoft or Windows -->
  <DriverLoad onmatch="include">
   <Signature condition="contains">microsoft</Signature>
   <Signature condition="contains">windows</Signature>
  </DriverLoad>
  <!-- Do not log process termination -->
  <ProcessTerminate onmatch="include"/>
  <!-- Log network connection if the destination port equal 443 -->
  <NetworkConnect onmatch="include">
   <DestinationPort>443</DestinationPort>
  </NetworkConnect>
 </EventFiltering>
</Sysmon>
'@

(image: sysmon.v3.sample.config)

In March 2015, I asked the following question of Thomas Garnier, who co-authored this awesome sysmon tool with Mark Russinovich.

Unfortunately, there’s no way currently in version 2.0 or 3.0 to dump the configuration directly to XML 😐
But, that’s not a huge problem for PowerShell 😉
The only trick that made the reverse engineering experience consistent was to read the dumped rules from the bottom up 😎

Let’s see a capture of the DSC configuration that deploys sysmon when it runs for the first time:
(screenshot: deploy-sysmon.1)
If I run the same configuration a 2nd time, all the TEST phases performed are skipped (which is a good thing):
(screenshot: deploy-sysmon.2)

Quick and dirty!
But Sysmon got deployed and configured through Desired State Configuration on a Windows Server 2012 R2 and its built-in PowerShell version 4.0.

#Requires -Version 4.0
#Requires -RunAsAdministrator
Configuration SysmonDSC {
    param
    (
        [string[]]$NodeName = 'localhost'
    )
    Node $NodeName
    {
        Script DownloadSysmon {
            GetScript = {
                @{
                    GetScript = $GetScript
                    SetScript = $SetScript
                    TestScript = $TestScript
                    # The download is renamed to a.exe by the SetScript, so that is the file Get reports on
                    Result = $(Test-Path (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath a.exe));
                }
            }
            SetScript = {
                try {
                    # https://msdn.microsoft.com/en-us/library/system.io.path.gettempfilename%28v=vs.110%29.aspx
                    $tmpfile = [System.IO.Path]::GetTempFileName()
                    $null = Invoke-WebRequest -Uri 'https://live.sysinternals.com/Sysmon.exe' `
                        -OutFile $tmpfile -ErrorAction Stop
                    Write-Verbose -Message 'Successfully downloaded Sysmon.exe'
                    Unblock-File -Path $tmpfile -ErrorAction Stop
                    $exefile = Join-Path -Path (Split-Path -Path $tmpfile -Parent) -ChildPath 'a.exe'
                    if (Test-Path $exefile) {
                        Remove-Item -Path $exefile -Force -ErrorAction Stop
                    }
                    $tmpfile | Rename-Item -NewName 'a.exe' -Force -ErrorAction Stop
                } catch {
                    Write-Verbose -Message "Something went wrong $($_.Exception.Message)"
                }
            }
            TestScript = {
                $s = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath a.exe -ErrorAction SilentlyContinue
                if (-not(Test-Path -Path $s -PathType Leaf)) {
                    Write-Verbose -Message "Cannot find sysmon.exe in temp"
                    return $false
                }
                # Both the expected SHA256 and a valid Authenticode signature are required
                if(
                    (Get-FileHash -Path $s -Algorithm SHA256).Hash -eq 'E6BA49275B3EC33232D91741CAEF1B99A58460EEB4BC44F26086FE076FAD333A' -and
                    (Get-AuthenticodeSignature -FilePath $s).Status.value__ -eq 0 # Valid
                ) {
                    Write-Verbose -Message 'Successfully found a valid signed sysmon.exe'
                    return $true
                } else {
                    Write-Verbose -Message 'A valid signed sysmon.exe was not found'
                    return $false
                }
            }
        }
        Registry SysmonEULA {
            Key = 'HKEY_USERS\S-1-5-18\Software\Sysinternals\System Monitor'
            ValueName = 'EulaAccepted';
            ValueType = 'DWORD'
            ValueData = '1'
            Ensure = 'Present'
            Force = $true;
        }
        Script InstallSysmon {
            GetScript = {
                @{
                    GetScript = $GetScript
                    SetScript = $SetScript
                    TestScript = $TestScript
                    Result = $(if (@(Get-Service -Name sysmon,sysmondrv -ErrorAction SilentlyContinue).Count -eq 2) { $true } else { $false });
                }
            }
            SetScript = {
                $sysmonbin = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath a.exe
                $s = Copy-Item -Path $sysmonbin -Destination "$($env:systemroot)\system32\sysmon.exe" -PassThru -Force
                try {
                    $null = Start-Process -FilePath $s -ArgumentList @('-i','-accepteula') -PassThru -NoNewWindow -ErrorAction Stop | Wait-Process
                    Write-Verbose -Message 'Successfully installed sysmon'
                } catch {
                    throw $_
                }
            }
            TestScript = {
                if(
                    Get-WinEvent -ListLog * | Where LogName -eq 'Microsoft-Windows-Sysmon/Operational'
                ) {
                    Write-Verbose -Message "Sysmon is installed"
                    return $true
                } else {
                    Write-Verbose -Message "Sysmon isn't installed"
                    return $false
                }
            }
            DependsOn = '[Script]DownloadSysmon','[Registry]SysmonEULA'
        }
        Script ConfigureSysmon {
            GetScript = {
                @{
                    GetScript = $GetScript
                    SetScript = $SetScript
                    TestScript = $TestScript
                    Result = $();
                }
            }
            SetScript = {
                $s = "$($env:systemroot)\system32\sysmon.exe"
                # Reset to the default configuration, then apply the policy file
                $null = Start-Process -FilePath $s -ArgumentList @('-c','--') -PassThru -NoNewWindow | Wait-Process
                $null = Start-Process -FilePath $s -ArgumentList @('-c','C:\windows\temp\polSysmon.xml') -PassThru -NoNewWindow | Wait-Process
            }
            TestScript = {
                Function Convert-SysmonConfigToXMLBlob {
                    [CmdletBinding()]
                    Param()
                    try {
                        $t = [system.io.path]::GetTempFileName()
                        $null = Start-Process -FilePath "$($env:systemroot)\system32\sysmon.exe" -ArgumentList @('-c') `
                            -NoNewWindow -PassThru -RedirectStandardOutput $t -ErrorAction Stop -Wait
                    } catch {
                        Write-Warning "Dumping sysmon config went wrong!"
                        break
                    }
                    if($config = Get-Content $t) {
                        '<Sysmon schemaversion="2.0">'
                        $Hashing = (([regex]'\s-\sHashingAlgorithms:\s+(?<Hash>.*)').Match(@($config)[3]) | Select -expand Groups)[-1].Value
                        ' <HashAlgorithms>{0}</HashAlgorithms>' -f $Hashing
                        if (@($config)[7] -match '^Rule\sconfiguration\s\(version\s\d{1}\.\d{1,2}\):$') {
                            ' <EventFiltering>'
                            $prop = @()
                            # The dumped rules are walked from the bottom up
                            (($config)[-1..-(($config).Length-8)]) | ForEach-Object {
                                if ($_ -notmatch '\s-\s.*') {
                                    $prop += $_
                                } else {
                                    $node,$attribute = ([regex]'\s-\s(?<NodeName>\w+)\s+onm(n)?atch:\s(?<attribute>.*clude)').Matches($_).Groups |
                                        Select -Last 2| Select -expand Value
                                    if ($prop) {
                                        ' <{0} onmatch="{1}">' -f $node,$attribute
                                        $prop | ForEach-Object {
                                            $ChildNode,$filter,$value = ([regex]"\s+(?<ChildNode>\w+)\s+filter:\s(?<filter>\w+)\s+value:\s'(?<Value>.*)'").Matches($_).Groups |
                                                Select -Last 3 | Select -Expand Value
                                            ' <{0} condition="{1}">{2}</{0}>' -f $ChildNode,$filter,$value
                                        }
                                        ' </{0}>' -f $node
                                    } else {
                                        ' <{0} onmatch="{1}"/>' -f $node,$attribute
                                    }
                                    $prop = @()
                                }
                            }
                            ' </EventFiltering>'
                        }
                        '</Sysmon>'
                    } else {
                        Write-Warning "Cannot find output in $t"
                    }
                } #endof function
                if(
                    Compare-Object -ReferenceObject ([xml](Convert-SysmonConfigToXMLBlob)).InnerXML `
                        -DifferenceObject ([xml](Get-Content -Path C:\windows\temp\invpolSysmon.xml -Encoding UTF8 )).InnerXml
                ) {
                    Write-Verbose -Message "Sysmon needs to be configured"
                    return $false
                } else {
                    Write-Verbose -Message "Sysmon is already configured"
                    return $true
                }
            }
            DependsOn = '[Script]InstallSysmon','[Registry]SysmonEULA','[File]SysmonXMLPol','[File]InvSysmonXMLPol'
        }
        File SysmonXMLPol {
            DestinationPath = 'C:\windows\temp\polSysmon.xml'
            Ensure = 'Present';
            Force = $true
            Contents = @'
<Sysmon schemaversion="2.0">
<HashAlgorithms>SHA1,SHA256,IMPHASH</HashAlgorithms>
<EventFiltering>
<DriverLoad onmatch="include">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>
<ProcessTerminate onmatch="include"/>
<NetworkConnect onmatch="include">
<DestinationPort>443</DestinationPort>
</NetworkConnect>
</EventFiltering>
</Sysmon>
'@
        }
        # Same policy in the order (and with the explicit condition="is") that "sysmon -c" reports it,
        # so that the string comparison in ConfigureSysmon matches
        File InvSysmonXMLPol {
            DestinationPath = 'C:\windows\temp\invpolSysmon.xml'
            Ensure = 'Present';
            Force = $true
            Contents = @'
<Sysmon schemaversion="2.0">
<HashAlgorithms>SHA1,SHA256,IMPHASH</HashAlgorithms>
<EventFiltering>
<NetworkConnect onmatch="include">
<DestinationPort condition="is">443</DestinationPort>
</NetworkConnect>
<ProcessTerminate onmatch="include"/>
<DriverLoad onmatch="include">
<Signature condition="contains">windows</Signature>
<Signature condition="contains">microsoft</Signature>
</DriverLoad>
</EventFiltering>
</Sysmon>
'@
        }
    }
}
if (-not(test-path -Path C:\DSC -PathType Container)){
    mkdir C:\DSC
}
# Compile the configuration file to a MOF format
SysmonDSC -OutputPath C:\DSC
# Run the configuration on localhost
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait
Deploy-Sysmon.ps1 (GitHub gist)

PS: If you check the different revisions of the gist file, you can get a DSC configuration that works against sysmon version 2.0 😀
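The gist needs the second, reversed copy of the policy (InvSysmonXMLPol) for two reasons: Compare-Object on InnerXml is order-sensitive, and "sysmon -c" prints the implicit condition="is" that the source XML omits. Canonicalizing both documents before comparing removes the need for that copy and makes the TestScript robust to any reordering of rules or hash algorithms. The following is an added example, not the gist's code; the two XML samples are constructed for it (their rule shapes follow polSysmon.xml above).

```powershell
#Requires -Version 4.0
# Added example, not the gist's code. Both XML samples below are constructed for this example.
function ConvertTo-SysmonCanonicalRules {
    param([Parameter(Mandatory=$true)][xml]$Config)
    $lines = @()
    # Hash algorithm list: order and case do not matter to Sysmon
    $hashes = ($Config.Sysmon.HashAlgorithms -split ',' |
        ForEach-Object { $_.Trim().ToUpperInvariant() } | Sort-Object) -join ','
    $lines += "HashAlgorithms=$hashes"
    $rules = @($Config.Sysmon.EventFiltering.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    foreach ($rule in $rules) {
        $filters = @()
        foreach ($f in @($rule.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
            # Sysmon's default condition is 'is'; "sysmon -c" prints it even when the XML omitted it
            $cond = if ($f.HasAttribute('condition')) { $f.GetAttribute('condition') } else { 'is' }
            $filters += ('{0}|{1}|{2}' -f $f.LocalName, $cond.ToLowerInvariant(), $f.InnerText.Trim())
        }
        $lines += ('{0}|onmatch={1}|{2}' -f $rule.LocalName,
            $rule.GetAttribute('onmatch').ToLowerInvariant(), (@($filters | Sort-Object) -join ';'))
    }
    @($lines | Sort-Object)
}

function Compare-SysmonConfig {
    param([Parameter(Mandatory=$true)][xml]$Reference, [Parameter(Mandatory=$true)][xml]$Difference)
    $diff = @(Compare-Object -ReferenceObject (ConvertTo-SysmonCanonicalRules -Config $Reference) `
                             -DifferenceObject (ConvertTo-SysmonCanonicalRules -Config $Difference))
    [pscustomobject]@{ Equal = ($diff.Count -eq 0); Differences = $diff }
}

# Constructed sample: the policy as authored...
[xml]$policy = @'
<Sysmon schemaversion="2.0">
  <HashAlgorithms>SHA1,SHA256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <DriverLoad onmatch="include">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <ProcessTerminate onmatch="include"/>
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@
# ...and the same policy in the order and shape "sysmon -c" reports it
[xml]$reported = @'
<Sysmon schemaversion="2.0">
  <HashAlgorithms>IMPHASH,SHA256,SHA1</HashAlgorithms>
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <ProcessTerminate onmatch="include"/>
    <DriverLoad onmatch="include">
      <Signature condition="contains">windows</Signature>
      <Signature condition="contains">microsoft</Signature>
    </DriverLoad>
  </EventFiltering>
</Sysmon>
'@
Compare-SysmonConfig -Reference $policy -Difference $reported
# Real drift, such as a different destination port, still shows up in Differences
[xml]$drift = $reported.OuterXml.Replace('443', '8443')
Compare-SysmonConfig -Reference $policy -Difference $drift
```

The first comparison reports Equal = True despite the reversed order and the added condition attribute; the second one reports Equal = False with the two NetworkConnect lines listed in Differences. Dropping this into the ConfigureSysmon TestScript in place of the InnerXml comparison lets the File resource for invpolSysmon.xml go away.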

Deploy and configure EMET 5.2 with PSDSC

I’ve been using EMET (The Enhanced Mitigation Experience Toolkit) and advocating for it since 2010…

Now with DSC (Desired State Configuration) and PowerShell, it can be fairly easy to deploy and configure it, compared to the approach in my previous post about AppLocker.

I’ve created two scripts, one to install EMET and one to remove it (because of continuous delivery of every product, right?), that can be run as of Windows 8.1 and Windows Server 2012 R2. Yes, DSC is built into PowerShell version 4.0, which was released along with Windows 8.1 in August 2013.

The configuration of EMET 5.2 is based on XML files although EMET 5.2 can also get its configuration by GPO in a domain environment.
The XML configuration that you’ll find below is an export made with the EMET_Conf.exe after an import from the “Recommended Software.xml” profile provided under “C:\Program Files (x86)\EMET 5.2\Deployment\Protection Profiles\”.
Although I probably could, I chose not to handle Certificate Pinning rules, because the XML export made with EMET_Conf.exe generates a new GUID for each rule. Handling them would have complicated the comparison made by the Test-TargetResource and probably slowed it down.
I know that the built-in Package DSC resource can download the file from the web if I specify a URL as the package source, but I preferred to rely on my own custom script to download the file, as it performs additional steps such as checking the integrity of the file (is it the hash we expect?) and whether the file is digitally signed (and recognized as such for the time being).

#Requires -Version 4.0
#Requires -RunAsAdministrator
configuration RemoveEMET52 {
    param
    (
        [string[]]$NodeName = 'localhost'
    )
    Node $NodeName
    {
        Script DownloadEMET52 {
            GetScript = {
                @{
                    GetScript = $GetScript
                    SetScript = $SetScript
                    TestScript = $TestScript
                    Result = $(Test-Path (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'EMET 5.2 Setup.msi'));
                }
            }
            SetScript = {
                try {
                    $tmpfile = [System.IO.Path]::GetTempFileName()
                    $null = Invoke-WebRequest -Uri 'http://download.microsoft.com/download/7/0/A/70AF5150-10DD-4838-ACFC-C4390B05620A/EMET%205.2%20Setup.msi' `
                        -OutFile $tmpfile -ErrorAction Stop
                    Write-Verbose -Message 'Successfully downloaded EMET 5.2 MSI Package'
                    Unblock-File -Path $tmpfile -ErrorAction Stop
                    $package = Join-Path -Path (Split-Path -Path $tmpfile -Parent) -ChildPath 'EMET 5.2 Setup.msi' -ErrorAction SilentlyContinue
                    if (Test-Path $package) {
                        Remove-Item -Path $package -Force -ErrorAction Stop
                    }
                    $tmpfile | Rename-Item -NewName 'EMET 5.2 Setup.msi' -Force -ErrorAction Stop
                } catch {
                    Write-Verbose -Message "Something went wrong $($_.Exception.Message)"
                }
            }
            TestScript = {
                $MSI = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'EMET 5.2 Setup.msi' -ErrorAction SilentlyContinue
                if (-not(Test-Path -Path $MSI -PathType Leaf)) {
                    return $false
                }
                # Both the expected SHA256 and a valid Authenticode signature are required
                if(
                    (Get-FileHash -Path $MSI -Algorithm SHA256).Hash -eq '7125CA4ACC33BDDF46657039277D8FDE752618A00B51604D2890E9E429EA4DD3' -and
                    (Get-AuthenticodeSignature -FilePath $MSI).Status.value__ -eq 0 # Valid
                ) {
                    Write-Verbose -Message 'Successfully found a valid signed EMET 5.2 package'
                    return $true
                } else {
                    Write-Verbose -Message 'A valid signed package of EMET 5.2 was not found'
                    return $false
                }
            }
        }
        Package UninstallEMET52msi {
            Name = 'EMET 5.2';
            Path = 'C:\Windows\Temp\EMET 5.2 Setup.msi';
            ProductId = '{F4DCB44D-F072-43A1-B4A5-57619C7B22D2}';
            Arguments = '/norestart' ;
            Ensure = 'Absent';
            DependsOn = "[Script]DownloadEMET52"
        }
    }
}
if (-not(test-path -Path C:\DSC -PathType Container)){
    mkdir C:\DSC
}
# Compile the configuration file to a MOF format
RemoveEMET52 -OutputPath C:\DSC
# Run the configuration on localhost
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait
Remove-EMET52.ps1 (GitHub gist)

#Requires -Version 4.0
#Requires -RunAsAdministrator
Configuration DeployEMET52 {
    Param
    (
        [string[]]$NodeName = 'localhost'
    )
    Node $NodeName
    {
        # Step1: Download
        Script DownloadEMET52 {
            GetScript = {
                @{
                    GetScript = $GetScript
                    SetScript = $SetScript
                    TestScript = $TestScript
                    Result = $(Test-Path (Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'EMET 5.2 Setup.msi'));
                }
            }
            SetScript = {
                try {
                    $tmpfile = [System.IO.Path]::GetTempFileName()
                    $null = Invoke-WebRequest -Uri 'http://download.microsoft.com/download/7/0/A/70AF5150-10DD-4838-ACFC-C4390B05620A/EMET%205.2%20Setup.msi' `
                        -OutFile $tmpfile -ErrorAction Stop
                    Write-Verbose -Message 'Successfully downloaded EMET 5.2 MSI Package'
                    Unblock-File -Path $tmpfile -ErrorAction Stop
                    $package = Join-Path -Path (Split-Path -Path $tmpfile -Parent) -ChildPath 'EMET 5.2 Setup.msi' -ErrorAction SilentlyContinue
                    if (Test-Path $package) {
                        Remove-Item -Path $package -Force -ErrorAction Stop
                    }
                    $tmpfile | Rename-Item -NewName 'EMET 5.2 Setup.msi' -Force -ErrorAction Stop
                } catch {
                    Write-Verbose -Message "Something went wrong $($_.Exception.Message)"
                }
            }
            TestScript = {
                $MSI = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'EMET 5.2 Setup.msi' -ErrorAction SilentlyContinue
                if (-not(Test-Path -Path $MSI -PathType Leaf)) {
                    return $false
                }
                # Both the expected SHA256 and a valid Authenticode signature are required
                if(
                    (Get-FileHash -Path $MSI -Algorithm SHA256).Hash -eq '7125CA4ACC33BDDF46657039277D8FDE752618A00B51604D2890E9E429EA4DD3' -and
                    (Get-AuthenticodeSignature -FilePath $MSI).Status.value__ -eq 0 # Valid
                ) {
                    Write-Verbose -Message 'Successfully found a valid signed EMET 5.2 package'
                    return $true
                } else {
                    Write-Verbose -Message 'A valid signed package of EMET 5.2 was not found'
                    return $false
                }
            }
        }
        # Step2: Install
        Package InstallEMET52msi {
            Name = 'EMET 5.2';
            Path = 'C:\Windows\Temp\EMET 5.2 Setup.msi';
            ProductId = '{F4DCB44D-F072-43A1-B4A5-57619C7B22D2}';
            Arguments = '/qn /norestart';
            Ensure = 'Present';
            LogPath = 'C:\windows\temp\EMET 5.2 Setup.log';
            DependsOn = "[Script]DownloadEMET52"
        }
        # Step3: Configure
        File EMETconfigXML {
            DestinationPath = 'C:\windows\temp\polEMET52.xml'
            Ensure = 'Present';
            Force = $true
            Contents = @'
<EMET Version="5.2.5546.26803">
<Settings>
<ExploitAction Value="StopProgram" />
<AdvancedSettings DeepHooks="True" AntiDetours="True" BannedFunctions="True" />
<Reporting Telemetry="False" TrayIcon="True" EventLog="True" />
<SystemSettings DEP="Application Opt In" SEHOP="Application Opt In" ASLR="Application Opt In" Pinning="Enabled" />
</Settings>
<EMET_Apps>
<AppConfig Path="*\Adobe\Acrobat*\Acrobat" Executable="Acrobat.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="true">
<eaf_modules>AcroRd32.dll;Acrofx32.dll;AcroForm.api</eaf_modules>
</Mitigation>
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Adobe\Reader*\Reader" Executable="AcroRd32.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="true">
<eaf_modules>AcroRd32.dll;Acrofx32.dll;AcroForm.api</eaf_modules>
</Mitigation>
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="EXCEL.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="true">
<asr_modules>flash*.ocx</asr_modules>
</Mitigation>
</AppConfig>
<AppConfig Path="*\Internet Explorer" Executable="iexplore.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="true">
<eaf_modules>mshtml.dll;flash*.ocx;jscript*.dll;vbscript.dll;vgx.dll</eaf_modules>
</Mitigation>
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="true">
<asr_modules>npjpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll</asr_modules>
<asr_zones>1;2</asr_zones>
</Mitigation>
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="INFOPATH.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre6\bin" Executable="java.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre7\bin" Executable="java.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre1.8*\bin" Executable="java.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre6\bin" Executable="javaw.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre7\bin" Executable="javaw.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre1.8*\bin" Executable="javaw.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre6\bin" Executable="javaws.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre7\bin" Executable="javaws.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\Java\jre1.8*\bin" Executable="javaws.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="false" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="LYNC.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="MSACCESS.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="MSPUB.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="OIS.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="OUTLOOK.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="true">
<asr_modules>flash*.ocx</asr_modules>
</Mitigation>
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="PPTVIEW.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="VISIO.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="VPREVIEW.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
<AppConfig Path="*\OFFICE1*" Executable="WINWORD.EXE">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="true">
<asr_modules>flash*.ocx</asr_modules>
</Mitigation>
</AppConfig>
<AppConfig Path="*\Windows NT\Accessories" Executable="wordpad.exe">
<Mitigation Name="DEP" Enabled="true" />
<Mitigation Name="SEHOP" Enabled="true" />
<Mitigation Name="NullPage" Enabled="true" />
<Mitigation Name="HeapSpray" Enabled="true" />
<Mitigation Name="EAF" Enabled="true" />
<Mitigation Name="EAF+" Enabled="false" />
<Mitigation Name="MandatoryASLR" Enabled="true" />
<Mitigation Name="BottomUpASLR" Enabled="true" />
<Mitigation Name="LoadLib" Enabled="true" />
<Mitigation Name="MemProt" Enabled="true" />
<Mitigation Name="Caller" Enabled="true" />
<Mitigation Name="SimExecFlow" Enabled="true" />
<Mitigation Name="StackPivot" Enabled="true" />
<Mitigation Name="ASR" Enabled="false" />
</AppConfig>
</EMET_Apps>
<Pinning>
<PinRules />
<PinnedSites />
</Pinning>
</EMET>
'@
}
Script ConfigureEMET52 {
GetScript = {
@{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = ([xml](Get-Content -Path C:\Windows\temp\polEMETexport.xml)).InnerXML
}
}
SetScript = {
try {
Start-Process -FilePath "C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe" `
-ArgumentList @('--delete_all') -PassThru -NoNewWindow -ErrorAction Stop | Wait-Process
Write-Verbose -Message 'Successfully deleted local EMET config'
Start-Process -FilePath "C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe" `
-ArgumentList @('--import C:\windows\temp\polEMET52.xml') -PassThru -NoNewWindow -ErrorAction Stop| Wait-Process
Write-Verbose -Message 'Successfully imported local EMET config'
} catch {
Write-Verbose -Message "The import of the EMET config went wrong because $($_.Exception.Message)"
}
}
TestScript = {
if (Test-Path "C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe") {
# 1. Export the config
Start-Process -FilePath "C:\Program Files (x86)\EMET 5.2\EMET_Conf.exe" `
-ArgumentList @('--export C:\Windows\temp\polEMETexport.xml') `
-PassThru -NoNewWindow -ErrorAction SilentlyContinue | Wait-Process
if (Test-Path -Path C:\Windows\temp\polEMETexport.xml -PathType Leaf) {
# 2. Compare
if (
Compare-Object -ReferenceObject ([xml](Get-Content -Path C:\Windows\temp\polEMETexport.xml -Encoding Ascii)).InnerXML `
-DifferenceObject ([xml](Get-Content -Path C:\windows\temp\polEMET52.xml -Encoding UTF8 )).InnerXml
) {
Write-Verbose -Message "Current EMET config dump does NOT match"
return $false
} else {
Write-Verbose -Message "Current EMET config dump does match"
return $true
}
} else {
Write-Verbose -Message "The XML dump of the EMET config was not found"
return $false
}
} else {
throw "Something is wrong with the local EMET installation"
}
}
DependsOn = "[File]EMETconfigXML","[Package]InstallEMET52msi"
}
}
}
if (-not(test-path -Path C:\DSC -PathType Container)){
mkdir C:\DSC
}
# Compile the configuration file to a MOF format
DeployEMET52 -OutputPath C:\DSC
# Run the configuration on localhost
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait

The initial download takes around 9 seconds.
(screenshot: DSC-Install-EMET52.download)
Let’s see what output we get when I first push the configuration:
(screenshots: DSC-Install-EMET52.run1.Package, DSC-Install-EMET52.run1.Config)

If I push the configuration a 2nd time, all TEST steps for each resource return true because the resources are already in their expected state, and all the SET operations are skipped:
(screenshot: DSC-Install-EMET52.run2)

Here’s what happens when I remove EMET 5.2 for the first time if it’s present:
(screenshot: DSC-remove-EMET-1)
If I run the removal a 2nd time, I get:
(screenshot: DSC-remove-EMET-2)

Configure Applocker with Desired State Configuration

I was working with Desired State Configuration and wondered why a custom DSC resource hasn’t been published yet for Applocker.
Bitlocker already has its experimental DSC resource. Why doesn’t Applocker have one?

I also wondered what it really takes to configure Applocker with PowerShell Desired State Configuration.

First a quick disclaimer is required:

  • Do not apply this on your servers/workstations if you don’t understand what Applocker does.
  • The deny rules are just examples. I don’t have anything against these software editors.
  • Yes, I know that’s not the most secure Applocker configuration as the example below mixes both a very permissive (default) whitelist and a very specific blacklist.

Let’s also quickly examine the Applocker requirements:

  • Applocker rules can be imported from/exported to an XML file using the GUI or using the cmdlets of the built-in Applocker module (it has existed since PowerShell version 2.0 on Windows 7).
    XML seems to be the better way to go, although the Applocker policy can also be found in the registry under the HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 key.
  • The Applocker policy depends on the ‘Application Identity’ service to be enforced.

Based on these light requirements, it seems that the built-in DSC resources are actually enough to deploy an Applocker policy locally.

To configure Applocker, I first need to export the Applocker policy to XML and dump its indented representation to a file.
To solve the indentation issue, I’ve used the Format-XML function written by Jeffrey Snover that you can find on this page.

# http://blogs.msdn.com/b/powershell/archive/2008/01/18/format-xml.aspx
function Format-XML ([xml]$xml, $indent=2)
{
    $StringWriter = New-Object System.IO.StringWriter
    $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
    $xmlWriter.Formatting = "indented"
    $xmlWriter.Indentation = $Indent
    $xml.WriteContentTo($XmlWriter)
    $XmlWriter.Flush()
    $StringWriter.Flush()
    Write-Output $StringWriter.ToString()
}
Format-XML ([xml](Get-AppLockerPolicy -Effective -Xml)) -indent 2 | 
Out-File -FilePath ~/Documents\Applocker-pol.xml -Encoding ascii

The second step consists of creating the file locally with the XML content thanks to the built-in File DSC resource.
To decide whether to apply the policy, I’ll export the current effective Applocker policy and compare it to the XML file.
Once the Applocker policy is applied, I’ll start the required service.

Here is what the DSC configuration looks like to deploy an Applocker policy locally.

Configuration localApplockerDSCConfig {
param
(
[string[]]$NodeName = 'localhost'
)
Node $NodeName
{
Service AppIDsvc {
Name = 'AppIDSvc'
StartupType = 'Automatic'
State = 'Running'
BuiltinAccount = 'LocalService'
DependsOn = "[File]XMLPol","[Script]ApplyLocalApplockerPol"
}
Script ApplyLocalApplockerPol {
GetScript = {
@{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXML
}
}
SetScript = {
Set-AppLockerPolicy -XMLPolicy 'C:\windows\temp\polApplocker.xml'
}
TestScript = {
if(
Compare-Object -ReferenceObject ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXML `
-DifferenceObject ([xml](Get-Content 'C:\windows\temp\polApplocker.xml')).InnerXml
) {
return $false
} else {
return $true
}
}
DependsOn = "[File]XMLPol"
}
File XMLPol {
DestinationPath = 'C:\windows\temp\polApplocker.xml'
Ensure = 'Present';
Force = $true
Contents = @'
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePublisherRule Id="25118d14-e4db-482e-a936-447c8c93739a" Name="Signed by O=TREND MICRO, INC., L=TAIPEI, S=TAIWAN, C=TW" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=TREND MICRO, INC., L=TAIPEI, S=TAIWAN, C=TW" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="9f30c729-3921-46d9-9df8-eecbfb014ecd" Name="Signed by O=ORACLE AMERICA, INC., L=REDWOOD SHORES, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=ORACLE AMERICA, INC., L=REDWOOD SHORES, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="dcb1232c-6fed-4d95-935f-2dc3fd5ab90e" Name="MICROSOFT MONITORING AGENT, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT MONITORING AGENT" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id="68017eb1-38e2-4011-8e56-dc104b27b527" Name="%HOT%\*" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePathCondition Path="%HOT%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
</RuleCollection>
<RuleCollection Type="Msi" EnforcementMode="Enabled">
<FilePublisherRule Id="1260ef26-70ff-4391-b719-ead2b2578cf8" Name="MICROSOFT MONITORING AGENT, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT MONITORING AGENT" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="1f8d1b9c-997c-4ba0-8cf1-999559d44fef" Name="Signed by O=PUPPET LABS, L=PORTLAND, S=OREGON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=PUPPET LABS, L=PORTLAND, S=OREGON, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="42fdff7a-12ce-4b11-9f9b-dc85c02802b5" Name="Signed by O=TREND MICRO, INC., L=TAIPEI, S=TAIWAN, C=TW" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=TREND MICRO, INC., L=TAIPEI, S=TAIWAN, C=TW" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id="465dec27-a086-4915-9f83-a1a697e63091" Name="%HOT%\*" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePathCondition Path="%HOT%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\Installer\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*.*" />
</Conditions>
</FilePathRule>
</RuleCollection>
<RuleCollection Type="Script" EnforcementMode="Enabled">
<FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="082de031-a84f-4243-9efa-33d3389481f2" Name="%HOT%\*" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePathCondition Path="%HOT%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
</RuleCollection>
</AppLockerPolicy>
'@
}
}
}
if (-not(test-path -Path C:\DSC -PathType Container)){
mkdir C:\DSC
}
# Compile the configuration file to a MOF format
localApplockerDSCConfig -OutputPath C:\DSC
# Run the configuration on localhost
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait

It only takes a service, a file, a script resource and less than 5 seconds to deploy an Applocker policy locally. 😎


If I apply it one more time, we can see that all the tests performed are skipped as my system is already in the desired state.


If I open the local group policy editor, we can see the following:

The above configuration was just for testing purposes, right 😉
Here’s how to achieve the exact opposite, i.e., clear the local Applocker policy and stop the required service.

Configuration NoLocalApplockerDSCConfig {
param
(
[string[]]$NodeName = 'localhost'
)
Node $NodeName
{
Service AppIDsvc {
Name = 'AppIDSvc'
StartupType = 'Manual'
State = 'Stopped'
BuiltinAccount = 'LocalService'
DependsOn = "[File]XMLPol","[Script]ApplyLocalApplockerPol"
}
Script ApplyLocalApplockerPol {
GetScript = {
@{
GetScript = $GetScript
SetScript = $SetScript
TestScript = $TestScript
Result = ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXML
}
}
SetScript = {
Set-AppLockerPolicy -XMLPolicy 'C:\windows\temp\polApplocker.xml'
}
TestScript = {
if(
Compare-Object -ReferenceObject ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXML `
-DifferenceObject ([xml](Get-Content 'C:\windows\temp\polApplocker.xml')).InnerXml
) {
return $false
} else {
return $true
}
}
DependsOn = "[File]XMLPol"
}
File XMLPol {
DestinationPath = 'C:\windows\temp\polApplocker.xml'
Ensure = 'Present';
Force = $true
Contents = @'
<AppLockerPolicy Version="1" />
'@
}
}
}
if (-not(test-path -Path C:\DSC -PathType Container)){
mkdir C:\DSC
}
# Compile the configuration file to a MOF format
NoLocalApplockerDSCConfig -OutputPath C:\DSC
# Run the configuration on localhost
Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait

Let’s remove the existing Applocker local policy for the 1st time:

Again, applied one more time, we can see that all the tests performed are skipped as my system is already in the desired state.


Nice, isn’t it? DSC and PowerShell bring more than just automation! I love it 😀

Follow-up: configuring a proxy with DSC

While working on a custom DSC (Desired State Configuration) resource that forces the Windows Update Agent to opt-in to Microsoft Update, I found a major caveat with my previous blog post about configuring a proxy per machine with DSC.

My server wouldn’t opt-in to Microsoft Update (MU) and when it tried, it lasted ~20 seconds, which is an excessive amount of time. Under my user account, the registration takes less than a second.

Here’s the code I’m using inside the DSC resource and at command prompt.

# 7971f918-a847-4430-9279-4a52d1efe18d is the Microsoft Update service id; 7 = asfAllowPendingRegistration | asfAllowOnlineRegistration | asfRegisterServiceWithAU
(New-Object -ComObject Microsoft.Update.ServiceManager).AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, "")

I couldn’t understand why and started a procmon trace.

The WindowsUpdate.log file confirmed that it takes 20 seconds and indicated that it doesn’t use the proxy set per machine 😦

The procmon trace indicated that the Windows Update service was looking for the WinHttpSettings value and couldn’t find it.

My bad 😦
That’s exactly what my DSC configuration does: it sets the WinHttpSettings value as absent.

To fix it, I duplicated the DefaultConnectionSettings item and set the exact same value for the WinHttpSettings item.
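As an added example (not code from the original post), here is what that fix looks like as a pair of DSC Registry resources, with WinHttpSettings present and carrying the same bytes as DefaultConnectionSettings, followed by a check to run once the configuration has been applied. The configuration name, the Test-WinHttpSettingsMatch function and the reuse of the direct-access blob from the NoProxy.ps1 sample are my assumptions.

```powershell
# Added example: the WinHttpSettings value is now 'Present' and holds the same
# binary data as DefaultConnectionSettings, so WinHTTP clients such as the
# Windows Update Agent see the same per-machine proxy settings as Internet Explorer.
Configuration ProxyPerMachineWithWinHttp {
    $connections = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    # Assumed value: the direct-access blob from the NoProxy.ps1 sample; capture
    # your own DefaultConnectionSettings on a reference machine and paste it here.
    $blob = '4600000003000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'

    Registry ProxyPerMachineDefaultConnectionSettings {
        Key       = $connections
        ValueName = 'DefaultConnectionSettings'
        Ensure    = 'Present'
        ValueType = 'Binary'
        ValueData = $blob
        Force     = $true
    }
    # Same bytes under the second value name (previously set to 'Absent').
    Registry ProxyPerMachineWinHttpSettings {
        Key       = $connections
        ValueName = 'WinHttpSettings'
        Ensure    = 'Present'
        ValueType = 'Binary'
        ValueData = $blob
        Force     = $true
    }
}

# Hypothetical post-apply check: $true when both values hold identical bytes.
# '{0:X2}' is fine here because both sides are formatted the same way; this
# string is only compared, never fed back into the Registry resource.
function Test-WinHttpSettingsMatch {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    # -ErrorAction Stop makes a still-missing WinHttpSettings value a hard failure
    $props = Get-ItemProperty -Path $key -Name DefaultConnectionSettings, WinHttpSettings -ErrorAction Stop
    $default = ([byte[]]$props.DefaultConnectionSettings | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    $winhttp = ([byte[]]$props.WinHttpSettings | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    return ($default -eq $winhttp)
}

# Usage (run elevated):
# ProxyPerMachineWithWinHttp -OutputPath C:\DSC
# Start-DscConfiguration -Path C:\DSC -ComputerName localhost -Verbose -Force -Wait
# Test-WinHttpSettingsMatch   # expected: True
```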

And now the registration is back to normal:

I also found a second problem while reading the verbose output when applying the DSC configuration 😦

[ Start Test ] [[Registry]ProxyAddressPerMachineDefaultConnectionSettings]
VERBOSE: [MyComputerName]: [[Registry]ProxyAddressPerMachineDefaultConnectionSettings] Registry key value ‘HKLM:\software\microsoft\windows\currentversion\internet settings\connections\DefaultConnectionSettings’ of type ‘Binary’ does not contain data ‘46000000040000000300000015…0’

The DSC Test-TargetResource function always returned false because the registry value set in the first place was somehow “autocorrected”.
The fact that the Test-TargetResource always returns false isn’t normal.

I recommended in my original post to extract the value from the registry like this:

$regkey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-join (
(Get-ItemProperty -Path  $regkey -Name DefaultConnectionSettings).DefaultConnectionSettings |
 Foreach-Object { '{0:X2}' -f $_ })

…which is the wrong way and the root cause of the behavior I described above.

My bad 😦 Sorry about that.

I fixed my issue by correctly capturing the hexadecimal value from the registry 😀

$regkey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-join (
(Get-ItemProperty -Path  $regkey -Name DefaultConnectionSettings).DefaultConnectionSettings |
 Foreach-Object { '{0:X1}' -f $_ })

DSC: configuring a proxy

What’s the first thing you do when you configure a new server?
After configuring the network stack and the time and allowing remote desktop, I make sure that the server has access to the Internet so that all the other operations that depend on this link (downloading drivers, packages, Windows updates, activating Windows, …) run smoothly.

In a corporate environment, accessing the Internet is usually done through a proxy server.
I’ll share with you an old trick I’ve been using since Windows XP: how to configure a proxy per machine with Desired State Configuration (DSC) and avoid other admins messing with it 😀

You can configure proxy settings via:

  • a response file (unattend.xml) when the computer is provisioned, with the Microsoft-Windows-IE-ClientNetworkProtocolImplementation component
  • Group policies
    That’s out of scope, as we don’t know if the machine is domain or workgroup joined.
  • IE branding
    Remember the IEAK? It’s based on an INS file located in C:\Program Files (x86)\Internet Explorer\Custom and some registry settings.
    The problem with this approach is that you need to indicate the version of Internet Explorer in the INS file. That’s why it’s not a suitable way to proceed.
  • the Registry
    This method doesn’t depend on the version of Internet Explorer or on whether the machine is workgroup or domain joined. It’s thus the most suitable way to go 🙂

I’ve created 5 small DSC configurations: 4 to illustrate basic scenarios and 1 to restore user-based proxy settings. (Note that you can mix some scenarios together to match your needs and your environment’s configuration.)

  • NoProxy.ps1 will define proxy settings per machine and configure the machine to access the Internet directly
  • ProxyAutodetect.ps1 will define proxy settings per machine and leave autodetect enabled (~default user config, but per machine)
  • ProxyURL.ps1 will define a proxy configuration script URL (set to http://myproxy.fqdn/proxy.pac in my example below)
  • Proxy.ps1 will define a proxy address set to myproxy.fqdn on port 8888 for all protocols and bypass the proxy server for local addresses
  • RestorePerUserProxy.ps1 will delete all per-machine settings and fall back on user settings

(I’ve stored the samples as Gist files, so that you can use the OneGet Gist provider made by Doug Finke to get them 😉 )

If you want to use these configurations, you may need to modify my sample configurations and replace the binary value for both DefaultConnectionSettings and SavedLegacySettings. You actually need to capture them on a working computer where you manually configured the Internet Explorer settings for your environment.
Then you can extract the binary value from the HKCU hive with the following code:

$regkey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
-join ( 
(Get-ItemProperty -Path  $regkey -Name DefaultConnectionSettings).DefaultConnectionSettings |
 Foreach-Object { '{0:X2}' -f $_ })
-join ( 
(Get-ItemProperty -Path $regkey -Name SavedLegacySettings).SavedLegacySettings |
 Foreach-Object { '{0:X2}' -f $_ })

Here are the 5 small DSC samples with what you get in UI as a result. Enjoy 😎

  • NoProxy.ps1

    # Define proxy settings per machine and configure it to access directly Internet
    Configuration NoProxy {
    Registry ProxyPerMachinePolicy
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxySettingsPerUser'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineWinHttPSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'WinHttPSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineDefaultConnectionSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'DefaultConnectionSettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '4600000003000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineSavedLegacySettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'SavedLegacySettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '4600000008000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineProxyEnable
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyEnable'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineProxyServer
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyServer'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyOverride
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyOverride'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineAutoConfigURL
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'AutoConfigURL'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineLockAutoConfig
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Autoconfig'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineLockProxy
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Proxy'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    }

  • ProxyAutodetect.ps1

  • # Define proxy settings per machine and leave autodetect enabled (roughly the default per-user config, applied per machine)
    Configuration AutodetectProxy {
    Registry ProxyPerMachinePolicy
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxySettingsPerUser'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineWinHttPSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'WinHttPSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineDefaultConnectionSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'DefaultConnectionSettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineSavedLegacySettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'SavedLegacySettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineProxyEnable
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyEnable'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineProxyServer
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyServer'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyOverride
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyOverride'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineAutoConfigURL
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'AutoConfigURL'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineLockAutoConfig
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Autoconfig'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineLockProxy
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Proxy'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    }

  • ProxyURL.ps1

  • # Define a proxy auto-configuration (PAC) script URL per machine
    Configuration ProxyURL {
    Registry ProxyPerMachinePolicy
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxySettingsPerUser'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineWinHttPSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'WinHttPSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineDefaultConnectionSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'DefaultConnectionSettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '46000000040000000500000000000000000000001D000000687474703A2F2F6D7970726F78792E6671646E2F70726F78792E7061630000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineSavedLegacySettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'SavedLegacySettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '46000000090000000500000000000000000000001D000000687474703A2F2F6D7970726F78792E6671646E2F70726F78792E7061630000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineProxyEnable
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyEnable'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineProxyServer
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyServer'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyOverride
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyOverride'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineAutoConfigURL
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'AutoConfigURL'
    Ensure = 'Present'
    ValueData = 'http://myproxy.fqdn/proxy.pac'
    ValueType = 'String'
    Force = $true
    }
    Registry ProxyPerMachineLockAutoConfig
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Autoconfig'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineLockProxy
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Proxy'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    }

  • Proxy.ps1

  • # Define an explicit proxy server per machine, bypassed for local addresses
    Configuration Proxy {
    Registry ProxyPerMachinePolicy
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxySettingsPerUser'
    Ensure = 'Present'
    ValueData = '0'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineWinHttPSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'WinHttPSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineDefaultConnectionSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'DefaultConnectionSettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '460000000300000003000000110000006D7970726F78792E6671646E3A38383838070000003C6C6F63616C3E000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineSavedLegacySettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'SavedLegacySettings'
    Ensure = 'Present'
    ValueType = 'Binary'
    ValueData = '460000000800000003000000110000006D7970726F78792E6671646E3A38383838070000003C6C6F63616C3E000000000000000000000000000000000000000000000000000000000000000000000000'
    Force = $true
    }
    Registry ProxyPerMachineProxyEnable
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyEnable'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineProxyServer
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyServer'
    Ensure = 'Present'
    ValueData = 'myproxy.fqdn:8888'
    ValueType = 'String'
    Force = $true
    }
    Registry ProxyPerMachineProxyOverride
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyOverride'
    Ensure = 'Present'
    Force = $true
    ValueData = '<local>'
    ValueType = 'String'
    }
    Registry ProxyPerMachineAutoConfigURL
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'AutoConfigURL'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineLockAutoConfig
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Autoconfig'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    Registry ProxyPerMachineLockProxy
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Proxy'
    Ensure = 'Present'
    ValueData = '1'
    ValueType = 'Dword'
    Force = $true
    }
    }

  • RestorePerUserProxy.ps1

  • # Nothing per machine: remove the per-machine values and rely on per-user settings (Windows default)
    Configuration ProxyPerUser {
    Registry ProxyPerMachinePolicy
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxySettingsPerUser'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineWinHttPSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'WinHttPSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineDefaultConnectionSettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'DefaultConnectionSettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineSavedLegacySettings
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    ValueName = 'SavedLegacySettings'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyEnable
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyEnable'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyServer
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyServer'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineProxyOverride
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'ProxyOverride'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineAutoConfigURL
    {
    Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    ValueName = 'AutoConfigURL'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineLockAutoConfig
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Autoconfig'
    Ensure = 'Absent'
    Force = $true
    }
    Registry ProxyPerMachineLockProxy
    {
    Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    ValueName = 'Proxy'
    Ensure = 'Absent'
    Force = $true
    }
    }
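
The long hex strings in the DefaultConnectionSettings and SavedLegacySettings resources above are the binary connection-settings structure that WinINet reads: a version DWORD (0x46), a change counter, a flags DWORD (direct / proxy / PAC / autodetect bits), then the proxy server, bypass list and PAC URL as length-prefixed ASCII strings, then zero padding. That one value decides where every WinINet client on the machine sends its HTTP traffic and whether a PAC script gets fetched, and the Autoconfig and Proxy policies under Control Panel lock it against user changes, so being able to decode what a machine actually has, rather than trusting an opaque blob, is a useful check. The PowerShell below is an added example, not one of the gists above: the layout it assumes is the commonly documented one rather than an official contract, and the function names (Read-ConnectionSettings, New-ConnectionSettings, Get-LiveConnectionSettings) and the sample proxy myproxy2.fqdn:3128 are constructed for this example.

```powershell
# Added example (not from the gists above): decode and regenerate the binary
# DefaultConnectionSettings / SavedLegacySettings blobs so the hex strings in the
# configurations can be checked against what a machine really has.
# Assumed layout (widely documented, not an official contract), all little-endian:
#   DWORD version (0x46), DWORD change counter, DWORD flags,
#   three length-prefixed ASCII strings (proxy server, bypass list, PAC URL),
#   zero padding.
Set-StrictMode -Version Latest

$ProxyFlags = @{
    Direct     = 0x01   # always set
    Proxy      = 0x02   # use the proxy server and bypass list
    AutoConfig = 0x04   # use the PAC URL
    AutoDetect = 0x08   # WPAD auto-detection
}

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring($i * 2, 2), 16)
    }
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Read-LengthPrefixedString {
    param([byte[]]$Bytes, [ref]$Offset)
    $len = [int][BitConverter]::ToUInt32($Bytes, $Offset.Value)
    $Offset.Value += 4
    $s = [Text.Encoding]::ASCII.GetString($Bytes, $Offset.Value, $len)
    $Offset.Value += $len
    return $s
}

function Read-ConnectionSettings {
    # Parses a blob into its fields; trailing padding is ignored.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $flags = [BitConverter]::ToUInt32($Bytes, 8)
    $off = 12
    $proxy  = Read-LengthPrefixedString $Bytes ([ref]$off)
    $bypass = Read-LengthPrefixedString $Bytes ([ref]$off)
    $pac    = Read-LengthPrefixedString $Bytes ([ref]$off)
    [pscustomobject]@{
        Version       = [BitConverter]::ToUInt32($Bytes, 0)
        Counter       = [BitConverter]::ToUInt32($Bytes, 4)
        UseProxy      = [bool]($flags -band $ProxyFlags.Proxy)
        UseAutoConfig = [bool]($flags -band $ProxyFlags.AutoConfig)
        UseAutoDetect = [bool]($flags -band $ProxyFlags.AutoDetect)
        ProxyServer   = $proxy
        BypassList    = $bypass
        AutoConfigUrl = $pac
    }
}

function New-ConnectionSettings {
    # Builds a blob from readable fields and returns the hex string that a
    # Registry resource with ValueType = 'Binary' takes in ValueData.
    param(
        [string]$ProxyServer = '',
        [string]$BypassList = '',
        [string]$AutoConfigUrl = '',
        [switch]$AutoDetect,
        [uint32]$Counter = 1
    )
    $flags = $ProxyFlags.Direct
    if ($ProxyServer)   { $flags = $flags -bor $ProxyFlags.Proxy }
    if ($AutoConfigUrl) { $flags = $flags -bor $ProxyFlags.AutoConfig }
    if ($AutoDetect)    { $flags = $flags -bor $ProxyFlags.AutoDetect }

    $ms = New-Object IO.MemoryStream
    $w  = New-Object IO.BinaryWriter -ArgumentList $ms
    $w.Write([uint32]0x46); $w.Write($Counter); $w.Write([uint32]$flags)
    foreach ($s in @($ProxyServer, $BypassList, $AutoConfigUrl)) {
        $b = [Text.Encoding]::ASCII.GetBytes($s)
        $w.Write([uint32]$b.Length)
        if ($b.Length -gt 0) { $w.Write($b) }
    }
    $w.Write((New-Object byte[] 32))   # zero padding, as in the gists above
    $w.Flush()
    return (ConvertTo-HexString $ms.ToArray())
}

function Get-LiveConnectionSettings {
    # Reads the per-machine value the configurations above manage (Windows only).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    $raw = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction Stop).DefaultConnectionSettings
    return (Read-ConnectionSettings ([byte[]]$raw))
}

# Decode the blob copied from Proxy.ps1 above, then build one for a different
# proxy (myproxy2.fqdn:3128 is a constructed sample value).
$fromPage = '460000000300000003000000110000006D7970726F78792E6671646E3A38383838070000003C6C6F63616C3E000000000000000000000000000000000000000000000000000000000000000000000000'
Read-ConnectionSettings (ConvertFrom-HexString $fromPage) | Format-List
New-ConnectionSettings -ProxyServer 'myproxy2.fqdn:3128' -BypassList '<local>' -Counter 4
```

Get-LiveConnectionSettings gives the fields a machine currently enforces, which is the thing to compare against the intended configuration after a push, and the hex string from New-ConnectionSettings drops straight into ValueData of a Registry resource with ValueType = 'Binary'. The second DWORD is the change counter Windows bumps on every edit; in each of the gists above, the DefaultConnectionSettings and SavedLegacySettings blobs differ only in that DWORD.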