Last active
July 8, 2024 15:51
-
-
Save byBretema/06943f1596f06edbfdf4273be5007a43 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################################## | |
| ### Skandal/POET - Windows post-install script ### | |
| ################################################## | |
| #Requires -RunAsAdministrator | |
| param ( | |
| [Parameter(Mandatory = $false)] [switch]$skip_password = $false, | |
| [Parameter(Mandatory = $false)] [switch]$skip_visuals = $false, | |
| [Parameter(Mandatory = $false)] [switch]$skip_vnc = $false, | |
| [Parameter(Mandatory = $false)] [switch]$skip_ssh = $false, | |
| [Parameter(Mandatory = $false)] [switch]$skip_turn_off_updates_and_tasks = $false | |
| ) | |
| #============================================================================== | |
| # Helpers | |
| #============================================================================== | |
| function DownloadToTemp { | |
| param ( | |
| [Parameter(Mandatory = $true)] [string]$url, | |
| [Parameter(Mandatory = $true)] [string]$ext | |
| ) | |
| $tempFile = [System.IO.Path]::GetTempFileName() | |
| Invoke-WebRequest $url -OutFile $tempFile | |
| $finalFile = [System.IO.Path]::ChangeExtension($tempFile, "." + ($ext.Trim('.'))) | |
| Rename-Item -Path $tempFile -NewName $finalFile | |
| return $finalFile | |
| } | |
| function SafeSetProp { | |
| param ( | |
| [Parameter(Mandatory = $true)] [string]$Path, | |
| [Parameter(Mandatory = $true)] [string]$Name, | |
| [Parameter(Mandatory = $true)] $Value, | |
| [Parameter(Mandatory = $false)] [string]$Type = "DWord" | |
| ) | |
| if (-not (Test-Path $Path)) { | |
| New-Item -Path $Path -Force 1>$null 2>$null | |
| } | |
| Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value 1>$null 2>$null | |
| } | |
| #============================================================================== | |
| # Some defaults | |
| #============================================================================== | |
| Write-Host "| Applying defaults" | |
| # show hidden files | |
| Write-Host " - Activating: Show hidden files and folders" | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced" "Hidden" 1 | |
| # show all extensions | |
| Write-Host " - Activating: Show all files extensions" | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced" "HideFileExt" 0 | |
| # hide search box/icon from taskbar | |
| Write-Host " - Hiding: Search box / icon" | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/Search" "SearchboxTaskbarMode" 0 | |
| # hide duplicate removable drives from navigation pane of File Explorer | |
| Write-Host " - Hiding: Duplicate drives" | |
| Remove-Item "HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Desktop/NameSpace/DelegateFolders/{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}" 1>$null 2>$null | |
| # no telemetry | |
| Write-Host " - Disabling: Telemetry" | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/AdvertisingInfo" "Enabled" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/Privacy" "TailoredExperiencesWithDiagnosticDataEnabled" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/Speech_OneCore/Settings/OnlineSpeechPrivacy" "HasAccepted" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/Input/TIPC" "Enabled" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/InputPersonalization" "RestrictImplicitInkCollection" 1 | |
| SafeSetProp "HKCU:/Software/Microsoft/InputPersonalization" "RestrictImplicitTextCollection" 1 | |
| SafeSetProp "HKCU:/Software/Microsoft/InputPersonalization/TrainedDataStore" "HarvestContacts" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/Personalization/Settings" "AcceptedPrivacyPolicy" 0 | |
| SafeSetProp "HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/DataCollection" "AllowTelemetry" 0 | |
| SafeSetProp "HKCU:/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced" "Start_TrackProgs" 0 | |
| #============================================================================== | |
| # Defender exclusions | |
| #============================================================================== | |
| Write-Host "| Updating Windows-Defender exclusions" | |
| # folders | |
| Write-Host " - Adding folders" | |
| @( "$env:ProgramFiles/Skandal", "$env:ProgramFiles/OpenSSH" ) | ForEach-Object { | |
| Add-MpPreference -ExclusionPath $_ | |
| } | |
| # processes | |
| Write-Host " - Adding processes" | |
| @("poet-creator.exe", "POETLauncher.exe", "StartDialog.exe" ) | ForEach-Object { | |
| Add-MpPreference -ExclusionProcess $_ | |
| } | |
| #============================================================================== | |
| # Password stuff | |
| #============================================================================== | |
| if (-not $skip_password) { | |
| Write-Host "| Updating Password settings" | |
| # never expires | |
| Write-Host " - Password never expire" | |
| Set-LocalUser -Name "$env:USERNAME" -PasswordNeverExpires $true 1>$null 2>$null | |
| # allow blank passwords | |
| Write-Host " - Allow blank password" | |
| SafeSetProp "HKLM:/SYSTEM/CurrentControlSet/Control/Lsa" "LimitBlankPasswordUse" 0 | |
| } | |
| #============================================================================== | |
| # Disable windows tasks and updates | |
| #============================================================================== | |
| if (-not $skip_turn_off_updates_and_tasks) { | |
| Write-Host "| Turning off updates and tasks" | |
| Write-Host " - Disabling services" | |
| @( "wuauserv", "WaaSMedicSvc", "UsoSvc" ) | ForEach-Object { | |
| Set-Service -Name $_ -StartupType Disabled 1>$null 2>$null | |
| Stop-Service -Name $_ 1>$null 2>$null | |
| } | |
| Write-Host " - Disabling tasks" | |
| @("usbceip", "edge", "consolidator", "silentcleanup", "dmclient", "schedule", "defender") | ForEach-Object { | |
| Get-ScheduledTask -TaskName *$_* | ForEach-Object { | |
| Disable-ScheduledTask -TaskName $_.TaskName 1>$null 2>$null | |
| } | |
| } | |
| @("WindowsUpdate", "UpdateOrchestrator") | ForEach-Object { | |
| Get-ScheduledTask -TaskPath *$_* | ForEach-Object { | |
| Disable-ScheduledTask -TaskName $_.TaskName 1>$null 2>$null | |
| } | |
| } | |
| # disable processes | |
| Write-Host " - Disabling tasks and processes" | |
| Stop-Process -Name "MoUsoCoreWorker" -Force -PassThru 1>$null 2>$null | |
| Stop-Process -Name "TiWorker" -Force -PassThru 1>$null 2>$null | |
| # update registry stuff | |
| Write-Host " - Updating things on registry..." | |
| SafeSetProp "HKLM:/Software/Microsoft/WindowsUpdate/UX/Settings" "UxOption" 1 | |
| SafeSetProp "HKLM:/SYSTEM/ControlSet001/Services/WaaSMedicSvc" "Start" 4 | |
| # disable notifications | |
| Write-Host " - Disabling updates notifications..." | |
| $AUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings | |
| $AUSettings.NotificationLevel = 1 | |
| $AUSettings.Save 1>$null 2>$null | |
| } | |
| #============================================================================== | |
| # Vistual stuff | |
| #============================================================================== | |
| if (-not $skip_visuals) { | |
| Write-Host "| Visuals" | |
| # walpaper | |
| Write-Host " - Removing wallpaper..." | |
| SafeSetProp "HKCU:/Control Panel/Desktop" "Wallpaper" "" String | |
| # bg | |
| Write-Host " - Setting bg color as black..." | |
| SafeSetProp "HKCU:/Control Panel/Colors" "Background" "0 0 0" String | |
| # dark mode | |
| Write-Host " - Enabling dark-mode..." | |
| SafeSetProp "HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Themes" "AppsUseLightTheme" 0 | |
| SafeSetProp "HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Themes" "SystemUsesLightTheme" 0 | |
| SafeSetProp "HKCU:/SOFTWARE/Microsoft/Windows/CurrentVersion/Themes/Personalize" "AppsUseLightTheme" 0 | |
| SafeSetProp "HKCU:/SOFTWARE/Microsoft/Windows/CurrentVersion/Themes/Personalize" "SystemUsesLightTheme" 0 | |
| } | |
| #============================================================================== | |
| # TightVNC | |
| #============================================================================== | |
| if (-not $skip_vnc) { | |
| Write-Host "| TightVNC" | |
| # install | |
| Write-Host " - Downloading" | |
| $tightvnc_msi = $(DownloadToTemp "https://www.tightvnc.com/download/2.8.81/tightvnc-2.8.81-gpl-setup-64bit.msi" "msi") | |
| Write-Host " - Installing" | |
| Start-Process msiexec.exe -Wait -ArgumentList "/i $tightvnc_msi /passive SET_USEVNCAUTHENTICATION=1 VALUE_OF_USEVNCAUTHENTICATION=0 SET_USECONTROLAUTHENTICATION=1 VALUE_OF_USECONTROLAUTHENTICATION=0" | |
| # add auto-start | |
| Write-Host " - Adding auto-start" | |
| $vncCmd = "& '$env:ProgramFiles/TightVNC/tvnserver.exe' -start -silent; " | |
| $vncCmd += "& '$env:ProgramFiles/TightVNC/tvnserver.exe' -controlservice -shareprimary; " | |
| foreach ($loc in $shortcutLocs) { | |
| $s = $shortcutShell.CreateShortcut("$loc / TightVncStartAndTrim.lnk") | |
| $s.TargetPath = "powershell.exe" | |
| $s.Arguments = "-NoProfile -NoLogo -command `"$vncCmd`"" | |
| $s.Save() | |
| } | |
| # config active instance | |
| Write-Host " - Configuring active instance to use only main screen" | |
| & "$env:ProgramFiles/TightVNC/tvnserver.exe" -controlservice -shareprimary | |
| } | |
| #============================================================================== | |
| # OpenSSH | |
| #============================================================================== | |
| if (-not $skip_ssh) { | |
| Write-Host "| OpenSSH" | |
| # download | |
| Write-Host " - Downloading" | |
| $openssh_msi = $(DownloadToTemp "https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win64-v9.2.2.0.msi" "msi") | |
| # install | |
| Write-Host " - Installing" | |
| Start-Process msiexec.exe -Wait -ArgumentList "/i $openssh_msi /passive" | |
| # start up | |
| Write-Host " - Starting up services" | |
| Get-Service -Name *ssh* | Set-Service -StartupType Automatic | |
| Get-Service -Name *ssh* | Start-Service | |
| # add firewall rule | |
| Write-Host " - Adding firewall rule" | |
| New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 1>$null 2>$null | |
| # add config rules | |
| Write-Host " - Generating sshd config" | |
| $sshd_config = "${env:ProgramData}/ssh/sshd_config" | |
| $backup_time = $(Get-Date -Format "yyyyMMddHHmmss") | |
| Move-Item -Force $sshd_config "$sshd_config.$backup_time.bak" 1>$null 2>$null | |
| New-Item -Force $sshd_config 1>$null | |
| Add-Content $sshd_config "" | |
| Add-Content $sshd_config "Subsystem sftp sftp-server.exe" # Links to the sftp-server executable | |
| Add-Content $sshd_config "" | |
| Add-Content $sshd_config "AuthorizedKeysFile .ssh/authorized_keys" | |
| Add-Content $sshd_config "" | |
| Add-Content $sshd_config "Match Group administrators" | |
| Add-Content $sshd_config " AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys" | |
| Add-Content $sshd_config "" | |
| Add-Content $sshd_config "PasswordAuthentication yes" # Must be 'yes' for security and to avoid weird issues | |
| Add-Content $sshd_config "PermitEmptyPasswords yes" # Allows empty passwords | |
| Add-Content $sshd_config "" | |
| Add-Content $sshd_config "ChrootDirectory %h/Documents" # Limit SFTP acces to Documents folder | |
| #Add-Content $sshd_config "ForceCommand internal-sftp" # Block ssh access forcing only SFTP | |
| # restart the service | |
| Write-Host " - Restarting sshd service" | |
| Start-Sleep 2 | |
| Restart-Service -Name sshd | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment