PowerShell Execution Policies

November 20, 2009 cberkholz

My last post talked about PowerShell execution policies briefly. I thought I’d do a quick post on what those are and what they mean.

There are four PowerShell execution policies (PowerShell 2.0, which ships with Windows 7 and Server 2008 R2, adds two more, Bypass and Undefined, and lets you set the policy per scope with Set-ExecutionPolicy -Scope):
Restricted:
• No scripts are allowed to run, regardless of location.
• This is the default execution policy.
• Running commands interactively from a PowerShell window is allowed.
Unrestricted:
• All scripts are allowed to run, signed or unsigned.
• You will still be prompted before running a script that did not come from the local computer (one downloaded from the Internet, or opened from a UNC share outside the Local intranet zone).
AllSigned:
• Only scripts digitally signed by a trusted publisher are allowed to run, including scripts written on the local computer.
• Prompts you before running a script from a publisher you have not yet marked as trusted or untrusted.
• The script's origin makes no difference; an unsigned local script is blocked too.
RemoteSigned:
• Scripts that did not come from the local computer must be digitally signed by a trusted publisher.
• Does not require digital signatures on scripts written on the local computer.
• Does not prompt you before running scripts from trusted publishers.
• An unsigned script from a remote location is blocked rather than prompted for.

Whether a script counts as remote is decided through Internet Explorer's security zones: a file whose Zone.Identifier stream says it came from the Internet or Restricted sites zone, or one opened straight from a UNC path that falls outside the Local intranet zone, is treated as remote. The execution policy exists to stop you running a script by accident, not to stop a user who wants to; it is not a security boundary. Anyone can override it for a single process with "powershell.exe -ExecutionPolicy Bypass -File script.ps1" (PowerShell 2.0), and commands pasted into the console run under any policy.
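As an added example (my code, not from the original post), the script below reports how the current execution policy will treat a given .ps1 before you try to run it, and can sign it. It assumes PowerShell 3.0 or later for the -Stream parameter of Get-Content (everything else works on 2.0), a script path you supply, and, if -Sign is used, a code-signing certificate already present in Cert:\CurrentUser\My.

```powershell
# Added example, not code from the original post: show how the execution
# policy will treat a script (effective policy, remote-or-local, signature)
# and optionally sign it. Assumes PowerShell 3.0+ for Get-Content -Stream.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,        # any .ps1, local or on a UNC share (your choice)
    [switch]$Sign         # sign it with the first code-signing cert in Cert:\CurrentUser\My
)

# 1. Effective policy and every scope that contributes to it. The list is in
#    precedence order: the first scope that is not Undefined wins, so a Group
#    Policy value (MachinePolicy/UserPolicy) beats anything set locally.
"Effective policy: $(Get-ExecutionPolicy)"
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-String

# 2. "Remote" means the file carries a Zone.Identifier alternate data stream
#    (written by browsers, Outlook and Explorer for files from outside the
#    Local intranet zone). ZoneId 3 = Internet, 4 = Restricted sites.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone -and (($zone -join "`n") -match 'ZoneId=(\d)')) {
    "Zone.Identifier present (ZoneId=$($Matches[1])): RemoteSigned needs a signature, Unrestricted will prompt."
} else {
    "No Zone.Identifier stream: treated as a local script."
}

# 3. Signature state. Status is NotSigned, Valid, HashMismatch (file edited
#    after signing) or UnknownError (signed, but the chain is not trusted here).
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.SignerCertificate) {
    "Signature: $($sig.Status), signer $($sig.SignerCertificate.Subject)"
} else {
    "Signature: $($sig.Status)"
}

# 4. Optional signing. For AllSigned/RemoteSigned to run it without a prompt,
#    the signer's certificate must also be in Trusted Publishers (and its
#    issuer in Trusted Root CAs) on every machine that will run the script.
if ($Sign) {
    $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
    if (-not $cert) { throw "No code-signing certificate found in Cert:\CurrentUser\My" }
    $signed = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
    "Signed: $($signed.Status)"
}
```

Run it as `.\Test-ScriptPolicy.ps1 -Path .\build.ps1` (the file name is my choice); editing a signed script by even one character turns its status into HashMismatch, which is the whole point of AllSigned.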

Categories: General, Powershell, Scripting

MDT 2010, Server 2008 & Roles and Features

November 10, 2009 cberkholz

I've spent some time with MDT 2010 deploying Server 2008 and Windows 7.  I can build a Server 2008 x86, x64, or R2 server with minimal interaction.  Basically boot, enter a name, select the task sequence and walk away.  While setting this up I started thinking about roles and features.  The stock MDT ability to add roles and features is nice, and I like it, but it's not as flexible as I want.  I don't want a bunch of different task sequences for different roles and features.  Granted, the core would be the same, but there must be a cleaner way.

What I did was create applications, and sometimes bundles, to handle installing roles and features.  That way I have minimal task sequences, and all I need to do to build a Server 2008 R2 server with IIS, Hyper-V, and Windows Process Activation Service is select them from the application list.  (Note: I haven't actually tried that combination, it's just an example.)  This can all be done with a little two-line PowerShell script for each role or feature.  Even better, I just created a folder under Applications in the MDT console and called it Server Roles & Features.  I'm still in the process of gathering prerequisites for all the roles and features; I've come across some, like the server must be part of a domain before installing Remote Desktop Services, and the processor must support hardware virtualization for Hyper-V, etc.  The only one I've hit so far that won't install is WSUS.

This is the PowerShell code to do it:

#######################################################################

# Import the Server Manager module; it provides Get-WindowsFeature,
# Add-WindowsFeature and Remove-WindowsFeature (Windows Server 2008 R2).
Import-Module ServerManager

# Add roles or features by passing their short names to Add-WindowsFeature.
# Use a comma to separate multiple features. This example installs the
# default IIS role and Windows Process Activation Service. Some components
# require a reboot before more can be installed.
Add-WindowsFeature Web-Server, WAS

#######################################################################

Basically copy that code into Notepad, save it as a .ps1, and that's it.  (The ServerManager module and Add-WindowsFeature are part of Windows Server 2008 R2; on Server 2008 RTM the equivalent is ServerManagerCmd.exe -install.)  There is one caveat with this: out of the box, PowerShell's execution policy on Server 2008 is Restricted, which means no PowerShell scripts will run, period.  To get around that I went into my task sequence and, during the State Restore phase, added a command-line item called "Enable Powershell" that just runs "powershell.exe -Command Set-ExecutionPolicy Unrestricted -Force" (RemoteSigned also works for scripts on the local disk).  Then, depending on your environment, you can copy that item and place it at the end to lock PowerShell back down by setting it back to Restricted or something else.  The other item of note: if you are doing an LTI deployment or your PowerShell script is running from a UNC location, you'll need to add that location to one of the more open IE zones during the build.  I just added my deployment server to the Intranet zone, because this is all happening prior to joining a domain.  Even if you change the execution policy to Unrestricted it will still prompt you to allow the script, because it's running from a remote location (PowerShell treats a UNC path outside the Local intranet zone the same as a download from the Internet).  A less invasive alternative, if the target has PowerShell 2.0, is to leave the machine-wide policy alone and run each script with "powershell.exe -ExecutionPolicy Bypass -File script.ps1": Bypass applies only to that one process, skips both the signature check and the remote-location prompt, and leaves nothing to undo at the end of the task sequence.
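The same idea taken a step further, as an added example that is my code rather than the post's two-line script: one reusable MDT application that installs any list of roles or features, refuses unknown names, skips what is already installed, and tells MDT when a reboot is needed. It assumes Windows Server 2008 R2 (the ServerManager module is not on Server 2008 RTM), the MDT application's Success codes left at their default "0 3010", and a script file name of my choosing.

```powershell
# Added example, not code from the original post: a reusable MDT application
# wrapper for Windows Server 2008 R2 roles and features.
# Assumptions: Server 2008 R2 (ServerManager module present); the MDT
# application's "Success codes" are the default "0 3010". Suggested MDT
# command line (the file name is my choice):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-Role.ps1 -Feature Web-Server,WAS
# -ExecutionPolicy Bypass is per process, so the machine-wide policy stays
# Restricted and no prompt appears when the script lives on a UNC share.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Feature      # short names from Get-WindowsFeature, e.g. Web-Server, WAS
)

# With -File, "Web-Server,WAS" arrives as a single string, so split it here.
$names = @($Feature | ForEach-Object { $_ -split ',' } |
           ForEach-Object { $_.Trim() } | Where-Object { $_ })

Import-Module ServerManager -ErrorAction Stop

# Resolve every name first so a typo fails the step instead of being skipped.
# -contains is case-insensitive, matching Add-WindowsFeature's own behaviour.
$all      = Get-WindowsFeature
$resolved = @($all | Where-Object { $names -contains $_.Name })
$found    = @($resolved | ForEach-Object { $_.Name })
$missing  = @($names | Where-Object { $found -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Error "Unknown feature name(s): $($missing -join ', ')"
    exit 1
}

# Skip what is already installed, so re-running the application is harmless.
$todo = @($resolved | Where-Object { -not $_.Installed })
if ($todo.Count -eq 0) {
    Write-Host "Already installed: $($names -join ', ')"
    exit 0
}

$result = Add-WindowsFeature -Name @($todo | ForEach-Object { $_.Name })
if (-not $result.Success) {
    Write-Error "Add-WindowsFeature failed (exit code $($result.ExitCode))"
    exit 1
}
Write-Host "Installed: $(@($result.FeatureResult | ForEach-Object { $_.DisplayName }) -join ', ')"

# 3010 tells MDT the step succeeded but the machine must reboot before the
# next application runs (Hyper-V is the obvious case). RestartNeeded is
# compared as text so the check works whether it is a boolean or Yes/No/Maybe.
if ("$($result.RestartNeeded)" -match '^(Yes|True|Maybe)$') { exit 3010 }
exit 0
```

With this in place each MDT application is just a different -Feature argument on the same script, and a bundle of applications replaces a bundle of task sequences; the exit codes are what make the task sequence stop on a bad name and reboot when a role asks for it.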

When I was talking to someone about this, they asked how I knew IIS is called Web-Server and Windows Process Activation Service is called WAS.  Well, I used the query cmdlet (Get-WindowsFeature) to get all that and dumped it to a spreadsheet.  I'll include that info at the end of this post.

This post has been a little disjointed, so if anyone has questions feel free to ask, or if people want some screenshots I could post those later.  Here's the dump of feature display names and short names (the output of Get-WindowsFeature; [ ] marks a feature that was not installed on the reference machine):

Display Name                                             Name
[ ] Active Directory Certificate Services                AD-Certificate         
    [ ] Certification Authority                          ADCS-Cert-Authority    
    [ ] Certification Authority Web Enrollment           ADCS-Web-Enrollment    
    [ ] Online Responder                                 ADCS-Online-Cert       
    [ ] Network Device Enrollment Service                ADCS-Device-Enrollment 
    [ ] Certificate Enrollment Web Service               ADCS-Enroll-Web-Svc    
    [ ] Certificate Enrollment Policy Web Service        ADCS-Enroll-Web-Pol    
[ ] Active Directory Domain Services                     AD-Domain-Services     
    [ ] Active Directory Domain Controller               ADDS-Domain-Controller 
    [ ] Identity Management for UNIX                     ADDS-Identity-Mgmt     
        [ ] Server for Network Information Services      ADDS-NIS               
        [ ] Password Synchronization                     ADDS-Password-Sync     
        [ ] Administration Tools                         ADDS-IDMU-Tools        
[ ] Active Directory Federation Services                 AD-Federation-Services 
    [ ] Federation Service                               ADFS-Federation        
    [ ] Federation Service Proxy                         ADFS-Proxy             
    [ ] AD FS Web Agents                                 ADFS-Web-Agents        
        [ ] Claims-aware Agent                           ADFS-Claims            
        [ ] Windows Token-based Agent                    ADFS-Windows-Token     
[ ] Active Directory Lightweight Directory Services      ADLDS                  
[ ] Active Directory Rights Management Services          ADRMS           
    [ ] Active Directory Rights Management Server        ADRMS-Server
    [ ] Identity Federation Support                      ADRMS-Identity         
[ ] Application Server                                   Application-Server     
    [ ] .NET Framework 3.5.1                             AS-NET-Framework       
    [ ] Web Server (IIS) Support                         AS-Web-Support         
    [ ] COM+ Network Access                              AS-Ent-Services        
    [ ] TCP Port Sharing                                 AS-TCP-Port-Sharing    
    [ ] Windows Process Activation Service Support       AS-WAS-Support         
        [ ] HTTP Activation                              AS-HTTP-Activation     
        [ ] Message Queuing Activation                   AS-MSMQ-Activation     
        [ ] TCP Activation                               AS-TCP-Activation      
        [ ] Named Pipes Activation                       AS-Named-Pipes         
    [ ] Distributed Transactions                         AS-Dist-Transaction    
        [ ] Incoming Remote Transactions                 AS-Incoming-Trans      
        [ ] Outgoing Remote Transactions                 AS-Outgoing-Trans      
        [ ] WS-Atomic Transactions                       AS-WS-Atomic           
[ ] DHCP Server                                          DHCP                   
[ ] DNS Server                                           DNS                    
[ ] Fax Server                                           Fax                    
[ ] File Services                                        File-Services          
    [ ] File Server                                      FS-FileServer          
    [ ] Distributed File System                          FS-DFS                 
        [ ] DFS Namespaces                               FS-DFS-Namespace       
        [ ] DFS Replication                              FS-DFS-Replication     
    [ ] File Server Resource Manager                     FS-Resource-Manager    
    [ ] Services for Network File System                 FS-NFS-Services        
    [ ] Windows Search Service                           FS-Search-Service      
    [ ] Windows Server 2003 File Services                FS-Win2003-Services    
        [ ] Indexing Service                             FS-Indexing-Service    
    [ ] BranchCache for network files                    FS-BranchCache         
[ ] Hyper-V                                              Hyper-V
[ ] Network Policy and Access Services                   NPAS                   
    [ ] Network Policy Server                            NPAS-Policy-Server     
    [ ] Routing and Remote Access Services               NPAS-RRAS-Services     
        [ ] Remote Access Service                        NPAS-RRAS              
        [ ] Routing                                      NPAS-Routing           
    [ ] Health Registration Authority                    NPAS-Health            
    [ ] Host Credential Authorization Protocol           NPAS-Host-Cred         
[ ] Print and Document Services                          Print-Services         
    [ ] Print Server                                     Print-Server           
    [ ] LPD Service                                      Print-LPD-Service      
    [ ] Internet Printing                                Print-Internet         
    [ ] Distributed Scan Server                          Print-Scan-Server      
[ ] Remote Desktop Services                              Remote-Desktop-Services 
    [ ] Remote Desktop Session Host                      RDS-RD-Server
    [ ] Remote Desktop Virtualization Host               RDS-Virtualization
    [ ] Remote Desktop Licensing                         RDS-Licensing
    [ ] Remote Desktop Connection Broker                 RDS-Connection-Broker
    [ ] Remote Desktop Gateway                           RDS-Gateway
    [ ] Remote Desktop Web Access                        RDS-Web-Access
[ ] Web Server (IIS)                                     Web-Server             
    [ ] Web Server                                       Web-WebServer          
        [ ] Common HTTP Features                         Web-Common-Http        
            [ ] Static Content                           Web-Static-Content     
            [ ] Default Document                         Web-Default-Doc        
            [ ] Directory Browsing                       Web-Dir-Browsing       
            [ ] HTTP Errors                              Web-Http-Errors        
            [ ] HTTP Redirection                         Web-Http-Redirect      
            [ ] WebDAV Publishing                        Web-DAV-Publishing     
        [ ] Application Development                      Web-App-Dev            
            [ ] ASP.NET                                  Web-Asp-Net            
            [ ] .NET Extensibility                       Web-Net-Ext            
            [ ] ASP                                      Web-ASP                
            [ ] CGI                                      Web-CGI                
            [ ] ISAPI Extensions                         Web-ISAPI-Ext          
            [ ] ISAPI Filters                            Web-ISAPI-Filter       
            [ ] Server Side Includes                     Web-Includes           
        [ ] Health and Diagnostics                       Web-Health             
            [ ] HTTP Logging                             Web-Http-Logging       
            [ ] Logging Tools                            Web-Log-Libraries      
            [ ] Request Monitor                          Web-Request-Monitor    
            [ ] Tracing                                  Web-Http-Tracing       
            [ ] Custom Logging                           Web-Custom-Logging     
            [ ] ODBC Logging                             Web-ODBC-Logging       
        [ ] Security                                     Web-Security           
            [ ] Basic Authentication                     Web-Basic-Auth         
            [ ] Windows Authentication                   Web-Windows-Auth       
            [ ] Digest Authentication                    Web-Digest-Auth        
            [ ] Client Certificate Mapping Authentic…    Web-Client-Auth        
            [ ] IIS Client Certificate Mapping Authe…    Web-Cert-Auth          
            [ ] URL Authorization                        Web-Url-Auth           
            [ ] Request Filtering                        Web-Filtering          
            [ ] IP and Domain Restrictions               Web-IP-Security        
        [ ] Performance                                  Web-Performance        
            [ ] Static Content Compression               Web-Stat-Compression   
            [ ] Dynamic Content Compression              Web-Dyn-Compression    
    [ ] Management Tools                                 Web-Mgmt-Tools         
        [ ] IIS Management Console                       Web-Mgmt-Console       
        [ ] IIS Management Scripts and Tools             Web-Scripting-Tools    
        [ ] Management Service                           Web-Mgmt-Service       
        [ ] IIS 6 Management Compatibility               Web-Mgmt-Compat        
            [ ] IIS 6 Metabase Compatibility             Web-Metabase           
            [ ] IIS 6 WMI Compatibility                  Web-WMI                
            [ ] IIS 6 Scripting Tools                    Web-Lgcy-Scripting     
            [ ] IIS 6 Management Console                 Web-Lgcy-Mgmt-Console  
    [ ] FTP Server                                       Web-Ftp-Server         
        [ ] FTP Service                                  Web-Ftp-Service        
        [ ] FTP Extensibility                            Web-Ftp-Ext            
    [ ] IIS Hostable Web Core                            Web-WHC                
[ ] Windows Deployment Services                          WDS                    
    [ ] Deployment Server                                WDS-Deployment         
    [ ] Transport Server                                 WDS-Transport          
[ ] Windows Server Update Services                       OOB-WSUS               
[ ] .NET Framework 3.5.1 Features                        NET-Framework          
    [ ] .NET Framework 3.5.1                             NET-Framework-Core     
    [ ] WCF Activation                                   NET-Win-CFAC           
        [ ] HTTP Activation                              NET-HTTP-Activation    
        [ ] Non-HTTP Activation                          NET-Non-HTTP-Activ     
[ ] Background Intelligent Transfer Service (BITS)       BITS                   
    [ ] IIS Server Extension                             BITS-IIS-Ext           
[ ] BitLocker Drive Encryption                           BitLocker              
[ ] BranchCache                                          BranchCache            
[ ] Connection Manager Administration Kit                CMAK                   
[ ] Desktop Experience                                   Desktop-Experience     
[ ] DirectAccess Management Console                      DAMC                   
[ ] Failover Clustering                                  Failover-Clustering    
[ ] Group Policy Management                              GPMC                   
[ ] Ink and Handwriting Services                         Ink-Handwriting        
    [ ] Ink Support                                      IH-Ink-Support         
    [ ] Handwriting Recognition                          IH-Handwriting         
[ ] Internet Printing Client                             Internet-Print-Client  
[ ] Internet Storage Name Server                         ISNS                   
[ ] LPR Port Monitor                                     LPR-Port-Monitor       
[ ] Message Queuing                                      MSMQ                   
    [ ] Message Queuing Services                         MSMQ-Services          
        [ ] Message Queuing Server                       MSMQ-Server            
        [ ] Directory Service Integration                MSMQ-Directory         
        [ ] Message Queuing Triggers                     MSMQ-Triggers          
        [ ] HTTP Support                                 MSMQ-HTTP-Support      
        [ ] Multicasting Support                         MSMQ-Multicasting      
        [ ] Routing Service                              MSMQ-Routing           
    [ ] Message Queuing DCOM Proxy                       MSMQ-DCOM              
[ ] Multipath I/O                                        Multipath-IO           
[ ] Network Load Balancing                               NLB                    
[ ] Peer Name Resolution Protocol                        PNRP                   
[ ] Quality Windows Audio Video Experience               qWave                  
[ ] Remote Assistance                                    Remote-Assistance      
[ ] Remote Differential Compression                      RDC                    
[ ] Remote Server Administration Tools                   RSAT                   
    [ ] Role Administration Tools                        RSAT-Role-Tools        
        [ ] Active Directory Certificate Services Tools  RSAT-ADCS              
            [ ] Certification Authority Tools            RSAT-ADCS-Mgmt         
            [ ] Online Responder Tools                   RSAT-Online-Responder  
        [ ] AD DS and AD LDS Tools                       RSAT-AD-Tools          
            [ ] AD DS Tools                              RSAT-ADDS              
                [ ] AD DS Snap-Ins and Command-Line …  RSAT-ADDS-Tools        
                [ ] Active Directory Administrative …  RSAT-AD-AdminCenter    
                [ ] Server for NIS Tools                 RSAT-SNIS              
            [ ] AD LDS Snap-Ins and Command-Line Tools   RSAT-ADLDS             
            [ ] Active Directory module for Windows …  RSAT-AD-PowerShell     
        [ ] Active Directory Rights Management Servi…  RSAT-RMS               
        [ ] DHCP Server Tools                            RSAT-DHCP              
        [ ] DNS Server Tools                             RSAT-DNS-Server        
        [ ] Fax Server Tools                             RSAT-Fax               
        [ ] File Services Tools                          RSAT-File-Services     
            [ ] Distributed File System Tools            RSAT-DFS-Mgmt-Con      
            [ ] File Server Resource Manager Tools       RSAT-FSRM-Mgmt         
            [ ] Services for Network File System Tools   RSAT-NFS-Admin         
        [ ] Hyper-V Tools                                RSAT-Hyper-V           
        [ ] Network Policy and Access Services Tools     RSAT-NPAS              
        [ ] Print and Document Services Tools            RSAT-Print-Services    
        [ ] Remote Desktop Services Tools                RSAT-RDS               
            [ ] Remote Desktop Session Host Tools        RSAT-RDS-RemoteApp     
            [ ] Remote Desktop Gateway Tools             RSAT-RDS-Gateway       
            [ ] Remote Desktop Licensing Tools           RSAT-RDS-Licensing     
            [ ] Remote Desktop Connection Broker Tools   RSAT-RDS-Conn-Broker   
        [ ] Web Server (IIS) Tools                       RSAT-Web-Server        
        [ ] Windows Deployment Services Tools            RSAT-WDS               
    [ ] Feature Administration Tools                     RSAT-Feature-Tools     
        [ ] BitLocker Drive Encryption Administratio…  RSAT-BitLocker         
            [ ] BitLocker Drive Encryption Tools         RSAT-Bitlocker-DriveEnc
            [ ] BitLocker Recovery Password Viewer       RSAT-Bitlocker-RecPwd  
        [ ] BITS Server Extensions Tools                 RSAT-Bits-Server       
        [ ] Failover Clustering Tools                    RSAT-Clustering        
        [ ] Network Load Balancing Tools                 RSAT-NLB               
        [ ] SMTP Server Tools                            RSAT-SMTP              
        [ ] WINS Server Tools                            RSAT-WINS              
[ ] RPC over HTTP Proxy                                  RPC-over-HTTP-Proxy    
[ ] Simple TCP/IP Services                               Simple-TCPIP           
[ ] SMTP Server                                          SMTP-Server            
[ ] SNMP Services                                        SNMP-Services          
    [ ] SNMP Service                                     SNMP-Service           
    [ ] SNMP WMI Provider                                SNMP-WMI-Provider      
[ ] Storage Manager for SANs                             Storage-Mgr-SANS       
[ ] Subsystem for UNIX-based Applications                Subsystem-UNIX-Apps    
[ ] Telnet Client                                        Telnet-Client          
[ ] Telnet Server                                        Telnet-Server          
[ ] TFTP Client                                          TFTP-Client            
[ ] Windows Biometric Framework                          Biometric-Framework    
[ ] Windows Internal Database                            Windows-Internal-DB    
[ ] Windows PowerShell Integrated Scripting Environm…  PowerShell-ISE         
[ ] Windows Process Activation Service                   WAS                    
    [ ] Process Model                                    WAS-Process-Model      
    [ ] .NET Environment                                 WAS-NET-Environment    
    [ ] Configuration APIs                               WAS-Config-APIs        
[ ] Windows Server Backup Features                       Backup-Features        
    [ ] Windows Server Backup                            Backup                 
    [ ] Command-line Tools                               Backup-Tools           
[ ] Windows Server Migration Tools                       Migration              
[ ] Windows System Resource Manager                      WSRM                   
[ ] Windows TIFF IFilter                                 TIFF-IFilter           
[ ] WinRM IIS Extension                                  WinRM-IIS-Ext          
[ ] WINS Server                                          WINS-Server            
[ ] Wireless LAN Service                                 Wireless-Networking    
[ ] XPS Viewer                                           XPS-Viewer             

I call it Remote View…

October 27, 2009 cberkholz

How many times has someone come up and asked, "I'm having a problem with <insert device here>"?  Wouldn't it be nice to know what processes or services are running right now?  Who's logged in, when it was last booted, what's installed, and other things?  Wouldn't it also be great to get all that information in real time?  I got a call from a support person once who claimed a process was "hung" and he wanted to kill it.  I told him to wait and used the tool to watch the running processes from my desk.  I watched the process exit and told him, "OK, it's done, you should be fine."  He started to say, "How do you know it's…  Oh wait, it's gone.  It's done.  How'd you know that?"  Of course my answer was "It's magic."  All I did was watch the process in question and watch the memory usage change; as I watched it go down I was then able to see the process disappear from the list.  MAGIC!!!

I got sick and tired of people asking for help but giving zero information.  So I wrote a series of scripts to get information: general info (make, model, etc.), installed apps, patches, etc.  You know, the "normal" things.  I then got tired of using the individual scripts and thought it'd be really cool to put everything in one console.  So I did.

I've been working on and off on a project I call Remote View for a while.  I have a 1.0 version that works, but, me being me, I wanted to make it better.  It started as an HTA with an Excel object; I wouldn't even call that one 1.0.  That was better than a bunch of scripts, but I had a friend test it from a remote site and the performance wasn't as good as I wanted for him.  So I moved to VB.  The performance was much better.  Then I was able to re-write almost all the code from WMI queries or other methods to straight VB.NET code, and the performance got even better.  Plus I was able to add functions that I had issues with before or didn't even have before.  That's where it stood for a while.  I still thought it could be better, though.  That's when I decided that to really get what I wanted I needed to do another big re-write.
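For readers who want the script-sized version of what the post describes, here is an added example of my own (not Remote View's code, and not from the original post) that pulls the same "what is going on over there" snapshot with the WMI queries the author started from: who is on the console, last boot and uptime, the heaviest processes, automatic services that are not running, and installed hotfixes. It assumes you are an administrator on the target, that DCOM/RPC is reachable, and a host name of your choosing.

```powershell
# Added example, not code from Remote View or the original post: a one-call
# remote snapshot via WMI. Assumes admin rights on the target and that RPC/DCOM
# (TCP 135 plus the dynamic range) is open between you and it.
function Get-RemoteView {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,
        [int]$TopProcesses = 10        # how many processes to list, largest working set first
    )

    $wmi = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }

    $os   = Get-WmiObject @wmi -Class Win32_OperatingSystem
    $cs   = Get-WmiObject @wmi -Class Win32_ComputerSystem
    $boot = $os.ConvertToDateTime($os.LastBootUpTime)

    # UserName is the interactive console user only; an RDP session does not
    # show up here, so an empty value does not mean nobody is connected.
    $general = New-Object PSObject -Property @{
        Computer    = $cs.Name
        Make        = $cs.Manufacturer
        Model       = $cs.Model
        OS          = "$($os.Caption) $($os.CSDVersion)"
        LastBoot    = $boot
        Uptime      = (Get-Date) - $boot
        ConsoleUser = $cs.UserName
    }

    # The process view: this is what lets you watch a "hung" process finish
    # (working set shrinking, then the row disappearing) instead of killing it.
    $procs = Get-WmiObject @wmi -Class Win32_Process |
        Sort-Object WorkingSetSize -Descending |
        Select-Object -First $TopProcesses ProcessId, Name,
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSetSize / 1MB, 1) } },
            @{ n = 'Owner'; e = { $o = $_.GetOwner(); if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } } }

    # Services set to start automatically but not running: usually the first
    # thing worth asking about when "something is broken".
    $services = Get-WmiObject @wmi -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, StartMode

    # Win32_QuickFixEngineering covers Windows updates only, not third-party
    # software; avoid Win32_Product, which is slow and triggers MSI repairs.
    $patches = Get-WmiObject @wmi -Class Win32_QuickFixEngineering |
        Select-Object HotFixID, InstalledOn

    New-Object PSObject -Property @{
        General         = $general
        TopProcesses    = $procs
        StoppedAutoSvcs = $services
        Patches         = $patches
    }
}

# Usage (hypothetical host name):
# $v = Get-RemoteView -ComputerName 'SRV01'
# $v.General; $v.TopProcesses | Format-Table -AutoSize; $v.StoppedAutoSvcs
```

Each query is a separate round trip, which is why the post's HTA version felt slow over a WAN link and why the author moved the heavy lifting into compiled VB.NET and a background thread; the queries themselves are the same ones.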

The new version, which I'm still working on, has some features I think are cool:

  • It's multithreaded: no more "UI lockup" while processing.  Plus you can now cancel a query before it finishes, and there's a little progress bar to let you know something is still happening.
  • The way connection / computer history is done is totally different.  I can now even add notes about a computer in the history.  That makes it much easier to remember why it's in my history.
  • Gathering user information has been totally redone and is much faster.
  • Gathering service information has been totally redone.  It's faster and gathers more information.

It's still a work in progress, but I'm pretty happy with it so far.  The one question I'm still struggling with is Event Log information.  I currently have it set up to select a date from a picker, and then it grabs all events from that date until now.  I've also had it so it only grabs logs from that exact date.  Which do you think is better?  I lean towards more information, as long as the performance isn't totally trashed.  I've attached some pictures of it from its early HTA days until today.  Any comments or ideas are always welcome.  Keep in mind I'm not a developer, I'm just a guy teaching myself VB in my free time…

 

PS…  I've also written a GUI for USMT and a crude "find the owner by number of logins" app that I may post info about in the future….

MDT 2010 & VM Player 3 Beta

October 21, 2009 cberkholz

So I've been playing with MDT 2010 for a little while now.  I have to say I like the changes.  I really like the new sub-folder options, and the profiles idea is an interesting one.  I was able to set up two totally independent distribution points, one for server and one for workstation, and have Server 2008 and Windows 7 unattended builds up and running in no time.  I separated them for no technical reason, really, just to do it.  Although it is kind of nice to have them separate but in the same console.  I also created separate media for both, which makes creating VMs quick and easy.  Everything is on the .ISO and there's no network traffic.  Gotta love: boot from a disk, enter a user name / password, give it a name and walk away.  Full media is even better: boot from a disk, give it a name, walk away.

Speaking of VMs: I've traditionally been a VMware guy, but have been forced to use VPC for the last 8 months.  VPC wasn't as bad as I thought; I really miss multiple snapshots, virtual networks, and teams, though.  You can do snapshots in VPC, but it's a manual process and a pain to do.  VPC on Windows 7 is starting to move in a good direction.  Finally, USB support; welcome to 2009.  I heard about VMware Player 3 Beta and decided to check it out.  It's basically VMware's answer to VPC: you can now create VMs, and there's multiple-monitor support (which I was really surprised worked well; it was just like a physical PC doing dual monitors, no lag for me).  I really wish we'd get the ability to take 1 snapshot, though.  I understand not including teams and multiple snapshots, because then why pay for Workstation, but limited snapshots would be great.

My first blog….

October 20, 2009 cberkholz

This is my first blog ever, very exciting.  In the future I'll be posting tech stuff on MDT 2008/2010 (Microsoft Deployment Toolkit), Windows 7 (and probably XP, I guess), maybe some Server 2008 deployment, maybe SCCM, scripting (VBS, starting on PowerShell, VB.NET), and whatever else I want.  Feel free to leave comments…..

Categories: General