PowerShell Core proxy issues - windows

I just wanted to share this with you all. If I knew what to ask for, I would have created a ticket up front. But what I found online was partly misleading.
It was a combination of searching and trying, until I finally found the solution.
This issues was related to running PowerShell Core on a corporate machine, initially setup for Proxy use.
Problem description
After fresh installation of PowerShell Core, Install-Module where unable to resolve package source and Invoke-WebRequest "any-external-url" reported "No such host". This is all under Windows 10.

Solution to my issue
I had to do all of this to bypass the proxy.
First was to unset the Environment Variable for the proxy. (Maybe you also need to do this for HTTP_PROXY environment variable)
Set-Item -Path Env:HTTPS_PROXY -Value ""
Reset proxy for HttpClient
[System.Net.Http.HttpClient]::DefaultProxy = New-Object System.Net.WebProxy($null)
Reset proxy for HttpWebRequest
[System.Net.HttpWebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy($null)
I ended up adding them to the PowerShell 7 profile.
Hope it save some time for at least one more soul. :)

Related

Install PSWindowsUpdate Module Issue

enter image description here
Recently we want to update security and critical patches using command for customer's windows domain servers, and the PSWindowsUpdate Module seems is very suitable.
However, we tried to install it via "Install-Module -Name PSWindowsUpdate -Force" and also allow those servers can access Internet URL(.microsoft.com/.powershellgallery.com etc), but it still failed as screenshot
We google some links and use TLS1.2, however it still can't work and that very confused us that "WARNING: Source Location 'https://www.powershellgallery.com/api/v2/package/PSWindowsUpdate/2.2.0.3' is not valid."
I also tried to do that on my laptop with same method, it can work perfectly and there is no any error on powershell.
Customer windows server is Win2019 Datacenter and Standard
Customer powershell version is 5.1.17763.2931
We have no idea on the difference and how to install, any suggestion?
You may try the following command before installing PSWindowsupdate
Install-PackageProvider -name NuGet -MinimumVersion 2.8.5.201 -Force

Why are Windows proxy lost when executing code via Ansible (remote WinRM)?

In automating Windows (2012R2 and 2016) builds, I found that even though I set a system-wide proxy via netsh, I still had to set the HKCU values for IE because some commands would not work without those values set. I would have to open IE and visit a site, any site, to initialize those settings, which was annoying.
I was able to find some PowerShell code that could "initialize" the IE proxy settings so I did not have to open IE and visit a site, shown below:
$Source=#"
[DllImport("wininet.dll")]
public static extern bool InternetSetOption(int hInternet, int dwOption, int lpBuffer, int dwBufferLength);
"#
$wininet = Add-Type -memberDefinition $Source -passthru -name InternetSettings
$wininet::InternetSetOption([IntPtr]::Zero, 95, [IntPtr]::Zero, 0)|out-null
$wininet::InternetSetOption([IntPtr]::Zero, 37, [IntPtr]::Zero, 0)|out-null
The above code is from https://vanderpaal.com.au/2016/09/30/live-proxy-setting-change/ (thanks!)
The above code works great when executed manually via RDP session. I set the IE proxy values correctly, I run the above code, and I can then do whatever I want - it all works. The commands that require the IE settings work fine.
I have been trying to run more code via remote WinRM using things like Ansible and SSM (in AWS). When I do, weird things happen.
Specifically, the IE proxy registry entries get deleted and reset back to defaults. So, the order of doing things via script is:
Write IE proxy values to the registry via script called by Ansible or SSM.
Run the initialize proxy code listed above.
IE values from #1 are gone...
I am at a loss as to why the registry values get deleted. I am 100% sure they get deleted - I can script a reg query before and after the initialize proxy commands - before the commands they exist, and after the commands they do not. This does not happen when I run the same scripts manually on the server in an RDP session - that is, the proxy command does NOT delete the entries.
I have replicated this in both Ansible and SSM, both of which use PowerShell and WinRM to run commands. The scripts reside on the actual server, and Ansible/SSM tell the system to execute the scripts.
I have verified that HKCU actually exists during Ansible execution of the scripts.
Because the IE values get deleted, the initialize command does me no good when the following commands that require the IE values execute. Those commands fail with errors like so:
PackageManagement\Install-Package : No match was found for the specified
search criteria and module name ''
The commands I am running (which fail) are just install module commands, like so:
Install-Module -Name PSWindowsUpdate -Proxy http://proxy.foo.com:80 -Confirm:$false -Force
Install-Module -Name PowerShellGet -Proxy http://proxy.foo.com:80 -Confirm:$false -Force
Anyone know why the IE proxy registry values get deleted when I run the code above via Ansible or SSM? The proxy values in question are:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable" - this gets reset to 0
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer" - this gets deleted
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride" - this gets deleted
had the same problem. and found out that the damned ie wizard was the root cause.
u have to add following key to registry before u can access ie components...:
desc: "Remove IE 11 first run Wizard"
path: "HKLM:\\Software\\Policies\\Microsoft\\Internet Explorer\\Main"
name: "DisableFirstRunCustomize"
data: "1"
type: "dword"

What is setting AutoAdminLogon to 0 (MSS-Legacy)

I am having an issue getting AutoAdminLogon working with my Windows Server 2008 R2 Image. It is an Amazon Windows Server 2008 R2 CIS Level 2 Benchmark AMI from the Amazon Marketplace.
The issue I am having is when I set the AutoAdminLogin to 1 and do a gpupdate or reboot it reverts back to 0.
I am using Packer to provision my AMI so the steps I am going through are Remove PowerShell 3.0 then reboot. The AutoAdminLogon is set before the reboot but gpupdate runs when the system restarts gpupdate reverts the setting back to 0.
The AutoAdminLogon is needed because the server needs to reboot several times during the provisioning.
Steps are
1. Remove PowerShell 3.0
2. Reboot
3. AutoAdminLogon
4. Install .Net 4.5.2
5. Install Windows Management Framework 5.1
6. Reboot.
At this point, Packer will try to connect using WINRM to finish provisioning the instance to capture as an AMI.
I know it has something to do with the MSS-Legacy settings applied to the AMI. But how do I un-apply them? Or just the AutoAdminLogin set to Disabled?
I have tried using secedit:
secedit /export /cfg c:\temp\secpol.cfg
(gc C:\temp\secpol.cfg).replace('AutoAdminLogon=1,"0"','AutoAdminLogon=1,"1"') | Out-File C:\temp\secpol.cfg
secedit /configure /db c:\windows\security\secedit.sdb /cfg c:\temp\secpol.cfg
Reference: Modify Local Security Policy using Powershell
I have tried the steps listed here: https://docs.bmc.com/docs/tssa89/rollback-of-cis-and-pciv2-templates-after-remediation-does-not-work-808908846.html
Here is also a link to the Script I have modified to do the PowerShell Upgrade:
https://github.com/jborean93/ansible-windows/blob/master/scripts/Upgrade-PowerShell.ps1
Now if I download the MSS-Legacy GPO templates and use the GUI to set the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) to Enabled,
It will work and the setting will stick after reboots or gpudpate. But I need a way to do this in a scripted manner because there is no interaction with the Instance during the Bakery process.
I cannot do the steps using a GUI as this is part of our AMI bakery process.
Thanks so much I look forward to seeing peoples thoughts.
I've just come across this "fun"!
I used the PolicyFileEditor PowerShell module and a lot of trial and error, coupled with the information in your question (thanks for that!) to get this working.
My OS is Windows Server 2016, so hopefully it also works for Windows Server 2008 R2 (not that anyone should be using that anymore).
Here's the PowerShell code that I'm using in my Packer build:
Install-Module PolicyFileEditor
Import-Module PolicyFileEditor
# Change the Autologon GPO setting
Set-PolicyFileEntry -Path "$env:windir\system32\GroupPolicy\Machine\registry.pol" -Key "Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ValueName "AutoAdminLogon" -Data "1"
# Force the policy update to occur
gpupdate /force
# Configure the auto login user and password so that the next restart has autologin
$loginPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $loginPath -Name "DefaultUserName " -Value "<your_admin_user>" -Type String
Set-ItemProperty -Path $loginPath -Name "DefaultPassword" -Value "<your_admin_password>" -Type String
There's also another registry value that you need to specify which is the AutoLogonCount. AutoAdminLogon is directly correlated to the logon count for how many times the system will automatically logon after a reboot.
If your logon count is not set, this may be the reason why it's resetting to 0.
If you want this to be set infinitely, just set it 999999 or something ridiculously high.
You can refer to this MSDN for more information:
MSGina.dll
Note that the Type for AutoLogonCount should be REG_DWORD
Instead of having to restart the computer, you can try the following command:
# Force the policy update to occur w/o restart
echo N | gpupdate.exe /target:Computer /force

Add SSL Certificate to Windows Docker Container

How can I add a .cer-Certificate inside a Docker container? It has to be done via powershell since the container has no interface to open mms.exe.
This is a good tutorial for .pfx-Certificates. Since I have a .cer-file without private key, I have to adapt it slightly.
The powershell command from the documentation
Import-Certificate -FilePath C:\myCertificateToAdd.cert -CertStoreLocation Cert:\CurrentUser\Root\ gets stuck whenever called.
The problem does not appear when importing to the LocalMachine folder:
Import-Certificate -FilePath C:\myCertificateToAdd.cert -CertStoreLocation Cert:\LocalMachine\Root\
Like this, the certificate is importet to every "CurrentUser" on the machine. If this is ok, as for the typical DockerContainer, the problem is solved.

How do I set the http proxy in a subshell launched from a windows service

I am writing a windows service which takes an uploaded file, runs signtool.exe on it to do the signing and timestamping and then serves the signed file back.
The code for this works when run as a standalone server using twisted however if I try and run it as a service it fails with the error "Signing succeeded, but an error occurred while attempting to timestamp".
If I replace the signcode subprocess call with a curl.exe call which explicitly uses the proxy then this succeeds.
I have set the proxy in internet explorer and running the command manually works. Is there another way of setting an http proxy for signtool/signcode or another way of doing this (I am keen for it to be a service for ease of integration in to some other monitoring systems)?
I have the same issue but running signtool via cygwin ssh (using a password). The timestamping only works via the proxy and over ssh if I login at least once through the gui (e.g. via rdesktop). I don't even have to be logged in to the gui after that for it to work via ssh, I just have to make sure I login at least once via the gui. Whatever it's doing upon graphical login survives a reboot too. One difference however is that I'm setting the proxy settings dynamically using the same powershell that I'm launching via ssh :
$reg_key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -path $reg_key ProxyServer -value 192.168.0.3:8888
Set-ItemProperty -path $reg_key ProxyOverride -value "<local>"
Set-ItemProperty -path $reg_key ProxyEnable -value 1
I tried launching explorer.exe &, notepad &, and iexplorer.exe & from ssh but it didn't help. I'll see about hard coding the proxy settings and also if its possible to have the signing user be logged into the gui after boot. Also will check to make sure ssh is launched with cygrunsrv -i or that it's allowed to interact with the desktop is checked in services.
The system reverts its image if it's halted (vmware delta image) (that's how I'm able to duplicate the problem), but I can always change it, which it looks like I might have to do to figure out this problem.
Finally figured it out with some help from the comment here :
http://blogs.msdn.com/b/askie/archive/2013/05/09/user-proxy-settings-showing-up-in-local-system-account-correct-way-to-apply-proxy-settings.aspx#10606266
Looks like the setting actually has to be set in the binary file :
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
This binary file doesn't get created in the registry until after graphical login even with the powershell settings I made above. Easiest way is to login (assuming you have the registry settings I made with powershell above, or set it manually through the internet options ui in the gui), export the HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections path, and the import it with :
regedit /s path_to_proxy_settings.reg
If you want it to apply for all users you need to apply the same file under:
HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
as mentioned in the post. There may be other ways as mentioned here https://serverfault.com/questions/34940/how-do-i-configure-proxy-settings-for-local-system , but the above was the easiest for me.

Resources