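# Prerequisite modules: RSAT AD DS, RSAT DNS Server, the built-in PKI module and WinRM (WSMan) management.
# -ErrorAction Stop makes a missing module fail here, instead of as a cryptic "cmdlet not recognized"
# error half-way through the domain changes below.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module DnsServer -ErrorAction Stop
Import-Module PKI -ErrorAction Stop
Import-Module Microsoft.WSMan.Management -ErrorAction Stop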
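#######################
### Once Per Domain ###
#######################
#Password protecting the exported PFX. Prompted rather than hard-coded so the secret does not live in this
#script, in shell history or in transcripts. The same password has to be supplied in the "Per Client System"
#section when the PFX is imported there.
$pfxPassword = Read-Host -Prompt "Password for the exported $env:USERDNSDOMAIN.pfx" -AsSecureString
#Generate a new self-signed wildcard certificate for the domain (SANs: *.<domain> and localhost, valid 5 years)
$cert = New-SelfSignedCertificate -DnsName "*.$($env:USERDNSDOMAIN)","localhost" -CertStoreLocation Cert:\LocalMachine\My\ -NotAfter (Get-Date).AddYears(5)
$pfxPath = "$env:USERPROFILE\Desktop\$env:USERDNSDOMAIN.pfx"
$cerPath = "$env:USERPROFILE\Desktop\$env:USERDNSDOMAIN.cer"
#Export public/private certificate
Export-PfxCertificate -Cert $cert.PSPath -FilePath $pfxPath -Password $pfxPassword
#Export public certificate
Export-Certificate -Cert $cert.PSPath -FilePath $cerPath
#Publish public key as trusted root
#Risk note: this makes a self-signed certificate, whose private key is copied below to a share readable by every
#domain member, a trusted root for the whole domain. Whoever holds the PFX and its password holds a domain-trusted
#TLS identity for any *.<domain> name. Prefer per-host certificates issued by AD CS, or at least restrict read
#access to the PFX and treat the password as a high-value secret.
certutil -dspublish -f "$cerPath" RootCA
#Copy public/private certificate to central share (paths quoted so a profile path with spaces still works)
Copy-Item -Path $pfxPath -Destination "\\$env:USERDNSDOMAIN\NETLOGON"
#Add CNAME for WAC Gateway
Add-DnsServerResourceRecordCName -Name WAC -HostNameAlias "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -ZoneName $env:USERDNSDOMAIN
#Create WAC groups - These will need to synchronize with AADC
New-ADGroup -Name "SG-WAC-Admin" -SamAccountName SG-WAC-Admin -GroupCategory Security -GroupScope DomainLocal -DisplayName "Windows Admin Center Administrators" -Path (Get-ADDomain).UsersContainer
New-ADGroup -Name "SG-WAC-User" -SamAccountName SG-WAC-User -GroupCategory Security -GroupScope DomainLocal -DisplayName "Windows Admin Center Users" -Path (Get-ADDomain).UsersContainer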
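########################################
### Per Windows Admin Center Gateway ###
########################################
$wacMsi = "$env:USERPROFILE\Desktop\wac.msi"
#Download the install binary
Invoke-WebRequest -Uri https://aka.ms/WACDownload -OutFile $wacMsi
#Verify the download before executing it: the Authenticode signature must chain to a trusted root and the
#signer must be Microsoft. Fails closed on a tampered, substituted or truncated file.
$sig = Get-AuthenticodeSignature -FilePath $wacMsi
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to install $wacMsi - signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}
#Generate a new self-signed wildcard certificate for WAC
#$cert = New-SelfSignedCertificate -DnsName "*.$($env:USERDNSDOMAIN)" -CertStoreLocation Cert:\LocalMachine\My\ -NotAfter (Get-Date).AddYears(5)
#Install WAC. $cert must hold the gateway certificate: either from the "Once Per Domain" section run on this
#host, or imported from the PFX on the share as in "Per Client System".
#Start-Process -Wait/-PassThru surfaces the msiexec exit code instead of returning while the install still runs.
$install = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$wacMsi`" SME_PORT=443 SME_THUMBPRINT=$($cert.Thumbprint) SSL_CERTIFICATE_OPTION=installed /qn" -Wait -PassThru
if ($install.ExitCode -ne 0) {
    throw "msiexec exited with code $($install.ExitCode)"
}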
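#########################
### Per Client System ###
#########################
$pfxPath = "\\$env:USERDNSDOMAIN\NETLOGON\$env:USERDNSDOMAIN.pfx"
#Password chosen when the PFX was exported in the "Once Per Domain" section; prompted rather than hard-coded.
$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString
#Import public/private certificate
#-Exportable is deliberately omitted: the WinRM listener only needs to use the key, so it stays non-exportable
#on each client and cannot be pulled back out of the local store.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My\ -Password $pfxPassword
#Verify the listener is not already configured
Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"}
#Create a new HTTPS listener. Hostname must be a name the certificate covers: this host's FQDN is matched by the
#*.<domain> SAN, whereas the previous hard-coded example domain never was.
New-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname="$env:COMPUTERNAME.$env:USERDNSDOMAIN";CertificateThumbprint="$($cert.Thumbprint)"}
#Verify there are no current rules allowing TCP/5986
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 } | Get-NetFirewallRule
#Create a new firewall rule
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Direction Inbound -LocalPort 5986 -Protocol TCP -Action Allow
#Enable Kerberos SSO - resource-based constrained delegation: only the WAC gateway's computer account may
#delegate to this computer. Keep this list limited to the gateway.
$wacGatewayName = Read-Host -Prompt "Computer name of the Windows Admin Center gateway"
Set-ADComputer -Identity (Get-ADComputer $env:COMPUTERNAME) -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Identity $wacGatewayName)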
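#############################
### Configure WAC Gateway ###
#############################
#Import the WAC Modules
Get-ChildItem "$env:ProgramFiles\Windows Admin Center\PowerShell\Modules\" | ForEach-Object { Import-Module $_.FullName }
#Create a temporary csv in the per-user temp directory (not the current directory) under a non-guessable name
$csvPath = Join-Path ([System.IO.Path]::GetTempPath()) "wac-connections-$([guid]::NewGuid()).csv"
try {
    #Update the csv to include all enabled Windows Servers in the environment, in the Import-Connection schema
    Get-ADComputer -Filter "operatingSystem -like '*Windows Server*' -and enabled -eq 'true'" -Properties "operatingSystem" |
        Select-Object @{N="name";E={$_.DNSHostName}}, @{N="type";E={"msft.sme.connection-type.server"}}, @{N="tags";E={$_.operatingSystem}}, @{N="groupId";E={"global"}} |
        Export-Csv -Path $csvPath -NoTypeInformation
    #Import the servers to WAC
    ### There is a known bug in the Import-Connections function as of version 2103 - https://github.com/MicrosoftDocs/windowsserverdocs/issues/3492#issuecomment-807439063_
    Import-Connection "https://wac.$($env:USERDNSDOMAIN)" -fileName $csvPath
}
finally {
    #Remove the temporary csv even if the import fails
    Remove-Item -Path $csvPath -ErrorAction SilentlyContinue
}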
########################################
### Per WAC Gateway + Per AAD Tenant ###
########################################
#Manual steps in the WAC UI and the Azure portal:
#Settings > Gateway > Azure
##Register the WAC Gateway with Azure AD
#Azure Portal > Azure AD > App Registrations > WAC Gateway > Manage > API Permissions
##Ensure admin consent has been granted
#Azure Portal > Azure AD > Enterprise Apps > WAC Gateway > Manage > Properties
##User assignment required: Yes