I am currently experimenting with Windows Server 2012, System Center Virtual Machine Manager 2012 SP1, and automation of various processes related to creating/building Server 2012 virtual machines.
I have a script that will create a new Server 2012 VM, customise it, join it to my Active Directory in a “Build” OU, log it on and then try and run a PowerShell script to further configure the server.
Except that the script fails to run for a variety of reasons, which has been most annoying and has taken the best part of a day to resolve.
To save you the hassle:
- Create a GPO (Group Policy Object) with the following settings and link it to the OU where your server will appear:
  - Computer Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List: Enabled: Value name: *.rcmtech.co.uk Value: 2
  - Computer Configuration – Policies – Administrative Templates – Windows Components – Windows PowerShell – Turn on Script Execution: Enabled: Allow all scripts
  - User Configuration – Preferences – Control Panel Settings – Scheduled Tasks – Scheduled Task (Windows Vista and later):
    - Action: Replace
    - Name: Server Build Launcher
    - When running the task, use the following user account: %LogonDomain%\%LogonUser%
    - Run only when the user is logged on
    - Run with highest privileges
    - Configure for: Windows 7
    - Begin the task: At log on
    - Any user
    - Action: Start a program
    - Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - Add arguments: -NoExit -File \\ad.rcmtech.co.uk\netlogon\config\serverbuild\serverbuildlauncher.ps1
    - Allow task to be run on demand
    - Remove this item when it is no longer applied.
- I disabled Internet Explorer Enhanced Security Configuration. I did this by using Microsoft-Windows-IE-ESC in the specialize section and setting IEHardenAdmin to false, via the following bit of PowerShell talking to SCVMM to modify the temporary template that the new VM is built from:

```powershell
# Get the temporary template the new VM will be built from
$Template = Get-SCVMTemplate -Name $TempTemplateName
# Add the IE ESC setting to the template's unattend settings
# (format is "<pass number>/<component>/<setting>", value as a string)
$Unattend = $Template.UnattendSettings
$Unattend.Add("3/Microsoft-Windows-IE-ESC/IEHardenAdmin","false")
# Write the modified unattend settings back to the template
Set-SCVMTemplate -VMTemplate $Template -UnattendSettings $Unattend | Out-Null
```
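As an added check that is not part of the original post, the following PowerShell reads back the three settings above on a newly built server, so the build can stop before the scheduled task hits the security prompt or the signing error. The registry locations are assumed from where the Site to Zone policy, the PowerShell execution policy and IE ESC are normally stored; the pattern and share are the ones used in this post.

```powershell
# Added check (not from the original post). Registry paths are assumptions based on the
# usual storage locations for these policies; the *.rcmtech.co.uk pattern is the post's own.
$checks = @()

# 1. Site to Zone Assignment List: value name = URL pattern, data = zone number as a string
$zoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$pattern = '*.rcmtech.co.uk'
$zone = (Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue).$pattern
$checks += [pscustomobject]@{
    Check    = "Trusted Sites (zone 2) entry for $pattern"
    Expected = '2'
    Actual   = $zone
    Ok       = ($zone -eq '2')
}

# 2. Turn on Script Execution: "Allow all scripts" is stored as Unrestricted, i.e. no
#    signing requirement at all, so this also shows how far the policy has been loosened
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$props = Get-ItemProperty -Path $psPolicy -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check    = 'Machine execution policy (GPO)'
    Expected = 'EnableScripts=1, Unrestricted'
    Actual   = "EnableScripts=$($props.EnableScripts), $($props.ExecutionPolicy)"
    Ok       = ($props.EnableScripts -eq 1 -and $props.ExecutionPolicy -eq 'Unrestricted')
}

# 3. IE ESC for administrators, the part that IEHardenAdmin=false in the unattend turns off
$ieEscAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$escState = (Get-ItemProperty -Path $ieEscAdmin -ErrorAction SilentlyContinue).IsInstalled
$checks += [pscustomobject]@{
    Check    = 'IE ESC for administrators disabled'
    Expected = 0
    Actual   = $escState
    Ok       = ($escState -eq 0)   # a missing key is reported as a failure, not as disabled
}

# 4. What PowerShell itself will enforce; the MachinePolicy scope overrides every other scope
$effective = Get-ExecutionPolicy
$checks += [pscustomobject]@{
    Check    = 'Effective execution policy'
    Expected = 'Unrestricted'
    Actual   = $effective.ToString()
    Ok       = ($effective -eq 'Unrestricted')
}

$checks | Format-Table -AutoSize
if ($checks.Ok -contains $false) { exit 1 }   # non-zero exit lets the build script stop here
```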
The important bit is: all of it, really. The IE ESC and the Trusted Sites bits need doing or you’ll get:
```
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. Do you want to run \\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1?
[D] Do not run  [R] Run Once  [S] Suspend  [?] Help (default is "D"):
```
If you don’t set the PowerShell Script Execution policy to Allow all you’ll get an error:
```
File \\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1 cannot be loaded. The file \\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1 is not digitally signed. The script will not execute on the system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ \\ad.rcmtech.co.uk\netlogon\Config\ServerBuild\ServerBuildLauncher.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
```
…at least if your PowerShell execution policy is set to RemoteSigned. Check what it is with: