DSCResources/xWinRM/xWinRM.psm1
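# DSC resource that configures the local WinRM service, client and listeners
# through the WSMan: drive.
#
# Only the three *-TargetResource functions are exported (see the
# Export-ModuleMember call at the end of the file); everything else in this
# module is a private helper.

# Settings handled by Get-, Set- and Test-TargetResource: the resource
# parameter name, the WSMan: path that stores the value, and the label used in
# verbose output.
$script:WinRMSettingMap = @(
    @{ Name = 'Service_Basic';            Path = 'WSMan:\localhost\Service\Auth\Basic';        Label = 'Basic auth for the WinRM service' }
    @{ Name = 'Client_Basic';             Path = 'WSMan:\localhost\Client\Auth\Basic';         Label = 'Basic auth for the WinRM client' }
    @{ Name = 'Client_Digest';            Path = 'WSMan:\localhost\Client\Auth\Digest';        Label = 'Digest auth for the WinRM client' }
    @{ Name = 'Service_Kerberos';         Path = 'WSMan:\localhost\Service\Auth\Kerberos';     Label = 'Kerberos auth for the WinRM service' }
    @{ Name = 'Client_Kerberos';          Path = 'WSMan:\localhost\Client\Auth\Kerberos';      Label = 'Kerberos auth for the WinRM client' }
    @{ Name = 'Service_Negotiate';        Path = 'WSMan:\localhost\Service\Auth\Negotiate';    Label = 'Negotiate auth for the WinRM service' }
    @{ Name = 'Client_Negotiate';         Path = 'WSMan:\localhost\Client\Auth\Negotiate';     Label = 'Negotiate auth for the WinRM client' }
    @{ Name = 'Service_Certificate';      Path = 'WSMan:\localhost\Service\Auth\Certificate';  Label = 'Certificate auth for the WinRM service' }
    @{ Name = 'Client_Certificate';       Path = 'WSMan:\localhost\Client\Auth\Certificate';   Label = 'Certificate auth for the WinRM client' }
    @{ Name = 'Service_CredSSP';          Path = 'WSMan:\localhost\Service\Auth\CredSSP';      Label = 'CredSSP auth for the WinRM service' }
    @{ Name = 'Client_CredSSP';           Path = 'WSMan:\localhost\Client\Auth\CredSSP';       Label = 'CredSSP auth for the WinRM client' }
    @{ Name = 'Service_AllowUnencrypted'; Path = 'WSMan:\localhost\Service\AllowUnencrypted';  Label = 'WinRM service encryption option' }
    @{ Name = 'Client_AllowUnencrypted';  Path = 'WSMan:\localhost\Client\AllowUnencrypted';   Label = 'WinRM client encryption option' }
    @{ Name = 'MaxEnvelopeSizekb';        Path = 'WSMan:\localhost\MaxEnvelopeSizekb';         Label = 'Max Envelope Size' }
    @{ Name = 'MaxTimeoutms';             Path = 'WSMan:\localhost\MaxTimeoutms';              Label = 'Max timeout' }
    @{ Name = 'MaxBatchItems';            Path = 'WSMan:\localhost\MaxBatchItems';             Label = 'Max batch items' }
    @{ Name = 'MaxProviderRequests';      Path = 'WSMan:\localhost\MaxProviderRequests';       Label = 'Max provider requests' }
    @{ Name = 'MaxMemoryPerShellMB';      Path = 'WSMan:\localhost\Shell\MaxMemoryPerShellMB'; Label = 'Max memory per shell' }
)

<#
.SYNOPSIS
    Returns the WinRM listener(s) whose keys contain "Transport=<Transport>".
.PARAMETER Transport
    'HTTP' or 'HTTPS'.
.OUTPUTS
    The matching item(s) under WSMan:\localhost\listener, or nothing when there
    is no match or the path cannot be read (errors are suppressed).
#>
function Get-WinRMListener
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [ValidateSet('HTTP','HTTPS')]
        [System.String]
        $Transport
    )

    # No wildcard in the pattern, so 'Transport=HTTP' does not match an HTTPS listener.
    $transportKey = "Transport=$Transport"

    Get-ChildItem -Path WSMan:\localhost\listener -ErrorAction SilentlyContinue |
        Where-Object -FilterScript { $_.Keys -like $transportKey }
}

<#
.SYNOPSIS
    Reads one property (for example 'Port') of a WinRM listener.
.PARAMETER Listener
    A listener item as returned by Get-WinRMListener; may be $null.
.PARAMETER Name
    Name of the child item to read.
.OUTPUTS
    The property's value, or nothing when the listener or property is missing.
#>
function Get-WinRMListenerProperty
{
    [CmdletBinding()]
    param
    (
        $Listener,

        [parameter(Mandatory = $true)]
        [System.String]
        $Name
    )

    if ($null -eq $Listener)
    {
        return
    }

    $property = Get-ChildItem -Path ('WSMan:\localhost\listener\' + $Listener.Name) -ErrorAction SilentlyContinue |
        Where-Object -FilterScript { $_.Name -eq $Name }

    $property.Value
}

<#
.SYNOPSIS
    Replaces the 'WinRM Self-signed cert' certificate in LocalMachine\My and
    returns the certificate(s) found for DNS name 'WinRM' afterwards.
.NOTES
    The certificate is valid for ten years. On Windows Server 2016 it is created
    with a non-exportable key; on any other OS caption the bundled
    New-SelfSignedCertificateEx.ps1 is dot-sourced from the module directory, so
    that file runs with the privileges of the DSC engine.
    A self-signed certificate is not chained to a CA, so clients cannot validate
    it unless they are configured to trust it explicitly.
#>
function New-WinRMSelfSignedCertificate
{
    [CmdletBinding()]
    param ()

    $friendlyName = 'WinRM Self-signed cert'

    Write-Verbose -Message 'Removing old self signed certificate'
    $oldCertificates = Get-ChildItem -Path cert:\LocalMachine\My -DnsName WinRM |
        Where-Object -FilterScript { $_.FriendlyName -eq $friendlyName }
    foreach ($item in $oldCertificates)
    {
        Remove-Item -Path $item.PSPath -Force
    }

    Write-Verbose -Message 'Generating new self signed certificate'
    if ((Get-WmiObject -Class Win32_OperatingSystem).caption -like 'Microsoft Windows Server 2016*')
    {
        return New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName 'WinRM' -FriendlyName $friendlyName -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(10)
    }

    . ("$PSScriptRoot" + '\New-SelfSignedCertificateEx.ps1')

    # Output is discarded so that only the certificate object is returned.
    $null = New-SelfSignedCertificateEx -NotAfter (Get-Date).AddYears(10) -FriendlyName $friendlyName -StoreLocation LocalMachine -StoreName My -Subject 'CN=WinRM' -EKU "Server Authentication", "Client authentication" -SignatureAlgorithm sha256

    # NOTE(review): this returns every certificate in the store with DNS name
    # 'WinRM', not only the one just created - confirm no other such
    # certificate can exist on the node.
    Get-ChildItem -Path cert:\LocalMachine\My -DnsName WinRM
}

<#
.SYNOPSIS
    Stops the WinRM service and starts it again.
.NOTES
    The stop is requested without waiting; after ten seconds the hosting
    process is terminated if the service has still not reached 'Stopped'.
    NOTE(review): if WinRM shares its host process with other services,
    Stop-Process terminates those as well - confirm on the target OS.
#>
function Restart-WinRMService
{
    [CmdletBinding()]
    param ()

    Write-Verbose -Message 'Stopping WinRM service'
    Stop-Service -Name WinRM -Force -NoWait
    Start-Sleep -Seconds 10

    while ((Get-Service -Name WinRM).Status -ne 'stopped')
    {
        Write-Verbose -Message "Service hasn't stopped after 10 seconds. ending the process"
        $id = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'WinRM'" |
            Select-Object -ExpandProperty ProcessId

        # A process id of 0 means there is no service process left to terminate.
        if ($id)
        {
            Stop-Process -Id $id -Force
        }
        Start-Sleep -Seconds 1
    }

    while ((Get-Service -Name WinRM).Status -eq 'stopped')
    {
        Write-Verbose -Message 'Starting WinRM service'
        Start-Service -Name WinRM
        Start-Sleep -Seconds 1
    }
}

<#
.SYNOPSIS
    Reads the current WinRM configuration from the WSMan: drive.
.PARAMETER Protocol
    'HTTP' or 'HTTPS'; echoed back in the result.
.PARAMETER Ensure
    'Present' or 'Absent'; echoed back in the result.
.PARAMETER HTTPSCertThumpprint
    Requested certificate thumbprint; echoed back as ConfiguredValue.
.OUTPUTS
    Hashtable with one key per setting in the settings map, plus HttpPort,
    HttpsPort, CurrentHTTPSCertThumpprint (the thumbprint bound to the HTTPS
    listener) and ConfiguredValue. Values that cannot be read are $null because
    read errors are suppressed.
#>
function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [parameter(Mandatory = $true)]
        [ValidateSet('HTTP','HTTPS')]
        [System.String]
        $Protocol,

        [ValidateSet('Present','Absent')]
        [System.String]
        $Ensure,

        [System.String]
        $HTTPSCertThumpprint = 'Self'
    )

    $httpListener = Get-WinRMListener -Transport 'HTTP'
    $httpsListener = Get-WinRMListener -Transport 'HTTPS'

    $returnValue = @{
        Protocol                   = $Protocol
        Ensure                     = $Ensure
        HttpPort                   = (Get-WinRMListenerProperty -Listener $httpListener -Name 'Port')
        HttpsPort                  = (Get-WinRMListenerProperty -Listener $httpsListener -Name 'Port')
        CurrentHTTPSCertThumpprint = (Get-WinRMListenerProperty -Listener $httpsListener -Name 'CertificateThumbprint')
        ConfiguredValue            = $HTTPSCertThumpprint
    }

    foreach ($setting in $script:WinRMSettingMap)
    {
        $returnValue[$setting.Name] = (Get-ChildItem -Path $setting.Path -ErrorAction SilentlyContinue).Value
    }

    $returnValue
}

<#
.SYNOPSIS
    Applies the requested WinRM settings and creates, updates or removes the
    listener for the given protocol, then restarts the WinRM service.
.DESCRIPTION
    Every setting in the settings map is written on each call, for both
    'Present' and any other value of Ensure. Because the listener branch is a
    plain if/else, an omitted -Ensure takes the removal path.

    Security-relevant defaults, as declared in the parameter block:
    Service_Basic and Client_Basic default to 'true'; Service_AllowUnencrypted
    and Client_AllowUnencrypted default to 'false'; Service_CredSSP and
    Client_CredSSP default to 'false'. Pass 'false' for Basic explicitly when
    Basic authentication is not required.
.PARAMETER Protocol
    Listener transport to manage: 'HTTP' or 'HTTPS'.
.PARAMETER Ensure
    'Present' to configure the listener; anything else removes it.
.PARAMETER HTTPSCertThumpprint
    'Self' (default) to generate and bind a new self-signed certificate, or the
    thumbprint to bind to the HTTPS listener. The thumbprint is passed to WinRM
    as given; this function does not check that the certificate exists.
.NOTES
    The remaining parameters map one-to-one onto the WSMan: paths listed in the
    settings map, plus HttpPort/HttpsPort for the listener port.
#>
function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [ValidateSet('HTTP','HTTPS')]
        [System.String]
        $Protocol,

        [ValidateSet('Present','Absent')]
        [System.String]
        $Ensure,

        [ValidateSet('true','false')]
        [System.String]
        $Service_Basic = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Basic = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Digest = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Kerberos = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Kerberos = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Negotiate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Negotiate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Certificate = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Certificate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_CredSSP = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_CredSSP = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Service_AllowUnencrypted = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_AllowUnencrypted = 'false',

        [System.String]
        $HttpPort = 5985,

        [System.String]
        $HttpsPort = 5986,

        [System.String]
        $MaxEnvelopeSizekb = 500,

        [System.String]
        $MaxTimeoutms = 60000,

        [System.String]
        $MaxBatchItems = 32000,

        [System.String]
        $MaxProviderRequests = 4294967295,

        [System.String]
        $MaxMemoryPerShellMB = 1024,

        [System.String]
        $HTTPSCertThumpprint = 'Self'
    )

    $desired = @{
        Service_Basic            = $Service_Basic
        Client_Basic             = $Client_Basic
        Client_Digest            = $Client_Digest
        Service_Kerberos         = $Service_Kerberos
        Client_Kerberos          = $Client_Kerberos
        Service_Negotiate        = $Service_Negotiate
        Client_Negotiate         = $Client_Negotiate
        Service_Certificate      = $Service_Certificate
        Client_Certificate       = $Client_Certificate
        Service_CredSSP          = $Service_CredSSP
        Client_CredSSP           = $Client_CredSSP
        Service_AllowUnencrypted = $Service_AllowUnencrypted
        Client_AllowUnencrypted  = $Client_AllowUnencrypted
        MaxEnvelopeSizekb        = $MaxEnvelopeSizekb
        MaxTimeoutms             = $MaxTimeoutms
        MaxBatchItems            = $MaxBatchItems
        MaxProviderRequests      = $MaxProviderRequests
        MaxMemoryPerShellMB      = $MaxMemoryPerShellMB
    }

    $present = ($Ensure -eq 'Present')

    if ($present)
    {
        Write-Verbose -Message 'Ensure is set to present'
        if (-not (Test-Path -Path WSMan:\localhost) -or $null -eq (Get-ChildItem -Path WSMan:\localhost\Listener))
        {
            Write-Verbose -Message 'Could not find WinRM config... enabling'
            # -Force: the DSC engine runs non-interactively, so the
            # confirmation prompt cannot be answered.
            Enable-PSRemoting -Force
        }
        else
        {
            Write-Verbose -Message 'Found an existing WinRM config'
        }
    }
    else
    {
        Write-Verbose -Message 'Ensure is set to absent'
    }

    foreach ($setting in $script:WinRMSettingMap)
    {
        Write-Verbose -Message "Configuring $($setting.Label)"
        Set-Item -Path $setting.Path -Value $desired[$setting.Name]
    }

    $listener = Get-WinRMListener -Transport $Protocol

    if (-not $present)
    {
        Write-Verbose -Message "Removing $Protocol listener"
        if ($null -ne $listener)
        {
            Remove-Item -Path ('WSMan:\localhost\listener\' + $($listener.Name) + '*') -Force -Recurse
        }
        else
        {
            # Without this guard the path would collapse to
            # 'WSMan:\localhost\listener\*' and remove every listener.
            Write-Verbose -Message "Could not find $Protocol listener"
        }
    }
    elseif ($Protocol -eq 'HTTP')
    {
        if ($null -eq $listener)
        {
            # Other listeners exist but none for HTTP: create it instead of
            # writing the port to a path with an empty listener name.
            Write-Verbose -Message 'Creating the HTTP listener'
            $null = New-Item -Path WSMan:\LocalHost\Listener -Transport HTTP -Address * -Force
            $listener = Get-WinRMListener -Transport 'HTTP'
        }

        Write-Verbose -Message "Configuring the HTTP listener: $($listener.Name) port to $HttpPort"
        Set-Item -Path ('WSMan:\localhost\listener\' + $($listener.Name) + '\Port') -Value $HttpPort -Force
    }
    else
    {
        if ($HTTPSCertThumpprint -eq 'Self')
        {
            $thumbprint = (New-WinRMSelfSignedCertificate).Thumbprint
        }
        else
        {
            $thumbprint = $HTTPSCertThumpprint
        }

        if ($null -eq $listener)
        {
            # Covers both the self-signed and the caller-supplied thumbprint.
            Write-Verbose -Message 'Creating the HTTPS listener'
            $null = New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $thumbprint -Force
            $listener = Get-WinRMListener -Transport 'HTTPS'
        }
        else
        {
            Write-Verbose -Message "Configuring the HTTPS listener: $($listener.Name) certificate to $thumbprint"
            Set-Item -Path ('WSMan:\localhost\listener\' + $($listener.Name) + '\CertificateThumbprint') -Value $thumbprint -Force
        }

        Write-Verbose -Message "Configuring the HTTPS listener: $($listener.Name) port to $HttpsPort"
        Set-Item -Path ('WSMan:\localhost\listener\' + $($listener.Name) + '\Port') -Value $HttpsPort -Force
    }

    Restart-WinRMService
}

<#
.SYNOPSIS
    Reports whether the node already matches the requested WinRM configuration.
.DESCRIPTION
    Ensure = 'Present': returns $true only when a listener for the protocol
    exists and every setting, the listener port and - when a thumbprint other
    than 'Self' is requested - the listener's certificate thumbprint equal the
    requested values.
    Ensure = 'Absent': returns $true when no listener for the protocol exists.
.PARAMETER Protocol
    Listener transport to check: 'HTTP' or 'HTTPS'.
.PARAMETER Ensure
    'Present' or 'Absent'.
.PARAMETER HTTPSCertThumpprint
    'Self' or the thumbprint expected on the HTTPS listener. With 'Self' the
    bound certificate is not inspected.
.OUTPUTS
    System.Boolean
.NOTES
    NOTE(review): when -Ensure is omitted neither branch runs and nothing is
    returned, while Set-TargetResource treats an omitted -Ensure as removal -
    confirm the schema makes Ensure required.
#>
function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [parameter(Mandatory = $true)]
        [ValidateSet('HTTP','HTTPS')]
        [System.String]
        $Protocol,

        [ValidateSet('Present','Absent')]
        [System.String]
        $Ensure,

        [ValidateSet('true','false')]
        [System.String]
        $Service_Basic = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Basic = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Digest = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Kerberos = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Kerberos = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Negotiate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Negotiate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_Certificate = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_Certificate = 'true',

        [ValidateSet('true','false')]
        [System.String]
        $Service_CredSSP = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_CredSSP = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Service_AllowUnencrypted = 'false',

        [ValidateSet('true','false')]
        [System.String]
        $Client_AllowUnencrypted = 'false',

        [System.String]
        $HttpPort = 5985,

        [System.String]
        $HttpsPort = 5986,

        [System.String]
        $MaxEnvelopeSizekb = 500,

        [System.String]
        $MaxTimeoutms = 60000,

        [System.String]
        $MaxBatchItems = 32000,

        [System.String]
        $MaxProviderRequests = 4294967295,

        [System.String]
        $MaxMemoryPerShellMB = 1024,

        [System.String]
        $HTTPSCertThumpprint = 'Self'
    )

    if ($Ensure -eq 'Present')
    {
        if ($Protocol -eq 'HTTPS')
        {
            if ($HTTPSCertThumpprint -ne 'Self')
            {
                Write-Verbose -Message 'HTTPSCertThumpprint specified'
            }
            else
            {
                Write-Verbose -Message 'HTTPSCertThumpprint is set to self signed'
            }
        }

        Write-Verbose -Message "Attempting to find $Protocol listener"
        $listener = Get-WinRMListener -Transport $Protocol
        if ($null -eq $listener)
        {
            Write-Verbose -Message "Could not find $Protocol listener"
            return $false
        }

        Write-Verbose -Message "Found $Protocol listener"
        $target = Get-TargetResource -Protocol $Protocol -Ensure $Ensure

        # Keys are the names Get-TargetResource uses in its result.
        # Client_Digest is included so that drift in that setting is detected.
        $desired = [ordered]@{
            Service_Basic            = $Service_Basic
            Client_Basic             = $Client_Basic
            Client_Digest            = $Client_Digest
            Service_Kerberos         = $Service_Kerberos
            Client_Kerberos          = $Client_Kerberos
            Service_Negotiate        = $Service_Negotiate
            Client_Negotiate         = $Client_Negotiate
            Service_Certificate      = $Service_Certificate
            Client_Certificate       = $Client_Certificate
            Service_CredSSP          = $Service_CredSSP
            Client_CredSSP           = $Client_CredSSP
            Service_AllowUnencrypted = $Service_AllowUnencrypted
            Client_AllowUnencrypted  = $Client_AllowUnencrypted
            MaxEnvelopeSizekb        = $MaxEnvelopeSizekb
            MaxTimeoutms             = $MaxTimeoutms
            MaxBatchItems            = $MaxBatchItems
            MaxProviderRequests      = $MaxProviderRequests
            MaxMemoryPerShellMB      = $MaxMemoryPerShellMB
        }

        if ($Protocol -eq 'HTTP')
        {
            $desired['HttpPort'] = $HttpPort
        }
        else
        {
            $desired['HttpsPort'] = $HttpsPort
            if ($HTTPSCertThumpprint -ne 'Self')
            {
                # Get-TargetResource reports the bound thumbprint under
                # CurrentHTTPSCertThumpprint; it has no HTTPSCertThumpprint key,
                # so comparing against that name could never succeed.
                $desired['CurrentHTTPSCertThumpprint'] = $HTTPSCertThumpprint
            }
        }

        $inDesiredState = $true
        foreach ($name in $desired.Keys)
        {
            if ($desired[$name] -ne $target[$name])
            {
                Write-Verbose -Message "$name is '$($target[$name])', expected '$($desired[$name])'"
                $inDesiredState = $false
            }
        }

        if ($inDesiredState)
        {
            Write-Verbose -Message 'Everything matches'
        }
        else
        {
            Write-Verbose -Message 'Not everything matches'
        }
        return $inDesiredState
    }

    if ($Ensure -eq 'Absent')
    {
        Write-Verbose -Message "Attempting to find $Protocol listener"
        $listener = Get-WinRMListener -Transport $Protocol
        if ($null -ne $listener)
        {
            Write-Verbose -Message "Found $Protocol listener"
            return $false
        }

        Write-Verbose -Message "Could not find $Protocol listener"
        return $true
    }
}

Export-ModuleMember -Function *-TargetResource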