Update to 1903

Vagrant/Vagrantfile

@@ -3,7 +3,7 @@ Vagrant.configure("2") do |config|
   config.vm.define "logger" do |cfg|
     cfg.vm.box = "bento/ubuntu-16.04"
     cfg.vm.hostname = "logger"
-    config.vm.provision :shell, path: "bootstrap.sh"
+    cfg.vm.provision :shell, path: "bootstrap.sh"
     cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
 
     cfg.vm.provider "vmware_desktop" do |v, override|
@@ -26,7 +26,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "dc" do |cfg|
-    cfg.vm.box = "detectionlab/win2016"
+    cfg.vm.box = "../Packer/windows_2016_vmware.box"
     cfg.vm.hostname = "dc"
     cfg.vm.boot_timeout = 600
     cfg.winrm.transport = :plaintext
@@ -54,6 +54,7 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/configure-rdp-user-gpo.ps1", privileged: false
+    cfg.vm.provision "shell", path: "scripts/configure-disable-windows-defender-gpo.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
     cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
     cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
@@ -79,7 +80,7 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "wef" do |cfg|
-    cfg.vm.box = "detectionlab/win2016"
+    cfg.vm.box = "../Packer/windows_2016_vmware.box"
     cfg.vm.hostname = "wef"
     cfg.vm.boot_timeout = 600
     cfg.vm.communicator = "winrm"
@@ -130,12 +131,12 @@ Vagrant.configure("2") do |config|
   end
 
   config.vm.define "win10" do |cfg|
-    cfg.vm.box = "detectionlab/win10"
+    cfg.vm.box = "../Packer/windows_10_vmware.box"
     cfg.vm.hostname = "win10"
-    cfg.vm.boot_timeout = 600
+    cfg.vm.boot_timeout = 1200
     cfg.vm.communicator = "winrm"
     cfg.winrm.basic_auth_only = true
-    cfg.winrm.timeout = 300
+    cfg.winrm.timeout = 1200
     cfg.winrm.retry_limit = 20
     cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
 

Vagrant/resources/GPO/disable_windows_defender/manifest.xml

@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst><GPOGuid><![CDATA[{288D6F79-F949-4C97-BE07-8997DBE821BC}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{d2ef48b7-bc16-4377-a67f-dbaab78aa80f}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-07-02T05:30:50]]></BackupTime><ID><![CDATA[{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Disable Windows Defender]]></GPODisplayName></BackupInst><BackupInst><GPOGuid><![CDATA[{288D6F79-F949-4C97-BE07-8997DBE821BC}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{d2ef48b7-bc16-4377-a67f-dbaab78aa80f}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-07-02T03:55:32]]></BackupTime><ID><![CDATA[{1E7FB85D-6EA1-4B41-A58D-EE7A938D28C8}]]></ID><Comment><![CDATA[Disable Windows Defender]]></Comment><GPODisplayName><![CDATA[Disable Windows Defender]]></GPODisplayName></BackupInst></Backups>

Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/Backup.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation.  All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
+    <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-535525547-1807146305-221323077-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-535525547-1807146305-221323077-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-535525547-1807146305-221323077-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{288D6F79-F949-4C97-BE07-8997DBE821BC}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 ab 78 eb 1f 41 dd b6 6b 45 1f 31 0d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Disable Windows Defender]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[196611]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> 
+        <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
+            <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{288D6F79-F949-4C97-BE07-8997DBE821BC}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
+            
+            <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{288D6F79-F949-4C97-BE07-8997DBE821BC}\Adm\*.*"/>
+        </GroupPolicyExtension>
+        
+        
+        
+        
+        
+        
+        
+        
+        
+    <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{288D6F79-F949-4C97-BE07-8997DBE821BC}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject>
+</GroupPolicyBackupScheme>

Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/DomainSysvol/GPO/Machine/comment.cmtx

@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+  <policyNamespaces>
+    <using prefix="ns0" namespace="Microsoft.Policies.WindowsDefender"></using>
+  </policyNamespaces>
+  <comments>
+    <admTemplate></admTemplate>
+  </comments>
+  <resources minRequiredRevision="1.0">
+    <stringTable></stringTable>
+  </resources>
+</policyComments>

Vagrant/resources/GPO/disable_windows_defender/{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}/bkupInfo.xml

@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{288D6F79-F949-4C97-BE07-8997DBE821BC}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{d2ef48b7-bc16-4377-a67f-dbaab78aa80f}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-07-02T05:30:50]]></BackupTime><ID><![CDATA[{A1B5F23F-DC23-4225-98D0-22FD4EAF312C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Disable Windows Defender]]></GPODisplayName></BackupInst>

Vagrant/resources/windows/shutup10.cfg

@@ -1,18 +1,18 @@
 ############################################################################
-# This file was created with O&O ShutUp10 and can be imported onto another computer. 
+# This file was created with O&O ShutUp10 and can be imported onto another computer.
 #
 # Download the application at https://www.oo-software.com/en/shutup10
-# You can then import the file from within the program. 
+# You can then import the file from within the program.
 #
 # Alternatively you can import it automatically over a command line. Simply use
-# the following parameter: 
+# the following parameter:
 # ooshutup10.exe <path to file>
-# 
-# Selecting the Option /quiet ends the app right after the import and the user does not 
+#
+# Selecting the Option /quiet ends the app right after the import and the user does not
 # get any feedback about the import.
 #
 # We are always happy to answer any questions you may have!
-# (c) 2015-2018 O&O Software GmbH, Berlin. https://www.oo-software.com/
+# Copyright © O&O Software GmbH https://www.oo-software.com/
 ############################################################################
 
 P001	+
@@ -58,6 +58,7 @@ S010	+
 E001	+
 E002	+
 E003	+
+E008	+
 E007	+
 E010	+
 E009	+
@@ -125,4 +126,4 @@ M012	+
 M013	+
 M014	+
 M015	+
-N001	+
+N001	-

Vagrant/scripts/MakeWindows10GreatAgain.ps1

@@ -11,16 +11,14 @@ if ($onedrive) {
 }
 c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
 
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Running Update-Help..."
-Update-Help -Force -ErrorAction SilentlyContinue
-
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
-$appname = "Microsoft Edge"
-((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
-$appname = "Microsoft Store"
-((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
-$appname = "Mail"
-((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+# Fix in 1903
+#Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Removing Microsoft Store and Edge shortcuts from the taskbar..."
+#$appname = "Microsoft Edge"
+#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+#$appname = "Microsoft Store"
+#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
+#$appname = "Mail"
+#((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() | ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt(); $exec = $true}
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Disabling automatic screen turnoff in order to prevent screen locking..."
 powercfg -change -monitor-timeout-ac 0
@@ -33,10 +31,11 @@ Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading ShutUp10..."
 $shutUp10DownloadUrl = "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
 $shutUp10RepoPath = "C:\Users\vagrant\AppData\Local\Temp\OOSU10.exe"
 if (-not (Test-Path $shutUp10RepoPath)) {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing ShutUp10 and disabling Windows Defender"
   Invoke-WebRequest -Uri "$shutUp10DownloadUrl" -OutFile $shutUp10RepoPath
   . $shutUp10RepoPath c:\vagrant\resources\windows\shutup10.cfg /quiet /force
 } else {
-  Write-Host "ShutUp10 was already installed. Moving On."
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) ShutUp10 was already installed. Moving On."
 }
 
 # Remove the Edge shortcut from the Desktop

Vagrant/scripts/configure-disable-windows-defender-gpo.ps1

@@ -0,0 +1,29 @@
+# Purpose: Install the GPO that disables Windows Defender
+Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Importing the GPO to disable Windows Defender..."
+Import-GPO -BackupGpoName 'Disable Windows Defender' -Path "c:\vagrant\resources\GPO\disable_windows_defender" -TargetName 'Disable Windows Defender' -CreateIfNeeded
+
+$OU = "ou=Workstations,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Disable Windows Defender'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+  New-GPLink -Name 'Disable Windows Defender' -Target $OU -Enforced yes
+}
+else
+{
+  Write-Host "Disable Windows Defender GPO was already linked at $OU. Moving On."
+}
+$OU = "ou=Servers,dc=windomain,dc=local"
+$gPLinks = $null
+$gPLinks = Get-ADOrganizationalUnit -Identity $OU -Properties name,distinguishedName, gPLink, gPOptions
+$GPO = Get-GPO -Name 'Disable Windows Defender'
+If ($gPLinks.LinkedGroupPolicyObjects -notcontains $gpo.path)
+{
+    New-GPLink -Name 'Disable Windows Defender' -Target $OU -Enforced yes
+}
+else
+{
+  Write-Host "Disable Windows Defender GPO was already linked at $OU. Moving On."
+}
+gpupdate /force