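# For Windows Server 2012, 2012R2, 2016, and 2019
#
# Copy and paste the below into an administrator-level PowerShell window on a new and non-production server.
#
# Some commands will cause network disconnections, and others require a full restart to take effect
#
# Layout: everything above the "Other Useful commands" marker is the build script and runs top to bottom.
# Everything below that marker is a reference list of one-off commands; edit them for your environment
# and paste them individually - several of them reboot the server or remove features.
#
#Changelog:
# 11/11/2021: Added in code to update power settings to "high performance"
# 11/12/2021: Added in code to add a daily 3AM trigger for the defrag scheduled task
# 11/15/2021: Added in Enable-ScheduledTask for the defrag in case it isn't.
# 5/17/2022: Added in Powershell updates, google chrome install
#

# SNMP v1/v2c community strings travel in clear text and this one is granted read access below,
# so treat it like a credential rather than a label.
$SNMPCommunity = "INSI" # Change to your own Community String
$TimeSet = $true # Used later if needed

Import-Module ServerManager

#Installs Telnet client
Add-WindowsFeature telnet-client

#Disables Windows Firewall
# Nothing later in this script turns it back on, and PS Remoting and RDP are enabled right after this.
# Re-enable all profiles (Set-NetFirewallProfile -All -Enabled True) before the server leaves the build network.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

#Enable Remote Powershell and Management commands
Enable-PSRemoting -Force

#Enable RDP
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0

#Set Windows Update to check for updates but not download or install
If(!(Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate)) {
  New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\ -Name WindowsUpdate
}
If(!(Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU)) {
  New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name AU
}
# AUOptions 2 = notify before download
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name AUOptions -Value 2 -Type DWord

#Disable Windows Update popups, windows updates still runs when requested
# Implemented by taking ownership of the two notification binaries and denying Execute to Everyone.
# NOTE(review): this leaves a Deny ACE on files under System32; if servicing or SFC complains,
# back it out with "icacls <file> /remove:d Everyone".
cmd /c "takeown /f c:\windows\system32\musnotification.exe"
cmd /c "icacls c:\windows\system32\musnotification.exe /deny Everyone:(X)"
cmd /c "takeown /f c:\windows\system32\musnotificationux.exe"
cmd /c "icacls c:\windows\system32\musnotificationux.exe /deny Everyone:(X)"

#Disable Internet Explorer Enhanced Security Configuration (both Active Setup entries: administrators and users)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0

#Disable Server Manager auto-start on login
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Server Manager\ServerManager"

#Disable Customer Experience Improvement Program tasks
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"

#Disable Application Experience Scheduled Tasks
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
Disable-ScheduledTask -TaskName "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"

#Install and configure SNMP
Add-WindowsFeature SNMP-Service,SNMP-WMI-Provider -IncludeManagementTools
# Removing the default "localhost" entry leaves PermittedManagers empty, which makes the agent answer
# requests from any host. To scope it, add the monitoring server(s) back as numbered values (1, 2, ...)
# under PermittedManagers instead of leaving the key empty.
If((Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers\").1 -eq "localhost" ) {
  Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers" -Name "1"
}
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\SNMP\Parameters" -Name "EnableAuthenticationTraps" -Value 0
# ValidCommunities value 4 = READ ONLY; only add the community if it is not already present
If( (Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" -Name $SNMPCommunity -ErrorAction SilentlyContinue) -eq $null ) {
  New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" -Name $SNMPCommunity -Value 4 -PropertyType DWORD
}

#Sets power to "High Performance"
$p = Get-CimInstance -Name root\cimv2\power -Class win32_PowerPlan -Filter "ElementName = 'High Performance'"
if ($p) {
  # InstanceID is of the form Microsoft:PowerPlan\{GUID}; powercfg wants the bare GUID
  powercfg /setactive ([string]$p.InstanceID).Replace("Microsoft:PowerPlan\{","").Replace("}","")
} else {
  # Without this guard an empty GUID would be passed to powercfg
  Write-Warning "High Performance power plan not found; power plan left unchanged"
}

#Sets the defrag to run daily at 3AM instead of randomly
$tasktrigger = New-ScheduledTaskTrigger -Daily -At 3:00AM
Set-ScheduledTask -TaskName 'Microsoft\Windows\Defrag\ScheduledDefrag' -Trigger $tasktrigger
Enable-ScheduledTask 'Microsoft\Windows\Defrag\ScheduledDefrag'

#Disables Windows from turning off the NICs to save power **Warning: Causes brief network reset**
Get-NetAdapter | Disable-NetAdapterPowerManagement

#Set the Time Zone (Requires Powershell 5.1, default version in Server 2016, installable in all versions since Windows 7 SP1)
if ($PSVersionTable.PSVersion -ge [Version]'5.1.0') {
  Set-TimeZone "Eastern Standard Time"
} else {
  $TimeSet = $false
}

#Set Pagefile to 1x memory and static **Reboot required**
$computersys = Get-WmiObject Win32_ComputerSystem -EnableAllPrivileges
$computersys.AutomaticManagedPagefile = $False
$computersys.Put()
$physmembytes = (Get-WmiObject -class "cim_physicalmemory" | Measure-Object -Property Capacity -Sum).Sum
# InitialSize/MaximumSize are whole megabytes; cast so a fractional result is never handed to WMI
$physmemmb = [uint32]($physmembytes / 1024 / 1024)
$pagefile = Get-WmiObject -Query "Select * From Win32_PageFileSetting Where Name like '%pagefile.sys'"
if ($pagefile) {
  $pagefile.InitialSize = $physmemmb
  $pagefile.MaximumSize = $physmemmb
  $pagefile.Put()
} else {
  # Setting properties on $null would otherwise error out here
  Write-Warning "No pagefile.sys setting found; set the pagefile size manually"
}

if (!$TimeSet) {
  Write-Warning "You need to set the timezone manually"
}

#PLEASE GIVE UP

#Other Useful commands, update as needed, for Windows Server or desktops since Windows 2012/Windows 8
#
#Requires an admin-level powershell window, each command needs to be updated for your specific environment.
#The two commands below (rename and domain join) will restart the computer/server.
#They are commented out so that pasting this whole file cannot rename or reboot the box with the
#placeholder values; fill in the placeholders, then run them individually.
#
#Before Domain join (replace NEWSERVERNAME)
#Rename-Computer -Restart -newname NEWSERVERNAME

#Join to the domain (replace domain.local and domain\domainadmin; the password is prompted for, not passed on the command line)
#add-computer -domainname domain.local -Credential domain\domainadmin -restart -force

#Server2016 needs to have Powershell set to use TLS1.2
# Placed before the Chrome download and the PowerShell Gallery commands, since both need TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

#Install latest Google Chrome browser
$Path = $env:TEMP
$Installer = "chrome_installer.exe"
Invoke-WebRequest 'https://dl.google.com/chrome/install/latest/chrome_installer.exe' -Outfile "$Path\$Installer"
# The download is run elevated, so refuse anything that does not carry a valid Authenticode signature.
# A Valid status only proves a trusted publisher signed it; inspect SignerCertificate if you need the publisher pinned.
if ((Get-AuthenticodeSignature -FilePath "$Path\$Installer").Status -ne 'Valid') {
  Remove-Item "$Path\$Installer"
  throw "Chrome installer failed Authenticode validation; not installing"
}
Start-Process -FilePath "$Path\$Installer" -Args "/silent /install" -Verb RunAs -Wait
Remove-Item "$Path\$Installer"
Get-Service | where-object {$_.name -like '*googleupdater*'} | set-service -startuptype disabled

#Remove Windows Defender, to be used if other AV/MDR is being installed
# Run this only after the replacement agent is installed and reporting, so the server is never left without coverage
Uninstall-WindowsFeature -Name Windows-Defender

#For Server2022 after an update: remove Azure Arc setup
Remove-WindowsFeature AzureArcSetup

#PSWindowsUpdate
# -Force installs from the PowerShell Gallery without the untrusted-repository prompt; -Autoreboot will restart the server
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -MicrosoftUpdate -install -AcceptAll -Verbose -Autoreboot

#WinGet
Install-Module -Name Microsoft.WinGet.Client
winget upgrade --all --silent --accept-source-agreements --accept-package-agreements --disable-interactivity

#Install latest Powershell
winget install --id Microsoft.Powershell --source winget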