
Setting the Password and Enabling WinRM on AWS Windows Instances via UserData

Original article by Windows技术交流, last modified 2024-12-11 21:41:47
Included in the column: Windows技术交流

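The reason a competitor's cloud is being discussed on the Tencent Cloud developer community is, naturally, a multi-cloud comparison.

When checking WinRM state, the listener is secondary; what mainly matters is the firewall state, especially the RemoteAdminMode value shown by netsh.exe firewall show state (put plainly: whether winrm quickconfig -q -force has been run, and whether RemoteAdmin has been allowed through the firewall).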

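Alibaba Cloud Windows public images (>= 2008R2): sysprep images; winrm quickconfig -q -force has not been run; WinRM does not listen on port 5985 by default; the firewall is off by default.
Tencent Cloud Windows public images (> 2008R2): sysprep images; winrm quickconfig -q -force has not been run; WinRM listens on port 5985 by default; the firewall is off by default.
AWS Windows public images (within the Microsoft support lifecycle, currently >= 2016): sysprep images; WinRM listens on port 5985 by default; the firewall is on by default, but it does not allow RemoteAdmin by default.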
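
To see in one pass the state that the comparison above describes (listener, firewall profiles, and which inbound rules actually open 5985/5986 and to whom), the following read-only audit can be run on the instance. It is an added example, not the author's code; the function name Get-WinRMExposure is hypothetical, and it uses the NetSecurity cmdlets instead of the legacy netsh firewall view, so it assumes Windows Server 2016 or later and an elevated session.

```powershell
# Added example: read-only audit; run in an elevated session on Windows Server 2016+.
function Get-WinRMExposure {
    $svc = Get-Service -Name WinRM
    $listeners = @()
    $settings  = $null
    if ($svc.Status -eq 'Running') {       # the WSMan: drive needs the service up
        # One object per listener: transport, port and whether it is enabled.
        $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $kv = @{}
            Get-ChildItem $_.PSPath | ForEach-Object { $kv[$_.Name] = $_.Value }
            [pscustomobject]@{ Transport = $kv['Transport']; Port = $kv['Port']; Enabled = $kv['Enabled'] }
        }
        $settings = [pscustomobject]@{
            AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
            BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
            TrustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        }
    }
    # Enabled inbound allow rules that name 5985 or 5986 explicitly, with their source scope.
    # Rules written as port ranges or "Any" are not matched by this simple comparison.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '5985' -or @($pf.LocalPort) -contains '5986')) {
            $af = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule = $_.DisplayName; Profile = $_.Profile
                LocalPort = @($pf.LocalPort) -join ','; RemoteAddress = @($af.RemoteAddress) -join ','
            }
        }
    }
    [pscustomobject]@{
        ServiceStatus    = $svc.Status
        Listeners        = $listeners
        ServiceSettings  = $settings
        FirewallProfiles = Get-NetFirewallProfile | Select-Object Name, Enabled
        WinRMAllowRules  = $rules
    }
}

Get-WinRMExposure | Format-List
```

A RemoteAddress of Any on a 5985 rule, together with AllowUnencrypted or BasicAuth set to true, is the combination to look for after running any of the scripts below.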

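The following shows how to set the password and enable WinRM through UserData on AWS, Alibaba Cloud, and Tencent Cloud, respectively.

1. AWS (the UserData marker is the paired <powershell></powershell> tags, not #ps1 and not [powershell])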

<powershell>

# "你的密码" is a placeholder meaning "your password"; replace it with the password to set
net user Administrator "你的密码"

#Start-Service winrm
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}

netsh firewall set service remotedesktop enable

netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Standard

netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Current

netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985

# Restart WinRM, and set it so that it auto-launches on startup.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
Set-Item WSMan:localhost\client\trustedhosts -value * -force -EA 0 2>&1 >$null
winrm quickconfig -q 2>&1 > $null
winrm quickconfig -q -force 2>&1 > $null
restart-service winrm 2>&1 > $null

netsh.exe firewall show state >c:\fw.txt
</powershell>
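
A tighter variant of the WinRM part of the AWS script above, for comparison: a single HTTPS listener on 5986, Basic and unencrypted traffic kept off, and the firewall rule scoped to a management range instead of all sources. This is an added example, not the author's script; the variable $MgmtCidr, its 203.0.113.0/24 value (a documentation range) and the rule display name are assumptions to replace.

```powershell
<powershell>
# Added example (not the author's script).
# Assumption: placeholder management range; replace with your admin network.
$MgmtCidr = '203.0.113.0/24'

Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Self-signed certificate for the HTTPS listener, issued to the current host name.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $env:COMPUTERNAME

# Replace whatever listeners exist with one HTTPS listener (default port 5986).
Remove-Item -Path WSMan:\localhost\Listener\Listener* -Recurse -ErrorAction SilentlyContinue
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Keep message encryption mandatory and Basic authentication off on the service side.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false -Force

# Disable any enabled inbound rule that names TCP 5985, so plain HTTP is not reachable.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '5985' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# Allow 5986 only from the management range, on every firewall profile.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management range only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $MgmtCidr -Profile Any | Out-Null

Restart-Service -Name WinRM
</powershell>
```

Because the certificate is self-signed, a client has to trust it explicitly or skip CA validation, which is what the winrm_insecure setting mentioned in the Packer comments further down does.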

2. Alibaba Cloud (the UserData marker is [powershell], not the paired <powershell></powershell> tags and not #ps1)

[powershell]
#ps1
# MAKE SURE IN YOUR PACKER CONFIG TO SET:
#
#
#    "winrm_username": "Administrator",
#    "winrm_insecure": true,
#    "winrm_use_ssl": true,
#
#

# "你的密码" is a placeholder meaning "your password"; replace it with the password to set
net user Administrator "你的密码"

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

#Start-Service winrm
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "Continue"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
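# AllowUnencrypted and Basic (next four lines) let WinRM accept credentials without message encryption:
# over the HTTP listener on 5985 they cross the network in clear text; only the HTTPS listener on 5986 protects them.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'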
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
cmd.exe /c net start winrm

netsh firewall set service remotedesktop enable

netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Standard

netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Current

netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="Open Port 5986" dir=in action=allow protocol=TCP localport=5986
# Restart WinRM, and set it so that it auto-launches on startup.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto

winrm quickconfig -q -force 2>&1 > $null
winrm quickconfig -q 2>&1 > $null

Set-Item WSMan:localhost\client\trustedhosts -value * -Force -Confirm:$false -EA 0 2>&1 >$null

restart-service winrm 2>&1 > $null

netstat -ato|findstr ":5985 :5986"
winrs -r:http://127.0.0.1:5985 hostname

3. Tencent Cloud (the UserData marker is #ps1 or the paired <powershell></powershell> tags, not [powershell])

#ps1
<powershell>

# MAKE SURE IN YOUR PACKER CONFIG TO SET:
#
#
#    "winrm_username": "Administrator",
#    "winrm_insecure": true,
#    "winrm_use_ssl": true,
#
#

# "你的密码" is a placeholder meaning "your password"; replace it with the password to set
net user Administrator "你的密码"

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

#Start-Service winrm
if($(get-service winrm).Status -notmatch "Running"){cmd.exe /c net start winrm}

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "Continue"

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
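# AllowUnencrypted and Basic (next four lines) let WinRM accept credentials without message encryption:
# over the HTTP listener on 5985 they cross the network in clear text; only the HTTPS listener on 5986 protects them.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'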
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto
cmd.exe /c net start winrm

netsh firewall set service remotedesktop enable

netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Domain
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Standard

netsh firewall set service RemoteAdmin enable
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL
#netsh.exe firewall set service type=RemoteAdmin mode=ENABLE scope=ALL  profile=Current

netsh advfirewall firewall add rule name="Open Port 5985" dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name="Open Port 5986" dir=in action=allow protocol=TCP localport=5986
# Restart WinRM, and set it so that it auto-launches on startup.
cmd.exe /c net stop winrm
cmd.exe /c sc.exe config winrm start= auto

winrm quickconfig -q -force 2>&1 > $null
winrm quickconfig -q 2>&1 > $null

Set-Item WSMan:localhost\client\trustedhosts -value * -Force -Confirm:$false -EA 0 2>&1 >$null

restart-service winrm 2>&1 > $null

netstat -ato|findstr ":5985 :5986"
winrs -r:http://127.0.0.1:5985 hostname

</powershell>

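Original-content statement: this article is published on the Tencent Cloud developer community with the author's authorization and may not be reproduced without permission.

For infringement claims, contact cloudcommunity@tencent.com for removal.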
