├── Search Websites ├── list.txt └── SearchWebsite.ps1 ├── Azure Stack HCI Prep ├── 1-Nested Virtualization.ps1 ├── 0-HCI-ADPrep.ps1 ├── 3-NAT Switch L2 Node 0.ps1 ├── 3-NAT Switch L2 Node 1.ps1 ├── 3-NAT Switch L2 Node 2.ps1 ├── 4-HCI ARC Setup.ps1 └── 2-NAT Switch L1.ps1 ├── AA-Install_IIS.ps1 ├── Storage ├── _AZ Snapshot.ps1 ├── Set Blob Access Tier.ps1 ├── Download-Blob-NoSecurity.ps1 ├── AzureFilesADAuth.ps1 ├── Storage Spaces │ ├── Tiered Storage Pools.ps1 │ └── Tiered_Pool Max_Performance.ps1 ├── _Azure-Files-Handles.ps1 ├── Snapshot & Replicate.ps1 ├── Download-Blob-with-Security.ps1 ├── Download-Blob-Function.ps1 ├── Prepare a Windows VHD or VHDX to upload to Azure.ps1 └── azure_disk_encryption_PREP.ps1 ├── Build Resources ├── CloudBuild │ ├── MangedID.json │ ├── VNET-Cloud-VDI │ ├── KeyVault.json │ └── NSG-AVD.json ├── Build_vNET.ps1 └── Build_Global_Network.ps1 ├── Certificate_Self Signed.ps1 ├── Disable IPv6.ps1 ├── VMSS-Domain-Join.ps1 ├── _Role Based Access Control └── Custom RBAC.ps1 ├── Chocolatey PS Module.ps1 ├── Azure AD ├── AzureAD Connect.ps1 ├── Build Domain Controller.ps1 ├── Create AzureAD Users.ps1 └── Create Users.ps1 ├── RouteTable.ps1 ├── Secure Password └── SecurePassword.ps1 ├── AutoResize.ps1 ├── Hybrid Connectivity ├── Point-to-Site.ps1 ├── OPEN VPN Point-to-Site.ps1 └── Site-to-Site.ps1 ├── VMScaleSets └── VMSS_App.ps1 ├── SysPrepScript.ps1 └── ______BUILD & Delete Muli Subsciptions.ps1 /Search Websites/list.txt: -------------------------------------------------------------------------------- 1 | https://www.youtube.com/AzureAcademy 2 | https://azure.microsoft.com/en-us/overview/what-is-saas/ 3 | https://en.wikipedia.org/wiki/PowerShell 4 | https://azure.microsoft.com/en-us/overview/what-is-paas/ 5 | https://azure.microsoft.com/en-us/overview/what-is-iaas/ -------------------------------------------------------------------------------- /Azure Stack HCI Prep/1-Nested Virtualization.ps1: 
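# ===== /Azure Stack HCI Prep/1-Nested Virtualization.ps1 =====
###############################
#   Nested Virtualization     #
###############################
# Expose the virtualization extensions to every VM on this Hyper-V host so the
# nested Azure Stack HCI nodes can run Hyper-V themselves. Run elevated; the
# VMs must be powered off for Set-VMProcessor to succeed.
# (A stray "Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true"
# with no VM name used to precede this loop; it could only fail, so it is gone.)
$Nodes = (Get-VM).Name
foreach ($Node in $Nodes) {
    Set-VMProcessor `
        -VMName $Node `
        -ExposeVirtualizationExtensions $true
}


# ===== /Search Websites/SearchWebsite.ps1 =====
# Fetch each URL in list.txt and report whether any <p> element mentions
# PowerShell's code name "Monad".
# Requires Windows PowerShell 5.1: .AllElements comes from the IE DOM parser,
# which PowerShell 7's Invoke-WebRequest does not provide.
$List = Get-Content -LiteralPath 'C:\_VSTS\GitHub\Dean Cefola\DeploymentScripts\David\list.txt'
foreach ($Uri in $List) {
    # list.txt is data, not code: skip blank lines and refuse non-HTTPS
    # entries so an edited list cannot make this script fetch over cleartext.
    if ([string]::IsNullOrWhiteSpace($Uri)) { continue }
    if (-not $Uri.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "$Uri - skipped (not https)"
        continue
    }
    $w = Invoke-WebRequest -Uri $Uri
    $Text = $w.AllElements | Where-Object tagname -EQ "P" | Select-Object innerText
    $results = $Text.innerText
    # -match against an array returns the matching elements; non-empty => hit.
    if ($results -match 'code name "Monad"') {
        Write-Output "$URI - oh YEAH!"
    }
    else {
        Write-Output "$URI - no joy"
    }
}


# ===== /Azure Stack HCI Prep/0-HCI-ADPrep.ps1 =====
# Pre-create the Active Directory objects an Azure Stack HCI deployment needs.
# Supply-chain note: this installs whatever version PSGallery currently serves;
# pin it with -RequiredVersion once you know the version you validated.
Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force -Verbose

# The LCM user credential is prompted for rather than stored in the script.
# Fill in the empty strings (OU, domain FQDN, cluster name, prefix) before running.
New-HciAdObjectsPreCreation `
    -Deploy `
    -AzureStackLCMUserCredential (Get-Credential) `
    -AsHciOUName "" `
    -AsHciPhysicalNodeList @("Node-0","Node-1","Node-2") `
    -DomainFQDN "" `
    -AsHciClusterName "" `
    -AsHciDeploymentPrefix ""


# ===== /AA-Install_IIS.ps1 =====
<#Author : Dean Cefola
# Creation Date: 11-30-2017
# Usage : Install IIS to Windows Server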
#********************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 11/30/2017 1.0 Intial Version
#
#*********************************************************************************
#
#>
# Installs the Web-Server role and appends a greeting to the default IIS start
# page. The Add-Content string literal continues on the following lines.
install-windowsfeature -name Web-Server -IncludeManagementTools
Set-Location -Path c:\inetpub\wwwroot
Add-Content iisstart.htm "

WELCOME to my Web Server $env:COMPUTERNAME, Azure Academy Rocks!

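"
# Restart IIS so the updated start page is served. iisreset is a native
# binary; Invoke-Command with a bare script block just runs it locally.
Invoke-Command -ScriptBlock { iisreset }


# ===== /Storage/_AZ Snapshot.ps1 =====
# Snapshot the OS disk of an Azure VM.
[CmdletBinding()]
##############################
#    WVD Script Parameters   #
##############################
Param (
    [Parameter(Mandatory=$true)]
    [string]$RGName,
    [Parameter(Mandatory=$true)]
    [string]$VMName
)

$a = Get-AzVM -ResourceGroupName $RGName -Name $VMName
$DiskName = $a.StorageProfile.OsDisk.Name
$SourceDisk = Get-AzDisk `
    -ResourceGroupName $a.ResourceGroupName `
    -DiskName $DiskName

# Fixes versus the previous version:
#  * -CreateOption was "Empty" while -SourceResourceId was supplied; a
#    snapshot taken from an existing disk needs -CreateOption Copy.
#  * Location, size and OS type were hard-coded (eastus / 127 GB / Windows)
#    and could silently disagree with the source disk; they now come from it
#    (a Copy snapshot inherits the source size).
#  * -EncryptionSettingsEnabled $false was dropped: explicitly turning
#    encryption settings off on a snapshot of a possibly ADE-encrypted disk is
#    not something a backup helper should do implicitly; let it inherit.
$snapshotconfig = New-AzSnapshotConfig `
    -Location $SourceDisk.Location `
    -OsType $SourceDisk.OsType `
    -CreateOption Copy `
    -SourceResourceId $SourceDisk.Id

# New-AzSnapshot needs a resource group and a snapshot name; piping the VM
# object into it (as before) supplies neither.
$SnapshotName = '{0}-snapshot-{1}' -f $DiskName, (Get-Date -Format 'yyyyMMddHHmmss')
New-AzSnapshot `
    -ResourceGroupName $a.ResourceGroupName `
    -SnapshotName $SnapshotName `
    -Snapshot $snapshotconfig


# ===== /Build Resources/CloudBuild/MangedID.json =====
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "name": {
            "type": "String"
        },
        "location": {
            "type": "String"
        },
        "tagsByResource": {
            "type": "Object"
        }
    },
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "2018-11-30",
            "name": "[parameters('name')]",
            "location": "[parameters('location')]",
            "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.ManagedIdentity/userAssignedIdentities'), parameters('tagsByResource')['Microsoft.ManagedIdentity/userAssignedIdentities'], json('{}')) ]",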
"properties": {} 23 | } 24 | ] 25 | } -------------------------------------------------------------------------------- /Storage/Set Blob Access Tier.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 1-12-2019 3 | # Usage : Set Blob Storage Access Tier 4 | 5 | #************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 1/12/2019 1.0 Intial Version 9 | # 10 | # 11 | #*************************************************************************** 12 | #> 13 | 14 | $RGName = 'CON-UE2-PD1-Shared-RG-01' 15 | $STName = 'msdean' 16 | $Container = 'sap' 17 | $StorageTier = "Cool" 18 | $Key = (Get-AzureRmStorageAccountKey -ResourceGroupName $RGName -Name $STName | select -First 1).Value 19 | $Context = New-AzureStorageContext -StorageAccountName $STName -StorageAccountKey $Key 20 | $Blob = Get-AzureStorageBlob -Container $Container -Context $Context 21 | 22 | $Blob.icloudblob.setstandardblobtier($StorageTier) 23 | 24 | 25 | -------------------------------------------------------------------------------- /Azure Stack HCI Prep/3-NAT Switch L2 Node 0.ps1: -------------------------------------------------------------------------------- 1 | ###################### 2 | # NAT V-Switch # 3 | ###################### 4 | $switchName = "VmNAT" 5 | 6 | New-VMSwitch ` 7 | -Name $switchName ` 8 | -SwitchType Internal 9 | 10 | Wait-Event -Timeout 2 11 | 12 | New-NetNat ` 13 | –Name LocalNAT ` 14 | –InternalIPInterfaceAddressPrefix “172.18.0.0/24” 15 | 16 | Wait-Event -Timeout 2 17 | 18 | $ifIndex = (Get-NetAdapter | ? 
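{$_.Name -like "*$switchName)"}).ifIndex

New-NetIPAddress `
    -IPAddress 172.18.0.1 `
    -InterfaceIndex $ifIndex `
    -PrefixLength 24


#####################
#    DHCP Server    #
#####################
# DHCP for the nested VMs. The scope starts at .50, so the gateway (.1) sits
# outside the lease range. 168.63.129.16 is Azure's platform DNS, reachable
# only from inside an Azure VM/VNet (these nodes are presumably nested on one).
# If this host is domain-joined the DHCP server must also be authorised in AD
# (Add-DhcpServerInDC) before it will answer leases.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

Add-DhcpServerV4Scope `
    -Name "DHCP-$switchName" `
    -StartRange 172.18.0.50 `
    -EndRange 172.18.0.100 `
    -SubnetMask 255.255.255.0

Set-DhcpServerV4OptionValue `
    -Router 172.18.0.1 `
    -DnsServer 168.63.129.16

Restart-Service dhcpserver


# ===== /Azure Stack HCI Prep/3-NAT Switch L2 Node 1.ps1 =====
######################
#    NAT V-Switch    #
######################
# Internal switch plus NAT for the VMs nested on node 1 (172.18.1.0/24).
$switchName = "VmNAT"

New-VMSwitch `
    -Name $switchName `
    -SwitchType Internal

# Was "Wait-Event -Timeout 2", which returns as soon as any event is queued;
# a plain pause is what was intended.
Start-Sleep -Seconds 2

# Typographic dashes/quotes from the original normalised to ASCII.
New-NetNat `
    -Name LocalNAT `
    -InternalIPInterfaceAddressPrefix "172.18.1.0/24"

Start-Sleep -Seconds 2

# The host-side vNIC of an internal switch is named "vEthernet (<switch>)".
$ifIndex = (Get-NetAdapter | Where-Object 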
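{$_.Name -like "*$switchName)"}).ifIndex

New-NetIPAddress `
    -IPAddress 172.18.1.1 `
    -InterfaceIndex $ifIndex `
    -PrefixLength 24


#####################
#    DHCP Server    #
#####################
# DHCP for the nested VMs on node 1; the gateway (.1) is outside the
# .50-.100 lease range. 168.63.129.16 is Azure's platform DNS. A domain-
# joined host must also authorise the DHCP server (Add-DhcpServerInDC).
Install-WindowsFeature -Name DHCP -IncludeManagementTools

Add-DhcpServerV4Scope `
    -Name "DHCP-$switchName" `
    -StartRange 172.18.1.50 `
    -EndRange 172.18.1.100 `
    -SubnetMask 255.255.255.0

Set-DhcpServerV4OptionValue `
    -Router 172.18.1.1 `
    -DnsServer 168.63.129.16

Restart-Service dhcpserver


# ===== /Azure Stack HCI Prep/3-NAT Switch L2 Node 2.ps1 =====
######################
#    NAT V-Switch    #
######################
# Internal switch plus NAT for the VMs nested on node 2 (172.18.2.0/24).
$switchName = "VmNAT"

New-VMSwitch `
    -Name $switchName `
    -SwitchType Internal

# Was "Wait-Event -Timeout 2", which returns as soon as any event is queued;
# a plain pause is what was intended.
Start-Sleep -Seconds 2

# Typographic dashes/quotes from the original normalised to ASCII.
New-NetNat `
    -Name LocalNAT `
    -InternalIPInterfaceAddressPrefix "172.18.2.0/24"

Start-Sleep -Seconds 2

# The host-side vNIC of an internal switch is named "vEthernet (<switch>)".
$ifIndex = (Get-NetAdapter | Where-Object 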
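{$_.Name -like "*$switchName)"}).ifIndex

New-NetIPAddress `
    -IPAddress 172.18.2.1 `
    -InterfaceIndex $ifIndex `
    -PrefixLength 24


#####################
#    DHCP Server    #
#####################
# DHCP for the nested VMs on node 2; the gateway (.1) is outside the
# .50-.100 lease range. 168.63.129.16 is Azure's platform DNS. A domain-
# joined host must also authorise the DHCP server (Add-DhcpServerInDC).
Install-WindowsFeature -Name DHCP -IncludeManagementTools

Add-DhcpServerV4Scope `
    -Name "DHCP-$switchName" `
    -StartRange 172.18.2.50 `
    -EndRange 172.18.2.100 `
    -SubnetMask 255.255.255.0

Set-DhcpServerV4OptionValue `
    -Router 172.18.2.1 `
    -DnsServer 168.63.129.16

Restart-Service dhcpserver


# ===== /Azure Stack HCI Prep/4-HCI ARC Setup.ps1 =====
########################
#    Azure ARC Prep    #
########################
# Supply-chain note: marking PSGallery Trusted removes the per-install prompt
# for every future Install-Module on this node, not just the ones below.
# Pin the modules with -RequiredVersion once you have validated a version.
Register-PSRepository -Default -InstallationPolicy Trusted

Install-Module AzsHCI.ARCinstaller

Install-Module Az.Accounts -Force
Install-Module Az.ConnectedMachine -Force
Install-Module Az.Resources -Force


##########################
#    Azure ARC Config    #
##########################
$Tenant = "YourTenantID"
$Subscription = "YourSubscriptionID"
$RG = "YourResourceGroupName"
$Region = "eastus"
# Device-code flow: no password touches this node, and MFA / Conditional
# Access apply to the interactive sign-in on the other device.
Connect-AzAccount `
    -SubscriptionId $Subscription `
    -TenantId $Tenant `
    -DeviceCode

# $ARMtoken is a bearer token for the signed-in account: do not log it,
# write it to disk, or leave it in the session longer than needed.
# Recent Az.Accounts releases return .Token as a SecureString (TODO confirm
# the installed version); the installer below expects the plain string.
$ARMtoken = (Get-AzAccessToken).Token
$id = (Get-AzContext).Account.Id

try {
    Invoke-AzStackHciArcInitialization `
        -SubscriptionID $Subscription `
        -ResourceGroup $RG `
        -TenantID $Tenant `
        -Region $Region `
        -Cloud "AzureCloud" `
        -ArmAccessToken $ARMtoken `
        -AccountID $id
}
finally {
    # Drop the token from the session once the installer has consumed it.
    Remove-Variable -Name ARMtoken -ErrorAction SilentlyContinue
}


# ===== /Storage/Download-Blob-NoSecurity.ps1 =====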
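<#Author : Dean Cefola
# Creation Date: 08-15-2018
# Usage : Download Blob from Azure With Container Access

#************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 01/04/2019 1.0 Intial Version
#
#************************************************************************
#
#>

####################
#    Input Array   #
####################
# The blob lives in a container with anonymous (public) read access: no
# credential is sent, so anyone who can reach the URL can read it, and
# whoever controls the container controls the script we download. Treat
# the file as untrusted until its hash is checked; set $ExpectedSha256 to
# the known-good digest (leave it empty to skip the check, as before).
$Url = 'https://msdean.blob.core.windows.net/sap/Containers.ps1'
$LocalPath = "C:\temp\Containers.ps1"
$ExpectedSha256 = ''
#param([string]$url, [string]$path)

# Fall back to the current directory when the target folder does not exist.
if(!(Split-Path -parent $LocalPath) -or !(Test-Path -pathType Container (Split-Path -parent $LocalPath))) {
    $LocalPath = Join-Path $pwd (Split-Path -leaf $LocalPath)
}

# Refuse plain http: the file is a .ps1, so a downgrade would let an on-path
# attacker hand us a different script.
if (([Uri]$Url).Scheme -ne 'https') {
    throw "Refusing to download '$Url' over a non-HTTPS scheme."
}

"Downloading [$Url]`nSaving at [$LocalPath]"
# Windows PowerShell 5.1 on older builds can still negotiate TLS 1.0 for
# WebClient, which Azure Storage is retiring; make sure TLS 1.2 is offered.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
$client = New-Object System.Net.WebClient
$client.DownloadFile($Url, $LocalPath)

# Integrity check: delete the file on mismatch so nothing downstream runs it.
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $LocalPath -Force
        throw "SHA256 mismatch for '$LocalPath': expected $ExpectedSha256, got $actual."
    }
}


# ===== /Azure Stack HCI Prep/2-NAT Switch L1.ps1 =====
######################
#    NAT V-Switch    #
######################
# Internal switch plus NAT on the level-1 host (192.168.100.0/24).
$switchName = "VmNAT"

New-VMSwitch `
    -Name $switchName `
    -SwitchType Internal

# Was "Wait-Event -Timeout 2", which returns as soon as any event is queued;
# a plain pause is what was intended.
Start-Sleep -Seconds 2

New-NetNat -Name "LocalNat" `
    -InternalIPInterfaceAddressPrefix "192.168.100.0/24" `
    -Verbose

Start-Sleep -Seconds 2

# The host-side vNIC of an internal switch is named "vEthernet (<switch>)".
$ifIndex = (Get-NetAdapter | Where-Object 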
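{$_.Name -like "*$switchName)"}).ifIndex

New-NetIPAddress `
    -IPAddress 192.168.100.1 `
    -InterfaceIndex $ifIndex `
    -AddressFamily IPv4 `
    -PrefixLength 24


#####################
#    DHCP Server    #
#####################
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# The scope spans the whole /24, including the gateway address; exclude .1
# so the server can never lease its own address to a VM.
Add-DhcpServerV4Scope `
    -Name "DHCP-$switchName" `
    -StartRange 192.168.100.1 `
    -EndRange 192.168.100.254 `
    -SubnetMask 255.255.255.0
Add-DhcpServerv4ExclusionRange `
    -ScopeId 192.168.100.0 `
    -StartRange 192.168.100.1 `
    -EndRange 192.168.100.1

# 20.0.4.4 is a site-specific resolver (presumably a DNS VM in the hub VNet;
# verify before reuse); 168.63.129.16 is Azure's platform DNS.
Set-DhcpServerV4OptionValue `
    -Router 192.168.100.1 `
    -DnsServer 20.0.4.4,168.63.129.16

Restart-Service dhcpserver


# ===== /Certificate_Self Signed.ps1 =====
<#Author : Dean Cefola
# Creation Date: 11-19-2019
# Usage : Self-Signed Certificates
#
#********************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 11/19/2019 1.0 Intial Version
#

#*********************************************************************************
#
#>

# Create a self-signed code-signing certificate and export it as a PFX.
# Fill in the two values below; the previous <"..."> placeholders were not
# valid PowerShell (angle brackets are redirection operators).
$DnsName = 'ENTER-DNS-NAME'
$Subject = 'ENTER-SUBJECT-NAME'
$PfxPath = 'C:\temp\MSAzureAcademy-CodeSigning.pfx'

$cert = New-SelfSignedCertificate `
    -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName $DnsName `
    -Type CodeSigningCert `
    -Subject $Subject `
    -NotAfter (Get-Date).AddMonths(24) `
    -Verbose
$cert

# The PFX contains the private key. The old version passed an empty string to
# ConvertTo-SecureString (which rejects it) and would otherwise have left an
# unprotected signing key under C:\temp for anyone on the box to pick up.
# Prompt for a password, and move the file somewhere with a tight ACL.
$secPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$certPath = "Cert:\LocalMachine\My\$($Cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath $PfxPath -Password $secPassword

# Importing into TrustedPublisher makes every script signed with this key
# trusted under AllSigned/RemoteSigned on that machine; do it only on
# machines that are meant to trust this key.
# Import-PfxCertificate -Password $secPassword -FilePath 'C:\temp\WVD\MSIX\Code Signing Cert\MSAzureAcademy CodeSigning.pfx' -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'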
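# ===== /Disable IPv6.ps1 =====
<#Author : Dean Cefola
# Creation Date: 01-08-2014
# Usage : Disable IPv6
#
#***********************************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 01-08-2014 1.0 Intial Version
#
#************************************************************************************************
#>


#------------------------------Disable IPv6------------------------------#
# Turn off the IPv6 transition tunnels. Microsoft does not recommend
# disabling IPv6 outright (several Windows components assume it); kept for
# environments that have made that decision deliberately.
Netsh int teredo set state disabled
Netsh int isatap set state disabled
Netsh int 6to4 set state disabled undoonstop=disabled
Write-Host -ForegroundColor Green "IPv6 Disabled on"
Write-Host -ForegroundColor Yellow -BackgroundColor Black $env:COMPUTERNAME


#------------------------------Change Registry Settings------------------------------#
# DisabledComponents: Microsoft's documented value for "disable IPv6 on all
# interfaces" is 0xFF. The previous 4294967295 (0xFFFFFFFF) sets undocumented
# bits and is known to add a multi-second delay at boot. -Force makes the
# write idempotent (New-ItemProperty otherwise fails if the value exists).
# The unused Push-Location/Set-Location pair was removed. A reboot is
# required for the change to take effect.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
New-ItemProperty -Path $Tcpip6Params -Name "DisabledComponents" -PropertyType "DWord" -Value 0xFF -Force | Out-Null


# ===== /VMSS-Domain-Join.ps1 =====
# Stage the JsonADDomainExtension on a scale-set object so its instances join
# $DomainName.
[CmdletBinding()]
param (
    $DomainName,
    $DomainArmUserName,
    # Domain-join password. It goes into the extension's protectedSettings
    # (encrypted by Azure, never returned by the API) but arrives here as a
    # plain string: pass it from a Key Vault reference or a secret pipeline
    # variable, never as a literal in the calling script.
    $DomainArmPass,
    $OUPath,
    $ResourceGroup,
    $ScaleSetObject
)

Write-Host "Join the VMSS instances to $DomainName ...";

$domainJoinName = "vmssjoindomain"

# JoinOptions.NETSETUP_JOIN_DOMAIN | JoinOptions.NETSETUP_ACCT_CREATE
$Settings = @{
    "Name" = $DomainName;
    "User" = $DomainArmUserName;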
"Restart" = "true"; 20 | "Options" = 3; 21 | "OUPath" = $OUPath; 22 | } 23 | 24 | $ProtectedSettings = @{ 25 | "Password" = $DomainArmPass 26 | } 27 | 28 | try { 29 | Remove-AzVmssExtension ` 30 | -VirtualMachineScaleSet $ScaleSetObject ` 31 | -Name $domainJoinName ` 32 | -ErrorAction SilentlyContinue | Out-Null 33 | } 34 | catch { 35 | Write-Host "Remove existing domain join extension failed. Ignore if it is VMSS creation."; 36 | Write-Host "Error info: $_" 37 | } 38 | 39 | Add-AzVmssExtension ` 40 | -VirtualMachineScaleSet $ScaleSetObject ` 41 | -Publisher "Microsoft.Compute" ` 42 | -Type "JsonADDomainExtension" ` 43 | -TypeHandlerVersion 1.3 ` 44 | -Name $domainJoinName ` 45 | -Setting $Settings ` 46 | -ProtectedSetting $ProtectedSettings ` 47 | -AutoUpgradeMinorVersion $true ` 48 | -Verbose | Out-Null 49 | -------------------------------------------------------------------------------- /_Role Based Access Control/Custom RBAC.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 10-15-2017 3 | # Usage : Create Custom RBAC Role 4 | 5 | #************************************************************************ 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 10/15/2017 1.0 Intial Version 9 | # 10 | #************************************************************************ 11 | # 12 | #> 13 | 14 | #################### 15 | # Input Array # 16 | #################### 17 | $role = Get-AzureRmRoleDefinition -Name "Owner" 18 | 19 | 20 | ################################# 21 | # Create Custom RBAC Role # 22 | ################################# 23 | $role.Id = $null 24 | $role.Name = "Deletion Manager" 25 | $role.Description = "Can Delete Resource Groups." 
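$role.Actions.RemoveRange(0,$role.Actions.Count)
# Deleting a resource group deletes everything inside it regardless of the
# caller's rights on the individual resources: keep the assignable scope
# narrow and assign this role to as few principals as possible.
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/delete")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/3a8206a1-e9f3-44a2-84f0-e532b9862258")


###########################
#    Apply Custom Role    #
###########################
New-AzureRmRoleDefinition -Role $role


# ===== /Chocolatey PS Module.ps1 =====
<#Author : Dean Cefola
# Creation Date: 02-23-2021
# Usage : PS Gallery / Chocolatey Setup

#********************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 02/23/2021 1.0 Initial Version
#
#*********************************************************************************
#
#>


####################################
#    Check PSGallery Repository    #
####################################
# Get-PSRepository returns $null (not $false) when the repository is missing,
# so the old "-eq $false" test could never reach the Register branch.
$PSRepo = Get-PSRepository -Name PSGallery -ErrorAction SilentlyContinue
if (-not $PSRepo) {
    Write-Host 'Add PSGallery Repository'
    Register-PSRepository -Default
}
else {
    Write-Host 'Set PSGallery Repository as Trusted'
}
# Trusted suppresses the untrusted-repository prompt for every later
# Install-Module from PSGallery on this machine, not only the one below.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted -Verbose


############################
#    Install Chocolatey    #
############################
# The version is pinned. -AllowPrerelease is retained in case 0.0.71 is a
# prerelease listing (TODO confirm); -AcceptLicense because the module asks
# for license acceptance.
Install-Module `
    -Name chocolatey `
    -RequiredVersion 0.0.71 `
    -Force `
    -AllowClobber `
    -AllowPrerelease `
    -Repository PSGallery `
    -AcceptLicense `
    -Verbose
Import-Module -Name chocolatey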
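# ===== /Azure AD/AzureAD Connect.ps1 =====
<#Author : Dean Cefola
# Creation Date: 08-01-2019
# Usage : Azure AD Connect

#********************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 08/01/2019 1.0 Intial Version
#
#
#*********************************************************************************
#
#>


####################################
#    Install PowerShell Modules    #
####################################
# Az and AzureRM are not meant to coexist on one machine; Microsoft's guidance
# is to uninstall AzureRM before installing Az, and -AllowClobber hides that
# conflict rather than resolving it. AzureAD and MSOnline are likewise
# deprecated in favour of Microsoft.Graph. Left as-is because the commands
# below still use them; pin versions (-RequiredVersion) in real use.
Find-Module -Name AzureAD | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name AZ | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name AzureRM | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name MSonline | Install-Module -Force -AllowClobber -Verbose



################################
#    Authenticate to Azure     #
################################
# Username/password sign-in (-Credential) cannot satisfy MFA or Conditional
# Access and needs a password-capable account; for a privileged admin account
# an interactive or device-code sign-in is the safer choice.
$Admin = 'WVD@MSAzureAcademy.com'
$creds = Get-Credential `
    -UserName $Admin `
    -Message "Enter Password for Azure Credentials"

Connect-AzAccount -Credential $creds
#Login-AzureRmAccount -Credential $creds
Connect-AzureAD -Credential $creds
Connect-MsolService -Credential $creds


###################################
#    Azure AD Connect Commands    #
###################################
# Run on the Azure AD Connect server. Start-ADSyncSyncCycle only queues a
# cycle; a Delta request issued straight after the Initial one is likely to be
# rejected because a sync is already running (TODO confirm on the installed
# version). Wait for the initial cycle to finish before requesting a delta.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
Start-ADSyncSyncCycle -PolicyType Delta


# ===== /RouteTable.ps1 =====
# Add one route per entry to the named route tables (two passes below).
$UDRTable = @(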
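@{AddressPrefix='10.10.0.0/16';RTName="rt-10.12.108.0-cus-prod-001";RouteName='rt-10.10.0.0-16';RGName='rg-hub-prod-cus-001';Subnet='10.12.108.0/24';Hub='10.10.0.0/16';NextHopType='VirtualAppliance';NextHop='10.10.201.4'}
@{AddressPrefix='10.11.0.0/16';RTName="rt-10.12.109.0-cus-prod-001";RouteName='rt-10.11.0.0-16';RGName='rg-hub-prod-cus-002';Subnet='10.12.109.0/24';Hub='10.10.0.0/16';NextHopType='VirtualAppliance';NextHop='10.10.201.4'}
)
# Bug fix: the loop body read $UDRTable.<prop> (every entry's value at once)
# instead of $Job.<prop>, so each cmdlet was handed an array where it expects
# a single string.
ForEach($Job in $UDRTable) {
    Get-AzRouteTable `
        -ResourceGroupName $Job.RGName `
        -Name $Job.RTName | `
    Add-AzRouteConfig `
        -Name $Job.RouteName `
        -AddressPrefix $Job.AddressPrefix `
        -NextHopType $Job.NextHopType `
        -NextHopIpAddress $Job.NextHop | `
    Set-AzRouteTable
}


# Second pass: a VirtualNetwork route for each subnet's own prefix.
$UDRTable = @(
@{AddressPrefix='10.10.0.0/16';RTName="rt-10.12.108.0-cus-prod-001";RouteName='rt-subnetspecific';RGName='rg-hub-prod-cus-001';Subnet='10.12.108.0/24';Hub='10.10.0.0/16';NextHopType='VirtualNetwork';NextHop=''}
@{AddressPrefix='10.11.0.0/16';RTName="rt-10.12.109.0-cus-prod-001";RouteName='rt-subnetspecific';RGName='rg-hub-prod-cus-002';Subnet='10.12.109.0/24';Hub='10.10.0.0/16';NextHopType='VirtualNetwork';NextHop=''}
)
ForEach($Job in $UDRTable) {
    # Same $Job fix as above. The pipe before Set-AzRouteTable was also
    # missing, which made "Set-AzRouteTable" a stray positional argument to
    # Add-AzRouteConfig instead of the cmdlet that commits the change.
    Get-AzRouteTable `
        -ResourceGroupName $Job.RGName `
        -Name $Job.RTName | `
    Add-AzRouteConfig `
        -Name $Job.RouteName `
        -AddressPrefix $Job.Subnet `
        -NextHopType $Job.NextHopType | `
    Set-AzRouteTable
}


# ===== /Secure Password/SecurePassword.ps1 =====
<#Author : Dean Cefola
# Creation Date: 01-29-2017
# Usage : Generate Encrypted Passwords

#********************************************************************************
# Date Version Changes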
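#------------------------------------------------------------------------
# 01/29/2017 1.0 Intial Version
#
#*********************************************************************************
#
#>

# Writes a small script (template.ps1) that rebuilds a PSCredential from an
# AES-encrypted password.
#
# SECURITY: the AES key is written into the same file as the ciphertext, so
# anyone who can read template.ps1 can recover the password. This is
# obfuscation, not protection. Treat template.ps1 as a plaintext secret:
# restrict its ACL, keep it out of source control, and prefer a real secret
# store (Windows Credential Manager, Azure Key Vault) where one is available.

# Path to the script to be created:
$path = "C:\temp\EncryptPasswords"
$TemplatePath = "$Path\template.ps1"
if ((Test-Path -LiteralPath $Path) -ne $True) {
    Write-Host `
        -ForegroundColor Cyan `
        -BackgroundColor Black `
        "Creating Temp Folder for Import"
    # Previously created only C:\temp; create the folder actually used.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
}
# Create empty template script:
New-Item -ItemType File $TemplatePath -Force -ErrorAction SilentlyContinue
# ($pwd shadowed the automatic $PWD variable; renamed.)
$securePwd = Read-Host 'Enter Password' -AsSecureString
$user = Read-Host 'Enter Username'
# Get-Random is not a cryptographic RNG. Draw the 256-bit key from the
# platform CSPRNG instead; same shape as before (32 values, 0..255), so the
# generated template is unchanged.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$pwdencrypted = $securePwd | ConvertFrom-SecureString -Key $key
$private:ofs = ' '
('$password = "{0}"' -f $pwdencrypted) | Out-File $TemplatePath
('$key = "{0}"' -f "$key") | Out-File $TemplatePath -Append
'$passwordSecure = ConvertTo-SecureString -String $password -Key ([Byte[]]$key.Split(" "))' |
    Out-File $TemplatePath -Append
('$cred = New-Object system.Management.Automation.PSCredential("{0}", $passwordSecure)' -f $user) |
    Out-File $TemplatePath -Append
'$cred' | Out-File $TemplatePath -Append
ise $TemplatePath


# ===== /Storage/AzureFilesADAuth.ps1 =====
# Unblock importing AzFilesHybrid.psm1. -Scope Process confines the relaxed
# policy to this session; the previous -Scope CurrentUser persisted
# "Unrestricted" in the registry for every future session of this user.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
.\CopyToPSPath.ps1

#Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid

#Login with an Azure AD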
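# credential that has either Storage Account Owner or Contributor RBAC assignment.
# -Credential sign-in cannot satisfy MFA / Conditional Access; for an account
# with Owner rights prefer an interactive Connect-AzAccount.
$creds = Get-Credential -Message "Enter Creds"
Connect-AzAccount -Credential $creds

#Select the target subscription for the current session
Select-AzSubscription -SubscriptionId "25603d65-4ffd-4496-815d-417e73e71da3"

###################
#    Variables    #
###################
$ResrouceGroupName = ""
$StorageAccountName = ""
$OUName = "ACTIVE DIRECTORY OU NAME FOR COMPUTER/SERVICE ACCOUNT OBJECT TO BE CREATED"

# Register the storage account with AD by creating a computer object under
# $OUName. Caveat from the Azure Files docs (TODO confirm current guidance):
# AD rotates computer-account passwords by policy, but the storage account's
# copy is not rotated with it, so either exempt this object from rotation or
# rotate it with Update-AzStorageAccountADObjectPassword; otherwise Kerberos
# authentication to the share breaks later without an obvious cause.
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResrouceGroupName `
    -Name $StorageAccountName `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitName $OUName `
    -Domain $env:USERDNSDOMAIN


#Get the target storage account
$storageaccount = Get-AzStorageAccount `
    -ResourceGroupName $ResrouceGroupName `
    -Name $StorageAccountName

#List the directory service of the selected service account
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

#List the directory domain information if the storage account has enabled AD authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties


# ===== /Azure AD/Build Domain Controller.ps1 =====
<#Author : Dean Cefola
# Creation Date: 8-26-2019
# Usage : Build Domain Controller

#**************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 8/26/2019 1.0 Intial Version
#
#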
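#***************************************************************************
#>


############################
#    DC Build Variables    #
############################
# Promote this server to the first domain controller of a new forest.
$DomainAdmin = $env:USERNAME
$DomainPassword = Read-Host -Prompt "Enter Domain Admin Password" -AsSecureString
# DSRM (Safe Mode) password. Previously the domain admin password was reused
# for it; the DSRM password is a separate local credential that lives on the
# DC and should not be the same secret.
$SafeModePassword = Read-Host -Prompt "Enter DSRM (Safe Mode Administrator) Password" -AsSecureString
$DomainFQDN = Read-Host -Prompt "Enter Fully Qualified Domain Name"
$DomainNetBios = $DomainFQDN.Split('.') | Select-Object -First 1
$DomainSuffix = $DomainFQDN.Split('.') | Select-Object -Last 1
$admin = $DomainAdmin
$DomainUser = $admin + "@" + $domainFQDN
# Built for follow-on scripts; Install-ADDSForest itself does not use it.
$DomainCredential = New-Object System.Management.Automation.PSCredential (
    $DomainUser, $DomainPassword)


######################
#    DC Build Out    #
######################
Install-WindowsFeature `
    -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
# NTDS/SYSVOL on C: is fine for a lab; production DCs put them on a
# dedicated data disk.
Install-ADDSForest `
    -DomainName $DomainFQDN `
    -DomainNetbiosName $DomainNetBios `
    -DatabasePath "C:\NTDS" `
    -LogPath "C:\NTDS" `
    -SysvolPath "C:\SYSVOL" `
    -DomainMode "WinThreshold" `
    -ForestMode "WinThreshold" `
    -CreateDNSDelegation:$false `
    -InstallDns:$true `
    -NoRebootOnCompletion:$true `
    -Force:$true `
    -SafeModeAdministratorPassword $SafeModePassword
Restart-Computer -Force


# ===== /Storage/Storage Spaces/Tiered Storage Pools.ps1 =====
# Build a three-tier storage pool (SCM / SSD / HDD) from every poolable disk.
Get-PhysicalDisk
$disks = Get-PhysicalDisk | Where-Object { $_.CanPool -eq $true }
$PoolName = 'TieredPool'
New-StoragePool `
    -StorageSubSystemFriendlyName "Windows*" `
    -FriendlyName $PoolName `
    -PhysicalDisks $disks
# Media type is assigned by disk size (256 GB -> SCM, 512 GB -> SSD,
# 4095 GB -> HDD): a convention of this lab, presumably because the attached
# disks report no usable media type of their own. Check Get-PhysicalDisk
# output before relying on it.
$Prem_ssd_disks = Get-PhysicalDisk | Where-Object -Property Size -EQ 256GB
$Prem_ssd_disks | Set-PhysicalDisk -MediaType SCM
$STan_ssd_disks = Get-PhysicalDisk | Where-Object 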
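-Property Size -EQ 512GB
$STan_ssd_disks | Set-PhysicalDisk -MediaType SSD
$hdd_disks = Get-PhysicalDisk | Where-Object -Property Size -EQ 4095GB
$hdd_disks | Set-PhysicalDisk -MediaType HDD

$Prem_tier = New-StorageTier `
    -StoragePoolFriendlyName $PoolName `
    -FriendlyName Prem_Tier `
    -MediaType SCM
$ssd_tier = New-StorageTier `
    -StoragePoolFriendlyName $PoolName `
    -FriendlyName SSD_Tier `
    -MediaType SSD
$hdd_tier = New-StorageTier `
    -StoragePoolFriendlyName $PoolName `
    -FriendlyName HDD_Tier `
    -MediaType HDD

# NOTE(review): this carves 500/1000/8000 GB out of the tiers, and New-Volume
# below asks for another 499/999/7999 GB from the same pool under the same
# friendly name. The pool is unlikely to satisfy both; one of the two
# allocations looks superseded. Confirm which is intended before running.
$vd1 = New-VirtualDisk `
    -StoragePoolFriendlyName $PoolName `
    -FriendlyName TieredPool `
    -StorageTiers @($Prem_tier, $ssd_tier, $hdd_tier) `
    -StorageTierSizes @(500GB, 1000GB, 8000GB) `
    -ResiliencySettingName Simple `
    -ProvisioningType Fixed `
    -FaultDomainAwareness PhysicalDisk `
    -Usage Unrestricted `
    -AutoWriteCacheSize
# Initialise the disk that backs $vd1 directly. The previous
# "Get-Disk | Select -Last 1" picked whichever disk enumerated last, which
# is not guaranteed to be the new virtual disk.
Initialize-Disk `
    -Number ($vd1 | Get-Disk).Number `
    -PartitionStyle GPT
New-Volume `
    -StoragePoolFriendlyName $PoolName `
    -FriendlyName $PoolName `
    -AccessPath "M:" `
    -ResiliencySettingName "Simple" `
    -ProvisioningType "Fixed" `
    -StorageTiers @($Prem_tier, $ssd_tier, $hdd_tier) `
    -StorageTierSizes 499GB, 999GB, 7999GB `
    -FileSystem NTFS


# ===== /Storage/_Azure-Files-Handles.ps1 =====
<#Author : Dean Cefola
# Creation Date: 04-08-2020
# Usage : AZURE - File Storage Handles

#**************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 04/08/2020 1.0 Intial Version
#
#***************************************************************************
#
#>



######################
#    Set Variables   #
######################
$rgname = 'ADAuth-FSLogix-WVD'
$StorageAccountName =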
'adauthfslogixwvd000' 21 | $shareName = 'fslogix' 22 | 23 | 24 | ################################## 25 | # Set Storage Environment # 26 | ################################## 27 | $stname = Get-AzStorageAccount ` 28 | -ResourceGroupName $rgname ` 29 | -Name $StorageAccountName 30 | $key = Get-AzStorageAccountKey ` 31 | -ResourceGroupName $rgname ` 32 | -Name $stname.StorageAccountName | select -First 1 33 | $storageContext = New-AzStorageContext ` 34 | -StorageAccountName $stname.StorageAccountName ` 35 | -StorageAccountKey $key.value 36 | $share = Get-AzStorageShare -Name $shareName ` 37 | -Context $storageContext 38 | 39 | 40 | ##################################### 41 | # Check for open file handles # 42 | ##################################### 43 | Get-AzStorageFileHandle ` 44 | -Context $storageContext ` 45 | -ShareName $shareName ` 46 | -Recursive ` 47 | | Format-Table -AutoSize 48 | 49 | 50 | ################################# 51 | # Close open file handles # 52 | ################################# 53 | Close-AzStorageFileHandle ` 54 | -Context $storageContext ` 55 | -ShareName "fslogix" ` 56 | -Recursive ` 57 | -CloseAll ` 58 | -Verbose 59 | 60 | -------------------------------------------------------------------------------- /AutoResize.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-01-2022 3 | # Usage : Auto Resize Script / Azure RunBook 4 | #******************************************************************************** 5 | # Date Version Changes 6 | #------------------------------------------------------------------------ 7 | # 08/01/2022 1.0 Intial Version 8 | # 9 | #********************************************************************************* 10 | # 11 | #> 12 | ############################## 13 | # AutoResize Parameters # 14 | ############################## 15 | Param ( 16 | [CmdletBinding()] 17 | [Parameter(Mandatory=$true)] 18 | [string]$LAWorkspaceName, 19 | 
[Parameter(Mandatory=$true)] 20 | [string]$Region, 21 | [Parameter(Mandatory=$true)] 22 | [string]$VMName, 23 | [Parameter(Mandatory=$true)] 24 | [string]$RGName 25 | ) 26 | #$LAWorkspaceName = 'MSAA-LogAnalytics-r345xqot624z2' 27 | 28 | ################## 29 | # Variables # 30 | ################## 31 | $LAWorkspace = (Get-AzOperationalInsightsWorkspace ` 32 | | Where-Object ` 33 | -Property name ` 34 | -eq $LAWorkspaceName).CustomerId.GUID 35 | 36 | 37 | ################### 38 | # Resize VMs # 39 | ################### 40 | if($RGName -eq $null) { 41 | Write-Host ` 42 | -ForegroundColor Cyan ` 43 | -BackgroundColor Black "Resize VM" 44 | Wait-Event -Timeout 2 45 | set-vmRightSize ` 46 | -targetVMName $VMName ` 47 | -workspaceId $LAWorkspace ` 48 | -region $Region ` 49 | -verbose ` 50 | -WhatIf 51 | } 52 | Else { 53 | Write-Host ` 54 | -ForegroundColor yellow ` 55 | -BackgroundColor Black "Resize Resource Group" 56 | Wait-Event -Timeout 2 57 | set-rsgRightSize ` 58 | -targetRSG $RGName ` 59 | -workspaceId $LAWorkspace ` 60 | -region $Region ` ` 61 | -measurePeriodHours 24 ` 62 | -WhatIf ` 63 | -Verbose 64 | } 65 | 66 | 67 | -------------------------------------------------------------------------------- /Azure AD/Create AzureAD Users.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-01-2019 3 | # Usage : Create Azure AD Users 4 | 5 | #******************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 08/01/2019 1.0 Intial Version 9 | # 10 | # 11 | #********************************************************************************* 12 | # 13 | #> 14 | 15 | 16 | ################################## 17 | # Azure AD Users Variables # 18 | ################################## 19 | $DomainName = 'MSAzureAcademy' 20 | $DomainSuffix = 'com' 21 | $FQDN = 
"$DomainName.$DomainSuffix" 22 | $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile 23 | $PasswordProfile.Password = Read-Host -Prompt "Enter Default Password" -AsSecureString 24 | $PasswordProfile.EnforceChangePasswordPolicy = $false 25 | $PasswordProfile.ForceChangePasswordNextLogin = $false 26 | 27 | 28 | ############################### 29 | # Create Azure AD Users # 30 | ############################### 31 | $AzureADUsersList = @( 32 | ,@("AdamWarlock", "AdamWarlock@$FQDN") 33 | ,@("Batman", "Batman@$FQDN") 34 | ,@("BlackWidow", "BlackWidow@$FQDN") 35 | ,@("CaptainAmerica", "CaptainAmerica@$FQDN") 36 | ,@("DrStrange", "DrStrange@$FQDN") 37 | ,@("Gamora", "Gamora@$FQDN ") 38 | ,@("Hulk", "Hulk@$FQDN") 39 | ,@("MariaHill", "MariaHill@$FQDN") 40 | ,@("NickFury", "NickFury@$FQDN") 41 | ,@("Nova", "Nova@$FQDN") 42 | ,@("Rocket", "Rocket@$FQDN") 43 | ,@("Spiderman", "Spiderman@$FQDN") 44 | ,@("StarLord", "StarLord@$FQDN") 45 | ,@("Superman", "Superman@$FQDN") 46 | ,@("Thor", "Thor@$FQDN") 47 | ,@("WonderWoman", "WonderWoman@$FQDN") 48 | ) 49 | ForEach($RM in $AzureADUsersList) { 50 | $RM_Name = $Prefix + $RM[0] 51 | $RM_Email = $RM[1] 52 | New-AzureADUser ` 53 | -DisplayName $RM_Name ` 54 | -PasswordProfile $PasswordProfile ` 55 | -UserPrincipalName $RM_Email ` 56 | -AccountEnabled $true ` 57 | -MailNickName $RM_Name ` 58 | -Verbose 59 | } 60 | -------------------------------------------------------------------------------- /Hybrid Connectivity/Point-to-Site.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 10-17-2017 3 | # Usage : AZURE - Create ExpressRoute 4 | 5 | #************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 10/17/2017 1.0 Intial Version 9 | # 10 | 
#*************************************************************************** 11 | # 12 | #> 13 | 14 | ############################################### 15 | # Create a self-signed root certificate # 16 | ############################################### 17 | if((Test-Path -Path c:\temp -ErrorAction SilentlyContinue) -eq $false){ 18 | mkdir C:\temp 19 | cd 'C:\temp' 20 | } 21 | else { 22 | cd 'C:\temp' 23 | } 24 | $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature ` 25 | -Subject "CN=AARoot" ` 26 | -KeyExportPolicy Exportable ` 27 | -HashAlgorithm sha256 ` 28 | -KeyLength 2048 ` 29 | -CertStoreLocation "Cert:\CurrentUser\My" ` 30 | -KeyUsageProperty Sign -KeyUsage CertSign 31 | 32 | 33 | ####################################### 34 | # Generate a client certificate # 35 | ####################################### 36 | New-SelfSignedCertificate ` 37 | -Type Custom ` 38 | -DnsName P2SChildCert ` 39 | -KeySpec Signature ` 40 | -Subject "CN=AAClient" ` 41 | -KeyExportPolicy Exportable ` 42 | -HashAlgorithm sha256 ` 43 | -KeyLength 2048 ` 44 | -CertStoreLocation "Cert:\CurrentUser\My" ` 45 | -Signer $cert ` 46 | -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") 47 | 48 | 49 | ############################# 50 | # Export Certificates # 51 | ############################# 52 | $RootCert = (Get-ChildItem ` 53 | -Path "Cert:\CurrentUser\My\"` 54 | | Where-Object ` 55 | -Property subject ` 56 | -Match AARoot) 57 | $ClientCert = (Get-ChildItem ` 58 | -Path "Cert:\CurrentUser\My\"` 59 | | Where-Object ` 60 | -Property subject ` 61 | -Match AAClient) 62 | Export-Certificate ` 63 | -Type CERT ` 64 | -Cert $RootCert ` 65 | -FilePath 'C:\temp\AARootTemp.cer' ` 66 | -Force 67 | Export-Certificate ` 68 | -Type CERT ` 69 | -Cert $ClientCert ` 70 | -FilePath 'C:\temp\AAClient.cer' ` 71 | -Force 72 | certutil -encode 'C:\temp\AARootTemp.cer' 'AARoot.cer' 73 | Get-Content C:\temp\AARoot.cer 74 | cd c:\ 75 | 
-------------------------------------------------------------------------------- /Storage/Snapshot & Replicate.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 06-17-2019 3 | # Usage : Take & Replicate VM Disk Snapshot to another Azure Region 4 | 5 | #****************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------------ 8 | # 06/17/2019 1.0 Intial Version 9 | # 10 | #****************************************************************************** 11 | # 12 | #> 13 | 14 | 15 | ########################## 16 | # Get Required Info # 17 | ########################## 18 | $SubscriptionName = 'Azure CXP FTA Internal Subscription DEACEF-2' 19 | $ResourceGroupName = 'Mautic' 20 | $VMName = 'Mautic' 21 | $Destination = 'westus' 22 | 23 | 24 | ############################# 25 | # Get System Variables # 26 | ############################# 27 | $Month = (Get-Date).Month 28 | $Day = (Get-Date).day 29 | $Year = (Get-Date).year 30 | $snapshotName = "Cycle-$Month-$Day-$Year" 31 | $VM = Get-AzureRmVM | ? 
Name -Match $VMName 32 | $VMLocation = $VM.Location 33 | $VMDiskName = $VM.StorageProfile.OsDisk.Name 34 | $VMDiskSize = $VM.StorageProfile.OsDisk.DiskSizeGB 35 | $VMDiskID = $VM.StorageProfile.OsDisk.ManagedDisk.Id 36 | $RepDiskName = "$VMName-DataDisk-$snapshotName" 37 | 38 | 39 | ############################## 40 | # Take VM Disk SnapShot # 41 | ############################## 42 | $snapshotconfig = New-AzureRmSnapshotConfig -Location $VMLocation -CreateOption copy -SourceUri $VMDiskID 43 | New-AzureRmSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName -Snapshot $snapshotconfig -verbose 44 | $snapshot = Get-AzureRmSnapshot -ResourceGroupName $ResourceGroupName -SnapshotName $snapshotName 45 | 46 | 47 | ######################################## 48 | # Replicate SnapShot to DR Region # 49 | ######################################## 50 | $Disk = Get-AzureRmDisk -ResourceGroupName $ResourceGroupName -DiskName $VMDiskName 51 | $DiskConfig = New-AzureRmDiskConfig -AccountType $disk.Sku.Name -Location $VMLocation -SourceResourceId $snapshot.Id -CreateOption Copy 52 | $NewDisk = New-AzureRmDisk -Disk $DiskConfig -ResourceGroupName $ResourceGroupName -DiskName "$RepDiskName" 53 | 54 | 55 | Move-AzureRmResource -ResourceId '/subscriptions/25603d65-4ffd-4496-815d-417e73e71da3/resourceGroups/Mautic/providers/Microsoft.Compute/disks/Mautic-DataDisk-Cycle-6-18-2019' -DestinationResourceGroupName asdasdad -Force 56 | 57 | -------------------------------------------------------------------------------- /Storage/Download-Blob-with-Security.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-15-2018 3 | # Usage : download a file from Azure Blob storage with Security 4 | 5 | #************************************************************************ 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 08/15/2018 1.0 Intial 
Version 9 | # 10 | #************************************************************************ 11 | # 12 | #> 13 | 14 | # READ ME # 15 | <# 16 | .Synopsis 17 | download file from Azure Blob Storage with security: 18 | 19 | .Description 20 | Script to download blob from Azure storage with access keys 21 | 22 | .Parameter RGName 23 | Name of the Resource Group the Storage Account is in 24 | 25 | .Parameter STName 26 | Name of the Storage Account 27 | 28 | .Parameter Container 29 | Name of the Storage Account Blob Container 30 | 31 | .Parameter FileName 32 | Name of the File to Download 33 | 34 | .Parameter LocalPath 35 | Path the local folder to download the Blob 36 | 37 | 38 | 39 | .Example 40 | # Download Blob File 41 | Download-BlobFile ` 42 | -RGName $RGName ` 43 | -STName $STName ` 44 | -Container $Container ` 45 | -LocalPath $LocalPath 46 | -FileName $FileName 47 | 48 | #> 49 | 50 | 51 | ######################### 52 | # Input Variables # 53 | ######################### 54 | $RGName = 'con-ue2-pd1-shared-rg-01' 55 | $STName = 'msdean' 56 | $Container = 'test' 57 | $FileName = 'LinuxCommands.txt' 58 | $LocalPath = "C:\temp\$FileName" 59 | 60 | 61 | ################################# 62 | # Set Variables lowercase # 63 | ################################# 64 | $RGName = $RGName.ToLower() 65 | $STName = $STName.ToLower() 66 | $Container = $Container.ToLower() 67 | 68 | 69 | ##################################### 70 | # Get Storage Account Context # 71 | ##################################### 72 | $stokey = (Get-AzureRmStorageAccountKey -ResourceGroupName $RGName -Name $STName).Value[0] 73 | $StorageContext = New-AzureStorageContext ` 74 | -StorageAccountName $STName ` 75 | -StorageAccountKey $stokey 76 | 77 | 78 | ############################ 79 | # Download Blob File # 80 | ############################ 81 | $Uri = "https://$STName.blob.core.windows.net/$Container/$FileName" 82 | $StartTime = Get-Date 83 | $EndTime = $startTime.AddMinutes(5.0) 84 | $SAS = 
New-AzureStorageBlobSASToken ` 85 | -Context $StorageContext ` 86 | -Container $Container ` 87 | -Blob $FileName ` 88 | -Permission rwd ` 89 | -StartTime $StartTime ` 90 | -ExpiryTime $EndTime 91 | $SecureUri = "$uri$SAS" 92 | $LocalPath = "C:\temp\$FileName" 93 | Wait-Event -Timeout 2 94 | Invoke-WebRequest -Uri $SecureUri -OutFile $LocalPath 95 | -------------------------------------------------------------------------------- /Build Resources/Build_vNET.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-15-2021 3 | # Usage : Create Multiple Virtual Networks 4 | #************************************************************************ 5 | # Date Version Changes 6 | #------------------------------------------------------------------------ 7 | # 08/15/2021 1.0 Intial Version 8 | # 9 | #************************************************************************ 10 | # 11 | #> 12 | 13 | 14 | ################## 15 | # Check RG # 16 | ################## 17 | $RGName = 'vnetMgr' 18 | If (!(Get-AzResourceGroup -name $RGName -ErrorAction SilentlyContinue)) { 19 | Write-Host -ForegroundColor Red -BackgroundColor Black "Creating Resource Group" 20 | New-AzResourceGroup -Name $RGName -Location 'eastus' 21 | } 22 | else { 23 | Write-Host -ForegroundColor Cyan -BackgroundColor Black "Resource Group $RGName already exists" 24 | } 25 | 26 | 27 | #################### 28 | # Input Array # 29 | #################### 30 | $vNETs = @( 31 | @{Name="vNETMgr-0-Prod";Location='northcentralus';AddressPrefix='192.168.0.0/24'} 32 | @{Name="vNETMgr-0-Dev";Location='northcentralus';AddressPrefix='192.168.1.0/24'} 33 | @{Name="vNETMgr-1-Prod";Location='westus';AddressPrefix='192.168.2.0/24'} 34 | @{Name="vNETMgr-1-Dev";Location='westus';AddressPrefix='192.168.3.0/24'} 35 | @{Name="vNETMgr-2-Prod";Location='eastus';AddressPrefix='192.168.4.0/24'} 36 | 
@{Name="vNETMgr-2-Dev";Location='eastus';AddressPrefix='192.168.5.0/24'} 37 | @{Name="vNETMgr-3-Prod";Location='eastus2';AddressPrefix='192.168.6.0/24'} 38 | @{Name="vNETMgr-3-Dev";Location='eastus2';AddressPrefix='192.168.7.0/24'} 39 | @{Name="vNETMgr-4-Prod";Location='westus2';AddressPrefix='192.168.8.0/24'} 40 | @{Name="vNETMgr-4-Dev";Location='westus2';AddressPrefix='192.168.9.0/24'} 41 | @{Name="vNETMgr-5-Prod";Location='NorthEurope';AddressPrefix='192.168.10.0/24'} 42 | @{Name="vNETMgr-5-Dev";Location='NorthEurope';AddressPrefix='192.168.11.0/24'} 43 | @{Name="vNETMgr-6-Prod";Location='WestEurope';AddressPrefix='192.168.12.0/24'} 44 | @{Name="vNETMgr-6-Dev";Location='WestEurope';AddressPrefix='192.168.13.0/24'} 45 | @{Name="vNETMgr-7-Prod";Location='franceCentral';AddressPrefix='192.168.14.0/24'} 46 | @{Name="vNETMgr-7-Dev";Location='franceCentral';AddressPrefix='192.168.15.0/24'} 47 | @{Name="vNETMgr-0-Lab";Location='eastus';AddressPrefix='172.18.0.0/24'} 48 | @{Name="vNETMgr-1-Lab";Location='eastus';AddressPrefix='172.18.1.0/24'} 49 | @{Name="vNETMgr-2-Lab";Location='eastus';AddressPrefix='172.18.2.0/24'} 50 | @{Name="vNETMgr-3-Lab";Location='eastus';AddressPrefix='172.18.3.0/24'} 51 | ) 52 | 53 | 54 | ##################### 55 | # Build vNETs # 56 | ##################### 57 | foreach ($vNET in $vNETs) { 58 | $Subnet = New-AzVirtualNetworkSubnetConfig -Name Subnet -AddressPrefix $vNET.AddressPrefix 59 | New-AzVirtualNetwork ` 60 | -Name $vnet.Name ` 61 | -ResourceGroupName $RGName ` 62 | -Location $vNET.Location ` 63 | -AddressPrefix $vNET.AddressPrefix ` 64 | -Subnet $Subnet 65 | } 66 | 67 | 68 | -------------------------------------------------------------------------------- /Storage/Download-Blob-Function.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-15-2018 3 | # Usage : Download from Azure Blob FUNCTION 4 | 5 | 
#************************************************************************ 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 08/15/2018 1.0 Intial Version 9 | # 10 | #************************************************************************ 11 | # 12 | #> 13 | 14 | Function Download-BlobFile { 15 | <# 16 | .Synopsis 17 | download file from Azure Blob Storage with security: 18 | 19 | .Description 20 | Script to download blob from Azure storage with access keys 21 | 22 | .Parameter RGName 23 | Name of the Resource Group the Storage Account is in 24 | 25 | .Parameter STName 26 | Name of the Storage Account 27 | 28 | .Parameter Container 29 | Name of the Storage Account Blob Container 30 | 31 | .Parameter LiteralDestinationPath 32 | Path the local folder to download the Blob 33 | 34 | 35 | 36 | .Example 37 | # Download Blob File 38 | Download-BlobFile ` 39 | -RGName Group1 ` 40 | -STName stname132352 ` 41 | -Container app1 ` 42 | -LiteralDestinationPath c:\temp\file.txt 43 | 44 | #> 45 | [Cmdletbinding()] 46 | Param ( 47 | [Parameter(Mandatory=$true)] 48 | [string]$RGName, 49 | [Parameter(Mandatory=$true)] 50 | [string]$STName, 51 | [Parameter(Mandatory=$true)] 52 | [string]$Container, 53 | [Parameter(Mandatory=$true)] 54 | [string]$LiteralDestinationPath 55 | ) 56 | 57 | Begin { 58 | $RGName = $RGName.ToLower() 59 | $STName = $STName.ToLower() 60 | $Container = $Container.ToLower() 61 | $split = $DestinationPath.split('\') 62 | foreach ($a in $split) { 63 | $FileName = $a 64 | } 65 | write "Starting download of file - $Filename" 66 | } 67 | 68 | Process { 69 | ##################################### 70 | # Get Storage Account Context # 71 | ##################################### 72 | $stokey = (Get-AzureRmStorageAccountKey -ResourceGroupName $RGName -Name $STName).Value[0] 73 | $StorageContext = New-AzureStorageContext ` 74 | -StorageAccountName $STName ` 75 | -StorageAccountKey $stokey 76 | 77 | 78 | 
############################ 79 | # Download Blob File # 80 | ############################ 81 | $Uri = "https://$STName.blob.core.windows.net/$Container/$FileName" 82 | $StartTime = Get-Date 83 | $EndTime = $startTime.AddMinutes(5.0) 84 | $SAS = New-AzureStorageBlobSASToken ` 85 | -Context $StorageContext ` 86 | -Container $Container ` 87 | -Blob $FileName ` 88 | -Permission rwd ` 89 | -StartTime $StartTime ` 90 | -ExpiryTime $EndTime 91 | $SecureUri = "$uri$SAS" 92 | Wait-Event -Timeout 2 93 | Invoke-WebRequest -Uri $SecureUri -OutFile $LocalPath 94 | } 95 | 96 | End { 97 | Clear-History 98 | } 99 | 100 | } 101 | 102 | 103 | ######################################### 104 | # Example how to run the Function # 105 | ######################################### 106 | Download-BlobFile ` 107 | -RGName $RGName ` 108 | -STName $STName ` 109 | -Container $Container ` 110 | -LiteralDestinationPath c:\temp\LinuxCommands.txt ` 111 | -Verbose 112 | -------------------------------------------------------------------------------- /VMScaleSets/VMSS_App.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 04-29-2020 3 | # Usage : AZURE VM ScaleSet Applications 4 | #************************************************************************** 5 | # Date Version Changes 6 | #------------------------------------------------------------------------ 7 | # 04/29/2020 1.0 Intial Version 8 | # 9 | #*************************************************************************** 10 | # 11 | #> 12 | ################### 13 | # Setup Lab # 14 | ################### 15 | #Build VM Scale Set 16 | New-AzVmss ` 17 | -ResourceGroupName "myResourceGroup" ` 18 | -VMScaleSetName "myScaleSet" ` 19 | -Location "EastUS" ` 20 | -VirtualNetworkName "myVnet" ` 21 | -SubnetName "mySubnet" ` 22 | -PublicIpAddressName "myPublicIPAddress" ` 23 | -LoadBalancerName "myLoadBalancer" ` 24 | -UpgradePolicyMode "Automatic" 25 | 26 | #Custom Script 
Extenction to install Web Server 27 | $customConfig = @{ 28 | "fileUris" = (,"https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis.ps1"); 29 | "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File automate-iis.ps1" 30 | } 31 | 32 | # Get information about the scale set 33 | $vmss = Get-AzVmss ` 34 | -ResourceGroupName "myResourceGroup" ` 35 | -VMScaleSetName "myScaleSet" 36 | 37 | #Create a rule to allow traffic over port 80 38 | $nsgFrontendRule = New-AzNetworkSecurityRuleConfig ` 39 | -Name myFrontendNSGRule ` 40 | -Protocol Tcp ` 41 | -Direction Inbound ` 42 | -Priority 200 ` 43 | -SourceAddressPrefix * ` 44 | -SourcePortRange * ` 45 | -DestinationAddressPrefix * ` 46 | -DestinationPortRange 80 ` 47 | -Access Allow 48 | 49 | #Create a network security group and associate it with the rule 50 | $nsgFrontend = New-AzNetworkSecurityGroup ` 51 | -ResourceGroupName "myResourceGroup" ` 52 | -Location EastUS ` 53 | -Name myFrontendNSG ` 54 | -SecurityRules $nsgFrontendRule 55 | $vnet = Get-AzVirtualNetwork ` 56 | -ResourceGroupName "myResourceGroup" ` 57 | -Name myVnet 58 | $frontendSubnet = $vnet.Subnets[0] 59 | $frontendSubnetConfig = Set-AzVirtualNetworkSubnetConfig ` 60 | -VirtualNetwork $vnet ` 61 | -Name mySubnet ` 62 | -AddressPrefix $frontendSubnet.AddressPrefix ` 63 | -NetworkSecurityGroup $nsgFrontend 64 | Set-AzVirtualNetwork ` 65 | -VirtualNetwork $vnet 66 | Get-AzPublicIpAddress ` 67 | -ResourceGroupName "myResourceGroup" ` 68 | | Select IpAddress 69 | 70 | 71 | ######################## 72 | # Install App v1 # 73 | ######################## 74 | # Add the Custom Script Extension to install IIS and configure basic website 75 | $vmss = Add-AzVmssExtension ` 76 | -VirtualMachineScaleSet $vmss ` 77 | -Name "customScript" ` 78 | -Publisher "Microsoft.Compute" ` 79 | -Type "CustomScriptExtension" ` 80 | -TypeHandlerVersion 1.9 ` 81 | -Setting $customConfig 82 | 83 | # Update the scale set and apply 
the Custom Script Extension to the VM instances 84 | Update-AzVmss ` 85 | -ResourceGroupName "myResourceGroup" ` 86 | -Name "myScaleSet" ` 87 | -VirtualMachineScaleSet $vmss 88 | 89 | 90 | ######################## 91 | # Install App v2 # 92 | ######################## 93 | $customConfigv2 = @{ 94 | "fileUris" = (,"https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"); 95 | "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1" 96 | } 97 | $vmss = Get-AzVmss ` 98 | -ResourceGroupName "myResourceGroup" ` 99 | -VMScaleSetName "myScaleSet" 100 | $vmss.VirtualMachineProfile.ExtensionProfile[0].Extensions[0].Settings = $customConfigv2 101 | Update-AzVmss ` 102 | -ResourceGroupName "myResourceGroup" ` 103 | -Name "myScaleSet" ` 104 | -VirtualMachineScaleSet $vmss 105 | 106 | 107 | ###################### 108 | # Clean Up Lab # 109 | ###################### 110 | Remove-AzResourceGroup -Name "myResourceGroup" -Force -AsJob 111 | 112 | 113 | -------------------------------------------------------------------------------- /Build Resources/CloudBuild/VNET-Cloud-VDI: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "VNET_Name": { 6 | "defaultValue": "VNET-Cloud-VDI", 7 | "type": "String" 8 | } 9 | }, 10 | "variables": {}, 11 | "resources": [ 12 | { 13 | "type": "Microsoft.Network/virtualNetworks", 14 | "apiVersion": "2024-01-01", 15 | "name": "[parameters('VNET_Name')]", 16 | "location": "eastus2", 17 | "tags": { 18 | "Application": "Cloud VDI", 19 | "cost center": "AA-Money", 20 | "Environment": "Dev", 21 | "Owner": "AVD Admin", 22 | "Support Contact": "x1234" 23 | }, 24 | "properties": { 25 | "addressSpace": { 26 | "addressPrefixes": [ 27 | "172.16.0.0/16" 28 | ] 29 | }, 30 | "encryption": { 31 | 
"enabled": false, 32 | "enforcement": "AllowUnencrypted" 33 | }, 34 | "subnets": [ 35 | { 36 | "name": "Win365", 37 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('VNET_Name'), 'Win365')]", 38 | "properties": { 39 | "addressPrefixes": [ 40 | "172.16.1.0/24" 41 | ], 42 | "delegations": [], 43 | "privateEndpointNetworkPolicies": "Disabled", 44 | "privateLinkServiceNetworkPolicies": "Enabled" 45 | }, 46 | "type": "Microsoft.Network/virtualNetworks/subnets" 47 | }, 48 | { 49 | "name": "AVD-1", 50 | "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('VNET_Name'), 'AVD-1')]", 51 | "properties": { 52 | "addressPrefixes": [ 53 | "172.16.0.0/24" 54 | ], 55 | 56 | "delegations": [], 57 | "privateEndpointNetworkPolicies": "Disabled", 58 | "privateLinkServiceNetworkPolicies": "Enabled" 59 | }, 60 | "type": "Microsoft.Network/virtualNetworks/subnets" 61 | } 62 | ], 63 | "virtualNetworkPeerings": [], 64 | "enableDdosProtection": false 65 | } 66 | }, 67 | { 68 | "type": "Microsoft.Network/virtualNetworks/subnets", 69 | "apiVersion": "2024-01-01", 70 | "name": "[concat(parameters('VNET_Name'), '/AVD-1')]", 71 | "dependsOn": [ 72 | "[resourceId('Microsoft.Network/virtualNetworks', parameters('VNET_Name'))]" 73 | ], 74 | "properties": { 75 | "addressPrefixes": [ 76 | "172.16.0.0/24" 77 | ], 78 | 79 | "delegations": [], 80 | "privateEndpointNetworkPolicies": "Disabled", 81 | "privateLinkServiceNetworkPolicies": "Enabled" 82 | } 83 | }, 84 | { 85 | "type": "Microsoft.Network/virtualNetworks/subnets", 86 | "apiVersion": "2024-01-01", 87 | "name": "[concat(parameters('VNET_Name'), '/Win365')]", 88 | "dependsOn": [ 89 | "[resourceId('Microsoft.Network/virtualNetworks', parameters('VNET_Name'))]" 90 | ], 91 | "properties": { 92 | "addressPrefixes": [ 93 | "172.16.1.0/24" 94 | ], 95 | "delegations": [], 96 | "privateEndpointNetworkPolicies": "Disabled", 97 | "privateLinkServiceNetworkPolicies": "Enabled" 98 | } 99 | } 100 | ] 101 | } 
-------------------------------------------------------------------------------- /Hybrid Connectivity/OPEN VPN Point-to-Site.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 10-17-2017 3 | # Usage : AZURE - Create ExpressRoute 4 | 5 | #*************************************************************************************** 6 | # Date Version Changes 7 | #--------------------------------------------------------------------------------------- 8 | # 10/17/2017 1.0 Intial Version 9 | # 08/20/2019 2.0 Add OpenVPN 10 | # 08/12/2021 2.1 Updated Cert Names / Added 2 year Expiration 11 | #**************************************************************************************** 12 | # 13 | #> 14 | 15 | ############################################### 16 | # Create a self-signed root certificate # 17 | ############################################### 18 | $CertLocation = "c:\temp\vpn" 19 | if((Test-Path -Path $CertLocation -ErrorAction SilentlyContinue) -eq $false){ 20 | mkdir $CertLocation 21 | cd $CertLocation 22 | } 23 | else { 24 | cd $CertLocation 25 | } 26 | $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature ` 27 | -Subject "CN=2021Root" ` 28 | -KeyExportPolicy Exportable ` 29 | -HashAlgorithm sha256 ` 30 | -KeyLength 2048 ` 31 | -CertStoreLocation "Cert:\CurrentUser\My" ` 32 | -KeyUsageProperty Sign -KeyUsage CertSign ` 33 | -NotAfter (Get-Date).AddYears(2) 34 | 35 | 36 | ####################################### 37 | # Generate a client certificate # 38 | ####################################### 39 | New-SelfSignedCertificate ` 40 | -Type Custom ` 41 | -DnsName P2SChildCert ` 42 | -KeySpec Signature ` 43 | -Subject "CN=2021Client" ` 44 | -KeyExportPolicy Exportable ` 45 | -HashAlgorithm sha256 ` 46 | -KeyLength 2048 ` 47 | -CertStoreLocation "Cert:\CurrentUser\My" ` 48 | -Signer $cert ` 49 | -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") ` 50 | -NotAfter 
(Get-Date).AddYears(2) 51 | 52 | 53 | ############################# 54 | # Export Certificates # 55 | ############################# 56 | $RootCert = (Get-ChildItem ` 57 | -Path "Cert:\CurrentUser\My\"` 58 | | Where-Object ` 59 | -Property subject ` 60 | -Match 2021Root) 61 | $ClientCert = (Get-ChildItem ` 62 | -Path "Cert:\CurrentUser\My\"` 63 | | Where-Object ` 64 | -Property subject ` 65 | -Match 2021Client) 66 | Export-Certificate ` 67 | -Type CERT ` 68 | -Cert $RootCert ` 69 | -FilePath "$CertLocation\2021RootTemp.cer" 70 | Export-Certificate ` 71 | -Type CERT ` 72 | -Cert $ClientCert ` 73 | -FilePath "$CertLocation\2021Client.cer" 74 | C:\windows\system32\certutil.exe -encode "$CertLocation\2021RootTemp.cer" '2021Root.cer' 75 | Get-Content $CertLocation\2021Root.cer 76 | $SecurePassword = Read-Host ` 77 | -Prompt "Enter Password to Export Cert with Private Key" ` 78 | -AsSecureString 79 | $ThumbPrint = $ClientCert.Thumbprint 80 | $ExportPrivateCertPath = "Cert:\CurrentUser\My\$ThumbPrint" 81 | Export-PfxCertificate ` 82 | -FilePath "C:\temp\VPN\2021Client.pfx" ` 83 | -Password $SecurePassword ` 84 | -Cert $ExportPrivateCertPath 85 | 86 | 87 | ##################################### 88 | # Add OpenSSL to System Path # 89 | ##################################### 90 | if (-not (Test-Path $profile)) { 91 | New-Item -Path $profile -ItemType File -Force 92 | } 93 | '$env:path = "C:\ProgramData\chocolatey\bin;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\;c:\windows;c:\windows\system32\wbem;c:\windows\system32\openssh;c:\program files\git\cmd;C:\Users\DrCef\AppData\Local\Microsoft\WindowsApps;C:\Program Files\Microsoft VS Code Insiders\bin;C:\Users\DrCef\AppData\Local\GitHubDesktop\bin;C:\Users\DrCef\AppData\Local\Microsoft\WindowsApps;C:\Program Files (x86)\Microsoft Visual Studio"' | Out-File $profile -Append 94 | '$env:path = "C:\Program Files\OpenSSL\bin"' | Out-File $profile -Append 95 | '$env:OPENSSL_CONF = "C:\temp\VPN\openssl.cnf"' | out-file 
$profile -Append 96 | . $profile 97 | 98 | 99 | ############################ 100 | # Install Chocolatey # 101 | ############################ 102 | Set-ExecutionPolicy Bypass ` 103 | -Scope Process ` 104 | -Force; ` 105 | Invoke-Expression ((New-Object System.Net.WebClient).DownloadString( 106 | 'https://chocolatey.org/install.ps1' 107 | ) 108 | ) 109 | 110 | 111 | ########################## 112 | # Download OpenSSL # 113 | ########################## 114 | choco install OpenSSL.Light -y --force 115 | Invoke-WebRequest ` 116 | -Uri 'http://web.mit.edu/crypto/openssl.cnf' ` 117 | -OutFile "$CertLocation\openssl.cnf" 118 | 119 | 120 | ########################## 121 | # Download OpenVPN # 122 | ########################## 123 | Invoke-WebRequest ` 124 | -Uri 'https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I607-Win10.exe' ` 125 | -OutFile "$CertLocation\openvpn-install-2.4.7-I607-Win10.exe" 126 | 127 | 128 | ############################# 129 | # Extract Private Key # 130 | ############################# 131 | . 
$profile 132 | $OpenSSLArgs = "pkcs12 -in C:\temp\vpn\2021Client.pfx -nodes -out c:\temp\vpn\profileinfo.txt" 133 | Start-Process openssl $OpenSSLArgs 134 | 135 | 136 | ######################### 137 | # Install OpenVPN # 138 | ######################### 139 | Start-Process "$CertLocation\openvpn-install-2.4.7-I607-Win10.exe" /S 140 | 141 | 142 | -------------------------------------------------------------------------------- /Hybrid Connectivity/Site-to-Site.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 10-17-2017 3 | # Usage : AZURE - Create Site-to-Site VPN 4 | 5 | #************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 10/17/2017 1.0 Intial Version 9 | # 10/04/2018 1.1 update $PublicIP to be dynamic 10 | # 11 | #*************************************************************************** 12 | # 13 | #> 14 | # !!! Admin priveleges are required in order to run this script !!! 
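#

#######################
#    Set Variables    #
#######################
$AzureConnectionName = Read-Host -Prompt "Enter Name of the Connection to Azure"
$AzureGatewayIP = Read-Host -Prompt "Enter Azure vNET Gateway's Public IP Address"

# Read the IKEv2 pre-shared key as a SecureString so it is not echoed to the
# console or captured in a transcript. Add-VpnS2SInterface -SharedSecret takes a
# plain string, so the value is unwrapped once here and the BSTR zeroed after use.
$SharedKeySecure = Read-Host -Prompt "Enter Azure vNET Connection Shared Key" -AsSecureString
$SharedKeyBstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SharedKeySecure)
try {
    $SharedKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($SharedKeyBstr)
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($SharedKeyBstr)
}

# Discover this host's public IP. The value feeds the VPN interface definition
# below, so fetch it over HTTPS rather than a scheme-less (plain HTTP) URI.
# -UseBasicParsing avoids the Internet Explorer engine dependency on Server SKUs.
$PublicIPResponse = Invoke-WebRequest -Uri 'https://ifconfig.me/all.json' -UseBasicParsing
$PublicIP = ($PublicIPResponse.Content | ConvertFrom-Json).ip_addr
if ([string]::IsNullOrWhiteSpace($PublicIP)) {
    throw "Could not determine the public IP address from ifconfig.me; cannot build the S2S interface."
}

# NOTE(review): -IPv4Subnet expects "<prefix>:<metric>" entries for traffic to
# send through the tunnel. The original builds it from the local public IP with
# metric 100; kept as written — confirm this is the intended prefix.
$IPAddressRange = $PublicIP + ':100'

Function Invoke-WindowsApi {
    <#
    .Synopsis
        Calls an unmanaged Win32 function by name through a dynamically emitted P/Invoke stub.

    .Description
        Builds a throw-away dynamic assembly holding one static method decorated with
        [DllImport($dllName)], creates the type and invokes the method with the supplied
        arguments. A new assembly is emitted on every call, so this is meant for one-off
        calls such as WritePrivateProfileString.

    .Parameter dllName
        Native library exporting the function (for example kernel32.dll).

    .Parameter returnType
        .NET type of the function's return value.

    .Parameter methodName
        Exported name of the native function.

    .Parameter parameterTypes
        .NET types of the function's parameters, in declaration order.

    .Parameter parameters
        Argument values in the same order as parameterTypes. Only the first
        parameterTypes.Length values are passed to the native call.

    .Example
        Invoke-WindowsApi "kernel32.dll" ([UInt32]) "WritePrivateProfileString" ([string],[string],[string],[string]) @('Section','Key','Value','C:\file.ini')

    .Outputs
        The native function's return value, as $returnType.
    #>
    [Cmdletbinding()]
    Param (
        [string] $dllName,
        [Type] $returnType,
        [string] $methodName,
        [Type[]] $parameterTypes,
        [Object[]] $parameters
    )
    Begin {
        ## Build the dynamic assembly / module / type that will host the P/Invoke stub
        $domain = [AppDomain]::CurrentDomain
        $name = New-Object Reflection.AssemblyName 'PInvokeAssembly'
        $assembly = $domain.DefineDynamicAssembly($name, 'Run')
        $module = $assembly.DefineDynamicModule('PInvokeModule')
        $type = $module.DefineType('PInvokeType', "Public,BeforeFieldInit")
        $inputParameters = @()
    }
    Process {
        ## Pass exactly one argument per declared parameter type, in order
        for ($counter = 1; $counter -le $parameterTypes.Length; $counter++) {
            $inputParameters += $parameters[$counter - 1]
        }
        $method = $type.DefineMethod($methodName, 'Public,HideBySig,Static,PinvokeImpl', $returnType, $parameterTypes)
        ## Apply the [DllImport(dllName)] attribute to the stub
        $ctor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([string])
        $attr = New-Object Reflection.Emit.CustomAttributeBuilder $ctor, $dllName
        $method.SetCustomAttribute($attr)
        ## Create the temporary type and invoke the method
        $realType = $type.CreateType()
        $ret = $realType.InvokeMember($methodName, 'Public,Static,InvokeMethod', $null, $null, $inputParameters)
        return $ret
    }
    End {
    }
}

Function Set-PrivateProfileString {
    <#
    .Synopsis
        Writes one key/value pair into an INI-style file via the Win32 WritePrivateProfileString API.

    .Parameter file
        Path of the INI / RAS phonebook file to update.

    .Parameter category
        Section name (the [category] header) the key belongs to.

    .Parameter key
        Key name inside the section.

    .Parameter value
        Value to store; cast to string.

    .Notes
        NOTE(review): the callers later in this script pass the setting name as -category
        and the connection name as -key. RAS phonebook files are normally organised as a
        [ConnectionName] section containing setting keys — confirm the intended mapping.
    #>
    Param (
        $file,
        $category,
        $key,
        $value
    )
    Begin {
        ## WritePrivateProfileString(lpAppName, lpKeyName, lpString, lpFileName):
        ## the Win32 argument order differs from this function's parameter order.
        $parameterTypes = [string], [string], [string], [string]
        $parameters = [string] $category, [string] $key, [string] $value, [string] $file

        ## Invoke the API; it returns non-zero on success, zero on failure.
        $result = Invoke-WindowsApi "kernel32.dll" ([UInt32]) "WritePrivateProfileString" $parameterTypes $parameters
        if ($result -eq 0) {
            Write-Warning "WritePrivateProfileString failed for key '$key' in '$file'"
        }
    }
}


##################################
#    Install RRAS Server Role    #
##################################
Import-Module ServerManager
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Add-WindowsFeature -name Routing -IncludeManagementTools


#########################
#    Install S2S VPN    #
#########################
Import-Module RemoteAccess
if ((Get-RemoteAccess).VpnS2SStatus -ne "Installed") {
    Install-RemoteAccess -VpnType VpnS2S
}


###############################
#    Add S2S VPN interface    #
###############################
# -IPv4Subnet now uses $IPAddressRange; the original referenced the undefined
# $IPAddressRamge, which expanded to an empty string.
Add-VpnS2SInterface `
    -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly `
    -NumberOfTries 3 `
    -ResponderAuthenticationMethod PSKOnly `
    -Name $AzureConnectionName `
    -Destination $AzureGatewayIP `
    -IPv4Subnet @("$IPAddressRange") `
    -SharedSecret $SharedKey


#####################################
#    Configure S2S VPN interface    #
#####################################
Set-VpnServerIPsecConfiguration `
    -EncryptionType `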
MaximumEncryption 133 | Set-VpnS2Sinterface ` 134 | -Name $AzureConnectionName ` 135 | -InitiateConfigPayload $false ` 136 | -Persistent ` 137 | -AutoConnectEnabled ` 138 | -Force 139 | 140 | 141 | ############################################# 142 | # S2S VPN connection to be persistent # 143 | ############################################# 144 | Set-PrivateProfileString ` 145 | -file $env:windir\System32\ras\router.pbk ` 146 | -category IdleDisconnectSeconds ` 147 | -key $AzureConnectionName ` 148 | -value 0 149 | Set-PrivateProfileString ` 150 | -file $env:windir\System32\ras\router.pbk ` 151 | -category RedialOnLinkFailure ` 152 | -key $AzureConnectionName ` 153 | -value 1 154 | 155 | ################################## 156 | # Restart the RRAS service # 157 | ################################## 158 | Restart-Service RemoteAccess 159 | 160 | 161 | ################################## 162 | # Connect to Azure gateway # 163 | ################################## 164 | Connect-VpnS2SInterface -Name $AzureConnectionName 165 | 166 | 167 | ######################## 168 | # Get VPN Status # 169 | ######################## 170 | Get-VpnS2SInterface -Name $AzureConnectionName 171 | -------------------------------------------------------------------------------- /Build Resources/CloudBuild/KeyVault.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "KeyVault_Name": { 6 | "defaultValue": "KV-CloudVDI", 7 | "type": "String" 8 | } 9 | }, 10 | "variables": {}, 11 | "resources": [ 12 | { 13 | "type": "Microsoft.KeyVault/vaults", 14 | "apiVersion": "2024-04-01-preview", 15 | "name": "[parameters('KeyVault_Name')]", 16 | "location": "eastus2", 17 | "properties": { 18 | "sku": { 19 | "family": "A", 20 | "name": "Standard" 21 | }, 22 | "tenantId": "10c5dfa7-b5c3-4cf2-9265-f0e32a960967", 23 | 
"accessPolicies": [ 24 | { 25 | "tenantId": "10c5dfa7-b5c3-4cf2-9265-f0e32a960967", 26 | "objectId": "1f423866-34ba-48d3-9aad-7e7dedcc6b9a", 27 | "permissions": { 28 | "keys": [ 29 | "Get", 30 | "List", 31 | "Update", 32 | "Create", 33 | "Import", 34 | "Delete", 35 | "Recover", 36 | "Backup", 37 | "Restore", 38 | "GetRotationPolicy", 39 | "SetRotationPolicy", 40 | "Rotate" 41 | ], 42 | "secrets": [ 43 | "Get", 44 | "List", 45 | "Set", 46 | "Delete", 47 | "Recover", 48 | "Backup", 49 | "Restore" 50 | ], 51 | "certificates": [ 52 | "Get", 53 | "List", 54 | "Update", 55 | "Create", 56 | "Import", 57 | "Delete", 58 | "Recover", 59 | "Backup", 60 | "Restore", 61 | "ManageContacts", 62 | "ManageIssuers", 63 | "GetIssuers", 64 | "ListIssuers", 65 | "SetIssuers", 66 | "DeleteIssuers" 67 | ] 68 | } 69 | }, 70 | { 71 | "tenantId": "10c5dfa7-b5c3-4cf2-9265-f0e32a960967", 72 | "objectId": "bd79e6f3-fca2-4ae4-aafd-8879fefb45d7", 73 | "permissions": { 74 | "keys": [], 75 | "secrets": [ 76 | "get" 77 | ], 78 | "certificates": [] 79 | } 80 | } 81 | ], 82 | "enabledForDeployment": true, 83 | "enabledForDiskEncryption": true, 84 | "enabledForTemplateDeployment": true, 85 | "enableSoftDelete": true, 86 | "softDeleteRetentionInDays": 90, 87 | "enableRbacAuthorization": true, 88 | "vaultUri": "https://kv-sh-updates.vault.azure.net/", 89 | "provisioningState": "Succeeded", 90 | "publicNetworkAccess": "Enabled" 91 | } 92 | }, 93 | { 94 | "type": "Microsoft.KeyVault/vaults/keys", 95 | "apiVersion": "2024-04-01-preview", 96 | "name": "[concat(parameters('KeyVault_Name'), '/ADE-Key')]", 97 | "location": "eastus2", 98 | "dependsOn": [ 99 | "[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVault_Name'))]" 100 | ], 101 | "properties": { 102 | "attributes": { 103 | "enabled": true, 104 | "nbf": 1717180759, 105 | "exp": 1785523159, 106 | "exportable": false 107 | } 108 | } 109 | }, 110 | { 111 | "type": "Microsoft.KeyVault/vaults/secrets", 112 | "apiVersion": "2024-04-01-preview", 113 | 
"name": "[concat(parameters('KeyVault_Name'), '/DomainJoiner-Password')]", 114 | "location": "eastus2", 115 | "dependsOn": [ 116 | "[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVault_Name'))]" 117 | ], 118 | "properties": { 119 | "attributes": { 120 | "enabled": true 121 | } 122 | } 123 | }, 124 | { 125 | "type": "Microsoft.KeyVault/vaults/secrets", 126 | "apiVersion": "2024-04-01-preview", 127 | "name": "[concat(parameters('KeyVault_Name'), '/DomainJoiner-Username')]", 128 | "location": "eastus2", 129 | "dependsOn": [ 130 | "[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVault_Name'))]" 131 | ], 132 | "properties": { 133 | "attributes": { 134 | "enabled": true 135 | } 136 | } 137 | }, 138 | { 139 | "type": "Microsoft.KeyVault/vaults/secrets", 140 | "apiVersion": "2024-04-01-preview", 141 | "name": "[concat(parameters('KeyVault_Name'), '/LocalAdmin-Password')]", 142 | "location": "eastus2", 143 | "dependsOn": [ 144 | "[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVault_Name'))]" 145 | ], 146 | "properties": { 147 | "attributes": { 148 | "enabled": true 149 | } 150 | } 151 | }, 152 | { 153 | "type": "Microsoft.KeyVault/vaults/secrets", 154 | "apiVersion": "2024-04-01-preview", 155 | "name": "[concat(parameters('KeyVault_Name'), '/LocalAdmin-Username')]", 156 | "location": "eastus2", 157 | "dependsOn": [ 158 | "[resourceId('Microsoft.KeyVault/vaults', parameters('KeyVault_Name'))]" 159 | ], 160 | "properties": { 161 | "attributes": { 162 | "enabled": true 163 | } 164 | } 165 | } 166 | ] 167 | } -------------------------------------------------------------------------------- /Build Resources/Build_Global_Network.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-15-2024 3 | # Usage : Create Global Virtual Networks 4 | #************************************************************************ 5 | # Date Version Changes 6 | 
#------------------------------------------------------------------------ 7 | # 08/15/2024 1.0 Intial Version 8 | # 9 | #************************************************************************ 10 | # 11 | #> 12 | 13 | 14 | ######################## 15 | # RGs Input Array # 16 | ######################## 17 | $RGs = @( 18 | @{Name="Expert-vnets-eus2";Location='uksouth'} 19 | @{Name="Expert-vnets-uks";Location='uksouth'} 20 | @{Name="Expert-vnets-JPE";Location='JapanEast'} 21 | ) 22 | 23 | 24 | ################### 25 | # Build RGs # 26 | ################### 27 | foreach ($RG in $RGs) { 28 | $RGName = $RG.Name 29 | If (!(Get-AzResourceGroup -name $RGName -ErrorAction SilentlyContinue)) { 30 | Write-Host -ForegroundColor Red -BackgroundColor Black "Creating Resource Group" 31 | New-AzResourceGroup -Name $RG.Name -Location $RG.Location 32 | } 33 | else { 34 | Write-Host -ForegroundColor Cyan -BackgroundColor Black "Resource Group $RGName already exists" 35 | } 36 | 37 | } 38 | 39 | 40 | ######################### 41 | # hub Input Array # 42 | ######################### 43 | $HubNETs = @( 44 | @{Name="Expert-Hub-eus2";Location='eastus2';AddressPrefix='10.0.0.0/16';RGName='Expert-vnets-eus2';IdentitySubnet='10.0.1.0/24';DNS=@('10.0.1.4','172.18.1.5','192.168.1.5');BastionSubnet='10.0.2.0/26';FirewallSubnet='10.0.3.0/26';FirewallMgtSubnet='10.0.3.64/26'} 45 | @{Name="Expert-Hub-uks";Location='uksouth';AddressPrefix='172.18.0.0/16';RGName='Expert-vnets-uks';IdentitySubnet='172.18.1.0/24';DNS=@('10.0.1.4','172.18.1.5','192.168.1.5');BastionSubnet='172.18.2.0/26';FirewallSubnet='172.18.3.0/26';FirewallMgtSubnet='172.18.3.64/26'} 46 | @{Name="Expert-Hub-jpe";Location='japaneast';AddressPrefix='192.168.0.0/16';RGName='Expert-vnets-jpe';IdentitySubnet='192.168.1.0/24';DNS=@('10.0.1.4','172.18.1.5','192.168.1.5');BastionSubnet='192.168.2.0/26';FirewallSubnet='192.168.3.0/26';FirewallMgtSubnet='192.168.3.64/26'} 47 | ) 48 | 49 | 50 | ##################### 51 | # Build Hubs # 52 | 
#####################
foreach ($hub in $HubNETs) {
    # Subnet definitions for this hub; the Bastion / Firewall / Firewall
    # management subnets carry the fixed names those services look for.
    $hubSubnets = @(
        (New-AzVirtualNetworkSubnetConfig -Name 'Identity' -AddressPrefix $hub.IdentitySubnet),
        (New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $hub.BastionSubnet),
        (New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix $hub.FirewallSubnet),
        (New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallManagementSubnet' -AddressPrefix $hub.FirewallMgtSubnet)
    )

    # Deploy Hub network (the assignment keeps the returned object off the pipeline)
    $hubVnetParams = @{
        Name              = $hub.Name
        ResourceGroupName = $hub.RGName
        Location          = $hub.Location
        AddressPrefix     = $hub.AddressPrefix
        Subnet            = $hubSubnets
        DnsServer         = $hub.DNS
    }
    $createdHubVnet = New-AzVirtualNetwork @hubVnetParams

    # The three public IPs share SKU / tier / zone settings; only the name differs
    $pipCommon = @{
        ResourceGroupName = $hub.RGName
        Location          = $hub.Location
        AllocationMethod  = 'Static'
        Sku               = 'Standard'
        Tier              = 'Regional'
        IpAddressVersion  = 'IPv4'
        Zone              = @('1', '2', '3')
    }
    # Public IP for Azure Bastion
    $bastionPIP = New-AzPublicIpAddress @pipCommon -Name "$($hub.Name)-Bastion-PIP"
    # Public IP for Azure Firewall
    $firewallPIP = New-AzPublicIpAddress @pipCommon -Name "$($hub.Name)-Firewall-PIP"
    # Public IP for Azure Firewall management
    $firewallMgrPIP = New-AzPublicIpAddress @pipCommon -Name "$($hub.Name)-Firewall-MGR-PIP"

    # Re-read the hub VNet (as the original does) before attaching Bastion and Firewall
    $HubVNET = Get-AzVirtualNetwork -Name $hub.name -ResourceGroupName $hub.RGName

    # Deploy Azure Bastion
    New-AzBastion `
        -ResourceGroupName $hub.RGName `
        -Name "$($hub.Name)-Bastion" `
        -VirtualNetwork $HubVNET `
        -PublicIpAddress $bastionPIP

    # Deploy Azure Firewall
    $firewallParams = @{
        ResourceGroupName         = $hub.RGName
        Name                      = "$($hub.Name)-Firewall"
        Location                  = $hub.Location
        VirtualNetwork            = $HubVNET
        PublicIpAddress           = $firewallPIP
        ManagementPublicIpAddress = $firewallMgrPIP
        Zone                      = @('1', '2', '3')
        SkuTier                   = 'Basic'
    }
    New-AzFirewall @firewallParams
}


#########################
#    vnet Input Array   #
#########################
# NOTE(review): several spoke prefixes fall inside their region's hub address
# space as defined in $HubNETs above (the uks spokes 172.18.1-4.0/24 sit within
# Expert-Hub-uks 172.18.0.0/16, and 172.18.1.0/24 is also that hub's Identity
# subnet; likewise the jpe spokes within 192.168.0.0/16). Overlapping address
# spaces cannot be peered — confirm the intended spoke ranges.
$vNETs = @(
    @{Name = "Expert-Spoke-eu2-AVD"; Location = 'eastus2';   AddressPrefix = '10.1.0.0/24';     RGName = 'Expert-vnets-eus2'}
    @{Name = "Expert-Spoke-eu2-SAP"; Location = 'eastus2';   AddressPrefix = '10.2.0.0/24';     RGName = 'Expert-vnets-eus2'}
    @{Name = "Expert-Spoke-eu2-EMS"; Location = 'eastus2';   AddressPrefix = '10.3.0.0/16';     RGName = 'Expert-vnets-eus2'}
    @{Name = "Expert-Spoke-eu2-VMs"; Location = 'eastus2';   AddressPrefix = '10.4.0.0/16';     RGName = 'Expert-vnets-eus2'}
    @{Name = "Expert-Spoke-uks-AVD"; Location = 'uksouth';   AddressPrefix = '172.18.1.0/24';   RGName = 'Expert-vnets-uks'}
    @{Name = "Expert-Spoke-uks-SAP"; Location = 'uksouth';   AddressPrefix = '172.18.2.0/24';   RGName = 'Expert-vnets-uks'}
    @{Name = "Expert-Spoke-uks-EMS"; Location = 'uksouth';   AddressPrefix = '172.18.3.0/24';   RGName = 'Expert-vnets-uks'}
    @{Name = "Expert-Spoke-uks-VMs"; Location = 'uksouth';   AddressPrefix = '172.18.4.0/24';   RGName = 'Expert-vnets-uks'}
    @{Name = "Expert-Spoke-jpe-AVD"; Location = 'japaneast'; AddressPrefix = '192.168.1.0/24';  RGName = 'Expert-vnets-jpe'}
    @{Name = "Expert-Spoke-jpe-SAP"; Location = 'japaneast'; AddressPrefix = '192.168.2.0/24';  RGName = 'Expert-vnets-jpe'}
    @{Name = "Expert-Spoke-jpe-EMS"; Location = 'japaneast'; AddressPrefix = '192.168.3.0/24';  RGName = 'Expert-vnets-jpe'}
    @{Name = "Expert-Spoke-jpe-VMs"; Location = 'japaneast'; AddressPrefix = '192.168.4.0/24';  RGName = 'Expert-vnets-jpe'}
)
140 | 141 | ##################### 142 | # Build vNETs # 143 | ##################### 144 | foreach ($vNET in $vNETs) { 145 | $Subnet = New-AzVirtualNetworkSubnetConfig -Name Subnet -AddressPrefix $vNET.AddressPrefix 146 | New-AzVirtualNetwork ` 147 | -Name $vnet.Name ` 148 | -ResourceGroupName $vNET.RGName ` 149 | -Location $vNET.Location ` 150 | -AddressPrefix $vNET.AddressPrefix ` 151 | -Subnet $Subnet 152 | } 153 | 154 | 155 | -------------------------------------------------------------------------------- /Storage/Storage Spaces/Tiered_Pool Max_Performance.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 12-12-2018 3 | # Usage : Create Tiered Storage Pools, Disks & Volumes 4 | 5 | #************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 12/12/2018 1.0 Intial Version 9 | # 10 | # 11 | #*************************************************************************** 12 | #> 13 | 14 | ########################## 15 | # Comments Section # 16 | ########################## 17 | # Assumes physical disks in the default primordial pool 18 | # Creates Mirrored Tiered virtual disks – need even number of SCM, SSD & HDD available disks 19 | # In this example I have 2x 256GB SCM disks + 2x 512GB SSD disks + 2x 4TB HDD physical disks (not counting boot/system disks of course) 20 | # I’d like to end up with # 3 mirrored and tiered vDisks of equal size using the maximum available space, with 25 GB write-back cache 21 | # Customize the following settings to meet your specific hardware configuration 22 | ########################## 23 | # Comments Section # 24 | ########################## 25 | 26 | $PoolName = “TieredPool” 27 | $WBCache = 25 # GB (Default is 1 GB for Tiered disks – 32 MB for non-tiered) 28 | $TieredMirroredvDisks = @("HyperV") # List names of mirrored-tiered 
vDisks you like to create 29 | $DriveLetters = @("Z") # List drive letters you like to assign to the new volumes 30 | $BlockSize = 32 # KB 31 | # End Data Entery section 32 | # 33 | $Loc = Get-Location 34 | $Date = Get-Date -format yyyyMMdd_hhmmsstt 35 | $logfile = $Loc.path + “\CreateSS_” + $Date + “.txt” 36 | function log ($string, $color) { 37 | if ($Color -eq $null) {$color = “white”} 38 | write-host $string -foregroundcolor $color 39 | $temp = “: ” + $string 40 | $string = Get-Date -format “yyyy.MM.dd hh:mm:ss tt” 41 | $string += $temp 42 | $string | out-file -Filepath $logfile -append 43 | } 44 | 45 | 46 | ################################# 47 | # Create new Storage Pool # 48 | ################################# 49 | $StorageSpaces = Get-StorageSubSystem -FriendlyName *windows* 50 | $PhysicalDisks = Get-PhysicalDisk -CanPool $true | Sort Size | FT DeviceId, FriendlyName, CanPool, Size, HealthStatus, MediaType -AutoSize -ErrorAction SilentlyContinue 51 | Log “Available physical disks:” green 52 | log ($PhysicalDisks | Out-String) 53 | if (!$PhysicalDisks) { 54 | log “Error: no physical disks are available in the primordial pool..stopping” yellow 55 | break 56 | } 57 | get-physicaldisk | ? -Property size -EQ 256GB | Set-PhysicalDisk -MediaType SCM get-physicaldisk | ? -Property size -EQ 512GB | Set-PhysicalDisk -MediaType SSD get-physicaldisk | ? 
-Property size -EQ 4095GB | Set-PhysicalDisk -MediaType HDD 58 | $PhysicalDisks = Get-PhysicalDisk -CanPool $true -ErrorAction SilentlyContinue | Sort-Object -Property size 59 | 60 | 61 | ################################################### 62 | # Count SCM, SSD & HDD disks, size & errors # 63 | ################################################### 64 | $SCMBytes=0; $SSDBytes=0; $HDDBytes=0 65 | for ($i=0; $i -le $PhysicalDisks.Count; $i++) { 66 | if ($PhysicalDisks[$i].MediaType -eq “SCM”) {$SCM++; $SCMBytes+=$PhysicalDisks[$i].Size} 67 | if ($PhysicalDisks[$i].MediaType -eq “SSD”) {$SSD++; $SSDBytes+=$PhysicalDisks[$i].Size} 68 | if ($PhysicalDisks[$i].MediaType -eq “HDD”) {$HDD++; $HDDBytes+=$PhysicalDisks[$i].Size} 69 | } 70 | $Disks = $HDD + $SSD + $SCM 71 | if ( $Disks -lt 4) { log “Error: Only $Disks disks are available. Need minimum 4 disks for mirrored-tiered storage spaces..stopping” yellow; break } 72 | if ( $SSD -lt 2) { log “Error: Only $SSD SSD disks are available. Need minimum 2 SSD disks for mirrored-tiered storage spaces..stopping” yellow; break } 73 | if ( $HDD -lt 2) { log “Error: Only $HDD HDD disks are available. Need minimum 2 HDD disks for mirrored-tiered storage spaces..stopping” yellow; break } 74 | if ( $SSD % 2 -eq 0) {} else { log “Error: Found $SSD SSD disk(s). Need even number of SSD disks for mirrored storage spaces..stopping” yellow; break } 75 | if ( $HDD % 2 -eq 0) {} else { log “Error: Found $HDD HDD disk(s). 
Need even number of HDD disks for mirrored storage spaces..stopping” yellow; break } 76 | 77 | 78 | ######################### 79 | # Create new pool # 80 | ######################### 81 | log “Creating new Storage Pool ‘$PoolName’:” green 82 | $Status = New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $StorageSpaces.FriendlyName -PhysicalDisks $PhysicalDisks -ErrorAction SilentlyContinue 83 | log ($Status | Out-String) 84 | if ($Status.OperationalStatus -eq “OK”) {log “Storage Pool creation succeeded” green} else { log “Storage Pool creation failed..stopping” yellow; break } 85 | 86 | 87 | ####################################### 88 | # Configure resiliency settings # 89 | ####################################### 90 | Get-StoragePool $PoolName |Set-ResiliencySetting -Name Mirror -NumberofColumnsDefault 1 -NumberOfDataCopiesDefault 2 91 | 92 | 93 | ############################# 94 | # Configure two tiers # 95 | ############################# 96 | Get-StoragePool $PoolName | New-StorageTier –FriendlyName SCMTier –MediaType SCM 97 | Get-StoragePool $PoolName | New-StorageTier –FriendlyName SSDTier –MediaType SSD 98 | Get-StoragePool $PoolName | New-StorageTier –FriendlyName HDDTier –MediaType HDD 99 | $SCMSpace = Get-StorageTier -FriendlyName SCMTier 100 | $SSDSpace = Get-StorageTier -FriendlyName SSDTier 101 | $HDDSpace = Get-StorageTier -FriendlyName HDDTier 102 | 103 | 104 | ####################################### 105 | # Create tiered/mirrored vDisks # 106 | ####################################### 107 | $BlockSizeKB = $BlockSize * 1024 108 | $WBCacheGB = $WBCache * 1024 * 1024 * 1024 # GB 109 | $SCMDSize = $SCMBytes/($TieredMirroredvDisks.Count*2) – ($WBCacheGB + (2*1024*1024*1024)) 110 | $SSDSize = $SSDBytes/($TieredMirroredvDisks.Count*2) – ($WBCacheGB + (2*1024*1024*1024)) 111 | $HDDSize = $HDDBytes/($TieredMirroredvDisks.Count*2) – ($WBCacheGB + (2*1024*1024*1024)) 112 | $temp = 0 113 | ForEach ($vDisk in $TieredMirroredvDisks) { 114 | log 
“Attempting to create vDisk ‘$vDisk’..” 115 | $Status = Get-StoragePool $PoolName | New-VirtualDisk -FriendlyName $vDisk -ResiliencySettingName Mirror –StorageTiers $SCMSpace, $SSDSpace, $HDDSpace -StorageTierSizes $SCMDSize, $SSDSize,$HDDSize -WriteCacheSize $WBCacheGB 116 | log ($Status | Out-String) 117 | $DriveLetter = $DriveLetters[$temp] 118 | if ($Status.OperationalStatus -eq “OK”) { 119 | log “vDisk ‘$vDisk’ creation succeeded” green 120 | log “Initializing disk ‘$vDisk’..” 121 | $InitDisk = $Status | Initialize-Disk -PartitionStyle GPT -PassThru # Initialize disk 122 | log ($InitDisk | Out-String) 123 | log “Creating new partition on disk ‘$vDisk’, drive letter ‘$DriveLetter’..” 124 | $Partition = $InitDisk | New-Partition -UseMaximumSize -DriveLetter $DriveLetter # Create new partition 125 | log ($Partition | Out-String) 126 | log “Formatting new partition as volume ‘$vDisk’, drive letter ‘$DriveLetter’, NTFS, $BlockSize KB block size..” 127 | $Format = $Partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $vDisk -AllocationUnitSize $BlockSizeKB -Confirm:$false # Format new partition 128 | log ($Format | Out-String) 129 | } 130 | else { 131 | log “vDisk ‘$vDisk’ creation failed..stopping” yellow; break  132 | } 133 | $temp++ 134 | } 135 | 136 | Invoke-Expression “$env:windir\system32\Notepad.exe $logfile” 137 | 138 | -------------------------------------------------------------------------------- /SysPrepScript.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | Script created by John Jenner John.Jenner@microsoft.com 3 | 4 | Updated 12/3/2019 5 | #> 6 | 7 | # The following steps are from: https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image 8 | # https://docs.microsoft.com/en-us/azure/virtual-desktop/install-office-on-wvd-master-image 9 | 10 | 11 | Set-ExecutionPolicy -ExecutionPolicy Unrestricted 12 | 13 | Install-Module -Name PowerShellGet -Repository PSGallery -Force 
-ErrorAction Stop 14 | Install-Module -Name Az -AllowClobber 15 | 16 | # Set this variable to your FSLogix profile directory 17 | $FSLUNC = "Your File Share Here" 18 | 19 | Write-Host "This script will prepare your image for capture and eventual upload to Azure." 20 | 21 | Write-Host "Disabling Automatic Updates..." 22 | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f 23 | 24 | Write-Host "Moving pagefile.sys to D:\" 25 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name "PagingFiles" -Value "D:\pagefile.sys" -Type MultiString -Force 26 | 27 | Write-Host "Setting OneDrive for Business policies" Run this after you install One Drive 28 | #Configure OneDrive to start at sign-in for all users 29 | #REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe /background" /f 30 | #Silently configure user accounts 31 | #REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "SilentAccountConfig" /t REG_DWORD /d 1 /f 32 | #Redirect and move Windows known folders to OneDrive 33 | #REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "KFMSilentOptIn" /t REG_SZ /d "bad69d79-XXXX-XXXX-9157-966cbd2d9933" /f 34 | 35 | # Enter the following commands into the registry editor to fix 5k resolution support 36 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxMonitors /t REG_DWORD /d 4 /f 37 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxXResolution /t REG_DWORD /d 5120 /f 38 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxYResolution /t REG_DWORD /d 2880 /f 39 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxMonitors /t REG_DWORD /d 4 /f 40 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal 
Server\WinStations\rdp-sxs" /v MaxXResolution /t REG_DWORD /d 5120 /f 41 | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxYResolution /t REG_DWORD /d 2880 /f 42 | 43 | # Enable timezone redirection 44 | Write-Host "Enabling time zone redirection..." 45 | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 1 /f 46 | 47 | # Disable Storage Sense 48 | Write-Host "Disabling Storage Sense..." 49 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy /v 01 /t REG_DWORD /d 0 /f 50 | 51 | # Remove the WinHTTP proxy 52 | netsh winhttp reset proxy 53 | 54 | # Set Coordinated Universal Time (UTC) time for Windows and the startup type of the Windows Time (w32time) service to Automatically 55 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' -name "RealTimeIsUniversal" -Value 1 -Type DWord -force 56 | Set-Service -Name w32time -StartupType Automatic 57 | 58 | # Set the power profile to the High Performance 59 | powercfg /setactive SCHEME_MIN 60 | 61 | # Make sure that the environmental variables TEMP and TMP are set to their default values 62 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name "TEMP" -Value "%SystemRoot%\TEMP" -Type ExpandString -force 63 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -name "TMP" -Value "%SystemRoot%\TEMP" -Type ExpandString -force 64 | 65 | # Set Windows services to defaults - This typically fails due to a permissions error, need to investigate why. 
May be due to differences in client vs Server os 66 | Set-Service -Name dhcp -StartupType Automatic 67 | Set-Service -Name IKEEXT -StartupType Automatic 68 | Set-Service -Name iphlpsvc -StartupType Automatic 69 | Set-Service -Name netlogon -StartupType Manual 70 | Set-Service -Name netman -StartupType Manual 71 | Set-Service -Name nsi -StartupType Automatic 72 | Set-Service -Name termService -StartupType Manual 73 | Set-Service -Name RemoteRegistry -StartupType Automatic 74 | Set-Service -Name Winrm -startuptype Automatic 75 | 76 | # Ensure RDP is enabled 77 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0 -Type DWord -force 78 | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name "fDenyTSConnections" -Value 0 -Type DWord -force 79 | 80 | # Set RDP Port to 3389 - Unnecessary for WVD due to reverse connect, but helpful for backdoor administration with a jump box 81 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "PortNumber" -Value 3389 -Type DWord -force 82 | 83 | # Listener is listening on every network interface 84 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "LanAdapter" -Value 0 -Type DWord -force 85 | 86 | # Configure NLA 87 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 1 -Type DWord -force 88 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "SecurityLayer" -Value 1 -Type DWord -force 89 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "fAllowSecProtocolNegotiation" -Value 1 -Type DWord -force 90 | 91 | # Set keep-alive value 92 | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name 
"KeepAliveEnable" -Value 1 -Type DWord -force 93 | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name "KeepAliveInterval" -Value 1 -Type DWord -force 94 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "KeepAliveTimeout" -Value 1 -Type DWord -force 95 | 96 | # Reconnect 97 | Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -name "fDisableAutoReconnect" -Value 0 -Type DWord -force 98 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "fInheritReconnectSame" -Value 1 -Type DWord -force 99 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "fReconnectSame" -Value 0 -Type DWord -force 100 | 101 | # Limit number of concurrent sessions 102 | Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -name "MaxInstanceCount" -Value 4294967295 -Type DWord -force 103 | 104 | # Remove any self signed certs 105 | Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "SSLCertificateSHA1Hash" -force 106 | 107 | # Turn on Firewall 108 | Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True 109 | 110 | # Allow WinRM 111 | REG add "HKLM\SYSTEM\CurrentControlSet\services\WinRM" /v Start /t REG_DWORD /d 2 /f 112 | net start WinRM 113 | Enable-PSRemoting -force 114 | Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -Enabled True 115 | 116 | # Allow RDP 117 | Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled True 118 | 119 | # Enable File and Printer sharing for ping 120 | Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -Enabled True 121 | 122 | # Add Defender exclusion for FSLogix 123 | # Add-MpPreference -ExclusionPath $FSLUNC 124 | 125 | #Add FSLogix 
settings 126 | New-Item -Path HKLM:\Software\FSLogix\ -Name Profiles -Force 127 | New-Item -Path HKLM:\Software\FSLogix\Profiles\ -Name Apps -Force 128 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "Enabled" -Type "Dword" -Value "1" 129 | New-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "VHDLocations" -Value \\eastus2wvdprofiles.file.core.windows.net\wvdfslogix -PropertyType MultiString -Force 130 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "SizeInMBs" -Type "Dword" -Value "1024" 131 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "IsDynamic" -Type "Dword" -Value "1" 132 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "VolumeType" -Type String -Value "vhd" 133 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "LockedRetryCount" -Type "Dword" -Value "12" 134 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "LockedRetryInterval" -Type "Dword" -Value "5" 135 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "ProfileType" -Type "Dword" -Value "3" 136 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "ConcurrentUserSessions" -Type "Dword" -Value "1" 137 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "RoamSearch" -Type "Dword" -Value "2" 138 | New-ItemProperty -Path HKLM:\Software\FSLogix\Profiles\Apps -Name "RoamSearch" -Type "Dword" -Value "2" 139 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "FlipFlopProfileDirectoryName" -Type "Dword" -Value "1" 140 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "SIDDirNamePattern" -Type String -Value "%username%%sid%" 141 | Set-ItemProperty -Path HKLM:\Software\FSLogix\Profiles -Name "SIDDirNameMatch" -Type String -Value "%username%%sid%" 142 | 143 | # Launch Sysprep 144 | Write-Host "We'll now launch Sysprep." 
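C:\Windows\System32\Sysprep\Sysprep.exe /generalize /oobe /shutdown


-------------------------------------------------------------------------------- /Storage/Prepare a Windows VHD or VHDX to upload to Azure.ps1: --------------------------------------------------------------------------------
<#Author : Dean Cefola
# Creation Date: 10/16/2018
# Usage : Prepare a Windows VHD or VHDX to upload to Azure
#
#**************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 10/16/2018 1.0 Initial Version
# 03/25/2019 2.0 Replace with a cleaner version
#***************************************************************************
#>


# Source for settings https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-prepare-for-upload-vhd-image?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json


# Global variables
# The agent package is fetched over HTTPS. The original used plain http for a file that is
# later handed to msiexec, which lets anyone on the network path substitute the installer.
$Uri = "https://go.microsoft.com/fwlink/?LinkID=394789&clcid=0x409"
$outfile = "$env:windir\temp\WindowsAzureVmAgent.2.7.1198.788.rd_art_stable.161208-0959.fre.msi"
$loc = "$env:windir\temp\sanpolicy.txt"
$logloc = "$env:windir\temp\sanpolicylogfile.txt"
$santext1 = "san policy=onlineall"
$santext2 = "exit"
$MSILOG = "C:\Windows\MSIInstall.log"
$Wshell = New-Object -ComObject Wscript.Shell

# Verify that PowerShell is running under administrative credentials. Every step below writes
# HKLM or reconfigures services, so stop here rather than fail half-way through.
Write-Host -ForegroundColor Yellow "Validating if the command shell is running under a Administrative context"
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host -ForegroundColor Yellow "This PowerShell prompt is not elevated."
    Write-Host -ForegroundColor Yellow "Please open a new PowerShell session using an Administrative token and please try again."
    return
}

# Creating sanpolicy file
$santext1 | Set-Content $loc
$santext2 | Add-Content $loc

Write-Host -ForegroundColor Yellow "Updating the SAN Policy of the C: drive"

# Run the diskpart script and keep its output for review
diskpart /s $loc | Out-File $logloc

Write-Host -ForegroundColor Green "Completed! Please validate the diskpart logs located here: $logloc"

# Allowing PSRemoting on the server (starts WinRM, creates the HTTP listener and opens its firewall rule)
Enable-PSRemoting -Force

# Resetting NetSH Winhttp Proxy Policy
netsh winhttp reset proxy

# Set Coordinated Universal Time (UTC) for the hardware clock; the w32time startup type is set with
# the services below. /f overwrites an existing value silently - without it REG asks "overwrite?"
# and an unattended run hangs on the prompt.
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1 /f

# Set services startup to Windows default values.
# NOTE: Set-Service has no -StartMode parameter (StartMode is the Win32_Service WMI property name);
# the cmdlet parameter is -StartupType, so the original "-startmode" calls would fail to bind.
Write-Host -ForegroundColor Yellow "Configuring local services start mode"

$autoStartServices = @(
    'w32time', 'bfe', 'dcomlaunch', 'dhcp', 'dnscache', 'IKEEXT', 'iphlpsvc', 'PolicyAgent',
    'LSM', 'netlogon', 'netman', 'NcaSvc', 'netprofm', 'NlaSvc', 'nsi', 'RpcSs', 'RpcEptMapper',
    'termService', 'MpsSvc', 'WinHttpAutoProxySvc', 'LanmanWorkstation', 'RemoteRegistry', 'wersvc'
)
foreach ($serviceName in $autoStartServices) {
    Set-Service -Name $serviceName -StartupType Automatic
}

Write-Host -ForegroundColor Green "Completed!"

# Update Remote Desktop registry settings

# Drop the instance-specific RDP certificate binding so the generalized image issues a fresh one.
# SSLCertificateSHA1Hash is a value under RDP-Tcp, not a subkey (the sibling sysprep script removes
# it with Remove-ItemProperty), hence /v. The original line ended in a typographic quote and had no
# /f, so REG either failed to parse it or waited for confirmation.
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash /f

# Keep-alives and authentication mode for the RDP service: NLA required (UserAuthentication=1),
# security layer negotiated, and the listener un-denied.
$rdpRegistryValues = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';             Name = 'KeepAliveEnable';              Data = 1 },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';             Name = 'KeepAliveInterval';            Data = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp'; Name = 'KeepAliveTimeout';             Data = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication';           Data = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'SecurityLayer';                Data = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'fAllowSecProtocolNegotiation'; Data = 1 },
    @{ Key = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server';                    Name = 'fDenyTSConnections';           Data = 0 }
)
foreach ($entry in $rdpRegistryValues) {
    REG ADD $entry.Key /v $entry.Name /t REG_DWORD /d $entry.Data /f
}

# Configure Windows Firewall rules for Azure inbound.
# These follow the Microsoft image-preparation guidance. The Network Discovery listeners
# (LLMNR, NetBIOS, SSDP, UPnP) widen the VM's attack surface; restrict them with an NSG or
# firewall policy once the image is in use if they are not needed.
Write-Host -ForegroundColor Yellow "Starting to input inbound firewall rules"

$inboundRules = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'Network Discovery (LLMNR-UDP-In)',
    'Network Discovery (NB-Datagram-In)',
    'Network Discovery (NB-Name-In)',
    'Network Discovery (Pub-WSD-In)',
    'Network Discovery (SSDP-In)',
    'Network Discovery (UPnP-In)',
    'Network Discovery (WSD EventsSecure-In)',
    'Windows Remote Management (HTTP-In)'   # listed twice in the original; once is enough
)
foreach ($ruleName in $inboundRules) {
    netsh advfirewall firewall set rule dir=in name="$ruleName" new enable=yes
}

Write-Host -ForegroundColor Green "Completed!"

# Configure Windows Firewall rule groups for Azure inbound and outbound
Write-Host -ForegroundColor Yellow "Starting to input inbound and outbound firewall rules"

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
netsh advfirewall firewall set rule group="Core Networking" new enable=yes

Write-Host -ForegroundColor Green "Completed!"

# Configure Windows Firewall rules for Azure outbound
Write-Host -ForegroundColor Yellow "Starting to configure outbound firewall rules"

$outboundRules = @(
    'Network Discovery (LLMNR-UDP-Out)',
    'Network Discovery (NB-Datagram-Out)',
    'Network Discovery (NB-Name-Out)',
    'Network Discovery (Pub-WSD-Out)',
    'Network Discovery (SSDP-Out)',
    'Network Discovery (UPnPHost-Out)',
    'Network Discovery (UPnP-Out)',
    'Network Discovery (WSD Events-Out)',
    'Network Discovery (WSD EventsSecure-Out)',
    'Network Discovery (WSD-Out)'
)
foreach ($ruleName in $outboundRules) {
    netsh advfirewall firewall set rule dir=out name="$ruleName" new enable=yes
}

Write-Host -ForegroundColor Green "Completed!"

# The Dump Log configuration
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 2 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpFolder /t REG_EXPAND_SZ /d "c:\CrashDumps" /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpCount /t REG_DWORD /d 10 /f
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 2 /f

# Setting Boot Configuration Data (BCD) settings.
# bcdedit is invoked through WScript.Shell because PowerShell would parse {default} as a script block.
# The third Run() argument (bWaitOnReturn) makes each call synchronous so its exit code can be
# checked; the original fired them asynchronously and never learned whether one failed.
$bcdCommands = @(
    'bcdedit /set {bootmgr} integrityservices enable',
    'bcdedit /set {default} device partition=C:',
    'bcdedit /set {default} integrityservices enable',
    'bcdedit /set {default} recoveryenabled Off',
    'bcdedit /set {default} osdevice partition=C:',
    'bcdedit /set {default} bootstatuspolicy IgnoreAllFailures'
)
foreach ($bcdCommand in $bcdCommands) {
    $exitCode = $Wshell.Run($bcdCommand, 0, $true)
    if ($exitCode -ne 0) {
        Write-Warning "'$bcdCommand' exited with code $exitCode"
    }
}

# Make sure to download and install the following agent for Azure
# Source: https://go.microsoft.com/fwlink/?LinkID=394789&clcid=0x409
# Downloading the agent
Write-Host -ForegroundColor Yellow "Starting to download the Microsoft Azure agent!"
Invoke-WebRequest -Uri $Uri -OutFile $outfile
Unblock-File -Path $outfile

# Validating that the file downloaded. PLEASE NOTE THE FILE IS SUBJECT TO CHANGE IN THE FUTURE!!!!!
# The original only printed Test-Path's result and carried on to msiexec regardless. A missing or
# tampered package must stop the run before anything executes it, so the download is required to
# exist and to carry a valid Authenticode signature.
if (-not (Test-Path -Path $outfile)) {
    throw "Azure VM agent package was not downloaded to $outfile"
}
$agentSignature = Get-AuthenticodeSignature -FilePath $outfile
if ($agentSignature.Status -ne 'Valid') {
    throw "Azure VM agent package at $outfile is not validly signed (status: $($agentSignature.Status)); refusing to install it"
}
Write-Host -ForegroundColor Yellow "Azure agent package downloaded and its Authenticode signature verified."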
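# Installing the Azure agent.
# msiexec is a GUI-subsystem executable, so "& msiexec.exe" returns at once; the original papered
# over that with a fixed sleep (its comment said 10 seconds, the code slept 30). Waiting on the
# process and checking its exit code is deterministic. 3010 is Windows Installer's
# "success, reboot required", which sysprep's shutdown satisfies.
Write-Host -ForegroundColor Yellow "Starting to install the Microsoft Azure Agent"
$msiArguments = @('/i', "`"$outfile`"", '/qn', '/l*', "`"$MSILOG`"")
$msiProcess = Start-Process -FilePath msiexec.exe -ArgumentList $msiArguments -Wait -PassThru
if (@(0, 3010) -notcontains $msiProcess.ExitCode) {
    throw "Azure agent installation failed with msiexec exit code $($msiProcess.ExitCode); see $MSILOG"
}

# Configuring the system to use D: as the pagefile location
# (D: is assumed to be the VM's temporary disk - confirm for the target VM size)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /t REG_MULTI_SZ /v PagingFiles /d "D:\pagefile.sys 0 0" /f

Write-Host -ForegroundColor Yellow "Preparing to start sysprep process and the system will shut off. DO NOT INTERRUPT THE PROCESS!"

# Setting location to the sysprep directory
Set-Location C:\Windows\system32\Sysprep

& .\sysprep.exe /oobe /generalize /shutdown

-------------------------------------------------------------------------------- /Azure AD/Create Users.ps1: --------------------------------------------------------------------------------
<#Author : Dean Cefola
# Creation Date: 8-26-2019
# Usage : Create OU and AD Users Accounts
#
#**************************************************************************
# Date Version Changes
#------------------------------------------------------------------------
# 8/26/2019 1.0 Initial Version
#
#
#***************************************************************************
#>


##################################
#    Azure AD Users Variables    #
##################################
# Import first: the AD cmdlets below are used before the original's Import-Module line.
Import-Module -Name ActiveDirectory

$DomainFQDN = (Get-WmiObject -Class win32_computersystem).Domain
$Domain = $DomainFQDN.Split('.') | Select-Object -First 1
$DomainSuffix = $DomainFQDN.Split('.') | Select-Object -Last 1
# Ask AD for the domain DN instead of assembling "DC=$Domain,DC=$DomainSuffix" by hand, which is
# only right for two-label domains (child.contoso.com would lose its middle label). $Domain and
# $DomainSuffix are kept because later sections of this script still build paths from them.
$DomainDN = (Get-ADDomain).DistinguishedName
$DomainSite = (Get-ADDomainController).Site
$DomainController = (Get-ADDomainController).Name
# One password is prompted for and shared by every lab account created below.
$Password = Read-Host -Prompt "Enter Default User Password" -AsSecureString
$OUName = Read-Host -Prompt "Enter Name for AD Organizational Unit"
if ([string]::IsNullOrWhiteSpace($OUName)) {
    throw "An Organizational Unit name is required"
}
# The original built this from $DomainName, which is never assigned in the script.
$UserPath = "OU=$OUName,$DomainDN"
Set-Location AD:
Set-Location ".\$DomainDN"


#############################
#    Create OU Structure    #
#############################
$ouRoot = "OU=$OUName,$DomainDN"
$CreateADOU = @(
    @("$OUName", $DomainDN),
    @("_Delegation", $ouRoot),
    @("Delegation Permissions", "OU=_Delegation,$ouRoot"),
    @("Delegation Roles", "OU=_Delegation,$ouRoot"),
    @("_GPO Exceptions", $ouRoot),
    @("GPO Groups", "OU=_GPO Exceptions,$ouRoot"),
    @("GPO Test", "OU=_GPO Exceptions,$ouRoot"),
    @("RemoteApps", $ouRoot),
    @("Azure", $ouRoot),
    @("Azure Computers", "OU=Azure,$ouRoot"),
    @("Azure Groups", "OU=Azure,$ouRoot"),
    @("Azure Users", "OU=Azure,$ouRoot")
)
foreach ($OU in $CreateADOU) {
    $OU_Name = $OU[0]
    $OU_Path = $OU[1]
    # Accidental-deletion protection is switched off so the lab can be torn down; keep the
    # default (protected) for OUs that hold real accounts.
    New-ADOrganizationalUnit -Server $DomainController -Name $OU_Name -Path $OU_Path -ProtectedFromAccidentalDeletion $false
}


###############################
#    Create AD Role Groups    #
###############################
# Each entry: group name, description, OU path relative to the lab root OU.
$CreateADGroup = @(
    @("GPO-Exception-IE-AutoDetect", "Disable IE Proxy Auto Detect", "OU=GPO Groups,OU=_GPO Exceptions"),
    @("GPO-Exception-WelcomeMessage", "Disable Windows Welcome Message", "OU=GPO Groups,OU=_GPO Exceptions"),
    @("PERM-Act-As-Part-of-the-Operating-System", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Adjust-memory-quotas-for-a-process", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Create-a-token-object", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Deny-Log-on-Through-Terminal-Services", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Join-to-Domain", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Logon-As-a-Batch-Service", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Manage-Groups", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Manage-OU", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Manage-Reset-Passwords", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Manage-Users", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Replace-a-Process-Level-Token", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Replicate-Directory-Changes", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Restore-Files-and-Directories", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("PERM-Manage-RDS", "PERM - Security Policy", "OU=Delegation Permissions,OU=_Delegation"),
    @("REMOTEAPP-BPCClient", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-IE", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-MDM-Console", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-MDM-Data", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-MDM-Import", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-MDM-Publisher", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-MDM-Syndicator", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-RDP", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-SAPGui", "Remote Application", "OU=RemoteApps"),
    @("REMOTEAPP-SQL", "Remote Application", "OU=RemoteApps"),
    @("ROLE-FIM-Administration-of-AD", "ROLE - FIM Admin Rights", "OU=Delegation Roles,OU=_Delegation"),
    @("ROLE-SAP-Service-SID-Local-Rights", "ROLE - SAP Service Rights", "OU=Delegation Roles,OU=_Delegation"),
    @("ROLE-SAP-SIDadm-Local-Rights", "ROLE - SAP Module Admin Rights", "OU=Delegation Roles,OU=_Delegation"),
    @("ROLE-SCOM-Admins", "ROLE - SCOM Administration", "OU=Delegation Roles,OU=_Delegation"),
    @("ROLE-SCOM-Operators", "ROLE - SCOM Operators", "OU=Delegation Roles,OU=_Delegation"),
    @("ROLE-RDS-Admin", "ROLE - RDS Administration", "OU=Delegation Roles,OU=_Delegation")
)
$Root = ",OU=$OUName,$DomainDN"
foreach ($GP in $CreateADGroup) {
    $GP_Name = $GP[0]
    $GP_Label = $GP[1]
    $GP_Path = $GP[2] + $Root

    Write-Host -ForegroundColor Cyan -BackgroundColor Black " Create New AD Group $GP_Name"
    ""
    $groupParams = @{
        Name           = $GP_Name
        Description    = $GP_Label
        DisplayName    = $GP_Name
        Path           = $GP_Path
        SamAccountName = $GP_Name
        GroupScope     = 'Global'
    }
    New-ADGroup @groupParams
    ""
}


###########################################
#    Add Users to AD Permisions Groups    #
###########################################
# Each entry nests a PERM-* group inside a ROLE-* group (group-in-group, not user membership).
$PERM_MiscPerms = @(
    @("PERM-Deny-Log-on-Through-Terminal-Services", "ROLE-SAP-Service-SID-Local-Rights"),
    @("PERM-Restore-Files-and-Directories", "ROLE-SAP-Service-SID-Local-Rights"),
    @("PERM-Act-As-Part-of-the-Operating-System", "ROLE-SAP-SIDadm-Local-Rights"),
    @("PERM-Adjust-memory-quotas-for-a-process", "ROLE-SAP-SIDadm-Local-Rights"),
    @("PERM-Replace-a-Process-Level-Token", "ROLE-SAP-SIDadm-Local-Rights"),
    @("PERM-Manage-Reset-Passwords", "ROLE-FIM-Administration-of-AD"),
    @("PERM-Manage-Users", "ROLE-FIM-Administration-of-AD"),
    @("PERM-Manage-Groups", "ROLE-FIM-Administration-of-AD"),
    @("PERM-Manage-OU", "ROLE-FIM-Administration-of-AD"),
    @("PERM-Manage-RDS", "ROLE-RDS-Admin")
)
foreach ($PERM_Misc in $PERM_MiscPerms) {
    $MemberName = $PERM_Misc[0]
    $GroupName = $PERM_Misc[1]

    Write-Host -ForegroundColor Cyan -BackgroundColor Black "Add AD Group $MemberName to Group $GroupName"
    ""
    Add-ADGroupMember -Identity $GroupName -Members $MemberName
}


#################################
#    Create AD User Accounts    #
#################################
# Each entry: account name, mail address, OU path relative to the lab root OU. The leading-comma
# form is kept so the element shape matches the remainder of this array further down.
$CreateADUsers = @(
    #Marvel Universe
    ,@("AdamWarlock", "AdamWarlock@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("BlackWidow", "BlackWidow@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("CaptainAmerica", "CaptainAmerica@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("DrStrange", "DrStrange@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Gamora", "Gamora@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Hulk", "Hulk@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("MariaHill", "MariaHill@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("NickFury", "NickFury@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Nova", "Nova@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Rocket", "Rocket@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Spiderman", "Spiderman@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("StarLord", "StarLord@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Thor", "Thor@$DomainFQDN", "OU=Azure Users,OU=Azure")
    #DC Universe
    ,@("Batman", "Batman@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("CatWoman", "CatWoman@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Superman", "Superman@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("BlackAdam", "BlackAdam@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("Joker", "Joker@$DomainFQDN", "OU=Azure Users,OU=Azure")
    ,@("LexLuthor", "LexLuthor@$DomainFQDN", "OU=Azure Users,OU=Azure")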
172 | ,@("Robin", "Robin@$DomainFQDN", "OU=Azure Users,OU=Azure") 173 | ,@("WonderWoman", "WonderWoman@$DomainFQDN", "OU=Azure Users,OU=Azure") 174 | ) 175 | $SecurePassword = $Password 176 | foreach ($ADUser in $CreateADUsers) { 177 | $Root = ",OU=$OUName,DC=$Domain,DC=$DomainSuffix" 178 | $User_Name = $ADUser[0] 179 | $User_Email = $ADUser[1] 180 | $User_Path = $ADUser[2] + $Root 181 | Write-Host -ForegroundColor Cyan -BackgroundColor Black ("Provisioning AD User " + $User_Name); 182 | "" 183 | "" 184 | New-ADUser ` 185 | -AccountPassword $SecurePassword ` 186 | -AuthType Negotiate ` 187 | -Company $DomainName ` 188 | -Department "AD Training" ` 189 | -DisplayName $User_Name ` 190 | -Description "AD User" ` 191 | -Enabled 1 ` 192 | -Name $User_Name ` 193 | -Organization "AD Training" ` 194 | -Path $User_Path ` 195 | -PasswordNeverExpires 1 ` 196 | -EmailAddress $User_Email 197 | } 198 | 199 | 200 | cd c:\ 201 | 202 | -------------------------------------------------------------------------------- /Storage/azure_disk_encryption_PREP.ps1: -------------------------------------------------------------------------------- 1 | 2 | Function New-AzureVMEncryptPrep { 3 | <# 4 | .Synopsis 5 | Create a new resource group or use existing Resource Group 6 | Script will create the following resources 7 | 1. Resource Group if does not exist 8 | 2. Azure AD Application 9 | 3. Azure KeyVault 10 | i. Secrets 11 | 1. Disk Encryption Secret 12 | ii. 
Assign Azure AD Application KeyVault Permissions 13 | 14 | .Description 15 | Azure Disk Encryption Preperation 16 | 17 | .Parameter Prefix 18 | This code for will be used as a prefix for all resources deployed to keep them unique 19 | 20 | .Parameter ResourceGroupName 21 | This code for will be used as a prefix for all resources deployed to keep them unique 22 | 23 | .Parameter Location 24 | primary Azure region used in this deployment 25 | 26 | .Parameter KeyVaultAdmin 27 | Email address that will administer KeyVault secrets 28 | 29 | .Example 30 | # Create new Azure Deployment 31 | New-AzureVMEncryptPrep ` 32 | -Prefix zx9 ` 33 | -ResourceGroupName zx9-RG-security ` 34 | -Location southcentralus ` 35 | -KeyVaultAdmin KeyVaultAdmin@Contoso.com 36 | 37 | #> 38 | [Cmdletbinding()] 39 | Param ( 40 | [Parameter(Mandatory=$true)] 41 | [string]$Prefix, 42 | [Parameter(Mandatory=$true)] 43 | [string]$ResourceGroupName, 44 | [Parameter(Mandatory=$true)] 45 | [validateset('australiaeast','australiasoutheast','brazilsouth','canadacentral', ` 46 | 'canadaeast','centralindia','centralus','eastasia','eastus','eastus2','japaneast', ` 47 | 'japanwest','koreacentral','koreasouth','northcentralus','northeurope','southcentralus', ` 48 | 'southeastasia','southindia','uksouth','ukwest','westcentralus','westeurope','westindia', ` 49 | 'westus','westus2')] 50 | [string]$Location, 51 | [Parameter(Mandatory=$true)] 52 | [string]$KeyVaultAdmin, 53 | [Parameter(Mandatory=$false)] 54 | [bool]$GenerateKeyCert=$false 55 | 56 | ) 57 | 58 | Begin { 59 | cls 60 | $Prefix = $Prefix.ToLower() 61 | $RGName = $ResourceGroupName 62 | $KVName = $Prefix+"-KeyVault01" 63 | $AADDisplayName = $Prefix+"AzureDiskEncryptApp" 64 | $SecretName = 'AzureDiskEncryption' 65 | $AADClientSecret = $Prefix+"disksecret" 66 | } 67 | 68 | Process { 69 | ################################ 70 | # Create Resource Groups # 71 | ################################ 72 | if ((Get-AzureRmResourceGroup -Name $RGName -ErrorAction 
SilentlyContinue) -eq $null) { 73 | Write-Host ` 74 | -ForegroundColor Green ` 75 | -BackgroundColor Black ` 76 | "Creating New Azure Resource Group $RGName" 77 | "" 78 | New-AzureRmResourceGroup ` 79 | -Name $RGName ` 80 | -Location $Location 81 | wait-event -Timeout 5 82 | } 83 | Else { 84 | Write-Host ` 85 | -ForegroundColor Yellow ` 86 | -BackgroundColor Black ` 87 | "ResourceGroup $RGName already exists" 88 | "" 89 | wait-event -Timeout 2 90 | } 91 | ################################ 92 | # Create Azure Key Vault # 93 | ################################ 94 | if ((Get-AzureRmKeyVault -ResourceGroupName $RGName -VaultName $KVName -ErrorAction SilentlyContinue) -eq $null) { 95 | Write-Host ` 96 | -ForegroundColor Green ` 97 | -BackgroundColor Black ` 98 | "Creating New Azure KeyVault" 99 | "" 100 | New-AzureRmKeyVault ` 101 | -VaultName $KVName ` 102 | -ResourceGroupName $RGName ` 103 | -Location $Location ` 104 | -EnabledForDeployment ` 105 | -EnabledForTemplateDeployment ` 106 | -EnabledForDiskEncryption ` 107 | -Sku Premium ` 108 | -DefaultProfile (Get-AzureRmContext) 109 | wait-event -timeout 5 110 | '' 111 | Write-Host ` 112 | -ForegroundColor green ` 113 | -BackgroundColor Black ` 114 | "Setting VaultAdmin permissions" 115 | "" 116 | $ID = (Get-AzureRmADUser -UserPrincipalName $KeyVaultAdmin).id.guid 117 | Set-AzureRmKeyVaultAccessPolicy ` 118 | -VaultName $KVName ` 119 | -ResourceGroupName $RGName ` 120 | -ObjectId $ID ` 121 | -PermissionsToSecrets get, list, set, delete, backup, restore, recover, purge ` 122 | -Verbose 123 | } 124 | Else { 125 | Write-Host ` 126 | -ForegroundColor Yellow ` 127 | -BackgroundColor Black ` 128 | "KeyVault $KVName already exists" 129 | "" 130 | wait-event -Timeout 2 131 | } 132 | If (((get-azurermkeyvault -ResourceGroupName $RGName -VaultName $KVName -ErrorAction SilentlyContinue).EnabledForDiskEncryption) -eq $false){ 133 | Write-Host ` 134 | -ForegroundColor Green ` 135 | -BackgroundColor Black ` 136 | "Enabling Disk 
Encryption" 137 | Set-AzureRmKeyVaultAccessPolicy ` 138 | -ResourceGroupName $RGName ` 139 | -VaultName $KVName ` 140 | -EnabledForDiskEncryption 141 | "" 142 | } 143 | Else { 144 | Write-Host ` 145 | -ForegroundColor Yellow ` 146 | -BackgroundColor Black ` 147 | "Disk Encryption is already Enabled" 148 | "" 149 | } 150 | ##################################################### 151 | # Create Azure Key Vault Secrets # 152 | ##################################################### 153 | if ((Get-AzureKeyVaultSecret -VaultName $KVName -Name $SecretName -ErrorAction SilentlyContinue) -eq $null) { 154 | Write-Host ` 155 | -ForegroundColor Green ` 156 | -BackgroundColor Black ` 157 | "Creating New Local Admin Secret" 158 | "" 159 | $AADSecret = ConvertTo-SecureString ` 160 | -String $AADClientSecret ` 161 | -AsPlainText ` 162 | -Force 163 | Set-AzureKeyVaultSecret ` 164 | -VaultName $KVName ` 165 | -Name $secretName ` 166 | -SecretValue $AADSecret 167 | } 168 | Else { 169 | Write-Host ` 170 | -ForegroundColor Yellow ` 171 | -BackgroundColor Black ` 172 | "Disk Encryption Secret already exists" 173 | "" 174 | } 175 | ##################################################### 176 | # Create Azure AD Application for Encryption # 177 | ##################################################### 178 | If ((Get-AzureRmADApplication -DisplayNameStartWith $AADDisplayName -ErrorAction SilentlyContinue) -eq $null) { 179 | Write-Host ` 180 | -ForegroundColor Green ` 181 | -BackgroundColor Black ` 182 | "Creating Disk Encryption Application" 183 | "" 184 | $AAD_App = New-AzureRmADApplication ` 185 | -DisplayName $AADDisplayName ` 186 | -HomePage "http://homepage$AADDisplayName" ` 187 | -IdentifierUris "http://$AADDisplayName" ` 188 | -Password $AADSecret 189 | $AAD_ID = $AAD_App.ApplicationId.Guid 190 | "" 191 | New-AzureRmADServicePrincipal -ApplicationId $AAD_ID 192 | "" 193 | $AAD_SPN = (Get-AzureRmADServicePrincipal -SearchString $AADDisplayName).Id.Guid 194 | Set-AzureRmKeyVaultAccessPolicy ` 
195 | -VaultName $KVName ` 196 | -ResourceGroupName $RGName ` 197 | -ServicePrincipalName $AAD_ID ` 198 | -PermissionsToKeys wrapKey ` 199 | -PermissionsToSecrets set 200 | } 201 | Else { 202 | Write-Host ` 203 | -ForegroundColor Yellow ` 204 | -BackgroundColor Black ` 205 | "Azure AD App already exists" 206 | "" 207 | $AAD_ID = (Get-AzureRmADApplication -DisplayNameStartWith $AADDisplayName).ApplicationId.Guid 208 | $AAD_SPN = (Get-AzureRmADServicePrincipal -SearchString $AADDisplayName).Id.Guid 209 | Set-AzureRmKeyVaultAccessPolicy ` 210 | -VaultName $KVName ` 211 | -ResourceGroupName $RGName ` 212 | -ServicePrincipalName $AAD_ID ` 213 | -PermissionsToKeys wrapKey ` 214 | -PermissionsToSecrets set 215 | } 216 | <############################################## 217 | # Generate Cert for Key Encryption Key # 218 | ############################################## 219 | If(($GenerateKeyCert -eq $true)){ 220 | Write-Host ` 221 | -ForegroundColor Magenta ` 222 | -BackgroundColor Black ` 223 | "New Certificate for Key Encryption Key (KEK) Requested..." 224 | "" 225 | $exportPath = 'C:\temp\' 226 | $exportFile = 'C:\temp\Diskencrypt.pfx' 227 | ######################### 228 | # Create New Cert # 229 | ######################### 230 | If((Get-ChildItem Cert:\Localmachine\my | ? -Property subject -eq 'CN=DiskEncryptionCert' -ErrorAction SilentlyContinue) -eq $null) { 231 | Write-Host ` 232 | -ForegroundColor Green ` 233 | -BackgroundColor Black ` 234 | "Creating New Cert for Key Encryption Key (KEK)" 235 | $Cert = New-SelfSignedCertificate ` 236 | -Subject "CN=DiskEncryptionCert" ` 237 | -CertStoreLocation "cert:\LocalMachine\My" ` 238 | -FriendlyName "DiskEncryptionCert" ` 239 | -NotAfter (Get-Date).AddMonths(60) ` 240 | -KeyAlgorithm RSA ` 241 | -KeyLength 2048 ` 242 | -Type Custom 243 | } 244 | Else { 245 | Wait-Event -Timeout 2 246 | Write-Host ` 247 | -ForegroundColor Yellow ` 248 | -BackgroundColor Black ` 249 | "Cert Already Exists, Verifying Export..." 
250 | } 251 | ############################## 252 | # Create Export Folder # 253 | ############################## 254 | if((Test-Path -LiteralPath $exportPath -ErrorAction SilentlyContinue)-eq $false){ 255 | Write-Host ` 256 | -ForegroundColor Green ` 257 | -BackgroundColor Black ` 258 | "Creating Cert Export Folder" 259 | New-Item -Path $exportPath -ItemType Directory -Force 260 | } 261 | Else { 262 | Write-Host ` 263 | -ForegroundColor Yellow ` 264 | -BackgroundColor Black ` 265 | "Export Folder Exists Already...Checking for Certificate" 266 | } 267 | ############################### 268 | # Export Cert to Folder # 269 | ############################### 270 | if((Test-Path -LiteralPath $exportFile -ErrorAction SilentlyContinue) -eq $false) { 271 | Export-PfxCertificate ` 272 | -Cert $Cert ` 273 | -Password (ConvertTo-SecureString "$AADClientSecret" -AsPlainText -Force) ` 274 | -FilePath Diskencrypt.pfx ` 275 | -Force 276 | Write-Host ` 277 | -ForegroundColor Cyan ` 278 | -BackgroundColor Black ` 279 | "Certificate is located at $exportFile" 280 | 281 | } 282 | Else { 283 | Write-Host ` 284 | -ForegroundColor Magenta ` 285 | -BackgroundColor Black ` 286 | "Certificate is available - $exportFile" 287 | } 288 | } 289 | Else { 290 | Write-Host ` 291 | -ForegroundColor Yellow ` 292 | -BackgroundColor Black ` 293 | "No Cert Requested" 294 | } 295 | ############################## 296 | # Upload Cert to Azure # 297 | ############################## 298 | if((Get-AzureKeyVaultCertificate -VaultName $KVName -Name Diskencrypt -ErrorAction SilentlyContinue) -eq $null){ 299 | Write-Host ` 300 | -ForegroundColor Green ` 301 | -BackgroundColor Black ` 302 | "Importing Cert into KeyVault" 303 | 304 | $KVCert = Get-AzureKeyVaultCertificate -VaultName $KVName -Name Diskencrypt 305 | $KVCert.SecretId 306 | } 307 | Else { 308 | Write-Host ` 309 | -ForegroundColor Yellow ` 310 | -BackgroundColor Black ` 311 | "Cert Already Imported to KeyVault" 312 | $KVCert = 
Get-AzureKeyVaultCertificate -VaultName $KVName -Name Diskencrypt 313 | $KVCert.SecretId 314 | } 315 | #> 316 | ################################## 317 | # Prepare Output Variables # 318 | ################################## 319 | $KV = Get-AzureRmKeyVault -VaultName $KVName -ResourceGroupName $RGName 320 | $KVuri = $KV.VaultUri 321 | } 322 | 323 | End { 324 | Write-host ` 325 | -ForegroundColor Red ` 326 | " ######################## 327 | # Script Outputs # 328 | ######################## 329 | " 330 | 331 | Write-host "Azure AD App name = $AADDisplayName" 332 | Write-host "Azure AD Client ID for Encryption = $AAD_ID" 333 | Write-host "Azure AD Client Secret to Encrypt = $AADClientSecret" 334 | "" 335 | Write-host "Key Vault Name = $KVName" 336 | Write-host "KeyVault RGName = $RGName" 337 | Write-host "Key Vault URL = $KVuri" 338 | 339 | Clear-History 340 | } 341 | 342 | } 343 | 344 | New-AzureVMEncryptPrep ` 345 | -Prefix AA ` 346 | -ResourceGroupName AzureAcademy ` 347 | -Location eastus ` 348 | -KeyVaultAdmin deacef@microsoft.com 349 | -------------------------------------------------------------------------------- /______BUILD & Delete Muli Subsciptions.ps1: -------------------------------------------------------------------------------- 1 | <#Author : Dean Cefola 2 | # Creation Date: 08-01-2019 3 | # Usage : Ignite Prep - 80 subscriptions 4 | 5 | #******************************************************************************** 6 | # Date Version Changes 7 | #------------------------------------------------------------------------ 8 | # 08/01/2019 1.0 Intial Version 9 | # 09/12/2019 2.0 Prep for 80 Ignite Subscriptions 10 | # 10/15/2019 3.0 Testing complete (taking too long) 11 | # 10/25/2019 4.0 Upgrade all processes to PS Jobs 12 | # 13 | #********************************************************************************* 14 | # 15 | #> 16 | 17 | 18 | #################################### 19 | # Install PowerShell Modules # 20 | 
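####################################
# Modules are pulled unpinned from the PSGallery (Find-Module returns whatever
# is newest). Pin with -RequiredVersion when a reproducible lab build matters.
Find-Module -Name AzureAD      | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name AZ           | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name AzureRM      | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name MSonline     | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name Az.Blueprint | Install-Module -Force -AllowClobber -Verbose
Find-Module -Name Az.Security  | Install-Module -Force -AllowClobber -Verbose


################################
#    Authenticate to Azure     #
################################
# NOTE(review): credential-based sign-in only works for an admin account
# without MFA; the original used the same pattern - confirm for the account used.
$Admin = ''
$creds = Get-Credential `
    -UserName $Admin `
    -Message "Enter Password for Azure Credentials"
Login-AzAccount -Credential $creds
Connect-AzureAD -Credential $creds
connect-msolservice -credential $creds


##################################
#    Azure AD Users Variables    #
##################################
$Prefix       = 'IgniteUser'
$DomainName   = ''
$DomainSuffix = 'com'
$FQDN         = "$DomainName.$DomainSuffix"
$UserCount    = 80          # IgniteUser1..IgniteUser80, each owning a subscription of the same name
$JobThrottleSeconds = 5     # pause between Start-Job calls in the bulk-delete sections (was Wait-Event -Timeout 5)
$TenantID     = (Get-AzSubscription | Select-Object -First 1).TenantId

# The shared initial password is prompted for instead of being kept in source:
# the original embedded it as a string literal, which puts the credential into
# version control and into every copy of this file.
$InitialPassword = Get-Credential `
    -UserName $Prefix `
    -Message "Enter the initial password for the $UserCount lab users"
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = $InitialPassword.GetNetworkCredential().Password
$PasswordProfile.EnforceChangePasswordPolicy = $false
# Kept at $false as in the original so attendees can sign in straight away;
# set $true for anything longer-lived than a one-day lab.
$PasswordProfile.ForceChangePasswordNextLogin = $false


#############################################################
#   Helpers shared by the PREP and DELETE sections           #
#   The sections below are meant to be run one region at a   #
#   time (PREP before the event, DELETE afterwards).          #
#   Start-Job script blocks run in a separate process and    #
#   cannot see these functions; only the outer loops use them.#
#############################################################

# Name and UPN of lab user number $N.
function Get-LabUser {
    param([Parameter(Mandatory)][int]$N)
    [pscustomobject]@{
        Name = "$Prefix$N"
        Upn  = "$Prefix$N@$FQDN"
    }
}

# Subscription id of the lab subscription whose display name is $Name, or
# $null (with a warning) when there is none. Get-AzSubscription is queried once
# and cached - the original called it for every user in every section.
$script:SubscriptionIdByName = $null
function Get-LabSubscriptionId {
    param([Parameter(Mandatory)][string]$Name)
    if ($null -eq $script:SubscriptionIdByName) {
        $script:SubscriptionIdByName = @{}
        foreach ($Subscription in Get-AzSubscription) {
            $script:SubscriptionIdByName[$Subscription.Name] = $Subscription.Id
        }
    }
    $SubID = $script:SubscriptionIdByName[$Name]
    if (-not $SubID) {
        # The original passed an empty id on to Select-AzSubscription /
        # New-AzRoleAssignment with -ErrorAction SilentlyContinue, so a missing
        # subscription was never reported.
        Write-Warning "No subscription named '$Name' found - skipping"
    }
    return $SubID
}

# Moves lab subscriptions $Numbers (named IgniteUser<N>) under management group
# $GroupName, one background job each. As in the original, the subscriptions
# are looked up among the direct children of the tenant root group, so only
# subscriptions still sitting at the root are moved.
function Add-LabSubscriptionsToManagementGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][int[]]$Numbers
    )
    # One -Expand call per group instead of one per subscription.
    $RootChildren = (Get-AzManagementGroup -GroupName $TenantID -Expand).Children
    foreach ($N in $Numbers) {
        $SubName = (Get-LabUser -N $N).Name
        $Sub = $RootChildren | Where-Object -Property DisplayName -EQ $SubName
        if (-not $Sub) {
            Write-Warning "Subscription '$SubName' is not a child of the root management group - skipping"
            continue
        }
        $SubID = $Sub.Id.Split('/')[2]      # id has the form /subscriptions/<id>
        Start-Job `
            -Name "MGAssign-$N" `
            -ScriptBlock {
                param($GroupName, $SubscriptionId)
                New-AzManagementGroupSubscription `
                    -GroupName $GroupName `
                    -SubscriptionId $SubscriptionId
            } `
            -ArgumentList $GroupName, $SubID `
            -Verbose
    }
}

# Moves every subscription currently under management group $GroupName back to
# the tenant root group, one background job each.
function Move-ManagementGroupSubscriptionsToRoot {
    param([Parameter(Mandatory)][string]$GroupName)
    $Subs = (Get-AzManagementGroup -GroupName $GroupName -Expand).Children.Id
    foreach ($S in $Subs) {
        $SubID = $S.Split('/')[2]
        # The original named all of these jobs "RemMGSub$N" with $N left over
        # from an earlier loop; the subscription id keeps the names distinct.
        Start-Job `
            -Name "RemMGSub-$SubID" `
            -ScriptBlock {
                param($GroupName, $SubscriptionId)
                New-AzManagementGroupSubscription `
                    -GroupName $GroupName `
                    -SubscriptionId $SubscriptionId `
                    -Verbose
            } `
            -ArgumentList $TenantID, $SubID `
            -Verbose
    }
}


######PREP ENVIRONMENT############PREP ENVIRONMENT############PREP ENVIRONMENT############
######PREP ENVIRONMENT############PREP ENVIRONMENT############PREP ENVIRONMENT############
######PREP ENVIRONMENT############PREP ENVIRONMENT############PREP ENVIRONMENT############


###############################
#    Create Azure AD Users    #
###############################
foreach ($N in 1..$UserCount) {
    $User = Get-LabUser -N $N
    # The job is its own process, so it signs in to Azure AD itself.
    Start-Job `
        -Name "NewUser-$N" `
        -ScriptBlock {
            param($DisplayName, $PasswordProfile, $Upn, $Credential)
            Connect-AzureAD -Credential $Credential
            New-AzureADUser `
                -DisplayName $DisplayName `
                -PasswordProfile $PasswordProfile `
                -UserPrincipalName $Upn `
                -AccountEnabled $true `
                -MailNickName $DisplayName `
                -Verbose
        } `
        -ArgumentList $User.Name, $PasswordProfile, $User.Upn, $creds `
        -Verbose
}


##################################################
#    Assign Subscriptions to ManagementGroups    #
##################################################
Add-LabSubscriptionsToManagementGroup -GroupName 'Prod'    -Numbers (1..20)
Add-LabSubscriptionsToManagementGroup -GroupName 'Dev'     -Numbers (21..40)
Add-LabSubscriptionsToManagementGroup -GroupName 'Sandbox' -Numbers (41..60)
Add-LabSubscriptionsToManagementGroup -GroupName 'UAT'     -Numbers (61..80)


############################################
#    Assign Users to Subscription Owner    #
############################################
foreach ($N in 1..$UserCount) {
    $User  = Get-LabUser -N $N
    $SubID = Get-LabSubscriptionId -Name $User.Name
    if (-not $SubID) { continue }
    Select-AzSubscription -Subscription $SubID | Out-Null
    try {
        New-AzRoleAssignment `
            -Scope "/subscriptions/$SubID" `
            -SignInName $User.Upn `
            -RoleDefinitionName Owner `
            -ErrorAction Stop `
            -Verbose
    }
    catch {
        # The original used -ErrorAction SilentlyContinue, which also hid a user
        # that does not exist yet or a caller without rights on the subscription.
        Write-Warning "Owner assignment for $($User.Upn) on $SubID failed: $_"
    }
}


#########################################
#    Assign CAF-Foundation Blueprint    #
#########################################
# Object id the blueprint grants Key Vault access to (value carried over from
# the original; confirm it is the intended principal in this tenant).
$KVAccessPolicyObjectId = "23b4fb48-4458-4701-9da9-da8363bce1b2"
$AllowedLocations = @(
    "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast",
    "centralus", "eastus", "eastus2", "northcentralus", "southcentralus",
    "westcentralus", "westus", "westus2"
)
foreach ($N in 1..$UserCount) {
    $User  = Get-LabUser -N $N
    $SubID = Get-LabSubscriptionId -Name $User.Name
    if (-not $SubID) { continue }
    $BPOrgName = "Ignite-$N"
    $BlueprintParameters = @{
        'Policy_Allowed-StorageAccount-SKUs' = "Premium_LRS", "Standard_LRS", "Standard_ZRS"
        'Policy_Allowed-VM-SKUs'             = "Standard_B1s", "Standard_B2ms"
        'Policy_CostCenter_Tag'              = $BPOrgName
        'Policy_Allowed-Locations'           = $AllowedLocations
        'Policy_Resource-Types-DENY'         = "", ""
        'Organization_Name'                  = $BPOrgName
        'LogAnalytics_DataRetention'         = 30
        'LogAnalytics_Location'              = "East US"
        'KV-AccessPolicy'                    = $KVAccessPolicyObjectId
        'AzureRegion'                        = "eastus"
    }
    Start-Job `
        -Name "BPAssign-$N" `
        -ScriptBlock {
            param($AssignmentName, $SubscriptionId, $ManagementGroupId, $Parameters)
            $blueprintObject = Get-AzBlueprint -ManagementGroupId $ManagementGroupId |
                Where-Object Name -EQ CAF-Foundation
            New-AzBlueprintAssignment `
                -Name $AssignmentName `
                -Blueprint $blueprintObject `
                -Location eastus `
                -SubscriptionId $SubscriptionId `
                -Parameter $Parameters
        } `
        -ArgumentList $BPOrgName, $SubID, $TenantID, $BlueprintParameters `
        -Verbose
}


######DELETE RESOURCES############DELETE RESOURCES############DELETE RESOURCES############
######DELETE RESOURCES############DELETE RESOURCES############DELETE RESOURCES############
######DELETE RESOURCES############DELETE RESOURCES############DELETE RESOURCES############


######################################
#    Remove Blueprint Assignments    #
######################################
foreach ($N in 1..$UserCount) {
    $SubID = Get-LabSubscriptionId -Name (Get-LabUser -N $N).Name
    if (-not $SubID) { continue }
    Select-AzSubscription -Subscription $SubID | Out-Null
    foreach ($Assignment in (Get-AzBlueprintAssignment -SubscriptionId $SubID)) {
        Remove-AzBlueprintAssignment -Name $Assignment.Name -Verbose
    }
}


#######################################
#    Reset Security Center to Free    #
#######################################
# The subscription is selected inside each job: a job is a separate process and
# may not carry the caller's Az context. The original only did this in the
# resource-group jobs; its Security Center and lock jobs ran against whatever
# context the job process happened to have.
foreach ($N in 1..$UserCount) {
    $SubID = Get-LabSubscriptionId -Name (Get-LabUser -N $N).Name
    if (-not $SubID) { continue }
    Start-Job `
        -Name "Rem-SecCenter-$N" `
        -ScriptBlock {
            param($SubscriptionId)
            Select-AzSubscription -Subscription $SubscriptionId | Out-Null
            foreach ($Sec in Get-AzSecurityPricing) {
                Set-AzSecurityPricing `
                    -Name $Sec.Name `
                    -PricingTier Free `
                    -Verbose
            }
        } `
        -ArgumentList $SubID `
        -Verbose
}


###############################
#    Delete Resource Locks    #
###############################
foreach ($N in 1..$UserCount) {
    $SubID = Get-LabSubscriptionId -Name (Get-LabUser -N $N).Name
    if (-not $SubID) { continue }
    Start-Job `
        -Name "Rem-Locks-$N" `
        -ScriptBlock {
            param($SubscriptionId)
            Select-AzSubscription -Subscription $SubscriptionId | Out-Null
            Get-AzResourceLock | Remove-AzResourceLock -Force -Verbose
        } `
        -ArgumentList $SubID `
        -Verbose
}


###############################
#    Remove Azure Policies    #
###############################
foreach ($N in 1..$UserCount) {
    $SubID = Get-LabSubscriptionId -Name (Get-LabUser -N $N).Name
    if (-not $SubID) { continue }
    Select-AzSubscription -Subscription $SubID | Out-Null
    foreach ($P in (Get-AzPolicyAssignment -Scope "/subscriptions/$SubID")) {
        # -Id is the fully qualified assignment id, so no context switch in the job.
        Start-Job `
            -Name "Rem-Policy-$N" `
            -ScriptBlock {
                param($AssignmentId)
                Remove-AzPolicyAssignment -Id $AssignmentId -Verbose
            } `
            -ArgumentList $P.PolicyAssignmentId `
            -Verbose
        Start-Sleep -Seconds $JobThrottleSeconds
    }
}


################################
#    Delete Resource Groups    #
################################
# Resource groups that must survive the clean-up (the Cloud Shell storage the
# original excluded by name).
$KeepResourceGroups = @('cloud-shell-storage-eastus')
foreach ($N in 1..$UserCount) {
    $SubID = Get-LabSubscriptionId -Name (Get-LabUser -N $N).Name
    if (-not $SubID) { continue }
    Select-AzSubscription -Subscription $SubID | Out-Null
    $RGs = Get-AzResourceGroup | Where-Object { $KeepResourceGroups -notcontains $_.ResourceGroupName }
    foreach ($R in $RGs) {
        Start-Job `
            -Name "Rem-RG$N" `
            -ScriptBlock {
                param($SubscriptionId, $ResourceGroupName)
                Select-AzSubscription -Subscription $SubscriptionId | Out-Null
                Remove-AzResourceGroup -Name $ResourceGroupName -Force
            } `
            -ArgumentList $SubID, $R.ResourceGroupName `
            -Verbose
        Start-Sleep -Seconds $JobThrottleSeconds
    }
}


###############################
#    Remove Azure AD Users    #
###############################
# Delete exactly the accounts this script created, by UPN. The original ran
# `Get-AzureADUser | Where-Object DisplayName -Match IgniteUser`: a regex
# substring match that would also delete any unrelated account whose display
# name contains that text, and Get-AzureADUser without -All $true returns only
# the first page of users, so some lab accounts could be left behind.
foreach ($N in 1..$UserCount) {
    $User = Get-LabUser -N $N
    $Existing = Get-AzureADUser -Filter "userPrincipalName eq '$($User.Upn)'"
    if ($Existing) {
        Remove-AzureADUser -ObjectId $Existing.ObjectId -Verbose
    }
}


######################################################
#    Reset Subscriptions to Root Management Group    #
######################################################
Move-ManagementGroupSubscriptionsToRoot -GroupName dev
Move-ManagementGroupSubscriptionsToRoot -GroupName prod
# The sandbox and uat groups follow in the original per-group form.
$Subs =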
(Get-AzManagementGroup -GroupName sandbox -Expand).Children.id 469 | foreach($S in $Subs) { 470 | $ITEM = $S.split('/')[2] 471 | Start-Job ` 472 | -Name "RemMGSub$N" ` 473 | -ScriptBlock { 474 | New-AzManagementGroupSubscription ` 475 | -GroupName $args[0] ` 476 | -SubscriptionId $args[1] ` 477 | -Verbose 478 | } ` 479 | -ArgumentList $TenantID, $ITEM ` 480 | -Verbose 481 | } 482 | $Subs = (Get-AzManagementGroup -GroupName uat -Expand).Children.id 483 | foreach($S in $Subs) { 484 | $ITEM = $S.split('/')[2] 485 | Start-Job ` 486 | -Name "RemMGSub$N" ` 487 | -ScriptBlock { 488 | New-AzManagementGroupSubscription ` 489 | -GroupName $args[0] ` 490 | -SubscriptionId $args[1] ` 491 | -Verbose 492 | } ` 493 | -ArgumentList $TenantID, $ITEM ` 494 | -Verbose 495 | } 496 | 497 | 498 | -------------------------------------------------------------------------------- /Build Resources/CloudBuild/NSG-AVD.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "NSG_name": { 6 | "defaultValue": "NSG-AVD", 7 | "type": "String" 8 | } 9 | }, 10 | "variables": {}, 11 | "resources": [ 12 | { 13 | "type": "Microsoft.Network/networkSecurityGroups", 14 | "apiVersion": "2024-01-01", 15 | "name": "[parameters('NSG_name')]", 16 | "location": "eastus2", 17 | "tags": { 18 | 19 | }, 20 | "properties": { 21 | "securityRules": [ 22 | { 23 | "name": "ALLOW--Bastion--VNET--Inbound", 24 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--Bastion--VNET--Inbound')]", 25 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 26 | "properties": { 27 | "protocol": "*", 28 | "sourcePortRange": "*", 29 | "sourceAddressPrefix": "VirtualNetwork", 30 | "destinationAddressPrefix": "VirtualNetwork", 31 | "access": "Allow", 32 | "priority": 2030, 33 | 
"direction": "Inbound", 34 | "sourcePortRanges": [], 35 | "destinationPortRanges": [ 36 | "8080", 37 | "5701" 38 | ], 39 | "sourceAddressPrefixes": [], 40 | "destinationAddressPrefixes": [] 41 | } 42 | }, 43 | { 44 | "name": "ALLOW--Bastion--ILB--Inbound", 45 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--Bastion--ILB--Inbound')]", 46 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 47 | "properties": { 48 | "protocol": "TCP", 49 | "sourcePortRange": "*", 50 | "destinationPortRange": "443", 51 | "sourceAddressPrefix": "AzureLoadBalancer", 52 | "destinationAddressPrefix": "*", 53 | "access": "Allow", 54 | "priority": 2020, 55 | "direction": "Inbound", 56 | "sourcePortRanges": [], 57 | "destinationPortRanges": [], 58 | "sourceAddressPrefixes": [], 59 | "destinationAddressPrefixes": [] 60 | } 61 | }, 62 | { 63 | "name": "ALLOW--Bastion--GatewayMgr--Inbound", 64 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--Bastion--GatewayMgr--Inbound')]", 65 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 66 | "properties": { 67 | "protocol": "TCP", 68 | "sourcePortRange": "*", 69 | "destinationPortRange": "443", 70 | "sourceAddressPrefix": "GatewayManager", 71 | "destinationAddressPrefix": "*", 72 | "access": "Allow", 73 | "priority": 2010, 74 | "direction": "Inbound", 75 | "sourcePortRanges": [], 76 | "destinationPortRanges": [], 77 | "sourceAddressPrefixes": [], 78 | "destinationAddressPrefixes": [] 79 | } 80 | }, 81 | { 82 | "name": "ALLOW--Bastion--SSL--Inbound", 83 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--Bastion--SSL--Inbound')]", 84 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 85 | "properties": { 86 | "description": "ALLOW--Bastion--SSL--Inbound", 87 | "protocol": "TCP", 88 | "sourcePortRange": "*", 89 | 
"destinationPortRange": "443", 90 | "sourceAddressPrefix": "Internet", 91 | "destinationAddressPrefix": "*", 92 | "access": "Allow", 93 | "priority": 2000, 94 | "direction": "Inbound", 95 | "sourcePortRanges": [], 96 | "destinationPortRanges": [], 97 | "sourceAddressPrefixes": [], 98 | "destinationAddressPrefixes": [] 99 | } 100 | }, 101 | { 102 | "name": "ALLOW--WAP--Inbound", 103 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--WAP--Inbound')]", 104 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 105 | "properties": { 106 | "protocol": "TCP", 107 | "sourcePortRange": "*", 108 | "destinationPortRange": "443", 109 | "sourceAddressPrefix": "Internet", 110 | "destinationAddressPrefix": "20.0.4.10", 111 | "access": "Allow", 112 | "priority": 1090, 113 | "direction": "Inbound", 114 | "sourcePortRanges": [], 115 | "destinationPortRanges": [], 116 | "sourceAddressPrefixes": [], 117 | "destinationAddressPrefixes": [] 118 | } 119 | }, 120 | { 121 | "name": "ALLOW--WAP--ADFS", 122 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--WAP--ADFS')]", 123 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 124 | "properties": { 125 | "protocol": "TCP", 126 | "sourcePortRange": "*", 127 | "sourceAddressPrefix": "20.0.4.10", 128 | "destinationAddressPrefix": "10.0.4.7", 129 | "access": "Allow", 130 | "priority": 1080, 131 | "direction": "Outbound", 132 | "sourcePortRanges": [], 133 | "destinationPortRanges": [ 134 | "80", 135 | "443", 136 | "5985" 137 | ], 138 | "sourceAddressPrefixes": [], 139 | "destinationAddressPrefixes": [] 140 | } 141 | }, 142 | { 143 | "name": "AVD-Health", 144 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'AVD-Health')]", 145 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 146 | "properties": { 147 | "description": "Session host 
health monitoring", 148 | "protocol": "TCP", 149 | "sourcePortRange": "*", 150 | "destinationPortRange": "80", 151 | "sourceAddressPrefix": "*", 152 | "destinationAddressPrefix": "168.63.129.16", 153 | "access": "Allow", 154 | "priority": 1070, 155 | "direction": "Outbound", 156 | "sourcePortRanges": [], 157 | "destinationPortRanges": [], 158 | "sourceAddressPrefixes": [], 159 | "destinationAddressPrefixes": [] 160 | } 161 | }, 162 | { 163 | "name": "AVD_MetaData", 164 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'AVD_MetaData')]", 165 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 166 | "properties": { 167 | "description": "Azure Instance Metadata service endpoint", 168 | "protocol": "TCP", 169 | "sourcePortRange": "*", 170 | "destinationPortRange": "80", 171 | "sourceAddressPrefix": "*", 172 | "destinationAddressPrefix": "169.254.169.254", 173 | "access": "Allow", 174 | "priority": 1060, 175 | "direction": "Outbound", 176 | "sourcePortRanges": [], 177 | "destinationPortRanges": [], 178 | "sourceAddressPrefixes": [], 179 | "destinationAddressPrefixes": [] 180 | } 181 | }, 182 | { 183 | "name": "AVDportalstorageblob.blob.core.windows.net", 184 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'AVDportalstorageblob.blob.core.windows.net')]", 185 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 186 | "properties": { 187 | "protocol": "TCP", 188 | "sourcePortRange": "*", 189 | "destinationPortRange": "443", 190 | "sourceAddressPrefix": "*", 191 | "destinationAddressPrefix": "Storage", 192 | "access": "Allow", 193 | "priority": 1050, 194 | "direction": "Outbound", 195 | "sourcePortRanges": [], 196 | "destinationPortRanges": [], 197 | "sourceAddressPrefixes": [], 198 | "destinationAddressPrefixes": [] 199 | } 200 | }, 201 | { 202 | "name": "ALLOW_AzureAD_OUTBOUND", 203 | "id": 
"[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_AzureAD_OUTBOUND')]", 204 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 205 | "properties": { 206 | "protocol": "TCP", 207 | "sourcePortRange": "*", 208 | "destinationPortRange": "443", 209 | "sourceAddressPrefix": "VirtualNetwork", 210 | "destinationAddressPrefix": "AzureActiveDirectory", 211 | "access": "Allow", 212 | "priority": 1040, 213 | "direction": "Outbound", 214 | "sourcePortRanges": [], 215 | "destinationPortRanges": [], 216 | "sourceAddressPrefixes": [], 217 | "destinationAddressPrefixes": [] 218 | } 219 | }, 220 | { 221 | "name": "ALLOW_KeyVault_OUTBOUND", 222 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_KeyVault_OUTBOUND')]", 223 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 224 | "properties": { 225 | "protocol": "TCP", 226 | "sourcePortRange": "*", 227 | "destinationPortRange": "443", 228 | "sourceAddressPrefix": "VirtualNetwork", 229 | "destinationAddressPrefix": "AzureKeyVault.eastus2", 230 | "access": "Allow", 231 | "priority": 1030, 232 | "direction": "Outbound", 233 | "sourcePortRanges": [], 234 | "destinationPortRanges": [], 235 | "sourceAddressPrefixes": [], 236 | "destinationAddressPrefixes": [] 237 | } 238 | }, 239 | { 240 | "name": "ALLOW_KMS_OUTBOUND", 241 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_KMS_OUTBOUND')]", 242 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 243 | "properties": { 244 | "description": "Allow Access to Azure KMS on port 1688", 245 | "protocol": "TCP", 246 | "sourcePortRange": "*", 247 | "destinationPortRange": "1688", 248 | "sourceAddressPrefix": "VirtualNetwork", 249 | "destinationAddressPrefix": "Internet", 250 | "access": "Allow", 251 | "priority": 1020, 252 | "direction": "Outbound", 253 | "sourcePortRanges": [], 254 | 
"destinationPortRanges": [], 255 | "sourceAddressPrefixes": [], 256 | "destinationAddressPrefixes": [] 257 | } 258 | }, 259 | { 260 | "name": "ALLOW_KeyVault_Inbound", 261 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_KeyVault_Inbound')]", 262 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 263 | "properties": { 264 | "protocol": "TCP", 265 | "sourcePortRange": "*", 266 | "destinationPortRange": "443", 267 | "sourceAddressPrefix": "AzureKeyVault.eastus2", 268 | "destinationAddressPrefix": "VirtualNetwork", 269 | "access": "Allow", 270 | "priority": 1010, 271 | "direction": "Inbound", 272 | "sourcePortRanges": [], 273 | "destinationPortRanges": [], 274 | "sourceAddressPrefixes": [], 275 | "destinationAddressPrefixes": [] 276 | } 277 | }, 278 | { 279 | "name": "ALLOW_AzureCloud_OUTBOUND", 280 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_AzureCloud_OUTBOUND')]", 281 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 282 | "properties": { 283 | "description": "Agent and SXS stack updates, Agent traffic, Azure Marketplace", 284 | "protocol": "TCP", 285 | "sourcePortRange": "*", 286 | "destinationPortRange": "443", 287 | "sourceAddressPrefix": "VirtualNetwork", 288 | "destinationAddressPrefix": "AzureCloud", 289 | "access": "Allow", 290 | "priority": 1010, 291 | "direction": "Outbound", 292 | "sourcePortRanges": [], 293 | "destinationPortRanges": [], 294 | "sourceAddressPrefixes": [], 295 | "destinationAddressPrefixes": [] 296 | } 297 | }, 298 | { 299 | "name": "ALLOW--ANF--INBOUND", 300 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--ANF--INBOUND')]", 301 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 302 | "properties": { 303 | "protocol": "*", 304 | "sourcePortRange": "*", 305 | "destinationPortRange": "*", 306 | 
"sourceAddressPrefix": "10.1.0.0/24", 307 | "destinationAddressPrefix": "VirtualNetwork", 308 | "access": "Allow", 309 | "priority": 1000, 310 | "direction": "Inbound", 311 | "sourcePortRanges": [], 312 | "destinationPortRanges": [], 313 | "sourceAddressPrefixes": [], 314 | "destinationAddressPrefixes": [] 315 | } 316 | }, 317 | { 318 | "name": "ALLOW_AVD_Outbound", 319 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_AVD_Outbound')]", 320 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 321 | "properties": { 322 | "protocol": "TCP", 323 | "sourcePortRange": "*", 324 | "destinationPortRange": "443", 325 | "sourceAddressPrefix": "VirtualNetwork", 326 | "destinationAddressPrefix": "WindowsVirtualDesktop", 327 | "access": "Allow", 328 | "priority": 1000, 329 | "direction": "Outbound", 330 | "sourcePortRanges": [], 331 | "destinationPortRanges": [], 332 | "sourceAddressPrefixes": [], 333 | "destinationAddressPrefixes": [] 334 | } 335 | }, 336 | { 337 | "name": "ALLOW_WindowsAdminCenter_Outbound", 338 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_WindowsAdminCenter_Outbound')]", 339 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 340 | "properties": { 341 | "description": "Windows Admin Center Outbound Port", 342 | "protocol": "TCP", 343 | "sourcePortRange": "*", 344 | "destinationPortRange": "443", 345 | "sourceAddressPrefix": "VirtualNetwork", 346 | "destinationAddressPrefix": "WindowsAdminCenter", 347 | "access": "Allow", 348 | "priority": 1090, 349 | "direction": "Outbound", 350 | "sourcePortRanges": [], 351 | "destinationPortRanges": [], 352 | "sourceAddressPrefixes": [], 353 | "destinationAddressPrefixes": [] 354 | } 355 | }, 356 | { 357 | "name": "ALLOW--RDP--VPN--INBOUND", 358 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 
'ALLOW--RDP--VPN--INBOUND')]", 359 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 360 | "properties": { 361 | "protocol": "TCP", 362 | "sourcePortRange": "*", 363 | "destinationPortRange": "3389", 364 | "sourceAddressPrefix": "VirtualNetwork", 365 | "destinationAddressPrefix": "*", 366 | "access": "Allow", 367 | "priority": 2040, 368 | "direction": "Inbound", 369 | "sourcePortRanges": [], 370 | "destinationPortRanges": [], 371 | "sourceAddressPrefixes": [], 372 | "destinationAddressPrefixes": [] 373 | } 374 | }, 375 | { 376 | "name": "ALLOW_Win365_OUTBOUND", 377 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_Win365_OUTBOUND')]", 378 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 379 | "properties": { 380 | "description": "saprod.infra.windows365.microsoft.com", 381 | "protocol": "TCP", 382 | "sourcePortRange": "*", 383 | "destinationPortRange": "443", 384 | "sourceAddressPrefix": "*", 385 | "destinationAddressPrefix": "13.107.246.40", 386 | "access": "Allow", 387 | "priority": 2050, 388 | "direction": "Outbound", 389 | "sourcePortRanges": [], 390 | "destinationPortRanges": [], 391 | "sourceAddressPrefixes": [], 392 | "destinationAddressPrefixes": [] 393 | } 394 | }, 395 | { 396 | "name": "ALLOW_Attestation_OUTBOUND", 397 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW_Attestation_OUTBOUND')]", 398 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 399 | "properties": { 400 | "protocol": "*", 401 | "sourcePortRange": "*", 402 | "destinationPortRange": "8080", 403 | "sourceAddressPrefix": "*", 404 | "destinationAddressPrefix": "AzureAttestation", 405 | "access": "Allow", 406 | "priority": 2060, 407 | "direction": "Outbound", 408 | "sourcePortRanges": [], 409 | "destinationPortRanges": [], 410 | "sourceAddressPrefixes": [], 411 | "destinationAddressPrefixes": [] 412 | } 413 | }, 414 | { 415 | 
"name": "ALLOW--AD--INBOUND", 416 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--AD--INBOUND')]", 417 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 418 | "properties": { 419 | "description": "AD Ports ", 420 | "protocol": "TCP", 421 | "sourcePortRange": "*", 422 | "sourceAddressPrefix": "*", 423 | "destinationAddressPrefix": "VirtualNetwork", 424 | "access": "Allow", 425 | "priority": 3000, 426 | "direction": "Inbound", 427 | "sourcePortRanges": [], 428 | "destinationPortRanges": [ 429 | "135", 430 | "389", 431 | "445", 432 | "636", 433 | "3268", 434 | "3269", 435 | "5722", 436 | "49152-65535" 437 | ], 438 | "sourceAddressPrefixes": [], 439 | "destinationAddressPrefixes": [] 440 | } 441 | }, 442 | { 443 | "name": "ALLOW--AD--UDP--INBOUND", 444 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--AD--UDP--INBOUND')]", 445 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 446 | "properties": { 447 | "protocol": "UDP", 448 | "sourcePortRange": "*", 449 | "sourceAddressPrefix": "*", 450 | "destinationAddressPrefix": "VirtualNetwork", 451 | "access": "Allow", 452 | "priority": 3010, 453 | "direction": "Inbound", 454 | "sourcePortRanges": [], 455 | "destinationPortRanges": [ 456 | "42", 457 | "88", 458 | "464" 459 | ], 460 | "sourceAddressPrefixes": [], 461 | "destinationAddressPrefixes": [] 462 | } 463 | }, 464 | { 465 | "name": "ALLOW--AD--ANY--INBOUND", 466 | "id": "[resourceId('Microsoft.Network/networkSecurityGroups/securityRules', parameters('NSG_name'), 'ALLOW--AD--ANY--INBOUND')]", 467 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 468 | "properties": { 469 | "protocol": "*", 470 | "sourcePortRange": "*", 471 | "sourceAddressPrefix": "*", 472 | "destinationAddressPrefix": "VirtualNetwork", 473 | "access": "Allow", 474 | "priority": 3020, 475 | "direction": "Inbound", 476 | 
"sourcePortRanges": [], 477 | "destinationPortRanges": [ 478 | "53", 479 | "88", 480 | "464", 481 | "42" 482 | ], 483 | "sourceAddressPrefixes": [], 484 | "destinationAddressPrefixes": [] 485 | } 486 | } 487 | ] 488 | } 489 | }, 490 | { 491 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 492 | "apiVersion": "2024-01-01", 493 | "name": "[concat(parameters('NSG_name'), '/ALLOW_Attestation_OUTBOUND')]", 494 | "dependsOn": [ 495 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 496 | ], 497 | "properties": { 498 | "protocol": "*", 499 | "sourcePortRange": "*", 500 | "destinationPortRange": "8080", 501 | "sourceAddressPrefix": "*", 502 | "destinationAddressPrefix": "AzureAttestation", 503 | "access": "Allow", 504 | "priority": 2060, 505 | "direction": "Outbound", 506 | "sourcePortRanges": [], 507 | "destinationPortRanges": [], 508 | "sourceAddressPrefixes": [], 509 | "destinationAddressPrefixes": [] 510 | } 511 | }, 512 | { 513 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 514 | "apiVersion": "2024-01-01", 515 | "name": "[concat(parameters('NSG_name'), '/ALLOW_AzureAD_OUTBOUND')]", 516 | "dependsOn": [ 517 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 518 | ], 519 | "properties": { 520 | "protocol": "TCP", 521 | "sourcePortRange": "*", 522 | "destinationPortRange": "443", 523 | "sourceAddressPrefix": "VirtualNetwork", 524 | "destinationAddressPrefix": "AzureActiveDirectory", 525 | "access": "Allow", 526 | "priority": 1040, 527 | "direction": "Outbound", 528 | "sourcePortRanges": [], 529 | "destinationPortRanges": [], 530 | "sourceAddressPrefixes": [], 531 | "destinationAddressPrefixes": [] 532 | } 533 | }, 534 | { 535 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 536 | "apiVersion": "2024-01-01", 537 | "name": "[concat(parameters('NSG_name'), '/ALLOW_AzureCloud_OUTBOUND')]", 538 | "dependsOn": [ 539 | 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 540 | ], 541 | "properties": { 542 | "description": "Agent and SXS stack updates, Agent traffic, Azure Marketplace", 543 | "protocol": "TCP", 544 | "sourcePortRange": "*", 545 | "destinationPortRange": "443", 546 | "sourceAddressPrefix": "VirtualNetwork", 547 | "destinationAddressPrefix": "AzureCloud", 548 | "access": "Allow", 549 | "priority": 1010, 550 | "direction": "Outbound", 551 | "sourcePortRanges": [], 552 | "destinationPortRanges": [], 553 | "sourceAddressPrefixes": [], 554 | "destinationAddressPrefixes": [] 555 | } 556 | }, 557 | { 558 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 559 | "apiVersion": "2024-01-01", 560 | "name": "[concat(parameters('NSG_name'), '/ALLOW_KeyVault_Inbound')]", 561 | "dependsOn": [ 562 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 563 | ], 564 | "properties": { 565 | "protocol": "TCP", 566 | "sourcePortRange": "*", 567 | "destinationPortRange": "443", 568 | "sourceAddressPrefix": "AzureKeyVault.eastus2", 569 | "destinationAddressPrefix": "VirtualNetwork", 570 | "access": "Allow", 571 | "priority": 1010, 572 | "direction": "Inbound", 573 | "sourcePortRanges": [], 574 | "destinationPortRanges": [], 575 | "sourceAddressPrefixes": [], 576 | "destinationAddressPrefixes": [] 577 | } 578 | }, 579 | { 580 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 581 | "apiVersion": "2024-01-01", 582 | "name": "[concat(parameters('NSG_name'), '/ALLOW_KeyVault_OUTBOUND')]", 583 | "dependsOn": [ 584 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 585 | ], 586 | "properties": { 587 | "protocol": "TCP", 588 | "sourcePortRange": "*", 589 | "destinationPortRange": "443", 590 | "sourceAddressPrefix": "VirtualNetwork", 591 | "destinationAddressPrefix": "AzureKeyVault.eastus2", 592 | "access": "Allow", 593 | "priority": 1030, 594 | "direction": "Outbound", 595 | 
"sourcePortRanges": [], 596 | "destinationPortRanges": [], 597 | "sourceAddressPrefixes": [], 598 | "destinationAddressPrefixes": [] 599 | } 600 | }, 601 | { 602 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 603 | "apiVersion": "2024-01-01", 604 | "name": "[concat(parameters('NSG_name'), '/ALLOW_KMS_OUTBOUND')]", 605 | "dependsOn": [ 606 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 607 | ], 608 | "properties": { 609 | "description": "Allow Access to Azure KMS on port 1688", 610 | "protocol": "TCP", 611 | "sourcePortRange": "*", 612 | "destinationPortRange": "1688", 613 | "sourceAddressPrefix": "VirtualNetwork", 614 | "destinationAddressPrefix": "Internet", 615 | "access": "Allow", 616 | "priority": 1020, 617 | "direction": "Outbound", 618 | "sourcePortRanges": [], 619 | "destinationPortRanges": [], 620 | "sourceAddressPrefixes": [], 621 | "destinationAddressPrefixes": [] 622 | } 623 | }, 624 | { 625 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 626 | "apiVersion": "2024-01-01", 627 | "name": "[concat(parameters('NSG_name'), '/ALLOW_Win365_OUTBOUND')]", 628 | "dependsOn": [ 629 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 630 | ], 631 | "properties": { 632 | "description": "saprod.infra.windows365.microsoft.com", 633 | "protocol": "TCP", 634 | "sourcePortRange": "*", 635 | "destinationPortRange": "443", 636 | "sourceAddressPrefix": "*", 637 | "destinationAddressPrefix": "13.107.246.40", 638 | "access": "Allow", 639 | "priority": 2050, 640 | "direction": "Outbound", 641 | "sourcePortRanges": [], 642 | "destinationPortRanges": [], 643 | "sourceAddressPrefixes": [], 644 | "destinationAddressPrefixes": [] 645 | } 646 | }, 647 | { 648 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 649 | "apiVersion": "2024-01-01", 650 | "name": "[concat(parameters('NSG_name'), '/ALLOW_WindowsAdminCenter_Outbound')]", 651 | "dependsOn": [ 652 | 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 653 | ], 654 | "properties": { 655 | "description": "Windows Admin Center Outbound Port", 656 | "protocol": "TCP", 657 | "sourcePortRange": "*", 658 | "destinationPortRange": "443", 659 | "sourceAddressPrefix": "VirtualNetwork", 660 | "destinationAddressPrefix": "WindowsAdminCenter", 661 | "access": "Allow", 662 | "priority": 1090, 663 | "direction": "Outbound", 664 | "sourcePortRanges": [], 665 | "destinationPortRanges": [], 666 | "sourceAddressPrefixes": [], 667 | "destinationAddressPrefixes": [] 668 | } 669 | }, 670 | { 671 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 672 | "apiVersion": "2024-01-01", 673 | "name": "[concat(parameters('NSG_name'), '/ALLOW_AVD_Outbound')]", 674 | "dependsOn": [ 675 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 676 | ], 677 | "properties": { 678 | "protocol": "TCP", 679 | "sourcePortRange": "*", 680 | "destinationPortRange": "443", 681 | "sourceAddressPrefix": "VirtualNetwork", 682 | "destinationAddressPrefix": "WindowsVirtualDesktop", 683 | "access": "Allow", 684 | "priority": 1000, 685 | "direction": "Outbound", 686 | "sourcePortRanges": [], 687 | "destinationPortRanges": [], 688 | "sourceAddressPrefixes": [], 689 | "destinationAddressPrefixes": [] 690 | } 691 | }, 692 | { 693 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 694 | "apiVersion": "2024-01-01", 695 | "name": "[concat(parameters('NSG_name'), '/ALLOW--AD--ANY--INBOUND')]", 696 | "dependsOn": [ 697 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 698 | ], 699 | "properties": { 700 | "protocol": "*", 701 | "sourcePortRange": "*", 702 | "sourceAddressPrefix": "*", 703 | "destinationAddressPrefix": "VirtualNetwork", 704 | "access": "Allow", 705 | "priority": 3020, 706 | "direction": "Inbound", 707 | "sourcePortRanges": [], 708 | "destinationPortRanges": [ 709 | "53", 710 | "88", 
711 | "464", 712 | "42" 713 | ], 714 | "sourceAddressPrefixes": [], 715 | "destinationAddressPrefixes": [] 716 | } 717 | }, 718 | { 719 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 720 | "apiVersion": "2024-01-01", 721 | "name": "[concat(parameters('NSG_name'), '/ALLOW--AD--INBOUND')]", 722 | "dependsOn": [ 723 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 724 | ], 725 | "properties": { 726 | "description": "AD Ports ", 727 | "protocol": "TCP", 728 | "sourcePortRange": "*", 729 | "sourceAddressPrefix": "*", 730 | "destinationAddressPrefix": "VirtualNetwork", 731 | "access": "Allow", 732 | "priority": 3000, 733 | "direction": "Inbound", 734 | "sourcePortRanges": [], 735 | "destinationPortRanges": [ 736 | "135", 737 | "389", 738 | "445", 739 | "636", 740 | "3268", 741 | "3269", 742 | "5722", 743 | "49152-65535" 744 | ], 745 | "sourceAddressPrefixes": [], 746 | "destinationAddressPrefixes": [] 747 | } 748 | }, 749 | { 750 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 751 | "apiVersion": "2024-01-01", 752 | "name": "[concat(parameters('NSG_name'), '/ALLOW--AD--UDP--INBOUND')]", 753 | "dependsOn": [ 754 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 755 | ], 756 | "properties": { 757 | "protocol": "UDP", 758 | "sourcePortRange": "*", 759 | "sourceAddressPrefix": "*", 760 | "destinationAddressPrefix": "VirtualNetwork", 761 | "access": "Allow", 762 | "priority": 3010, 763 | "direction": "Inbound", 764 | "sourcePortRanges": [], 765 | "destinationPortRanges": [ 766 | "42", 767 | "88", 768 | "464" 769 | ], 770 | "sourceAddressPrefixes": [], 771 | "destinationAddressPrefixes": [] 772 | } 773 | }, 774 | { 775 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 776 | "apiVersion": "2024-01-01", 777 | "name": "[concat(parameters('NSG_name'), '/ALLOW--ANF--INBOUND')]", 778 | "dependsOn": [ 779 | 
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 780 | ], 781 | "properties": { 782 | "protocol": "*", 783 | "sourcePortRange": "*", 784 | "destinationPortRange": "*", 785 | "sourceAddressPrefix": "10.1.0.0/24", 786 | "destinationAddressPrefix": "VirtualNetwork", 787 | "access": "Allow", 788 | "priority": 1000, 789 | "direction": "Inbound", 790 | "sourcePortRanges": [], 791 | "destinationPortRanges": [], 792 | "sourceAddressPrefixes": [], 793 | "destinationAddressPrefixes": [] 794 | } 795 | }, 796 | { 797 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 798 | "apiVersion": "2024-01-01", 799 | "name": "[concat(parameters('NSG_name'), '/ALLOW--Bastion--GatewayMgr--Inbound')]", 800 | "dependsOn": [ 801 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 802 | ], 803 | "properties": { 804 | "protocol": "TCP", 805 | "sourcePortRange": "*", 806 | "destinationPortRange": "443", 807 | "sourceAddressPrefix": "GatewayManager", 808 | "destinationAddressPrefix": "*", 809 | "access": "Allow", 810 | "priority": 2010, 811 | "direction": "Inbound", 812 | "sourcePortRanges": [], 813 | "destinationPortRanges": [], 814 | "sourceAddressPrefixes": [], 815 | "destinationAddressPrefixes": [] 816 | } 817 | }, 818 | { 819 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 820 | "apiVersion": "2024-01-01", 821 | "name": "[concat(parameters('NSG_name'), '/ALLOW--Bastion--ILB--Inbound')]", 822 | "dependsOn": [ 823 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 824 | ], 825 | "properties": { 826 | "protocol": "TCP", 827 | "sourcePortRange": "*", 828 | "destinationPortRange": "443", 829 | "sourceAddressPrefix": "AzureLoadBalancer", 830 | "destinationAddressPrefix": "*", 831 | "access": "Allow", 832 | "priority": 2020, 833 | "direction": "Inbound", 834 | "sourcePortRanges": [], 835 | "destinationPortRanges": [], 836 | "sourceAddressPrefixes": [], 837 | 
"destinationAddressPrefixes": [] 838 | } 839 | }, 840 | { 841 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 842 | "apiVersion": "2024-01-01", 843 | "name": "[concat(parameters('NSG_name'), '/ALLOW--Bastion--SSL--Inbound')]", 844 | "dependsOn": [ 845 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 846 | ], 847 | "properties": { 848 | "description": "ALLOW--Bastion--SSL--Inbound", 849 | "protocol": "TCP", 850 | "sourcePortRange": "*", 851 | "destinationPortRange": "443", 852 | "sourceAddressPrefix": "Internet", 853 | "destinationAddressPrefix": "*", 854 | "access": "Allow", 855 | "priority": 2000, 856 | "direction": "Inbound", 857 | "sourcePortRanges": [], 858 | "destinationPortRanges": [], 859 | "sourceAddressPrefixes": [], 860 | "destinationAddressPrefixes": [] 861 | } 862 | }, 863 | { 864 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 865 | "apiVersion": "2024-01-01", 866 | "name": "[concat(parameters('NSG_name'), '/ALLOW--Bastion--VNET--Inbound')]", 867 | "dependsOn": [ 868 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 869 | ], 870 | "properties": { 871 | "protocol": "*", 872 | "sourcePortRange": "*", 873 | "sourceAddressPrefix": "VirtualNetwork", 874 | "destinationAddressPrefix": "VirtualNetwork", 875 | "access": "Allow", 876 | "priority": 2030, 877 | "direction": "Inbound", 878 | "sourcePortRanges": [], 879 | "destinationPortRanges": [ 880 | "8080", 881 | "5701" 882 | ], 883 | "sourceAddressPrefixes": [], 884 | "destinationAddressPrefixes": [] 885 | } 886 | }, 887 | { 888 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 889 | "apiVersion": "2024-01-01", 890 | "name": "[concat(parameters('NSG_name'), '/ALLOW--RDP--VPN--INBOUND')]", 891 | "dependsOn": [ 892 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 893 | ], 894 | "properties": { 895 | "protocol": "TCP", 896 | "sourcePortRange": "*", 897 | 
"destinationPortRange": "3389", 898 | "sourceAddressPrefix": "VirtualNetwork", 899 | "destinationAddressPrefix": "*", 900 | "access": "Allow", 901 | "priority": 2040, 902 | "direction": "Inbound", 903 | "sourcePortRanges": [], 904 | "destinationPortRanges": [], 905 | "sourceAddressPrefixes": [], 906 | "destinationAddressPrefixes": [] 907 | } 908 | }, 909 | { 910 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 911 | "apiVersion": "2024-01-01", 912 | "name": "[concat(parameters('NSG_name'), '/ALLOW--WAP--ADFS')]", 913 | "dependsOn": [ 914 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 915 | ], 916 | "properties": { 917 | "protocol": "TCP", 918 | "sourcePortRange": "*", 919 | "sourceAddressPrefix": "20.0.4.10", 920 | "destinationAddressPrefix": "10.0.4.7", 921 | "access": "Allow", 922 | "priority": 1080, 923 | "direction": "Outbound", 924 | "sourcePortRanges": [], 925 | "destinationPortRanges": [ 926 | "80", 927 | "443", 928 | "5985" 929 | ], 930 | "sourceAddressPrefixes": [], 931 | "destinationAddressPrefixes": [] 932 | } 933 | }, 934 | { 935 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 936 | "apiVersion": "2024-01-01", 937 | "name": "[concat(parameters('NSG_name'), '/ALLOW--WAP--Inbound')]", 938 | "dependsOn": [ 939 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 940 | ], 941 | "properties": { 942 | "protocol": "TCP", 943 | "sourcePortRange": "*", 944 | "destinationPortRange": "443", 945 | "sourceAddressPrefix": "Internet", 946 | "destinationAddressPrefix": "20.0.4.10", 947 | "access": "Allow", 948 | "priority": 1090, 949 | "direction": "Inbound", 950 | "sourcePortRanges": [], 951 | "destinationPortRanges": [], 952 | "sourceAddressPrefixes": [], 953 | "destinationAddressPrefixes": [] 954 | } 955 | }, 956 | { 957 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 958 | "apiVersion": "2024-01-01", 959 | "name": 
"[concat(parameters('NSG_name'), '/AVD_MetaData')]", 960 | "dependsOn": [ 961 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 962 | ], 963 | "properties": { 964 | "description": "Azure Instance Metadata service endpoint", 965 | "protocol": "TCP", 966 | "sourcePortRange": "*", 967 | "destinationPortRange": "80", 968 | "sourceAddressPrefix": "*", 969 | "destinationAddressPrefix": "169.254.169.254", 970 | "access": "Allow", 971 | "priority": 1060, 972 | "direction": "Outbound", 973 | "sourcePortRanges": [], 974 | "destinationPortRanges": [], 975 | "sourceAddressPrefixes": [], 976 | "destinationAddressPrefixes": [] 977 | } 978 | }, 979 | { 980 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 981 | "apiVersion": "2024-01-01", 982 | "name": "[concat(parameters('NSG_name'), '/AVD-Health')]", 983 | "dependsOn": [ 984 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 985 | ], 986 | "properties": { 987 | "description": "Session host health monitoring", 988 | "protocol": "TCP", 989 | "sourcePortRange": "*", 990 | "destinationPortRange": "80", 991 | "sourceAddressPrefix": "*", 992 | "destinationAddressPrefix": "168.63.129.16", 993 | "access": "Allow", 994 | "priority": 1070, 995 | "direction": "Outbound", 996 | "sourcePortRanges": [], 997 | "destinationPortRanges": [], 998 | "sourceAddressPrefixes": [], 999 | "destinationAddressPrefixes": [] 1000 | } 1001 | }, 1002 | { 1003 | "type": "Microsoft.Network/networkSecurityGroups/securityRules", 1004 | "apiVersion": "2024-01-01", 1005 | "name": "[concat(parameters('NSG_name'), '/AVDportalstorageblob.blob.core.windows.net')]", 1006 | "dependsOn": [ 1007 | "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('NSG_name'))]" 1008 | ], 1009 | "properties": { 1010 | "protocol": "TCP", 1011 | "sourcePortRange": "*", 1012 | "destinationPortRange": "443", 1013 | "sourceAddressPrefix": "*", 1014 | "destinationAddressPrefix": "Storage", 1015 | 
"access": "Allow", 1016 | "priority": 1050, 1017 | "direction": "Outbound", 1018 | "sourcePortRanges": [], 1019 | "destinationPortRanges": [], 1020 | "sourceAddressPrefixes": [], 1021 | "destinationAddressPrefixes": [] 1022 | } 1023 | } 1024 | ] 1025 | } --------------------------------------------------------------------------------