Last Update:

21 Apr 2016

Package Maintainer(s):

Software Author(s):

  • Matt Wrock


boxstarter bootstrapper environment setup

Boxstarter Bootstrapper Module

This is not the latest version of Boxstarter Bootstrapper Module available.

2.8.12 | Updated: 21 Apr 2016



Software Author(s):

  • Matt Wrock

Boxstarter Bootstrapper Module 2.8.12

This is not the latest version of Boxstarter Bootstrapper Module available.

All Checks are Passing

3 Passing Tests

Validation Testing Passed

Verification Testing Passed


Scan Testing Successful:

No detections found in any package files

Learn More

Deployment Method: Individual Install, Upgrade, & Uninstall

To install Boxstarter Bootstrapper Module, run the following command from the command line or from PowerShell:


To upgrade Boxstarter Bootstrapper Module, run the following command from the command line or from PowerShell:


To uninstall Boxstarter Bootstrapper Module, run the following command from the command line or from PowerShell:


Deployment Method:


This applies to both open source and commercial editions of Chocolatey.

1. Enter Your Internal Repository Url

(this should look similar to https://community.chocolatey.org/api/v2/)

2. Setup Your Environment

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

2. Get the package into your environment

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://community.chocolatey.org/api/v2/. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Copy Your Script

choco upgrade boxstarter.bootstrapper -y --source="'INTERNAL REPO URL'" --version="'2.8.12'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:

choco upgrade boxstarter.bootstrapper -y --source="'INTERNAL REPO URL'" --version="'2.8.12'" 

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0

Exit $exitCode

- name: Install boxstarter.bootstrapper
    name: boxstarter.bootstrapper
    version: '2.8.12'
    state: present

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.

chocolatey_package 'boxstarter.bootstrapper' do
  action    :install
  source   'INTERNAL REPO URL'
  version  '2.8.12'

See docs at https://docs.chef.io/resource_chocolatey_package.html.

cChocoPackageInstaller boxstarter.bootstrapper
    Name     = "boxstarter.bootstrapper"
    Version  = "2.8.12"
    Source   = "INTERNAL REPO URL"

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.

package { 'boxstarter.bootstrapper':
  ensure   => '2.8.12',
  provider => 'chocolatey',
  source   => 'INTERNAL REPO URL',

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.

4. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

Package Approved

This package was approved as a trusted package on 21 Apr 2016.


Boxstarter's Bootstrapper module provides a powershell wrapper that supports reboots and automatic logons and exposes commands that can detect pending reboots, perform logging and messaging, and several commands that can configure various windows settings.

Resolve-Path $PSScriptRoot\*.ps1 | 
    % { . $_.ProviderPath }

Import-Module (Join-Path $Boxstarter.BaseDir Boxstarter.WinConfig\BoxStarter.WinConfig.psd1) -global -DisableNameChecking

Export-ModuleMember Invoke-BoxStarter, `
                    Test-PendingReboot, `
                    Invoke-Reboot, `
                    Write-BoxstarterMessage, `
                    Start-TimedSection, `
                    Stop-TimedSection, `
                    Out-Boxstarter, `
                    Enter-BoxstarterLogable, `
function Cleanup-Boxstarter {

    if(Test-Path "$(Get-BoxstarterTempDir)\BoxstarterReEnableUAC") {
        del "$(Get-BoxstarterTempDir)\BoxstarterReEnableUAC"
    if(!$Boxstarter.IsRebooting) { 
        Write-BoxstarterMessage "Cleaning up and not rebooting" -Verbose
        $startup = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup"
        if( Test-Path "$Startup\boxstarter-post-restart.bat") {
            Write-BoxstarterMessage "Cleaning up restart file" -Verbose
            remove-item "$Startup\boxstarter-post-restart.bat"
            remove-item "$(Get-BoxstarterTempDir)\Boxstarter.Script"
        if(Test-Path "$(Get-BoxstarterTempDir)\Boxstarter.autologon") {
            Write-BoxstarterMessage "Cleaning up autologon registry keys" -Verbose
            $winLogonKey="HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
            $winlogonProps = Import-CLIXML -Path "$(Get-BoxstarterTempDir)\Boxstarter.autologon"
            @("DefaultUserName","DefaultDomainName","DefaultPassword","AutoAdminLogon") | % {
                  Remove-ItemProperty -Path $winLogonKey -Name $_ -ErrorAction SilentlyContinue
                else {
                  Set-ItemProperty -Path $winLogonKey -Name $_ -Value $winlogonProps[$_]
            Remove-Item -Path "$(Get-BoxstarterTempDir)\Boxstarter.autologon"
        if($promptToExit -or $KeepWindowOpen){
            Read-Host 'Type ENTER to exit'

    if(!(Get-IsRemote -PowershellRemoting) -and !$DisableRestart){
            Write-BoxstarterMessage "UAC Enabled. Disabling..."
            New-Item "$(Get-BoxstarterTempDir)\BoxstarterReEnableUAC" -type file | Out-Null

    if(!(Get-IsRemote -PowershellRemoting) -and $BoxstarterPassword.Length -gt 0) {
        Write-BoxstarterMessage "Securely Storing $($currentUser.Domain)\$($currentUser.Name) credentials for automatic logon"
        Set-SecureAutoLogon $currentUser.Name $BoxstarterPassword $currentUser.Domain -BackupFile "$(Get-BoxstarterTempDir)\Boxstarter.autologon"
        Write-BoxstarterMessage "Logon Set"

	Describes how to use Boxstarter to wrap powershell scripts.

	The Boxstarter.Bootstrapper module provides an execution 
	environment for running scripts that may require one or more 
	reboots throughout its exeution process. This can be any 
	powershell script and is ideally suited for scripts that involve 
	the installation of software and system configuration.

	By default, Boxstarter will not reboot a machine even when 
	Invoke-Reboot is called. In order to enable reboots, either the 
	-RebootOk switch parameter bust be set on Invoke-Boxstarter or 
	the RebootOk $Boxstarter property should be true.

	If Reoots are enabled, calling INVOKE-REBOOT will prepare the 
	Boxstarter environment for reboot and force a restart of the 
	local machine. DO NOT CALL RESTART-COMPUTER. This will not allow 
	Boxstarter to propperly prepare for reboot and will disable 
	automatic logon and not allow the Boxstarter script to continue 
	upon reboot.

	While a boxstarter script may have its own rules determining when 
	a reboot is needed, Boxstarter provides a Test-PendingReboot 
	functions which checks several machine settings to determine if a 
	reboot is needed. Credit for this script goes to Brian Wilhite's 
	original contribution at 

	Test-PendingReboot Checks several known registry keys, the windows 
	update service, component based servicing, and configuration manager. 
	If there is any indication that a reboot is pending, Test-PendingReboot 
	returns $True. Boxstarter scripts may then want to call Invoke-Reboot. 
	Many Software Installers will fail if there is a reboot pending.

	If reboots are enabled, Boxstarter will prompt the user for a password 
	when initially calling Invoke-Boxstarter. The password is given to 
	boxstarter as a SecureString. Boxstarter uses the domain and username 
	of the current user. Boxstarter will attempt to authenticate the 
	password up to three times. If the password cannot be authenticated, 
	Boxstarter will continue to run the script but the user will need to 
	manually sign on at logon. If the user succesfully authenticates, 
	Boxstarter stores the pasword in an encrypted area intended for auto 
	logon passwords.

	When the boxstarter script completes, all logon information is removed 
	from the registry and subsequent logons will prompt for credentials.

	When Boxstarter reboots, it simply reruns the script as it was 
	provided. Currently Boxstarter has no checkpointing mechanism to 
	start your script from a specific location. Of coarse, the script 
	author can include such logic. Therefore, it is best to write 
	scripts that can be run in a repeatable manner. For example, the 
	script may want to do its own checks to determine if long running 
	routines like a lengthy software install needs to be run. Is the 
	software already installed? Boxstarter scripts should anticipate 
	that any portion of the script may have been previously executed.

	Boxstarter ensures that scripts run as administrator. If you call 
	Invoke-Boxstarter from a non elevated shell, Boxstarter will 
	launch an elevated shell and run the remainder of the session 
	from tha tshell. If Boxstarter is asked to reboot via Invoke-Reboot 
	and UAC is enabled on the machine, it will disable UAC and then 
	reenable it after the machine is rebooted and the script restarts. 
	This is necessary for an unattended execution experience, otherwise 
	Boxstarter would need to have you accept the UAC prompt after reboot 
	in order to continue the Boxstarter session.

	In order to provide as little interruption as possible during a 
	Boxstarter script execution, Windows Update Service and, if installed, 
	the System Configuration Client are stopped. When Boxstarter 
	completes, these services are restarted. Boxstarter exposes 
	functionality to install Windows Updates (see below) and stopping 
	these services will not impact that functionality.

	Boxstarter provides several Logging functions. These include the 
	ability to log both to the screen and the Boxstarter Log as well as 
	the ability to log to both simultaneously. Boxstarter also enables 
	you t ocapture the standard output and error streams of standard 
	command line executables and utilities and not just the powershell 
	pipeline. See About_Boxstarter_Logging for more details.

	Boxstarter exposes several functions aimed at customizing several 
	Windows settings. All of these are located in the 
	Boxstarter.WinConfig module. These include customizing Windows 
	Explorer, the Windows Task Bar, enabling Remote desktop and much 
	more. See Get-Command -Module Boxstarter.WinConfig for the 
	functions available.



	A Hashtable for persisting Boxstarter settings.

	The Boxstarter variable is a hashtable that is globaly accesible. 
	Different Boxstarter modules may store different settings.
	Some of the bootstrapper module settings available from the 
	Boxstarter variable can also be set from the Invoke-Boxstarter 

		Indicates if the current session was automatically loged on by 
		Boxstarter after a reboot.

		The Root directory containing the Boxstarter Modules and local 
		package repository. By default this is in the users AppData 

		Indicates if Boxstarter has intiated a reboot.

		This points to the path of the Boxstarter log file. By default 
		this is $env:LocalAppData\Boxstarter\boxstarter.log. You may 
		edit this variable to change the location of the log.

		A boolean value indicating if automatic reboots are permited. 
		This is false by default but true if the -RebootOk switch is 
		used when calling Invoke-Boxstarter. You may edit this value 
		to suppress or enable reboots.

		The script that is wraped  by Boxstarter.

		A boolean value that specifies if log messages should be 
		suppressed. The default is false and can be changed at any 
		time. If true, any message logged via Write-BoxstarterMessage 
		or Star-TimedSection will not log to the console or to the 


function Get-BoxstarterTempDir {
    if($env:LocalAppData -and $env:LocalAppData.StartsWith("$env:SystemDrive\Users")){
        $dir = $env:LocalAppData
    else {
        $dir = $env:ProgramData

if(!(Test-Path "$dir\Boxstarter")){mkdir "$dir\Boxstarter" | out-null}
    return "$dir\Boxstarter"
*   This function was written by Brian Wilhite
*   Published at https://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542
*	Version: 07/27/2015
*   Distributed according to Technet Terms of Use
*   https://technet.microsoft.com/en-us/cc300389.aspx
Function Get-PendingReboot
    Gets the pending reboot status on a local or remote computer.

    This function will query the registry on a local or remote computer and determine if the
    system is pending a reboot, from Microsoft updates, Configuration Manager Client SDK, Pending Computer 
    Rename, Domain Join or Pending File Rename Operations. For Windows 2008+ the function will query the 
    CBS registry key as another factor in determining pending reboot state.  "PendingFileRenameOperations" 
    and "Auto Update\RebootRequired" are observed as being consistant across Windows Server 2003 & 2008.
    CBServicing = Component Based Servicing (Windows 2008+)
    WindowsUpdate = Windows Update / Auto Update (Windows 2003+)
    CCMClientSDK = SCCM 2012 Clients only (DetermineIfRebootPending method) otherwise $null value
    PendComputerRename = Detects either a computer rename or domain join operation (Windows 2003+)
    PendFileRename = PendingFileRenameOperations (Windows 2003+)
    PendFileRenVal = PendingFilerenameOperations registry value; used to filter if need be, some Anti-
                     Virus leverage this key for def/dat removal, giving a false positive PendingReboot

.PARAMETER ComputerName
    A single Computer or an array of computer names.  The default is localhost ($env:COMPUTERNAME).

    A single path to send error data to a log file.

    PS C:\> Get-PendingReboot -ComputerName (Get-Content C:\ServerList.txt) | Format-Table -AutoSize
    Computer CBServicing WindowsUpdate CCMClientSDK PendFileRename PendFileRenVal RebootPending
    -------- ----------- ------------- ------------ -------------- -------------- -------------
    DC01           False         False                       False                        False
    DC02           False         False                       False                        False
    FS01           False         False                       False                        False

    This example will capture the contents of C:\ServerList.txt and query the pending reboot
    information from the systems contained in the file and display the output in a table. The
    null values are by design, since these systems do not have the SCCM 2012 client installed,
    nor was the PendingFileRenameOperations value populated.

    PS C:\> Get-PendingReboot
    Computer           : WKS01
    CBServicing        : False
    WindowsUpdate      : True
    CCMClient          : False
    PendComputerRename : False
    PendFileRename     : False
    PendFileRenVal     : 
    RebootPending      : True
    This example will query the local machine for pending reboot information.
    PS C:\> $Servers = Get-Content C:\Servers.txt
    PS C:\> Get-PendingReboot -Computer $Servers | Export-Csv C:\PendingRebootReport.csv -NoTypeInformation
    This example will create a report that contains pending reboot information.

    Component-Based Servicing:
    PendingFileRename/Auto Update:

    SCCM 2012/CCM_ClientSDK:

    Author:  Brian Wilhite
    Email:   bcwilhite (at) live.com
    Date:    29AUG2012
    PSVer:   2.0/3.0/4.0/5.0
    Updated: 27JUL2015
    UpdNote: Added Domain Join detection to PendComputerRename, does not detect Workgroup Join/Change
             Fixed Bug where a computer rename was not detected in 2008 R2 and above if a domain join occurred at the same time.
             Fixed Bug where the CBServicing wasn't detected on Windows 10 and/or Windows Server Technical Preview (2016)
             Added CCMClient property - Used with SCCM 2012 Clients only
             Added ValueFromPipelineByPropertyName=$true to the ComputerName Parameter
             Removed $Data variable from the PSObject - it is not needed
             Bug with the way CCMClientSDK returned null value if it was false
             Removed unneeded variables
             Added PendFileRenVal - Contents of the PendingFileRenameOperations Reg Entry
             Removed .Net Registry connection, replaced with WMI StdRegProv
             Added ComputerPendingRename


Begin {  }## End Begin Script Block
Process {
  Foreach ($Computer in $ComputerName) {
	Try {
	    ## Setting pending values to false to cut down on the number of else statements
	    $CompPendRen,$PendFileRename,$Pending,$SCCM = $false,$false,$false,$false
	    ## Setting CBSRebootPend to null since not all versions of Windows has this value
	    $CBSRebootPend = $null
	    ## Querying WMI for build version
	    $WMI_OS = Get-WmiObject -Class Win32_OperatingSystem -Property BuildNumber, CSName -ComputerName $Computer -ErrorAction Stop

	    ## Making registry connection to the local/remote computer
	    $HKLM = [UInt32] "0x80000002"
	    $WMI_Reg = [WMIClass] "\\$Computer\root\default:StdRegProv"
	    ## If Vista/2008 & Above query the CBS Reg Key
	    If ([Int32]$WMI_OS.BuildNumber -ge 6001) {
		    $RegSubKeysCBS = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\")
		    $CBSRebootPend = $RegSubKeysCBS.sNames -contains "RebootPending"		
	    ## Query WUAU from the registry
	    $RegWUAURebootReq = $WMI_Reg.EnumKey($HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\")
	    $WUAURebootReq = $RegWUAURebootReq.sNames -contains "RebootRequired"
	    ## Query PendingFileRenameOperations from the registry
	    $RegSubKeySM = $WMI_Reg.GetMultiStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager\","PendingFileRenameOperations")
	    $RegValuePFRO = $RegSubKeySM.sValue

	    ## Query JoinDomain key from the registry - These keys are present if pending a reboot from a domain join operation
	    $Netlogon = $WMI_Reg.EnumKey($HKLM,"SYSTEM\CurrentControlSet\Services\Netlogon").sNames
	    $PendDomJoin = ($Netlogon -contains 'JoinDomain') -or ($Netlogon -contains 'AvoidSpnSet')

	    ## Query ComputerName and ActiveComputerName from the registry
	    $ActCompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName\","ComputerName")            
	    $CompNm = $WMI_Reg.GetStringValue($HKLM,"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\","ComputerName")

	    If (($ActCompNm -ne $CompNm) -or $PendDomJoin) {
	        $CompPendRen = $true
	    ## If PendingFileRenameOperations has a value set $RegValuePFRO variable to $true
	    If ($RegValuePFRO) {
		    $PendFileRename = $true

	    ## Determine SCCM 2012 Client Reboot Pending Status
	    ## To avoid nested 'if' statements and unneeded WMI calls to determine if the CCM_ClientUtilities class exist, setting EA = 0
	    $CCMClientSDK = $null
	    $CCMSplat = @{
	    ## Try CCMClientSDK
	    Try {
	        $CCMClientSDK = Invoke-WmiMethod @CCMSplat
	    } Catch [System.UnauthorizedAccessException] {
	        $CcmStatus = Get-Service -Name CcmExec -ComputerName $Computer -ErrorAction SilentlyContinue
	        If ($CcmStatus.Status -ne 'Running') {
	            Write-Warning "$Computer`: Error - CcmExec service is not running."
	            $CCMClientSDK = $null
	    } Catch {
	        $CCMClientSDK = $null

	    If ($CCMClientSDK) {
	        If ($CCMClientSDK.ReturnValue -ne 0) {
		        Write-Warning "Error: DetermineIfRebootPending returned error code $($CCMClientSDK.ReturnValue)"          
		    If ($CCMClientSDK.IsHardRebootPending -or $CCMClientSDK.RebootPending) {
		        $SCCM = $true
	    Else {
	        $SCCM = $null

	    ## Creating Custom PSObject and Select-Object Splat
	    $SelectSplat = @{
	    New-Object -TypeName PSObject -Property @{
	        RebootPending=($CompPendRen -or $CBSRebootPend -or $WUAURebootReq -or $SCCM -or $PendFileRename)
	    } | Select-Object @SelectSplat

	} Catch {
	    Write-Warning "$Computer`: $_"
	    ## If $ErrorLog, log the file to a user specified location/path
	    If ($ErrorLog) {
	        Out-File -InputObject "$Computer`,$_" -FilePath $ErrorLog -Append
  }## End Foreach ($Computer in $ComputerName)			
}## End Process

End {  }## End End

}## End Function Get-PendingReboot
if(!$Global:Boxstarter) { $Global:Boxstarter = @{} }
if(!$Boxstarter.ContainsKey('Log')) {
if(!$Boxstarter.ContainsKey('RebootOk')) { $Boxstarter.RebootOk=$false }
if(!$Boxstarter.ContainsKey('IsRebooting')) { $Boxstarter.IsRebooting=$false }
function Invoke-BoxStarter{
Invokes the Boxstarter bootstrapper

This wraps any PowerShell script block and executes it in an environment tailored for uninterrupted installations
 - Turns off the windows update service during installation to prevent installation conflicts and minimize the need for reboots
 - Imports the Boxstarter.WinConfig module that provides functions for customizing windows
 - Provides Reboot Resiliency by ensuring the package installation is immediately restarted up on reboot if there is a reboot during the installation.
 - Ensures everything runs under administrator permissions
If the password argument is not included and RebootOk is passed, 
the user will be prompted for a password immediately after 
invoking the command and that password will be used for any 
subsequent reboot during the boxstarter run.

.Parameter ScriptToCall
The script that Boxstarter wraps. After Boxstarter shuts down 
the update services and ensures that the console is running as 
an administrator, it invokes this script. The script may call Invoke-Reboot 
at any time and Boxstarter will ensure that the machine is 
rebooted, logged in and the script is rerun.

.Parameter Password
This password will be used to automatically log the user in if a 
reboot is required and reboots are enabled.

.Parameter RebootOk
If set, a reboot will be performed if boxstarter determines that a 
reboot is pending. If no password is supplied to the Password 
parameterBoxstarter will prompt the user to enter a password which 
will be used for automatic logins in the event a restart is 

.PARAMETER KeepWindowOpen
Enabling this switch will prevent the command window from closing and 
prompt the user to pres the Enter key before the window closes. This 
is ideal when not invoking boxstarter from a console.

When set, Boxstarter will never prompt for logon. Use this if using
an account without password validation.

Invoke-Boxstarter {Import-Modler myinstaller;Invoke-MyInstall} -RebootOk

This invokes Boxstarter and invokes MyInstall. If pending 
reboots are detected, boxstarter will restart the machine. Boxstarter
will prompt the user to enter a password which will be used for 
automatic logins in the event a restart is required.

    $BoxStarter.IsRebooting = $false
    $scriptFile = "$(Get-BoxstarterTempDir)\boxstarter.script"
    if(!(Test-Admin)) {
        New-Item $scriptFile -type file -value $ScriptToCall.ToString() -force | out-null
        Write-BoxstarterMessage "User is not running with administrative rights. Attempting to elevate..."
        $unNormalized=(Get-Item "$($Boxstarter.Basedir)\Boxstarter.Bootstrapper\BoxStarter.Bootstrapper.psd1")
            $encryptedPass = convertfrom-securestring -securestring $password
            $passwordArg = "-encryptedPassword $encryptedPass"
        $command = "-ExecutionPolicy bypass -noexit -command Import-Module `"$($unNormalized.FullName)`";Invoke-BoxStarter $(if($RebootOk){'-RebootOk'}) $passwordArg"
        Start-Process powershell -verb runas -argumentlist $command
        if(!(Get-IsRemote)){ Write-BoxstarterLogo }
        $session=Start-TimedSection "Installation session." -Verbose
        if($encryptedPassword){$password = ConvertTo-SecureString -string $encryptedPassword}
            Write-BoxstarterMessage "NoPassword is false checking autologin" -verbose
            $script:BoxstarterPassword=InitAutologon $password
        if($script:BoxstarterPassword -eq $null) {
        Write-BoxstarterMessage "NoPassword is set to $($boxstarter.NoPassword) and RebootOk is set to $($Boxstarter.RebootOk) and the NoPassword parameter passed was $NoPassword" -verbose
        $Boxstarter.ScriptToCall = Resolve-Script $ScriptToCall $scriptFile
        return $true
    catch {
       Log-BoxStarterMessage ($_ | Out-String)
       throw $_
        Cleanup-Boxstarter -KeepWindowOpen:$KeepWindowOpen -DisableRestart:$DisableRestart
        Stop-TimedSection $session
        if($BoxStarter.IsRebooting) {

function RestartNow {
    Write-BoxstarterMessage "Restart Required. Restarting now..."
    Restart-Computer -force -ErrorAction SilentlyContinue

function Read-AuthenticatedPassword {
    while(--$attemptsLeft -ge 0 -and !$val) {
            $Password=Read-Host -AsSecureString "Autologon Password"
            $creds = New-Object System.Management.Automation.PsCredential("$($currentUser.Domain)\$($currentUser.Name)", $password)
            Start-Process "Cmd.exe" -argumentlist "/c","echo" -Credential $creds
            write-BoxstarterMessage "Successfully authenticated password."
            return $password
        catch { }
    write-BoxstarterMessage "Unable to authenticate password for $($currentUser.Domain)\$($currentUser.Name). Proceeding with autologon disabled"
    return $null

function InitAutologon([System.Security.SecureString]$password){
    $autologonKey="HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $winlogonProps = Get-ItemProperty -Path $autologonKey
    if($winlogonProps.AutoAdminLogon){$autoLogon=Get-ItemProperty -Path $autologonKey -Name "AutoAdminLogon"}
    if($autoLogon) {
        $autoLogon = $autoLogon.AutoAdminLogon
        if($autoLogon -gt 0) {
            try { $autoLogonCount=Get-ItemProperty -Path $autologonKey -Name "AutoLogonCount" -ErrorAction stop } catch {$global:error.RemoveAt(0)}
            if($autoLogonCount) {$autoLogon=$autoLogonCount.autoLogonCount}
    } else {$autoLogon=0}
    $Boxstarter.AutologedOn = ($autoLogon -gt 0)
    Write-BoxstarterMessage "AutoLogin status is $($Boxstarter.AutologedOn)" -verbose
    if($Boxstarter.RebootOk -and !$Password -and !$Boxstarter.AutologedOn) {
        Write-BoxstarterMessage "Please type CTRL+C or close this window to exit Boxstarter if you do not want to risk a reboot during this Boxstarter install.`r`n" -nologo -Color Yellow
        write-BoxstarterMessage @"
Boxstarter may need to reboot your system. 
Please provide your password so that Boxstarter may automatically log you on. 
Your password will be securely stored and encrypted.
"@ -nologo

    return $password

function Resolve-Script([ScriptBlock]$script, [string]$scriptFile){
    if($script) {return $script.ToString()}
    if(Test-Path $scriptFile) {
        $scriptFile=(Get-Content $scriptFile)
        if($scriptFile.length -gt 0) {
            return $scriptFile
    throw "No Script was specified to call."
function Invoke-Reboot {
Reboots the local machine ensuring Boxstarter restarts 
automatically after reboot and sets up autologon if it a 
password was provided.

Use this command inside of a boxstarter package instead 
of calling Restart-Computer

This command will often be used with the Test-PendingReboot
command. If Test-PendingReboot returns true, one may want 
to call Invoke-Reboot to restart otherwise the remainder of 
the package might fail.

One can use the $Boxstarter variable's RebootOk to enable/disable
reboots. If this is set to $False (the default) then Invoke-Reboot
will not do anything. If Boxstarter was invoked with the -RebootOk
parameter $Boxstarter.RebootOk is set to True.

    if(!$Boxstarter.RebootOk) { 
        Write-BoxstarterMessage "A Reboot was requested but Reboots are suppressed. Either call Invoke-Boxstarter with -RebootOk or set `$Boxstarter.RebootOk to `$true"
    if(!(Get-IsRemote -PowershellRemoting) -and !($Boxstarter.DisableRestart)){
        if(!$Boxstarter.ScriptToCall) {
            Write-BoxstarterMessage "Invoke-Reboot must be called from a Boxstarter package."
        Write-BoxstarterMessage "writing restart file"
        New-Item "$(Get-BoxstarterTempDir)\Boxstarter.script" -type file -value $boxstarter.ScriptToCall -force | Out-Null
        $startup = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup"
        $restartScript="Call PowerShell -NoProfile -ExecutionPolicy bypass -command `"Import-Module '$($Boxstarter.BaseDir)\Boxstarter.Bootstrapper\boxstarter.bootstrapper.psd1';Invoke-Boxstarter -RebootOk -NoPassword:`$$($Boxstarter.NoPassword.ToString())`""
        New-Item "$startup\boxstarter-post-restart.bat" -type file -force -value $restartScript | Out-Null
    try {
        if(Get-Module Bitlocker -ListAvailable){
            Get-BitlockerVolume | ? {$_.ProtectionStatus -eq "On"  -and $_.VolumeType -eq "operatingSystem"} | Suspend-Bitlocker -RebootCount 1 | out-null
    catch {} # There are several reports of the bitlocker module throwing errors

    if($Boxstarter.SourcePID -ne $Null) {
        Write-BoxstarterMessage "Writing restart marker with pid $($Boxstarter.SourcePID) from $PID" -verbose
        New-Item "$(Get-BoxstarterTempDir)\Boxstarter.$($Boxstarter.SourcePID).restart" -type file -value "" -force | Out-Null

function Restart {
*   This function was written by Andy Arismendi
*   Published at http://poshcode.org/2982
*   Under Creative Commons License 
*   http://creativecommons.org/publicdomain/zero/1.0/legalcode
function Set-SecureAutoLogon {
param (
    [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]

    [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [System.Security.SecureString]

begin {
    [string] $WinlogonPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    [string] $WinlogonBannerPolicyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

    [string] $Enable = 1
    [string] $Disable = 0
    #region C# Code to P-invoke LSA LsaStorePrivateData function.
    Add-Type @"
        using System;
        using System.Collections.Generic;
        using System.Text;
        using System.Runtime.InteropServices;

        namespace ComputerSystem
            public class LSAutil
                private struct LSA_UNICODE_STRING
                    public UInt16 Length;
                    public UInt16 MaximumLength;
                    public IntPtr Buffer;

                private struct LSA_OBJECT_ATTRIBUTES
                    public int Length;
                    public IntPtr RootDirectory;
                    public LSA_UNICODE_STRING ObjectName;
                    public uint Attributes;
                    public IntPtr SecurityDescriptor;
                    public IntPtr SecurityQualityOfService;

                private enum LSA_AccessPolicy : long
                    POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
                    POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
                    POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
                    POLICY_TRUST_ADMIN = 0x00000008L,
                    POLICY_CREATE_ACCOUNT = 0x00000010L,
                    POLICY_CREATE_SECRET = 0x00000020L,
                    POLICY_CREATE_PRIVILEGE = 0x00000040L,
                    POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
                    POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
                    POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
                    POLICY_SERVER_ADMIN = 0x00000400L,
                    POLICY_LOOKUP_NAMES = 0x00000800L,
                    POLICY_NOTIFICATION = 0x00001000L

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaRetrievePrivateData(
                            IntPtr PolicyHandle,
                            ref LSA_UNICODE_STRING KeyName,
                            out IntPtr PrivateData

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaStorePrivateData(
                        IntPtr policyHandle,
                        ref LSA_UNICODE_STRING KeyName,
                        ref LSA_UNICODE_STRING PrivateData

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaOpenPolicy(
                    ref LSA_UNICODE_STRING SystemName,
                    ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                    uint DesiredAccess,
                    out IntPtr PolicyHandle

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaNtStatusToWinError(
                    uint status

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaClose(
                    IntPtr policyHandle

                [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
                private static extern uint LsaFreeMemory(
                    IntPtr buffer

                private LSA_OBJECT_ATTRIBUTES objectAttributes;
                private LSA_UNICODE_STRING localsystem;
                private LSA_UNICODE_STRING secretName;

                public LSAutil(string key)
                    if (key.Length == 0)
                        throw new Exception("Key length zero");

                    objectAttributes = new LSA_OBJECT_ATTRIBUTES();
                    objectAttributes.Length = 0;
                    objectAttributes.RootDirectory = IntPtr.Zero;
                    objectAttributes.Attributes = 0;
                    objectAttributes.SecurityDescriptor = IntPtr.Zero;
                    objectAttributes.SecurityQualityOfService = IntPtr.Zero;

                    localsystem = new LSA_UNICODE_STRING();
                    localsystem.Buffer = IntPtr.Zero;
                    localsystem.Length = 0;
                    localsystem.MaximumLength = 0;

                    secretName = new LSA_UNICODE_STRING();
                    secretName.Buffer = Marshal.StringToHGlobalUni(key);
                    secretName.Length = (UInt16)(key.Length * UnicodeEncoding.CharSize);
                    secretName.MaximumLength = (UInt16)((key.Length + 1) * UnicodeEncoding.CharSize);

                private IntPtr GetLsaPolicy(LSA_AccessPolicy access)
                    IntPtr LsaPolicyHandle;

                    uint ntsResult = LsaOpenPolicy(ref this.localsystem, ref this.objectAttributes, (uint)access, out LsaPolicyHandle);

                    uint winErrorCode = LsaNtStatusToWinError(ntsResult);
                    if (winErrorCode != 0)
                        throw new Exception("LsaOpenPolicy failed: " + winErrorCode);

                    return LsaPolicyHandle;

                private static void ReleaseLsaPolicy(IntPtr LsaPolicyHandle)
                    uint ntsResult = LsaClose(LsaPolicyHandle);
                    uint winErrorCode = LsaNtStatusToWinError(ntsResult);
                    if (winErrorCode != 0)
                        throw new Exception("LsaClose failed: " + winErrorCode);

                public void SetSecret(string value)
                    LSA_UNICODE_STRING lusSecretData = new LSA_UNICODE_STRING();

                    if (value.Length > 0)
                        //Create data and key
                        lusSecretData.Buffer = Marshal.StringToHGlobalUni(value);
                        lusSecretData.Length = (UInt16)(value.Length * UnicodeEncoding.CharSize);
                        lusSecretData.MaximumLength = (UInt16)((value.Length + 1) * UnicodeEncoding.CharSize);
                        //Delete data and key
                        lusSecretData.Buffer = IntPtr.Zero;
                        lusSecretData.Length = 0;
                        lusSecretData.MaximumLength = 0;

                    IntPtr LsaPolicyHandle = GetLsaPolicy(LSA_AccessPolicy.POLICY_CREATE_SECRET);
                    uint result = LsaStorePrivateData(LsaPolicyHandle, ref secretName, ref lusSecretData);

                    uint winErrorCode = LsaNtStatusToWinError(result);
                    if (winErrorCode != 0)
                        throw new Exception("StorePrivateData failed: " + winErrorCode);

process {

    try {
        $ErrorActionPreference = "Stop"
        $decryptedPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto(

        if ($BackupFile) {
                # Initialize the hash table with a string comparer to allow case sensitive keys.
                # This allows differentiation between the winlogon and system policy logon banner strings.
            $OrigionalSettings = New-Object System.Collections.Hashtable ([system.stringcomparer]::CurrentCulture)
            $OrigionalSettings.AutoAdminLogon = (Get-ItemProperty $WinlogonPath ).AutoAdminLogon
            $OrigionalSettings.ForceAutoLogon = (Get-ItemProperty $WinlogonPath).ForceAutoLogon
            $OrigionalSettings.DefaultUserName = (Get-ItemProperty $WinlogonPath).DefaultUserName
            $OrigionalSettings.DefaultDomainName = (Get-ItemProperty $WinlogonPath).DefaultDomainName
            if((Get-ItemProperty $WinlogonPath).DefaultPassword) {
                $OrigionalSettings.DefaultPassword = (Get-ItemProperty $WinlogonPath).DefaultPassword
                Remove-ItemProperty -Path $WinlogonPath -Name DefaultPassword -Force
            $OrigionalSettings.AutoLogonCount = (Get-ItemProperty $WinlogonPath).AutoLogonCount
                # The winlogon logon banner settings.
            $OrigionalSettings.LegalNoticeCaption = (Get-ItemProperty $WinlogonPath).LegalNoticeCaption
            $OrigionalSettings.LegalNoticeText = (Get-ItemProperty $WinlogonPath).LegalNoticeText
                # The system policy logon banner settings.
            $OrigionalSettings.legalnoticecaption = (Get-ItemProperty $WinlogonBannerPolicyPath).legalnoticecaption
            $OrigionalSettings.legalnoticetext = (Get-ItemProperty $WinlogonBannerPolicyPath).legalnoticetext
            $OrigionalSettings | Export-Clixml -Depth 10 -Path $BackupFile
            # Store the password securely.
        $lsaUtil = New-Object ComputerSystem.LSAutil -ArgumentList "DefaultPassword"
            # Store the autologon registry settings.
        Set-ItemProperty -Path $WinlogonPath -Name AutoAdminLogon -Value $Enable -Force

        Set-ItemProperty -Path $WinlogonPath -Name DefaultUserName -Value $Username -Force
        Set-ItemProperty -Path $WinlogonPath -Name DefaultDomainName -Value $Domain -Force

        if ($AutoLogonCount) {
            Set-ItemProperty -Path $WinlogonPath -Name AutoLogonCount -Value $AutoLogonCount -Force
        } else {
            try {Remove-ItemProperty -Path $WinlogonPath -Name AutoLogonCount -ErrorAction stop } catch {$global:error.RemoveAt(0)}

        if ($RemoveLegalPrompt) {
            Set-ItemProperty -Path $WinlogonPath -Name LegalNoticeCaption -Value $null -Force
            Set-ItemProperty -Path $WinlogonPath -Name LegalNoticeText -Value $null -Force
            Set-ItemProperty -Path $WinlogonBannerPolicyPath -Name legalnoticecaption -Value $null -Force
            Set-ItemProperty -Path $WinlogonBannerPolicyPath -Name legalnoticetext -Value $null -Force
    } catch {
        throw 'Failed to set auto logon. The error was: "{0}".' -f $_

        Enables auto logon using the specified username and password.

    .PARAMETER  Username
        The username of the user to automatically logon as.

    .PARAMETER  Password
        The password for the user to automatically logon as.
    .PARAMETER  Domain
        The domain of the user to automatically logon as.
    .PARAMETER  AutoLogonCount
        The number of logons that auto logon will be enabled.
    .PARAMETER  RemoveLegalPrompt
        Removes the system banner to ensure intervention-less logon.
    .PARAMETER  BackupFile
        If specified the existing settings such as the system banner text will be backed up to the specified file.

        PS C:\> Set-SecureAutoLogon `
                -Username $env:USERNAME `
                -Password (Read-Host -AsSecureString) `
                -AutoLogonCount 2 `
                -RemoveLegalPrompt `
                -BackupFile "C:\WinlogonBackup.xml"



        Revision History:
            2011-04-19 : Andy Arismendi - Created.
            2011-09-29 : Andy Arismendi - Changed to use LSA secrets to store password securely.


function Start-UpdateServices {
    write-boxstartermessage "Restore Automatic Updates from Windows Update"
    $winUpdateKey = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au"

    Remove-BoxstarterError {
        Remove-ItemProperty -Path $winUpdateKey -name 'NoAutoUpdate' -force
        Remove-ItemProperty -Path $winUpdateKey -name 'NoAutoRebootWithLoggedOnUsers' -force

        # Restore original value
        Rename-ItemProperty -Path $winUpdateKey -NewName 'NoAutoUpdate' -Name 'NoAutoUpdate_BAK'


function Start-CCMEXEC {
    $ccm = get-service -include CCMEXEC
    if($ccm -and $ccm.Status -ne "Running") {
        Write-BoxstarterMessage "Starting Configuration Manager Service"
        set-service CCMEXEC -startuptype automatic
        Enter-BoxstarterLogable { Start-Service CCMEXEC -ErrorAction SilentlyContinue }
function Stop-UpdateServices {
    write-boxstartermessage "Disabling Automatic Updates from Windows Update"
    $winUpdateKey = "HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au"
    if(!(Test-Path $winUpdateKey) ) { New-Item $winUpdateKey -Type Folder -Force | Out-Null }

    Remove-BoxstarterError {
        # Backup original value
        Rename-ItemProperty -Path $winUpdateKey -Name 'NoAutoUpdate' -NewName 'NoAutoUpdate_BAK'

        New-ItemProperty -Path $winUpdateKey -name 'NoAutoUpdate' -value '1' -propertyType "DWord" -force | Out-Null
        New-ItemProperty -Path $winUpdateKey -name 'NoAutoRebootWithLoggedOnUsers' -value '1' -propertyType "DWord" -force | Out-Null

function Stop-CCMEXEC {
    $ccm = (get-service -include CCMEXEC)
    if($ccm) {
        set-service CCMEXEC -startuptype disabled
        do {
            if($ccm.CanStop) { 
                Write-boxstartermessage "Stopping Configuration Manager"
                Enter-BoxstarterLogable { Stop-Service CCMEXEC }
            Write-boxstartermessage "Waiting for Computer Configuration Manager to stop..."
            sleep 10
        } while (-not ($ccm.CanStop) -and ($i++ -lt 5))
function Test-PendingReboot {
Checks to see if Windows is pending a reboot

Uses a script from Brian Wilhite 
that queries the registry, Windows Update and System 
Configuration Manager to determine if a pending reboot is 

One may want to check this before installing software 
or doing anything that may fail if there is a pending 
reboot. If this command returns $true, one may want to
call Invoke-Reboot to restart the local machine.


    Write-BoxstarterMessage "Checking for Pending reboot" -Verbose
    $rebootPending = $null
    Remove-BoxstarterError {
        $rebootPending = Get-PendingReboot -ErrorLog $BoxStarter.Log
    if ($rebootPending.RebootPending) {
        Write-BoxstarterMessage "Detected Pending reboot" -Verbose
        Log-BoxstarterMessage "$rebootPending"
        return $true
    else {
        return $false
$tools = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
. (Join-Path $tools Setup.ps1)
try { 
    $ModuleName = (Get-ChildItem $tools | ?{ $_.PSIsContainer }).BaseName
    $preInstall = Join-Path $tools "$modulename.preinstall.ps1"
    if(Test-Path $preInstall) { .$preInstall }
    Install-Boxstarter $tools $ModuleName $env:chocolateyPackageParameters
} catch {
    write-output $_ | fl * -force
    throw $_.Exception
function Install-Boxstarter($here, $ModuleName, $installArgs = "") {
    $boxstarterPath=Join-Path $env:AppData Boxstarter
    if(!(test-Path $boxstarterPath)){
        mkdir $boxstarterPath
    $packagePath=Join-Path $boxstarterPath BuildPackages
    if(!(test-Path $packagePath)){
        mkdir $packagePath
    foreach($ModulePath in (Get-ChildItem $here | ?{ $_.PSIsContainer })){
        $target=Join-Path $boxstarterPath $modulePath.BaseName
        if(test-Path $target){
            Remove-Item $target -Recurse -Force
    Copy-Item "$here\*" $boxstarterPath -Recurse -Force -Exclude ChocolateyInstall.ps1, Setup.*

    PersistBoxStarterPathToEnvironmentVariable "PSModulePath"
    PersistBoxStarterPathToEnvironmentVariable "Path"
    $binPath =  "$here\..\..\..\bin"
    $boxModule=Get-Module Boxstarter.Chocolatey
    if($boxModule) {
        if($boxModule.Path -like "$env:LOCALAPPDATA\Apps\*") {
        Import-Module "$boxstarterPath\$ModuleName" -DisableNameChecking -Force -ErrorAction SilentlyContinue
    $successMsg = @"
The $ModuleName Module has been copied to $boxstarterPath and added to your Module path. 
You will need to open a new console for the path to be visible.
Use 'Get-Module Boxstarter.* -ListAvailable' to list all Boxstarter Modules.
To list all available Boxstarter Commands, use:
PS:>Import-Module $ModuleName
PS:>Get-Command -Module Boxstarter.*

To find more info visit http://Boxstarter.org or use:
PS:>Import-Module $ModuleName
PS:>Get-Help Boxstarter
    Write-Host $successMsg

    if($ModuleName -eq "Boxstarter.Chocolatey" -and !$env:appdata.StartsWith($env:windir)) {
        $desktop = $([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::DesktopDirectory))
        $startMenu=$("$env:appdata\Microsoft\Windows\Start Menu\Programs\Boxstarter")
        if(!(Test-Path $startMenu)){
            mkdir $startMenu
        $targetArgs="-ExecutionPolicy bypass -NoExit -Command `"&'$boxstarterPath\BoxstarterShell.ps1'`""

		if($installArgs -inotcontains "nodesktopicon") {
			$link = Join-Path $desktop "Boxstarter Shell.lnk"
			Create-Shortcut $link $target $targetArgs $boxstarterPath
        $link = Join-Path $startMenu "Boxstarter Shell.lnk"
        Create-Shortcut $link $target $targetArgs $boxstarterPath

        Set-Content -Path "$binPath\BoxstarterShell.bat" -Force -Value "$target $TargetArgs"

function Create-Shortcut($location, $target, $targetArgs, $boxstarterPath) {
    $wshshell = New-Object -ComObject WScript.Shell
    $lnk = $wshshell.CreateShortcut($location)
    $lnk.TargetPath = $target
    $lnk.Arguments = "$targetArgs"
    $lnk.WorkingDirectory = $boxstarterPath

	$tempFile = "$env:temp\TempShortcut.lnk"
	$writer = new-object System.IO.FileStream $tempFile, ([System.IO.FileMode]::Create)
	$reader = new-object System.IO.FileStream $location, ([System.IO.FileMode]::Open)
	while ($reader.Position -lt $reader.Length)
		$byte = $reader.ReadByte()
		if ($reader.Position -eq 22) {
			$byte = 34
	Move-Item -Path $tempFile $location -Force
function PersistBoxStarterPathToEnvironmentVariable($variableName){
    $value = [Environment]::GetEnvironmentVariable($variableName, 'User')
        $values=($value -split ';' | ?{ !($_.ToLower() -match "\\boxstarter$")}) -join ';'
    elseif($variableName -eq "PSModulePath") {
        $values +="\WindowsPowerShell\Modules;$boxstarterPath"
    else {
        $values ="$boxstarterPath"
    if(!$value -or !($values -contains $boxstarterPath)){
        $values = $values.Replace(';;',';')
        [Environment]::SetEnvironmentVariable($variableName, $values, 'User')
        $varValue = Get-Content env:\$variableName
        $varValue += ";$boxstarterPath"
        $varValue = $varValue.Replace(';;',';')
        Set-Content env:\$variableName -value $varValue

  • Persist RebootOk setting in nested installs
  • Suppress bogus Invalid Namespace errors
  • Added ability to configure "Expand to open folder" in Set-WindowsExplorerOptions
  • Added ability to configure QuickAccess options in Set-WindowsExplorerOption
  • Added Disable-GameBarTips to WinConfig module
  • Added Disable-BingSearch to WinConfig module
  • Updated to latest Get-PendingReboot
  • Eliminate multiple explorer restarts in Set-WindowsExplorerOption
  • Fix scenarios where providing multiple packages to Install-BoxstarterPackage fails
  • Added improved error logging where stacktrace was being dropped
  • Fix errors caused by using Int64 RebootCodes
  • Fix parameter typo in Set-ExplorerOptions
  • Update to latest Pester and ensure tests pass on clean VM
