Windows Server 2022

Last modified by Sebastian Marsching on 2022/05/30 12:24

Completely changing the language of the operating system

  1. Install language pack.
  2. Run %windir%\system32\sysprep\sysprep.exe,  select Enter System Out-of-Box Experience (OOBE) (keeping Generalize disabled) and select Reboot (idea from here).
  3. Select the correct language in the wizard that shows after the reboot.
  4. Change network name(s) if necessary.  Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles in the Registry Editor (idea from here). Alternatively,  reset the network settings (Network & Internet settings ➞_ Network reset_)
  5. Optionally, change the regional / format settings to something which is useful to you. For example, I use the en_US locale, but I prefer the ISO date format and 24 hour clock:
    • Short date: yyyy-MM-dd
    • Short time: HH:mm
    • Long time: HH:mm:ss
    • First day of week: Monday
    • Measurement system: Metric
    • Currency symbol: €
    • Positive currency format: 1.1 €
    • Negative currency format: -1.1 €
  6. Copy the settings to the welcome screen and new user accounts.

Running sysprep can have undesired side effects, but it is the only way to really change the system language completely. If one is happy with only having most of the system in the new language, using the method described for Windows Server 2012 R2 might be suitable. However, a few messages during startup and shutdown will still be displayed in the original language when using this method.

Changing the timeout in the Windows Boot Manager

bcdedit /timeout 10

(from https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--timeout)

Configuring the certificate for Remote Desktop

First,  we have to get the thumbprint, then we can tell the Remote Desktop services to use the certificate with this thumbprint:

Get-ChildItem -Path Cert:LocalMachine\MY
Set-WmiInstance -Path (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path -argument @{SSLCertificateSHA1Hash="$Thumbprint"}

(from https://blog.icewolf.ch/archive/2021/07/03/secure-remote-desktop-connections-with-certificates.aspx)

Enabling strong cryptography for older .NET apps

For 64-bit apps:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001

For 32-bit apps:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001

(see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client)

SchUseStrongCrypto enables support for TLS 1.1 and 1.2,  and SystemDefaultTlsVersions allows .NET to use the system defaults.

These registry keys can be added through a group policy.

Typically,  the computer has to be rebooted in order for these changs to become effective.

Using EUI-64 instead of random IPv6 addressesEdit

It might be desirable to use an EUI-64-based IPv6 address (an IPv6 address that is generated based on the MAC address of the NIC) instead of a randomly generated address during IPv6 autoconfiguration. This can be achieved by using the following netsh command (from an elevated command prompt):

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

This is exactly the same way as for Windows Server 2012 R2.

Related pages