Windows Server 2022

Version 3.1 by Sebastian Marsching on 2022/05/30 12:03

Completely changing the language of the operating system

  1. Install language pack.
  2. Run %windir%\system32\sysprep\sysprep.exe, select Enter System Out-of-Box Experience (OOBE) (keeping Generalize disabled) and select Reboot (idea from here).
  3. Select the correct language in the wizard that shows after the reboot.
  4. Change network name(s) if necessary. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles in the Registry Editor (idea from here). Alternatively, reset the network settings (Network & Internet settings ➞ Network reset).
  5. Optionally, change the regional / format settings to something which is useful to you. For example, I use the en_US locale, but I prefer the ISO date format and 24-hour clock:
    • Short date: yyyy-MM-dd
    • Short time: HH:mm
    • Long time: HH:mm:ss
    • First day of week: Monday
    • Measurement system: Metric
    • Currency symbol: €
    • Positive currency format: 1.1 €
    • Negative currency format: -1.1 €
  6. Copy the settings to the welcome screen and new user accounts.

Changing the timeout in the Windows Boot Manager

bcdedit /timeout 10

(from https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--timeout)

Configuring the certificate for Remote Desktop

First, we have to get the thumbprint, then we can tell the Remote Desktop services to use the certificate with this thumbprint:

# List the certificates in the machine store to find the thumbprint
Get-ChildItem -Path Cert:\LocalMachine\My
$Thumbprint = '<thumbprint from the list above>'  # placeholder, replace with the real value
Set-WmiInstance -Path (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path -Arguments @{SSLCertificateSHA1Hash="$Thumbprint"}

(from https://blog.icewolf.ch/archive/2021/07/03/secure-remote-desktop-connections-with-certificates.aspx)

Enabling strong cryptography for older .NET apps

For 64-bit apps:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001

For 32-bit apps:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
     "SystemDefaultTlsVersions" = dword:00000001
     "SchUseStrongCrypto" = dword:00000001

(see https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client)

SchUseStrongCrypto enables support for TLS 1.1 and 1.2, and SystemDefaultTlsVersions allows .NET to use the system defaults.

These registry keys can be added through a group policy.

Typically, the computer has to be rebooted in order for these changes to become effective.
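
To check a server against the four keys listed above, the following added example (not part of the original page) reports each value and, with a switch, writes the missing ones. The function name Test-DotNetStrongCrypto and its -Fix switch are hypothetical; it assumes a 64-bit PowerShell session (a 32-bit session is redirected to the WOW6432Node view) and an elevated prompt when -Fix is used.

```powershell
# Added example: audit (and optionally set) the .NET strong-crypto values.
# Function name and -Fix switch are hypothetical, not from the original page.
function Test-DotNetStrongCrypto {
    param([switch]$Fix)

    # The four keys from this page: 64-bit and 32-bit view, .NET 2.0/3.5 and 4.x
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    $names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

    foreach ($key in $keys) {
        foreach ($name in $names) {
            # A missing key or a missing value both yield $null here
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $ok = ($current -eq 1)

            if (-not $ok -and $Fix) {
                # Create the key if the framework version key does not exist yet
                if (-not (Test-Path -Path $key)) {
                    New-Item -Path $key -Force | Out-Null
                }
                New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
                $current = 1
                $ok = $true
            }

            # One result row per key/value pair
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Value     = $current
                Compliant = $ok
            }
        }
    }
}

# Report only, no changes are made; add -Fix to write the values.
Test-DotNetStrongCrypto | Format-Table -AutoSize
```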

Using EUI-64 instead of random IPv6 addresses

This can be done in exactly the same way as for Windows Server 2012 R2.