0

I have a PowerShell script that I need to run once on all computers in my Active Directory domain. A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines. However, the script needs to run as administrator because of the registry values being modified. Also, per our security department, we cannot change the ExecutionPolicy on these devices.

Is there any way to get this script to run?

# Map HKEY_CLASSES_ROOT as a PSDrive so Test-Path / Remove-Item can address it
New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR
$regKey = 'ms-msdt'
$saveFolder = 'C:\Temp\'
$savePath = $saveFolder + 'CVE-2022-30190.reg'
$PSRegPath = 'HKCR:\' + $regKey    # provider path for the PowerShell cmdlets
$CMDRegPath = 'HKCR\' + $regKey    # native path for reg.exe
if (Test-Path $PSRegPath)
{
    if (!(Test-Path $saveFolder))
    {
        New-Item -Path $saveFolder -ItemType Directory   # was $folder, which is never defined
    }
    # Back up the key before deleting it; /y overwrites an existing .reg file without prompting
    reg export $CMDRegPath $savePath /y
    Remove-Item -Path $PSRegPath -Recurse -Force
}

This script backs up a registry entry before deleting it, as recommended by the Microsoft mitigation work-around to CVE-2022-30190.

SamErde
CMS
  • What is the current execution policy? – SamErde Jun 01 '22 at 20:13
  • `A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines.` How is that? A GPO can only help you if an endpoint is *on* the network. – Greg Askew Jun 01 '22 at 20:24
  • I suspect their hope is that a GPO would ensure that the script runs as soon as the computer is turned on (once it picks up and processes the new GPO setting). – SamErde Jun 01 '22 at 20:26
  • Exactly. Most of our computers are in use during the normal business day at some time or another, but some of our locations have users who work night shifts or other non-standard times. Running via GPO will allow it to apply to all of our computers. Originally I was going to run this as a remote script until I realized that it would fail on any computer that wasn't currently on. – CMS Jun 06 '22 at 15:41
  • 1st, ms-msdt is patched already; 2nd, why PowerShell? Use reg.exe in a batch file to export/delete reg keys; 3rd, deploy an immediate scheduled task as a GPO. Startup scripts will not run at all unless the machine is restarted (due to fast boot optimizations by MS on Win8 and higher). – Bernd Schwanenmeister Jun 22 '22 at 14:08
  • 1) It wasn't fixed when I posted this question. 2) While this is a better solution for the problem at hand, I still wanted to know how to do it since there will inevitably come a time when I need to do something similar. 3) We have FastBoot disabled company-wide due to this and other reasons. – CMS Jun 23 '22 at 15:02

2 Answers

2

Create a GPO and execute the script in the system context during boot or shutdown (see "Computer setting > Windows Settings > Scripts (Startup/Shutdown)"). Startup/Shutdown scripts have the needed privileges.

The PowerShell executable provides a -ExecutionPolicy parameter that allows bypassing the global execution policy. It can be used in combination with -Command:

  1. Call PowerShell as the script to run in the GPO
  2. Put everything else into the parameters field: -ExecutionPolicy "bypass" -NoProfile -Command "...." to bypass the general PSH execution policy.

The "..." part might be an inline { script block } or point to a .ps1 file on your network (the usual way). You can also pass any needed parameters to the .ps1 script.

Examples (you can try out the whole command, before using it in a GPO, by simply running it in cmd.exe or PowerShell with admin privileges):

Powershell -ExecutionPolicy "bypass" -NoProfile -Command "\\contoso.com\dfs\script\foo.ps1"
Powershell -ExecutionPolicy "bypass" -NoProfile -Command "\\contoso.com\dfs\script\foo.ps1 -SwitchOne:$True -Langs @('de-de', 'en-us') -Verbose"

Checking whether something has to be done (= run once) should be implemented in your script's logic; simply exit if there is nothing to do. Remove the GPO a few weeks or months later, after you have ensured that all clients have booted and applied the change.

1

You can deploy the script as a Computer setting using Windows Settings > Scripts (Startup/Shutdown).

These scripts run in the system context, not the user's. To limit this to running only once, you can add a little bit of logic to the script that checks for the existence of the registry data.

[Screenshot: the Group Policy editor opened to the Startup Scripts settings]

SamErde
  • That option is not available in Group Policy Management, seems to be local policy only. – CMS Jun 06 '22 at 15:36
  • That option has always been present for local and domain group policies. If it's missing on your system, something is definitely broken! :) – SamErde Jun 06 '22 at 21:42
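Both answers describe the same procedure: a computer startup script that launches PowerShell with -ExecutionPolicy Bypass, plus run-once logic inside the script. The script below is an added example that ties the two together; it is not code from the question or from either answer. It takes the question's ms-msdt export-and-delete task and makes it safe to run from a GPO on every boot: it exits quietly when the key is already gone, refuses to delete the key unless reg.exe confirms the backup, verifies the deletion, and logs what it did so you can tell which machines have processed the GPO. The script file name (Remove-MsMsdt.ps1), the log and backup locations, and the DFS path in the GPO comment are assumptions; it uses -File instead of the answer's -Command so that the script's exit code becomes the process exit code.

```powershell
# Remove-MsMsdt.ps1 (hypothetical name) - added example, not code from the question
# or either answer. Intended as a GPO computer startup script, which runs as SYSTEM.
#
# GPO entry (Computer Configuration > Windows Settings > Scripts (Startup)):
#   Script Name:       powershell.exe
#   Script Parameters: -ExecutionPolicy Bypass -NoProfile -NonInteractive
#                      -File "\\contoso.com\dfs\script\Remove-MsMsdt.ps1"
# (the DFS path is an assumption, reusing the one in the first answer's examples)

[CmdletBinding()]
param(
    # Class key that Microsoft's CVE-2022-30190 workaround tells you to export and delete
    [string]$KeyName   = 'ms-msdt',
    # Local folder for the .reg backup and the log; SYSTEM can write here (assumed paths)
    [string]$BackupDir = 'C:\Temp',
    [string]$LogPath   = 'C:\Temp\Remove-MsMsdt.log'
)

$ErrorActionPreference = 'Stop'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# Returns the exit code the script should end with (0 = done or nothing to do, 1 = failed).
function Invoke-MsMsdtWorkaround {
    try {
        if (-not (Test-Path -LiteralPath $BackupDir)) {
            $null = New-Item -Path $BackupDir -ItemType Directory
        }

        # New-PSDrive fails if an HKCR drive already exists in this session, so test first.
        if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
            $null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
        }
        $psPath  = "HKCR:\$KeyName"    # provider path for the PowerShell cmdlets
        $regPath = "HKCR\$KeyName"     # native path for reg.exe

        # Run-once logic: the key's absence is the "already done" marker, so a machine
        # that has already processed the GPO (or was patched) stops here on every later boot.
        if (-not (Test-Path -LiteralPath $psPath)) {
            Write-Log "$regPath not present; nothing to do."
            return 0
        }

        # Back up before deleting, with a timestamped name so a rerun never clobbers a backup.
        $backupFile = Join-Path $BackupDir ('{0}_{1:yyyyMMdd-HHmmss}.reg' -f $KeyName, (Get-Date))
        & reg.exe export $regPath $backupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
            # A native executable's failure is not a PowerShell error, so $ErrorActionPreference
            # does not catch it; check the exit code and refuse to delete what was not backed up.
            Write-Log "reg.exe export of $regPath failed (exit code $LASTEXITCODE); key left in place."
            return 1
        }
        Write-Log "Exported $regPath to $backupFile"

        Remove-Item -LiteralPath $psPath -Recurse -Force

        # Verify the change instead of assuming Remove-Item's silence means success.
        if (Test-Path -LiteralPath $psPath) {
            Write-Log "Remove-Item returned but $regPath still exists."
            return 1
        }
        Write-Log "Deleted $regPath"
        return 0
    }
    catch {
        Write-Log "Unhandled error: $($_.Exception.Message)"
        return 1
    }
}

exit (Invoke-MsMsdtWorkaround)
```

One check worth doing on a test client before relying on the -ExecutionPolicy parameter: run Get-ExecutionPolicy -List and look at the MachinePolicy and UserPolicy scopes. The command-line parameter only sets the Process scope, and an execution policy delivered by Group Policy (the "Turn on Script Execution" setting) takes precedence over it, so if the security department enforces the policy that way, Bypass will be ignored and the script must be signed to satisfy the enforced policy instead. Because the script runs as SYSTEM, HKCR resolves to HKLM\SOFTWARE\Classes, which is where the ms-msdt key lives, so the result is the same as the interactive reg.exe workaround.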