Background

This is part 3 of the series on dealing with the Teams firewall rules for non-admin users. In the first two parts we introduced the issue and the core script that does the actual work. In this part I will show how to write a Setup script that can be run from Intune to initialize the entire process, along with the matching Uninstall script.

Logging

As with the other scripts, we want to have logging and will leverage the Start-Transcript cmdlet to do this.

$LogPath = 'C:\Logs'
$LogName = $LogPath + "\Setup-TeamsFirewallRule.log"

# Create the log directory on first run
If ((Test-Path $LogPath) -eq $false)
{
    New-Item -Path $LogPath -ItemType Directory | Out-Null
}

Start-Transcript -Path $LogName -Append

Setup script

Now we want to build the path that the script will be installed to for the task to call and then copy all the files into it.

$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules"

Write-Output "Checking for script paths"
If ((Test-Path $ScriptPath) -eq $false)
{
    Write-Output "Script path did not exist, building it now $($ScriptPath)"
    New-Item $ScriptPath -ItemType Directory | Out-Null
}

Write-Output "Copying Set-TeamsFirewallRules and Uninstall scripts to script path"

# Copy every file shipped alongside this setup script; -Force overwrites
# whatever an earlier version left behind so re-deploys pick up the new files
$Files = Get-ChildItem $PSScriptRoot -File

foreach ($File in $Files)
{
    Write-Output "Copying $($File.Name) to $($ScriptPath)"
    Copy-Item -Path $File.FullName -Destination $ScriptPath -Force
}

We are copying these files into C:\Program Files (x86)\ because that path is write protected: changing anything under it requires local admin rights. The scheduled task below runs the script as SYSTEM at every logon, so if the script lived somewhere a standard user can write to (their profile, C:\Temp, a shared folder), a malicious actor could replace it with anything they wanted and get SYSTEM on the machine at the next logon. Two things to check when you deploy this. First, $env:ProgramFiles resolves to C:\Program Files (x86) here only because the Intune Management Extension runs PowerShell scripts in a 32-bit host by default; if you enable the 64-bit host option it becomes C:\Program Files, so the task's -File argument should be built from $ScriptPath rather than typed in by hand. Second, the new directory is only as safe as the ACL it inherits from Program Files, so confirm that nothing under it grants Write, Modify or Full Control to Users, Authenticated Users or Everyone before registering the task.
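One way to make that second check part of the setup script, as an added example that is not from the original post: before registering the SYSTEM task, audit the DACL and owner of $ScriptPath and every file copied into it, and refuse to continue if a low-privilege principal could change them. $ScriptPath is the variable the setup script builds; which SIDs count as "low privilege" and as "trusted owners" is this example's own assumption.

```powershell
# Added example (this editor's, not code from the original post): before
# registering a SYSTEM task that executes from $ScriptPath, verify that no
# low-privilege principal can modify the directory or the files in it.
# $ScriptPath is the variable the setup script builds; which SIDs count as
# "low privilege" and "trusted owner" below is this example's assumption.
function Test-ScriptPathAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Principals that any ordinary interactive logon can act as
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # Owners we accept; an owner can always rewrite the DACL (implicit WRITE_DAC)
    $trustedOwnerSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # Specific rights that let a caller replace, append to, or re-permission files
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    # Generic rights that Get-Acl reports as raw bits: GENERIC_ALL | GENERIC_WRITE
    $genericWriteMask = 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    $findings = New-Object System.Collections.Generic.List[object]

    # Ask for SIDs directly so the check does not depend on account-name translation
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($trustedOwnerSids -notcontains $ownerSid) {
        $findings.Add([pscustomobject]@{
            Path = $Path; Kind = 'Owner'; Identity = $ownerSid
            Rights = 'implicit WRITE_DAC'; Inherited = $false
        })
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Value
        if ($lowPrivSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericWriteMask)) {
            $findings.Add([pscustomobject]@{
                Path = $Path; Kind = 'Ace'; Identity = $sid
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            })
        }
    }

    # Emit one object per problem; no output means the path is acceptable
    $findings.ToArray()
}

# Check the directory and every file the setup script copied into it
$targets = @($ScriptPath) + @(Get-ChildItem -LiteralPath $ScriptPath -Recurse -Force | ForEach-Object { $_.FullName })
$bad = @($targets | ForEach-Object { Test-ScriptPathAcl -Path $_ })
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize | Out-String | Write-Output
    throw "Refusing to register a SYSTEM task from a path writable by non-administrators: $ScriptPath"
}
```

Run this after the Copy-Item loop and before Register-ScheduledTask. Only Allow ACEs are counted, so a Deny ACE for Users will not suppress a finding; that errs on the side of stopping the install, which is the right failure mode for a script that is about to become a SYSTEM logon task. The thrown error lands in the transcript, so a machine where the Program Files ACL has been tampered with shows up in the Intune logs instead of silently getting the task.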

Next step is to create the scheduled task that will run the script we created in Part 2.

As we want proper versioning, we first check whether a task of the same name already exists and, if it does, remove it so the new definition replaces it cleanly.

#Check for existing task and remove it if it's there
If ((Get-ScheduledTask 'Set-TeamsFirewallRules' -ErrorAction SilentlyContinue))
{
    Write-Output "Found existing task, removing it now..."
    Unregister-ScheduledTask 'Set-TeamsFirewallRules' -Confirm:$false
}

Write-Output "Building scheduled task to run the script at logon for each user"
# Build the -File argument from $ScriptPath so the task always points at the
# directory we just populated, whichever Program Files the host resolved to
$ScriptFile = Join-Path $ScriptPath 'Set-TeamsFirewallRules.ps1'
$Action = New-ScheduledTaskAction -Execute powershell.exe -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptFile`""
$Trigger = New-ScheduledTaskTrigger -AtLogOn -RandomDelay (New-TimeSpan -Minutes 1)
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Description "This will create new Teams firewall rules for each user at logon"
Register-ScheduledTask 'Set-TeamsFirewallRules' -InputObject $Task
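Registering the task is not the same as knowing what got registered. As an added example, not code from the original post, here is a read-back check that fetches the task and confirms it still has the properties we care about: it runs as SYSTEM with the highest run level, has exactly one logon trigger, and its single powershell.exe action points at an existing script under a Program Files directory. The task name and $ScriptPath are the setup script's; the individual checks, and the assumption that the -File argument is quoted, are this example's.

```powershell
# Added example (this editor's, not code from the original post): read the
# task back after Register-ScheduledTask and confirm it still matches what
# we intended: runs as SYSTEM, fires at logon, and its -File argument is an
# existing script under a Program Files directory. The task name and
# $ScriptPath come from the setup script; the checks themselves are assumed.
function Test-TeamsFirewallTask {
    [CmdletBinding()]
    param(
        [string]$TaskName = 'Set-TeamsFirewallRules',
        [Parameter(Mandatory)]
        [string]$ExpectedScript   # full path of the .ps1 the task should run
    )

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ TaskName = $TaskName; Ok = $false; Problems = @('task is not registered') }
    }
    $problems = New-Object System.Collections.Generic.List[string]

    # Principal: the local SYSTEM account, elevated
    if (@('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18') -notcontains $task.Principal.UserId) {
        $problems.Add("runs as '$($task.Principal.UserId)', expected SYSTEM")
    }
    if ("$($task.Principal.RunLevel)" -ne 'Highest') {
        $problems.Add("RunLevel is '$($task.Principal.RunLevel)', expected Highest")
    }

    # Trigger: exactly one, and it must be a logon trigger
    $triggers = @($task.Triggers)
    if ($triggers.Count -ne 1 -or $triggers[0].CimClass.CimClassName -ne 'MSFT_TaskLogonTrigger') {
        $problems.Add("expected a single logon trigger, found: $(($triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', ')")
    }

    # Action: one powershell.exe action whose quoted -File argument is our script
    $actions = @($task.Actions)
    if ($actions.Count -ne 1) {
        $problems.Add("expected one action, found $($actions.Count)")
    }
    else {
        $exe = [System.IO.Path]::GetFileName($actions[0].Execute.Trim('"'))
        if ($exe -ne 'powershell.exe') {
            $problems.Add("action executes '$($actions[0].Execute)', expected powershell.exe")
        }
        if ($actions[0].Arguments -match '-File\s+"([^"]+)"') {
            $filePath = $Matches[1]
            if ($filePath -ne $ExpectedScript) {
                $problems.Add("action -File is '$filePath', expected '$ExpectedScript'")
            }
            if (-not (Test-Path -LiteralPath $filePath -PathType Leaf)) {
                $problems.Add("script '$filePath' does not exist")
            }
            # Accept either Program Files directory; ProgramW6432 names the 64-bit one
            # even when this check itself runs in a 32-bit host
            $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) | Where-Object { $_ }
            $underProgramFiles = $false
            foreach ($root in $roots) {
                if ($filePath.StartsWith($root.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                    $underProgramFiles = $true
                }
            }
            if (-not $underProgramFiles) {
                $problems.Add("script '$filePath' is outside Program Files")
            }
        }
        else {
            $problems.Add("no quoted -File argument in '$($actions[0].Arguments)'")
        }
    }

    [pscustomobject]@{ TaskName = $TaskName; Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

$check = Test-TeamsFirewallTask -ExpectedScript (Join-Path $ScriptPath 'Set-TeamsFirewallRules.ps1')
foreach ($p in $check.Problems) { Write-Output "Task check failed: $p" }
if (-not $check.Ok) {
    throw "Scheduled task '$($check.TaskName)' does not match the intended definition"
}
```

Because the expected path is derived from $ScriptPath, this check also catches the bitness mismatch: if the setup ran in a 64-bit host while the task argument was typed in with the (x86) path, the -File comparison fails and the script aborts before the first run instead of leaving a task that points at a file which does not exist.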

Now that we have created the task, we can initiate the first run and close the log file out.

Write-Output "Initiating first run of the Set-TeamsFirewallRules script"
Start-ScheduledTask -TaskName "Set-TeamsFirewallRules" 

Stop-Transcript

With that, we are done with the setup portion. Now on to the Uninstall portion.

Uninstall script

Using the same logging approach as above, we enable logging via the Start-Transcript cmdlet.

$LogPath = 'C:\Logs'
$LogName = $LogPath + "\Remove-TeamsFirewallRule.log"

# Don't assume the setup script's log directory is still there
If ((Test-Path $LogPath) -eq $false)
{
    New-Item -Path $LogPath -ItemType Directory | Out-Null
}

Start-Transcript -Path $LogName -Append
Write-Output "Starting removal process"

Then we set the same script path the setup script used (so the uninstall has to run in the same PowerShell bitness as the setup, or both should spell out the Program Files (x86) path explicitly), unregister the scheduled task first so a logon during the uninstall cannot start the script, remove the files, and finally remove the firewall rules that were created. This fully cleans up everything the script did.

$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules"

Write-Output "Unregistering Task Set-TeamsFirewallRules"

Unregister-ScheduledTask -TaskName "Set-TeamsFirewallRules" -Confirm:$false

Write-Output "Removing $($ScriptPath)"

Remove-Item $ScriptPath -Recurse -Force

Write-Output "Removing firewall rules related to Teams Access"
# -Name *Teams* matches every rule whose Name contains "Teams", whoever created
# it, and the Enabled filter skips rules that have since been disabled. Narrow
# this to the exact name or -Group the Part 2 script uses if other Teams rules
# may exist on your machines.
$TeamsBlock = Get-NetFirewallRule -Name *Teams* | Where-Object {$_.Enabled -eq 'True'}
If ($null -ne $TeamsBlock)
{
    Foreach ($Rule in $TeamsBlock)
    {
        Write-Output "Removing firewall rule $($Rule.DisplayName)"
        Remove-NetFirewallRule -Name $Rule.Name -Confirm:$false
    }
}

Stop-Transcript

And we are done!

We now have a script that will set up the firewall script, build the scheduled task and initiate a first run, as well as a script that will uninstall and remove all the changes.

Now on to Part 4, setting up the Intune piece.

  1. Intro
  2. The actual script
  3. Setup and Uninstall scripts
  4. Intune magic
