Background
This is part 3 of the dealing with the Teams Firewall rules for non admin users. In the first two parts we introduced the issue and also the core script that would do the work. In this part I will show how to write a Setup script that can be run from Intune to initialize the entire process.
Logging:
As with the other scripts, we want to have logging and will leverage the Start-Transcript cmdlet to do this.
$LogPath = 'C:\Logs' $LogName = $LogPath + "\Setup-TeamsFirewallRule.log" If ((Test-Path $LogPath) -eq $false) { New-Item -Path c:\Logs -ItemType Directory } Start-Transcript -Path $LogName -Append
Setup script
Now we want to build the path that the script will be installed to for the task to call and then copy all the files into it.
$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules" Write-Output "Checking for script paths" If ((Test-Path $ScriptPath) -eq $false) { Write-Output "Script path did not exist, building it now $($ScriptPath)" New-Item $ScriptPath -ItemType Directory } Write-Output "Copying Set-TeamsFirewallRules and Uninstall scripts to script path" $Files = Get-ChildItem $PSScriptroot foreach ($File in $Files) { Write-Output "Copying $($file.Name) to $($ScriptPath)" Copy-Item -Path $File.FullName -Destination $ScriptPath }
We are copying these files into the C:\program files(86)\ directory because this path will be write protected. In order to make changes to files in this location you need Local Admin rights. If they were stored in some other location, a malicious actor could modify the scripts to perform anything they wanted and gain control of the machine.
Next step is to create the scheduled task that will initiate the script we created in Part 2.
As we want to have proper versioning capabilities we need to verify that there are no pre-existing scheduled tasks and if so remove them.
#Check for existing task and remove it if it's there If ((Get-ScheduledTask 'Set-TeamsFirewallRules' -ErrorAction SilentlyContinue)) { Write-Output "Found existing task, removing it now..." Unregister-ScheduledTask 'Set-TeamsFirewallRules' -Confirm:$false } Write-Output "Building scheduled task to run the script at logon for each user" $Action = New-ScheduledTaskAction -Execute powershell.exe -Argument '-ExecutionPolicy Bypass -File "C:\Program Files (x86)\YourPath\Scripts\Set-TeamsFirewallRules\Set-TeamsFirewallRules.ps1"' $Trigger = New-ScheduledTaskTrigger -AtLogOn -RandomDelay (New-TimeSpan -Minutes 1) $Principal = New-ScheduledTaskPrincipal "SYSTEM" -RunLevel Highest $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries $Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Description "This will create new Teams firewall rules for each user at logon" Register-ScheduledTask 'Set-TeamsFirewallRules' -InputObject $Task
Now that we have created the task, we can initiate the first run and close the log file out.
Write-Output "Initiating first run of the Set-TeamsFirewallRules script" Start-ScheduledTask -TaskName "Set-TeamsFirewallRules" Stop-Transcript
With that, we are done with the setup portion. Now on to the Uninstall portion.
Uninstall script
Using the same logging feature we have above, we enable logging via the start-transcript cmdlet
$LogPath = 'C:\Logs' $LogName = $LogPath + "\Remove-TeamsFirewallRule.log" Start-Transcript -Path $LogName -Append Write-Output "Starting removal process"
Then we simply set our script path and set it to remove all the files and unregister the scheduled task we created above and then remove all the firewall rules that we created. This will fully clean up everything the script did.
$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules" Write-Output "Removing $($ScriptPath)" Remove-Item $ScriptPath -Recurse Write-Output "Unregistering Task Set-TeamsFirewallRules" Unregister-ScheduledTask -TaskName "Set-TeamsFirewallRules" -Confirm:$false Write-Output "Removing firewall rules related to Teams Access" $TeamsBlock = Get-NetFirewallRule -Name *Teams* | Where-Object {$_.Enabled -eq 'True'} If ($null -ne $TeamsBlock) { Foreach ($Rule in $TeamsBlock) { Write-Output "Disabling blocking firewall rule $($Rule.DisplayName)" Remove-NetFirewallRule $Rule.Name -Confirm:$false } } Stop-Transcript
And we are done!
We now have a script that will setup the firewall script, build the scheduled task and initiate a first run as well as a script that will uninstall and remove all the changes.
Now on to Part 4, setting up the Intune piece.
0 Comments