This is part 3 of the dealing with the Teams Firewall rules for non admin users. In the first two parts we introduced the issue and also the core script that would do the work. In this part I will show how to write a Setup script that can be run from Intune to initialize the entire process.


As with the other scripts, we want to have logging and will leverage the Start-Transcript cmdlet to do this.

$LogPath = 'C:\Logs'
$LogName = $LogPath + "\Setup-TeamsFirewallRule.log"

If ((Test-Path $LogPath) -eq $false)
    New-Item -Path c:\Logs -ItemType Directory

Start-Transcript -Path $LogName -Append

Setup script

Now we want to build the path that the script will be installed to for the task to call and then copy all the files into it.

$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules"

Write-Output "Checking for script paths"
If ((Test-Path $ScriptPath) -eq $false)
    Write-Output "Script path did not exist, building it now $($ScriptPath)"
    New-Item $ScriptPath -ItemType Directory 

Write-Output "Copying Set-TeamsFirewallRules and Uninstall scripts to script path"

$Files = Get-ChildItem $PSScriptroot

foreach ($File in $Files)
    Write-Output "Copying $($file.Name) to $($ScriptPath)"
    Copy-Item -Path $File.FullName -Destination $ScriptPath

We are copying these files into the C:\program files(86)\ directory because this path will be write protected. In order to make changes to files in this location you need Local Admin rights. If they were stored in some other location, a malicious actor could modify the scripts to perform anything they wanted and gain control of the machine.

Next step is to create the scheduled task that will initiate the script we created in Part 2.

As we want to have proper versioning capabilities we need to verify that there are no pre-existing scheduled tasks and if so remove them.

#Check for existing task and remove it if it's there
If ((Get-ScheduledTask 'Set-TeamsFirewallRules' -ErrorAction SilentlyContinue))
    Write-Output "Found existing task, removing it now..."
    Unregister-ScheduledTask 'Set-TeamsFirewallRules' -Confirm:$false

Write-Output "Building scheduled task to run the script at logon for each user"
$Action = New-ScheduledTaskAction -Execute powershell.exe -Argument '-ExecutionPolicy Bypass -File "C:\Program Files (x86)\YourPath\Scripts\Set-TeamsFirewallRules\Set-TeamsFirewallRules.ps1"'
$Trigger = New-ScheduledTaskTrigger -AtLogOn -RandomDelay (New-TimeSpan -Minutes 1)
$Principal = New-ScheduledTaskPrincipal "SYSTEM" -RunLevel Highest
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries 
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Description "This will create new Teams firewall rules for each user at logon" 
Register-ScheduledTask 'Set-TeamsFirewallRules' -InputObject $Task

Now that we have created the task, we can initiate the first run and close the log file out.

Write-Output "Initiating first run of the Set-TeamsFirewallRules script"
Start-ScheduledTask -TaskName "Set-TeamsFirewallRules" 


With that, we are done with the setup portion. Now on to the Uninstall portion.

Uninstall script

Using the same logging feature we have above, we enable logging via the start-transcript cmdlet

$LogPath = 'C:\Logs'
$LogName = $LogPath + "\Remove-TeamsFirewallRule.log"

Start-Transcript -Path $LogName -Append
Write-Output "Starting removal process"

Then we simply set our script path and set it to remove all the files and unregister the scheduled task we created above and then remove all the firewall rules that we created. This will fully clean up everything the script did.

$ScriptPath = $env:ProgramFiles +"\YourPath\Scripts\Set-TeamsFirewallRules"

Write-Output "Removing $($ScriptPath)"

Remove-Item $ScriptPath -Recurse

Write-Output "Unregistering Task Set-TeamsFirewallRules"

Unregister-ScheduledTask -TaskName "Set-TeamsFirewallRules" -Confirm:$false

Write-Output "Removing firewall rules related to Teams Access"
$TeamsBlock = Get-NetFirewallRule -Name *Teams* | Where-Object {$_.Enabled -eq 'True'}
If ($null -ne $TeamsBlock)
    Foreach ($Rule in $TeamsBlock)
        Write-Output "Disabling blocking firewall rule $($Rule.DisplayName)"
        Remove-NetFirewallRule $Rule.Name -Confirm:$false


And we are done!

We now have a script that will setup the firewall script, build the scheduled task and initiate a first run as well as a script that will uninstall and remove all the changes.

Now on to Part 4, setting up the Intune piece.

  1. Intro
  2. The actual script
  3. Setup and Uninstall scripts
  4. Intune magic


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *