2018 – SCCMOG – Deployment Blog

So I’m working on a client site at the moment with a difficult to automate OU structure. Essentially I need to be able to add and get ConfigMgr machine variables easily and without the need of the PowerShell module.

So as we do… I went to google, found a couple of nice hints then though I’d write them into functions to be easily re-used.

The beauty of these functions is they can be run from anywhere in your site or during a task sequence as they use WMI.
This means as long as the account running the script has access to the ConfigMgr site you can play with variables!

Anyway download the most up to date versions of the functions from the SCCMOG GitHub Repo:

Scripts:

#Get-ConfigMgrMachineVariableWMI
#SCCMOG.com Richie Schuster - 27/09/18
#Gets the value of a ConfigMgr Objects Variable
#E.g <Get-ConfigMgrMachineVariable -Siteserver $Siteserver -SiteCode $SiteCode -MachineName TUDOR -VarName "Hello2">
#Returns blank string if not found and value if found.
Function Get-ConfigMgrMachineVariable{
	param(
		[parameter(Mandatory=$true, HelpMessage="Site server FQDN")]
		[ValidateNotNullOrEmpty()]
		[string]$Siteserver,

		[parameter(Mandatory=$true, HelpMessage="SCCM Site Code")]
		[ValidateNotNullOrEmpty()]
		[string]$SiteCode,

		[parameter(Mandatory=$true, HelpMessage="ConfigMgr Machine Object to add Variable to")]
		[ValidateNotNullOrEmpty()]
		[string]$MachineName,

		[parameter(Mandatory=$true, HelpMessage="Variable Name to query for.")]
		[ValidateNotNullOrEmpty()]
		[string]$VarName
	)
    #Set to null
    $objMachineSettings = $null
    #Get machine object from ConfigMgr
    $objComputer = gwmi -computername $($Siteserver) -namespace "root\sms\site_$($SiteCode)" -class "sms_r_system" | where{$_.Name -eq $MachineName}
    #Get settings from ConfigMgr
    $objMachineSettings = gwmi -computername $($Siteserver) -namespace "root\sms\site_$($SiteCode)" -class "sms_machinesettings" | where{$_.ResourceID -eq $objComputer.ResourceID}
    If ($objMachineSettings -ne $null){
        $objMachineSettings.get()
        If ($objMachineSettings.MachineVariables | where{$_.Name -eq "$VarName"}) {
            $variable = (($objMachineSettings.MachineVariables | where{$_.Name -eq "$VarName"}).Value).Trim()
            return $variable
        }
        Else {
            $variable = ""
            return $variable
        }
    }
    else {
        $variable = ""
        return $variable
    }   
}

#Set-ConfigMgrMachineVariableWMI
#SCCMOG.com Richie Schuster - 27/09/18
#Gets the value of a ConfigMgr Objects Variable
#E.g <Set-ConfigMgrMachineVariable -Siteserver ROARY-CM-01 -SiteCode ROR -MachineName TUDOR -VarName Hello2 -VarValue Really -VarMasked $false>
#Sets ConfigMgr Variable - will add a new variable if others already set.
Function Set-ConfigMgrMachineVariable {
	param(
		[parameter(Mandatory=$true, HelpMessage="Site server FQDN")]
		[ValidateNotNullOrEmpty()]
		[string]$Siteserver,

		[parameter(Mandatory=$true, HelpMessage="SCCM Site Code")]
		[ValidateNotNullOrEmpty()]
		[string]$SiteCode,

		[parameter(Mandatory=$true, HelpMessage="ConfigMgr Machine Object to add Variable to")]
		[ValidateNotNullOrEmpty()]
		[string]$MachineName,

		[parameter(Mandatory=$true, HelpMessage="Variable Name")]
		[ValidateNotNullOrEmpty()]
		[string]$VarName,

		[parameter(Mandatory=$true, HelpMessage="Variable Value")]
		[ValidateNotNullOrEmpty()]
		[string]$VarValue,

		[parameter(Mandatory=$false, HelpMessage="Mask variable - `$true or `$false - Default is `$false")]
		[ValidateNotNullOrEmpty()]
		[bool]$VarMasked = $false
	)
    #Set to null
    $objMachineSettings = $null
    #Get machine resource id
    $objComputer = gwmi -computername $($Siteserver) -namespace "root\sms\site_$($SiteCode)" -class "sms_r_system" | where{$_.Name -eq $MachineName}
    #Get SMS Machine Settings Class
    $objSMSMachineSettings = [WmiClass]"\\$($Siteserver)\ROOT\SMS\site_$($SiteCode):SMS_MachineSettings"
    #Get SMS Machine settings Instances
    $objSMSMachineSettings.GetInstances() | Out-Null
    #Get Machine Settings
    $objMachineSettings = gwmi -computername $($Siteserver) -namespace "root\sms\site_$($SiteCode)" -class "sms_machinesettings" | where{$_.ResourceID -eq $objComputer.ResourceID}

    #test if variables already present
    If ($objMachineSettings -ne $null){
        $objMachineSettings.Get()  
        #Get new array index
        if ($objMachineSettings.MachineVariables.length -ne 0){
            $i = 0
            $newVarIndex = $i
            DO {
            $newVarIndex = $i + 1
            $i++
            } While ($i -le $objMachineSettings.MachineVariables.length - 1)
            $newVarIndex
        }
        else {
            $newVarIndex = 0
        }
        #Create the new emty variable
        $objMachineSettings.MachineVariables = $objMachineSettings.MachineVariables += [WmiClass]"\\$($Siteserver)\ROOT\SMS\site_$($SiteCode):SMS_MachineVariable"
        #get array of variables
        $arrayMachineVariables = $objMachineSettings.MachineVariables
        #set new variable
        $arrayMachineVariables[$newVarIndex].name=$varName
        $arrayMachineVariables[$newVarIndex].value=$VarValue
        $arrayMachineVariables[$newVarIndex].ismasked = $VarMasked
    }
    Else {
        #Create Machine instance
        $objMachineSettings = $objSMSMachineSettings.CreateInstance()
        #Create base properties
        $objMachineSettings.psbase.properties["ResourceID"].value = $($objComputer.ResourceID)
        $objMachineSettings.psbase.properties["SourceSite"].value = $($SiteCode)
        $objMachineSettings.psbase.properties["LocaleID"].value = 1033
        #Create empty variable
        $objMachineSettings.MachineVariables = $objMachineSettings.MachineVariables + [WmiClass]"\\$($Siteserver)\ROOT\SMS\site_$($SiteCode):SMS_MachineVariable"
        #get array of variables
        $arrayMachineVariables = $objMachineSettings.MachineVariables
        #set the new variable
        $arrayMachineVariables[0].name=$varName
        $arrayMachineVariables[0].value=$VarValue
        $arrayMachineVariables[0].ismasked = $VarMasked
    }
    # write the variables back to the machine object 
    $objMachineSettings.MachineVariables = $arrayMachineVariables
    #Save the new Variable
    $objMachineSettings.put()
}

So I was setting up a KIOSK environment using Windows 10 1709 for a client recently and we wanted to take the route of applying as few GPOs as possible (as it should be in 2018)!

Ensuring that this stayed disabled was something that we decided to deploy using ConfigMgr Configuration Baselines.

So the Check compliance script is as follows:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-CheckRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-CheckRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

#Set initial values
$TSSet = $True
$RDPTCPSet = $True
$RDPUserinTCPReturn = $True
$RDPUserinUDPReturn = $True
$RDPShadinTCPReturn = $True

#Test fDenyTSConnections state
$TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections
If ($TSReturn -eq 1) {
    $TSSet = $false
}

#Test RDP-TCP State
$RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication
If ($RDPTCPReturn -eq 0) {
    $RDPTCPSet = $false
}

#Get Firewall states
$RDPUserinTCPReturn = (Get-NetFirewallRule -Name $RDPUserinTCP -ErrorAction SilentlyContinue).Enabled
$RDPUserinUDPReturn = (Get-NetFirewallRule -Name $RDPUserinUDP -ErrorAction SilentlyContinue).Enabled
$RDPShadinTCPReturn = (Get-NetFirewallRule -Name $RDPShadinTCP -ErrorAction SilentlyContinue).Enabled

#Evaluate and report
If (!($RDPUserinTCPReturn) -and ($RDPUserinUDPReturn) -and ($RDPShadinTCPReturn) -and ($TSSet) -and ($RDPTCPSet)) {
    Write-Host "Compliant!"
}

##################################################################################################################

Ok, so now the check script is out the way, here is the remediation script:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-RemediateRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-RemediateRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

#Remediate and Block RDP
Set-ItemProperty $TSRegPath -Name $TSRegProperty -Value 1 -Force
Set-ItemProperty $RDPTcpRegPath -Name $RDPTcpRegProperty -Value 0 -Force
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

#The End :)
##################################################################################################################

As Always scripts are as is, and if you do use them remeber where you got them from 😉

If you would like to see the setup of this baseline let me know in the comments below.

Cheers,

SCCMOG

Tag: 2018

Get and Set ConfigMgr Machine Variables with WMI and PowerShell Functions

Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM