2

I have a PowerShell script that I need to run once on all computers in my Active Directory domain. A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines. However, the script needs to run as administrator because of the registry values being modified. Also, per our security department, we cannot change the ExecutionPolicy on these devices.

Is there any way to get this script to run?

# Map HKEY_CLASSES_ROOT as a PSDrive so Test-Path / Remove-Item can address it
New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR
$regKey = 'ms-msdt'
$saveFolder = 'C:\Temp\'
$savePath = $saveFolder + 'CVE-2022-30190.reg'
$PSRegPath = 'HKCR:\' + $regKey   # PowerShell provider path (with colon)
$CMDRegPath = 'HKCR\' + $regKey   # reg.exe path (no colon)
if (Test-Path $PSRegPath)
{
    if (!(Test-Path $saveFolder))
    {
        # was: New-Item -Path $folder ... ($folder was never defined)
        New-Item -Path $saveFolder -ItemType Directory
    }
    # Back up the key with reg.exe before removing it; /y overwrites an existing file
    reg export $CMDRegPath $savePath /y
    Remove-Item -Path $PSRegPath -Recurse -Force
}

This script backs up a registry entry before deleting it, as recommended by the Microsoft mitigation workaround for CVE-2022-30190.

Sam Erde
  • 3,549
CMS
  • 31

2 Answers

4

Create a GPO and execute the script in the system context during boot or shutdown (see "Computer setting > Windows Settings > Scripts (Startup/Shutdown)"). Startup/Shutdown scripts have the needed privileges.

The PowerShell executable provides an -ExecutionPolicy parameter that allows you to bypass the global Execution Policy. This can be used in combination with -Command:

  1. Call PowerShell as the script to run in the GPO.
  2. Put everything else into the parameters field: -ExecutionPolicy "bypass" -NoProfile -Command "...." to bypass the general PSH Execution Policy.

The "..." part might be an inline { Script Block } or point to a .ps1 file on your network (the usual way). You can also pass needed parameters to the .ps1 script (if any).

Examples (you can try out the whole command, before using it in a GPO, by simply running it in cmd.exe or PowerShell with admin privileges):

Powershell -ExecutionPolicy "bypass" -NoProfile -Command "\\contoso.com\dfs\script\foo.ps1"
Powershell -ExecutionPolicy "bypass" -NoProfile -Command "\\contoso.com\dfs\script\foo.ps1 -SwitchOne:$True -Langs @('de-de', 'en-us') -Verbose"

Checking whether something has to be done (= run once) should be implemented in your script's logic; simply exit if there is nothing to do. Remove the GPO a few weeks or months later, after you have ensured all clients have booted and applied the change.

1

You can deploy the script as a Computer setting using Windows Settings > Scripts (Startup/Shutdown).

These scripts will run in the system context and not the user's. To limit this to only running once, you can add a little bit of logic in the script to check for the existence of the registry data.

[Screenshot: the Group Policy editor opened to the Startup scripts settings]

Sam Erde
  • 3,549
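A fuller version of the run-once startup script that both answers describe, added here as an example; it is not the asker's script and not code from either answerer. The key name and the export-then-delete sequence follow the question. The SYSVOL path, the log file, the backup file name and the parameter names are assumptions. Compared with the original script it refuses to delete the key unless the backup actually landed on disk, and it exits early when the key is already gone, so the GPO can stay in place until every machine has booted.

```powershell
# Added example (not from the question or either answer). Assumed names: the
# SYSVOL script path, backup directory, log file and parameter names are
# placeholders for illustration.
#
# GPO: Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)
#   Script Name: powershell.exe
#   Parameters : -NoProfile -NonInteractive -ExecutionPolicy Bypass -File \\contoso.com\SysVol\contoso.com\scripts\Remove-MsMsdt.ps1
#
# -ExecutionPolicy Bypass only sets the Process scope; nothing is persisted on the
# machine. It does NOT win against a policy enforced by the "Turn on Script
# Execution" GPO setting (MachinePolicy scope takes precedence), so check that first.

[CmdletBinding()]
param(
    [string]$KeyName   = 'ms-msdt',
    [string]$BackupDir = 'C:\Temp',
    [string]$LogFile   = (Join-Path $BackupDir 'Remove-MsMsdt.log')
)

$ErrorActionPreference = 'Stop'

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Verbose $line
}

# Startup scripts get a fresh SYSTEM session with no HKCR: drive, but guard the
# mapping so the script can also be re-run interactively without throwing.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -PSProvider Registry -Root HKEY_CLASSES_ROOT -Name HKCR | Out-Null
}

$psKey  = "HKCR:\$KeyName"     # provider path for Test-Path / Remove-Item
$regKey = "HKCR\$KeyName"      # reg.exe path, no colon
$backup = Join-Path $BackupDir ('CVE-2022-30190-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path $BackupDir)) {
    New-Item -Path $BackupDir -ItemType Directory | Out-Null
}

# Run-once check: the absence of the key is the marker that the work was done.
if (-not (Test-Path $psKey)) {
    Write-Log "$regKey not present; nothing to do."
    exit 0
}

# Export with reg.exe (/y overwrites an existing file). Verify the exit code AND
# that a non-empty file exists before touching the key, so a failed backup never
# turns into an unrecoverable delete.
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup) -or (Get-Item $backup).Length -eq 0) {
    Write-Log "Backup of $regKey to $backup failed (reg.exe exit code $LASTEXITCODE); key left in place."
    exit 1
}

Remove-Item -Path $psKey -Recurse -Force
Write-Log "Removed $regKey after backing it up to $backup."
exit 0
```

Two points worth keeping in mind when wiring this into the GPO. The startup script runs as SYSTEM and reaches the network as the computer account, so the .ps1 must live on a share that Domain Computers can read; SYSVOL already is, an arbitrary DFS share may not be. The example uses -File rather than the -Command form shown above so that the script's own exit codes become the powershell.exe exit code, which makes failed runs visible in the log rather than silently succeeding.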