How To Enable System Protection On All User Machines on A Domain using Windows PowerShell.

Hello guys, today I'm going to create an automated script to enable System Protection on the "C" drive (C:\), which is the task I have been assigned. Running a script via the domain is something critical, because every user machine is affected by whatever changes the script makes. So first of all, let's see what the steps are to achieve this goal.

As a condition, I have to configure the script to check at each logon whether System Protection is enabled. So now let's make a plan.

  • What type of script is possible for this task.
  • How to write the script according to the selected type.
  • How to run the script on the domain user machines.

These are the basic steps to achieve the goal. Let's go through them one by one.

What type of script is possible for this task

I searched most of the sites for ways to enable System Protection via a .bat file, a .vbs file or a .ps1 file. I realized a PowerShell script was the best way to handle this, because PowerShell has built-in commands to enable System Protection.

How to write the script according to the selected type

When I tried to write the script I ran into a problem: how to check whether System Protection is already enabled or not. The solution I found to overcome this problem is actually a batch script. That batch script checks whether a particular registry value is "0" or "1" (HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> SystemRestore).

Image

According to the figure given above we have to check the RPSessionInterval value in the registry, so I wrote this batch file to check the registry value.

Image

After checking the registry value: if the value equals zero, the batch file executes the PowerShell script that enables System Protection; if it is one, the program exits saying "System Protection Already Enabled on Your System Drive".

Following that batch script, here is the PowerShell script called "RunAdmin.ps1":

Image

This script opens an administrative PowerShell window to run the commands, because some of the PowerShell commands must be run from an elevated prompt.

Image

This command is executed at the administrative prompt. Then System Protection will be enabled on the C:\ drive.
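As an added example (not the author's batch file or RunAdmin.ps1), here is the same three-step flow written as one PowerShell script: read the RPSessionInterval value the post describes, relaunch elevated if needed, run Enable-ComputerRestore, and then re-read the registry to confirm the change actually took. The log path, the exit codes and the Write-Log helper are my own assumptions; the registry key and value name are the ones the post refers to.

```powershell
# Added example: check, elevate, enable and verify System Protection on C:\ in one script.
# Assumed: Windows PowerShell 5.x on a domain-joined client; log path is an assumption.

$Drive   = 'C:\'
$SrKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$LogPath = 'C:\Windows\Temp\EnableSystemProtection.log'   # assumed location

function Write-Log {
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line -ErrorAction SilentlyContinue
    Write-Output $line
}

function Test-SystemProtectionEnabled {
    # RPSessionInterval is 0 when System Restore is off and 1 when it is on;
    # this is the value the post's batch file reads.
    $item = Get-ItemProperty -Path $SrKey -Name RPSessionInterval -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.RPSessionInterval -eq 1)
}

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-SystemProtectionEnabled) {
    Write-Log "System Protection already enabled on your system drive ($Drive). Nothing to do."
    exit 0
}

if (-not (Test-IsElevated)) {
    # Relaunch this same file in an elevated PowerShell (what the post's RunAdmin.ps1 does).
    # -ExecutionPolicy Bypass here applies to this one process only, so the
    # machine-wide policy does not have to be changed for the script to run.
    Write-Log "Not elevated; relaunching with administrative rights."
    $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -Wait -PassThru
    exit $proc.ExitCode
}

try {
    # Enable-ComputerRestore is the built-in cmdlet that turns System Protection on for a drive.
    Enable-ComputerRestore -Drive $Drive -ErrorAction Stop
    Write-Log "Enable-ComputerRestore succeeded for $Drive."
} catch {
    Write-Log "Enable-ComputerRestore failed: $($_.Exception.Message)"
    exit 1
}

# Re-read the registry so the reported result reflects the machine state, not just the cmdlet call.
if (Test-SystemProtectionEnabled) {
    Write-Log "Verified: System Protection is now enabled on $Drive."
    exit 0
} else {
    Write-Log "Warning: cmdlet returned, but RPSessionInterval is still not 1."
    exit 2
}
```

Two things to keep in mind when wiring this into a logon script: the Start-Process -Verb RunAs branch raises a UAC prompt, so for a standard (non-admin) user the script cannot elevate silently; if the run has to be unattended, a computer startup script or a scheduled task running as SYSTEM avoids that prompt. The final registry re-read is what turns "the command ran" into "the setting is actually on", and the distinct exit codes let the GPO or a monitoring tool tell the three outcomes apart.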

How to run the script on the domain user machines

In this section I am going to show you how to run these scripts at user logon. But PowerShell scripts need special permission to run, because script execution is blocked by default on each machine unless someone has changed the configuration. The default setting can be seen with the "Get-ExecutionPolicy" command in a PowerShell window.

Image

You will see the output Restricted. So what we need to do is set the execution policy to enable script execution. If we don't enable it, we get an error like this:

Image

So I tried to set the execution policy via Group Policy Management, but again I ran into a problem: I was getting warnings before the PowerShell script ran.

There are six execution policies in PowerShell (the options are shown below):

  1. Restricted: execution of all scripts is disabled.
  2. AllSigned: execution of signed scripts only is enabled.
  3. RemoteSigned: execution of local scripts and signed remote scripts is enabled.
  4. Unrestricted: execution of all scripts is enabled, but with warnings.
  5. Bypass: execution of all scripts is enabled, without warnings.
  6. Undefined: the current execution policy remains in effect.

Given these execution policies we can only enable AllSigned, RemoteSigned and local scripts. But unfortunately, even if we enable AllSigned there will be a warning message, so the user has to answer the warning manually.

Image

To overcome this problem I found a solution via PSRemoting. PSRemoting is one of the major remote management tools in PowerShell. It can be used to change the configuration of remote machines by executing PowerShell commands on them. If all our machines are in one domain it is easy to set the configuration, so I changed the execution policy to the Bypass option on all machines in the domain.

Here are the steps I followed to set the execution policy to Bypass. First of all we need to enable WinRM (Windows Remote Management) via GPO while allowing traffic to port 5985 on the firewall. The WinRM GPO setting is located at { Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management -> WinRM Service }; select Allow automatic configuration of listeners.

Image

Under listeners you will see IPv4 and IPv6 filter options; you can specify particular IP addresses if you have them, otherwise you can use "*" to allow all IP addresses.

Then go to the firewall settings in the GPO and add a firewall rule to enable traffic on port 5985 at { Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile -> Define inbound port exceptions }, like { 5985:TCP:*:enabled:WSMan }.

Finally, after all those steps, run the gpupdate command from cmd to update the group policy on the domain.

Now our next target is to set the Bypass execution policy on all user machines. To achieve that we have to take the machine list from Active Directory Users and Computers on the server. Under the Action menu in AD Users and Computers we can export the machine list as a text (.txt) file and save it to a particular location.

As the next step we can run the PSRemoting command to set the Bypass option for the execution policy. Here is the command, which reads the exported text (.txt) file (on my machine the test file is in "C:\Users\Test\Desktop\"):

invoke-command -cn (Get-Content "C:\Users\Test\Desktop\testMachines.txt") -scriptblock {Set-executionpolicy ByPass}

Give this command a moment to run, then check the execution policy via the Get-ExecutionPolicy command; you will see that the execution policy has already been set to the ByPass option. Here is the command:

invoke-command -cn (Get-Content "C:\Users\Test\Desktop\testMachines.txt") -scriptblock {Get-executionpolicy }
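The two one-liners above set the policy and then read it back, but they do not say which machines answered, which ones already had a different policy, or which ones refused the change. As an added example (my code, not the author's), here is the same fan-out with per-machine before/after reporting and a list of hosts that never responded. It assumes WinRM is already enabled by the GPO described above, that the caller is a domain admin, and the machine-list path from the post.

```powershell
# Added example: set and verify the execution policy on every machine in the exported AD list,
# reporting results per host. Assumes WinRM/5985 is open via GPO and the caller is a domain admin.

$MachineList = 'C:\Users\Test\Desktop\testMachines.txt'   # path from the post
$Policy      = 'Bypass'                                   # the post's chosen policy

# AD exports often contain blank lines and trailing whitespace; drop them.
$Computers = Get-Content -Path $MachineList |
             ForEach-Object { $_.Trim() } |
             Where-Object { $_ -ne '' }

$Results = Invoke-Command -ComputerName $Computers `
                          -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors `
                          -ArgumentList $Policy -ScriptBlock {
    param($Policy)
    $before  = Get-ExecutionPolicy -Scope LocalMachine
    $failure = $null
    try {
        # -Force suppresses the confirmation prompt, which cannot be answered in a remote session.
        # If a GPO already defines the policy, Set-ExecutionPolicy throws; report it rather than lose it.
        Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope LocalMachine -Force -ErrorAction Stop
    } catch {
        $failure = $_.Exception.Message
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Before    = $before
        After     = Get-ExecutionPolicy -Scope LocalMachine
        Effective = Get-ExecutionPolicy          # the policy a script on this host actually gets
        Error     = $failure
    }
}

# Hosts missing from the results never answered (offline, WinRM not yet configured, firewall).
$Answered    = @($Results | ForEach-Object { $_.PSComputerName })
$Unreachable = $Computers | Where-Object { $_ -notin $Answered }

$Results | Sort-Object Computer | Format-Table Computer, Before, After, Effective, Error -AutoSize
if ($Unreachable) {
    Write-Warning ("Unreachable: " + ($Unreachable -join ', '))
    # $RemoteErrors holds the underlying WinRM error for each of them.
}
```

The Effective column matters because the LocalMachine value is not always what runs: a GPO-defined policy or a CurrentUser setting takes precedence, and in that case Set-ExecutionPolicy reports an error instead of quietly doing nothing. Note also that a machine-wide Bypass removes the execution-policy check for every script on those hosts, while passing -ExecutionPolicy Bypass on the powershell.exe command line of the logon script limits the bypass to that one process; which of the two you want depends on how much else runs on those machines.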

After all these steps you can add the scripts to logon execution via GPO; then, when users log on, you will see that System Protection has been automatically enabled on all user machines.

Thank You.
