{"id":2849,"date":"2019-02-06T12:49:03","date_gmt":"2019-02-06T10:49:03","guid":{"rendered":"http:\/\/blog.hosebei.ch\/?p=2849"},"modified":"2019-02-06T12:49:03","modified_gmt":"2019-02-06T10:49:03","slug":"intune-deploy-required-user-settings-to-windows-10-with-powershell","status":"publish","type":"post","link":"https:\/\/blog.hosebei.ch\/?p=2849","title":{"rendered":"Intune – Deploy required user settings to Windows 10 with powershell"},"content":{"rendered":"

In this blog I would like to describe, how I managed to set required user settings to Windows 10.
\nSince I still do have an On-Premises environment, in which also File Servers reside and a DFS Namespace is still up and running, I wanted to make sure to get the advantages of using the local network.
\nSo here are my two use-cases to solve:
\n1. Add a Network location for the DFS Path if the user is logged on On-Premises
\n2. Modify the local “host” file, to redirect the workfolder clients to the file server internally
\n<\/p>\n

With this goals to achieve given, it was quite clear: It’s scripting time again *happy*
\nSo I decided to create a single script, which I can use for both tasks. This means I need to check, if a user is running the script, or if it’s in System context. Due to the fact that the DFS link resides within the user profile, the script needs to run in user context. On the other hand the host file requires Admin permission for modifications. This is great, because within Intune, we can easily select, if the script should run in user or system context:
\n\"\"<\/a>
\nMy solution to check if the script is running in system or in user context is the following line (I will provide the whole script at the end):
\n\"\"<\/a><\/p>\n

And the second important question is: Am I on the local network? For this, I simply check if I can reach port 389 of a known Domain Controller in my network:
\n\"\"<\/a><\/p>\n

With that is set, I was able to go ahead and define the settings that should get applied.
\nThe first setting was creating a Network Location within Windows explorer if the domain controller is reachable, and if the DC is not reachable to remove the Link. For the creation of the Network location, I found a very nice function of Tom White on the TechNet Gallery:
\nAdd-NetworkLocation – A function to create an advanced network location<\/a><\/p>\n

Im simply took this function and implemented it in my script.
\nThe following section creates the link if a DC is available, or it deletes the link:
\n\"\"<\/a><\/p>\n

This will cover the user settings. Now it’s up to the Host file. For modifying the host file, I have to make sure that the script is running in System Context, as it requires Administrative permission.
\nFor adding or removing lines to the host file, I’m using those two functions (be aware, the search string is hard-coded):
\n\"\"<\/a><\/p>\n

So I then need only to trigger the correct function:
\n\"\"<\/a><\/p>\n

All is done for the script (again, for better readability of the blog, I post the whole script at the end), and I can go ahead, and test the solution through Intune. Just create a PowerShell configuration twice with the same script, where you configure one script running in user context, and the other in system context. I created a Azure AD security group and added my test machine to the group, this group I then used for both PowerShell Configuration Profiles.<\/p>\n

And everything worked great:
\n\"\"<\/a><\/p>\n

So the first step of creating a script which does the job is done. Next up would be to deploy the script to the clients, because the Intune configuration would only run the script once. I’m thinking about to create a Script, which creates two scheduled tasks, one for the user and one for the system. The scheduled tasks would then be configured to run at user logon. But I am not sure about this yet, but I’m quite sure that I will create a blog about the final solution.<\/p>\n

And here is the whole script:
\nFunction Check-DCAvailable {
\n param(
\n [Parameter(Position=0,mandatory=$true)][string]$DCToCheck
\n )
\n #Check if DC is available on LDAP
\n $LDAPTestResult = $null
\n $LDAPTestResult = Test-NetConnection -ComputerName $LocalDomainController -Port 389 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
\n if($LDAPTestResult.TcpTestSucceeded -ne $true) {
\n Write-Host (\"Domaincontroller was not answering: \" + $LocalDomainController) -ForegroundColor Yellow
\n return $false
\n }
\n else {
\n return $true
\n }
\n}<\/p>\n

function Remove-HostFileWorkFolderEntry {
\n $hostFile = ($env:SystemRoot + \"\\System32\\drivers\\etc\\hosts\")
\n $hostFileContent = Get-Content -Path $hostFile
\n $hostFileContent = $hostFileContent | foreach{if(($_ -like \"*workfolders.hosebei.ch*\") -eq $true) { Write-Host $_ } else {$_}}
\n $hostFileContent | Out-File $hostFile -enc ascii<\/p>\n

}<\/p>\n

function Add-HostFileWorkFolderEntry {
\n $hostFile = ($env:SystemRoot + \"\\System32\\drivers\\etc\\hosts\")
\n $hostFileContent = Get-Content -Path $hostFile
\n if(($hostFileContent -contains \"workfolders.hosebei.ch\") -ne $true) {
\n $hostFileContent = $hostFileContent + \"192.168.1.166\t\tworkfolders.hosebei.ch\"<\/p>\n

}
\n $hostFileContent | Out-File $hostFile -enc ascii<\/p>\n

}<\/p>\n

function Add-NetworkLocation<\/p>\n

{
\n [CmdLetBinding()]
\n param
\n (
\n [Parameter(Mandatory=$true)][string]$networkLocationPath,
\n [Parameter(Mandatory=$true)][string]$networkLocationName ,
\n [Parameter(Mandatory=$true)][string]$networkLocationTarget
\n )
\n Begin
\n {
\n Write-Verbose -Message \"Network location path: `\"$networkLocationPath`\".\"
\n Write-Verbose -Message \"Network location name: `\"$networkLocationName`\".\"
\n Write-Verbose -Message \"Network location target: `\"$networkLocationTarget`\".\"
\n Set-Variable -Name desktopIniContent -Option ReadOnly -value ([string]\"[.ShellClassInfo]`r`nCLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}`r`nFlags=2\")
\n }
\n Process
\n {
\n Write-Verbose -Message \"Checking that `\"$networkLocationPath`\" is a valid directory...\"
\n if(Test-Path -Path $networkLocationPath -PathType Container)
\n {
\n try
\n {
\n Write-Verbose -Message \"Creating `\"$networkLocationPath\\$networkLocationName`\".\"
\n [void]$(New-Item -Path \"$networkLocationPath\\$networkLocationName\" -ItemType Directory -ErrorAction Stop)
\n Write-Verbose -Message \"Setting system attribute on `\"$networkLocationPath\\$networkLocationName`\".\"
\n Set-ItemProperty -Path \"$networkLocationPath\\$networkLocationName\" -Name Attributes -Value ([System.IO.FileAttributes]::System) -ErrorAction Stop
\n }
\n catch [Exception]
\n {
\n Write-Error -Message \"Cannot create or set attributes on `\"$networkLocationPath\\$networkLocationName`\". Check your access and\/or permissions.\"
\n return $false
\n }
\n }
\n else
\n {
\n Write-Error -Message \"`\"$networkLocationPath`\" is not a valid directory path.\"
\n return $false
\n }
\n try
\n {
\n Write-Verbose -Message \"Creating `\"$networkLocationPath\\$networkLocationName\\desktop.ini`\".\"
\n [object]$desktopIni = New-Item -Path \"$networkLocationPath\\$networkLocationName\\desktop.ini\" -ItemType File
\n Write-Verbose -Message \"Writing to `\"$($desktopIni.FullName)`\".\"
\n Add-Content -Path $desktopIni.FullName -Value $desktopIniContent
\n }
\n catch [Exception]
\n {
\n Write-Error -Message \"Error while creating or writing to `\"$networkLocationPath\\$networkLocationName\\desktop.ini`\". Check your access and\/or permissions.\"
\n return $false
\n }
\n try
\n {
\n $WshShell = New-Object -ComObject WScript.Shell
\n Write-Verbose -Message \"Creating shortcut to `\"$networkLocationTarget`\" at `\"$networkLocationPath\\$networkLocationName\\target.lnk`\".\"
\n $Shortcut = $WshShell.CreateShortcut(\"$networkLocationPath\\$networkLocationName\\target.lnk\")
\n $Shortcut.TargetPath = $networkLocationTarget
\n $Shortcut.Description = \"Created $(Get-Date -Format s) by $($MyInvocation.MyCommand).\"
\n $Shortcut.Save()
\n }
\n catch [Exception]
\n {
\n Write-Error -Message \"Error while creating shortcut @ `\"$networkLocationPath\\$networkLocationName\\target.lnk`\". Check your access and permissions.\"
\n return $false
\n }
\n return $true
\n }
\n}<\/p>\n

#-----------------------------
\n#Main Script
\n#Variables
\n$LocalDomainController = \"hosebeidc02.deheim.hosebei.ch\"<\/p>\n

#Determine if Script was started with system
\n$bSystemContext = ([Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem<\/p>\n

if($bSystemContext -eq $false) {
\n #Execute User Section<\/p>\n

#Create Network Links
\n if(Check-DCAvailable($LocalDomainController)) {
\n #DC was found, we can assume getting a kerberos ticket for accesing SMB shares
\n Write-Host (\"Connecting network locations\") -ForegroundColor Green<\/p>\n

#test if Hosebei DFSlink is existent, if not, create it
\n Write-Host (\"Connecting Hosebei DFS\") -ForegroundColor Green
\n if((Test-Path -Path \"$env:APPDATA\\Microsoft\\Windows\\Network Shortcuts\\Hosebei DFS\") -ne $true) {
\n $null = Add-NetworkLocation -networkLocationPath \"$env:APPDATA\\Microsoft\\Windows\\Network Shortcuts\" -networkLocationName \"Hosebei DFS\" -networkLocationTarget \"\\\\deheim.hosebei.ch\\hosebeiDFSroot\"
\n }
\n }
\n else {
\n #Remove existing Links
\n Write-Host (\"Removing network locations\") -ForegroundColor Yellow<\/p>\n

#test if Hosebei DFSlink is existent, if true, remove it
\n Write-Host (\"Remove Hosebei DFS Link due to no DC Access\") -ForegroundColor Yellow
\n if((Test-Path -Path \"$env:APPDATA\\Microsoft\\Windows\\Network Shortcuts\\Hosebei DFS\") -eq $true) {
\n Remove-Item -Path \"$env:APPDATA\\Microsoft\\Windows\\Network Shortcuts\\Hosebei DFS\" -Force -Recurse
\n }
\n }
\n}
\nelse {
\n #execute system Section<\/p>\n

#Modify host file for Workfolder access
\n #Get HostFile
\n $hostFile = ($env:SystemRoot + \"\\System32\\drivers\\etc\\hosts\")
\n $hostFileContent = Get-Content -Path $hostFile
\n if(Check-DCAvailable($LocalDomainController)) {
\n #DC was found, we can directly access the file server
\n Add-HostFileWorkFolderEntry
\n }
\n else {
\n #No DC was found, we need to sync workfolders through the azure ad app proxy
\n Remove-HostFileWorkFolderEntry
\n }
\n}
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

In this blog I would like to describe, how I managed to set required user settings to Windows 10. Since I still do have an On-Premises environment, in which also File Servers reside and a DFS Namespace is still up and running, I wanted to make sure to get the advantages of using the local […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,7,12,17,19,22,24,27,29,32,43],"tags":[],"class_list":["post-2849","post","type-post","status-publish","format-standard","hentry","category-application-management","category-azure-ad","category-client-settings","category-emm","category-general","category-intune","category-mdm","category-operating-system-deployment","category-powershell","category-remote-workplace","category-windows-10"],"_links":{"self":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2849","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2849"}],"version-history":[{"count":0,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2849\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}