├── .gitignore ├── Pax8 Invoice Analysis for Azure, AVD, Nerdio ├── Invoice-Analysis.ps1 ├── README.md └── SAMPLE-Company-Specific-Functions.ps1 ├── README.md ├── Remove N-Central Agent ├── README.md └── Remove-N-Central-Agent.ps1 ├── ScreenConnect Self-Hosted LetsEncrypt Certs ├── BindNewScreenConnectCert.cmd └── README.md ├── ScreenConnect Server └── Upgrade-ScreenConnect-Server.ps1 ├── Windows-Security-Hardening ├── Disable-PowerShell-V2.ps1 ├── Harden-Security-Windows-Registry.ps1 └── README.md └── immy.bot Scripts ├── DefensX Agent ├── DefensXDynamicVersions.ps1 ├── DefensXShield.png ├── DefensXSilentInstall.ps1 ├── README.md └── assets │ ├── screenshot_Deploying Defen_Image-1.png │ ├── screenshot_Deploying Defen_Image-2.png │ ├── screenshot_Deploying Defen_Image-3.png │ ├── screenshot_Deploying Defen_Image-4.png │ └── screenshot_Deploying Defen_Image.png └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | *.plist 2 | .DS_Store 3 | *.fossil 4 | .Ulysses* 5 | *.fossil 6 | -------------------------------------------------------------------------------- /Pax8 Invoice Analysis for Azure, AVD, Nerdio/Invoice-Analysis.ps1: -------------------------------------------------------------------------------- 1 | <# Invoice-Analysis.ps1 for Pax8 Invoice CSVs for Nerdio, Azure, and CloudJumper (retired) cost analysis 2 | 3 | # HOW TO USE: 4 | ## Prerequisites 5 | - Script should be in its own folder 6 | - Inside the folder, create a subfolder named "invoices" and put a CSV file from Pax8 (Billing, Invoices tab, "CSV" download button in Actions column for each month) into the folder. 7 | - If you need to noramlize/transform one company/ID to another from the source Pax8 files to your reports, copy `SAMPLE-Company-Specific-Functions.ps1` to remove the `SAMPLE-` prefix and 8 | edit with your changes. 9 | - When running the script, it should have permissions to create folders in the current folder, and write files into the subfolder. 10 | - This script has only been tested with PowerShell 7.4, though it may work with other versions. 11 | 12 | The reason for the `Company-Specific-Functions.ps1` script is because we've encountered the following cases where we need to normalize data for our reports: 13 | - Pax8 wasn't set up to assign certain licenses from our internal company to the correct one initially and the reporting will forever be 14 | incorrect in the Pax8 file, so we adjust. 15 | - Two companies merged into one and we want the report to reflect totals as if all historical billing were for one of the two companies. 16 | 17 | If you don't need to make adjustments like this, you can ignore this file as the script checks to see if it exists, and also checks to confirm 18 | that the `Normalize-Row-Data` function exists (from that file) before calling it, so it will run fine without. The function, if it does exist, 19 | directly accesses the current $row values from the main script for comparisons, and then updates the original variables $companyName and $companyID 20 | from that loop iteration (by using $script:companyName and $script:companyID to access the variables from the script scope); there are no variables 21 | passed to or from the script. This isn't neceessarily the cleanest code, but it was the simplest way to extract the code with customer names out 22 | of the main script to make it sharable, providing an example for you to use, and making its use optional if you don't need it. 23 | 24 | ## Running The Script 25 | Once all prerequisites are good to go, inside the script folder from a pwsh PowerShell prompt, run the script: 26 | 27 | `./Invoice-Anslysis.ps1` 28 | 29 | You can optionally provide command-line arguments to override some of the settings, if desired, with these named arguments (all optional with solid defaults): 30 | - CsvFolderPath 31 | - OutputPath 32 | - OutputFile 33 | - RawOutputFile 34 | 35 | You can also pass the -Verbose switch to substantially increase the detail output to the screen during the run for diagnostic purposes. 36 | 37 | By default, the script will validate that the "invoices" subfolder exists, will create (if it doesn't exist) a subfolder named yyyy-MM based on the date you're 38 | running the script, will loop through all the invoice .csv files in the "invoices" subfolder, perform it's analysis, and create two output files in the 39 | yyyy-MM folder, one named "analysis_raw.csv" and the other named "analysis.csv". If you pass different values to the parameters, the outputs will change. 40 | 41 | See the param() block at the start of the code for the default values and the formatting of the argument inputs. 42 | 43 | The `analysis.csv` file will contain one line per client-month with these columns (definitions in parentheses): 44 | - company_name (the client's name from the Pax8 file, or as modified/transformed in your normalization) 45 | - subtotal (the retail price subtotal of matching lines for the billing period from the Pax8 file) 46 | - cost_total (same as subtotal but the sum of cost_total instead rather than price) 47 | - margin (the difference between subtotal and cost_total columns) 48 | - start_period (always the FIRST day of the month for the period in which all charges in that line were pulled from in the Pax8 .csv files) 49 | 50 | The `analysis_raw.csv` file should basically have the lines from the original Pax8 .csv invoice files, but filtered to be only the ones that were used in 51 | calculating the analysis.csv data. 52 | 53 | The items that are included in the analysis should be, if any: 54 | - Azure arrears-billable consumption items, including Reserved Instances 55 | - Microsoft subscription Windows licensing 56 | - Nerdio licensing 57 | - CloudJumper licenses (this service, purchased by NetApp, no longer exists but a client used to use it before moving to AVD) 58 | 59 | All lines with a `subtotal` field equal to $0 will be skipped/excluded since it doesn't affect the totals. You can find the line of the script where 60 | `$filteredData` is defined to adjust your own version of which SKUs from the Pax8 invoices file will be included or not if you need to see or 61 | customize this for your purposes. 62 | 63 | ## How We Analyze Further 64 | 65 | We take the output and open the two resulting .csv files from the subfolder in Excel and Save As .xlsx files in the same folder, to make saving formatting 66 | and updates easier. 67 | 68 | It's not yet provided with sample data, but we take the resulitng `analysis.csv` file and use it to build a pivot table in Excel, where we add new lines each month 69 | and have the following additional columns we add to the five in `analysis.csv` which we then save as the file `new_analysis-thru-yyyy-MM.xlsx` in the same folder: 70 | - retail_price (we manually update the price these items were sold to the client from their invoice to this column of the spreadsheet) 71 | - margin_from_price_vs_cost (calculated value of the retail_price column minus the cost_total column, for us the Excel formula is `=F2-C2`) 72 | - margin_percent (calculated value of margin_from_price_vs_cost divided by the retail_price column (for us the Excel formula is `=G2/F2`)) 73 | - invoice_month (calculated MONTH function value of the start_period value, for us the Excel formula is `=MONTH(E2)`) 74 | - invoice_year (calculated YEAR function value of the start_period value, for us the Excel formula is `=YEAR(E2)`) 75 | - invoice_yearmonth (calculated zero-padded yyyy-MM value string from the invoice_year and invoice_month columns, for us the Excel formula is `=J2 & "-" & TEXT(I2,"00")`) 76 | 77 | From here, we can create or update two pivot tables with the above data as the source. The outcome is a pivot table with columns for client name, 78 | margin % average, total margin, total cost, and invoiced price, and a tree of rows we can expand and subtotal by client, year, or month. There are 79 | not currently samples of these additional fields or the pivot tables with sample data that have been created, so they're left as an exercise to 80 | the reader in the initial release. You can do whatever other analysis you wish, this is just how we use it so we can have a repeatable/updated 81 | process to get updated information regularly. 82 | 83 | # VERSION HISTORY: 84 | ## V9 is a complete refactor of V8 on 2023-12-05 that changes the following (original version details not tracked): 85 | - Reads in all invoice*.csv files at once to one large array. 86 | - Filters the data using a hash that combines the company name and the Start Period date (SP_ID) as the key. 87 | - Moves the company_name to be a separate field in the output since the key is no longer just company name. 88 | - All final analysis output is based on the actual month in which an individual charge was for, regardless of invoice. 89 | - Loses the name of the invoice file in the output but it isn't relevant for the final analysis. 90 | - Data can be copied to an Excel spreadsheet with pivot table that pulls some date info out and collects invoice amounts. 91 | - Removes the need for the Invoice-More-Summary.ps1 script to do further processing since the above replaces it. 92 | - Removes the redundant assignment of $results to $allResults since there's no looping through CSVs now to collect. 93 | - Removes multiple += array operator usages and increases performance. 94 | 95 | ## V10 is a minor tweak of V9 on 2023-12-06 that changes the following: 96 | - Removes old debug comments to clean up code. 97 | - Sets defaults for parameters after moving invoices around, also changes parameter names. 98 | - Fixes parsing of company name for Nerdio licenses and ignores parent company free licenses. 99 | 100 | ## V11 is an adjustment on 2024-06-13 that changes the following: 101 | - Add third company to the list of companies with Nerdio licenses. 102 | - Refactors the code that updates the company for Nerdio licenses based on the Description field to properly output it in the summary. 103 | - Adds some Verbose output for debugging the Nderio code activated if the -Verbose flag is passed. 104 | 105 | ## V12 is an adjustment on 2024-07-15 that changes the following for the first public release: 106 | - Moves any client names and client-specific normalization into external Company-Specific-Functions.ps1 file to enable sharing without compromising privacy. 107 | - Documenteation added for how to use the script to to the top in markdown format in order to create sharable version. 108 | #> 109 | [CmdletBinding()] 110 | param ( 111 | [Parameter(Mandatory = $false)] 112 | [ValidateScript({ Test-Path $_ -PathType 'Container' })] 113 | [string]$CsvFolderPath = '.\invoices', 114 | 115 | [Parameter(Mandatory = $false)] 116 | [string]$OutputPath = (".\" + (Get-Date -Format "yyyy-MM")), 117 | 118 | [Parameter(Mandatory = $false)] 119 | [string]$OutputFile = 'analysis.csv', 120 | 121 | [Parameter(Mandatory = $false)] 122 | [string]$RawOutputFile = 'analysis_raw.csv' 123 | ) 124 | 125 | # Verify if the folder to check exists 126 | if (-Not (Test-Path -Path $CsvFolderPath)) { 127 | Write-Error "The folder '$CsvFolderPath' does not exist." 128 | exit 1 129 | } 130 | 131 | # Get all CSV files in the specified folder that start with "invoice" 132 | $csvFiles = Get-ChildItem -Path $CsvFolderPath -Filter "invoice*.csv" -File 133 | if ($csvFiles.Count -eq 0) { 134 | Write-Error "No CSV files found in the folder '$CsvFolderPath'." 135 | exit 1 136 | } 137 | 138 | # Verify if the output path exists, create it if not 139 | if (-Not (Test-Path -Path $outputPath)) { 140 | Write-Host "The output path '$outputPath' does not exist. Creating it now." 141 | New-Item -ItemType Directory -Path $outputPath | Out-Null 142 | } 143 | 144 | # Join the output path with the filename 145 | $OutputFilePath = Join-Path -Path $outputPath -ChildPath $OutputFile 146 | $RawOutputFilePath = Join-Path -Path $outputPath -ChildPath $RawOutputFile 147 | 148 | Write-Host "Reading files from $CsvFolderPath" 149 | Write-Host "Output file: $OutputFilePath" 150 | Write-Host "Raw output file: $RawOutputFilePath" 151 | Write-Host "These files will be overwritten if they already exist." 152 | 153 | # Import all CSV file lines into the $data variable 154 | $data = Get-ChildItem -Path $CsvFolderPath -Filter "invoice*.csv" -File | ForEach-Object { 155 | Import-Csv -Path $_ 156 | } 157 | 158 | # Create an empty array list object to store the raw results 159 | # Create a List to store the raw data 160 | $rawData = New-Object System.Collections.Generic.List[object] 161 | 162 | # Filter the data based on the sku field to only include Azure, Microsoft subscription Windows licensing, Nerdio, and CloudJumper (old) licenses 163 | $filteredData = $data | 164 | Where-Object { $_.sku -like "MST-AZR*" -or $_.sku -like "MST-ARI*" -or $_.sku -like "AZR-ARR-*" -or $_.sku -like "NIO-INF*" -or $_.sku -like "CJR-*" } | 165 | Sort-Object -Property company_name, start_period 166 | 167 | # Create a hashtable to store the results 168 | $companySums = @{} 169 | 170 | # Load in any Company-Specific-Functions file, if it exists, to allow for normalization of company name/ID specific to organization: 171 | if (Test-Path -PathType Leaf -Path "./Company-Specific-Functions.ps1") { 172 | . "./Company-Specific-Functions.ps1" 173 | } 174 | else { 175 | Write-Host "No Company-Specific-Functions.ps1 file found in current folder, skipping these normalization/transformation calls." 176 | } 177 | 178 | # Iterate over each row in the filtered data 179 | foreach ($row in $filteredData) { 180 | $companyName = $row.company_name 181 | $companyID = $row.company_id 182 | $subtotal = [decimal]$row.subtotal 183 | $costTotal = [decimal]$row.cost_total 184 | $startPeriod = [datetime]$row.start_period 185 | 186 | # First skip the line if the subtotal is $0 because it doesn't matter to the result. 187 | if ($script:subtotal -eq 0) { 188 | continue 189 | } 190 | 191 | # Call function in Comapany-Specific-Functions.ps1 script to normalize some company names/IDs by updating $script:companyName and $script:companyID to 192 | # new values based on the values of $row.details. If the function doesn't exist, skip the call. 193 | if (Get-Command "Normalize-Row-Data-General" -ErrorAction SilentlyContinue) { 194 | Normalize-Row-Data 195 | } 196 | 197 | $row.company_name = $companyName 198 | $row.company_id = $companyID 199 | 200 | # Set the date to the first day of the month and make it the $sp_id 201 | $startPeriod = $startPeriod.Date.AddDays(1 - $startPeriod.Day) 202 | $sp_id = $startPeriod.ToString("yyyy-MM-dd") 203 | 204 | # If the company name is not already in the hashtable, add it 205 | if (-not $companySums.ContainsKey("$companyName-$sp_id")) { 206 | $companySums["$companyName-$sp_id"] = @{ 207 | company_name = $companyName 208 | subtotal = 0 209 | costTotal = 0 210 | margin = 0 211 | start_period = $startPeriod 212 | } 213 | } 214 | 215 | # Update the sums for the company 216 | $companySums["$companyName-$sp_id"].subtotal += $subtotal 217 | $companySums["$companyName-$sp_id"].costTotal += $costTotal 218 | $companySums["$companyName-$sp_id"].margin += ($subtotal - $costTotal) 219 | 220 | # Add the raw data to the $rawData array 221 | $rawData.Add($row) 222 | } 223 | 224 | # Convert the hashtable to an array of objects 225 | $results = foreach ($key in $companySums.Keys) { 226 | [PSCustomObject]@{ 227 | key = $key 228 | company_name = $companySums[$key].company_name 229 | subtotal = $companySums[$key].subtotal 230 | cost_total = $companySums[$key].costTotal 231 | margin = $companySums[$key].margin 232 | start_period = $companySums[$key].start_period.ToString("yyyy-MM-dd") 233 | } 234 | } 235 | 236 | # Sort the results alphabetically by company_name, and then by oldest-first date order by start_period 237 | $results = $results | Sort-Object -Property @{Expression = "company_name"; Ascending = $true }, @{Expression = "start_period"; Ascending = $true } 238 | 239 | # Export the results to a CSV file 240 | $results | Select-Object company_name, subtotal, cost_total, margin, start_period | Export-Csv -Path $OutputFilePath -NoTypeInformation 241 | 242 | # Export the raw results to a CSV file 243 | $rawData | Export-Csv -Path $RawOutputFilePath -NoTypeInformation 244 | -------------------------------------------------------------------------------- /Pax8 Invoice Analysis for Azure, AVD, Nerdio/README.md: -------------------------------------------------------------------------------- 1 | # Invoice-Analysis.ps1 for Pax8 Invoice CSVs for Nerdio, Azure, and CloudJumper (retired) cost analysis 2 | 3 | # HOW TO USE: 4 | ## Prerequisites 5 | - Script should be in its own folder 6 | - Inside the folder, create a subfolder named "invoices" and put a CSV file from Pax8 (Billing, Invoices tab, "CSV" download button in Actions column for each month) into the folder. 7 | - If you need to normalize/transform one company/ID to another from the source Pax8 files to your reports, copy `SAMPLE-Company-Specific-Functions.ps1` to remove the `SAMPLE-` prefix and 8 | edit with your changes. 9 | - When running the script, it should have permissions to create folders in the current folder, and write files into the subfolder. 10 | - This script has only been tested with PowerShell 7.4, though it may work with other versions. 11 | 12 | The reason for the `Company-Specific-Functions.ps1` script is because we've encountered the following cases where we need to normalize data for our reports: 13 | - Pax8 wasn't set up to assign certain licenses from our internal company to the correct one initially and the reporting will forever be 14 | incorrect in the Pax8 file, so we adjust. 15 | - Two companies merged into one and we want the report to reflect totals as if all historical billing were for one of the two companies. 16 | 17 | If you don't need to make adjustments like this, you can ignore this file as the script checks to see if it exists, and also checks to confirm 18 | that the `Normalize-Row-Data` function exists (from that file) before calling it, so it will run fine without. The function, if it does exist, 19 | directly accesses the current $row values from the main script for comparisons, and then updates the original variables $companyName and $companyID 20 | from that loop iteration (by using $script:companyName and $script:companyID to access the variables from the script scope); there are no variables 21 | passed to or from the script. This isn't necessarily the cleanest code, but it was the simplest way to extract the code with customer names out 22 | of the main script to make it sharable, providing an example for you to use, and making its use optional if you don't need it. 23 | 24 | ## Running The Script 25 | Once all prerequisites are good to go, inside the script folder from a pwsh PowerShell prompt, run the script: 26 | 27 | `./Invoice-Anslysis.ps1` 28 | 29 | You can optionally provide command-line arguments to override some of the settings, if desired, with these named arguments (all optional with solid defaults): 30 | - CsvFolderPath 31 | - OutputPath 32 | - OutputFile 33 | - RawOutputFile 34 | 35 | You can also pass the -Verbose switch to substantially increase the detail output to the screen during the run for diagnostic purposes. 36 | 37 | By default, the script will validate that the "invoices" subfolder exists, will create (if it doesn't exist) a subfolder named yyyy-MM based on the date you're 38 | running the script, will loop through all the invoice .csv files in the "invoices" subfolder, perform it's analysis, and create two output files in the 39 | yyyy-MM folder, one named "analysis_raw.csv" and the other named "analysis.csv". If you pass different values to the parameters, the outputs will change. 40 | 41 | See the param() block at the start of the code for the default values and the formatting of the argument inputs. 42 | 43 | The `analysis.csv` file will contain one line per client-month with these columns (definitions in parentheses): 44 | - company_name (the client's name from the Pax8 file, or as modified/transformed in your normalization) 45 | - subtotal (the retail price subtotal of matching lines for the billing period from the Pax8 file) 46 | - cost_total (same as subtotal but the sum of cost_total instead rather than price) 47 | - margin (the difference between subtotal and cost_total columns) 48 | - start_period (always the FIRST day of the month for the period in which all charges in that line were pulled from in the Pax8 .csv files) 49 | 50 | The `analysis_raw.csv` file should basically have the lines from the original Pax8 .csv invoice files, but filtered to be only the ones that were used in 51 | calculating the analysis.csv data. 52 | 53 | The items that are included in the analysis should be, if any: 54 | - Azure arrears-billable consumption items, including Reserved Instances 55 | - Microsoft subscription Windows licensing 56 | - Nerdio licensing 57 | - CloudJumper licenses (this service, purchased by NetApp, no longer exists but a client used to use it before moving to AVD) 58 | 59 | All lines with a `subtotal` field equal to $0 will be skipped/excluded since it doesn't affect the totals. You can find the line of the script where 60 | `$filteredData` is defined to adjust your own version of which SKUs from the Pax8 invoices file will be included or not if you need to see or 61 | customize this for your purposes. 62 | 63 | ## How We Analyze Further 64 | 65 | We take the output and open the two resulting .csv files from the subfolder in Excel and Save As .xlsx files in the same folder, to make saving formatting 66 | and updates easier. 67 | 68 | It's not yet provided with sample data, but we take the resulting `analysis.csv` file and use it to build a pivot table in Excel, where we add new lines each month 69 | and have the following additional columns we add to the five in `analysis.csv` which we then save as the file `new_analysis-thru-yyyy-MM.xlsx` in the same folder: 70 | - retail_price (we manually update the price these items were sold to the client from their invoice to this column of the spreadsheet) 71 | - margin_from_price_vs_cost (calculated value of the retail_price column minus the cost_total column, for us the Excel formula is `=F2-C2`) 72 | - margin_percent (calculated value of margin_from_price_vs_cost divided by the retail_price column (for us the Excel formula is `=G2/F2`)) 73 | - invoice_month (calculated MONTH function value of the start_period value, for us the Excel formula is `=MONTH(E2)`) 74 | - invoice_year (calculated YEAR function value of the start_period value, for us the Excel formula is `=YEAR(E2)`) 75 | - invoice_yearmonth (calculated zero-padded yyyy-MM value string from the invoice_year and invoice_month columns, for us the Excel formula is `=J2 & "-" & TEXT(I2,"00")`) 76 | 77 | From here, we can create or update two pivot tables with the above data as the source. The outcome is a pivot table with columns for client name, 78 | margin % average, total margin, total cost, and invoiced price, and a tree of rows we can expand and subtotal by client, year, or month. There are 79 | not currently samples of these additional fields or the pivot tables with sample data that have been created, so they're left as an exercise to 80 | the reader in the initial release. You can do whatever other analysis you wish, this is just how we use it so we can have a repeatable/updated 81 | process to get updated information regularly. 82 | 83 | # VERSION HISTORY: 84 | ## V9 is a complete refactor of V8 on 2023-12-05 that changes the following (original version details not tracked): 85 | - Reads in all invoice*.csv files at once to one large array. 86 | - Filters the data using a hash that combines the company name and the Start Period date (SP_ID) as the key. 87 | - Moves the company_name to be a separate field in the output since the key is no longer just company name. 88 | - All final analysis output is based on the actual month in which an individual charge was for, regardless of invoice. 89 | - Loses the name of the invoice file in the output but it isn't relevant for the final analysis. 90 | - Data can be copied to an Excel spreadsheet with pivot table that pulls some date info out and collects invoice amounts. 91 | - Removes the need for the Invoice-More-Summary.ps1 script to do further processing since the above replaces it. 92 | - Removes the redundant assignment of $results to $allResults since there's no looping through CSVs now to collect. 93 | - Removes multiple += array operator usages and increases performance. 94 | 95 | ## V10 is a minor tweak of V9 on 2023-12-06 that changes the following: 96 | - Removes old debug comments to clean up code. 97 | - Sets defaults for parameters after moving invoices around, also changes parameter names. 98 | - Fixes parsing of company name for Nerdio licenses and ignores parent company free licenses. 99 | 100 | ## V11 is an adjustment on 2024-06-13 that changes the following: 101 | - Add third company to the list of companies with Nerdio licenses. 102 | - Refactors the code that updates the company for Nerdio licenses based on the Description field to properly output it in the summary. 103 | - Adds some Verbose output for debugging the Nerdio code activated if the -Verbose flag is passed. 104 | 105 | ## V12 is an adjustment on 2024-07-15 that changes the following for the first public release: 106 | - Moves any client names and client-specific normalization into external Company-Specific-Functions.ps1 file to enable sharing without compromising privacy. 107 | - Documentation added for how to use the script to to the top in markdown format in order to create sharable version. 108 | -------------------------------------------------------------------------------- /Pax8 Invoice Analysis for Azure, AVD, Nerdio/SAMPLE-Company-Specific-Functions.ps1: -------------------------------------------------------------------------------- 1 | # Company-Specific-Functions.ps1 2 | 3 | function Normalize-Row-Data () { 4 | # Normalize company name and ID from one to another to correct some Pax8 billing companies to desired reporting company 5 | 6 | # Normalize company name and ID from one to another if the SKU is Nerdio and thus starts with NIO-INF: 7 | if ($row.sku -like "NIO-INF*") { 8 | Write-Verbose "ORIGINAL: $script:companyName name and $script:companyID ID using separate script!" 9 | if ($row.details -like '*Original Company Name 1*') { 10 | $script:companyName = "New Company 1 To Use" 11 | $script:companyID = "1234567" 12 | } 13 | elseif ($row.details -like '*Original Company Name 2*') { 14 | $script:companyName = "New Company 2 To Use" 15 | $script:ompanyID = "2345678" 16 | } 17 | Write-Verbose "NEW: $script:companyName name and $script:companyID ID using separate script!" 18 | 19 | Write-Verbose "---------------------------------------------------------------" 20 | Write-Verbose "NERDIO SKU: $($row.sku)" 21 | Write-Verbose "NERDIO COMPANY ID: $($row.company_id)" 22 | Write-Verbose "NERDIO ORIG COMPANY: $($row.company_name)" 23 | Write-Verbose "NERDIO COMPANY NAME: $companyName" 24 | Write-Verbose "NERDIO SUBTOTAL: $subtotal" 25 | Write-Verbose "NERDIO COST: $costTotal" 26 | Write-Verbose "NERDIO PERIOD: $startPeriod" 27 | Write-Verbose "NERDIO DESC: $($row.details)" 28 | Write-Verbose "NERDIO DESC: $($row.description)" 29 | } 30 | 31 | # Normalize company name and ID from one to another for any CloudJumpber (CJR-) SKU licenses: 32 | if ($row.sku -like "CJR-*") { 33 | Write-Verbose "ORIGINAL: $script:companyName name and $script:companyID ID using separate script!" 34 | $script:companyName = "Original Company Name 3" 35 | $script:companyID = "3456789" 36 | Write-Verbose "NEW: $script:companyName name and $script:companyID ID using separate script!" 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MSP-Scripts 2 | Generic MSP scripts that aren't specific to a Remote Monitoring & Management (RMM) tool, although some of them may run well from an RMM depending on the purpose. The [Windows-Registry-Hardening script](https://github.com/dszp/MSP-Scripts/tree/main/Windows-Registry-Hardening), for example, runs well from an RMM but has nothing RMM-specific in it. 3 | 4 | Scripts that are designed to run from the [NinjaOne](https://www.ninjaone.com) RMM, although they will often run just fine on their own or from another RMM system (with no or minor modifications, depending on the system) are in the [NinjaOne-Scripts](https://github.com/dszp/NinjaOne-Scripts) repository instead. 5 | 6 | ## Licensing and Attribution 7 | Note that some of these scripts I’ve written, and some I’ve modified based on others either initial scripts or contributions; some may even be vendor-provided scripts with minor adjustments to make them more useful. I don’t claim any copyright over scripts or sections of scripts not written by me, and although I haven’t chosen a specific license for my stuff (I may do so), it’s freely usable and modifiable by others (attribution preferred). I’ve attempted to attribute code from others where it’s included. Most scripts are compilations of improvements to small useful projects over time and I’m not aware of any sources who wish to restrict the publication of code that they wrote or contributed to, but if there are objections to the public posting of any of these scripts from other sources, please let me know and I’ll be happy to adjust. You can reach me on Discord at DavidSzp or I’m sure you can probably find other ways to get in touch, I’m not terribly hard to find. -------------------------------------------------------------------------------- /Remove N-Central Agent/README.md: -------------------------------------------------------------------------------- 1 | # [Remove-N-Central-Agent.ps1](./Remove-N-Central-Agent.ps1) 2 | 3 | ## SYNOPSIS 4 | Remove N-able N-Central Windows Agent and related services, both via uninstallation of the agent and related apps (not the Probe) and also via manual cleanup (optional with the `-Clean` parameter) if the uninstall fails. 5 | 6 | ## DESCRIPTION 7 | Uninstalls and optionally cleans/removes the N-able N-Central Windows Agent and related services and folders. It will attempt to run uninstallers for all known agent entries from Add/Remove Programs. 8 | 9 | If the `-Clean` parameter is specified, it will also attempt (after uninstallation) to clean up agent remnants in addition to attempting uninstallation--this includes stopping and disabling related services, removing both the Uninstall and regular application registry entries and disabling the services, attempting to delete the services, and then removing the installation folders and the related folders in `C:\ProgramData`. 10 | 11 | The script _should NOT_ remove N-able Cove backup installations or files/services. 12 | 13 | The script _should_ uninstall but _does NOT_ forcibly clean/remove the Windows Probe service or agent, if it exists. 14 | 15 | The script _does NOT_ remove the registry setting showing the N-central device ID that would be used if the agent were ever reinstalled to map to the same device in the future. This ID should be a harmless artifact in most cases especially if the agent is no longer running on the system, but it could be updated to remove it if desired. 16 | 17 | The script may leave some top-level folders under Program Files, that are empty, or may leave some subfolders that are in use and cannot be removed due to permissions, but it will attempt to remove some of these after a reboot if possible, and any remaining remnants afterwards should not allow the agent to run, even if they aren't completely cleaned up. 18 | 19 | The script _WILL delete_ agent logs and history in ProgramData subfolders. 20 | 21 | The script _WILL attempt to remove_ the Take Control (BeAnywhere) services and folders if they exist and -Clean is specified, but does not attempt any separate uninstallation. 22 | 23 | The script should be run with admin privileges, ideally as SYSTEM, and will quit if it is not. 24 | 25 | Paths and services to clean up are hardcoded into the script under **CONFIG AND SETUP**, and will use the correct system drive for the system but the rest of the paths are hardcoded. The installation folders that any existing services refer to will be added to the cleanup list, if they are different and exist during the run (if `-Clean` is run as part of the initial pass). 26 | 27 | While it can be run manually, it is recommended that the script be run via a different RMM tool, and supports but does not require NinjaRMM Script Variables with the parameter names (as checkboxes) for configuration. 28 | 29 | ## KNOWN ISSUES 30 | *Known issues with version 0.0.1 and 0.0.2:* The services, while they are deleted, are not always fully removed from the system when cleaned if the uninstallations fail. This is a bug that has not been diagnosed/fixed yet, but the services should still be left in the Stopped and Disabled state. 31 | 32 | **This issue has been resolved in 0.0.3** and re-running with `-Clean` should properly delete services. 33 | 34 | ## PARAMETER Clean 35 | Clean up agent remnants in addition to attempting uninstallation. 36 | 37 | ## PARAMETER TestOnly 38 | Test removal of agent and services without actually removing them--will output test info to console instead of making changes. Kind of like a custom -WhatIf dry run without being official. 39 | 40 | ## EXAMPLE 41 | ``` 42 | Remove-N-Central-Agent.ps1 43 | ``` 44 | 45 | ## EXAMPLE 46 | ``` 47 | Remove-N-Central-Agent.ps1 -Clean 48 | ``` 49 | 50 | ## NOTES 51 | **Version 0.0.3** - 2024-03-26 by David Szpunar - Resolution of service deletion bug in cleanup 52 | **Version 0.0.2** - 2024-03-26 by David Szpunar - Update service deletion options 53 | **Version 0.0.1** - 2024-03-25 by David Szpunar - Initial release 54 | -------------------------------------------------------------------------------- /Remove N-Central Agent/Remove-N-Central-Agent.ps1: -------------------------------------------------------------------------------- 1 | <# Remove-N-Central-Agent.ps1 2 | 3 | .SYNOPSIS 4 | Remove N-able N-Central Windows Agent and related services, both via uninstallation of the agent and related apps (not the Probe) and also via manual cleanup (optional with the -Clean parameter) if the uninstall fails. 5 | 6 | .DESCRIPTION 7 | Uninstalls and optionally cleans/removes the N-able N-Central Windows Agent and related services and folders. It will attempt to run uninstallers for all known agent entries from Add/Remove Programs. 8 | 9 | If the -Clean parameter is specified, it will also attempt (after uninstallation) to clean up agent remnants in addition to attempting uninstallation--this includes stopping and disabling related services, removing both the Uninstall and regular application registry entries and disabling the services, attempting to delete the services, and then removing the installation folders and the related folders in C:\ProgramData. 10 | 11 | The script should NOT remove N-able Cove backup installations or files/services. 12 | 13 | The script should uninstall (but does not clean up remants of) the Windows Probe service or agent, if it exists. 14 | 15 | The script does NOT remove the registry setting showing the N-central device ID that would be used if the agent were ever reinstalled to map to the same device in the future. This ID should be a harmless artifact in most cases especially if the agent is no longer running on the system, but it could be updated to remove it if desired. 16 | 17 | The script may leave some top-level folders under Program Files, that are empty, or may leave some subfolders that are in use and cannot be removed due to permissions, but it will attempt to remove some of these after a reboot if possible, and any remaining remnants afterwards should not allow the agent to run, even if they aren't completely cleaned up. 18 | 19 | The script WILL delete agent logs and history in ProgramData subfolders. 20 | 21 | The script WILL attempt to remove the Take Control (BeAnywhere) services and folders if they exist and -Clean is specified, but does not attempt any separate uninstallation. 22 | 23 | The script should be run with admin privileges, ideally as SYSTEM, and will quit if it is not. 24 | 25 | Paths and services to clean up are hardcoded into the script under CONFIG AND SETUP, and will use the correct system drive for the system but the rest of the paths are hardcoded. The installation folders that any existing services refer to will be added to the cleanup list, if they are different and exist during the run (if -Clean is run as part of the initial pass). 26 | 27 | While it can be run manually, it is recommended that the script be run via a different RMM tool, and supports but does not require NinjaRMM Script Variables with the parameter names (as checkboxes) for configuration. 28 | 29 | Service deletion issue with version 0.0.1 and 0.0.2 has been resolved, the script properly deletes services during cleanup, in addition to stopping and disabling. 30 | 31 | .PARAMETER Clean 32 | Clean up agent remnants in addition to attempting uninstallation. 33 | 34 | .PARAMETER TestOnly 35 | Test removal of agent and services without actually removing them--will output test info to console instead of making changes. Kind of like a custom -WhatIf dry run without being official. 36 | 37 | .EXAMPLE 38 | Remove-N-Central-Agent.ps1 39 | 40 | .EXAMPLE 41 | Remove-N-Central-Agent.ps1 -Clean 42 | 43 | .NOTES 44 | Version 0.0.4 - 2024-06-14 by David Szpunar - Update service deletion to clean the N-able Take Control Service and some related folders/registry keys 45 | Version 0.0.3 - 2024-03-26 by David Szpunar - Resolution of service deletion bug in cleanup 46 | Version 0.0.2 - 2024-03-26 by David Szpunar - Update service deletion options 47 | Version 0.0.1 - 2024-03-25 by David Szpunar - Initial release 48 | #> 49 | [CmdletBinding()] 50 | param( 51 | [switch] $Clean, 52 | [switch] $TestOnly 53 | ) 54 | 55 | ### PROCESS NINJRAMM SCRIPT VARIABLES AND ASSIGN TO NAMED SWITCH PARAMETERS 56 | # Get all named parameters and overwrite with any matching Script Variables with value of 'true' from environment variables 57 | # Otherwise, if not a checkbox ('true' string), assign any other Script Variables provided to matching named parameters 58 | $switchParameters = (Get-Command -Name $MyInvocation.InvocationName).Parameters 59 | foreach ($param in $switchParameters.keys) { 60 | $var = Get-Variable -Name $param -ErrorAction SilentlyContinue 61 | if ($var) { 62 | $envVarName = $var.Name.ToLower() 63 | $envVarValue = [System.Environment]::GetEnvironmentVariable("$envVarName") 64 | if (![string]::IsNullOrWhiteSpace($envVarValue) -and ![string]::IsNullOrEmpty($envVarValue) -and $envVarValue.ToLower() -eq 'true') { 65 | # Checkbox variables 66 | $PSBoundParameters[$envVarName] = $true 67 | Set-Variable -Name "$envVarName" -Value $true -Scope Script 68 | } 69 | elseif (![string]::IsNullOrWhiteSpace($envVarValue) -and ![string]::IsNullOrEmpty($envVarValue) -and $envVarValue -ne 'false') { 70 | # non-Checkbox string variables 71 | $PSBoundParameters[$envVarName] = $envVarValue 72 | Set-Variable -Name "$envVarName" -Value $envVarValue -Scope Script 73 | } 74 | } 75 | } 76 | ### END PROCESS SCRIPT VARIABLES 77 | 78 | ##### CONFIG AND SETUP ##### 79 | # These itemss should generally be set via parameters or environment/script variables, but can be manually overridden for testing: 80 | # $TestOnly = $false 81 | # $Clean = $true 82 | # $Verbose = $true 83 | 84 | <# Some of this information was used for interactive troubleshooting and script design but is not a part of the final script, left for reference: 85 | 86 | # $Application = "N-able" 87 | # # $AgentInstall = ("HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") | ForEach-Object { Get-ChildItem -Path $_ | ForEach-Object { Get-ItemProperty $_.PSPath } | Where-Object { $_.DisplayName -match "$Application" } } 88 | # $AgentInstall = ("HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") | ForEach-Object { Get-ChildItem -Path $_ | ForEach-Object { Get-ItemProperty $_.PSPath } | Where-Object { $_.Publisher -match "$Application" } } 89 | # $AgentVersion = $AgentInstall.DisplayVersion 90 | # $AgentGUID = $AgentInstall.PSChildName 91 | # $AgentInstall | Format-List 92 | #> 93 | 94 | <# 95 | PREPARE THE LIST OF APPS TO UNINSTALL AND SERVICES TO REMOVE 96 | #> 97 | $AppList = @('Ecosystem Agent', 'Patch Management Service Controller', 'Request Handler Agent', 'File Cache Service Agent') 98 | $MSIList = @('Windows Agent', 'Windows Probe') 99 | 100 | $ServiceList = @('AutomationManagerAgent', 'EcosystemAgent', 'EcosystemAgentMaintenance', 'Windows Agent Service', 'Windows Agent Maintenance Service', 'PME.Agent.PmeService', 'BASupportExpressSrvcUpdater_N_Central', 'BASupportExpressStandaloneService_N_Central', 'N-able Take Control Service') 101 | 102 | # Resolve-Path "$($env:systemdrive)\Program Files*\MspPlatform" 103 | $FolderPathsList = @("$($env:systemdrive)\Program Files*\MspPlatform", 104 | "$($env:systemdrive)\Program Files*\SolarWinds MSP", 105 | "$($env:systemdrive)\Program Files*\MSPEcosystem", 106 | "$($env:systemdrive)\Program Files*\BeAnywhere Support Express", 107 | "$($env:systemdrive)\Program Files*\N-able Technologies\UpdateServerCache", 108 | "$($env:systemdrive)\Program Files*\N-able Technologies\NablePatcheCache", 109 | "$($env:systemdrive)\Program Files*\N-able Technologies\AutomationManagerEngine", 110 | "$($env:systemdrive)\Program Files*\N-able Technologies\Windows Agent", 111 | "$($env:systemdrive)\ProgramData\MspPlatform", 112 | "$($env:systemdrive)\ProgramData\N-able Technologies\AutomationManager", 113 | "$($env:systemdrive)\ProgramData\N-able Technologies\AVDefender", 114 | "$($env:systemdrive)\ProgramData\N-able Technologies\Windows Agent", 115 | "$($env:systemdrive)\ProgramData\N-able Technologies\N-able\AutomationManager", 116 | "$($env:systemdrive)\ProgramData\N-able\AutomationManager", 117 | "$($env:systemdrive)\ProgramData\Solarwinds MSP", 118 | "$($env:systemdrive)\ProgramData\GetSupportService", 119 | "$($env:systemdrive)\ProgramData\GetSupportService_Common", 120 | "$($env:systemdrive)\ProgramData\GetSupportService_Common_N-central", 121 | "$($env:systemdrive)\ProgramData\GetSupportService_N-central", 122 | "$($env:systemdrive)\ProgramData\N-able Technologies", 123 | "$($env:systemdrive)\ProgramData\MSPEcosystem" 124 | ) 125 | 126 | <# 127 | PREPARE THE EMPTY LIST OF FILE PATHS TO LATER REMOVE 128 | #> 129 | $InstallPaths = New-Object System.Collections.Generic.List[System.Object] 130 | 131 | <# 132 | PREPARE THE EMPTY LIST OF FILE PATHS TO LATER REMOVE 133 | #> 134 | $ServicePaths = New-Object System.Collections.Generic.List[System.Object] 135 | 136 | <# 137 | PREPARE THE EMPTY LIST OF REGISTRY PATHS TO LATER REMOVE 138 | #> 139 | $RegistryPaths = New-Object System.Collections.Generic.List[System.Object] 140 | 141 | # $RegistryPaths.Add('HKLM:\SOFTWARE\N-able Technologies') 142 | # $RegistryPaths.Add('HKLM:\SOFTWARE\WOW6432Node\N-able') 143 | $RegistryPaths.Add('HKLM:\SOFTWARE\WOW6432Node\N-able\AM') 144 | $RegistryPaths.Add('HKLM:\SOFTWARE\N-able\AM') 145 | # $RegistryPaths.Add('HKLM:\SOFTWARE\WOW6432Node\N-able Technologies') 146 | $RegistryPaths.Add('HKLM:\SOFTWARE\WOW6432Node\N-able Technologies\Windows Agent') 147 | $RegistryPaths.Add('HKLM:\SOFTWARE\N-able Technologies\Windows Agent') 148 | $RegistryPaths.Add('HKLM:\SOFTWARE\N-able Technologies\Patch Management') 149 | 150 | ###### FUNCTIONS ###### 151 | function Test-IsElevated { 152 | $id = [System.Security.Principal.WindowsIdentity]::GetCurrent() 153 | $p = New-Object System.Security.Principal.WindowsPrincipal($id) 154 | $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) 155 | } 156 | 157 | Function Remove-ItemOnReboot { 158 | # SOURCE: https://gist.github.com/rob89m/6bbea14651396f5870b23f1b2b8e4d0d 159 | [CmdletBinding()] 160 | Param 161 | ( 162 | [Parameter(Mandatory = $true)][string]$Item 163 | ) 164 | END { 165 | # Read current items from PendingFileRenameOperations in Registry 166 | $PendingFileRenameOperations = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations).PendingFileRenameOperations 167 | 168 | # Append new item to be deleted to variable 169 | $NewPendingFileRenameOperations = $PendingFileRenameOperations + "\??\$Item" 170 | 171 | # Reload PendingFileRenameOperations with existing values plus newly defined item to delete on reboot 172 | Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "PendingFileRenameOperations" -Value $NewPendingFileRenameOperations 173 | } 174 | } 175 | 176 | function Uninstall-GUID ([string]$GUID) { 177 | # $AgentInstall = ("HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") | ForEach-Object { Get-ChildItem -Path $_ | ForEach-Object { Get-ItemProperty $_.PSPath } | Where-Object { $_.DisplayName -match "$Application" } } 178 | # $AgentVersion = $AgentInstall.DisplayVersion 179 | # $AgentGUID = $AgentInstall.PSChildName 180 | # 181 | # $UninstallString = "$($AgentInstall.UninstallString) /quiet /norestart" 182 | $UninstallString = "MsiExec.exe /x$AgentGUID /quiet /norestart" 183 | 184 | if ($GUID) { 185 | Write-Host "Uninstalling now via GUID: $GUID" 186 | Write-Verbose "Uninstall String: $UninstallString" 187 | if (!$TestOnly) { 188 | $Process = Start-Process cmd.exe -ArgumentList "/c $UninstallString" -Wait -PassThru 189 | if ($Process.ExitCode -eq 1603) { 190 | Write-Host "Uninstallation attempt failed with error code: $($Process.ExitCode). Please review manually." 191 | Write-Host "Hint: This exit code likely requires the system to reboot prior to installation." 192 | } 193 | elseif ($Process.ExitCode -ne 0) { 194 | Write-Host "Uninstallation attempt failed with error code: $($Process.ExitCode). Please review manually." 195 | } 196 | else { 197 | Write-Host "Uninstallation attempt completed." 198 | } 199 | return $($Process.ExitCode) 200 | } 201 | else { 202 | Write-Host "TEST ONLY: No uninstallation attempt was made." 203 | return 0 204 | } 205 | } 206 | else { 207 | Write-Host "Pass a GUID to the function." 208 | return $false 209 | } 210 | } 211 | 212 | function Uninstall-App ($Agent) { 213 | $QuietUninstall = $Agent.QuietUninstallString 214 | if ([string]::IsNullOrWhiteSpace($QuietUninstall)) { 215 | Write-Host "No QuietUninstall string, skipping silent uninstall for" $Agent.DisplayName 216 | return $false 217 | } 218 | $UninstallString = $Agent.UninstallString + " /SILENT /VERYSILENT /SUPPRESSMSGBOXES" 219 | 220 | if ($Agent) { 221 | Write-Host "Uninstalling now via Inno Setup Silent Removal:" $Agent.DisplayName 222 | Write-Host "Uninstall String: $UninstallString" 223 | if (!$TestOnly) { 224 | $Process = Start-Process cmd.exe -ArgumentList "/c $UninstallString" -Wait -PassThru 225 | if ($Process.ExitCode -ne 0) { 226 | Write-Host "Uninstallation attempt failed with error code: $($Process.ExitCode). Please review manually." 227 | } 228 | else { 229 | Write-Host "Uninstallation attempt completed for" $Agent.DisplayName 230 | return 0 231 | } 232 | return $($Process.ExitCode) 233 | } 234 | else { 235 | Write-Host "TEST ONLY: No uninstallation attempt was made." 236 | return 0 237 | } 238 | } 239 | else { 240 | Write-Host "Pass an uninstall registry object to the function." 241 | return 1 242 | } 243 | } 244 | 245 | 246 | 247 | Function Get-ServiceStatus ([string]$Name) { 248 | (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status 249 | } 250 | 251 | Function Stop-RunningService ($svc) { 252 | Write-Verbose "Checking if $($svc.Name) service is running to STOP" 253 | # If ( $(Get-ServiceStatus -Name $Name) -eq "Running" ) { 254 | If ( $svc.Status -eq "Running" ) { 255 | Write-Host "Stopping : $($svc.Name) service" 256 | if (!$TestOnly) { 257 | # Stop-Service -Name $Svc -Force 258 | $svc | Stop-Service -Force 259 | } 260 | else { 261 | Write-Host "TEST ONLY: Not stopping $Name service" 262 | } 263 | } 264 | else { 265 | Write-Verbose "The $($svc.Name) service is not running, not stopping it!" 266 | } 267 | } 268 | 269 | Function Disable-Service ($svc) { 270 | If ( $svc ) { 271 | Write-Host "Disabling : $($svc.Name) service" 272 | if (!$TestOnly) { 273 | # Set-Service $Svc -StartupType Disabled 274 | $svc | Set-Service -StartupType Disabled 275 | } 276 | else { 277 | Write-Host "TEST ONLY: Not disabling $($svc.Name) service" 278 | } 279 | } 280 | else { 281 | Write-Verbose "The $($svc.Name) service doesn't exist, not disabling it!" 282 | } 283 | } 284 | 285 | Function Remove-StoppedService ($svc) { 286 | If ( $svc ) { 287 | If ( $svc.Status -eq "Stopped" ) { 288 | Write-Host "Deleting : $($svc.Name) service" 289 | if (!$TestOnly) { 290 | Stop-Process -Name $($svc.Name) -Force -ErrorAction SilentlyContinue 291 | sc.exe delete $($svc.Name) 292 | Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Force -Recurse -ErrorAction SilentlyContinue 293 | } 294 | else { 295 | Write-Host "TEST ONLY: Not deleting $Name service" 296 | } 297 | } 298 | else { 299 | Write-Host "The $($svc.Name) service is not stopped, not deleting it!" 300 | } 301 | } 302 | Else { 303 | Write-Verbose "Not Found to Remove: $($svc.Name) service" 304 | } 305 | } 306 | 307 | Function Remove-File-Path ([string]$Path) { 308 | Write-Host "Deleting folder if it exists: $Path" 309 | $FolderPath = Resolve-Path -Path $Path.Trim('"') -ErrorAction SilentlyContinue 310 | if (![string]::IsNullOrEmpty($FolderPath) -and (Test-Path $FolderPath)) { 311 | Write-Host "Removing folder: $FolderPath" 312 | if (!$TestOnly) { 313 | try { 314 | Remove-Item -Path $FolderPath -Recurse -Force -ErrorAction Stop 315 | } 316 | catch { 317 | Write-host "Error deleting folder '$FolderPath\', adding to delete on reboot list." 318 | Remove-ItemOnReboot -Item "$FolderPath\" 319 | } 320 | } 321 | else { 322 | Write-Host "TEST ONLY: Not removing $FolderPath" 323 | } 324 | } 325 | else { 326 | Write-Verbose "Not found and thus not deleting: $Path" 327 | } 328 | } 329 | 330 | Function Remove-Registry-Path ([string]$Path) { 331 | Write-Verbose "Deleting registry path: $Path" 332 | $KeyPath = Resolve-Path $Path -ErrorAction SilentlyContinue 333 | if (![string]::IsNullOrEmpty($KeyPath) -and (Test-Path $KeyPath)) { 334 | Write-Host "Removing key $KeyPath" 335 | if (!$TestOnly) { 336 | Remove-Item -Path $KeyPath -Recurse -Force 337 | } 338 | else { 339 | Write-Host "TEST ONLY: Not removing $KeyPath" 340 | } 341 | } 342 | else { 343 | Write-Verbose "Not found and thus not deleting: ${Path}" 344 | } 345 | } 346 | 347 | function Remove-Agent { 348 | foreach ($service in $ServiceList) { 349 | Write-Host "`nGetting Service $service" 350 | $ServiceObj = Get-Service $service -ErrorAction SilentlyContinue 351 | if (($ServiceObj)) { 352 | $SvcInfo = Get-WmiObject win32_service | Where-Object { $_.Name -eq "$service" } | Select-Object Name, DisplayName, State, StartMode, PathName 353 | Write-Host "STATE: $($SvcInfo.State) MODE: $($SvcInfo.StartMode) `tSERVICE: $($SvcInfo.DisplayName) '$($SvcInfo.Name)'" 354 | Write-Host "PATH: $($SvcInfo.PathName)" 355 | 356 | $SvcPath = Split-Path -Path $($SvcInfo.PathName).Trim('"') -Parent 357 | $ServicePaths.Add($SvcPath) 358 | 359 | Stop-RunningService $ServiceObj 360 | Disable-Service $ServiceObj 361 | $ServiceObj = Get-Service $service -ErrorAction SilentlyContinue 362 | Remove-StoppedService $ServiceObj 363 | } 364 | else { 365 | Write-Host "Service $service not found." 366 | } 367 | } 368 | 369 | Write-Host 370 | 371 | foreach ($Folder in $FolderPathsList) { 372 | Remove-File-Path $Folder 373 | } 374 | 375 | foreach ($Folder in $InstallPaths) { 376 | Remove-File-Path $Folder 377 | } 378 | 379 | foreach ($Folder in $ServicePaths) { 380 | Remove-File-Path $Folder 381 | } 382 | 383 | foreach ($Key in $RegistryPaths) { 384 | Remove-Registry-Path $Key 385 | } 386 | } 387 | 388 | ##### BEGIN SCRIPT ##### 389 | 390 | # If not elevated error out. Admin priveledges are required to uninstall software 391 | if (-not (Test-IsElevated)) { 392 | Write-Error -Message "Access Denied. Please run with Administrator privileges." 393 | exit 1 394 | } 395 | 396 | foreach ($app in $MSIList) { 397 | $AgentInstall = ("HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") | ForEach-Object { Get-ChildItem -Path $_ | ForEach-Object { Get-ItemProperty $_.PSPath } | Where-Object { $_.DisplayName -match "$app" } } 398 | $AgentGUID = $AgentInstall.PSChildName 399 | 400 | if ($AgentInstall) { 401 | $InstallPaths.Add($AgentInstall.InstallLocation) 402 | $RegistryPaths.Add($AgentInstall.PSPath) 403 | Write-Host "`nUninstalling app '$app' using GUID: " $AgentGUID 404 | if ((Uninstall-GUID $AgentGUID) -eq 0) { 405 | Write-Host "Successfully uninstalled '$app' via MSI command using GUID $AgentGUID" 406 | } 407 | } 408 | else { 409 | Write-Verbose "No installation entry found to uninstall '$app' via MSI command." 410 | } 411 | } 412 | 413 | foreach ($app in $AppList) { 414 | $AgentInstall = ("HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall", "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") | ForEach-Object { Get-ChildItem -Path $_ | ForEach-Object { Get-ItemProperty $_.PSPath } | Where-Object { $_.DisplayName -match "$app" } } 415 | $AgentGUID = $AgentInstall.PSChildName 416 | 417 | if ($AgentInstall) { 418 | $InstallPaths.Add($AgentInstall.InstallLocation) 419 | $RegistryPaths.Add($AgentInstall.PSPath) 420 | Write-Host "`nUninstalling app '$app' using Inno Setup Quiet Removal." 421 | if ((Uninstall-App $AgentInstall) -eq 0) { 422 | Write-Host "Successfully uninstalled '$app' silently via Inno Setup Quiet Removal." 423 | } 424 | else { 425 | Write-Host "Unable to uninstall '$app' silently via Inno Setup Quiet Removal." 426 | } 427 | } 428 | else { 429 | Write-Verbose "No installation entry found to uninstall '$app' silently via Inno Setup command." 430 | } 431 | } 432 | 433 | Write-Host "Folder Paths:" 434 | $InstallPaths 435 | Write-Host "Registry Paths:" 436 | $RegistryPaths 437 | 438 | 439 | if ($Clean) { 440 | Write-Host "`nAttempting to clean up agent remnants..." 441 | Remove-Agent $AgentInstall 442 | 443 | Write-Host "`nService Folder Paths after Agent Removal:" 444 | $ServicePaths 445 | } 446 | -------------------------------------------------------------------------------- /ScreenConnect Self-Hosted LetsEncrypt Certs/BindNewScreenConnectCert.cmd: -------------------------------------------------------------------------------- 1 | @REM PASS THESE ARGUMENTS: cert-thumbprint certbinding-ip:port 2 | @REM cert-thumbprint: win-acme's {CertThumbprint} variable 3 | @REM certbinding-ip:port: the IP:port value of existing ScreenConnect 4 | @REM cert in the output of this command: 5 | @REM netsh http show sslcert 6 | @ECHO off 7 | echo "Installing ScreenConnect TLS Certificate" 8 | net stop "ScreenConnect Web Server" 9 | 10 | ECHO Now installing cert %1 11 | netsh http delete sslcert ipport=%2 12 | netsh http add sslcert ipport=%2 certhash=%1 appid="{00000000-0000-0000-0000-000000000000}" 13 | 14 | net start "ScreenConnect Web Server" 15 | -------------------------------------------------------------------------------- /ScreenConnect Self-Hosted LetsEncrypt Certs/README.md: -------------------------------------------------------------------------------- 1 | # Set up self-hosted ScreenConnect LetsEncrypt TLS certificates 2 | 3 | ## Context and Background 4 | 5 | When using a self-hosted ConnectWise ScreenConnect server, if you don't want to manually renew the TLS/SSL certificates annually, you must set up TLS certificates using LetsEncrypt. This is a feature that ConnectWise has rejected including, but the application does not use IIS directly, so the certificate that's used must be manually bound to the application initially and after renewal. This script is designed for Windows and is NOT relevant for Linux or macOS, where older versions of ScreenConnect ran and where there is more documentation available online for automating this process (and ConnectWise doesn't support SSO on any servers except Windows, which is important for some people). 6 | 7 | ### Introduction and Overview 8 | 9 | There were too many possible options, libraries, and methods to try but no simple process with a very straightforward installation script that was tested for use on modern Windows versions with the default ScreenConnect web server configuration that didn't involve proxies or third parties like CloudFlare, so I assembled this process that requires the very well-written, easy-to-use, and frequently updated win-acme tool and a tiny script to install the certificate. Hopefully this provides the push to stop renewing certificates manually for ScreenConnect! 10 | 11 | ## What this is not 12 | 13 | This process assumes you already have an operational [ScreenConnect](https://screenconnect.com) installation on your own self-hosted server, and that it's already configured with a valid TLS certificate, perhaps issued by RapidSSL or any other certificate authority where you buy certificates and manually retrieve and install them, but that you'd like to switch to using LetsEncrypt certificates instead. 14 | 15 | This process assumes you are having LetsEncrypt configured for TLS, are using the built-in web server and not proxying the web server through a third party like CloudFlare or yourself using nginx or Caddy, so it doesn't walk you through that process. It also assumes you have locked down the TLS settings yourself and validated it using a service like [Qualys SSLLabs](https://www.ssllabs.com/ssltest/) in order to ensure only modern and secure TLS configurations are used. 16 | 17 | ## Alternate Solutions 18 | 19 | We will assume you will not use a self-signed certificate, which is not recommended as it is not secure and is subject to being revoked. This is not a real option for a public server. 20 | 21 | 1. Use a third-party tool like CertifyTheWeb to obtain and renew a certificate from LetsEncrypt. This should work and is well documented, but as of this writing costs approximately $60 per year, which is substantially more than a basic RapidSSL certificate (though you'd have to spend the time renewing it manually). 22 | 2. Create your own PowerShell or command-line based script to obtain and renew a certificate from LetsEncrypt and apply it to ScreenConnect. There are various PowerShell modules for ACME v2 that would work; this solution is relatively close but it uses a third-party free tool called [win-acme](https://www.win-acme.com/) to obtain and renew the certificate, calling the Command Line script provided here to remove the old and install the new certificate for ScreenConnect use. 23 | 24 | ## This Solution 25 | 26 | ### win-acme and installation script 27 | The script in this repository, `BindNewScreenConnectCert.cmd` (the installation script that win-acme runs after obtaining the certificate) should be placed into a folder with the extracted win-acme zip file contents. From the [win-acme](https://www.win-acme.com/) website, on your Windows server where ScreenConnect is running, place the extracted win-acme zip file contents in a permanent location. You may wish to create a folder like C:\certs to hold the files, or place it in an existing location. I'm using `C:\certs\win-acme-pluggable` in this example and you're welcome to copy mine or choose your own. The executable that matters is `C:\certs\win-acme-pluggable\wacs.exe` or the same file inside the extracted zip on your system. 28 | 29 | ### Validating for certificate to be issued 30 | Configuring win-acme to obtain a certificate and validate properly is left up to you, but their documentation is relatively good. If you've run certbot on Linux it's not terribly different. Validation can be completed via multiple web-based or DNS-based method. If web-based, you'll need to allow port 80 for HTTP access to the server to handle validation, all the way through the firewall. win-acme has a plugin system for many DNS providers that can validate with DNS instead (including Microsoft Azure DNS, CloudFlare, and many others). 31 | 32 | ### Determine the bound IP and port of ScreenConnect server 33 | If you run this command from an elevated command prompt, it will display the TLS certificates that are mapped to listening IP:port combinations: 34 | 35 | `netsh http show sslcert` 36 | 37 | The first field should be named "IP/port" and should be in a global "listen on all interfaces" format like `0.0.0.0:443` or a specific IP (public or private) like `10.0.0.2:443`. As noted above, you need ScreenConnect already functional and listening or to figure this out first. Some of the potential commands and screenshots of sample output are listed at [Replace/renew your SSL certificate in ConnectWise OnPrem](https://nadavsvirsky.medium.com/replace-renew-your-ssl-certificate-in-connectwise-onprem-82fc15352227). Gather the IP:port string from the above command and record it for the next step. 38 | 39 | If you need to set this up for the first time, there are instructions at [ConnectWise Control (ScreenConnect) On-Premise SSL Installation Woes… Here’s the Secret to Using an Alternate Port (not 443), Working With SSL](https://asheroto.medium.com/screenconnect-on-premise-ssl-installation-woes-heres-the-secret-to-get-an-alternate-port-working-931f240ced92) although you can simply use the default port 443, but that's up to you. (Note the article recommends RapidSSL certificates and suggests the benefit is not renewing every 90 days; we are automating this process so that's not ever necessary but the manual setup steps are similar and useful! You don't have to use the ScreenConnectSSLConfigurator they recommend if you just want to get a certificate with win-acme in the first place which will be used in the same way, and win-acme handles all public and private keys and CSRs in addition to renewals.) The section starting "To show existing bindings" has the more useful information in this article, along with the next "Binding the Certificate — Method 1" section; Method 2 uses the ScreenConnectSSLConfigurator again but shouldn't be necessary. 40 | 41 | ### Run wacs.exe and obtain a new certificate 42 | Open an elevated command prompt or PowerShell prompt (either is fine) and change to the folder you extracted the win-acme zip file contents to, then run `.\wacs.exe` from the command prompt. It will launch a menu and let you walk through obtaining a new certificate, using the `M` option to Create certificate (full options). 43 | 44 | Walk through the wizard to obtain a new certificate. Choose your own validation options to match what you wish to use and have available. The "Store" you choose should be "Windows Certificate Store (Local Computer)" and when prompted for how you would like to store the certificate, choose "2: [My] - General computer store (for Exchange/RDS)" as the option. If you want to store the certificate a second way, choose a second set of options but this should not be necessary and you can choose "5: No (additional) store steps" (the default). 45 | 46 | For the Installation step, choose "2: Start external script or program" and enter the full path to the BindNewScreenConnectCert.cmd script and press Enter, for example in the folder above: 47 | 48 | `C:\certs\win-acme-pluggable\BindNewScreenConnectCert.cmd` 49 | 50 | You'll then be prompted for Parameters. The script requires two parameters, the first is the thumbprint of the certificate to bind. The second is the IP:port to bind to (which it will unbind first). Enter the placeholder variable and the IP:port string all on one line but separate by a space as the Parameters value, exactly like this with the curly braces (customize only the IP:port portion), then press Enter: 51 | 52 | `{CertThumbprint} 0.0.0.0:443` 53 | 54 | Choose 3 to perform no additional installation steps and press Enter. The certificate will be obtained, assuming no errors, saved to the Local Computer Personal Certificates, then the installation script will be called by win-acme and the script will unbind the existing certificate (if any), bind the new one by thumbprint (both using `netsh` commands). **Warning: This process will stop the ScreenConnect Web Server service! After rebinding the new certificate, it will start it again. However, connections will be interrupted!** 55 | 56 | By default, Task Scheduler will have a task added by win-acme to run daily to attempt certificate renewal. However, certificates won't be renewed until 55 days have elapsed by default. The `settings.json` file can be edited in the folder alongside `wacs.exe` and the settings are well-documented on the win-acme website. You may wish to provide different schedule times (perhaps not during the day, since the process stops the ScreenConnect Web Server service and restarts it after rebinding). 57 | 58 | You can exit the win-acme menus now and run `netsh http show sslcert` to verify the new certificate is bound properly. 59 | 60 | ### Editing the certificate 61 | You can re-run `wacs.exe` and choose Manage Renewals to walk through the reviewing or editing any of the settings you set above. After editing, the certificate will be reinstalled including reloading the ScreenConnect service! Note that by default the renewal will use the cached certificate and will not reach out to LetsEncrypt if it's been less than a day, by default, to avoid rate-limiting. 62 | 63 | Renewals should run automatically, but you can edit `settings.json` to configure an SMTP server and email details to send failure and, optionally, success notifications to you via email, or you can monitor the expiration externally with a tool like UptimeRobot or others that will alert you if the renewal fails with enough time to remediate the issue. 64 | 65 | ### Examining the command line generated for renewals 66 | The Renewals submenu in `wacs.exe` also has an "L" option that will display the command line you can run to renew the certificate manually; if nothing else this is nice to review what the command line options being used are, and see the script call and parameters that are set. It also displays the next renewal attempt date of all certificates being managed for review. 67 | 68 | ### Reviewing the script run in Event Log 69 | win-acme does a great job of logging, to its own log and to the Windows Application Event Log. If you want to see the actual output of the `BindNewScreenConnectCert.cmd` script, you can open the Windows Event Log and search for Event ID 7703, the source will be "win-acme" if you'd like to set a filter. The output of the script will be in the "Message" field of the event on the General tab of this event ID when it's logged. You should see the service stopping, the binding deleted, re-added, and the service told to start again. 70 | 71 | ## Summary 72 | These instructions could likely be more concise and clearer, possibly with some screenshots, but this is the first pass. If you have any suggestions for improvement, please let me know! Pull requests are also welcome. Hope this is helpful! 73 | 74 | # References 75 | 76 | A few links that were helpful in my research, not mentioned above: 77 | 78 | - [win-acme documentation for installation scripts](https://www.win-acme.com/reference/plugins/installation/script) 79 | - [official ScreenConnect docs on updating SSL cert](https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Advanced_setup/SSL_certificate_installation/Install_and_bind_an_SSL_certificate_on_a_Windows_server) 80 | - [Installing an SSL certificate manually on Windows](https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Advanced_setup/SSL_certificate_installation/Install_and_bind_an_SSL_certificate_on_a_Windows_server) 81 | - [official ScreenConnect docs on the SSL Configurator tool](https://docs.connectwise.com/ConnectWise_ScreenConnect_Documentation/On-premises/Advanced_setup/SSL_certificate_installation/SSL_Configurator) -------------------------------------------------------------------------------- /ScreenConnect Server/Upgrade-ScreenConnect-Server.ps1: -------------------------------------------------------------------------------- 1 | <# Upgrade-ScreenConnect-Server.ps1 2 | Run this PowerShell script from an elevated PowerShell prompt to upgrade your ScreenConnect server to the latest version. 3 | 4 | Before running, confirm the $Downloads folder path exists (configured below) and optionally contains the latest ScreenConnect installer. 5 | 6 | The script will first check the online download page for ScreenConnect and attempt to verify the newest verison. If there is a newer version available 7 | to download, it will prompt you to download the latest version. If you choose not to, it will continue with the latest installer in the $Downloads folder, 8 | if one already exists. 9 | 10 | Note that the download page parsing may or may not be accurate and has only been tested with one version avialble, for Windows. If parsing fails, 11 | please report the issue to the author. You should be able to install using the latest installer in the $Downloads folder regardless, if one exists. 12 | 13 | Use the -SkiDownload parameter to skip the download prompt or cloud version check and only use locally downloaded installers, if any. 14 | 15 | Downloads are located at https://www.screenconnect.com/Download online. NOTE: ScreenConnect Client is NOT installed as part of this script!! This is for the server itself! 16 | 17 | Run this PowerShell script from an elevated PowerShell prompt to upgrade your ScreenConnect server to the latest version. Will prompt you before proceeding, but otherwise will run silently. 18 | 19 | Existing ScreenConnect server must already be installed. Version numbers will be verified and the upgrade will only be performed if the installer is for a newer version than the installation. 20 | 21 | Install the PowerShell module "MSI" using "Install-Module MSI" if it is not already installed (you will a runtime error if it's not installed). 22 | 23 | Use the switch -Force to download (if necessary) and install without prompting, assuming newer installer than installed version. 24 | 25 | Version 0.0.1 - 2024-02-24 - Initial version by David Szpunar 26 | Version 0.0.2 - 2025-05-01 - Updated to incorporate version checking and download functionality directly in this script. 27 | #> 28 | param( 29 | [switch] $Force, 30 | [switch] $SkipDownload 31 | ) 32 | #Requires -Modules MSI 33 | 34 | ### CONFIG 35 | # Define where the ScreenConnect MSI files are located, defaults to current user's Downloads folder. 36 | # Only the most recently modified MSI file with name starting with ScreenConnect_ will be used. 37 | $Downloads = "~\Downloads" 38 | ### END CONFIG 39 | 40 | #region Functions 41 | function Get-LatestScreenConnectVersion { 42 | [CmdletBinding()] 43 | param() 44 | 45 | try { 46 | # Download the ScreenConnect download page 47 | $url = "https://www.screenconnect.com/Download" 48 | $response = Invoke-WebRequest -Uri $url -UseBasicParsing 49 | $content = $response.Content 50 | 51 | # Look for the download URL of the stable release version 52 | $downloadUrlPattern = 'https://[^"]+ScreenConnect_[\d\.]+_Release\.msi' 53 | if ($content -match $downloadUrlPattern) { 54 | $downloadUrl = $matches[0] 55 | $fileName = $downloadUrl.Split('/')[-1] 56 | 57 | # Extract version from filename 58 | $version = "Unknown" 59 | if ($fileName -match 'ScreenConnect_(\d+\.\d+\.\d+\.\d+)') { 60 | $version = $matches[1] 61 | } 62 | 63 | # Extract information directly using the HTML structure provided by the user 64 | # Look for the row containing this URL 65 | $rowPattern = ']*>(.*?)' 66 | if ($content -match $rowPattern) { 67 | $rowContent = $matches[1] 68 | 69 | # Extract the column values using the known structure 70 | $sizePattern = '
\s*(.*?)\s*
' 71 | $releaseDatePattern = '
\s*(.*?)\s*
' 72 | $fileNamePattern = '
\s*(.*?)\s*
' 73 | $platformsPattern = '
\s*(.*?)\s*
' 74 | 75 | $size = if ($rowContent -match $sizePattern) { $matches[1].Trim() } else { "Unknown" } 76 | $releaseDate = if ($rowContent -match $releaseDatePattern) { $matches[1].Trim() } else { "Unknown" } 77 | $fileNameFromHtml = if ($rowContent -match $fileNamePattern) { $matches[1].Trim() } else { "Unknown" } 78 | $platforms = if ($rowContent -match $platformsPattern) { $matches[1].Trim() } else { "Unknown" } 79 | } 80 | else { 81 | # If we can't find the row, try a different approach 82 | # Use the exact HTML structure from the user's example 83 | $tableRowPattern = '
\s*
\s*(.*?)\s*
\s*
\s*(.*?)\s*
\s*
\s*(.*?)\s*
\s*
\s*(.*?)\s*
' 84 | 85 | if ($content -match $tableRowPattern) { 86 | $size = $matches[1].Trim() 87 | $releaseDate = $matches[2].Trim() 88 | $fileNameFromHtml = $matches[3].Trim() 89 | $platforms = $matches[4].Trim() 90 | } 91 | else { 92 | # Last resort - try to find values directly 93 | $size = "Unknown" 94 | $releaseDate = "Unknown" 95 | $platforms = "Unknown" 96 | 97 | # Look for a pattern like "123 MB" near the file name 98 | if ($content -match '(\d+)\s*MB[^<]*' + [regex]::Escape($fileName)) { 99 | $size = $matches[1] + " MB" 100 | } 101 | 102 | # Look for a date pattern near the file name 103 | if ($content -match '(\d{1,2}/\d{1,2}/\d{4})[^<]*' + [regex]::Escape($fileName)) { 104 | $releaseDate = $matches[1] 105 | } 106 | 107 | # Look for platform information near the file name 108 | if ($content -match [regex]::Escape($fileName) + '[^<]*(Windows|Linux|Mac)') { 109 | $platforms = $matches[1] 110 | } 111 | } 112 | } 113 | 114 | # Create and return a custom object with the extracted information 115 | [PSCustomObject]@{ 116 | Size = $size 117 | ReleaseDate = $releaseDate 118 | FileName = $fileName 119 | Platforms = $platforms 120 | Version = $version 121 | DownloadUrl = $downloadUrl 122 | } 123 | } 124 | else { 125 | Write-Error "Could not find stable release download link on the page." 126 | return $null 127 | } 128 | } 129 | catch { 130 | Write-Error "An error occurred while retrieving ScreenConnect version information: $_" 131 | return $null 132 | } 133 | } 134 | 135 | function Compare-ScreenConnectVersions { 136 | [CmdletBinding()] 137 | param ( 138 | [Parameter(Mandatory = $true)] 139 | [string]$CurrentVersion, 140 | 141 | [Parameter(Mandatory = $true)] 142 | [string]$LatestVersion 143 | ) 144 | 145 | try { 146 | # Parse versions into version objects for proper comparison 147 | $currentVersionObj = [System.Version]::new($CurrentVersion) 148 | $latestVersionObj = [System.Version]::new($LatestVersion) 149 | 150 | # Compare versions 151 | $comparisonResult = $currentVersionObj.CompareTo($latestVersionObj) 152 | 153 | # Return comparison result 154 | [PSCustomObject]@{ 155 | CurrentVersion = $CurrentVersion 156 | LatestVersion = $LatestVersion 157 | IsUpdateAvailable = $comparisonResult -lt 0 158 | IsCurrentVersionNewer = $comparisonResult -gt 0 159 | AreVersionsEqual = $comparisonResult -eq 0 160 | } 161 | } 162 | catch { 163 | Write-Error "An error occurred while comparing versions: $_" 164 | return $null 165 | } 166 | } 167 | 168 | function Download-ScreenConnectFile { 169 | [CmdletBinding()] 170 | param ( 171 | [Parameter(Mandatory = $true)] 172 | [string]$Url, 173 | 174 | [Parameter(Mandatory = $true)] 175 | [string]$DestinationFolder, 176 | 177 | [Parameter(Mandatory = $true)] 178 | [string]$FileName 179 | ) 180 | 181 | try { 182 | # Ensure the destination folder exists 183 | if (-not (Test-Path -Path $DestinationFolder)) { 184 | New-Item -Path $DestinationFolder -ItemType Directory -Force | Out-Null 185 | Write-Host "Created download folder: $DestinationFolder" -ForegroundColor Cyan 186 | } 187 | 188 | $destinationPath = Join-Path -Path $DestinationFolder -ChildPath $FileName 189 | 190 | # Download the file 191 | Write-Host "Downloading file from $Url" -ForegroundColor Cyan 192 | Write-Host "Saving to $destinationPath" -ForegroundColor Cyan 193 | 194 | $webClient = New-Object System.Net.WebClient 195 | $webClient.DownloadFile($Url, $destinationPath) 196 | 197 | Write-Host "Download completed successfully." -ForegroundColor Green 198 | return $destinationPath 199 | } 200 | catch { 201 | Write-Error "Failed to download file: $_" 202 | return $null 203 | } 204 | } 205 | #endregion Functions 206 | 207 | # Get the path to the currently installed ScreenConnect service 208 | $svcPath = [System.IO.Path]::Combine(${env:ProgramFiles(x86)}, "ScreenConnect\Bin", "ScreenConnect.Service.exe") 209 | if (!(Test-Path $svcPath)) { 210 | Write-Host "Unable to locate ScreenConnect Service executable file. Must already be installed. Quitting." -ForegroundColor Red 211 | exit 1 212 | } 213 | 214 | # Get the currently installed version 215 | $svcVersion = (Get-Command $svcPath).FileVersionInfo.FileVersion 216 | Write-Host "Installed Path:`t`t" $svcPath 217 | Write-Host "Installed Version:`t" $svcVersion -ForegroundColor Yellow 218 | Write-Host 219 | 220 | $latestVersionInfo = '' 221 | if ($SkipDownload) { 222 | Write-Host "Skipping download check." -ForegroundColor Yellow 223 | $downloadedNewVersion = $false 224 | } 225 | else { 226 | Write-Host "Checking for new version..." -ForegroundColor Cyan 227 | # Check for the latest version available online 228 | Write-Host "Checking for latest ScreenConnect version online..." -ForegroundColor Cyan 229 | $latestVersionInfo = Get-LatestScreenConnectVersion 230 | } 231 | 232 | if ('' -eq $latestVersionInfo -or $null -eq $latestVersionInfo) { 233 | Write-Host "Failed to retrieve (or skipped) latest version information. Will check for local installers." -ForegroundColor Yellow 234 | } 235 | else { 236 | Write-Host "Latest version information:" -ForegroundColor Cyan 237 | Write-Host " Version: $($latestVersionInfo.Version)" -ForegroundColor White 238 | Write-Host " File: $($latestVersionInfo.FileName)" -ForegroundColor White 239 | Write-Host " Size: $($latestVersionInfo.Size)" -ForegroundColor White 240 | Write-Host " Released: $($latestVersionInfo.ReleaseDate)" -ForegroundColor White 241 | Write-Host " Platforms: $($latestVersionInfo.Platforms)" -ForegroundColor White 242 | Write-Host " Download URL: $($latestVersionInfo.DownloadUrl)" -ForegroundColor White 243 | 244 | # Compare versions 245 | $comparisonResult = Compare-ScreenConnectVersions -CurrentVersion $svcVersion -LatestVersion $latestVersionInfo.Version 246 | 247 | if ($null -eq $comparisonResult) { 248 | Write-Host "Failed to compare versions. Will check for local installers." -ForegroundColor Yellow 249 | } 250 | elseif ($comparisonResult.IsUpdateAvailable) { 251 | Write-Host "`nAn update is available!" -ForegroundColor Yellow 252 | Write-Host "Current version: $($comparisonResult.CurrentVersion)" -ForegroundColor White 253 | Write-Host "Latest version: $($comparisonResult.LatestVersion)" -ForegroundColor White 254 | 255 | # Prompt user to download the update 256 | if ($Force -or (Read-Host -Prompt "Do you want to download the update? (Y/N)") -like "y*") { 257 | # Ensure download folder exists and is resolved 258 | $DownloadFolder = Resolve-Path -Path $Downloads -ErrorAction SilentlyContinue 259 | if (-not $DownloadFolder) { 260 | $DownloadFolder = (New-Item -Path $Downloads -ItemType Directory -Force).FullName 261 | Write-Host "Created download folder: $DownloadFolder" -ForegroundColor Cyan 262 | } 263 | 264 | # Download the file 265 | $downloadPath = Download-ScreenConnectFile -Url $latestVersionInfo.DownloadUrl -DestinationFolder $DownloadFolder -FileName $latestVersionInfo.FileName 266 | 267 | if ($null -ne $downloadPath -and (Test-Path -Path $downloadPath)) { 268 | Write-Host "`nDownload successful!" -ForegroundColor Green 269 | Write-Host "File saved to: $downloadPath" -ForegroundColor White 270 | $InstallerFile = $downloadPath 271 | $InstallerVersion = $latestVersionInfo.Version 272 | $installerVer = [version]$InstallerVersion 273 | $installedVer = [version]$svcVersion 274 | $downloadedNewVersion = $true 275 | } 276 | else { 277 | Write-Host "`nDownload failed. Will check for existing installers." -ForegroundColor Red 278 | $downloadedNewVersion = $false 279 | } 280 | } 281 | else { 282 | Write-Host "`nDownload canceled. Will check for existing installers." -ForegroundColor Yellow 283 | $downloadedNewVersion = $false 284 | } 285 | } 286 | elseif ($comparisonResult.AreVersionsEqual) { 287 | Write-Host "`nYou have the latest version installed." -ForegroundColor Green 288 | 289 | # Check if the installer for the current version exists in the Downloads folder 290 | $DownloadFolder = Resolve-Path -Path $Downloads -ErrorAction SilentlyContinue 291 | $existingInstaller = $null 292 | if ($DownloadFolder) { 293 | $existingInstaller = Get-ChildItem -Path "$DownloadFolder\ScreenConnect_$($latestVersionInfo.Version)*.msi" -ErrorAction SilentlyContinue | Select-Object -First 1 294 | } 295 | 296 | if ($null -eq $existingInstaller) { 297 | # Installer doesn't exist, prompt to download it 298 | if ($Force -or (Read-Host -Prompt "Installer for current version not found. Download current installer anyway? (Y/N)") -like "y*") { 299 | # Ensure download folder exists and is resolved 300 | if (-not $DownloadFolder) { 301 | $DownloadFolder = (New-Item -Path $Downloads -ItemType Directory -Force).FullName 302 | Write-Host "Created download folder: $DownloadFolder" -ForegroundColor Cyan 303 | } 304 | 305 | # Download the file 306 | $downloadPath = Download-ScreenConnectFile -Url $latestVersionInfo.DownloadUrl -DestinationFolder $DownloadFolder -FileName $latestVersionInfo.FileName 307 | 308 | if ($null -ne $downloadPath -and (Test-Path -Path $downloadPath)) { 309 | Write-Host "`nDownload successful!" -ForegroundColor Green 310 | Write-Host "File saved to: $downloadPath" -ForegroundColor White 311 | $InstallerFile = $downloadPath 312 | $InstallerVersion = $latestVersionInfo.Version 313 | $installerVer = [version]$InstallerVersion 314 | $installedVer = [version]$svcVersion 315 | $downloadedNewVersion = $true 316 | } 317 | else { 318 | Write-Host "`nDownload failed. Will check for existing installers." -ForegroundColor Red 319 | $downloadedNewVersion = $false 320 | } 321 | } 322 | else { 323 | Write-Host "`nDownload canceled. Will check for existing installers." -ForegroundColor Yellow 324 | $downloadedNewVersion = $false 325 | } 326 | } 327 | else { 328 | Write-Host "Installer for current version already exists: $($existingInstaller.FullName)" -ForegroundColor Cyan 329 | $InstallerFile = $existingInstaller.FullName 330 | $InstallerVersion = $latestVersionInfo.Version 331 | $installerVer = [version]$InstallerVersion 332 | $installedVer = [version]$svcVersion 333 | $downloadedNewVersion = $true 334 | } 335 | } 336 | elseif ($comparisonResult.IsCurrentVersionNewer) { 337 | Write-Host "`nYour current version is newer than the latest stable release." -ForegroundColor Magenta 338 | Write-Host "You might be using a pre-release or custom build. Will check for existing installers anyway." -ForegroundColor White 339 | $downloadedNewVersion = $false 340 | } 341 | } 342 | 343 | # If we didn't download a new version or if download failed, check for existing installers 344 | if (-not (Get-Variable -Name downloadedNewVersion -ErrorAction SilentlyContinue) -or -not $downloadedNewVersion) { 345 | $InstallerPath = Resolve-Path -Path $Downloads -ErrorAction SilentlyContinue 346 | if (!$InstallerPath) { 347 | Write-Host "Unable to locate the $Downloads folder to look for installers. Quitting" -ForegroundColor Red 348 | exit 1 349 | } 350 | else { 351 | Write-Host "Looking for installers in the $InstallerPath folder..." -ForegroundColor Cyan 352 | } 353 | 354 | $installer = (Get-ChildItem "$InstallerPath\ScreenConnect_*.msi" -Attributes !Directory | Sort-Object -Descending -Property LastWriteTime | Select-Object -First 1) 355 | if (!($installer)) { 356 | Write-Host "Unable to locate a ScreenConnect MSI installer to install." -ForegroundColor Red 357 | exit 1 358 | } 359 | else { 360 | $InstallerFile = $installer.FullName 361 | Write-Host "Located the installer $InstallerFile, analyzing..." -ForegroundColor Cyan 362 | } 363 | 364 | $InstallerProps = $installer | Get-MsiProperty -PassThru | Select-Object Name, MSIProperties 365 | $InstallerVersion = $InstallerProps.productversion 366 | $InstallerName = $InstallerProps.productname 367 | 368 | if ($InstallerName -ne 'ScreenConnect') { 369 | Write-Host "The $InstallerFile file is not a ScreenConnect installer! Quitting." -ForegroundColor Red 370 | exit 1 371 | } 372 | else { 373 | Write-Host 374 | } 375 | 376 | Write-Host "Installer File:`t`t" $InstallerFile 377 | Write-Host "File write time:`t" $installer.LastWriteTime 378 | Write-Host "Installer Version:`t" $InstallerVersion -ForegroundColor Yellow 379 | Write-Host 380 | 381 | $installedVer = [version]$svcVersion 382 | $installerVer = [version]$InstallerVersion 383 | } 384 | 385 | # Compare the installer version to the installed version 386 | if ($installerVer -eq $installedVer) { 387 | Write-Host "The installer version is the SAME as current install! Quitting." -ForegroundColor Red 388 | exit 1 389 | } 390 | elseif ($installerVer -lt $installedVer) { 391 | Write-Host "The installer is OLDER than current install! Quitting." -ForegroundColor Red 392 | exit 1 393 | } 394 | elseif ($installerVer -gt $installedVer) { 395 | Write-Host "The installer is newer than current install. Proceeding..." -ForegroundColor Green 396 | } 397 | 398 | If ($Force -or (Read-Host "Silently install this MSI file? (Yes/No)") -Like "y*") { 399 | $InstallerLogFile = [io.path]::ChangeExtension([io.path]::GetTempFileName(), ".log") 400 | Write-Host "InstallerLogFile:`t" $InstallerLogFile 401 | $Arguments = " /c msiexec /i `"$InstallerFile`" /qn /l*v `"$InstallerLogFile`"" 402 | $Process = Start-Process -Wait cmd -ArgumentList $Arguments -PassThru 403 | if ($Process.ExitCode -ne 0) { 404 | Get-Content $InstallerLogFile -ErrorAction SilentlyContinue | Select-Object -Last 200 405 | Write-Host "Upgrade failed, please troubleshoot manually. Log file: $InstallerLogFile" -ForegroundColor Red 406 | } 407 | else { 408 | Write-Host "Uprade successfully completed. Please upgrade endpoint agents and adjust filter list version in application." -ForegroundColor Green 409 | } 410 | } 411 | else { 412 | Write-Host "Cancelled, no action taken." -ForegroundColor Red 413 | } 414 | -------------------------------------------------------------------------------- /Windows-Security-Hardening/Disable-PowerShell-V2.ps1: -------------------------------------------------------------------------------- 1 | <# Disable-PowerShell-V2.ps1 2 | Check if PowerShell v2 is enabled disable it if it is. 3 | 4 | Security report with example disable command: https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-70637 5 | 6 | Version 1.0.0 - 2023-10-18 - Initial Version 7 | 8 | USAGE: Run script to report and disable PowerShell v2. No change will be made if it's already disabled. 9 | In order to provide an undo option, pass the argument -Enable to instead enable PowerShell v2, if disabled. 10 | Returns 0 if the requested action was successful or no action was taken, or 1 if a requested change fails to 11 | succeed after testing. Will report if a reboot is required to complete the change (it usually isn't). 12 | #> 13 | [CmdletBinding()] 14 | param( 15 | [Parameter(Mandatory=$false)][switch] $Enable 16 | ) 17 | if($env:enable -eq $true) { 18 | $Enable = $true 19 | } 20 | 21 | function Disable-Or-Enable-PowerShellV2 { 22 | param( 23 | [Parameter(Mandatory=$false)][bool] $Enable 24 | ) 25 | $feature = $false 26 | [bool]$exists = $false 27 | $features = Get-WindowsOptionalFeature -Online 28 | foreach($feat in $features) { 29 | if($feat.FeatureName -eq "MicrosoftWindowsPowerShellV2Root") { 30 | $exists = $true 31 | $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root 32 | } 33 | } 34 | if(!$exists) { 35 | Write-Host "The Windows feature 'MicrosoftWindowsPowerShellV2Root' does not exist. This OS does not support PowerShell V2. Quitting." 36 | return 0 37 | } 38 | 39 | if($feature.State -ne "Disabled" -and !$Enable) { 40 | Write-Host "PowerShell v2 is currently ENABLED. Disabling..." 41 | $change = Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root 42 | if($change.RestartNeeded -eq $true) { 43 | Write-Host "PowerShell v2 requires a restart to complete disabling. Please restart the system." 44 | } 45 | $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root 46 | if($feature.State -ne "Disabled") { 47 | Write-Host "PowerShell v2 was NOT DISABLED even after attempting the change. Something went wrong." 48 | return 1 49 | } else { 50 | Write-Host "PowerShell v2 was DISABLED successfully." 51 | return 0 52 | } 53 | } elseif ($feature.State -ne "Enabled" -and $Enable) { 54 | Write-Host "PowerShell v2 is currently DISABLED. Enabling..." 55 | $change = Enable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart 56 | if($change.RestartNeeded -eq $true) { 57 | Write-Host "PowerShell v2 requires a restart to complete enabling. Please restart the system." 58 | } 59 | $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root 60 | if($feature.State -ne "Enabled") { 61 | Write-Host "PowerShell v2 was NOT ENABLED even after attempting the change. Something went wrong." 62 | return 1 63 | } else { 64 | Write-Host "PowerShell v2 was ENABLED successfully." 65 | return 0 66 | } 67 | } elseif ($feature.State -eq "Enabled" -and $Enable) { 68 | Write-Host "PowerShell v2 is already ENABLED." 69 | return 0 70 | } else { 71 | Write-Host "PowerShell v2 is already DISABLED." 72 | return 0 73 | } 74 | } 75 | 76 | 77 | exit (Disable-Or-Enable-PowerShellV2 $Enable) 78 | -------------------------------------------------------------------------------- /Windows-Security-Hardening/Harden-Security-Windows-Registry.ps1: -------------------------------------------------------------------------------- 1 | <# Harden-Security-Windows-Registry.ps1 2 | This script configures several common registry settings that lock down Windows client (and sometimes server) security. 3 | Usually this means disabling old protocols or requiring SMB signing, etc., and on modern networks most of these already 4 | should not be used, but also in theory it could break things, so only run this on systems where you know it won't have 5 | a negative effect, or are prepared to diagnose issues/test things after adjusting. 6 | 7 | There is currently no automatic undo for these settings, but given that these are all basic registry settings, 8 | usually deleting the key or changing the value will reverse the change. Many times, rebooting is required before 9 | a change will take effect. These settings may be overridden by local or group policy settings, or Intune, if 10 | those are configured. 11 | 12 | Version 0.0.1 - 2023-12-27 - Initial release by David Szpunar 13 | Version 0.0.2 - 2024-03-12 - Updated to properly set (or fix) the registry value type to DWord when needed, rather than always using REG_SZ (string). 14 | Version 0.0.3 - 2024-03-12 - Updated to disable NetBIOS over TCP/IP (NBT-NS) for physical network adapters. 15 | #> 16 | 17 | # SOURCE: https://discord.com/channels/676451788395642880/1063257007324414004/1187116607500197908 by Mikey O'Toole. 18 | # Utility Function: Registry.ShouldBe - modified to skip Wow6432Node registry paths on 32-bit Windows. 19 | ## This function is used to ensure that a registry value exists and is set to a specific value. 20 | function Registry.ShouldBe { 21 | [CmdletBinding()] 22 | param( 23 | [Parameter(Mandatory)] 24 | [string]$Path, 25 | [Parameter(Mandatory)] 26 | [string]$Name, 27 | [Parameter(Mandatory)] 28 | [string]$Value, 29 | [Parameter(Mandatory)] 30 | [ValidateSet('String','ExpandString','Binary','DWord','MultiString','QWord')] 31 | [string]$Type 32 | ) 33 | begin { 34 | # Return if the OS is not 64-bit if the registry path includes Wow6432Node (these are only valid on 64-bit Windows). 35 | if(![System.Environment]::Is64BitOperatingSystem -and ($Path -like "*\Wow6432Node\*")) { 36 | Write-Warning ("Skipping Wow6432Node registry path on 32-bit Windows: $Path") 37 | return 38 | } 39 | # Make sure the registry path exists. 40 | if (!(Test-Path $Path)) { 41 | Write-Warning ("Registry path '$Path' does not exist. Creating.") 42 | New-Item -Path $Path -Force | Out-Null 43 | } 44 | # Make sure it's actually a registry path. 45 | if (!(Get-Item $Path).PSProvider.Name -eq 'Registry' -and !(Get-Item $Path).PSIsContainer) { 46 | throw "Path '$Path' is not a registry path." 47 | } 48 | } 49 | process { 50 | do { 51 | # Do nothing if the -64bit switch is set and the OS is not 64-bit. 52 | if(![System.Environment]::Is64BitOperatingSystem -and $64BitOnly) { 53 | return 0 54 | } 55 | # Do nothing if the -32bit switch is set and the OS is not 32-bit. 56 | if(![System.Environment]::Is64BitOperatingSystem -and $32BitOnly) { 57 | return 0 58 | } 59 | # Make sure the registry value exists. 60 | if (!(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) { 61 | Write-Warning ("Registry value '$Name' in path '$Path' does not exist. Setting to '$Value' with type '$Type'.") 62 | New-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force | Out-Null 63 | } 64 | # Make sure the registry value is correct. 65 | if ((Get-ItemProperty -Path $Path -Name $Name).$Name -ne $Value) { 66 | Write-Warning ("Registry value '$Name' in path '$Path' is not correct. Setting to '$Value' with type '$Type'.") 67 | Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type 68 | } 69 | # Make sure the registry value type is correct. 70 | if ((Get-Item -Path $Path).GetValueKind($Name) -ne $Type) { 71 | Write-Warning ("Registry value type for key '$Name' in path '$Path' is not correct. Setting to '$Type' with value '$Value'.") 72 | Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type 73 | } 74 | } while ((Get-ItemProperty -Path $Path -Name $Name).$Name -ne $Value) 75 | } 76 | } 77 | 78 | function Test-IsElevated { 79 | $id = [System.Security.Principal.WindowsIdentity]::GetCurrent() 80 | $p = New-Object System.Security.Principal.WindowsPrincipal($id) 81 | $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) 82 | } 83 | 84 | function Test-IsWorkstation { 85 | $OS = Get-CimInstance -ClassName Win32_OperatingSystem 86 | return $OS.ProductType -eq 1 87 | } 88 | 89 | if(!(Test-IsElevated)) { 90 | Write-Host "This script needs to be run with elevated permissions. Exiting..." 91 | exit 1 92 | } 93 | 94 | # Disable LLMNR: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast Registry key is not present, Hence presumed as Enabled(1), Expected value: 0 95 | Write-Host "Disabling LLMNR Multicast Name Resolution..." 96 | Registry.ShouldBe -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' -Name 'EnableMulticast' -Value '0' -Type 'DWord' 97 | 98 | # SOURCE: https://techcommunity.microsoft.com/t5/storage-at-microsoft/configure-smb-signing-with-confidence/ba-p/2418102 99 | Write-Host "Requiring SMB Signing on Client and Server..." 100 | Registry.ShouldBe -Path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -Name 'EnableSecuritySignature' -Value '1' -Type 'DWord' 101 | Registry.ShouldBe -Path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' -Name 'RequireSecuritySignature' -Value '1' -Type 'DWord' 102 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters' -Name 'EnableSecuritySignature' -Value '1' -Type 'DWord' 103 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters' -Name 'RequireSecuritySignature' -Value '1' -Type 'DWord' 104 | 105 | # SOURCE: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-defend-users-from-interception-attacks-via-smb-client/ba-p/1494995 106 | Write-host "Disallowing Insecure Guest Auth for SMB - Windows 10+ and Server 2016+..." 107 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'AllowInsecureGuestAuth' -Value '0' -Type 'DWord' 108 | 109 | # SOURCE (Service): https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220865 110 | # SOURCE (Client): https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220862 111 | Write-Host "Disabling 'Allow Basic authentication' for WinRM Service and Client..." 112 | Registry.ShouldBe -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' -Name 'AllowBasic' -Value '0' -Type 'DWord' 113 | Registry.ShouldBe -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' -Name 'AllowBasic' -Value '0' -Type 'DWord' 114 | 115 | # SOURCE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 116 | Write-Host "Enabling 'CertPaddingCheck' registry key to resolve WinVerifyTrust security issues per CVE-2013-3900..." 117 | Registry.ShouldBe -Path 'HKLM:\Software\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type 'DWord' 118 | Registry.ShouldBe -Path 'HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config' -Name 'EnableCertPaddingCheck' -Value '1' -Type 'DWord' 119 | 120 | # SOURCE: https://ss64.com/nt/syntax-ntlm.html 121 | Write-Host "Setting the LM and NTLMv1 authentication responses to 5 via LmCompatibilityLevel ('Send NTLMv2 response only. Refuse LM & NTLM.')..." 122 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Lsa' -Name 'LmCompatibilityLevel' -Value '5' -Type 'DWord' 123 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name 'LmCompatibilityLevel' -Value '5' -Type 'DWord' 124 | 125 | # SOURCE: https://www.tenforums.com/tutorials/101962-enable-disable-autoplay-all-drives-windows.html 126 | Write-Host "Disabling Autorun(Autoplay) on all drives..." 127 | Registry.ShouldBe -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer' -Name 'NoDriveTypeAutorun' -Value 255 -Type 'DWord' 128 | Registry.ShouldBe -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer' -Name 'NoAutorun' -Value 0x01 -Type 'DWord' 129 | 130 | ##### NBT-NS Disable #### 131 | <# Disable NetBIOS over TCP/IP (NBT-NS) via PowerShell 132 | ORIGINAL SOURCE: https://www.reddit.com/r/sysadmin/comments/sjra2q/disable_llmnr_and_nbtns/ 133 | CURRENT SOURCE: https://www.reddit.com/r/PowerShell/comments/buh3ln/comment/epi7fg4/?utm_source=share&utm_medium=web2x&context=3 134 | CREDIT: https://www.reddit.com/user/PinchesTheCrab/ 135 | Information on disabling via DHCP for dynamic IPs using Windows DHCP Server: 136 | https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-netbios-tcp-ip-using-dhcp 137 | Information on disabling NetBIOS over TCP/IP (NBT-NS) via DHCP when using a Fortinet FortiGate firewall for DHCP: 138 | https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-NetBIOS-over-TCP-IP-using-DHCP/ta-p/195730 139 | #> 140 | 141 | Write-Host "Disabling NetBIOS over TCP/IP (NBT-NS) and LMHOST lookup on physical network adapters..." 142 | $filter = @' 143 | (Description LIKE '%Intel%' 144 | OR Description LIKE '%Realtek%' 145 | OR Description LIKE '%Broadcom%' 146 | OR Description LIKE '%Surface%' 147 | OR Description LIKE '%Marvell%' 148 | OR Description LIKE '%Wireless%' 149 | ) 150 | AND TcpipNetbiosOptions <> 2 151 | '@ 152 | 153 | # Get-CimInstance Win32_NetworkAdapterConfiguration -Filter $filter | 154 | # Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } 155 | 156 | Get-CimInstance Win32_NetworkAdapterConfiguration -Filter $filter | 157 | ForEach-Object { 158 | $regParam = @{ 159 | Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{0}' -f $PSItem.SettingID 160 | Name = 'NetbiosOptions' 161 | Value = 2 162 | Type = 'DWord' 163 | } 164 | Registry.ShouldBe @regParam 165 | } 166 | ##### END NBT-NS Disable ##### 167 | 168 | # Windows Desktop Only Settings 169 | Write-Host "" 170 | Write-Host "Checking Windows Version...." 171 | if (Test-IsWorkstation) { 172 | Write-Host "Windows Desktop/Workstation Detected! Running some additional client-side-only hardening..." 173 | 174 | # SOURCE: https://www.stigviewer.com/stig/windows_xp/2014-01-06/finding/V-15669 175 | Write-Host "Prohibiting use of Internet Connection Sharing on your DNS domain network..." 176 | Registry.ShouldBe -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections' -Name 'NC_ShowSharedAccessUI' -Value '0' -Type 'DWord' 177 | 178 | # SOURCE: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection 179 | Write-Host "Enabling 'Local Security Authority (LSA) protection'..." 180 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value '1' -Type 'DWord' 181 | 182 | # SOURCE: https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220930 183 | Write-Host "Do not allow anonymous enumeration of SAM accounts and shares..." 184 | Registry.ShouldBe -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RestrictAnonymous' -Value '1' -Type 'DWord' 185 | } 186 | -------------------------------------------------------------------------------- /Windows-Security-Hardening/README.md: -------------------------------------------------------------------------------- 1 | # Windows Security Hardening 2 | These scripts help to harden various Windows security settings. 3 | 4 | ## [Harden-Security-Windows-Registry.ps1](Harden-Security-Windows-Registry.ps1) 5 | The [Harden-Security-Windows-Registry.ps1](Harden-Security-Windows-Registry.ps1 "Harden-Security-Windows-Registry.ps1") script configures several common registry settings that lock down Windows client (and sometimes server) security. 6 | 7 | Usually this means disabling old protocols or requiring SMB signing, etc., and on modern networks most of these already should not be used, but also in theory it could break things, so only run this on systems where you know it won't have a negative effect, or are prepared to diagnose issues/test things after adjusting. 8 | 9 | There is currently no automatic undo for these settings, but given that these are all basic registry settings, usually deleting the key or changing the value will reverse the change. Many times, rebooting is required before a change will take effect. These settings may be overridden by local or group policy settings, or Intune, if those are configured. 10 | 11 | Each setting in the script is accompanied by a comment with one or more links to the reference source showing where the solution was obtained. 12 | 13 | This script could cause important network functions to stop working for networks that rely on one or more of the disabled protocols, even if they are legacy protocols that generally should no longer be used if possible. Don’t roll out without testing first in each environment. 14 | 15 | ## [Disable-PowerShell-V2.ps1](Disable-PowerShell-V2.ps1) 16 | The [Disable-PowerShell-V2.ps1](Disable-PowerShell-V2.ps1) script checks to see if PowerShell v2 is enabled and disables it if it is. 17 | 18 | Run the script to report and disable PowerShell v2. No change will be made if it's already disabled. 19 | 20 | Leaving PowerShell V2 enabled on a system that supports it could allow for a security bypass due to being able to use it to skip some logging and auditing, hence [the recommendation to disable at StigViewer.com](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-70637). 21 | 22 | In order to provide an undo option, pass the argument `-Enable` to instead enable PowerShell v2, if disabled. 23 | 24 | Returns 0 if the requested action was successful or no action was taken, or 1 if a requested change fails to succeed after testing. 25 | 26 | Will report if a reboot is required to complete the change (it usually isn't). 27 | 28 | Checks Windows Optional Feature List to ensure PowerShell V2 is a possible feature first, and quits if not (for servers or OS versions where it's not supported at all), and succeeds but reports the finding. (Newer versions of Windows Server, including 2022, do not include PowerShell 2 at all, so the feature doesn’t exist to be disabled.) -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/DefensXDynamicVersions.ps1: -------------------------------------------------------------------------------- 1 | # # --- Dynamic Versions Script --- 2 | # # The script MUST return an array of applicable version objects. 3 | # # Each object is required to provide a "Version" and "Url" property. 4 | 5 | 6 | # # use the New-DynamicVersion function to build out valid versions and assign them to $Response.Versions 7 | 8 | # # you must explicitly return the data in the following structure 9 | # $Response = New-Object PSObject -Property @{ 10 | # Versions = @() 11 | # } 12 | 13 | # return $Response; 14 | Get-DynamicVersionFromInstallerURL "https://cloud.defensx.com/defensx-installer/latest.msi" -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/DefensXShield.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/DefensXShield.png -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/DefensXSilentInstall.ps1: -------------------------------------------------------------------------------- 1 | #If existing install, require to stop the current service from running before being able to install an update 2 | 3 | # Get-Service -Name "DefensX Agent" -ErrorAction SilentlyContinue | Stop-Service -Force -ErrorAction SilentlyContinue 4 | 5 | $Arguments = @" 6 | /i "$InstallerFile" /quiet /norestart /l*v "$InstallerLogFile" KEY=$LicenseValue BRAVE_DISABLE_PRIVATE_WINDOW=$BRAVE_DISABLE_PRIVATE_WINDOW CHROME_DISABLE_PRIVATE_WINDOW=$CHROME_DISABLE_PRIVATE_WINDOW CHROMIUM_DISABLE_PRIVATE_WINDOW=$CHROMIUM_DISABLE_PRIVATE_WINDOW EDGE_DISABLE_PRIVATE_WINDOW=$EDGE_DISABLE_PRIVATE_WINDOW FIREFOX_DISABLE_PRIVATE_WINDOW=$FIREFOX_DISABLE_PRIVATE_WINDOW VIVALDI_DISABLE_PRIVATE_WINDOW=$VIVALDI_DISABLE_PRIVATE_WINDOW DISABLE_UNINSTALL=$DISABLE_UNINSTALL ENABLE_BYPASS_MODE=$ENABLE_BYPASS_MODE ENABLE_DRIVER_MODE=$ENABLE_DRIVER_MODE ENABLE_IAM_USER=$ENABLE_IAM_USER ENABLE_LOGON_USER=$ENABLE_LOGON_USER SYSTEM_COMPONENT=$SYSTEM_COMPONENT 7 | "@ 8 | 9 | Write-Host "Arguments: $Arguments" 10 | Write-Host "InstallerLogFile: $InstallerLogFile" 11 | $Process = Start-ProcessWithLogTail msiexec -ArgumentList $Arguments -LogFilePath $InstallerLogFile 12 | Write-Host "Exit Code: $($Process.ExitCode)"; -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/README.md: -------------------------------------------------------------------------------- 1 | # Deploying DefensX Agent with immy.bot 2 | 3 | ## Setting up immy.bot Software Deployment 4 | 5 | Create a new Software Library entry in immy.bot named DefensX agent. I use the following Notes field: 6 | 7 | > This is the Windows agent for the DefensX.com web filtering and browser control/management software. The online console to create and manage tenants and get deployment keys is https://cloud.defensx.com 8 | 9 | The Software Info field looks like this for me: 10 | ![immy.bot Software Info example screenshot.]() 11 | 12 | The Icon logo is in this repository as [DefensXShield.png](DefensXShield.png). (Note that this is for internal use only and is trademarked by DefensX, and I will remove it should DefensX request removal.) 13 | 14 | For licensing, change to Required of type Key. You'll create a License for each tenant with the short key from DefensX (the long key should work) to select for each deployment: 15 | ![immy.bot Licensing Configuration screenshot for DefensX.]() 16 | 17 | The description I used for the license key field is: 18 | 19 | > Short activation key from cloud.defensx.com in each customer tenant's Policies->Policy Groups->Deployments->RMM button->Enable "Use Short Deployment Key"->Copy value after KEY= in URL and use as license key value for tenant. Default long Deployment Key from the same area may work as well. 20 | 21 | But use whatever you want for these fields, they are for reference only. 22 | 23 | Choose Upgrade Code as the Version Detection method. You won't see the existing code on a fresh deployment, so ignore the rest beyond choosing "Upgrade Code" as the Detection Method: 24 | ![Version Detection portion of immy.bot deployment.]() 25 | 26 | Set up the scripts as shown below, create New scripts for the two that are included in this repository and select them for the relevant areas: 27 | ![DefensX delpoyment scripts selection in immy.bot.]() 28 | 29 | The [DefensXSilentInstall.ps1](DefensXSilentInstall.ps1) and [DefensXDynamicVersions.ps1](DefensXDynamicVersions.ps1) scripts are included in this repository and are the only ones needed that are not already included with immy.bot as Global scripts that don't require modification. 30 | 31 | ## Configuration Task 32 | The Configuration Task needs to be created to have all of the flags that can be passed to the installer to configure settings in the agent at deployment. The flags are listed below, you should create a New Configuration Task with the following parameter names, all of type "Number", with no Requires User Input options and with a default value of `0` or `1` as desired. The description field is optional. 33 | 34 | | Parameter Name | Default Value | Description | 35 | | -------------- | ------------- | ----------- | 36 | | CHROME_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Chrome. It will be disabled with value of 0 (default). | 37 | | EDGE_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Edge. It will be disabled with value of 0 (default). | 38 | | FIREFOX_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Firefox. It will be disabled with value of 0 (default). | 39 | | CHROMIUM_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Chromium. It will be disabled with value of 0 (default). | 40 | | BRAVE_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Brave. It will be disabled with value of 0 (default). | 41 | | VIVALDI_DISABLE_PRIVATE_WINDOW | 0 | When set to 1, private browser functionality will NOT be disabled for Vivaldi. It will be disabled with value of 0 (default). | 42 | | DISABLE_UNINSTALL | 0 | If set to 1, users cannot uninstall the agent from Add/Remove Programs, but it can still be seen in the list. | 43 | | SYSTEM_COMPONENT | 0 | If set to 1, users cannot see the agent in Add/Remove Programs. | 44 | | ENABLE_IAM_USER | 0 | When enabled (set to 1), DefensX Agent allows users to sign in using configured methods (Google, Octa, Local Users with or without MFA) within the DefensX interface. Please note that this method requires users to sign in interactively. | 45 | | ENABLE_LOGON_USER | 1 | When enabled with value 1 (or not set), DefensX Agent automatically creates new users on the DefensX backend for logged-in Windows users based on their Windows Logon usernames. Set to 0 to disable. | 46 | | ENABLE_DRIVER_MODE | 1 | When kernel driver is enabled (default, set to 1), DefensX Agent will try to load kernel drivers to redirect DNS requests itself without changing system wide DNS settings. | 47 | | ENABLE_BYPASS_MODE | 0 | When Bypass mode is set to Enabled (value of 1), DefensX Agent will allow users to temporarily remove protection. It can be useful in some Captive-Portal authentication and troubleshooting. | 48 | 49 | Save/update the Software and create a deployment using the new software library item. The Configuration Task area should provide a customizable list of parameters for you to edit if desired. 50 | 51 | Although the default here is 0 for the options to disable private browser windows, we generally deploy DefensX with the `CHROME_DISABLE_PRIVATE_WINDOW`, `EDGE_DISABLE_PRIVATE_WINDOW`, and `FIREFOX_DISABLE_PRIVATE_WINDOW` flags set to 1 in order to allow Private Window to bypass filtering for Chrome, Edge, and Firefox, allowing for troubleshooting and testing, although this is a less-secure overall configuration so consider that in your deployment plans. 52 | 53 | ## Parameter Block for Reference 54 | The parameter block that immy.bot defines for these parameters is equal to the following, but I've added the parameters directly in the UI so this is not currently being used and is added for reference only: 55 | 56 | ```powershell 57 | param( 58 | [Parameter(Position=0,Mandatory=$False,HelpMessage=@' 59 | When set to 1, private browser functionality will NOT be disabled for Chrome. It will be disabled with value of 0 (default). 60 | '@)] 61 | [Int32]$CHROME_DISABLE_PRIVATE_WINDOW=0, 62 | [Parameter(Position=1,Mandatory=$False,HelpMessage=@' 63 | When set to 1, private browser functionality will NOT be disabled for Edge. It will be disabled with value of 0 (default). 64 | '@)] 65 | [Int32]$EDGE_DISABLE_PRIVATE_WINDOW=0, 66 | [Parameter(Position=2,Mandatory=$False,HelpMessage=@' 67 | When set to 1, private browser functionality will NOT be disabled for Firefox. It will be disabled with value of 0 (default). 68 | '@)] 69 | [Int32]$FIREFOX_DISABLE_PRIVATE_WINDOW=0, 70 | [Parameter(Position=3,Mandatory=$False,HelpMessage=@' 71 | When set to 1, private browser functionality will NOT be disabled for Chromium. It will be disabled with value of 0 (default). 72 | '@)] 73 | [Int32]$CHROMIUM_DISABLE_PRIVATE_WINDOW=0, 74 | [Parameter(Position=4,Mandatory=$False,HelpMessage=@' 75 | When set to 1, private browser functionality will NOT be disabled for Brave. It will be disabled with value of 0 (default). 76 | '@)] 77 | [Int32]$BRAVE_DISABLE_PRIVATE_WINDOW=0, 78 | [Parameter(Position=5,Mandatory=$False,HelpMessage=@' 79 | When set to 1, private browser functionality will NOT be disabled for Vivaldi. It will be disabled with value of 0 (default). 80 | '@)] 81 | [Int32]$VIVALDI_DISABLE_PRIVATE_WINDOW=0, 82 | [Parameter(Position=6,Mandatory=$False,HelpMessage=@' 83 | If set to 1, users cannot uninstall the agent from Add/Remove Programs, but it can still be seen in the list. 84 | '@)] 85 | [Int32]$DISABLE_UNINSTALL=0, 86 | [Parameter(Position=7,Mandatory=$False,HelpMessage=@' 87 | If set to 1, users cannot see the agent in Add/Remove Programs. 88 | '@)] 89 | [Int32]$SYSTEM_COMPONENT=0, 90 | [Parameter(Position=8,Mandatory=$False,HelpMessage=@' 91 | When enabled (set to 1), DefensX Agent allows users to sign in using configured methods (Google, Octa, Local Users with or without MFA) within the DefensX interface. Please note that this method requires users to sign in interactively. 92 | '@)] 93 | [Int32]$ENABLE_IAM_USER=0, 94 | [Parameter(Position=9,Mandatory=$False,HelpMessage=@' 95 | When enabled with value 1 (or not set), DefensX Agent automatically creates new users on the DefensX backend for logged-in Windows users based on their Windows Logon usernames. Set to 0 to disable. 96 | 97 | This feature simplifies deployments in both device-joined Azure AD and Active Directory environments by eliminating the need for user interaction. 98 | '@)] 99 | [Int32]$ENABLE_LOGON_USER=1, 100 | [Parameter(Position=10,Mandatory=$False,HelpMessage=@' 101 | When kernel driver is enabled (default, set to 1), DefensX Agent will try to load kernel drivers to redirect DNS requests itself without changing system wide DNS settings. 102 | 103 | It is safe to use kernel driver, if the driver not available for the installed platform, agent automatically fallback to standard mode. 104 | '@)] 105 | [Int32]$ENABLE_DRIVER_MODE=1, 106 | [Parameter(Position=11,Mandatory=$False,HelpMessage=@' 107 | When Bypass mode is set to Enabled (value of 1), DefensX Agent will allow users to temporarily remove protection. It can be useful in some Captive-Portal authentication and troubleshooting. 108 | '@)] 109 | [Int32]$ENABLE_BYPASS_MODE=0 110 | ) 111 | ``` 112 | -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-1.png -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-2.png -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-3.png -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image-4.png -------------------------------------------------------------------------------- /immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dszp/MSP-Scripts/ecb0937046c4c0bfa3a9c4ab9807934cd134d497/immy.bot Scripts/DefensX Agent/assets/screenshot_Deploying Defen_Image.png -------------------------------------------------------------------------------- /immy.bot Scripts/README.md: -------------------------------------------------------------------------------- 1 | # immy.bot Scripts 2 | The enclosed scripts (one software item per folder) contain scripts that can be used in immy.bot to deploy and manage software, but are not (as of publication) included in the Global Software Library in immy.bot, though it may be added later. 3 | --------------------------------------------------------------------------------