├── Detect_24Hour_Clock.ps1
├── Detect_AdobeDC_Java.ps1
├── Detect_AdobeReader_Flash.ps1
├── Detect_AdobeReader_Java.ps1
├── Detect_Always_Elevated.ps1
├── Detect_Built-in_MSTeams_W11.ps1
├── Detect_Choco_Pre-Release_Enabled.ps1
├── Detect_CloudDeliveredProtection.ps1
├── Detect_DateNotation_ddMMyyyy.ps1
├── Detect_DeviceUptime1.ps1
├── Detect_DeviceUptime2.ps1
├── Detect_DeviceUptime7.ps1
├── Detect_FastBoot.ps1
├── Detect_IBeam_TextSelect.ps1
├── Detect_InitializeInpackageUpdate.ps1
├── Detect_LSA_Protection.ps1
├── Detect_NetworkProtection.ps1
├── Detect_Office_Telementry.ps1
├── Detect_Office_Telemetry.ps1
├── Detect_OutlookFont_Calibri.ps1
├── Detect_PUA-Protection.ps1
├── Detect_RDP.ps1
├── Detect_RDP_fClientDisableUDP.ps1
├── Detect_RealTimeBehavior.ps1
├── Detect_RealTimeProtection.ps1
├── Detect_TeamsConsumerChat_W11.ps1
├── Detect_W11_VPN-error.ps1
├── Detect_W32TimeService.ps1
├── Detect__TimeZone_W_Europe.ps1
├── Detect_registryexists1.ps1
├── Detect_registryexists2.ps1
├── Remediate_24Hour_Clock.ps1
├── Remediate_AdobeDC_Java.ps1
├── Remediate_AdobeReader_Flash.ps1
├── Remediate_AdobeReader_Java.ps1
├── Remediate_Always_Elevated.ps1
├── Remediate_Built-in_MSTeams_W11.ps1
├── Remediate_Choco_Pre-Release_Enabled.ps1
├── Remediate_CloudDeliveredProtection.ps1
├── Remediate_DateNotation_ddMMyyyy.ps1
├── Remediate_DeviceUptime1.ps1
├── Remediate_DeviceUptime2.ps1
├── Remediate_DeviceUptime7.ps1
├── Remediate_FastBoot.ps1
├── Remediate_IBeam_TextSelect.ps1
├── Remediate_InitializeInpackageUpdate.ps1
├── Remediate_LSA_Protection.ps1
├── Remediate_NetworkProtection.ps1
├── Remediate_Office_Telementry.ps1
├── Remediate_Office_Telemetry.ps1
├── Remediate_OutlookFont_Calibri.ps1
├── Remediate_PUA-Protection.ps1
├── Remediate_RDP.ps1
├── Remediate_RDP_fClientDisableUDP.ps1
├── Remediate_RealTimeBehavior.ps1
├── Remediate_RealTimeProtection.ps1
├── Remediate_TeamsConsumerChat_W11.ps1
├── Remediate_TimeZone_W_Europe.ps1
├── Remediate_W11_VPN-error.ps1
└── Remediate_W32TimeService.ps1
/Detect_24Hour_Clock.ps1:
--------------------------------------------------------------------------------
# Detection: the per-user short-time and long-time formats must both be the
# 24-hour patterns listed below. Exit 0 = compliant, exit 1 = run remediation.
# NOTE(review): HKCU resolves to the hive of whichever account runs the script;
# presumably this is deployed in the logged-on user's context - confirm.
$Expected = @(
    @{ Path = "HKCU:\Control Panel\International"; Name = "sShortTime"; Value = "HH:mm" },
    @{ Path = "HKCU:\Control Panel\International"; Name = "sTimeFormat"; Value = "HH:mm:ss" }
)

$Mismatches = 0

foreach ($Setting in $Expected) {
    try {
        $Current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction Stop).($Setting.Name)
        if ($Current -ne $Setting.Value) {
            Write-Warning "$($Setting.Name) is Not Compliant"
            $Mismatches++
        }
    }
    catch {
        # A missing key or value is reported the same way as a wrong value.
        Write-Warning "$($Setting.Name) is Not Compliant"
        $Mismatches++
    }
}

if ($Mismatches -gt 0) {
    exit 1
}

Write-Output "Compliant"
exit 0
--------------------------------------------------------------------------------
/Detect_AdobeDC_Java.ps1:
--------------------------------------------------------------------------------
# Detection: Acrobat DC must have JavaScript disabled through the machine-wide
# FeatureLockDown policy key (bDisableJavaScript = 1).
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"
$Name = "bDisableJavaScript"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    # Key or value absent: the policy is not enforced, so report non-compliant.
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_AdobeReader_Flash.ps1:
--------------------------------------------------------------------------------
# Detection: Acrobat Reader DC must have Flash content disabled through the
# machine-wide FeatureLockDown policy key (bEnableFlash = 0).
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
$Name = "bEnableFlash"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 0

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    # Key or value absent: the policy is not enforced, so report non-compliant.
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_AdobeReader_Java.ps1:
--------------------------------------------------------------------------------
# Detection: Acrobat Reader DC must have JavaScript disabled through the
# machine-wide FeatureLockDown policy key (bDisableJavaScript = 1).
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
$Name = "bDisableJavaScript"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    # Key or value absent: the policy is not enforced, so report non-compliant.
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_Always_Elevated.ps1:
--------------------------------------------------------------------------------
# Detection: the Windows Installer policy AlwaysInstallElevated must be
# explicitly set to 0 in HKLM. When that policy is enabled, MSI packages are
# installed with elevated privileges for any user, which is a well-known local
# privilege-escalation misconfiguration.
# NOTE(review): the policy only takes effect when it is enabled in both the
# machine and the per-user policy hive; this script inspects HKLM only.
# NOTE(review): an absent value is reported as non-compliant although it does
# not enable the policy; the remediation is then expected to create it.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
$Name = "AlwaysInstallElevated"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = "0"

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_Built-in_MSTeams_W11.ps1:
--------------------------------------------------------------------------------
# Detection: looks for the Microsoft Teams consumer app (package name
# MicrosoftTeams) on Windows 11. Exit 1 when it is installed so that the
# remediation runs, exit 0 when it is absent.
# Get-AppxPackage without further arguments queries the packages of the
# account running the script.
$TeamsPackage = Get-AppxPackage -Name MicrosoftTeams

if ($null -ne $TeamsPackage) {
    Write-Host "Microsoft Teams client found"
    exit 1
}

Write-Host "Microsoft Teams client not found"
exit 0
--------------------------------------------------------------------------------
/Detect_Choco_Pre-Release_Enabled.ps1:
--------------------------------------------------------------------------------
# Detection: the InPackageUpdater "Prerelease" value must be 1.
# NOTE(review): presumably this opts the device into pre-release package
# versions; confirm that is intended for every device group this is assigned
# to, since pre-release builds widen what the updater will install.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\WOW6432Node\Insign.it\InPackageUpdater"
$Name = "Prerelease"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_CloudDeliveredProtection.ps1:
--------------------------------------------------------------------------------
# Detection: Microsoft Defender cloud-delivered protection.
# Compliant only when MAPSReporting is 2 (Advanced) and SubmitSamplesConsent
# is 3 (send all samples automatically).
# If Get-MpPreference returns nothing, both properties evaluate to $null and
# the device is reported as non-compliant.
$version = 'C1'

if ((Get-MpPreference).MAPSReporting -ne 2) {
    Write-Output "$version NON-COMPLIANT"
    exit 1
}

if ((Get-MpPreference).SubmitSamplesConsent -ne 3) {
    Write-Output "$version NON-COMPLIANT"
    exit 1
}

Write-Output "$version COMPLIANT"
exit 0
--------------------------------------------------------------------------------
/Detect_DateNotation_ddMMyyyy.ps1:
--------------------------------------------------------------------------------
# Detection: the per-user short date format must be dd/MM/yyyy.
# NOTE(review): HKCU resolves to the hive of whichever account runs the script;
# presumably this is deployed in the logged-on user's context - confirm.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKCU:\Control Panel\International"
$Name = "sShortDate"
$Type = "String"   # documents the expected value type; not used by the check
$Value = "dd/MM/yyyy"

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_DeviceUptime1.ps1:
--------------------------------------------------------------------------------
# Detection: flags the device once it has been running for 1 or more whole
# days. Exit 1 triggers the reboot reminder, exit 0 means nothing to do.
$DaysUp = (Get-ComputerInfo | Select-Object OSUptime).OsUptime.Days

if ($DaysUp -lt 1) {
    Write-Output "Device has rebootet $DaysUp days ago, all good"
    exit 0
}

Write-Output "Device has not rebootet on $DaysUp days, notify user to reboot"
exit 1
--------------------------------------------------------------------------------
/Detect_DeviceUptime2.ps1:
--------------------------------------------------------------------------------
# Detection: flags the device once it has been running for 2 or more whole
# days. Exit 1 triggers the reboot reminder, exit 0 means nothing to do.
$DaysUp = (Get-ComputerInfo | Select-Object OSUptime).OsUptime.Days

if ($DaysUp -lt 2) {
    Write-Output "Device has rebootet $DaysUp days ago, all good"
    exit 0
}

Write-Output "Device has not rebootet on $DaysUp days, notify user to reboot"
exit 1
--------------------------------------------------------------------------------
/Detect_DeviceUptime7.ps1:
--------------------------------------------------------------------------------
# Detection: flags the device once it has been running for 7 or more whole
# days. Exit 1 triggers the reboot reminder, exit 0 means nothing to do.
$DaysUp = (Get-ComputerInfo | Select-Object OSUptime).OsUptime.Days

if ($DaysUp -lt 7) {
    Write-Output "Device has rebootet $DaysUp days ago, all good"
    exit 0
}

Write-Output "Device has not rebootet on $DaysUp days, notify user to reboot"
exit 1
--------------------------------------------------------------------------------
/Detect_FastBoot.ps1:
--------------------------------------------------------------------------------
# Detection: Fast Startup must be switched off (HiberbootEnabled = 0).
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Name = "HiberbootEnabled"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 0

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_IBeam_TextSelect.ps1:
--------------------------------------------------------------------------------
# Detection: the per-user text-select (I-beam) cursor must point at the
# cursor file named below.
# NOTE(review): HKCU resolves to the hive of whichever account runs the script;
# presumably this is deployed in the logged-on user's context - confirm.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKCU:\Control Panel\Cursors"
$Name = "IBeam"
$Type = "STRING"   # documents the expected value type; not used by the check
$Value = "C:\WINDOWS\Cursors\beam_il.cur"

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_InitializeInpackageUpdate.ps1:
--------------------------------------------------------------------------------
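# Placeholder detection: checks a registry value that is not expected to
# exist, so the result is "not compliant" and the paired remediation runs.
#
# The exit statements were commented out in the listed version. Without them
# the script printed "Compliant" and "Not Compliant" on a match and always
# ended with exit code 0, so the remediation this file exists to trigger was
# never started. They are restored here: exit 1 = run remediation.

$Path = "HKLM:\SOFTWARE\Insign.it\"
$Name = "InitializePlaceholder"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = "123456789"

try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    if ($Registry -eq $Value) {
        Write-Output "Compliant"
        exit 0
    }
    Write-Warning "Not Compliant"
    exit 1
}
catch {
    # Expected path: the placeholder value does not exist.
    Write-Warning "Not Compliant"
    exit 1
}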
--------------------------------------------------------------------------------
/Detect_LSA_Protection.ps1:
--------------------------------------------------------------------------------
# Detection: LSA protection must be configured (RunAsPPL = 1), which makes
# LSASS start as a protected process and hinders credential dumping from its
# memory.
# The registry value shows configuration only; a changed value applies after
# the next reboot, so "Compliant" here does not prove LSASS is currently
# running protected.
# NOTE(review): other non-zero RunAsPPL values (for example 2 on recent
# Windows 11 builds) are reported as non-compliant - confirm that is intended.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Name = "RunAsPPL"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_NetworkProtection.ps1:
--------------------------------------------------------------------------------
# Detection: Microsoft Defender network protection must be in block mode
# (EnableNetworkProtection = 1). Audit mode (2) and disabled (0) both count
# as non-compliant, as does a failed Get-MpPreference call ($null).
$version = 'C1'
$NetworkProtectionState = (Get-MpPreference).EnableNetworkProtection

if ($NetworkProtectionState -ne 1) {
    Write-Output "$version NON-COMPLIANT"
    exit 1
}

Write-Output "$version COMPLIANT"
exit 0
--------------------------------------------------------------------------------
/Detect_Office_Telementry.ps1:
--------------------------------------------------------------------------------
# Detection: Office client telemetry must be disabled by per-user policy
# (DisableTelemetry = 1). Same check as Detect_Office_Telemetry.ps1; this copy
# carries the misspelled file name.
# NOTE(review): HKCU resolves to the hive of whichever account runs the script;
# presumably this is deployed in the logged-on user's context - confirm.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry"
$Name = "DisableTelemetry"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_Office_Telemetry.ps1:
--------------------------------------------------------------------------------
# Detection: Office client telemetry must be disabled by per-user policy
# (DisableTelemetry = 1).
# NOTE(review): HKCU resolves to the hive of whichever account runs the script;
# presumably this is deployed in the logged-on user's context - confirm.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry"
$Name = "DisableTelemetry"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_OutlookFont_Calibri.ps1:
--------------------------------------------------------------------------------
1 | $Path = "registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\mailsettings"
2 | $Name1 = "ReplyFontComplex"
3 | $Name2 = "ComposeFontComplex"
4 | $Value1 = "3C,68,74,6D,6C,3E,0D,0A,0D,0A,3C,68,65,61,64,3E,0D,0A,3C,73,74,79,6C,65,3E,0D,0A,0D,0A,20,2F,2A,20,53,74,79,6C,65,20,44,65,66,69,6E,69,74,69,6F,6E,73,20,2A,2F,0D,0A,20,73,70,61,6E,2E,50,65,72,73,6F,6E,61,6C,52,65,70,6C,79,53,74,79,6C,65,0D,0A,09,7B,6D,73,6F,2D,73,74,79,6C,65,2D,6E,61,6D,65,3A,22,50,65,72,73,6F,6E,61,6C,20,52,65,70,6C,79,20,53,74,79,6C,65,22,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,74,79,70,65,3A,70,65,72,73,6F,6E,61,6C,2D,72,65,70,6C,79,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,6E,6F,73,68,6F,77,3A,79,65,73,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,75,6E,68,69,64,65,3A,6E,6F,3B,0D,0A,09,6D,73,6F,2D,61,6E,73,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,43,61,6C,69,62,72,69,22,2C,73,61,6E,73,2D,73,65,72,69,66,3B,0D,0A,09,6D,73,6F,2D,61,73,63,69,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,68,61,6E,73,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,54,69,6D,65,73,20,4E,65,77,20,52,6F,6D,61,6E,22,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,62,69,64,69,3B,0D,0A,09,63,6F,6C,6F,72,3A,77,69,6E,64,6F,77,74,65,78,74,3B,0D,0A,09,66,6F,6E,74,2D,77,65,69,67,68,74,3A,6E,6F,72,6D,61,6C,3B,0D,0A,09,66,6F,6E,74,2D,73,74,79,6C,65,3A,6E,6F,72,6D,61,6C,3B,7D,0D,0A,2D,2D,3E,0D,0A,3C,2F,73,74,79,6C,65,3E,0D,0A,3C,2F,68,65,61,64,3E,0D,0A,0D,0A,3C,2F,68,74,6D,6C,3E,0D,0A"
5 | $Value2 = "3C,68,74,6D,6C,3E,0D,0A,0D,0A,3C,68,65,61,64,3E,0D,0A,3C,73,74,79,6C,65,3E,0D,0A,0D,0A,20,2F,2A,20,53,74,79,6C,65,20,44,65,66,69,6E,69,74,69,6F,6E,73,20,2A,2F,0D,0A,20,73,70,61,6E,2E,50,65,72,73,6F,6E,61,6C,43,6F,6D,70,6F,73,65,53,74,79,6C,65,0D,0A,09,7B,6D,73,6F,2D,73,74,79,6C,65,2D,6E,61,6D,65,3A,22,50,65,72,73,6F,6E,61,6C,20,43,6F,6D,70,6F,73,65,20,53,74,79,6C,65,22,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,74,79,70,65,3A,70,65,72,73,6F,6E,61,6C,2D,63,6F,6D,70,6F,73,65,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,6E,6F,73,68,6F,77,3A,79,65,73,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,75,6E,68,69,64,65,3A,6E,6F,3B,0D,0A,09,6D,73,6F,2D,61,6E,73,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,43,61,6C,69,62,72,69,22,2C,73,61,6E,73,2D,73,65,72,69,66,3B,0D,0A,09,6D,73,6F,2D,61,73,63,69,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,68,61,6E,73,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,54,69,6D,65,73,20,4E,65,77,20,52,6F,6D,61,6E,22,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,62,69,64,69,3B,0D,0A,09,63,6F,6C,6F,72,3A,77,69,6E,64,6F,77,74,65,78,74,3B,0D,0A,09,66,6F,6E,74,2D,77,65,69,67,68,74,3A,6E,6F,72,6D,61,6C,3B,0D,0A,09,66,6F,6E,74,2D,73,74,79,6C,65,3A,6E,6F,72,6D,61,6C,3B,7D,0D,0A,2D,2D,3E,0D,0A,3C,2F,73,74,79,6C,65,3E,0D,0A,3C,2F,68,65,61,64,3E,0D,0A,0D,0A,3C,2F,68,74,6D,6C,3E,0D,0A"
6 |
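# Compare the stored reply/compose font definitions and the ThemeFont value
# with the expected ones. The two binary values are rendered as
# comma-separated upper-case hex bytes so they can be compared with the
# $Value1 / $Value2 strings defined above.
#
# The exit statements were commented out in the listed version, which made
# the script print "Compliant" followed by "Not Compliant" on a match and
# always end with exit code 0, so a remediation was never triggered. They are
# restored here: exit 0 = compliant, exit 1 = run remediation.
try {
    $Registry1 = (Get-ItemProperty -Path $Path -Name $Name1 -ErrorAction Stop | Select-Object -ExpandProperty $Name1 | ForEach-Object { '{0:X2}' -f $_ }) -join ','
    $Registry2 = (Get-ItemProperty -Path $Path -Name $Name2 -ErrorAction Stop | Select-Object -ExpandProperty $Name2 | ForEach-Object { '{0:X2}' -f $_ }) -join ','
    $Registry3 = Get-ItemProperty -Path $Path -Name ThemeFont -ErrorAction Stop | Select-Object -ExpandProperty ThemeFont
    if ($Registry1 -eq $Value1 -and $Registry2 -eq $Value2 -and $Registry3 -eq 2) {
        Write-Output "Compliant"
        exit 0
    }
    Write-Warning "Not Compliant"
    exit 1
}
catch {
    # Any of the three values missing counts as non-compliant.
    Write-Warning "Not Compliant"
    exit 1
}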
--------------------------------------------------------------------------------
/Detect_PUA-Protection.ps1:
--------------------------------------------------------------------------------
# Detection: Microsoft Defender potentially-unwanted-application protection
# must be enabled in block mode (PUAProtection = 1). Audit mode (2) and
# disabled (0) count as non-compliant, as does a failed Get-MpPreference
# call ($null).
$version = 'C1'
$PuaState = (Get-MpPreference).PUAProtection

if ($PuaState -ne 1) {
    Write-Output "$version NON-COMPLIANT"
    exit 1
}

Write-Output "$version COMPLIANT"
exit 0
--------------------------------------------------------------------------------
/Detect_RDP.ps1:
--------------------------------------------------------------------------------
# Detection: fDenyTSConnections must be 0.
# NOTE(review): 0 means inbound Remote Desktop connections are ALLOWED, so
# this script reports a device as compliant when RDP is enabled and triggers
# remediation when it is disabled. Confirm that enabling RDP is the intended
# baseline and that exposure is limited elsewhere (firewall scope, Network
# Level Authentication, membership of Remote Desktop Users).
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\System\CurrentControlSet\Control\Terminal Server"
$Name = "fDenyTSConnections"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 0

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_RDP_fClientDisableUDP.ps1:
--------------------------------------------------------------------------------
# Detection: the Remote Desktop client policy fClientDisableUDP must be 1,
# i.e. the RDP client is restricted to TCP transport.
# Exit 0 = compliant, exit 1 = run remediation.
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client"
$Name = "fClientDisableUDP"
$Type = "DWORD"   # documents the expected value type; not used by the check
$Value = 1

try {
    $Current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($Current -ne $Value) {
        Write-Warning "Not Compliant"
        exit 1
    }
    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_RealTimeBehavior.ps1:
--------------------------------------------------------------------------------
# Detection: Microsoft Defender behavior monitoring must be reported as
# enabled by Get-MpComputerStatus. A failed query yields $null and is
# reported as non-compliant.
$version = 'C1'
$BehaviorMonitoring = (Get-MpComputerStatus).BehaviorMonitorEnabled

# The right-hand string is converted to the type of the left-hand value, so
# this matches only when the property is $true.
if ($BehaviorMonitoring -eq "True") {
    Write-Output "$version COMPLIANT"
    exit 0
}

Write-Output "$version NON-COMPLIANT"
exit 1
--------------------------------------------------------------------------------
/Detect_RealTimeProtection.ps1:
--------------------------------------------------------------------------------
# Detection: Microsoft Defender real-time protection must be reported as
# enabled by Get-MpComputerStatus. A failed query yields $null and is
# reported as non-compliant.
$version = 'C1'
$RealTimeProtection = (Get-MpComputerStatus).RealTimeProtectionEnabled

# The right-hand string is converted to the type of the left-hand value, so
# this matches only when the property is $true.
if ($RealTimeProtection -eq "True") {
    Write-Output "$version COMPLIANT"
    exit 0
}

Write-Output "$version NON-COMPLIANT"
exit 1
--------------------------------------------------------------------------------
/Detect_TeamsConsumerChat_W11.ps1:
--------------------------------------------------------------------------------
# Detection: looks for the Microsoft Teams consumer app (package name
# MicrosoftTeams) on Windows 11. Exit 1 when it is installed so that the
# remediation runs, exit 0 when it is absent.
# Get-AppxPackage without further arguments queries the packages of the
# account running the script.
$TeamsPackage = Get-AppxPackage -Name MicrosoftTeams

if ($null -ne $TeamsPackage) {
    Write-Host "Microsoft Teams client found"
    exit 1
}

Write-Host "Microsoft Teams client not found"
exit 0
--------------------------------------------------------------------------------
/Detect_W11_VPN-error.ps1:
--------------------------------------------------------------------------------
# Windows 11 and Intune are not a great combination: VPN connections deployed
# to Windows 11 through Intune can end up corrupt, and Get-VpnConnection then
# fails with an unexpected error.
# This Proactive Remediation detection checks whether the VPN profile named
# below is present. If it is not, the script exits 1 to trigger remediation.

$VPNName = "AOVPN" # Write down the VPN Name as shown in the "Name" output.

try {
    # Errors from the cmdlet are suppressed; a failed query simply yields no
    # names and is handled as "profile missing" below.
    $ProfileNames = Get-VPNConnection -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name

    # With several profiles -eq filters the list, so the test is
    # "at least one profile has this name".
    if (-not ($ProfileNames -eq $VPNName)) {
        Write-Warning "Not Compliant"
        exit 1
    }

    Write-Output "Compliant"
    exit 0
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}
--------------------------------------------------------------------------------
/Detect_W32TimeService.ps1:
--------------------------------------------------------------------------------
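# =============================================================================================================================
#
# Script Name:     DetectW32TimeService.ps1
# Description:     Purpose of this script is to detect if "Windows Time Service" is running
# Notes:           No variable substitution should be necessary
#
# =============================================================================================================================
#
# Changes against the listed version:
#   * the header, section titles and signature markers are comments again;
#     the listing had lost their comment markers, which left the file
#     unparseable as PowerShell
#   * "w32tm /resync" ran twice, once of them outside the try block; it now
#     runs once, inside it
#   * Get-Service uses -ErrorAction Stop so a missing service reaches the
#     catch block
#   * the final Write-Error no longer passes "+" and $errMsg as extra
#     positional arguments, which raised a parameter-binding error

# Define variables
$curSvcStat, $svcCTRSvc, $errMsg = "", "", ""

# Main script
try {
    # NOTE(review): a detection script normally only reads state. The resync
    # is kept because the original issued it; consider moving it to the
    # remediation script.
    $null = w32tm /resync
    $svcCTRSvc = Get-Service "W32Time" -ErrorAction Stop
    $curSvcStat = $svcCTRSvc.Status
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}

if ($curSvcStat -eq "Running") {
    Write-Output $curSvcStat
    exit 0
}
elseif ($curSvcStat -eq "Stopped") {
    Write-Output $curSvcStat
    exit 1
}
else {
    # Any other state (for example a pending start or stop) is non-compliant.
    Write-Error "Error: unexpected W32Time status '$curSvcStat' $errMsg"
    exit 1
}

# SIG # Begin signature block
# Signature Removed - But will be available in the Intune portal.
# SIG # End signature block
# NOTE(review): this copy carries no signature data; where signature
# enforcement is configured for remediation scripts it has to be signed again
# after any edit.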
--------------------------------------------------------------------------------
/Detect__TimeZone_W_Europe.ps1:
--------------------------------------------------------------------------------
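# Detection: the system time zone must be "W. Europe Standard Time".
# Exit 0 = compliant, exit 1 = run remediation.
#
# Fix: the registry path started with "HKLM:\SSYSTEM" (doubled S). That key
# does not exist, so Get-ItemProperty always threw and every device was
# reported as non-compliant regardless of its time zone.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
$Name = "TimeZoneKeyName"
$Type = "STRING"   # documents the expected value type; not used by the check
$Value = "W. Europe Standard Time"

try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    if ($Registry -eq $Value) {
        Write-Output "Compliant"
        exit 0
    }
    Write-Warning "Not Compliant"
    exit 1
}
catch {
    Write-Warning "Not Compliant"
    exit 1
}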
--------------------------------------------------------------------------------
/Detect_registryexists1.ps1:
--------------------------------------------------------------------------------
# Template (placeholders "Valuename" / "DATAHERE" must be replaced).
# Launch remediation if the registry value exists: use -ne (not equals)
# Launch remediation if the registry value DOES NOT exist: use -eq (equals)
#
# NOTE(review): the check compares the value's data with $Value, it does not
# test for existence as such. Because errors are silenced, a missing value
# yields $null and the catch block is not reached for that case.
# NOTE(review): the exit statements are disabled in this template, so as
# listed it prints "Compliant" and then also "Not Compliant", and always ends
# with exit code 0. Re-enable "exit 0" / "exit 1" before deploying it.
# The target key is the 32-bit machine-wide Run key, i.e. programs started at
# every user logon.

$Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
$Name = "Valuename"
$Value = "DATAHERE"

try {
    $Current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $Name
    if ($Current -ne $Value) {
        Write-Output "Compliant"
    }
    Write-Warning "Not Compliant"
}
catch {
    Write-Warning "Not Compliant"
}
--------------------------------------------------------------------------------
/Detect_registryexists2.ps1:
--------------------------------------------------------------------------------
# Template (placeholders "Valuename" / "DATAHERE" must be replaced).
# Launch remediation if the registry value exists: use -ne (not equals)
# Launch remediation if the registry value DOES NOT exist: use -eq (equals)
#
# NOTE(review): the check compares the value's data with $Value, it does not
# test for existence as such. Because errors are silenced, a missing value
# yields $null and the catch block is not reached for that case.
# NOTE(review): the exit statements are disabled in this template, so as
# listed it prints "Compliant" and then also "Not Compliant", and always ends
# with exit code 0. Re-enable "exit 0" / "exit 1" before deploying it.
# The target key is the 32-bit machine-wide Run key, i.e. programs started at
# every user logon.

$Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
$Name = "Valuename"
$Value = "DATAHERE"

try {
    $Current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $Name
    if ($Current -eq $Value) {
        Write-Output "Compliant"
    }
    Write-Warning "Not Compliant"
}
catch {
    Write-Warning "Not Compliant"
}
--------------------------------------------------------------------------------
/Remediate_24Hour_Clock.ps1:
--------------------------------------------------------------------------------
# Remediation: write the 24-hour short and long time formats for the current
# user. Errors are suppressed, so the script gives no failure signal of its
# own; the next detection run shows whether the values were written.
$Common = @{
    LiteralPath  = "HKCU:\Control Panel\International"
    PropertyType = 'String'
    Force        = $true
    ErrorAction  = 'SilentlyContinue'
}

New-ItemProperty @Common -Name "sShortTime" -Value "HH:mm"
New-ItemProperty @Common -Name "sTimeFormat" -Value "HH:mm:ss"
--------------------------------------------------------------------------------
/Remediate_AdobeDC_Java.ps1:
--------------------------------------------------------------------------------
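# Remediation: disable JavaScript in Acrobat DC through the machine-wide
# FeatureLockDown policy (bDisableJavaScript = 1).
#
# Changes against the one-line version: New-ItemProperty does not create a
# missing key, and with errors silenced the script then ended with exit code 0
# without having written anything. The key is now created when absent and a
# failure is reported with exit code 1.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown"

try {
    # Only create the key when it is missing: New-Item -Force on an existing
    # registry key replaces it and drops the values it already holds.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name "bDisableJavaScript" -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    exit 0
}
catch {
    Write-Warning "Remediation failed: $($_.Exception.Message)"
    exit 1
}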
--------------------------------------------------------------------------------
/Remediate_AdobeReader_Flash.ps1:
--------------------------------------------------------------------------------
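# Remediation: disable Flash content in Acrobat Reader DC through the
# machine-wide FeatureLockDown policy (bEnableFlash = 0).
#
# Changes against the one-line version: New-ItemProperty does not create a
# missing key, and with errors silenced the script then ended with exit code 0
# without having written anything. The key is now created when absent and a
# failure is reported with exit code 1.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"

try {
    # Only create the key when it is missing: New-Item -Force on an existing
    # registry key replaces it and drops the values it already holds.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name "bEnableFlash" -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    exit 0
}
catch {
    Write-Warning "Remediation failed: $($_.Exception.Message)"
    exit 1
}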
--------------------------------------------------------------------------------
/Remediate_AdobeReader_Java.ps1:
--------------------------------------------------------------------------------
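# Remediation: disable JavaScript in Acrobat Reader DC through the
# machine-wide FeatureLockDown policy (bDisableJavaScript = 1).
#
# Changes against the one-line version: New-ItemProperty does not create a
# missing key, and with errors silenced the script then ended with exit code 0
# without having written anything. The key is now created when absent and a
# failure is reported with exit code 1.
$Path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"

try {
    # Only create the key when it is missing: New-Item -Force on an existing
    # registry key replaces it and drops the values it already holds.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name "bDisableJavaScript" -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    exit 0
}
catch {
    Write-Warning "Remediation failed: $($_.Exception.Message)"
    exit 1
}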
--------------------------------------------------------------------------------
/Remediate_Always_Elevated.ps1:
--------------------------------------------------------------------------------
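# Remediation: force the Windows Installer policy AlwaysInstallElevated to 0
# in HKLM so MSI packages are not installed with elevated privileges for
# every user.
#
# Changes against the listed version:
#   * New-ItemProperty ran without -Force and therefore failed with "property
#     already exists" in exactly the case that matters, a device where the
#     value is present and set to 1; the insecure value was left in place
#   * New-Item raised an error whenever the Installer key already existed
#   * failures now end the script with exit code 1
# NOTE(review): the per-user policy hive is not touched by this script.
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\"
$Key = "Installer"
$FullPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
$Name = "AlwaysInstallElevated"
$Type = "DWORD"
$Value = "0"

try {
    # Create the key only when it is missing so existing Installer policy
    # values under it are preserved.
    if (-not (Test-Path -Path $FullPath)) {
        New-Item -Path $Path -Name $Key -ErrorAction Stop | Out-Null
    }
    New-ItemProperty -Path $FullPath -Name $Name -Value $Value -PropertyType $Type -Force -ErrorAction Stop | Out-Null
    Write-Output "Remediated"
    exit 0
}
catch {
    Write-Warning "Remediation failed: $($_.Exception.Message)"
    exit 1
}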
--------------------------------------------------------------------------------
/Remediate_Built-in_MSTeams_W11.ps1:
--------------------------------------------------------------------------------
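# Remediation: removes the Microsoft Teams consumer app on Windows 11.
# The app is removed because it can only be used with personal Microsoft
# accounts.
#
# Changes against the listed version: the error text read "Errorremoving",
# and neither branch set an exit code, so a failed removal was not
# distinguishable from a successful one by exit status.
# Get-AppxPackage without further arguments only covers the account running
# the script.

try {
    Get-AppxPackage -Name MicrosoftTeams | Remove-AppxPackage -ErrorAction Stop
    Write-Host "Microsoft Teams app successfully removed"
    exit 0
}
catch {
    Write-Error "Error removing Microsoft Teams app"
    exit 1
}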
--------------------------------------------------------------------------------
/Remediate_Choco_Pre-Release_Enabled.ps1:
--------------------------------------------------------------------------------
# Remediation: set the InPackageUpdater "Prerelease" value to 1, creating the
# key first when it does not exist.
# NOTE(review): presumably this opts the device into pre-release package
# versions - confirm that is intended for the assigned device group.
$Path = "HKLM:\SOFTWARE\WOW6432Node\Insign.it\InPackageUpdater"
$Name = "Prerelease"
$Type = "DWORD"
$Value = 1

# The key is created only when missing; New-Item -Force on an existing
# registry key would replace it together with its values.
if (-not (Test-Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}

# Written in both cases, overwriting any existing value.
New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
--------------------------------------------------------------------------------
/Remediate_CloudDeliveredProtection.ps1:
--------------------------------------------------------------------------------
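# Remediation: enable Microsoft Defender cloud-delivered protection
# (MAPSReporting = Advanced) and automatic submission of all samples.
#
# Change against the listed version: the Set-MpPreference calls now use
# -ErrorAction Stop. Without it a non-terminating error does not reach the
# catch block, and the script printed "Remediated" and exited 0 even though
# nothing had changed.
# NOTE(review): SendAllSamples uploads any sample Defender selects, including
# files that may hold user data; confirm this matches the organisation's
# privacy requirements.
$version = 'R1'

try {
    Set-MpPreference -MAPSReporting Advanced -ErrorAction Stop
    Set-MpPreference -SubmitSamplesConsent SendAllSamples -ErrorAction Stop
    Write-Output "$version Remediated"
    exit 0
}
catch {
    Write-Output "$version Failed"
    exit 1
}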
--------------------------------------------------------------------------------
/Remediate_DateNotation_ddMMyyyy.ps1:
--------------------------------------------------------------------------------
# Remediation: write the dd/MM/yyyy short date format for the current user.
# Errors are suppressed, so the script gives no failure signal of its own;
# the next detection run shows whether the value was written.
$ShortDate = @{
    LiteralPath  = "HKCU:\Control Panel\International"
    Name         = "sShortDate"
    Value        = "dd/MM/yyyy"
    PropertyType = 'String'
    Force        = $true
    ErrorAction  = 'SilentlyContinue'
}

New-ItemProperty @ShortDate
--------------------------------------------------------------------------------
/Remediate_DeviceUptime1.ps1:
--------------------------------------------------------------------------------
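function Display-ToastNotification() {
    # Shows the toast held in the script-scope $Toast XML document, using the
    # notifier registered for the script-scope $App identifier. Both
    # variables must be set by the caller before this function runs.
    #
    # Fix: the catch block called Write-Output with -Message and -Level,
    # parameters that cmdlet does not have, so a failed toast produced a
    # parameter-binding error instead of the two hints. Write-Warning is
    # used now.

    # Referencing the WinRT types makes PowerShell load them; the assigned
    # value itself is not used.
    $Load = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
    $Load = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime]

    # Load the notification into the required format
    $ToastXML = New-Object -TypeName Windows.Data.Xml.Dom.XmlDocument
    $ToastXML.LoadXml($Toast.OuterXml)

    # Display the toast notification
    try {
        [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($App).Show($ToastXml)
    }
    catch {
        Write-Warning 'Something went wrong when displaying the toast notification'
        Write-Warning 'Make sure the script is running as the logged on user'
    }
}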
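# Setting image variables
# NOTE(review): both URLs follow the mutable 'master' branch of a public repository and the
# downloaded bytes are not verified; pinning to a commit or shipping the images with the
# script would remove the run-time dependency on remote content.
$LogoImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/insignit_512.jpg"
$HeroImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/InsignIT_hero.png"
$LogoImage = "$env:TEMP\ToastLogoImage.png"
$HeroImage = "$env:TEMP\ToastHeroImage.png"
$Uptime = Get-ComputerInfo | Select-Object OSUptime

# Fetching images from uri.
# -UseBasicParsing keeps Windows PowerShell 5.1 from depending on the Internet Explorer
# engine; a failed download is reported as a warning and the script carries on.
$Downloads = @(
    @{ Uri = $LogoImageUri; File = $LogoImage }
    @{ Uri = $HeroImageUri; File = $HeroImage }
)
foreach ($Download in $Downloads) {
    try {
        Invoke-WebRequest -Uri $Download.Uri -OutFile $Download.File -UseBasicParsing -ErrorAction Stop
    }
    catch {
        Write-Warning -Message "Could not download $($Download.Uri): $($_.Exception.Message)"
    }
}

# Defining the Toast notification settings
$Scenario = 'reminder' #

# Load Toast Notification text
$AttributionText = "Insign.it"
$HeaderText = "Computer Restart is needed!"
$TitleText = "Your device has not performed a reboot the last $($Uptime.OsUptime.Days) days"
$BodyText1 = "For performance and stability reasons we suggest a reboot at least once a week."
$BodyText2 = "Please save your work and restart your device today. Thank you in advance."

# PowerShell is used as the application that owns the toast, so its AppID has to be
# registered for the current user under the Notifications\Settings key.
$RegPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings'
$App = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'

# Create the registry key if it does not exist. Output is discarded so the created
# registry objects do not end up in the remediation output.
if (-not (Test-Path -Path "$RegPath\$App")) {
    New-Item -Path "$RegPath\$App" -Force | Out-Null
}

# Make sure the app used with the action center is enabled
if ((Get-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -ErrorAction SilentlyContinue).ShowInActionCenter -ne '1') {
    New-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -Value 1 -PropertyType 'DWORD' -Force | Out-Null
}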
55 |
56 |
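57 | # Formatting the toast notification XML. NOTE(review): the XML element markup of the here-string below is missing from this listing; only the interpolated variables remain, so the [xml] cast cannot succeed as shown.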
58 | [xml]$Toast = @"
59 |
60 |
61 |
62 |
63 |
64 | $AttributionText
65 | $HeaderText
66 |
67 |
68 | $TitleText
69 |
70 |
71 |
72 |
73 | $BodyText1
74 |
75 |
76 |
77 |
78 | $BodyText2
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 | "@
88 |
89 | #Send the notification
90 | Display-ToastNotification
91 | Exit 0
--------------------------------------------------------------------------------
/Remediate_DeviceUptime2.ps1:
--------------------------------------------------------------------------------
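function Display-ToastNotification() {
    <#
    .SYNOPSIS
        Shows the toast held in $Toast, attributed to the app id in $App.
    .NOTES
        $Toast and $App are not parameters; they are read from the calling
        script's scope and must be assigned before this function is called.
    #>
    # Referencing the WinRT types loads them into the session; the value itself is not needed.
    $null = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
    $null = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime]

    # Load the notification into the WinRT XML document type the notifier takes.
    $ToastXml = New-Object -TypeName Windows.Data.Xml.Dom.XmlDocument
    $ToastXml.LoadXml($Toast.OuterXml)

    # Display the toast notification
    try {
        [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($App).Show($ToastXml)
    }
    catch {
        # Write-Output has no -Message or -Level parameter, so the earlier calls
        # failed with a parameter-binding error and the hint was never printed.
        Write-Warning -Message 'Something went wrong when displaying the toast notification'
        Write-Warning -Message 'Make sure the script is running as the logged on user'
    }
}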
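# Setting image variables
# NOTE(review): both URLs follow the mutable 'master' branch of a public repository and the
# downloaded bytes are not verified; pinning to a commit or shipping the images with the
# script would remove the run-time dependency on remote content.
$LogoImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/insignit_512.jpg"
$HeroImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/InsignIT_hero.png"
$LogoImage = "$env:TEMP\ToastLogoImage.png"
$HeroImage = "$env:TEMP\ToastHeroImage.png"
$Uptime = Get-ComputerInfo | Select-Object OSUptime

# Fetching images from uri.
# -UseBasicParsing keeps Windows PowerShell 5.1 from depending on the Internet Explorer
# engine; a failed download is reported as a warning and the script carries on.
$Downloads = @(
    @{ Uri = $LogoImageUri; File = $LogoImage }
    @{ Uri = $HeroImageUri; File = $HeroImage }
)
foreach ($Download in $Downloads) {
    try {
        Invoke-WebRequest -Uri $Download.Uri -OutFile $Download.File -UseBasicParsing -ErrorAction Stop
    }
    catch {
        Write-Warning -Message "Could not download $($Download.Uri): $($_.Exception.Message)"
    }
}

# Defining the Toast notification settings
$Scenario = 'reminder' #

# Load Toast Notification text
$AttributionText = "Insign.it"
$HeaderText = "Computer Restart is needed!"
$TitleText = "Your device has not performed a reboot the last $($Uptime.OsUptime.Days) days"
$BodyText1 = "For performance and stability reasons we suggest a reboot at least once a week."
$BodyText2 = "Please save your work and restart your device today. Thank you in advance."

# PowerShell is used as the application that owns the toast, so its AppID has to be
# registered for the current user under the Notifications\Settings key.
$RegPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings'
$App = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'

# Create the registry key if it does not exist. Output is discarded so the created
# registry objects do not end up in the remediation output.
if (-not (Test-Path -Path "$RegPath\$App")) {
    New-Item -Path "$RegPath\$App" -Force | Out-Null
}

# Make sure the app used with the action center is enabled
if ((Get-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -ErrorAction SilentlyContinue).ShowInActionCenter -ne '1') {
    New-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -Value 1 -PropertyType 'DWORD' -Force | Out-Null
}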
55 |
56 |
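57 | # Formatting the toast notification XML. NOTE(review): the XML element markup of the here-string below is missing from this listing; only the interpolated variables remain, so the [xml] cast cannot succeed as shown.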
58 | [xml]$Toast = @"
59 |
60 |
61 |
62 |
63 |
64 | $AttributionText
65 | $HeaderText
66 |
67 |
68 | $TitleText
69 |
70 |
71 |
72 |
73 | $BodyText1
74 |
75 |
76 |
77 |
78 | $BodyText2
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 | "@
88 |
89 | #Send the notification
90 | Display-ToastNotification
91 | Exit 0
--------------------------------------------------------------------------------
/Remediate_DeviceUptime7.ps1:
--------------------------------------------------------------------------------
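function Display-ToastNotification() {
    <#
    .SYNOPSIS
        Shows the toast held in $Toast, attributed to the app id in $App.
    .NOTES
        $Toast and $App are not parameters; they are read from the calling
        script's scope and must be assigned before this function is called.
    #>
    # Referencing the WinRT types loads them into the session; the value itself is not needed.
    $null = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
    $null = [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime]

    # Load the notification into the WinRT XML document type the notifier takes.
    $ToastXml = New-Object -TypeName Windows.Data.Xml.Dom.XmlDocument
    $ToastXml.LoadXml($Toast.OuterXml)

    # Display the toast notification
    try {
        [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($App).Show($ToastXml)
    }
    catch {
        # Write-Output has no -Message or -Level parameter, so the earlier calls
        # failed with a parameter-binding error and the hint was never printed.
        Write-Warning -Message 'Something went wrong when displaying the toast notification'
        Write-Warning -Message 'Make sure the script is running as the logged on user'
    }
}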
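# Setting image variables
# NOTE(review): both URLs follow the mutable 'master' branch of a public repository and the
# downloaded bytes are not verified; pinning to a commit or shipping the images with the
# script would remove the run-time dependency on remote content.
$LogoImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/insignit_512.jpg"
$HeroImageUri = "https://raw.githubusercontent.com/insignit/endpointmanagerbranding/master/InsignIT_hero.png"
$LogoImage = "$env:TEMP\ToastLogoImage.png"
$HeroImage = "$env:TEMP\ToastHeroImage.png"
$Uptime = Get-ComputerInfo | Select-Object OSUptime

# Fetching images from uri.
# -UseBasicParsing keeps Windows PowerShell 5.1 from depending on the Internet Explorer
# engine; a failed download is reported as a warning and the script carries on.
$Downloads = @(
    @{ Uri = $LogoImageUri; File = $LogoImage }
    @{ Uri = $HeroImageUri; File = $HeroImage }
)
foreach ($Download in $Downloads) {
    try {
        Invoke-WebRequest -Uri $Download.Uri -OutFile $Download.File -UseBasicParsing -ErrorAction Stop
    }
    catch {
        Write-Warning -Message "Could not download $($Download.Uri): $($_.Exception.Message)"
    }
}

# Defining the Toast notification settings
$Scenario = 'reminder' #

# Load Toast Notification text
$AttributionText = "Insign.it"
$HeaderText = "Computer Restart is needed!"
$TitleText = "Your device has not performed a reboot the last $($Uptime.OsUptime.Days) days"
$BodyText1 = "For performance and stability reasons we suggest a reboot at least once a week."
$BodyText2 = "Please save your work and restart your device today. Thank you in advance."

# PowerShell is used as the application that owns the toast, so its AppID has to be
# registered for the current user under the Notifications\Settings key.
$RegPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings'
$App = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'

# Create the registry key if it does not exist. Output is discarded so the created
# registry objects do not end up in the remediation output.
if (-not (Test-Path -Path "$RegPath\$App")) {
    New-Item -Path "$RegPath\$App" -Force | Out-Null
}

# Make sure the app used with the action center is enabled
if ((Get-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -ErrorAction SilentlyContinue).ShowInActionCenter -ne '1') {
    New-ItemProperty -Path "$RegPath\$App" -Name 'ShowInActionCenter' -Value 1 -PropertyType 'DWORD' -Force | Out-Null
}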
55 |
56 |
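57 | # Formatting the toast notification XML. NOTE(review): the XML element markup of the here-string below is missing from this listing; only the interpolated variables remain, so the [xml] cast cannot succeed as shown.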
58 | [xml]$Toast = @"
59 |
60 |
61 |
62 |
63 |
64 | $AttributionText
65 | $HeaderText
66 |
67 |
68 | $TitleText
69 |
70 |
71 |
72 |
73 | $BodyText1
74 |
75 |
76 |
77 |
78 | $BodyText2
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 | "@
88 |
89 | #Send the notification
90 | Display-ToastNotification
91 | Exit 0
--------------------------------------------------------------------------------
/Remediate_FastBoot.ps1:
--------------------------------------------------------------------------------
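# Sets HiberbootEnabled to 0 under the Session Manager\Power key (the value this
# FastBoot remediation targets). A failed write is reported through the exit code
# instead of being silenced, in line with the try/catch remediation scripts in this set.
try {
    New-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' -Name 'HiberbootEnabled' -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output 'Remediated'
    exit 0
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}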
2 |
--------------------------------------------------------------------------------
/Remediate_IBeam_TextSelect.ps1:
--------------------------------------------------------------------------------
# Points the current user's IBeam (text select) cursor at beam_il.cur.
$CursorKey = "HKCU:\Control Panel\Cursors"

# Arguments shared by the single registry write below.
$CursorValue = @{
    Path         = $CursorKey
    Name         = "IBeam"
    Value        = "C:\WINDOWS\Cursors\beam_il.cur"
    PropertyType = "String"
    Force        = $true
}

# Create the key first when it is missing; the value is written either way.
if (-not (Test-Path $CursorKey)) {
    New-Item -Path $CursorKey -Force | Out-Null
}
New-ItemProperty @CursorValue | Out-Null
15 |
--------------------------------------------------------------------------------
/Remediate_InitializeInpackageUpdate.ps1:
--------------------------------------------------------------------------------
# Launch the InPackageUpdate app through its AppsFolder entry, give it five
# seconds to run, then end the process again.
Start-Process -FilePath 'shell:AppsFolder\Insign.itGroup.InPackageUpdate_2cfj28fyab6na!App'
Start-Sleep -Seconds 5
Stop-Process -Name 'inpackageupdate'
--------------------------------------------------------------------------------
/Remediate_LSA_Protection.ps1:
--------------------------------------------------------------------------------
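# Turns on LSA protection by setting RunAsPPL = 1 under the Lsa key.
# The value is only picked up at boot, so the device is not protected until it restarts.
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Name = "RunAsPPL"
$Type = "DWORD"
$Value = 1

try {
    # -ErrorAction Stop makes a rejected write (for example a missing elevation)
    # reach the catch block instead of leaving the script to end with exit code 0.
    Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value -ErrorAction Stop
    Write-Output "Remediated: $Name set to $Value (restart required)"
    exit 0
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}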
--------------------------------------------------------------------------------
/Remediate_NetworkProtection.ps1:
--------------------------------------------------------------------------------
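# Enables Microsoft Defender network protection and reports the result through the exit code.
$version = 'R1'
try {
    # -ErrorAction Stop: without it a rejected change may surface as a non-terminating
    # error, the catch block never runs and the script reports "Remediated" anyway.
    Set-MpPreference -EnableNetworkProtection Enabled -ErrorAction Stop

    # Read the setting back so success is only reported when it really changed (1 = Enabled).
    if ((Get-MpPreference -ErrorAction Stop).EnableNetworkProtection -ne 1) {
        throw 'EnableNetworkProtection is not Enabled after Set-MpPreference'
    }
    Write-Output "$version Remediated"
    exit 0
}
catch {
    Write-Output "$version Failed"
    exit 1
}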
--------------------------------------------------------------------------------
/Remediate_Office_Telementry.ps1:
--------------------------------------------------------------------------------
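# Sets the per-user Office policy value DisableTelemetry = 1 under
# ...\office\common\clienttelemetry. The script can be run repeatedly: the earlier
# form failed when the parent key was missing or when the key or value already existed.
$FullPath = "HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry"
$Name = "DisableTelemetry"
$Type = "DWORD"
$Value = 1

try {
    # Create the key (and any missing parents) only when it is absent, so values
    # already stored under an existing key are left untouched.
    if (-not (Test-Path -Path $FullPath)) {
        New-Item -Path $FullPath -Force -ErrorAction Stop | Out-Null
    }
    # -Force overwrites an existing value instead of raising "property already exists".
    New-ItemProperty -Path $FullPath -Name $Name -Value $Value -PropertyType $Type -Force -ErrorAction Stop | Out-Null
    Write-Output 'Remediated'
    exit 0
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}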
10 |
--------------------------------------------------------------------------------
/Remediate_Office_Telemetry.ps1:
--------------------------------------------------------------------------------
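# Sets the per-user Office policy value DisableTelemetry = 1 under
# ...\office\common\clienttelemetry. The script can be run repeatedly: the earlier
# form failed when the parent key was missing or when the key or value already existed.
$FullPath = "HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry"
$Name = "DisableTelemetry"
$Type = "DWORD"
$Value = 1

try {
    # Create the key (and any missing parents) only when it is absent, so values
    # already stored under an existing key are left untouched.
    if (-not (Test-Path -Path $FullPath)) {
        New-Item -Path $FullPath -Force -ErrorAction Stop | Out-Null
    }
    # -Force overwrites an existing value instead of raising "property already exists".
    New-ItemProperty -Path $FullPath -Name $Name -Value $Value -PropertyType $Type -Force -ErrorAction Stop | Out-Null
    Write-Output 'Remediated'
    exit 0
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}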
10 |
--------------------------------------------------------------------------------
/Remediate_OutlookFont_Calibri.ps1:
--------------------------------------------------------------------------------
1 | $ValueSimple = "3C,00,00,00,1F,00,00,F8,00,00,00,40,DC,00,00,00,00,00,00,00,00,00,00,FF,00,22,43,61,6C,69,62,72,69,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
2 | $ValueComposeComplex = "3C,68,74,6D,6C,3E,0D,0A,0D,0A,3C,68,65,61,64,3E,0D,0A,3C,73,74,79,6C,65,3E,0D,0A,0D,0A,20,2F,2A,20,53,74,79,6C,65,20,44,65,66,69,6E,69,74,69,6F,6E,73,20,2A,2F,0D,0A,20,73,70,61,6E,2E,50,65,72,73,6F,6E,61,6C,43,6F,6D,70,6F,73,65,53,74,79,6C,65,0D,0A,09,7B,6D,73,6F,2D,73,74,79,6C,65,2D,6E,61,6D,65,3A,22,50,65,72,73,6F,6E,61,6C,20,43,6F,6D,70,6F,73,65,20,53,74,79,6C,65,22,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,74,79,70,65,3A,70,65,72,73,6F,6E,61,6C,2D,63,6F,6D,70,6F,73,65,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,6E,6F,73,68,6F,77,3A,79,65,73,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,75,6E,68,69,64,65,3A,6E,6F,3B,0D,0A,09,6D,73,6F,2D,61,6E,73,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,43,61,6C,69,62,72,69,22,2C,73,61,6E,73,2D,73,65,72,69,66,3B,0D,0A,09,6D,73,6F,2D,61,73,63,69,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,68,61,6E,73,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,54,69,6D,65,73,20,4E,65,77,20,52,6F,6D,61,6E,22,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,62,69,64,69,3B,0D,0A,09,63,6F,6C,6F,72,3A,77,69,6E,64,6F,77,74,65,78,74,3B,0D,0A,09,66,6F,6E,74,2D,77,65,69,67,68,74,3A,6E,6F,72,6D,61,6C,3B,0D,0A,09,66,6F,6E,74,2D,73,74,79,6C,65,3A,6E,6F,72,6D,61,6C,3B,7D,0D,0A,2D,2D,3E,0D,0A,3C,2F,73,74,79,6C,65,3E,0D,0A,3C,2F,68,65,61,64,3E,0D,0A,0D,0A,3C,2F,68,74,6D,6C,3E,0D,0A"
3 | $ValueReplyComplex = "3C,68,74,6D,6C,3E,0D,0A,0D,0A,3C,68,65,61,64,3E,0D,0A,3C,73,74,79,6C,65,3E,0D,0A,0D,0A,20,2F,2A,20,53,74,79,6C,65,20,44,65,66,69,6E,69,74,69,6F,6E,73,20,2A,2F,0D,0A,20,73,70,61,6E,2E,50,65,72,73,6F,6E,61,6C,52,65,70,6C,79,53,74,79,6C,65,0D,0A,09,7B,6D,73,6F,2D,73,74,79,6C,65,2D,6E,61,6D,65,3A,22,50,65,72,73,6F,6E,61,6C,20,52,65,70,6C,79,20,53,74,79,6C,65,22,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,74,79,70,65,3A,70,65,72,73,6F,6E,61,6C,2D,72,65,70,6C,79,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,6E,6F,73,68,6F,77,3A,79,65,73,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,75,6E,68,69,64,65,3A,6E,6F,3B,0D,0A,09,6D,73,6F,2D,61,6E,73,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,43,61,6C,69,62,72,69,22,2C,73,61,6E,73,2D,73,65,72,69,66,3B,0D,0A,09,6D,73,6F,2D,61,73,63,69,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,68,61,6E,73,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,54,69,6D,65,73,20,4E,65,77,20,52,6F,6D,61,6E,22,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,62,69,64,69,3B,0D,0A,09,63,6F,6C,6F,72,3A,77,69,6E,64,6F,77,74,65,78,74,3B,0D,0A,09,66,6F,6E,74,2D,77,65,69,67,68,74,3A,6E,6F,72,6D,61,6C,3B,0D,0A,09,66,6F,6E,74,2D,73,74,79,6C,65,3A,6E,6F,72,6D,61,6C,3B,7D,0D,0A,2D,2D,3E,0D,0A,3C,2F,73,74,79,6C,65,3E,0D,0A,3C,2F,68,65,61,64,3E,0D,0A,0D,0A,3C,2F,68,74,6D,6C,3E,0D,0A"
4 | $ValueTextComplex = "3C,68,74,6D,6C,3E,0D,0A,0D,0A,3C,68,65,61,64,3E,0D,0A,3C,73,74,79,6C,65,3E,0D,0A,0D,0A,20,2F,2A,20,53,74,79,6C,65,20,44,65,66,69,6E,69,74,69,6F,6E,73,20,2A,2F,0D,0A,20,70,2E,4D,73,6F,50,6C,61,69,6E,54,65,78,74,2C,20,6C,69,2E,4D,73,6F,50,6C,61,69,6E,54,65,78,74,2C,20,64,69,76,2E,4D,73,6F,50,6C,61,69,6E,54,65,78,74,0D,0A,09,7B,6D,73,6F,2D,73,74,79,6C,65,2D,6E,6F,73,68,6F,77,3A,79,65,73,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,70,72,69,6F,72,69,74,79,3A,39,39,3B,0D,0A,09,6D,73,6F,2D,73,74,79,6C,65,2D,6C,69,6E,6B,3A,22,50,6C,61,69,6E,20,54,65,78,74,20,43,68,61,72,22,3B,0D,0A,09,6D,61,72,67,69,6E,3A,30,69,6E,3B,0D,0A,09,6D,73,6F,2D,70,61,67,69,6E,61,74,69,6F,6E,3A,77,69,64,6F,77,2D,6F,72,70,68,61,6E,3B,0D,0A,09,66,6F,6E,74,2D,73,69,7A,65,3A,31,31,2E,30,70,74,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,73,69,7A,65,3A,31,30,2E,35,70,74,3B,0D,0A,09,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,43,61,6C,69,62,72,69,22,2C,73,61,6E,73,2D,73,65,72,69,66,3B,0D,0A,09,6D,73,6F,2D,66,61,72,65,61,73,74,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,43,61,6C,69,62,72,69,3B,0D,0A,09,6D,73,6F,2D,66,61,72,65,61,73,74,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,6C,61,74,69,6E,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,66,6F,6E,74,2D,66,61,6D,69,6C,79,3A,22,54,69,6D,65,73,20,4E,65,77,20,52,6F,6D,61,6E,22,3B,0D,0A,09,6D,73,6F,2D,62,69,64,69,2D,74,68,65,6D,65,2D,66,6F,6E,74,3A,6D,69,6E,6F,72,2D,62,69,64,69,3B,7D,0D,0A,2D,2D,3E,0D,0A,3C,2F,73,74,79,6C,65,3E,0D,0A,3C,2F,68,65,61,64,3E,0D,0A,0D,0A,3C,2F,68,74,6D,6C,3E,0D,0A"
5 |
# Per-user Outlook (Office 16.0) key that receives the default-font blobs defined above.
$registryPath = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\mailsettings'

# Each $Value* string is a comma-separated list of hex bytes; prefix every item
# with 0x and cast the list to a byte array ("3C" -> 0x3C).
$bytesSimple         = [byte[]]($ValueSimple.Split(',') | ForEach-Object { "0x$_" })
$bytesComposeComplex = [byte[]]($ValueComposeComplex.Split(',') | ForEach-Object { "0x$_" })
$bytesReplyComplex   = [byte[]]($ValueReplyComplex.Split(',') | ForEach-Object { "0x$_" })
$bytesTextComplex    = [byte[]]($ValueTextComplex.Split(',') | ForEach-Object { "0x$_" })

# Registry value names and the blob each one gets, in the order they are written.
$fontValues = @(
    @{ Name = "ComposeFontSimple";  Bytes = $bytesSimple }
    @{ Name = "ReplyFontSimple";    Bytes = $bytesSimple }
    @{ Name = "TextFontSimple";     Bytes = $bytesSimple }
    @{ Name = "ComposeFontComplex"; Bytes = $bytesComposeComplex }
    @{ Name = "ReplyFontComplex";   Bytes = $bytesReplyComplex }
    @{ Name = "TextFontComplex";    Bytes = $bytesTextComplex }
)

if (Test-Path $registryPath) {
    # Key already exists: clear NewTheme, set ThemeFont and overwrite the six blobs.
    Set-ItemProperty -Path $registryPath -name NewTheme -value $null
    Set-ItemProperty -Path $registryPath -name ThemeFont -value 2
    foreach ($font in $fontValues) {
        Set-ItemProperty -Path $registryPath -Name $font.Name -Value $font.Bytes -Force
    }
}
else {
    # Key is missing: create it, add an empty NewTheme string and write the six blobs.
    # ThemeFont is only written on the existing-key path above.
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -name NewTheme -PropertyType string
    foreach ($font in $fontValues) {
        New-ItemProperty -Path $registryPath -Name $font.Name -Value $font.Bytes -PropertyType Binary -Force
    }
}
--------------------------------------------------------------------------------
/Remediate_PUA-Protection.ps1:
--------------------------------------------------------------------------------
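# Enables Microsoft Defender PUA (potentially unwanted application) protection and
# reports the result through the exit code.
$version = 'R1'
try {
    # -ErrorAction Stop: without it a rejected change may surface as a non-terminating
    # error, the catch block never runs and the script reports "Remediated" anyway.
    Set-MpPreference -PUAProtection Enabled -ErrorAction Stop

    # Read the setting back so success is only reported when it really changed (1 = Enabled).
    if ((Get-MpPreference -ErrorAction Stop).PUAProtection -ne 1) {
        throw 'PUAProtection is not Enabled after Set-MpPreference'
    }
    Write-Output "$version Remediated"
    exit 0
}
catch {
    Write-Output "$version Failed"
    exit 1
}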
--------------------------------------------------------------------------------
/Remediate_RDP.ps1:
--------------------------------------------------------------------------------
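# Sets fDenyTSConnections to 0, which ALLOWS incoming Remote Desktop connections to this device.
# NOTE(review): this widens the device's remote-access surface. Before assigning the script,
# confirm that Network Level Authentication is required and that the RDP firewall rules are
# limited to the management networks; neither is checked or changed here.
try {
    # A failed write is reported through the exit code instead of being silenced.
    New-ItemProperty -LiteralPath 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output 'Remediated'
    exit 0
}
catch {
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}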
--------------------------------------------------------------------------------
/Remediate_RDP_fClientDisableUDP.ps1:
--------------------------------------------------------------------------------
# Writes the Remote Desktop client policy value fClientDisableUDP = 1.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client"

# Arguments shared by the single registry write below.
$PolicyValue = @{
    Path         = $PolicyKey
    Name         = "fClientDisableUDP"
    Value        = "1"
    PropertyType = "DWord"
    Force        = $true
}

# Create the policy key first when it is missing; the value is written either way.
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty @PolicyValue | Out-Null
15 |
--------------------------------------------------------------------------------
/Remediate_RealTimeBehavior.ps1:
--------------------------------------------------------------------------------
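# Re-enables Microsoft Defender behavior monitoring and reports the result through the exit code.
$version = 'R1'
try {
    # -ErrorAction Stop: without it a rejected change may surface as a non-terminating
    # error, the catch block never runs and the script reports "Remediated" anyway.
    Set-MpPreference -DisableBehaviorMonitoring $false -ErrorAction Stop

    # Read the setting back so success is only reported when monitoring is really on.
    if ((Get-MpPreference -ErrorAction Stop).DisableBehaviorMonitoring) {
        throw 'DisableBehaviorMonitoring is still set after Set-MpPreference'
    }
    Write-Output "$version Remediated"
    exit 0
}
catch {
    Write-Output "$version Failed"
    exit 1
}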
--------------------------------------------------------------------------------
/Remediate_RealTimeProtection.ps1:
--------------------------------------------------------------------------------
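# Re-enables Microsoft Defender real-time monitoring and reports the result through the exit code.
$version = 'R1'
try {
    # -ErrorAction Stop: without it a rejected change may surface as a non-terminating
    # error, the catch block never runs and the script reports "Remediated" anyway.
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop

    # Read the setting back so success is only reported when monitoring is really on.
    # NOTE(review): a policy or Tamper Protection may override this preference — confirm
    # against the matching detection script.
    if ((Get-MpPreference -ErrorAction Stop).DisableRealtimeMonitoring) {
        throw 'DisableRealtimeMonitoring is still set after Set-MpPreference'
    }
    Write-Output "$version Remediated"
    exit 0
}
catch {
    Write-Output "$version Failed"
    exit 1
}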
--------------------------------------------------------------------------------
/Remediate_TeamsConsumerChat_W11.ps1:
--------------------------------------------------------------------------------
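# Removes the new Microsoft Teams consumer app on Windows 11.
# The app is removed because it can only be used with personal Microsoft accounts.

try {
    # Both stages stop on error so a failed lookup or removal reaches the catch block.
    Get-AppxPackage -Name MicrosoftTeams -ErrorAction Stop | Remove-AppxPackage -ErrorAction Stop
    Write-Host "Microsoft Teams app successfully removed"
    exit 0
}
catch {
    # Report the cause and return a failing exit code; previously the script ended
    # without an explicit exit code after a failed removal.
    Write-Error "Error removing Microsoft Teams app: $($_.Exception.Message)"
    exit 1
}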
--------------------------------------------------------------------------------
/Remediate_TimeZone_W_Europe.ps1:
--------------------------------------------------------------------------------
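# Sets the system time zone to "W. Europe Standard Time". tzutil is a native
# command, so its exit code is passed on explicitly; otherwise a failed change
# would still end the script with exit code 0.
tzutil /s "W. Europe Standard Time"
exit $LASTEXITCODE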
--------------------------------------------------------------------------------
/Remediate_W11_VPN-error.ps1:
--------------------------------------------------------------------------------
# Remediation: remove the VPN connection and trigger an Intune sync.
# The VPN connection should be available again within a few minutes.

# Name of the VPN connection, exactly as shown in the "Name" output.
$VPNName = "AOVPN"

# Hang up the connection, wait two seconds, then remove its entry.
Rasphone -h "$VPNName"
Start-Sleep -Seconds 2
Rasphone -r "$VPNName"

# Force the Intune sync by starting the 'Pushlaunch' scheduled task.
Get-ScheduledTask | Where-Object { $_.TaskName -eq 'Pushlaunch' } | Start-ScheduledTask
--------------------------------------------------------------------------------
/Remediate_W32TimeService.ps1:
--------------------------------------------------------------------------------
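<#
=============================================================================================================================
Script Name:     RemediateW32TimeService.ps1
Description:     Purpose of this script is to start the "Windows Time Service" and change its startup type to Automatic
Notes:           No variable substitution needed
=============================================================================================================================
#>
# Define Variables
$svcCur = "W32Time"
$curSvcStat, $svcCTRSvc, $errMsg = "", "", ""
$ctr = 0

# First, make sure nothing has changed since detection: the service must still exist.
# -ErrorAction Stop turns "service not found" into an error the catch block sees.
try {
    $svcCTRSvc = Get-Service $svcCur -ErrorAction Stop
    $curSvcStat = $svcCTRSvc.Status
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}

# If the service was started between detection and now, there is nothing left to do.
# Any other state than Stopped or Running is reported as an error.
if ($curSvcStat -ne "Stopped") {
    if ($curSvcStat -eq "Running") {
        Write-Output "Running"
        exit 0
    }
    else {
        # $errMsg is still empty on this path, so describe the state instead.
        Write-Error "Service $svcCur is in unexpected state '$curSvcStat'"
        exit 1
    }
}

# The service exists and is stopped: change the startup type and get it running.
try {
    # The description promises startup type Automatic, which was never actually set.
    Set-Service -Name $svcCur -StartupType Automatic -ErrorAction Stop
    Start-Service $svcCur -ErrorAction Stop
    w32tm /resync

    # Poll the live status every 5 seconds, for at most 60 seconds. The counter needs
    # its '$' and the status must be re-read, otherwise the loop cannot end on success.
    $curSvcStat = (Get-Service $svcCur).Status
    while ($curSvcStat -eq "Stopped") {
        Start-Sleep -Seconds 5
        $ctr++
        if ($ctr -eq 12) {
            Write-Output "Service could not be started after 60 seconds"
            exit 1
        }
        $curSvcStat = (Get-Service $svcCur).Status
    }
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}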
54 | SIG # Begin signature block
55 | #Removed the Signature
56 | SIG # End signature block
--------------------------------------------------------------------------------