Trigger reboot and script execution, securely - powershell

I am using PowerShell to manage Autodesk installs, many of which depend on .NET, and some of which install services, which they then try to start, and if the required .NET isn't available that install stalls with a dialog that requires user action, despite the fact that the install was run silently. Because Autodesk are morons.
That said, I CAN install .NET 4.8 with PowerShell, but because PowerShell is dependent on .NET, that will complete with exit code 3010, Reboot Required.
So that leaves me with the option of either managing .NET separately, or triggering that reboot and continuing the Autodesk installs in a state that will actually succeed.
The former has always been a viable option in office environments, where I can use Group Policy or SCCM or the like, then use my tool for the Autodesk stuff that is not well handled by other approaches. But that falls apart when you need to support the Work From Home scenario, which is becoming a major part of AEC practice. Not to mention the fact that many/most even large AEC firms don't have internal GP or SCCM expertise, and more and more firm management is choosing to outsource IT support, all to often to low cost glorified help desk outfits with even less GP/SCCM knowledge. So, I am looking for a solution that fits these criteria.
1: Needs to be secure.
2: Needs to support access to network resources where the install assets are located, which have limited permissions and thus require credentials to access.
3: Needs to support remote initiation of some sort, PowerShell remote jobs, PowerShell remoting to create a scheduled task, etc.
I know you can trigger a script to run at boot in System context, but my understanding is that because system context isn't an actual user you don't have access to network resources in that case. And that would only really be viable if I could easily change the logon screen to make VERY clear to users that installs are underway and to not logon until they are complete and the logon screen is back to normal. Which I think is really not easily doable because Microsoft makes it near impossible to make temporary changes/messaging on the logon screen.
I also know I can do a one time request for credentials on the machine, and save those credentials as a secure file. From then on I can access those credentials so long as I am logged in as the same user. But that then suggests rebooting with automatic logon as a specific user. And so far as I can tell, doing that requires a clear text password in the registry. Once I have credentials as a secure file, is there any way to trigger a reboot and one time automatic logon using those secure credentials? Or is any automatic reboot and logon always a less than secure option?
EDIT: I did just find this that seems to suggest a way to use HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon without using a plain text DefaultPassword. The challenge is figuring out how to do this in PowerShell when you don't know C#. Hopefully someone can verify this is a viable approach before I invest too much time in trying to implement it for testing. :)
And, on a related note, everything I have read about remote PowerShell jobs and the Second Hop Problem suggests the only "real" solution is to use CredSSP, which is itself innately insecure. But it is also a lot of old information, predating Windows 10 for the most part, and I wonder if that is STILL true? Or perhaps was never true, since none of the authors claiming CredSSP to be insecure explained in detail WHY it was insecure, which is to me a red flag that maybe someone is just complaining to get views.

Related

Is it possible to install Windows Updates on multiple, remote servers through Powershell?

I am a network admin with very little experience coding or using Powershell. About once a month I have to check for and install Windows updates on about 25 servers. I've played around with Powershell in hopes of handling this task in a more automated fashion but get hung up getting the servers to actually install the updates after checking. I apologize for posting such a noob question, but can anyone let me know if this is possible and if so, show me the ways of your dark arts?
WSUS will require you to install the components and setup the profiles etc. If you have a large number of servers on a single network, that is your best bet for delivering the content.
If you just want to be able to schedule and run the updates on specific remote hosts, there is a ton of stuff already available that will do this and you just need to come up with your implementation of scheduling the updates for what hosts. I did this exact thing for a prior employer for 10k plus servers world wide using a web app for the owners to schedule the updates and then back end workflow to perform the approval requests, installs, logging, etc..
PowerShell Gallery is a good start. Here is a post that walks you through using PSWindowsUpdate.

Way to pull Exchange permissions

Maybe an easy question for someone who knows Powershell and O365 well. Is there a way to configure it so when a command is run for example to pull all access to a shared mailbox, that either a service account is permissioned each time to pull that information or the user who is running the script? I looked at connecting an SA to the script but it would have too much access to 0365 to give it the specific permissions. So the account is not permissioned for the access by default but every time the script/command is ran its permissioned for that inquiry which it shows then it won't have access until the next time its called.
Looking to add this type of function to a script which we only want the helpdesk people to see the information when they run the script and the specific command in the script.
Hopefully explained clear enough :)
Thanks all.
I don't think there is a way to do that natively. You could fiddle something with Azure PIM but that's more for one-off operations than minute action that are done often.
You could however circumvent that by making some sort of web interface that triggers commands on another server using a privileged SA and returns the output through the web interface. You can just make it so that the interface can only request one specific command to be run, and the only thing you have to worry about is sanitizing your parameters well to avoid unwanted injection.
Alternatively, what are you trying to protect against by restricting access so much ? Isn't it something that could be done more easily using a read-only account and some clearly defined policy ? If your helpdesk people overstep their allowed scope, that's a management/HR problem as much as a technical one.

Is there anyway to have powershell respond to pings like a typical automated server?

Some people on our team have rights to reset MFA on azure, and others do not. I was wondering if powershell had -some- functionality where I could build some kind of server with it that would respond to prompts from those team members.
My controller would basically have my credentials signed in, and based on pings from my team members, it would take their input and perform the MFA reset using my credentials. I already have tools that allow me, personal, to send these requests, but I do not know if Powershell has the capability to act as a controller/server of some form and respond to commands such as this.
Basically: Coworker pings my machine, my machine performs the reset with my credentials via powershell. Everything I have found thus far is about running remote credentials on other machines, and not having powershell itself act as some kind of controller. Is it even possible? Or am I going to have to use something else to do this. Powershell isn't a language I am super familiar with and something I had to learn on the fly

Can't set the priority of a service

I noticed that my fan goes up a lot on occasion for no apparent reason. Investigation shows that it's the process Antimalware Service Executable, the service Windows Defender Antivirus Service and the file executed is MsMpEng.exe.
I want it to be able to run still but not go bananas, so I tried to set its priority to low. However, Windows barked at me that the operation could not be completed and that access was denied.
How can I force the service to run at a limited performance?
You can't, by design. That "by design" means that if you find a hack, a future security update of Windows will likely render your hack inoperable.
The key word here is "security". The whole point of anti-malware is that detects malware even when the malware tries to avoid detection. To make that work, Windows treats anti-malware software as a special case, and offers it additional protection. If there was an answer to your question, it would be treated by Microsoft as a bug.

How to force Windows Server 2008 to believe a user is logged in interactively?

I've written some UI Automation that runs an installer and clicks on its buttons to complete the installation without human interaction.
The main reason to do this is to automate installations that cannot be automated through orthodox means (such as parameters, or deployment packages).
This is a low cost solution and it works well on a user pc, but crucially it doesn't work on our build farm, which the system was written for primarily.
After some investigation I think this is due to the fact that in the build agents although a user is logged in, this login is not "interactive", and the screen will not be rendered unless Windows has to.
I can force the rendering by connecting via Remote Desktop, and the automation works correctly then.
If the Remote Desktop window loses focus though (for example by being behind another window), the automation stops working.
I suspect if I could trick Windows into believing a user is logged in interactively, and Windows rendered, the automation would work fine, but I have no idea how to achieve this.
I know this solution is far from solid and if you can recommend better ways to approach the problem I'm happy to hear them, but it's really cheap to implement, and quite effective if it can be made to work (the code being built in the build farm depends on the packages being installer, so after a sync the auto installer needs to be run, and we'll have up to 30-40 machines to manage and maintain).
In short: does anybody know how to trick Windows into believing it should behave as if a human user was logged in interactively?
Thank you in advance!