用於補救的 PowerShell 腳本
本文包含客戶可實作或作為範本的範例腳本,以瞭解如何建立自己的腳本。 使用此處提供的資訊來建立補救的腳本套 件。
腳本描述
下表顯示文稿名稱、描述、偵測、補救和可設定的專案。 名稱開頭為的 Detect
腳本檔案是偵測腳本。 補救腳本的開頭為 Remediate
。 您可以從本文的下一節複製這些腳本。
指令碼名稱 | 描述 |
---|---|
檢查網路憑證Detect_Expired_Issuer_Certificates.ps1 Remediate_Expired_Issuer_Certificates.ps1 |
偵測 CA 在電腦或使用者的個人存放區中發行的憑證已過期或即將到期。
藉由在偵測腳本中變更 的 $strMatch 值來指定 CA。 針對 指定 0 $expiringDays 以尋找過期的憑證,或指定其他天數來尋找即將到期的憑證。
藉由向使用者提出快顯通知來進行補救。 $Title 使用您希望使用者看到的訊息標題和文字來指定 和 $msgText 值。
通知使用者可能需要更新的過期憑證。 使用登入認證執行腳本:是 |
清除過時的憑證Detect_Expired_User_Certificates.ps1 Remediate_Expired_User_Certificates.ps1 |
偵測目前用戶個人存放區中 CA 所簽發的過期憑證。
藉由在偵測腳本中變更 的 $certCN 值來指定 CA。
從目前使用者的個人存放區中刪除 CA 所簽發的過期憑證,以進行補救。 藉由在補救腳本中變更 的 $certCN 值來指定 CA。
從目前使用者的個人存放區尋找並刪除 CA 所簽發的過期憑證。 使用登入認證執行腳本:是 |
更新過時的組 策略 (內建) Detect_stale_Group_Policies.ps1 Remediate_stale_GroupPolicies.ps1 |
偵測上次 群組原則 重新整理是否大於7 days 之前。
此腳本套件隨附於補救,但如果您想要變更閾值,則會提供複本。 藉由變更偵測腳本中的 值來自定義七天閾值 $numDays 。
藉由執行 gpupdate /target:computer /force 來補救,且gpupdate /target:user /force 可協助減少透過 群組原則 傳遞憑證和設定時的網路連線相關支援呼叫。 使用登入認證執行腳本:是 |
檢查網路憑證腳本套件
此腳本套件會偵測計算機或用戶個人存放區中CA所簽發的過期或即將到期的憑證。 腳本會藉由向使用者提出快顯通知來進行補救。
Detect_Expired_Issuer_Certificates.ps1
#=============================================================================================================================
#
# Script Name: Detect_Expired_Issuer_Certificates.ps1
# Description: Detect expired certificates issued by "CN=<your CA here>" in either Machine
# or User certificate store
# Notes: Change the value of the variable $strMatch from "CN=<your CA here>" to "CN=..."
# For testing purposes the value of the variable $expiringDays can be changed to a positive integer
# Don't change the $results variable
#
#=============================================================================================================================
# Define Variables
$results = @()
$expiringDays = 0
$strMatch = "CN=<your CA here>"
try
{
$results = @(Get-ChildItem -Path Cert:\LocalMachine\My -Recurse -ExpiringInDays $expiringDays | where {$_.Issuer -match $strMatch})
$results += @(Get-ChildItem -Path Cert:\CurrentUser\My -Recurse -ExpiringInDays $expiringDays | where {$_.Issuer -match $strMatch})
if (($results -ne $null)){
#Below necessary for Intune as of 10/2019 will only remediate Exit Code 1
Write-Host "Match"
Return $results.count
exit 1
}
else{
#No matching certificates, do not remediate
Write-Host "No_Match"
exit 0
}
}
catch{
$errMsg = $_.Exception.Message
Write-Error $errMsg
exit 1
}
Remediate_Expired_Issuer_Certificates.ps1
#=============================================================================================================================
#
# Script Name: Remediate_Expired_Issuer_Certificates.ps1
# Description: Raise a Toast Notification if expired certificates issued by "CN=..."
# to user or machine on the machine where detection script found them. No remediation action besides
# the Toast is taken.
# Notes: Change the values of the variables $Title and $msgText
#
#=============================================================================================================================
## Raise toast to have user contact whoever is specified in the $msgText
# Define Variables
$delExpCert = 0
$Title = "Title"
$msgText = "message"
# Main script
[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null
[Windows.UI.Notifications.ToastNotification, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null
[Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime] | Out-Null
$APP_ID = '{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe'
$template = @"
<toast>
<visual>
<binding template="ToastText02">
<text id="1">$Title</text>
<text id="2">$msgText</text>
</binding>
</visual>
</toast>
"@
$xml = New-Object Windows.Data.Xml.Dom.XmlDocument
$xml.LoadXml($template)
$toast = New-Object Windows.UI.Notifications.ToastNotification $xml
[Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier($APP_ID).Show($toast)
清除過時的憑證腳本套件
此腳本套件會偵測目前用戶個人存放區中 CA 所簽發的過期憑證。 腳本會從目前使用者的個人存放區中刪除 CA 所簽發的過期憑證,以進行補救。
Detect_Expired_User_Certificates.ps1
#=============================================================================================================================
#
# Script Name: Detect_Expired_User_Certificates.ps1
# Description: Detect expired certificates issued by "CN=<your CA here>" to User
# Notes: Change the value of the variable $certCN from "CN=<your CA here>" to "CN=...".
# Don't change $results
#
#=============================================================================================================================
# Define Variables
$results = 0
$certCN = "CN=<your CA here>"
try
{
$results = Get-ChildItem -Path Cert:\CurrentUser\My -Recurse -ExpiringInDays 0 | where {$_.Issuer -eq($certCN)}
if (($results -ne $null)){
#Below necessary for Intune as of 10/2019 will only remediate Exit Code 1
Write-Host "Match"
Return $results.count
exit 1
}
else{
Write-Host "No_Match"
exit 0
}
}
catch{
$errMsg = $_.Exception.Message
Write-Error $errMsg
exit 1
}
Remediate_Expired_User_Certificates.ps1
#=============================================================================================================================
#
# Script Name: Remediate_Expired_User_Certificates.ps1
# Description: Remove expired certificates issued by "CN=<your CA here>" to User
# Notes: Change the value of the variable $certCN from "CN=<your CA here>" to "CN=..."
#
#=============================================================================================================================
# Define Variables
$certCN = "CN=<your CA here>"
try
{
Get-ChildItem -Path cert:\CurrentUser -Recurse -ExpiringInDays 0 | where {$_.Issuer -eq($certCN)} | Remove-Item
exit 0
}
catch{
$errMsg = $_.Exception.Message
Write-Error $errMsg
exit 1
}
更新過時的組策略腳本套件
此腳本套件隨附於補救,但如果您想要變更閾值,則會提供複本。
此腳本套件會偵測上次 群組原則 重新整理是否大於7 days
之前。 腳本會藉由執行 gpupdate /target:computer /force
和 gpupdate /target:user /force
來補救。
Detect_stale_Group_Policies.ps1
#=============================================================================================================================
#
# Script Name: Detect_stale_Group_Policies.ps1
# Description: Detect if Group Policy has been updated within number of days
# Notes: Remediate if "Match", $lastGPUpdateDays default value of 7, change as appropriate
#
#=============================================================================================================================
# Define Variables
try {
$gpResult = [datetime]::FromFileTime(([Int64] ((Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}").startTimeHi) -shl 32) -bor ((Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}").startTimeLo))
$lastGPUpdateDate = Get-Date ($gpResult[0])
[int]$lastGPUpdateDays = (New-TimeSpan -Start $lastGPUpdateDate -End (Get-Date)).Days
if ($lastGPUpdateDays -gt 7){
#Exit 1 for Intune. We want it to be within the last 7 days "Match" to remediate in SCCM
Write-Host "Match"
exit 1
}
else {
#Exit 0 for Intune and "No_Match" for SCCM, only remediate "Match"
Write-Host "No_Match"
exit 0
}
}
catch {
$errMsg = $_.Exception.Message
return $errMsg
exit 1
}
Remediate_stale_GroupPolicies.ps1
#=============================================================================================================================
#
# Script Name: Remediate_stale_GroupPolicies.ps1
# Description: This script triggers Group Policy update
# Notes: No variable substitution needed
#
#=============================================================================================================================
try {
$compGPUpd = gpupdate /force
$gpResult = [datetime]::FromFileTime(([Int64] ((Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}").startTimeHi) -shl 32) -bor ((Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}").startTimeLo))
$lastGPUpdateDate = Get-Date ($gpResult[0])
[int]$lastGPUpdateDays = (New-TimeSpan -Start $lastGPUpdateDate -End (Get-Date)).Days
if ($lastGPUpdateDays -eq 0){
Write-Host "gpupdate completed successfully"
exit 0
}
else{
Write-Host "gpupdate failed"
}
}
catch{
$errMsg = $_.Exception.Message
return $errMsg
exit 1
}
後續步驟
如需部署腳本套件的相關信息,請參閱 補救。