<#
.SYNOPSIS
Creates firewall rules for Microsoft Teams.
Modified substantially from the original version found at: https://docs.microsoft.com/en-us/microsoftteams/get-clients#sample-powershell-script
by author.
.DESCRIPTION
(c) Microsoft Corporation 2018 and Michael Mardahl. All rights reserved. Script provided as-is without any warranty of any kind. Use it freely at your own risks.
Must be run with elevated permissions.
Designed to be run as user assigned PowerShell Script from Intune, or as a Scheduled Task run as SYSTEM at user login.
The script will create a new inbound firewall rule for the currently logged in user.
Requires PowerShell 3.0.
.INPUTS
None
.OUTPUTS
Log file stored in %SystemDrive%\Windows\TEMP\log_Update-TeamsFWRules.txt
Log file is copied to users own TEMP dir IF execution is successful.
.NOTES
Version: 1.0
Author: Michael Mardahl
Twitter: @michael_mardahl
Blogging on: www.iphase.dk and www.msendpointmgr.com
Creation Date: 28 March 2020
Purpose/Change: Initial script development
.EXAMPLE
.\Update-TeamsFWRules.ps1 -Force
Adds the required Teams Firewall Rules
Execute the script in SYSTEM context!
#>
#Requires -Version 3
#Requires -Runasadministrator
#region Declarations
# Transcript location. Starts out under the system TEMP folder; on a successful run
# the execution section copies it into the logged-in user's own TEMP folder.
$logPath = Join-Path -Path $env:SystemRoot -ChildPath "\TEMP\log_Update-TeamsFWRules.txt"
# When $true, any rules already bound to the user's Teams.exe are purged and the
# rules defined by this script are created even if Teams.exe is not present yet
# ($true is the suggested setting).
$Force = $true
#endregion Declarations
#region Functions
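Function Get-LoggedInUserProfile() {
    # Resolves the interactively logged-on user (Win32_ComputerSystem.UserName,
    # in "DOMAIN\user" form) to that user's profile folder under <SystemDrive>\Users.
    # Returns the profile folder object (Name / FullName are what callers use).
    # Throws when no user is logged on or no matching folder exists, so a caller
    # never receives $null and never acts on the wrong profile.
    try {
        $loggedInUser = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName
        if ([string]::IsNullOrWhiteSpace($loggedInUser)) {
            # Without this guard an empty UserName turned the filter below into a bare
            # "*" wildcard, silently selecting the first profile folder of some other user.
            Throw "No user is logged on to the primary session."
        }
        # Last segment handles both "DOMAIN\user" and a bare user name.
        $username = ($loggedInUser -split "\\")[-1]
        $usersRoot = Join-Path -Path $env:SystemDrive -ChildPath 'Users'
        $candidates = Get-ChildItem -Path $usersRoot -Directory | Where-Object Name -Like "$username*"
        # Prefer an exact folder-name match so "bob" does not resolve to "bobby" or
        # "bob.OLDDOMAIN"; fall back to the first prefix match (the original behaviour)
        # only when no exact match exists. Several leftover profiles should be cleaned up.
        $userProfile = $candidates | Where-Object Name -eq $username | Select-Object -First 1
        if (-not $userProfile) {
            $userProfile = $candidates | Select-Object -First 1
        }
        if (-not $userProfile) {
            Throw "No profile folder for '$username' found under $usersRoot."
        }
    } catch [Exception] {
        $Message = "Unable to find logged in users profile folder. User is not logged on to the primary session: $_"
        Throw $Message
    }
    return $userProfile
}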
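Function Set-TeamsFWRule($ProfileObj) {
    # Creates the per-user inbound Windows Firewall rules for Teams.exe:
    # Allow on the Domain profile (LAN screen sharing), Block on Public and Private.
    # $ProfileObj: the user's profile folder object; Name and FullName are read.
    # Reads the script-level $Force: when set, rules already bound to the program
    # path are purged first and the rules are created even if Teams.exe is absent.
    # Throws when $ProfileObj is missing, or when Teams.exe is absent and $Force is off.
    if (-not $ProfileObj -or -not $ProfileObj.FullName) {
        Throw "No user profile object supplied; cannot determine the Teams.exe path."
    }
    Write-Verbose "Identified the current user as: $($ProfileObj.Name)" -Verbose
    $progPath = Join-Path -Path $ProfileObj.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
    # -LiteralPath: a user name containing wildcard characters must not be globbed.
    $teamsPresent = Test-Path -LiteralPath $progPath
    if (-not $teamsPresent -and -not $Force) {
        $Message = "Teams not found in $progPath - use the force parameter to override."
        Throw "$Message"
    }
    if ($Force) {
        # Purge any pre-existing rules bound to this program path (including user-made ones).
        Write-Verbose "Force switch set: Purging any pre-existing rules." -Verbose
        Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue | Remove-NetFirewallRule -ErrorAction SilentlyContinue
    }
    if (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule already exists!" -Verbose
        return
    }
    $ruleName = "Teams.exe for user $($ProfileObj.Name)"
    Write-Verbose "Adding Firewall rule: $ruleName" -Verbose
    # The program path lives inside the user's own profile, so the Allow rule is
    # limited to the Domain profile; Public and Private get an explicit Block.
    New-NetFirewallRule -DisplayName "$ruleName" -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol Any
    New-NetFirewallRule -DisplayName "$ruleName" -Direction Inbound -Profile Public,Private -Program $progPath -Action Block -Protocol Any
}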
#endregion Functions
#region Execution
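#Start logging
Start-Transcript $logPath -Force
#Add rule to WFAS
Try {
    Write-Output "Adding inbound Firewall rule for the currently logged in user."
    # Resolve the profile once and reuse it: calling Get-LoggedInUserProfile twice
    # costs a second WMI round trip and could in principle resolve a different user.
    $userProfile = Get-LoggedInUserProfile
    Set-TeamsFWRule -ProfileObj $userProfile
    # Copy the log file to the user's own temp directory.
    # NOTE(review): this runs as SYSTEM and writes into a folder the user controls;
    # if that is a concern in your environment, keep the log in $logPath only.
    $userTemp = Join-Path -Path $userProfile.FullName -ChildPath "AppData\Local\Temp\"
    Copy-Item -Path $logPath -Destination $userTemp -Force
} catch [Exception] {
    # Something went wrong; record it in the transcript and fail the script.
    $Message = "Houston we have a problem: $_"
    Write-Output "$Message"
    exit 1
} Finally {
    # Finally also runs when 'exit' is used inside Catch, so the transcript is
    # always closed.
    Stop-Transcript
}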
#endregion Execution