# <#
# .SYNOPSIS
# Removes legacy Cloud Signature Update Agent Run keys and creates a user-specific scheduled task to run the agent once per logon.
#
# .DESCRIPTION
# This script iterates through all local user profiles, removes any existing Run key entries for the Exclaimer Cloud Signature Update Agent in both HKCU and HKLM,
# and creates a per-user scheduled task to execute the agent at logon with a limited runtime of 15 minutes.
# The task is uniquely named per user to avoid conflicts and ensures offline signatures continue to function while reducing persistent ASR alert triggers.
#
# .NOTES
# Date: 13th March 2026
# Version: 1.0.0
#
# .PRODUCTS
# Exclaimer Cloud Signature Update Agent
#
# .REQUIREMENTS
# - PowerShell 5.1+ or PowerShell Core
# - Administrative privileges to remove HKLM Run keys
# - Local user profiles present under C:\Users
# - Script executed in SYSTEM context for Intune deployment
#
# .VERSION
# 1.1.0
# - Cleans per-user and machine-level Run keys for Cloud Signature Update Agent
# - Detects active user sessions via HKU Volatile Environment
# - Validates Cloud Signature Update Agent installation path per user
# - Creates a scheduled task for each detected user to run the agent at logon
# - Scheduled task automatically terminates after a configurable runtime
# - Avoids task name conflicts by appending username
# - Adds configurable overrideExistingTask option:
# • 0 = Skip task creation if task already exists (default, idempotent for Intune)
# • 1 = Remove existing task and recreate it
# - Adds configurable runTimeLimitMinutes variable to adjust task runtime (default 15 minutes)
#
# .INSTRUCTIONS
# **Deployment via Intune (Recommended for testing and production rollout):**
# 1. Save the script as `CloudSignatureUpdateAgent_runOnce.ps1`.
# 2. Go to Microsoft Endpoint Manager portal → Devices → Scripts → Add → Windows 10 and later.
# 3. Upload the PowerShell script.
# 4. Configure settings:
# - Run script using logged-on credentials: No (system context required)
# - Enforce script signature check: No
# - Run script in 64-bit PowerShell Host: Yes
# 5. Assign the script to a test device group first.
# 6. Monitor deployment under Devices → PowerShell scripts → Device status.
# 7. Verify on test endpoints:
# - Run keys removed from HKCU and HKLM
# - Scheduled task created per detected user
# - Task runs at user logon and stops automatically after $runTimeLimitMinutes minutes
# - Script safely re-runs without recreating tasks unless overrideExistingTask = 1
# >
# -------------------------------
# Choose the runtime limit for the scheduled task and whether to override existing tasks if they already exist.
# -------------------------------
# 0 = leave an already-registered task untouched (safe for repeated runs),
# 1 = unregister the existing task and register it again.
$overrideExistingTask = 0
# Minutes the per-user logon task may run before Task Scheduler stops it
# (passed to -ExecutionTimeLimit when the task settings are built).
$runTimeLimitMinutes = 15
# -------------------------------
# Ensure the script is running with elevated permissions
# -------------------------------
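# The steps below edit HKLM and other users' hives under HKEY_USERS and register
# scheduled tasks for other accounts, so stop early when the token is not elevated.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    # The script never relaunches itself; it only reports the problem and exits with
    # a non-zero code, so the message says exactly that.
    Write-Host 'Elevated privileges are required. Run this script as administrator or in SYSTEM context. Exiting.'
    # Short pause so an interactive operator can read the message before the window closes.
    Start-Sleep -Seconds 3
    exit 1
}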
# -------------------------------
# Remove Exclaimer Agent Run keys (all users)
# -------------------------------
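function RemoveUserRunKey {
    <#
    .SYNOPSIS
    Removes the Cloud Signature Update Agent autostart value from one user's Run key.

    .PARAMETER sid
    Name of the hive under HKEY_USERS (the user's SID string) whose Run key is cleaned.

    .NOTES
    Writes a "Removed" line only when a matching value existed and the removal succeeded,
    so the deployment log can be used to confirm which hives were actually changed.
    #>
    param($sid)

    $runPath = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runPath)) { return }

    # Leading wildcard: every Run value whose name ENDS with this text is removed,
    # not only an exact match. Keep the pattern as narrow as the product allows.
    $valuePattern = "*Cloud Signature Update Agent"

    $runKey = Get-Item -Path $runPath -ErrorAction SilentlyContinue
    if (-not $runKey) { return }

    $matchingNames = @($runKey.GetValueNames() | Where-Object { $_ -like $valuePattern })
    if ($matchingNames.Count -eq 0) { return }

    try {
        Remove-ItemProperty -Path $runPath -Name $valuePattern -ErrorAction Stop
        Write-Host "Removed Run key for user hive $sid"
    }
    catch {
        # Report the failure instead of claiming success; the script carries on with other hives.
        Write-Host "Failed to remove Run key for user hive ${sid}: $($_.Exception.Message)"
    }
}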
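# HKEY_USERS only exposes hives that are currently loaded, so accounts that are not
# logged on keep their HKCU Run value until a later run of this script.
# The filter keeps SID-named keys, drops short SIDs via the length check, and skips
# the companion *_Classes hives.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSChildName -match '^S-' -and
        $_.PSChildName.Length -ge 30 -and
        $_.PSChildName -notmatch '_Classes$'
    }

foreach ($hive in $userHives) {
    RemoveUserRunKey -sid $hive.PSChildName
}

# Machine-wide autostart entry. Log "Removed" only when the value was present and the
# removal succeeded, so the log reflects what actually changed on the device.
$runKeyMachine = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$machineValueName = "Cloud Signature Update Agent"
$machineRunKey = Get-Item -Path $runKeyMachine -ErrorAction SilentlyContinue

if ($machineRunKey -and ($machineRunKey.GetValueNames() -contains $machineValueName)) {
    try {
        Remove-ItemProperty -Path $runKeyMachine -Name $machineValueName -ErrorAction Stop
        Write-Host "Removed HKLM Run key for Cloud Signature Update Agent"
    }
    catch {
        Write-Host "Failed to remove HKLM Run key for Cloud Signature Update Agent: $($_.Exception.Message)"
    }
}
else {
    Write-Host "No HKLM Run key found for Cloud Signature Update Agent"
}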
# -------------------------------
# Create Scheduled Task for each active user session
# -------------------------------
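# Loaded hives of regular accounts (S-1-5-21-...), without the *_Classes companions.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

foreach ($hive in $userHives) {
    $hiveName = $hive.PSChildName

    # Presence of "Volatile Environment" is used as the marker of an active session.
    $volEnvPath = "Registry::HKEY_USERS\$hiveName\Volatile Environment"
    if (-not (Test-Path $volEnvPath)) { continue }

    $envProps = Get-ItemProperty $volEnvPath
    $localAppData = $envProps.LOCALAPPDATA
    if (-not $localAppData) { continue }

    # "Volatile Environment" sits inside the user's own hive and is writable by that user,
    # while this script runs elevated. USERNAME/USERDOMAIN read from it must therefore not
    # decide which account the task is registered for. The account is resolved from the
    # hive's SID instead, which the user cannot change.
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($hiveName)
        $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        Write-Host "Could not resolve an account name for hive $hiveName. Skipping task creation."
        continue
    }

    $userDomain, $username = $account -split '\\', 2
    if (-not $username) { continue }

    # NOTE(review): LOCALAPPDATA is still a user-supplied value. It is only used to locate
    # the executable for a task that runs as the same user with a limited token.
    $exePath = Join-Path $localAppData "Programs\Exclaimer Ltd\Cloud Signature Update Agent\Exclaimer.CloudSignatureAgent.exe"
    if (-not (Test-Path $exePath)) {
        Write-Host "Agent not found for $userDomain\$username. Skipping task creation."
        continue
    }
    Write-Host "Found agent for $userDomain\$username at $exePath"

    # The task name carries only the user name; two accounts with the same name in
    # different domains would map to the same task.
    $taskName = "ExclaimerSignatureAgent_LogonRun_$username"

    # Existence is checked by name only; the existing task's action and principal are not compared.
    $existingTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($existingTask) {
        if ($overrideExistingTask -eq 1) {
            Write-Host "Scheduled task '$taskName' already exists. Override enabled. Recreating."
            Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
        }
        else {
            Write-Host "Scheduled task '$taskName' already exists. Skipping."
            continue
        }
    }

    $action = New-ScheduledTaskAction -Execute $exePath

    $trigger = New-ScheduledTaskTrigger `
        -AtLogOn `
        -User "$userDomain\$username"

    # Task Scheduler stops the agent once the configured runtime limit has elapsed.
    $settings = New-ScheduledTaskSettingsSet `
        -ExecutionTimeLimit (New-TimeSpan -Minutes $runTimeLimitMinutes) `
        -AllowStartIfOnBatteries `
        -DontStopIfGoingOnBatteries

    # Interactive logon with a limited run level: the agent runs in the user's own
    # session without elevation.
    $principal = New-ScheduledTaskPrincipal `
        -UserId "$userDomain\$username" `
        -LogonType Interactive `
        -RunLevel Limited

    Register-ScheduledTask `
        -TaskName $taskName `
        -Action $action `
        -Trigger $trigger `
        -Settings $settings `
        -Principal $principal `
        -Description "Runs Exclaimer Cloud Signature Update Agent at logon with limited runtime"

    Write-Host "Scheduled task '$taskName' created for $userDomain\$username"
}

Write-Host "All Run keys cleaned and scheduled task validation completed."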