
Commit 51f1511

authored
Merge pull request #2 from markstan/markstan-patch-2
Update Validate-NDESConfiguration.ps1
2 parents 1ff9832 + d317e1b commit 51f1511


1 file changed

+65
-33
lines changed


CertificationAuthority/Validate-NDESConfiguration.ps1

Lines changed: 65 additions & 33 deletions
@@ -1,4 +1,4 @@
1-
1+
22
<#
33
44
.SYNOPSIS
@@ -25,6 +25,11 @@ https://docs.microsoft.com/en-us/intune/certificates-scep-configure#configure-yo
2525
[CmdletBinding(DefaultParameterSetName="NormalRun")]
2626

2727
Param(
28+
29+
[parameter(Mandatory=$false,ParameterSetName="Unattended")]
30+
[alias("ua","silent","s","unattended")]
31+
[switch]$unattend,
32+
2833
[parameter(Mandatory=$true,ParameterSetName="NormalRun")]
2934
[alias("sa")]
3035
[ValidateScript({
@@ -51,8 +56,9 @@ Param(
5156
}
5257

5358
else {
54-
55-
Throw "Incorrect Domain. Ensure domain is '$($Domain)\<USERNAME>'"
59+
if (-not $unattend) {
60+
Throw "Incorrect Domain. Ensure domain is '$($Domain)\<USERNAME>'"
61+
}
5662

5763
}
5864

@@ -90,9 +96,11 @@ Param(
9096

9197
[parameter(ParameterSetName="Help")]
9298
[alias("u")]
93-
[switch]$usage
99+
[switch]$usage
100+
101+
102+
94103

95-
96104
)
97105

98106
#######################################################################
@@ -195,23 +203,33 @@ $LogFilePath = "$($TempDirPath)\Validate-NDESConfig.log"
195203

196204
#region Proceed with Variables...
197205

198-
Write-Host
199-
Write-host "......................................................."
200-
Write-Host
201-
Write-Host "NDES Service Account = "-NoNewline
202-
Write-Host "$($NDESServiceAccount)" -ForegroundColor Cyan
203-
Write-host
204-
Write-Host "Issuing CA Server = " -NoNewline
205-
Write-Host "$($IssuingCAServerFQDN)" -ForegroundColor Cyan
206-
Write-host
207-
Write-Host "SCEP Certificate Template = " -NoNewline
208-
Write-Host "$($SCEPUserCertTemplate)" -ForegroundColor Cyan
209-
Write-Host
210-
Write-host "......................................................."
211-
Write-Host
212-
Write-Host "Proceed with variables? [Y]es, [N]o"
206+
213207

214-
$confirmation = Read-Host
208+
if ($unattend) {
209+
$NDESServiceAccount = Get-Item 'IIS:\AppPools\SCEP' | select -expandproperty processmodel | select -Expand username
210+
$IssuingCAServerFQDN = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\CAInfo).Configuration -replace "\\.*$", ""
211+
$SCEPUserCertTemplate = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP).EncryptionTemplate
212+
$confirmation = "y"
213+
}
214+
else {
215+
Write-Host
216+
Write-host "......................................................."
217+
Write-Host
218+
Write-Host "NDES Service Account = "-NoNewline
219+
Write-Host "$($NDESServiceAccount)" -ForegroundColor Cyan
220+
Write-host
221+
Write-Host "Issuing CA Server = " -NoNewline
222+
Write-Host "$($IssuingCAServerFQDN)" -ForegroundColor Cyan
223+
Write-host
224+
Write-Host "SCEP Certificate Template = " -NoNewline
225+
Write-Host "$($SCEPUserCertTemplate)" -ForegroundColor Cyan
226+
Write-Host
227+
Write-host "......................................................."
228+
Write-Host
229+
Write-Host "Proceed with variables? [Y]es, [N]o"
230+
$confirmation = Read-Host
231+
}
232+
215233

216234
#endregion
217235

@@ -303,9 +321,9 @@ Write-host
303321
Log-ScriptEvent $LogFilePath "Checking NDES Service Account properties in Active Directory" NDES_Validation 1
304322

305323
$ADUser = $NDESServiceAccount.split("\")[1]
306-
307324
$ADUserProps = (Get-ADUser $ADUser -Properties SamAccountName,enabled,AccountExpirationDate,accountExpires,accountlockouttime,PasswordExpired,PasswordLastSet,PasswordNeverExpires,LockedOut)
308325

326+
309327
if ($ADUserProps.enabled -ne $TRUE -OR $ADUserProps.PasswordExpired -ne $false -OR $ADUserProps.LockedOut -eq $TRUE){
310328

311329
Write-Host "Error: Problem with the AD account. Please see output below to determine the issue" -BackgroundColor Red
@@ -323,31 +341,32 @@ $ADUserProps = (Get-ADUser $ADUser -Properties SamAccountName,enabled,AccountExp
323341
}
324342

325343

326-
327344
Get-ADUser $ADUser -Properties SamAccountName,enabled,AccountExpirationDate,accountExpires,accountlockouttime,PasswordExpired,PasswordLastSet,PasswordNeverExpires,LockedOut | fl SamAccountName,enabled,AccountExpirationDate,accountExpires,accountlockouttime,PasswordExpired,PasswordLastSet,PasswordNeverExpires,LockedOut
328-
345+
329346
#endregion
330347

331348
#######################################################################
332349

333350
#region Checking if NDES server is the CA
334351

335-
Write-host
336-
Write-host "......................................................."
337-
Write-host
338-
Write-host "Checking if NDES server is the CA..." -ForegroundColor Yellow
339-
Write-host
352+
Write-host "`n.......................................................`n"
353+
Write-host "Checking if NDES server is the CA...`n" -ForegroundColor Yellow
340354
Log-ScriptEvent $LogFilePath "Checking if NDES server is the CA" NDES_Validation 1
341355

342356
$hostname = ([System.Net.Dns]::GetHostByName(($env:computerName))).hostname
357+
$CARoleInstalled = (Get-WindowsFeature ADCS-Cert-Authority).InstallState -eq "Installed"
343358

344359
if ($hostname -match $IssuingCAServerFQDN){
345360

346361
Write-host "Error: NDES is running on the CA. This is an unsupported configuration!" -BackgroundColor Red
347362
Log-ScriptEvent $LogFilePath "NDES is running on the CA" NDES_Validation 3
348363

349364
}
350-
365+
elseif($CARoleInstalled)
366+
{
367+
Write-host "Error: NDES server has Certification Authority Role installed. This is an unsupported configuration!" -BackgroundColor Red
368+
Log-ScriptEvent $LogFilePath "NDES server has Certification Authority Role installed" NDES_Validation 3
369+
}
351370
else {
352371

353372
Write-Host "Success: " -ForegroundColor Green -NoNewline
@@ -1576,9 +1595,15 @@ Write-host "......................................................."
15761595
Write-host
15771596
Write-host "Log Files..." -ForegroundColor Yellow
15781597
Write-host
1579-
write-host "Do you want to gather troubleshooting files? This includes IIS, NDES Connector, NDES Plugin, CRP, and MSCEP log files, in addition to the SCEP template configuration. [Y]es, [N]o:"
1580-
$LogFileCollectionConfirmation = Read-Host
1581-
1598+
if ($unattend) {
1599+
Write-Host "Automatically gathering files."
1600+
$LogFileCollectionConfirmation = "y"
1601+
}
1602+
else {
1603+
Write-Host "Do you want to gather troubleshooting files? This includes IIS, NDES Connector, NDES Plugin, CRP, and MSCEP log files, in addition to the SCEP template configuration. [Y]es, [N]o:"
1604+
$LogFileCollectionConfirmation = Read-Host
1605+
}
1606+
15821607
if ($LogFileCollectionConfirmation -eq "y"){
15831608

15841609
$IISLogPath = (Get-WebConfigurationProperty "/system.applicationHost/sites/siteDefaults" -name logfile.directory).Value + "\W3SVC1" -replace "%SystemDrive%",$env:SystemDrive
@@ -1659,6 +1684,13 @@ Write-Host
16591684

16601685
write-host "Log file copied to $($LogFilePath)"
16611686
Write-Host
1687+
# for ODC
1688+
$copyPath = "$env:temp\CollectedData\Intune\Files\NDES"
1689+
if ($unattend ){
1690+
if ( -not (test-path $copyPath) ) { mkdir $copyPath -Force }
1691+
copy $LogFilePath $copyPath
1692+
}
1693+
16621694

16631695
}
16641696
write-host "Ending script..." -ForegroundColor Yellow
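Review bot: In unattended mode the three values pulled from IIS and the registry (new lines 209–211) skip every check the interactive path gets: the service-account `ValidateScript` never runs because that parameter is not bound, and if `Get-Item 'IIS:\AppPools\SCEP'` returns nothing (pool named differently, WebAdministration not loaded) `$NDESServiceAccount` is empty and the later `$NDESServiceAccount.split("\")[1]` dies on a null value with nobody at the console to react. The `if (-not $unattend)` guard added inside the `ValidateScript` block does not rescue this either — when the `Throw` is skipped the scriptblock returns `$null`, which `ValidateScript` still treats as a failed validation, and it is doubtful `$unattend` is even bound by the time that block executes. I would fail fast right after discovery, refusing to continue on any empty value and applying the same `DOMAIN\USERNAME` shape the interactive path enforces, as sketched below. It is also worth confirming that `EncryptionTemplate` is the right registry value to test; NDES also stores `SignatureTemplate` and `GeneralPurposeTemplate`, and a template configured under one of those would presumably never be checked in this mode.
```powershell
if ($unattend) {
    # … unchanged: discovery of $NDESServiceAccount, $IssuingCAServerFQDN, $SCEPUserCertTemplate from IIS/registry …
    # Unattended values bypass parameter validation, so refuse to continue on anything empty or malformed.
    $discovered = @{
        NDESServiceAccount   = $NDESServiceAccount
        IssuingCAServerFQDN  = $IssuingCAServerFQDN
        SCEPUserCertTemplate = $SCEPUserCertTemplate
    }
    foreach ($name in $discovered.Keys) {
        if ([string]::IsNullOrWhiteSpace($discovered[$name])) {
            Log-ScriptEvent $LogFilePath "Unattended discovery: $name could not be read from IIS/registry" NDES_Validation 3
            Throw "Unattended discovery failed: $name is empty. Run interactively and supply the value."
        }
    }
    if ($NDESServiceAccount -notmatch '^[^\\]+\\[^\\]+$') {
        Throw "Unattended discovery failed: NDES service account '$NDESServiceAccount' is not in DOMAIN\USERNAME form."
    }
    $confirmation = "y"
}
# … unchanged: interactive prompt and Read-Host branch …
```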
