Merge pull request #418 from Romanitho/GPO-enhancement

Gpo enhancement / reworked

Author: Romanitho

.github/workflows/WAU-AutoCreatePreVersion.yml

@@ -82,11 +82,14 @@ jobs:
 
       - name: Build project
         run: |
-          zip -r WAU Winget-AutoUpdate/*
-          zip -r WAU Winget-AutoUpdate-Install.ps1
-          zip -r WAU excluded_apps.txt
-          zip -r WAU install.bat
-          zip -r WAU uninstall.bat
+          zip -r WAU.zip Winget-AutoUpdate
+          zip WAU.zip Winget-AutoUpdate-Install.ps1
+          zip WAU.zip excluded_apps.txt
+          zip WAU.zip install.bat
+          zip WAU.zip uninstall.bat
+          cd Policies
+          zip -r ../WAU_ADMX.zip *
+          cd ..
 
       - name: Create release
         uses: "ncipollo/release-action@v1"
@@ -96,7 +99,7 @@ jobs:
           prerelease: true
           generateReleaseNotes: true
           name: "v${{ steps.versioning.outputs.version }} [Nightly Build]"
-          artifacts: "WAU.zip"
+          artifacts: "WAU.zip,WAU_ADMX.zip"
 
       - name: URL to release
         run: echo "Release -> ${{ steps.release.outputs.html_url }}"

.github/workflows/WAU-CreateNewVersion.yml

@@ -55,11 +55,14 @@ jobs:
 
       - name: Build project
         run: |
-          zip -r WAU Winget-AutoUpdate/*
-          zip -r WAU Winget-AutoUpdate-Install.ps1
-          zip -r WAU excluded_apps.txt
-          zip -r WAU install.bat
-          zip -r WAU uninstall.bat
+          zip -r WAU.zip Winget-AutoUpdate
+          zip WAU.zip Winget-AutoUpdate-Install.ps1
+          zip WAU.zip excluded_apps.txt
+          zip WAU.zip install.bat
+          zip WAU.zip uninstall.bat
+          cd Policies
+          zip -r ../WAU_ADMX.zip *
+          cd ..
 
       - name: Create release
         uses: "ncipollo/release-action@v1"
@@ -68,4 +71,4 @@ jobs:
           prerelease: ${{ github.event.inputs.pre-release }}
           generateReleaseNotes: true
           name: "v${{ steps.versioning.outputs.version }}"
-          artifacts: "WAU.zip"
+          artifacts: "WAU.zip,WAU_ADMX.zip"

Policies/WAU.admx renamed to Policies/ADMX/WAU.admx

@@ -172,8 +172,8 @@ Remove scheduled tasks and scripts.
 See https://github.com/Romanitho/Winget-AutoUpdate/discussions/88
 
 ## Custom script (Mods for WAU)
-**Mods for WAU** allows you to craft a script to do whatever you like via `_WAU-mods.ps1` in the **mods** folder.  
-This script executes **if the network is active/any version of Winget is installed/WAU is running as SYSTEM**.  
+**Mods for WAU** allows you to craft a script to do whatever you like via `_WAU-mods.ps1` in the **mods** folder.<br>
+This script executes **if the network is active/any version of Winget is installed/WAU is running as SYSTEM**.<br>
 If **ExitCode** is **1** from `_WAU-mods.ps1` then **Re-run WAU**.
 ## Custom scripts (Mods feature for Apps)
 From version 1.8.0, the Mods feature allows you to run additional scripts when upgrading or installing an app.
@@ -206,7 +206,7 @@ This will use the **content** of the text file as a native **winget --override**
 In an enterprise environment it's crucial that different groups can have different settings in applications etc. or to implement other mandatory settings, i.e for security/management reasons.<br>
 **WAU** doesn't have any setting that can be changed except for when installing (or editing the registry/the task `Winget-AutoUpdate` as **Admin**).<br>
 With the use of **ADML/ADMX** files you can manage every **WAU** setting from within **GPO**.<br>
-They will be detected/evaluated during the next run of **WAU** (taking effect before any actions).<br>
+They will be detected/evaluated on a daily basis.<br>
 The **GPO ADMX/ADML** validated with: [Windows 10 - Validate ADMX for Ingestion](https://developer.vmware.com/samples/7115/windows-10---validate-admx-for-ingestion)<br>
 Read more in the `README.md` under the directory **Policies**.
 

Policies/en-US/WAU.adml renamed to Policies/ADMX/en-US/WAU.adml

@@ -249,7 +249,7 @@ function Install-WinGet {
             }
             Remove-Item -Path $VCLibsFile -Force
         }
-        
+
         #Download WinGet MSIXBundle
         Write-Host "-> Downloading WinGet MSIXBundle for App Installer..."
         $WinGetURL = "https://github.com/microsoft/winget-cli/releases/download/v$WinGetAvailableVersion/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle"
@@ -401,6 +401,15 @@ function Install-WingetAutoUpdate {
         $task = New-ScheduledTask -Action $taskAction -Principal $taskUserPrincipal -Settings $taskSettings
         Register-ScheduledTask -TaskName 'Winget-AutoUpdate-Notify' -TaskPath 'WAU' -InputObject $task -Force | Out-Null
 
+        # Settings for the GPO scheduled task
+        $taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$($WingetUpdatePath)\WAU-Policies.ps1`""
+        $tasktrigger = New-ScheduledTaskTrigger -Daily -At 6am
+        $taskUserPrincipal = New-ScheduledTaskPrincipal -UserId S-1-5-18 -RunLevel Highest
+        $taskSettings = New-ScheduledTaskSettingsSet -Compatibility Win8 -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 00:05:00
+        # Set up the task, and register it
+        $task = New-ScheduledTask -Action $taskAction -Principal $taskUserPrincipal -Settings $taskSettings -Trigger $taskTrigger
+        Register-ScheduledTask -TaskName 'Winget-AutoUpdate-Policies' -TaskPath 'WAU' -InputObject $task -Force | Out-Null
+
         #Set task readable/runnable for all users
         $scheduler = New-Object -ComObject "Schedule.Service"
         $scheduler.Connect()
@@ -433,6 +442,7 @@ function Install-WingetAutoUpdate {
         New-ItemProperty $regPath -Name WAU_MaxLogFiles -Value $MaxLogFiles -PropertyType DWord -Force | Out-Null
         New-ItemProperty $regPath -Name WAU_MaxLogSize -Value $MaxLogSize -PropertyType DWord -Force | Out-Null
         New-ItemProperty $regPath -Name WAU_UpdatesAtTime -Value $UpdatesAtTime -Force | Out-Null
+        New-ItemProperty $regPath -Name WAU_UpdatesInterval -Value $UpdatesInterval -Force | Out-Null
         if ($UpdatesAtLogon) {
             New-ItemProperty $regPath -Name WAU_UpdatesAtLogon -Value 1 -PropertyType DWord -Force | Out-Null
         }
@@ -540,6 +550,7 @@ function Uninstall-WingetAutoUpdate {
             Get-ScheduledTask -TaskName "Winget-AutoUpdate" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
             Get-ScheduledTask -TaskName "Winget-AutoUpdate-Notify" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
             Get-ScheduledTask -TaskName "Winget-AutoUpdate-UserContext" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
+            Get-ScheduledTask -TaskName "Winget-AutoUpdate-Policies" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
             & reg delete "HKCR\AppUserModelId\Windows.SystemToast.Winget.Notification" /f | Out-Null
             & reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate" /f | Out-Null
 

README.md

@@ -0,0 +1,101 @@
+<#
+.SYNOPSIS
+Handle GPO/Polices
+
+.DESCRIPTION
+Daily update settings from policies
+#>
+
+#Import functions
+. "$PSScriptRoot\functions\Get-WAUConfig.ps1"
+. "$PSScriptRoot\functions\Add-Shortcut.ps1"
+
+#Check if GPO Management is enabled
+$ActivateGPOManagement = Get-ItemPropertyValue "HKLM:\SOFTWARE\Policies\Romanitho\Winget-AutoUpdate" -Name "WAU_ActivateGPOManagement" -ErrorAction SilentlyContinue
+if ($ActivateGPOManagement -eq 1) {
+    #Add (or update) tag to activate WAU-Policies Management
+    New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate" -Name WAU_RunGPOManagement -Value 1 -Force | Out-Null
+}
+
+#Get WAU settings
+$WAUConfig = Get-WAUConfig
+
+#Check if GPO got applied from Get-WAUConfig (tag)
+if ($WAUConfig.WAU_RunGPOManagement -eq 1) {
+
+    #Log init
+    $GPOLogFile = "$($WAUConfig.InstallLocation)\logs\LatestAppliedSettings.txt"
+    Set-Content -Path $GPOLogFile -Value "###  POLICY CYCLE - $(Get-Date)  ###`n"
+
+    #Reset WAU_RunGPOManagement if not GPO managed anymore (This is used to run this job one last time and reset initial settings)
+    if ($($WAUConfig.WAU_ActivateGPOManagement -eq 1)) {
+        Add-Content -Path $GPOLogFile -Value "GPO Management Enabled. Policies updated."
+    }
+    else {
+        New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate" -Name WAU_RunGPOManagement -Value 0 -Force | Out-Null
+        $WAUConfig.WAU_RunGPOManagement = 0
+        Add-Content -Path $GPOLogFile -Value "GPO Management Disabled. Policies removed."
+    }
+
+    #Get Winget-AutoUpdate scheduled task
+    $WAUTask = Get-ScheduledTask -TaskName 'Winget-AutoUpdate' -ErrorAction SilentlyContinue
+
+    #Update 'Winget-AutoUpdate' scheduled task settings
+    $taskTriggers = @()
+    if ($WAUConfig.WAU_UpdatesAtLogon -eq 1) {
+        $tasktriggers += New-ScheduledTaskTrigger -AtLogOn
+    }
+    if ($WAUConfig.WAU_UpdatesInterval -eq "Daily") {
+        $tasktriggers += New-ScheduledTaskTrigger -Daily -At $WAUConfig.WAU_UpdatesAtTime
+    }
+    elseif ($WAUConfig.WAU_UpdatesInterval -eq "BiDaily") {
+        $tasktriggers += New-ScheduledTaskTrigger -Daily -At $WAUConfig.WAU_UpdatesAtTime -DaysInterval 2
+    }
+    elseif ($WAUConfig.WAU_UpdatesInterval -eq "Weekly") {
+        $tasktriggers += New-ScheduledTaskTrigger -Weekly -At $WAUConfig.WAU_UpdatesAtTime -DaysOfWeek 2
+    }
+    elseif ($WAUConfig.WAU_UpdatesInterval -eq "BiWeekly") {
+        $tasktriggers += New-ScheduledTaskTrigger -Weekly -At $WAUConfig.WAU_UpdatesAtTime -DaysOfWeek 2 -WeeksInterval 2
+    }
+    elseif ($WAUConfig.WAU_UpdatesInterval -eq "Monthly") {
+        $tasktriggers += New-ScheduledTaskTrigger -Weekly -At $WAUConfig.WAU_UpdatesAtTime -DaysOfWeek 2 -WeeksInterval 4
+    }
+    #If trigger(s) set
+    if ($taskTriggers) {
+        #Edit scheduled task
+        Set-ScheduledTask -TaskPath $WAUTask.TaskPath -TaskName $WAUTask.TaskName -Trigger $taskTriggers | Out-Null
+    }
+    #If not, remove trigger(s)
+    else {
+        #Remove by setting past due date
+        $tasktriggers = New-ScheduledTaskTrigger -Once -At "01/01/1970"
+        Set-ScheduledTask -TaskPath $WAUTask.TaskPath -TaskName $WAUTask.TaskName -Trigger $taskTriggers | Out-Null
+    }
+
+    #Update Desktop shortcut
+    $DesktopShortcut = "${env:Public}\Desktop\WAU - Check for updated Apps.lnk"
+    if (($WAUConfig.WAU_DesktopShortcut -eq 1) -and !(Test-Path $DesktopShortcut)) {
+        Add-Shortcut "wscript.exe" $DesktopShortcut "`"$($WAUConfig.InstallLocation)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WAUConfig.InstallLocation)\user-run.ps1`"`"" "${env:SystemRoot}\System32\shell32.dll,-16739" "Manual start of Winget-AutoUpdate (WAU)..."
+    }
+    elseif ($WAUConfig.WAU_DesktopShortcut -ne 1) {
+        Remove-Item -Path $DesktopShortcut -Force -ErrorAction SilentlyContinue | Out-Null
+    }
+
+    #Update Start Menu shortcuts
+    $StartMenuShortcut = "${env:ProgramData}\Microsoft\Windows\Start Menu\Programs\Winget-AutoUpdate (WAU)"
+    if (($WAUConfig.WAU_StartMenuShortcut -eq 1) -and !(Test-Path $StartMenuShortcut)) {
+        New-Item -ItemType Directory -Force -Path $StartMenuShortcut | Out-Null
+        Add-Shortcut "wscript.exe" "$StartMenuShortcut\WAU - Check for updated Apps.lnk" "`"$($WAUConfig.InstallLocation)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WAUConfig.InstallLocation)\user-run.ps1`"`"" "${env:SystemRoot}\System32\shell32.dll,-16739" "Manual start of Winget-AutoUpdate (WAU)..."
+        Add-Shortcut "wscript.exe" "$StartMenuShortcut\WAU - Open logs.lnk" "`"$($WAUConfig.InstallLocation)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WAUConfig.InstallLocation)\user-run.ps1`" -Logs`"" "${env:SystemRoot}\System32\shell32.dll,-16763" "Open existing WAU logs..."
+        Add-Shortcut "wscript.exe" "$StartMenuShortcut\WAU - Web Help.lnk" "`"$($WAUConfig.InstallLocation)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WAUConfig.InstallLocation)\user-run.ps1`" -Help`"" "${env:SystemRoot}\System32\shell32.dll,-24" "Help for WAU..."
+    }
+    elseif ($WAUConfig.WAU_StartMenuShortcut -ne 1) {
+        Remove-Item -Path $StartMenuShortcut -Recurse -Force -ErrorAction SilentlyContinue | Out-Null
+    }
+
+    #Log latest applied config
+    Add-Content -Path $GPOLogFile -Value "`nLatest applied settings:"
+    $WAUConfig.PSObject.Properties | Where-Object { $_.Name -like "WAU_*" } | Select-Object Name, Value | Out-File -Encoding default -FilePath $GPOLogFile -Append
+}
+
+Exit 0

Winget-AutoUpdate-Install.ps1

@@ -50,6 +50,7 @@ try {
         Get-ScheduledTask -TaskName "Winget-AutoUpdate" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
         Get-ScheduledTask -TaskName "Winget-AutoUpdate-Notify" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
         Get-ScheduledTask -TaskName "Winget-AutoUpdate-UserContext" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
+        Get-ScheduledTask -TaskName "Winget-AutoUpdate-Policies" -ErrorAction SilentlyContinue | Unregister-ScheduledTask -Confirm:$False
         & reg delete "HKCR\AppUserModelId\Windows.SystemToast.Winget.Notification" /f | Out-Null
         & reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate" /f | Out-Null
         if (Test-Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate") {

Winget-AutoUpdate/WAU-Policies.ps1

@@ -14,25 +14,16 @@ $Script:IsSystem = [System.Security.Principal.WindowsIdentity]::GetCurrent().IsS
 #Run log initialisation function
 Start-Init
 
-#Get WAU Configurations
-$Script:WAUConfig = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winget-AutoUpdate"
+#Get settings and Domain/Local Policies (GPO) if activated.
+$WAUConfig = Get-WAUConfig
+if ($($WAUPolicies.WAU_ActivateGPOManagement -eq 1)) {
+    Write-ToLog "WAU Policies management Enabled."
+}
 
 #Log running context and more...
 if ($IsSystem) {
     Write-ToLog "Running in System context"
 
-    #Get and set Domain/Local Policies (GPO)
-    $ActivateGPOManagement, $ChangedSettings = Get-Policies
-    if ($ActivateGPOManagement) {
-        Write-ToLog "Activated WAU GPO Management detected, comparing..."
-        if ($null -ne $ChangedSettings -and $ChangedSettings -ne 0) {
-            Write-ToLog "Changed settings detected and applied" "Yellow"
-        }
-        else {
-            Write-ToLog "No Changed settings detected" "Yellow"
-        }
-    }
-
     # Maximum number of log files to keep. Default is 3. Setting MaxLogFiles to 0 will keep all log files.
     $MaxLogFiles = $WAUConfig.WAU_MaxLogFiles
     if ($null -eq $MaxLogFiles) {
@@ -315,7 +306,7 @@ if (Test-Network) {
                 $UserContextTask = Get-ScheduledTask -TaskName 'Winget-AutoUpdate-UserContext' -ErrorAction SilentlyContinue
                 if (!$UserContextTask) {
                     #Create the scheduled task in User context
-                    $taskAction = New-ScheduledTaskAction -Execute "wscript.exe" -Argument "`"$($WingetUpdatePath)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WingetUpdatePath)\winget-upgrade.ps1`"`""
+                    $taskAction = New-ScheduledTaskAction -Execute "wscript.exe" -Argument "`"$($WAUConfig.InstallLocation)\Invisible.vbs`" `"powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"`"`"$($WAUConfig.InstallLocation)\winget-upgrade.ps1`"`""
                     $taskUserPrincipal = New-ScheduledTaskPrincipal -GroupId S-1-5-11
                     $taskSettings = New-ScheduledTaskSettingsSet -Compatibility Win8 -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 03:00:00
                     $task = New-ScheduledTask -Action $taskAction -Principal $taskUserPrincipal -Settings $taskSettings