Publish supplemental scripts

SkipToTheEndpoint · SkipToTheEndpoint · commit fb92993b2456 · 2025-05-13T11:03:10.000+01:00
diff --git a/WINDOWS/Scripts/Enable-AutoTimezone.ps1 b/WINDOWS/Scripts/Enable-AutoTimezone.ps1
@@ -0,0 +1,86 @@
+<#
+    .SYNOPSIS
+        Enables the location setting and turns on the "Set the timezone automatically" switch in Time & Language > Date & Time.
+   
+    .NOTES
+        Author: James Robinson | SkipToTheEndpoint | https://skiptotheendpoint.co.uk
+        Version: v1
+        Release Date: 2024-08-31
+
+        Intune Info:
+        Script type - Platform Script
+        Assign to - Devices
+        Script Settings:
+            Run this script using the logged on credentials - No
+            Enforce script signature check - No
+            Run script in 64-bit PowerShell Host - Yes
+#>
+
+#### Logging Variables ####
+$Script:ScriptName = "OIB-AutoTimezone"
+$Script:LogFile = "$ScriptName.log"
+$Script:LogsFolder = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
+
+#### Script Variables ####
+$ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
+$Host.UI.RawUI.WindowTitle = '$ScriptName'
+
+$LocationValue = "Allow"
+$AutoTZValue = "3"
+$LFSVCValue = "1"
+$SensorValue = "1"
+
+#### Functions ####
+function Start-Logging {
+    Start-Transcript -Path $LogsFolder\$LogFile -Append
+    Write-Host "Current script timestamp: $(Get-Date -f yyyy-MM-dd_HH-mm)"
+}
+
+function Set-RegistryValue {
+    param (
+        [string]$Path,
+        [string]$Name,
+        [string]$Value
+    )
+    try {
+        $currentValue = (Get-ItemProperty -Path $Path -Name $Name).$Name
+        if ($currentValue -ne $Value) {
+            Write-Host "Setting $Name to $Value at $Path"
+            Set-ItemProperty -Path $Path -Name $Name -Value $Value
+        } 
+        else {
+            Write-Host "$Name is already set to $Value at $Path"
+        }
+    } 
+    catch {
+        Write-Error "$($_.Exception.Message)"
+    }
+}
+
+#### Script ####
+Start-Logging
+
+try {
+    # Set the location value
+    Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" -Name "Value" -Value $LocationValue
+
+    # Enable Auto Timezone value and (re)start service
+    Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate" -Name "Start" -Value $AutoTZValue
+    Set-RegistryValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Value $LFSVCValue
+    Write-Host "(Re)Starting geolocation service"
+    $lfsvc = Get-Service -Name lfsvc
+    if ($lfsvc.Status -ne "Running") {
+        Start-Service -Name lfsvc
+    }
+    else {
+        Restart-Service -Name lfsvc -Force
+    }
+
+    # Set sensor value
+    Set-RegistryValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Value $SensorValue
+    Exit 0
+}
+catch {
+    Write-Error "$($_.Exception.Message)"
+    Exit 1
+}
diff --git a/WINDOWS/Scripts/README.md b/WINDOWS/Scripts/README.md
@@ -0,0 +1,35 @@
+# Scripts
+
+This folder contains a few scripts that suppliment the OIB, but are not requirements for the OIB to function.
+
+All scripts create logs that can be found in the `$ProgramData\Microsoft\IntuneManagementExtension\Logs` folder.
+
+## Enable-AutoTimezone
+### Purpose
+I have tried to utilise available settings to make this work as part of the Timezone and Privacy policies, however it seems that the only way to get this to work is to run a script. This script will enable the "Set time zone automatically" switch in Settings > Time & Language > Date & Time.
+
+### Usage
+**Script type** - Platform Script
+**Assign to** - Users
+**Script Settings:**
+- Run this script using the logged on credentials - No
+- Enforce script signature check - No
+- Run script in 64-bit PowerShell Host - Yes
+
+## Trigger-PostOOBEUpdates
+### Purpose
+One big security concern with OOBE is that it doesn't ([currently](https://techcommunity.microsoft.com/blog/windows-itpro-blog/coming-soon-quality-updates-during-the-out-of-box-experience/4374291)) install updates. This means that most devices will be at least a month out of date when they are first used.
+This script automatically triggers the following to update once a device gets to the desktop:
+- Defender
+- Microsoft Store
+- Windows Update
+
+The end result of this is that pretty shortly after, any pending updates will be installed, and the user notified a reboot is required, reducing the time between OOBE and the device being secure.
+
+### Usage
+**Script type** - Platform Script
+**Assign to** - Users
+**Script Settings:**
+- Run this script using the logged on credentials - No
+- Enforce script signature check - No
+- Run script in 64-bit PowerShell Host - Yes
diff --git a/WINDOWS/Scripts/Trigger-PosstOOBEUpdates.ps1 b/WINDOWS/Scripts/Trigger-PosstOOBEUpdates.ps1
@@ -0,0 +1,62 @@
+<#
+    .SYNOPSIS
+        Script to trigger updates following an Autopilot deployment.
+   
+    .NOTES
+        Author: James Robinson | SkipToTheEndpoint | https://skiptotheendpoint.co.uk
+        Version: v1
+        Release Date: 2024-08-31
+
+        Intune Info:
+        Script type - Platform Script
+        Assign to - Users
+        Script Settings:
+            Run this script using the logged on credentials - No
+            Enforce script signature check - No
+            Run script in 64-bit PowerShell Host - Yes
+#>
+
+#### Logging Variables ####
+$Script:ScriptName = "OIB-PostOOBEUpdates.log"
+$Script:LogFile = "$ScriptName.log"
+$Script:LogsFolder = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
+
+
+#### Script Variables ####
+$ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
+$Host.UI.RawUI.WindowTitle = '$ScriptName'
+
+#### Functions ####
+function Start-Logging {
+    Start-Transcript -Path $LogsFolder\$LogFile -Append
+    Write-Host "Current script timestamp: $(Get-Date -f yyyy-MM-dd_HH-mm)"
+}
+
+#### Script ####
+Start-Logging
+
+try {
+    # Update MDE
+    Write-Host "Triggering MDE Update..."
+    Update-MpSignature
+    Start-Sleep 10
+
+    # Update Store Apps
+    Write-Host "Triggering Store App Updates..."
+    Get-CimInstance -Namespace "Root\cimv2\mdm\dmmap" -ClassName "MDM_EnterpriseModernAppManagement_AppManagement01" | Invoke-CimMethod -MethodName UpdateScanMethod
+    Start-Sleep 10
+
+    # Start WU Check
+    Write-Host "Triggering Windows Update Check..."
+    Start-Process USOClient.exe -ArgumentList "StartInteractiveScan" -NoNewWindow -Wait
+    Start-Sleep 10
+
+    # Stop Logging and Exit
+    Write-Host "Script complete."
+    Stop-Transcript
+    Exit 0
+}
+catch {
+    Write-Error "$($_.Exception.Message)"
+    Exit 1
+}
