Prevent a Task Sequence from running over a remote connection
During a recent Windows 10 deployment, my colleague (@NathanOlmstead) and I needed a way to prevent the task sequence from running if a user kicks it off via Software Center from a remote connection.
We did not have the deployment set to download all content before running, simply because it is a large amount of data (20+ GB of content) to store on the workstation and a lot to pull over a remote connection. I have to admit, we implemented this after a few pilot users had their systems formatted while they were at home. Configuration Manager saw the DirectAccess IP addresses as on-premises IP addresses and kicked off the wipe-and-load... Lesson learned the hard way! :)
I tossed around the idea of using a collection membership based on VPN/DirectAccess boundaries; however, this was not as effective as I would have liked, mostly because the collection would not update fast enough. I would have had to keep the collection constantly re-evaluating its membership for it to be effective.
In short, I ended up using a PowerShell script within the task sequence that checks the system's IP addresses against known VPN / remote connection IP ranges. If one is detected, the script notifies the user and exits with a non-zero code, so the task sequence step fails and the deployment does not run.
This script worked for my usage, but test it in your environment before relying on it. You will need to update the log directory and the IP ranges to match what your organization uses.
# Log directory: create it if it is missing, then always run the check
# (the original nested the whole check in an else branch, so it was skipped
# on the first run when the directory did not exist yet)
$logDir = 'c:\sdc\logs'
$logFile = Join-Path -Path $logDir -ChildPath 'Win10_TaskSequenceForcedFailure.log'
if (-not (Test-Path -Path $logDir))
{
    New-Item -Path $logDir -ItemType Directory | Out-Null
}

# Setting known VPN/Remote connection IP ranges to array (wildcard patterns for -like)
$array = @("10.10.120.*","10.10.121.*","10.10.122.*","10.10.123.*","10.10.124.*","2608:300:180:1150:*","2608:300:180:1151:*","2608:300:180:1152:*","192.168.*.*")
$computer = $env:COMPUTERNAME

# Excluding loopback, link-local and APIPA addresses; keep only the address strings
$ips = Get-NetIPAddress | Where-Object { $_.IPAddress -ne "127.0.0.1" -and $_.IPAddress -ne "::1" -and $_.IPAddress -notlike "fe80*" -and $_.IPAddress -notlike "169.254.*.*" } | Select-Object -ExpandProperty IPAddress

foreach ($ip in $ips)
{
    foreach ($item in $array)
    {
        if ($ip -like $item)
        {
            # Popup notification presented to user trying to run task sequence
            $wshell = New-Object -ComObject Wscript.Shell
            $wshell.Popup("This task sequence cannot be run while connected via DirectAccess or VPN. Please try again when you are physically connected to the corporate network. `n `n Contact the DTRA Service Desk for further assistance.",0,"Windows 10 OS Deployment",0x1)
            $date = Get-Date
            # Log the failure, then exit non-zero so the task sequence step fails
            "`n The Windows 10 Task Sequence failed on $computer because a remote connection was detected. The system must be physically connected to the corporate network to upgrade or install Windows 10. `n Detected IP(s): $ip `n Script runtime: $date" | Out-File -FilePath $logFile -Append -Encoding default
            Write-Output -1
            exit -1
        }
    }
    # Log result to file (once per address, after every pattern has been checked)
    $date = Get-Date
    "A remote connection was not detected: $ip. Finishing loop. Script runtime: $date" | Out-File -FilePath $logFile -Append -Encoding default
}
# Log result to file
"A DirectAccess or VPN connection was NOT found, continuing with Task Sequence" | Out-File -FilePath $logFile -Append -Encoding default
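The following is an added example, not the post's script, that separates the detection logic from the popup, logging and exit so it can be exercised against a constructed address list before it is wired into a task sequence step. The function names (ConvertTo-AddressBits, Test-AddressInRange, Get-RemoteConnectionMatch) and the ranges and addresses below are assumptions chosen for illustration. It goes slightly beyond the post in one respect: a range may be given either as a -like wildcard pattern, as in the script, or as a CIDR prefix (for example 10.10.120.0/22 covers 10.10.120.0 through 10.10.123.255), which is matched on the leading prefix bits and works for IPv4 and IPv6 alike.

```powershell
# Added example (not the post's script). Function names, the placeholder ranges
# and the sample address list are assumptions for illustration only.

function ConvertTo-AddressBits {
    # Returns the address as a string of bits: 32 characters for IPv4, 128 for IPv6
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
}

function Test-AddressInRange {
    # $Range is either a wildcard pattern as the post uses ('10.10.120.*') or a
    # CIDR prefix ('10.10.120.0/22'). CIDR is matched by comparing prefix bits.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Range
    )
    if ($Range -notmatch '/') { return ($Address -like $Range) }

    $network, $prefixLength = $Range -split '/', 2
    $prefixLength = [int]$prefixLength
    $addrBits = ConvertTo-AddressBits -Address $Address
    $netBits  = ConvertTo-AddressBits -Address $network
    # An IPv4 address can never fall inside an IPv6 range, or vice versa
    if ($addrBits.Length -ne $netBits.Length) { return $false }
    if ($prefixLength -lt 0 -or $prefixLength -gt $netBits.Length) {
        throw "Invalid prefix length in range '$Range'"
    }
    return ($addrBits.Substring(0, $prefixLength) -eq $netBits.Substring(0, $prefixLength))
}

function Get-RemoteConnectionMatch {
    # Returns one object per (address, range) pair that matched; empty output means
    # no remote connection was detected.
    param(
        [Parameter(Mandatory)][string[]]$IPAddress,
        [Parameter(Mandatory)][string[]]$RemoteRange
    )
    # Same exclusions as the post's script: loopback, link-local and APIPA addresses
    $candidates = $IPAddress | Where-Object {
        $_ -ne '127.0.0.1' -and $_ -ne '::1' -and
        $_ -notlike 'fe80*' -and $_ -notlike '169.254.*'
    }
    foreach ($ip in $candidates) {
        foreach ($range in $RemoteRange) {
            if (Test-AddressInRange -Address $ip -Range $range) {
                [pscustomobject]@{ IPAddress = $ip; Range = $range }
            }
        }
    }
}

# Constructed placeholder ranges: one IPv4 CIDR, one IPv6 CIDR (1150::/62 covers
# 1150 through 1153) and one wildcard pattern in the post's style.
$remoteRanges = @('10.10.120.0/22', '2608:300:180:1150::/62', '192.168.*.*')

# Constructed address list standing in for (Get-NetIPAddress).IPAddress on a
# machine that is connected over VPN. Only 10.10.123.45 should match.
$sampleAddresses = @('127.0.0.1', '::1', 'fe80::a1b2:c3d4:e5f6:1234%12',
                     '169.254.10.20', '10.10.123.45', '10.50.1.20')

$hits = @(Get-RemoteConnectionMatch -IPAddress $sampleAddresses -RemoteRange $remoteRanges)
if ($hits.Count -gt 0) {
    $summary = ($hits | ForEach-Object { "$($_.IPAddress) in $($_.Range)" }) -join '; '
    Write-Output "Remote connection detected: $summary"
    # In the task sequence step this is where the script would log, notify the user
    # and exit with a non-zero code so the step fails.
} else {
    Write-Output 'No remote connection detected'
}

# To run against the live adapters instead of the constructed list:
# Get-RemoteConnectionMatch -IPAddress (Get-NetIPAddress).IPAddress -RemoteRange $remoteRanges
```

Keeping the match logic in a function that takes the address list as a parameter is what makes it testable: you can feed it an address set for each remote-access scenario you care about (DirectAccess, VPN, a split-tunnel client that still holds a corporate address) and confirm the decision before a pilot user is the one who finds the gap. Wildcard patterns like 10.10.12* are easy to make broader than intended, which is the main reason to prefer CIDR prefixes for the ranges.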
You can grab the script file here: TaskSequenceRemoteConnectionDetection.ps1