Prevent a Task Sequence from running over a remote connection

During a recent Windows 10 deployment, my colleague (@NathanOlmstead) and I needed a way to prevent the task sequence from running if a user kicks it off via Software Center from a remote connection.

We did not have the deployment set to download all content before running, simply because it is a large amount of data (20+ GB of content) to store on the workstation, and a lot to download over a remote connection. I have to admit, we implemented this after a few pilot users had their systems formatted while they were at home: Configuration Manager saw the DirectAccess IP addresses as on-premises IP addresses and kicked off the wipe-and-load. Lesson learned the hard way! :)

I tossed around the idea of a collection whose membership was based on the VPN/DirectAccess boundaries. This was not as effective as I would have liked, mostly because the collection would not update fast enough: I would have had to evaluate its membership almost constantly for it to keep up with clients moving on and off the VPN.

In short, I ended up with a PowerShell script run as a step in the task sequence. It looks for specific VPN / remote-connection IP ranges on the client; if one is detected, it notifies the user and exits with a non-zero code, so the task sequence fails before the wipe-and-load can start.

While this script worked for my deployment, test it in your environment before relying on it. You will need to update the log directory and the IP ranges to the ones your organization uses.


# Log directory (created if missing; the check below runs either way)
$logDir  = 'c:\sdc\logs'
$logFile = Join-Path -Path $logDir -ChildPath 'Win10_TaskSequenceForcedFailure.log'

if ((Test-Path -Path $logDir) -eq $false)
{
    New-Item -Path $logDir -ItemType Directory | Out-Null
}

# Setting known VPN/Remote connection IP ranges to array (wildcard patterns for -like)
$array = @("10.10.120.*","10.10.121.*","10.10.122.*","10.10.123.*","10.10.124.*","2608:300:180:1150:*","2608:300:180:1151:*","2608:300:180:1152:*","192.168.*.*")

$computer = $env:COMPUTERNAME

# Excluding local system IP addresses (loopback, IPv6 link-local and APIPA)
$ips = Get-NetIPAddress | ? { $_.IPAddress -ne "127.0.0.1" -and $_.IPAddress -ne "::1" -and $_.IPAddress -notlike "fe80*" -and $_.IPAddress -notlike "169.254.*.*" } | select -ExpandProperty IPAddress

foreach ($ip in $ips)
{
    foreach ($item in $array)
    {
        if ($ip -like $item)
        {
            # Popup notification presented to user trying to run task sequence (timeout 0 = wait for OK)
            $wshell = New-Object -ComObject Wscript.Shell
            $wshell.Popup("This task sequence cannot be run while connected via DirectAccess or VPN. Please try again when you are physically connected to the corporate network. `n `n Contact the DTRA Service Desk for further assistance.",0,"Windows 10 OS Deployment",0x1)

            # Log the failure, then exit non-zero so the task sequence step fails
            $date = Get-Date
            " `n The Windows 10 Task Sequence failed on $computer because a remote connection was detected. The system must be physically connected to the corporate network to upgrade or install Windows 10. `n Detected IP(s): $ip `n Script runtime: $date" | Out-File -FilePath $logFile -Append -Encoding default -NoClobber
            Write-Output -1
            exit -1
        }
    }

    # Log result to file: this address matched none of the remote ranges
    $date = Get-Date
    "A remote connection was not detected: $ip. Script runtime: $date" | Out-File -FilePath $logFile -Append -Encoding default -NoClobber
}

# Log result to file
"A DirectAccess or VPN connection was NOT found, continuing with Task Sequence" | Out-File -FilePath $logFile -Append -Encoding default -NoClobber


You can grab the script file here: TaskSequenceRemoteConnectionDetection.ps1
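As an added example (not the script above and not the author's code), here is the same check built on CIDR prefix matching instead of -like wildcard patterns. Two things the wildcard version cannot give you: a range such as 10.10.120.0/22 expressed exactly, and a loud failure when a range in the list is mistyped (a bad wildcard simply never matches, so the check fails open). It also runs an offline dry run against constructed addresses, so you can exercise your range list before it goes into a task sequence. The ranges, sample addresses and the function names Test-IPInCidr, Assert-RangeList, Get-CandidateAddresses and Get-RemoteMatches are mine; replace the ranges with your own.

```powershell
# Added example, not the script from the post. Hypothetical ranges, sample
# addresses and function names; replace the ranges with your own.

function Test-IPInCidr {
    # True when $Address lies inside the CIDR block $Cidr (IPv4 or IPv6).
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Cidr
    )
    $network, $prefixLength = $Cidr -split '/', 2
    $ip  = [System.Net.IPAddress]::Parse($Address)
    $net = [System.Net.IPAddress]::Parse($network)
    # An IPv4 address can never fall inside an IPv6 block or vice versa
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    $bits = [int]$prefixLength
    if ($bits -lt 0 -or $bits -gt (8 * $ipBytes.Length)) { throw "Bad prefix length in range '$Cidr'" }
    for ($i = 0; $i -lt $ipBytes.Length -and $bits -gt 0; $i++) {
        # Full bytes use 0xFF; the last partial byte keeps only its top $bits bits
        $mask = if ($bits -ge 8) { 0xFF } else { (0xFF -shl (8 - $bits)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Assert-RangeList {
    # Fail loudly on a malformed range. A typo in a -like wildcard silently
    # never matches and the check fails open; a typo here stops the script.
    param([Parameter(Mandatory)][string[]]$RemoteRanges)
    foreach ($range in $RemoteRanges) {
        $parts  = $range -split '/', 2
        $parsed = $null
        if ($parts.Count -ne 2 -or -not [System.Net.IPAddress]::TryParse($parts[0], [ref]$parsed)) {
            throw "Remote range '$range' is not a valid CIDR block"
        }
    }
}

function Get-CandidateAddresses {
    # Addresses of this host worth checking: skip loopback, IPv6 link-local
    # and APIPA, and addresses not yet usable (Tentative, Duplicate).
    Get-NetIPAddress -AddressState Preferred |
        Where-Object {
            $_.IPAddress -ne '::1' -and
            $_.IPAddress -notlike '127.*' -and
            $_.IPAddress -notlike 'fe80:*' -and
            $_.IPAddress -notlike '169.254.*'
        } |
        Select-Object -ExpandProperty IPAddress
}

function Get-RemoteMatches {
    # Every address that sits inside one of the remote ranges, with the range it hit.
    param(
        [string[]]$Addresses,
        [Parameter(Mandatory)][string[]]$RemoteRanges
    )
    Assert-RangeList -RemoteRanges $RemoteRanges
    foreach ($addr in $Addresses) {
        foreach ($range in $RemoteRanges) {
            if (Test-IPInCidr -Address $addr -Cidr $range) {
                [pscustomobject]@{ Address = $addr; Range = $range }
                break
            }
        }
    }
}

# Hypothetical remote ranges: 10.10.120-123 as one /22, 10.10.124 as a /24,
# a home-router range, and a DirectAccess prefix covering 1150-1153 as a /62.
$remoteRanges = @('10.10.120.0/22', '10.10.124.0/24', '192.168.0.0/16', '2608:300:180:1150::/62')

# Constructed sample addresses for an offline dry run (not read from a real host)
$sampleAddresses = @('10.10.121.45', '10.20.5.9', '192.168.1.23', '2608:300:180:1151::1a2b', '2001:db8:1::10')

$dryRunHits = @(Get-RemoteMatches -Addresses $sampleAddresses -RemoteRanges $remoteRanges)
$dryRunHits | Format-Table -AutoSize

# Inside the task sequence, feed the host's own addresses instead and fail the
# step with a non-zero exit code when anything matches:
#   $hits = @(Get-RemoteMatches -Addresses (Get-CandidateAddresses) -RemoteRanges $remoteRanges)
#   if ($hits.Count -gt 0) { $hits | Out-String | Write-Output; exit 1 }
```

In the dry run, 10.10.121.45, 192.168.1.23 and 2608:300:180:1151::1a2b land inside a range and the other two do not. Note that the post's five 10.10.120-124 wildcards are not a single CIDR block, which is why they become a /22 plus a /24 here; with wildcards that distinction is easy to get wrong without noticing.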

Disclaimer: Scripts in this post are not supported under any Microsoft standard support program or service. The script here is provided AS IS without warranty of any kind. Microsoft disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages.