Task Trigger

A Trigger adds automation to the Scheduled Task. While I have a Scheduled Task that allows a Standard User to change their Execution Policy, the User may forget to change things back. There are many types of Triggers that can be set, and I suggest reading about them from Microsoft

New-ScheduledTaskTrigger (ScheduledTasks)docsmsft

In my case, I want to set the Execution Policy back to Restricted as soon as the computer is rebooted, so I will add a Trigger to set things back to Restricted the next time the Computer is restarted. Its easy enough to Splat the setting and add it to the Task using New-ScheduledTaskTrigger

$Trigger = @{
    AtStartup = $true
}
$ScheduledTask = @{
    Action = New-ScheduledTaskAction @Action
    Principal = New-ScheduledTaskPrincipal @Principal
    Settings = New-ScheduledTaskSettingsSet @Settings
    Trigger = New-ScheduledTaskTrigger @Trigger
    Description = $Description
}

Full Script

Here is a copy of the full script. I have modified the Description a bit and added a Version

#Requires -RunAsAdministrator

$TaskName = 'Set-ExecutionPolicy Restricted AtStartup'
$TaskPath = '\Corporate\PowerShell'
$Description = @"
Version 21.1.18  
Set-ExecutionPolicy Restricted -Force  
Runs as SYSTEM at system startup and does not display any progress or results
"@

$Action = @{
    Execute = 'powershell.exe'
    Argument = 'Set-ExecutionPolicy Restricted -Force'
}
$Principal = @{
    UserId = 'SYSTEM'
    RunLevel = 'Highest'
}
$Settings = @{
    AllowStartIfOnBatteries = $true
    Compatibility = 'Win8'
    MultipleInstances = 'Parallel'
    ExecutionTimeLimit = (New-TimeSpan -Minutes 60)
}
$Trigger = @{
    AtStartup = $true
}
$ScheduledTask = @{
    Action = New-ScheduledTaskAction @Action
    Principal = New-ScheduledTaskPrincipal @Principal
    Settings = New-ScheduledTaskSettingsSet @Settings
    Trigger = New-ScheduledTaskTrigger @Trigger
    Description = $Description
}

New-ScheduledTask @ScheduledTask | Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Force

$Scheduler = New-Object -ComObject "Schedule.Service"
$Scheduler.Connect()
$GetTask = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)
$GetSecurityDescriptor = $GetTask.GetSecurityDescriptor(0xF)
if ($GetSecurityDescriptor -notmatch 'A;;0x1200a9;;;AU') {
    $GetSecurityDescriptor = $GetSecurityDescriptor + '(A;;GRGX;;;AU)'
    $GetTask.SetSecurityDescriptor($GetSecurityDescriptor, 0)
}

Task Scheduler

Everything looks great. Now when the computer is restarted, the Execution Policy will always be set to Restricted

PreviousTask Permissions NextAction a PowerShell File

Last updated 3 years ago