Add new resource IEEnhancedSecurityConfiguration

CHANGELOG.md

@@ -11,6 +11,8 @@
   - Migrated SystemLocale from [SystemLocaleDsc](https://github.com/PowerShell/SystemLocaleDsc).
 - RemoteDesktopAdmin:
   - Correct Context messages in integration tests by adding 'When'.
+- Added new resource IEEnhancedSecurityConfiguration (moved from module
+  xSystemSecurity).
 
 ## 7.1.0.0
 

DSCResources/DSC_IEEnhancedSecurityConfiguration/DSC_IEEnhancedSecurityConfiguration.psm1

@@ -0,0 +1,209 @@
+$modulePath = Join-Path -Path (Split-Path -Path (Split-Path -Path $PSScriptRoot -Parent) -Parent) -ChildPath 'Modules'
+
+# Import the ComputerManagementDsc Common Modules
+Import-Module -Name (Join-Path -Path $modulePath `
+        -ChildPath (Join-Path -Path 'ComputerManagementDsc.Common' `
+            -ChildPath 'ComputerManagementDsc.Common.psm1'))
+
+# Import Localization Strings
+$script:localizedData = Get-LocalizedData -ResourceName 'DSC_IEEnhancedSecurityConfiguration'
+
+$script:registryKey_Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
+$script:registryKey_Users = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
+$script:registryKey_Property = 'IsInstalled'
+
+<#
+    .SYNOPSIS
+        Gets the current state of the IE Enhanced Security Configuration.
+
+    .PARAMETER Role
+        Specifies the role for which the IE Enhanced Security Configuration
+        should be changed.
+
+    .PARAMETER Enabled
+        Specifies if IE Enhanced Security Configuration should be enabled or
+        disabled.
+#>
+function Get-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Collections.Hashtable])]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Administrators', 'Users')]
+        [System.String]
+        $Role,
+
+        [Parameter(Mandatory = $true)]
+        [System.Boolean]
+        $Enabled,
+
+        [Parameter()]
+        [System.Boolean]
+        $SuppressRestart
+    )
+
+    Write-Verbose -Message ($script:localizedData.GettingStateMessage -f $Role)
+
+    $registryKey = Get-Variable -Name ('registryKey_{0}' -f $Role) -Scope 'Script' -ValueOnly
+
+    $returnValue = @{
+        Role            = $Role
+        Enabled         = [System.Boolean] (Get-ItemProperty -Path $registryKey).$script:registryKey_Property
+        SuppressRestart = $SuppressRestart
+    }
+
+    return $returnValue
+}
+
+<#
+    .SYNOPSIS
+        Sets the current state of the IE Enhanced Security Configuration.
+
+    .PARAMETER Role
+        Specifies the role for which the IE Enhanced Security Configuration
+        should be changed.
+
+    .PARAMETER Enabled
+        Specifies if IE Enhanced Security Configuration should be enabled or
+        disabled.
+
+    .PARAMETER SuppressRestart
+        Specifies if the needed restart is suppress. Default the node will be
+        restarted if the value is changed.
+
+    .NOTES
+        The change could come in affect if the process Explorer is stopped, which
+        will make Windows automatically start a new process. But, stopping a
+        process feels wrong so the resource instead restarts the node when the
+        value is changed.
+#>
+function Set-TargetResource
+{
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidGlobalVars', '', Scope = 'Function')]
+    [CmdletBinding()]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Administrators', 'Users')]
+        [System.String]
+        $Role,
+
+        [Parameter(Mandatory = $true)]
+        [System.Boolean]
+        $Enabled,
+
+        [Parameter()]
+        [System.Boolean]
+        $SuppressRestart
+    )
+
+    $getTargetResourceResult = Get-TargetResource @PSBoundParameters
+    if ($getTargetResourceResult.Enabled -ne $Enabled)
+    {
+        Write-Verbose -Message ($script:localizedData.SettingStateMessage -f $Role)
+
+        $registryKey = Get-Variable -Name ('registryKey_{0}' -f $Role) -Scope 'Script' -ValueOnly
+
+        Set-ItemProperty -Path $registryKey -Name $script:registryKey_Property -Value $Enabled
+
+        if ($SuppressRestart)
+        {
+            Write-Warning -Message $script:localizedData.SuppressRestart
+        }
+        else
+        {
+            $global:DSCMachineStatus = 1
+        }
+    }
+    else
+    {
+        Write-Verbose -Message ($script:localizedData.InDesiredState -f $Role)
+    }
+}
+
+<#
+    .SYNOPSIS
+        Tests the current state of the IE Enhanced Security Configuration.
+
+    .PARAMETER Role
+        Specifies the role for which the IE Enhanced Security Configuration
+        should be changed.
+
+    .PARAMETER Enabled
+        Specifies if IE Enhanced Security Configuration should be enabled or
+        disabled.
+
+    .PARAMETER SuppressRestart
+        Specifies if the needed restart is suppress. Default the node will be
+        restarted if the value is changed.
+#>
+function Test-TargetResource
+{
+    [CmdletBinding()]
+    [OutputType([System.Boolean])]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('Administrators', 'Users')]
+        [System.String]
+        $Role,
+
+        [Parameter(Mandatory = $true)]
+        [System.Boolean]
+        $Enabled,
+
+        [Parameter()]
+        [System.Boolean]
+        $SuppressRestart
+    )
+
+    Write-Verbose -Message ($script:localizedData.TestingStateMessage -f $Role)
+
+    $getTargetResourceResult = Get-TargetResource @PSBoundParameters
+    if ($getTargetResourceResult.Enabled -ne $Enabled)
+    {
+        $testTargetResourceReturnValue = $false
+
+        $currentStateString = Get-StateStringValue -Enabled $getTargetResourceResult.Enabled
+        $desiredStateString = Get-StateStringValue -Enabled $Enabled
+
+        Write-Verbose -Message ($script:localizedData.NotInDesiredState -f $Role, $currentStateString, $desiredStateString)
+    }
+    else
+    {
+        $testTargetResourceReturnValue = $true
+
+        Write-Verbose -Message ($script:localizedData.InDesiredState -f $Role)
+    }
+
+    return $testTargetResourceReturnValue
+}
+
+function Get-StateStringValue
+{
+    [CmdletBinding()]
+    [OutputType([System.String])]
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Boolean]
+        $Enabled
+    )
+
+    $stringValue = switch ($Enabled)
+    {
+        $false
+        {
+            'disabled'
+        }
+
+        $true
+        {
+            'enabled'
+        }
+    }
+
+    return $stringValue
+}

DSCResources/DSC_IEEnhancedSecurityConfiguration/DSC_IEEnhancedSecurityConfiguration.schema.mof

@@ -0,0 +1,7 @@
+[ClassVersion("1.0.1.0"), FriendlyName("IEEnhancedSecurityConfiguration")]
+class DSC_IEEnhancedSecurityConfiguration : OMI_BaseResource
+{
+    [Key, Description("Specifies the role for which the IE Enhanced Security Configuration should be changed."), ValueMap{"Administrators","Users"}, Values{"Administrators","Users"}] String Role;
+    [Required, Description("Specifies if IE Enhanced Security Configuration should be enabled or disabled.")] Boolean Enabled;
+    [Write, Description("Specifies if the needed restart is suppress. Default the node will be restarted if the value is changed.")] Boolean SuppressRestart;
+};

DSCResources/DSC_IEEnhancedSecurityConfiguration/README.md

@@ -0,0 +1,4 @@
+# Description
+
+The resource allows you to configure the IE Enhanced Security Configuration
+for both the role administrators and users.

DSCResources/DSC_IEEnhancedSecurityConfiguration/en-US/DSC_IEEnhancedSecurityConfiguration.strings.psd1

@@ -0,0 +1,8 @@
+ConvertFrom-StringData @'
+    GettingStateMessage = Getting IE Enhanced Security Configuration state for '{0}'. (IEESC0001)
+    SettingStateMessage = Setting IE Enhanced Security Configuration state for '{0}'. (IEESC0002)
+    TestingStateMessage = Testing IE Enhanced Security Configuration state for '{0}'. (IEESC0003)
+    SuppressRestart = Suppressing the restart. For the change to come in affect the node must be restarted manually. (IEESC0004)
+    InDesiredState = The IE Enhanced Security Configuration for '{0}' is in desired state. (IEESC0005)
+    NotInDesiredState = The IE Enhanced Security Configuration for '{0}' was {1}, but expected it to be {2}. (IEESC0005)
+'@

Examples/Resources/IEEnhancedSecurityConfiguration/1-IEEnhancedSecurityConfiguration_DisableForAdministrators_Config.ps1

@@ -0,0 +1,37 @@
+<#PSScriptInfo
+.VERSION 1.0.0
+.GUID d54a9117-8468-4cb1-958b-25837f15126b
+.AUTHOR DSC Community
+.COMPANYNAME DSC Community
+.COPYRIGHT DSC Community contributors. All rights reserved.
+.TAGS DSCConfiguration
+.LICENSEURI https://github.com/dsccommunity/ComputerManagementDsc/blob/master/LICENSE
+.PROJECTURI https://github.com/dsccommunity/ComputerManagementDsc
+.ICONURI
+.EXTERNALMODULEDEPENDENCIES
+.REQUIREDSCRIPTS
+.EXTERNALSCRIPTDEPENDENCIES
+.RELEASENOTES First version.
+.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
+#>
+
+#Requires -module ComputerManagementDsc
+
+<#
+    .DESCRIPTION
+        This configuration will disable the IE Enhanced Security Configuration for
+        administrators.
+#>
+Configuration IEEnhancedSecurityConfiguration_DisableForAdministrators_Config
+{
+    Import-DscResource -Module ComputerManagementDsc
+
+    Node localhost
+    {
+        IEEnhancedSecurityConfiguration 'DisableForAdministrators'
+        {
+            Role    = 'Administrators'
+            Enabled = $false
+        }
+    }
+}

Examples/Resources/IEEnhancedSecurityConfiguration/2-IEEnhancedSecurityConfiguration_DisableForUsers_Config.ps1

@@ -0,0 +1,37 @@
+<#PSScriptInfo
+.VERSION 1.0.0
+.GUID 4afcbf49-6290-4039-a1f1-965a721f6f49
+.AUTHOR DSC Community
+.COMPANYNAME DSC Community
+.COPYRIGHT DSC Community contributors. All rights reserved.
+.TAGS DSCConfiguration
+.LICENSEURI https://github.com/dsccommunity/ComputerManagementDsc/blob/master/LICENSE
+.PROJECTURI https://github.com/dsccommunity/ComputerManagementDsc
+.ICONURI
+.EXTERNALMODULEDEPENDENCIES
+.REQUIREDSCRIPTS
+.EXTERNALSCRIPTDEPENDENCIES
+.RELEASENOTES First version.
+.PRIVATEDATA 2016-Datacenter,2016-Datacenter-Server-Core
+#>
+
+#Requires -module ComputerManagementDsc
+
+<#
+    .DESCRIPTION
+        This configuration will disable the IE Enhanced Security Configuration for
+        administrators.
+#>
+Configuration IEEnhancedSecurityConfiguration_DisableForUsers_Config
+{
+    Import-DscResource -Module ComputerManagementDsc
+
+    Node localhost
+    {
+        IEEnhancedSecurityConfiguration 'DisableForUsers'
+        {
+            Role    = 'Users'
+            Enabled = $false
+        }
+    }
+}

README.md

@@ -4,6 +4,9 @@ The **ComputerManagementDsc** module contains the following resources:
 
 - **Computer**: allows you to configure a computer by changing its name and
   description and modifying its Active Directory domain or workgroup membership.
+- **IEEnhancedSecurityConfiguration**: The resource allows you to configure
+  the IE Enhanced Security Configuration for both the role administrators and
+  users.
 - **OfflineDomainJoin**: allows you to join computers to an Active Directory
   domain using an [Offline Domain Join](https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx)
   request file.

Tests/Integration/DSC_IEEnhancedSecurityConfiguration.Config.ps1

@@ -0,0 +1,30 @@
+# Integration Test Config Template Version: 1.0.0
+configuration DSC_IEEnhancedSecurityConfiguration_Enable_Config
+{
+    Import-DscResource -ModuleName ComputerManagementDsc
+
+    node $AllNodes.NodeName
+    {
+        IEEnhancedSecurityConfiguration 'DisableForAdministrators'
+        {
+            Role            = 'Administrators'
+            Enabled         = $true
+            SuppressRestart = $true
+        }
+    }
+}
+
+configuration DSC_IEEnhancedSecurityConfiguration_Disable_Config
+{
+    Import-DscResource -ModuleName ComputerManagementDsc
+
+    node $AllNodes.NodeName
+    {
+        IEEnhancedSecurityConfiguration 'DisableForAdministrators'
+        {
+            Role            = 'Administrators'
+            Enabled         = $false
+            SuppressRestart = $true
+        }
+    }
+}