dsccommunity / ComputerManagementDsc

DSC resources for configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks, as well as configuring items such as virtual memory, event logs, time zones and power settings.
https://dsccommunity.org
MIT License

ScheduledTask: Support ValueQueries for event trigger #392

Open Antiohne opened 1 year ago

Antiohne commented 1 year ago

Problem description

I am trying to automate the 'Enable automatic rebinding of renewed certificates' setting within IIS. When you do this manually, a scheduled task is created. You will find the trigger definition below.

<Triggers>
  <EventTrigger>
    <Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id='0'&gt;&lt;Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'&gt;*[System[EventID=1001]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <ValueQueries>
      <Value name="NewCertHash">Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint</Value>
      <Value name="OldCertHash">Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint</Value>
    </ValueQueries>
  </EventTrigger>
</Triggers>

As you can see in the XML definition, besides the event subscription we have a ValueQueries section. This ValueQueries option is missing from the ScheduledTask definition. According to the documentation it's a list of key-values.

Verbose logs

N/A

DSC configuration

# Enable automatic rebind of renewed certificates.
ScheduledTask "IIS-AutoCertRebind" {
  TaskName                        = "IIS-AutoCertRebind"
  TaskPath                        = "\Microsoft\Windows\CertificateServicesClient"
  ActionExecutable                = "%SystemRoot%\System32\inetsrv\appcmd.exe"
  ActionArguments                 = 'renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)'
  ScheduleType                    = "OnEvent"
  Ensure                          = "Present"
  Enable                          = $true
  BuiltInAccount                  = "SYSTEM"
  AllowStartIfOnBatteries         = $true
  DisallowStartOnRemoteAppSession = $false
  ExecutionTimeLimit              = "0.01:00:00"
  RestartCount                    = 3
  RestartInterval                 = "0.00:10:00"
  RunLevel                        = "Highest"
  EventSubscription               = "<QueryList><Query Id='0'><Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'>*[System[EventID=1001]]</Select></Query></QueryList>"
  #EventValueQueries is missing
}

Suggested solution

Add a property named EventValueQueries which can contain a hash table with the ValueQueries property value.

# Enable automatic rebind of renewed certificates.
ScheduledTask "IIS-AutoCertRebind" {
  TaskName                        = "IIS-AutoCertRebind"
  TaskPath                        = "\Microsoft\Windows\CertificateServicesClient"
  ActionExecutable                = "%SystemRoot%\System32\inetsrv\appcmd.exe"
  ActionArguments                 = 'renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)'
  ScheduleType                    = "OnEvent"
  Ensure                          = "Present"
  Enable                          = $true
  BuiltInAccount                  = "SYSTEM"
  AllowStartIfOnBatteries         = $true
  DisallowStartOnRemoteAppSession = $false
  ExecutionTimeLimit              = "0.01:00:00"
  RestartCount                    = 3
  RestartInterval                 = "0.00:10:00"
  RunLevel                        = "Highest"
  EventSubscription               = "<QueryList><Query Id='0'><Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'>*[System[EventID=1001]]</Select></Query></QueryList>"
  EventValueQueries               = @{ 
    "NewCertHash" = "Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint";
    "OldCertHash" = "Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint"
  }
}

I found a GIST with a PowerShell example of how to configure the ValueQueries property.

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US, en-GB}

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.20348.859
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.859
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path
----                  ------- ----
ComputerManagementDsc 8.5.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\8.5.0\ComputerManagementDsc.psd1
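The following is an added example, not code from ComputerManagementDsc and not the GIST the issue refers to, showing what the requested EventValueQueries property would have to do under the hood. It builds the same IIS-AutoCertRebind task as the DSC configuration above with the ScheduledTasks module, then patches the two ValueQueries in through the Task Scheduler 2.0 COM interface (`Schedule.Service`), because the ScheduledTasks cmdlets expose no parameter for them. It assumes an elevated PowerShell 5.1 session on a Windows Server with IIS installed; the variable names are the example's own. The final step reads the task back with Export-ScheduledTask to confirm the ValueQueries section is actually present.

```powershell
# Added example: register the IIS-AutoCertRebind task with ValueQueries.
# Not ComputerManagementDsc code. Run from an elevated session.

$taskName = 'IIS-AutoCertRebind'
$taskPath = '\Microsoft\Windows\CertificateServicesClient\'
$subscription = "<QueryList><Query Id='0'><Select Path='Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'>*[System[EventID=1001]]</Select></Query></QueryList>"

# The key/value pairs the issue proposes for EventValueQueries.
$valueQueries = [ordered]@{
    NewCertHash = 'Event/UserData/CertNotificationData/NewCertificateDetails/@Thumbprint'
    OldCertHash = 'Event/UserData/CertNotificationData/OldCertificateDetails/@Thumbprint'
}

# New-ScheduledTaskTrigger has no "on event" switch, so the event trigger is
# created as an MSFT_TaskEventTrigger CIM instance (the usual workaround).
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# Action, principal and settings mirror the DSC configuration in the issue.
$action = New-ScheduledTaskAction -Execute '%SystemRoot%\System32\inetsrv\appcmd.exe' `
    -Argument 'renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# ValueQueries are only reachable through the COM API: open the registered
# task, add one named value per query to its event trigger, and re-register.
$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()
$folder     = $service.GetFolder($taskPath.TrimEnd('\'))
$definition = $folder.GetTask($taskName).Definition
$eventTrigger = $definition.Triggers | Where-Object { $_.Type -eq 0 }   # TASK_TRIGGER_EVENT = 0
foreach ($name in $valueQueries.Keys) {
    $eventTrigger.ValueQueries.Create($name, $valueQueries[$name]) | Out-Null
}
# Flags 4 = TASK_UPDATE. No credentials are passed; the SYSTEM principal and
# its logon type are already part of the definition being updated.
$folder.RegisterTaskDefinition($taskName, $definition, 4, $null, $null, $definition.Principal.LogonType) | Out-Null

# Check: the exported task XML must now contain the <ValueQueries> section
# shown in the issue. Prints "NewCertHash = Event/UserData/..." and so on.
[xml]$taskXml = Export-ScheduledTask -TaskName $taskName -TaskPath $taskPath
$taskXml.Task.Triggers.EventTrigger.ValueQueries.Value |
    ForEach-Object { '{0} = {1}' -f $_.name, $_.'#text' }
```

Two things worth keeping in mind when wiring this into a DSC resource: the `$(OldCertHash)` and `$(NewCertHash)` tokens in ActionArguments are substituted by the Task Scheduler from whatever the XPath in ValueQueries extracts from the triggering event, and this task runs as SYSTEM at the highest run level, so the Subscription should be as narrow as the one above (one channel, one event ID) and the test method of the resource should compare the ValueQueries read back from the task, not just the Subscription, or a task whose queries were removed or edited would still report as compliant.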