Updated task scheduler

Updated task scheduler

Harden-Windows-Security Module/Main files/C#/Others/ConfirmSystemComplianceMethods.cs

@@ -1970,7 +1970,6 @@ public static Task VerifyMicrosoftDefender()
                 #endregion
 
 
-
                 // Get the value and convert it to unsigned int16
                 if (PropertyHelper.GetPropertyValue(GlobalVars.MDAVPreferencesCurrent, "PlatformUpdatesChannel") == null)
                 {

Harden-Windows-Security Module/Main files/C#/Protect Methods/MSFTDefender_ScheduledTask.cs

@@ -9,23 +9,32 @@ public static void MSFTDefender_ScheduledTask()
             HardenWindowsSecurity.Logger.LogMessage("Creating scheduled task for fast weekly Microsoft recommended driver block list update", LogTypeIntel.Information);
 
             HardenWindowsSecurity.PowerShellExecutor.ExecuteScript("""
+Write-Verbose -Message 'Deleting the MSFT Driver Block list update Scheduled task if it exists'
+Get-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath '\MSFT Driver Block list update\' -ErrorAction Ignore | Unregister-ScheduledTask -Confirm:$false
+
+Write-Verbose -Message "Creating the MSFT Driver Block list update task"
+[System.Security.Principal.SecurityIdentifier]$SYSTEMSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
+
+[System.String]$TaskArgument = @'
+-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri 'https://aka.ms/VulnerableDriverBlockList' -OutFile 'VulnerableDriverBlockList.zip' -ErrorAction Stop}catch{exit 1};Expand-Archive -Path '.\VulnerableDriverBlockList.zip' -DestinationPath 'VulnerableDriverBlockList' -Force;$SiPolicy_EnforcedFile = Get-ChildItem -Recurse -File -Path '.\VulnerableDriverBlockList' -Filter 'SiPolicy_Enforced.p7b' | Select-Object -First 1;Move-Item -Path $SiPolicy_EnforcedFile.FullName -Destination ($env:SystemDrive + '\Windows\System32\CodeIntegrity\SiPolicy.p7b') -Force;citool --refresh -json;Remove-Item -Path '.\VulnerableDriverBlockList' -Recurse -Force;Remove-Item -Path '.\VulnerableDriverBlockList.zip' -Force;}"
+'@
 # Create a scheduled task action, this defines how to download and install the latest Microsoft Recommended Driver Block Rules
-[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -command "& {try {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip -ErrorAction Stop}catch{exit 1};Expand-Archive -Path .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item -Path .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item -Path .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "$env:SystemDrive\Windows\System32\CodeIntegrity" -Force;citool --refresh -json;Remove-Item -Path .\VulnerableDriverBlockList -Recurse -Force;Remove-Item -Path .\VulnerableDriverBlockList.zip -Force; exit 0;}"'
+[Microsoft.Management.Infrastructure.CimInstance]$Action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument $TaskArgument
 
-# Create a scheduled task principal and assign the SYSTEM account's well-known SID to it so that the task will run under its context
-[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId 'S-1-5-18' -RunLevel Highest
+# Create a scheduled task principal and assign the SYSTEM account's SID to it so that the task will run under its context
+[Microsoft.Management.Infrastructure.CimInstance]$TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $($SYSTEMSID.Value) -RunLevel Highest
 
 # Create a trigger for the scheduled task. The task will first run one hour after its creation and from then on will run every 7 days, indefinitely
 [Microsoft.Management.Infrastructure.CimInstance]$Time = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(1) -RepetitionInterval (New-TimeSpan -Days 7)
 
-# Register the scheduled task
-$null = Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update' -Force
+# Register the scheduled task. If the task's state is disabled, it will be overwritten with a new task that is enabled
+Register-ScheduledTask -Action $Action -Trigger $Time -Principal $TaskPrincipal -TaskPath 'MSFT Driver Block list update' -TaskName 'MSFT Driver Block list update' -Description 'Microsoft Recommended Driver Block List update' -Force
 
 # Define advanced settings for the scheduled task
 [Microsoft.Management.Infrastructure.CimInstance]$TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility 'Win8' -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) -RestartCount 4 -RestartInterval (New-TimeSpan -Hours 6) -RunOnlyIfNetworkAvailable
 
 # Add the advanced settings we defined above to the scheduled task
-$null = Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
+Set-ScheduledTask -TaskName 'MSFT Driver Block list update' -TaskPath 'MSFT Driver Block list update' -Settings $TaskSettings
 """);
         }
     }

Harden-Windows-Security Module/Main files/Shared/HardeningFunctions.ps1

@@ -382,20 +382,12 @@ Function Invoke-MicrosoftDefender {
                 }
             }
 
-            [HardenWindowsSecurity.Logger]::LogMessage('Getting the state of fast weekly Microsoft recommended driver block list update scheduled task', [HardenWindowsSecurity.LogTypeIntel]::Information)
-            [System.String]$BlockListScheduledTaskState = ([HardenWindowsSecurity.TaskSchedulerHelper]::Get('MSFT Driver Block list update', '\MSFT Driver Block list update\', 'TaskList')).State
-
-            # Create scheduled task for fast weekly Microsoft recommended driver block list update if it doesn't exist or exists but is not Ready/Running
-            if (($BlockListScheduledTaskState -notin '2', '3', '4')) {
-                :TaskSchedulerCreationLabel switch ($RunUnattended ? ($MSFTDefender_NoScheduledTask ? 'No' : 'Yes') : (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nCreate scheduled task for fast weekly Microsoft recommended driver block list update ?")) {
-                    'Yes' {
-                        [HardenWindowsSecurity.MicrosoftDefender]::MSFTDefender_ScheduledTask()
-                    } 'No' { break TaskSchedulerCreationLabel }
-                    'Exit' { break MainSwitchLabel }
-                }
-            }
-            else {
-                [HardenWindowsSecurity.Logger]::LogMessage("Scheduled task for fast weekly Microsoft recommended driver block list update already exists and is in $BlockListScheduledTaskState state", [HardenWindowsSecurity.LogTypeIntel]::Information)
+            # Create scheduled task for fast weekly Microsoft recommended driver block list update. The method will overwrite the task if it exists which is the desired behavior.
+            :TaskSchedulerCreationLabel switch ($RunUnattended ? ($MSFTDefender_NoScheduledTask ? 'No' : 'Yes') : (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nCreate scheduled task for fast weekly Microsoft recommended driver block list update ?")) {
+                'Yes' {
+                    [HardenWindowsSecurity.MicrosoftDefender]::MSFTDefender_ScheduledTask()
+                } 'No' { break TaskSchedulerCreationLabel }
+                'Exit' { break MainSwitchLabel }
             }
 
             # Only display this prompt if Engine and Platform update channels are not already set to Beta