Monday, October 30, 2017

System Reserved Drive Letter Compliance Baseline

We have a scenario where the System Reserved volume (usually S:) still retains its drive letter assignment after deployment. While trying to resolve it, we noticed several systems that still have the reserved drive letter present months after deployment. We are still trying to find the root cause in the Task Sequence, but it's hard to track down: we can image a system and the letter is present, then clean it and image it again and it will not be there.

So as a resolution we are using a baseline to remove the letter assignment if found. I will not cover creating a baseline here but will show the relevant parts. To begin with, we have to set up the detection using this PowerShell:

 # Look up the System Reserved volume and read its drive letter (empty when none is assigned)
 $SysReservedDrive = Get-WmiObject win32_volume -filter "Label = 'System Reserved'" | select -property "DriveLetter"
 $DriveLetter = $SysReservedDrive.DriveLetter
 IF([string]::IsNullOrEmpty($DriveLetter)) {
   Write-Host "Compliant"
 } else {
   Write-Host "Non-Compliant"
 }

Then for remediation we use this PS1:

 # Ask diskpart for the volume list and capture its output
 $results = @('List Volume') | diskpart
 $VolNum = $null
 $DriveLtr = $null
 Foreach ($line in $results) {
   # diskpart truncates the label column, so match on "System Rese"
   if ($line -match "System Rese") {
     # Keep only the columns left of the label: "Volume <n> <letter>"
     $pos = $line.IndexOf("System")
     $Array = $line.Substring(0, $pos).Split(" ", [System.StringSplitOptions]::RemoveEmptyEntries)
     # Three elements means a letter is assigned; with two there is nothing to remove
     if ($Array.Count -eq 3) {
       $VolNum = $Array[-2]
       $DriveLtr = $Array[-1]
     }
   }
 }
 # Only call diskpart again when a lettered System Reserved volume was found
 if ($VolNum -and $DriveLtr) {
   $commands = @(
     "Select Volume $VolNum",
     "Remove Letter=$DriveLtr"
   )
   $commands | diskpart
 }

Pretty easy. On the compliance condition, just set it so the value = Compliant.

We advertise the baseline to a collection holding all workstations, set it to Windows 7 and up, and have it run daily. This way, if there is a legitimate reason for IT staff to attach a drive letter, they can finish their task before the baseline remediates it.
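
As an added example (not part of the original scripts), the remediation can also be done through the same Win32_Volume class the detection script queries, which avoids parsing diskpart's column output. It assumes the volume label is exactly 'System Reserved' and that the script runs elevated, as a baseline remediation does; the variable names are illustrative.

```powershell
# Added example: remediation through Win32_Volume rather than diskpart text.
# Get-WmiObject is used because it is available on Windows 7 (PowerShell 2.0).
$label = 'System Reserved'   # assumption: same label the detection script filters on

# @() forces an array so zero, one or several matching volumes are all handled
$volumes = @(Get-WmiObject -Class Win32_Volume -Filter "Label = '$label'")

foreach ($vol in $volumes) {
    if ([string]::IsNullOrEmpty($vol.DriveLetter)) {
        continue   # no letter assigned, nothing to remove
    }
    # DriveLetter is a writable property; clearing it and saving removes the letter
    $vol.DriveLetter = $null
    $null = $vol.Put()
}

# Re-query and report in the same terms the detection script uses
$remaining = @(Get-WmiObject -Class Win32_Volume -Filter "Label = '$label'" |
    Where-Object { -not [string]::IsNullOrEmpty($_.DriveLetter) })

if ($remaining.Count -eq 0) {
    Write-Host "Compliant"
} else {
    Write-Host "Non-Compliant"
}
```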
