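<#
*******************************************************************************************************************************
Name:               Reset-WindowsUpdate-WSUSManaged.ps1
Version:            0.1.0.0 (12/02/2021)
Purpose:            Resets Windows Update if device is managed by WSUS.
Created by:         Ashley How
Pre-Reqs:           PowerShell 5.0 or later (Get-ItemPropertyValue and Install-Module are used below).
                    Writes to HKLM policy keys, the machine Registry.pol and the wuauserv service,
                    so it has to run elevated.
Version History:    0.1.0.0 - Initial Release.
*******************************************************************************************************************************
#>

Function Get-TimeStamp {
    # Current local time as "[MM/dd/yy HH:mm:ss]", used as a prefix on every log line.
    return "[{0:MM/dd/yy} {0:HH:mm:ss}]" -f (Get-Date)
}

Function Confirm-WSUSManaged {
    <#
    .SYNOPSIS
        Reports whether the device is pointed at a WSUS server and records the result in $Check.
    .DESCRIPTION
        The device counts as WSUS managed only when the policy key
        HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU exists and its UseWUServer
        value equals 1. A missing key, a missing value or any read error means "not managed".
    .NOTES
        Call it dot-sourced (". Confirm-WSUSManaged"): $Check is a plain assignment and only
        reaches the caller's scope that way. $AUKey and $UseWUServer leak the same way.
    #>
    $AUKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $Check = $false

    Try {
        If (Test-Path -LiteralPath $AUKey) {
            $UseWUServer = Get-ItemPropertyValue -LiteralPath $AUKey -Name 'UseWUServer' -ea SilentlyContinue
            If ($UseWUServer -eq 1) {
                $Check = $true
            }
        }
    }
    Catch {
        # A read failure is treated the same as "value absent".
        $Check = $false
    }

    If ($Check) {
        # Emitted on the error stream, as in the original release of this script.
        Write-Error "$(Get-TimeStamp) Device is managed by WSUS. Action required."
    }
    Else {
        Write-Output "$(Get-TimeStamp) Device is not managed by WSUS. No action required."
    }
}

. Confirm-WSUSManaged

If ($Check -eq $true) {
    Write-Output "$(Get-TimeStamp) Configuring prerequisites for removing local GPO entries..."

    # Set TLS 1.2
    Write-Output "$(Get-TimeStamp) Setting TLS 1.2, required for PSGallery..."
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Trust PSGallery and install module.
    # NOTE(review): this leaves PSGallery marked as trusted after the script ends and installs
    # whatever PolicyFileEditor release is current at run time, in an elevated context.
    # Consider pinning a vetted release with -RequiredVersion (or serving the module from an
    # internal repository) and restoring the previous InstallationPolicy afterwards.
    Write-Output "$(Get-TimeStamp) Setting PSGallery as trusted repository..."
    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
    Write-Output "$(Get-TimeStamp) Installing PolicyFileEditor module from the PSGallery..."
    Install-Module -Name PolicyFileEditor -Force

    # Define Local GPO file location for Machine
    $MachineDir = "$env:windir\system32\GroupPolicy\Machine\Registry.pol"
    Write-Output "$(Get-TimeStamp) PolicyFileEditor - Local GPO location for machine: ($MachineDir)."
    Write-Output "$(Get-TimeStamp) Removing Local GPO entries..."

    # Local GPO settings to remove, in the order they are processed. The "**del." names are
    # looked up literally, exactly as the other value names are.
    $WUKey = "Software\Policies\Microsoft\Windows\WindowsUpdate"
    $PolicyEntries = @(
        @{ Key = $WUKey;      ValueName = "DisableDualScan" },
        @{ Key = $WUKey;      ValueName = "WUServer" },
        @{ Key = $WUKey;      ValueName = "WUStatusServer" },
        @{ Key = "$WUKey\AU"; ValueName = "UseWUServer" },
        @{ Key = $WUKey;      ValueName = "SetProxyBehaviorForUpdateDetection" },
        @{ Key = $WUKey;      ValueName = "UpdateServiceUrlAlternate" },
        @{ Key = $WUKey;      ValueName = "DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection" },
        @{ Key = $WUKey;      ValueName = "FillEmptyContentUrls" },
        @{ Key = $WUKey;      ValueName = "**del.DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection" },
        @{ Key = $WUKey;      ValueName = "**del.FillEmptyContentUrls" }
    )

    # Remove Local GPO settings
    ForEach ($Entry in $PolicyEntries) {
        $Existing = Get-PolicyFileEntry -ValueName $Entry.ValueName -Key $Entry.Key -Path $MachineDir
        If ($Existing.ValueName -eq $Entry.ValueName) {
            Write-Output "$(Get-TimeStamp) Found $($Entry.ValueName), removing..."
            Remove-PolicyFileEntry -ValueName $Entry.ValueName -Key $Entry.Key -Path $MachineDir
        }
    }

    Write-Output "$(Get-TimeStamp) Invoking group policy update..."
    # NOTE(review): /wait:0 returns without waiting for policy processing to finish, so the
    # re-check below can still see the old registry values and fall through to the key rename.
    # Confirm that this fallback is intended. "echo y" presumably answers a gpupdate prompt.
    Invoke-Command -ScriptBlock { echo y | gpupdate /force /wait:0 }

    . Confirm-WSUSManaged

    If ($Check -eq $true) {
        Write-Output "$(Get-TimeStamp) Removing manual registry entries..."

        # Get Date. Get-Date -Format already returns a string; piping it through Out-String
        # would append a line break that ends up inside the new key name.
        $Date = Get-Date -Format 'yyyy.MM.ddTHHmm'

        # Rename registry key. The old policy key is kept under the new name rather than
        # deleted, so the previous WSUS settings remain available for review or rollback.
        Rename-Item -LiteralPath "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -NewName "WindowsUpdate.old.$Date" -Force

        . Confirm-WSUSManaged
    }

    # Restart the Windows Update Service
    Write-Output "$(Get-TimeStamp) Restarting the Windows Update Service..."
    Restart-Service -Name wuauserv -Force
}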