In this post, we’ll provide a PowerShell script IT admins can use to mount and unmount ISO files dynamically.
Background
ISO files, essentially a complete copy of a disc in digital form, are widely used to distribute software (including malware, unfortunately). IT professionals and Managed Service Providers (MSPs) may prefer to block mounting of ISO files in general, or they might come across a need to enable or disable the mounting of these ISO images dynamically, particularly on enterprise systems. This PowerShell script aids in controlling this feature with precision, ensuring that security and policy adherence are met with grace.
The Script
#Requires -Version 5.1
<#
.SYNOPSIS
Enables or disables the mounting of ISO images.
.DESCRIPTION
Enables or disables the mounting of ISO images.
.EXAMPLE
-Enable
Enables mounting of ISO images.
.EXAMPLE
-Disable
Disables mounting of ISO images.
.OUTPUTS
None
.NOTES
Minimum OS Architecture Supported: Windows 10, Windows Server 2016
Release Notes:
Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>
[CmdletBinding()]
param (
[Parameter()]
[switch]
$Enable,
[Parameter()]
[switch]
$Disable
)
begin {
function Set-ItemProp {
param (
$Path,
$Name,
$Value,
[ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
$PropertyType = "DWord"
)
# Do not output errors and continue
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::SilentlyContinue
if (-not $(Test-Path -Path $Path)) {
# Check if path does not exist and create the path
New-Item -Path $Path -Force | Out-Null
}
if ((Get-ItemProperty -Path $Path -Name $Name)) {
# Update property and print out what it was changed from and changed to
$CurrentValue = Get-ItemProperty -Path $Path -Name $Name
try {
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error $_
}
Write-Host "$Path$Name changed from $CurrentValue to $(Get-ItemProperty -Path $Path -Name $Name)"
}
else {
# Create property with value
try {
New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
}
catch {
Write-Error $_
}
Write-Host "Set $Path$Name to $(Get-ItemProperty -Path $Path -Name $Name)"
}
$ErrorActionPreference = [System.Management.Automation.ActionPreference]::Continue
}
function Test-IsElevated {
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$p = New-Object System.Security.Principal.WindowsPrincipal($id)
$p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
}
process {
if (-not (Test-IsElevated)) {
Write-Error -Message "Access Denied. Please run with Administrator privileges."
exit 1
}
if ($env:Action -like "Enable") {
$Enable = $true
}
elseif ($env:Action -like "Disable") {
$Disable = $true
}
# Use a unique number that isn't likely to be used
# "ninja" to something close to a number plus 1 at the end: "41470" + "1"
$GroupName = "414701"
# Mount HKEY_CLASSES_ROOT as HKCR: for the current session
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
if ($Enable -and $Disable) {
Write-Error "Both Enable and Disable can not be used at the same time."
exit 1
}
elseif ($Enable) {
# Enables the use of ISO mounting by removing registry settings
# ErrorAction set to SilentlyContinue for when the registry settings don't exist
Remove-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictionsDenyDeviceIDs" -Name "$GroupName" -ErrorAction SilentlyContinue
Write-Host "Removed $GroupName from HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictionsDenyDeviceIDs"
Remove-ItemProperty -Path "HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictions" -Name "DenyDeviceIDsRetroactive" -ErrorAction SilentlyContinue
Write-Host "Removed DenyDeviceIDsRetroactive from HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictionsDenyDeviceIDs"
Remove-ItemProperty -Path "HKCR:Windows.IsoFileshellmount" -Name "ProgrammaticAccessOnly" -ErrorAction SilentlyContinue
Write-Host "Removed ProgrammaticAccessOnly from HKCR:Windows.IsoFileshellmount"
}
elseif ($Disable) {
# Disables the use of ISO mounting by creating registry settings
Set-ItemProp -Path "HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictionsDenyDeviceIDs" -Name "$GroupName" -Value "SCSICdRomMsft____Virtual_DVD-ROM_" -PropertyType String
Set-ItemProp -Path "HKLM:SOFTWAREPoliciesMicrosoftWindowsDeviceInstallRestrictions" -Name "DenyDeviceIDsRetroactive" -Value "1" -PropertyType DWord
Set-ItemProp -Path "HKCR:Windows.IsoFileshellmount" -Name "ProgrammaticAccessOnly" -Value "" -PropertyType String
}
else {
Write-Error "Enable or Disable is required."
exit 1
}
Write-Host "Any logged in users will need to log out and back in for changes to take effect."
}
end {
$ScriptVariables = @(
[PSCustomObject]@{
name = "Action"
calculatedName = "action"
required = $true
defaultValue = [PSCustomObject]@{
type = "TEXT"
value = "Disable"
}
valueType = "DROPDOWN"
valueList = @(
[PSCustomObject]@{
type = "UNDEFINED"
value = "Disable"
},
[PSCustomObject]@{
type = "UNDEFINED"
value = "Enable"
}
)
description = "Used to enable or disable the mounting of ISO images."
}
)
}
Access 300+ scripts in the NinjaOne Dojo
Detailed Breakdown
The provided script is designed to toggle the mounting capability of ISO images. Let’s dissect its components:
- Parameters: The script accepts two switches – $Enable and $Disable. They dictate the script’s behavior, enabling or disabling ISO mounting.
- Set-ItemProp Function: This in-house function handles the creation or modification of a registry property. It caters to different property types, ensuring flexibility in the management of Windows Registry keys.
- Test-IsElevated Function: Checks if the script runs with administrative privileges. This ensures that changes are applied system-wide and not limited to the user’s session.
- Process Block: The heart of the script. Here, the logic resides:
- Checks administrative rights.
- Determines the action based on provided parameters or environment variables.
- Either removes (enabling) or sets (disabling) specific registry keys to control the ISO mounting capability.
Potential Use Cases
Consider a case study: Acme Corp’s IT department pushes a software update via ISO files to all employee systems. Once the update concludes, they aim to disable the ISO mounting capability temporarily. By deploying this script enterprise-wide, they can control this functionality, ensuring that unofficial or unsanctioned ISOs aren’t mounted by curious users.
Comparisons
While manual intervention or GUI-based tools can manage ISO mounting permissions, they are inefficient for large-scale operations. Our script offers an automated, hassle-free, and robust method when compared to time-consuming manual processes.
FAQs
- Does the script require admin privileges?
Yes, for system-wide changes, the script must be run with administrative rights. - Can I enable and disable simultaneously?
No. The script requires a distinct action, either enabling or disabling.
Implications
Managing the ability to mount ISO files can have profound security implications. Unauthorized ISOs can introduce malware or unwanted software. By controlling this feature, IT departments can ensure only sanctioned ISOs get mounted, mitigating potential threats.
Recommendations
- Always backup registry settings before making changes.
- Test the script in a controlled environment before enterprise-wide deployment.
- Monitor system behaviors post-deployment to identify any unexpected outcomes.
Final Thoughts
For platforms like NinjaOne, which caters to IT operations and management, scripts like these are invaluable. They showcase the platform’s versatility and alignment with contemporary IT needs. By leveraging such tools, IT professionals can harness the full power of PowerShell, making system management efficient and secure.
