From a23fb30c7425f9fe03e2a32d3f4afc706f0361db Mon Sep 17 00:00:00 2001
From: Mathew
Date: Mon, 23 Sep 2024 09:25:44 +0000
Subject: [PATCH] added in gpedit auto update for removable storage audit
---
 Install-PromtailOnWindows.ps1 | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/Install-PromtailOnWindows.ps1 b/Install-PromtailOnWindows.ps1
index d4f88c4..24ecbf7 100644
--- a/Install-PromtailOnWindows.ps1
+++ b/Install-PromtailOnWindows.ps1
@@ -335,6 +335,17 @@
 $logDetails.Enabled = $True
 Set-LogProperties -LogDetails $logDetails
 Get-LogProperties 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+## The below line will update the group Policy to enable the removeable storage audit, if GP edit exists
+
+if (Test-Path 'C:\Windows\System32\gpedit.msc') {
+ Write-Host 'Enabling Group Policy - Audit removeable storage.'
+ auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
+}
+else{
+ Write-Host 'c:\Windows\System32\gpedit.msc does NOT exist, Exiting on safety grounds'
+ exit
+}
+
 $downloadUrl = "https://github.com/grafana/loki/releases/download/v2.9.5/promtail-windows-amd64.exe.zip"
 $downloadWinSWUrl = "https://github.com/winsw/winsw/releases/download/v2.12.0/WinSW-x64.exe"
 $winSWFilename = "WinSW-x64.exe"
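Review bot: The gate in the added block tests the wrong prerequisite — `Test-Path 'C:\Windows\System32\gpedit.msc'` checks for the Group Policy editor snap-in, but the command it guards is `auditpol /set`, which writes the local advanced audit policy directly and does not need gpedit.msc; a host without that snap-in (Home editions) is aborted for no reason, while a domain-joined host whose audit policy comes from a GPO will presumably have this local setting overwritten at the next policy refresh. The bare `exit` in the else branch also ends the whole installer with status 0, so an automated caller sees success although Promtail was never downloaded, and the same silent outcome occurs if auditpol itself fails because `$LASTEXITCODE` is never checked. I would drop the gpedit check, run the command unconditionally, and add `if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed with exit code $LASTEXITCODE"; exit 1 }` immediately after it, using `exit 1` on any remaining abort path. The `/subcategory:"Removable Storage"` name is localized and fails on non-English systems; the GUID form `/subcategory:{0CCE9245-69AE-11D9-BED3-505054503030}` is language-independent. The block sits at script top level, so the enclosing script body continues outside the hunk.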