Scheduled Tasks and PowerShell Actions

One day, I decided to experiment with Windows Event Viewer and Scheduled Tasks. I discovered that you can use Scheduled Tasks on Windows machines to execute certain actions based on specific Event IDs. In this case, I created a Scheduled Task that triggers when the 4624 Event ID occurs, and sends a notification to a specified Microsoft Teams channel. This allows for interesting automation flows and makes Microsoft Teams even more powerful.

Requirements

• Visual Studio Code or NotePad++
• Microsoft Teams
• Windows Server with Advanced Auditing Settings enabled

Sample files

You can download sample files from my GitHub page:

• https://github.com/Kaidja/AzureAutomation/tree/main/RDP%20Interactive%20Logons

Create Microsoft Teams Group and Channels

The first step is to set up a Microsoft Teams Group and one channel for the RDP interactive notifications. Notifications are posted from different servers to this channel.

In this example, I'm using the Incoming Webhooks connector for posting information. To configure the channel connector, follow the following steps.

Interactive Logons channel connectors

1. Right-click the “Interactive Logons” channel and choose Connectors
   
2. Locate the Incoming Webhooks connector and click Add twice
   
3. Right-click the channel again and choose Connectors
   
4. Click Configure
   
5. Specify the name, upload the image and click Create
   
6. Copy the URL
   

Create Scheduled Task

Sample PowerShell script for Teams

Copy the following script template from GitHub and add the Teams Webhook URL address. You need to modify line 9.

Send-InterActiveLogonDetails.ps1

• https://github.com/Kaidja/AzureAutomation/blob/main/RDP%20Interactive%20Logons/Send-InterActiveLogonDetails.ps1

Event Filter

Copy the following Event ID XPATH filter. You can get the following query from GitHub

• https://github.com/Kaidja/AzureAutomation/blob/main/RDP%20Interactive%20Logons/Query%20Interactive%20Logons.xt

Query Interactive Logons XPath query

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[EventData[Data[@Name='LogonType'] and Data='10']]
and
*[System[(EventID=4624)]]
</Select>
  </Query>
</QueryList> 

Scheduled Task creation

1. Open the Task Scheduler console and right-click and choose Create New Task
2. On the Create Task page, fill out the following information:

• Name: Send Interactive Logon Details
• Description: Send Interactive Logon Details
• User account: SYSTEM
• Configure for: Windows Server 2019

4. Select the Triggers panel and choose New
   
5. On the New Trigger windows, choose New Event Filter..
   
6. On the New Event Filter page, select XML and enable the Edit query manually. Copy the Event Filter XPath query and click OK. Click OK
   
7. Select the Actions panel and choose New..
8. On the New Action window, fill out the following fields:

• Program/Script: PowerShell.exe
• Add Arguments(Optional): -File "C:\MyScriptFolderLocation\Send-InterActiveLogonDetails.ps1" -TargetUserName $(TargetUserName) -TimeCreated $(TimeCreated)
  

12. Right-click the Scheduled Task and choose Export
    
13. Open the Send Interactive Logon Details.xml with Visual Studio Code or NotePad++
14. Locate the Triggers XML node
    
15. Add the ValueQueries section under the Subscription
    
16. Save the XML file
17. Delete the first version of the “Send Interactive Logon Details Scheduled” Task
    
18. Right-click again in the Scheduled Task console and choose Import Task
    
19. Locate the modified version of “Send Interactive Logon Details” Scheduled Task and click Open
20. Click OK
    
21. Right-click the task again and choose Run
22. If everything is done correctly, then you should see the following message in your Teams channel
    
23. Now disconnect and log on again to your test server. Now all the fields should be filled with the correct data.
    

Summary

As you see from this simple POC, you can build awesome solutions quite easily these days and Teams makes it even easier.

If you have any questions, then please let me know.