
Add-CodeDomAuthorizedType.ps1

a guest
Jan 15th, 2019
  1. <#
  2.  
  3.  This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.  
  4.  THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
  5.  INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.  
  6.  We grant you a nonexclusive, royalty-free right to use and modify the sample code and to reproduce and distribute the object
  7.  code form of the Sample Code, provided that you agree:
  8.     (i)   to not use our name, logo, or trademarks to market your software product in which the sample code is embedded;
  9.     (ii)  to include a valid copyright notice on your software product in which the sample code is embedded; and
  10.     (iii) to indemnify, hold harmless, and defend us and our suppliers from and against any claims or lawsuits, including
  11.           attorneys' fees, that arise or result from the use or distribution of the sample code.
  12.  Please note: None of the conditions outlined in the disclaimer above will supercede the terms and conditions contained within
  13.               the Premier Customer Services Description.
  14.  ----------------------------------------------------------
  15.  History
  16.  ----------------------------------------------------------
  17.  10/15/2018 - Added three additional authorized types
  18.  
  19.  09/18/2018 - Added an update to allow customers using Nintex to use the new IncludeNintexWorkflow switch to automatically add
  20.               the necessary authorizedType required for Nintex
  21.  
  22.  09/17/2018 - Updated to match "final update" post
  23.  
  24.  
  25.    REFERENCE:
  26.    
  27.     https://support.microsoft.com/en-us/help/4465015/sharepoint-workflows-stop-after-cve-2018-8421-security-update
  28.     https://blogs.msdn.microsoft.com/rodneyviana/2018/09/13/after-installing-net-security-patches-to-address-cve-2018-8421-sharepoint-workflows-stop-working/
  29.     https://blogs.msdn.microsoft.com/rodneyviana/2018/10/12/step-by-step-video-on-how-to-fix-the-sharepoint-workflow/
  30.  
  31.   SUMMARY:
  32.    
  33.     This script leverages the native SharePoint SPWebConfigModification API to deploy new updates to the web.config file for
  34.     each web application on each server in the farm.  Servers added a later date will also get the updates applied because the API
  35.     configuration is persisted in the config database.  This API does not update the web.config for the central administration web application.
  36.     If you are running workflows on the central admin web application, you will need to manually update the web.config using the steps in the
  37.     referenced blog.
  38.  
  39. ==============================================================
  40. #>
  41.  
  42. Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue | Out-Null
  43.  
  44. function Add-CodeDomAuthorizedType
  45. {
  46.     <#
  47.     .Synopsis
  48.        Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
  49.  
  50.     .DESCRIPTION
  51.        Adds the necessary authorizedType elements to all web.config files for all non-central admin web applications
  52.  
  53.     .EXAMPLE
  54.        Add-CodeDomAuthorizedType
  55.  
  56.     .EXAMPLE
  57.        Add-CodeDomAuthorizedType -IncludeNintexWorkflow
  58.     #>
  59.     [CmdletBinding()]
  60.     param
  61.     (
  62.         [parameter(Mandatory=$false)][switch]$IncludeNintexWorkflow
  63.     )
  64.  
  65.     begin
  66.     {
  67.         $updateRequired = $false
  68.  
  69.         $farmMajorVersion = (Get-SPFarm -Verbose:$false ).BuildVersion.Major
  70.         $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
  71.  
  72.         $authorizedTypes = @()
  73.  
  74.         if( $farmMajorVersion -le 14)
  75.         {
  76.             $systemAssemblyVersion = "2.0.0.0"
  77.             $targetParentPath      = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes"
  78.         }
  79.         else
  80.         {
  81.             $systemAssemblyVersion = "4.0.0.0"
  82.             $targetParentPath      = "configuration/System.Workflow.ComponentModel.WorkflowCompiler/authorizedTypes/targetFx[@version='v4.0']"
  83.         }
  84.  
  85.         if($IncludeNintexWorkflow.IsPresent)
  86.         {
  87.             $authorizedTypes += New-Object PSCustomObject -Property @{
  88.                 Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  89.                 Namespace = "System.CodeDom"
  90.                 TypeName  = "CodeTypeReferenceExpression"
  91.             }
  92.         }
  93.        
  94.         $authorizedTypes += New-Object PSCustomObject -Property @{
  95.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  96.             Namespace = "System.CodeDom"
  97.             TypeName  = "CodeBinaryOperatorExpression"
  98.         }
  99.  
  100.         $authorizedTypes += New-Object PSCustomObject -Property @{
  101.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  102.             Namespace = "System.CodeDom"
  103.             TypeName  = "CodePrimitiveExpression"
  104.         }
  105.  
  106.         $authorizedTypes += New-Object PSCustomObject -Property @{
  107.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  108.             Namespace = "System.CodeDom"
  109.             TypeName  = "CodeMethodInvokeExpression"
  110.         }
  111.  
  112.         $authorizedTypes += New-Object PSCustomObject -Property @{
  113.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  114.             Namespace = "System.CodeDom"
  115.             TypeName  = "CodeMethodReferenceExpression"
  116.         }
  117.  
  118.         $authorizedTypes += New-Object PSCustomObject -Property @{
  119.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  120.             Namespace = "System.CodeDom"
  121.             TypeName  = "CodeFieldReferenceExpression"
  122.         }
  123.  
  124.         $authorizedTypes += New-Object PSCustomObject -Property @{
  125.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  126.             Namespace = "System.CodeDom"
  127.             TypeName  = "CodeThisReferenceExpression"
  128.         }
  129.  
  130.         $authorizedTypes += New-Object PSCustomObject -Property @{
  131.             Assembly  = "System, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  132.             Namespace = "System.CodeDom"
  133.             TypeName  = "CodePropertyReferenceExpression"
  134.         }
  135.  
  136.         # added 10/15/2018 to match Nov 2018 CU
  137.         $authorizedTypes += New-Object PSCustomObject -Property @{
  138.             Assembly  = "System.Workflow.Activities, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
  139.             Namespace = "System.Workflow.Activities.Rules"
  140.             TypeName  = "RuleDefinitions"
  141.         }
  142.  
  143.         # added 10/15/2018 to match Nov 2018 CU
  144.         $authorizedTypes += New-Object PSCustomObject -Property @{
  145.             Assembly  = "System.Workflow.Activities, Version=$systemAssemblyVersion, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
  146.             Namespace = "System.Workflow.Activities.Rules"
  147.             TypeName  = "RuleExpressionCondition"
  148.         }
  149.  
  150.         #  this should exist in web.config already
  151.         #$authorizedTypes += New-Object PSCustomObject -Property @{
  152.         #    Assembly  = "Microsoft.SharePoint.WorkflowActions, Version=$farmMajorVersion.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  153.         #    Namespace = "Microsoft.SharePoint.WorkflowActions"
  154.         #    TypeName  = "*"
  155.         #}
  156.     }
  157.     process
  158.     {
  159.         foreach( $authorizedType in $authorizedTypes )
  160.         {
  161.             $netFrameworkConfig = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
  162.             $netFrameworkConfig.Path     = $targetParentPath
  163.             $netFrameworkConfig.Name     = "authorizedType[@Assembly='$($authorizedType.Assembly)'][@Namespace='$($authorizedType.Namespace)'][@TypeName='$($authorizedType.TypeName)'][@Authorized='True']"
  164.             $netFrameworkConfig.Owner    = "NetFrameworkAuthorizedTypeUpdate"
  165.             $netFrameworkConfig.Sequence = 0
  166.             $netFrameworkConfig.Type     = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
  167.             $netFrameworkConfig.Value    = "<authorizedType Assembly=`"$($authorizedType.Assembly)`" Namespace=`"$($authorizedType.Namespace)`" TypeName=`"$($authorizedType.TypeName)`" Authorized=`"True`"/>"
  168.            
  169.             if( -not ($contentService.WebConfigModifications | ? { $_.Value -eq $netFrameworkConfig.Value }) )
  170.             {
  171.                 Write-Verbose "Adding Authorized Type: $($netFrameworkConfig.Value)"
  172.  
  173.                 $contentService.WebConfigModifications.Add($netFrameworkConfig);
  174.                 $updateRequired = $true
  175.             }
  176.             else
  177.             {
  178.                 Write-Verbose "Authorized Type Exists: $($netFrameworkConfig.Value)"
  179.             }
  180.         }
  181.  
  182.         if( $updateRequired )
  183.         {
  184.             Write-Verbose "Updating web.configs"
  185.             $contentService.Update()
  186.             $contentService.ApplyWebConfigModifications();
  187.         }
  188.     }
  189.     end
  190.     {
  191.     }    
  192. }
  193.  
  194. function Remove-CodeDomAuthorizedType
  195. {
  196.     <#
  197.     .Synopsis
  198.        Removes any web configuration entires owned by "NetFrameworkAuthorizedTypeUpdate"
  199.  
  200.     .DESCRIPTION
  201.        Removes any web configuration entires owned by "NetFrameworkAuthorizedTypeUpdate"
  202.  
  203.     .EXAMPLE
  204.         Remove-CodeDomAuthorizedType
  205.     #>
  206.     [CmdletBinding()]
  207.     param()
  208.  
  209.     begin
  210.     {
  211.         $contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
  212.     }
  213.     process
  214.     {
  215.         $webConfigModifications = @($contentService.WebConfigModifications | ? { $_.Owner -eq "NetFrameworkAuthorizedTypeUpdate" })
  216.  
  217.         foreach ( $webConfigModification in $webConfigModifications )
  218.         {
  219.             Write-Verbose "Found instance owned by NetFrameworkAuthorizedTypeUpdate"
  220.             $contentService.WebConfigModifications.Remove( $webConfigModification ) | Out-Null
  221.         }
  222.        
  223.         if( $webConfigModifications.Count -gt 0 )
  224.         {
  225.             $contentService.Update()
  226.             $contentService.ApplyWebConfigModifications()
  227.         }
  228.     }
  229.     end
  230.     {
  231.     }    
  232. }
  233.  
# will get the timerjob responsible for the web.config change deployment
# Get-SPTimerJob | ? { $_.Name -eq "job-webconfig-modification" }

# Adds the updates to the farm; only needs to be run once per farm.
# NOTE: this call runs whenever the file is executed or dot-sourced, so the farm-wide
# web.config change starts immediately. Review the function above before running the
# file on a farm server.
Add-CodeDomAuthorizedType -Verbose

# To retract the changes, remove the leading # on the line below. Remove-CodeDomAuthorizedType
# deletes every web.config modification owned by "NetFrameworkAuthorizedTypeUpdate".
# Remove-CodeDomAuthorizedType -Verbose