
Keeping the SCCM Cache Clean with DCM


SCCM Cache Clean

In environments with frequent software distributions, the SCCM cache folder can quickly take up a large amount of disk space.  This becomes a real problem on older systems or virtual machines with limited disk space.  Our support team found themselves constantly tracking down systems with low disk space and cleaning the cache by hand.  I came up with this DCM configuration item to automatically detect and clean up content in the cache that is older than a given number of days.  The detection and cleanup scripts both write to their own application event log, so you can see a history of cleanup activity.

Creating the CI

Create a new configuration item and select Windows Desktops and Servers as the type of configuration item.

Choose the appropriate operating systems.  In my case I selected all operating systems as I wanted the cache to be cleaned across the board.

Create a new setting, set its type to Script and its data type to String.

Add a discovery script for detecting old items in the cache folder.  Customize the number of days as you see fit; you can also change the event log source if desired.  The script must return the number of obsolete items so the compliance rule can evaluate it.

$MinDays = 30   # cache items not referenced within this many days are treated as obsolete

# Create the custom event log and source on first run; the error is ignored when they already exist
New-EventLog -LogName SCCM_Cleanup -Source "DCM" -ErrorAction SilentlyContinue
Write-EventLog -LogName SCCM_Cleanup -Source "DCM" -EntryType Information -EventId 1000 -Message "Detection starting for Cleanup CCMCACHE" -ErrorAction SilentlyContinue

# Query the client cache through the UIResourceMgr COM object
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
$count = ($Cache.GetCacheElements() | Where-Object { [datetime]$_.LastReferenceTime -lt (Get-Date).AddDays(-$MinDays) } | Measure-Object).Count

Write-EventLog -LogName SCCM_Cleanup -Source "DCM" -EntryType Information -EventId 1003 -Message "Total obsolete items found: $count" -ErrorAction SilentlyContinue
Write-EventLog -LogName SCCM_Cleanup -Source "DCM" -EntryType Information -EventId 1001 -Message "Detection ending for Cleanup CCMCACHE" -ErrorAction SilentlyContinue

# Return the count to DCM; the compliance rule compares it against 0
$count


Next, define a remediation script.  Once again you can customize the number of days and the event log name; the number of days must match the detection script.

$MinDays = 30   # keep in sync with the detection script

New-EventLog -LogName SCCM_Cleanup -Source "DCM" -ErrorAction SilentlyContinue
Write-EventLog -LogName SCCM_Cleanup -Source "DCM" -EntryType Information -EventId 1010 -Message "Remediation starting for Cleanup CCMCACHE" -ErrorAction SilentlyContinue

# Delete every cache element whose last reference is older than the cutoff
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
$Cache.GetCacheElements() | Where-Object { [datetime]$_.LastReferenceTime -lt (Get-Date).AddDays(-$MinDays) } | ForEach-Object { $Cache.DeleteCacheElement($_.CacheElementID) }

Write-EventLog -LogName SCCM_Cleanup -Source "DCM" -EntryType Information -EventId 1011 -Message "Remediation ending for Cleanup CCMCACHE" -ErrorAction SilentlyContinue

The final step is to create the compliance rule.  Set the value to check against to 0, so that any obsolete items found make the system non-compliant, and check the Run remediation script checkbox.

After you have tested the new CI, assign it to the appropriate baseline(s) for your environment.  You can now forget about having to clean up the SCCM cache folder by hand.
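Before enabling remediation it helps to see what the cutoff would actually remove. The following read-only preview is an added example, not part of the original post; it uses the same UIResourceMgr COM object as the scripts above and assumes ContentSize is reported in KB.

```powershell
# Added example: list the cache elements the remediation script would delete, with
# their size and reference count, so the $MinDays value can be validated first.
$MinDays = 30
$Cutoff  = (Get-Date).AddDays(-$MinDays)

$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()

# Same selection as the detection/remediation scripts, but nothing is deleted
$Old = @($Cache.GetCacheElements() |
    Where-Object { [datetime]$_.LastReferenceTime -lt $Cutoff } |
    Select-Object ContentId, ContentVersion, ContentSize, ReferenceCount, LastReferenceTime, Location)

$Old | Sort-Object LastReferenceTime | Format-Table -AutoSize

# ReferenceCount > 0 means a deployment still references the content;
# the remediation script above does not distinguish these, so review them here
$StillReferenced = @($Old | Where-Object { $_.ReferenceCount -gt 0 }).Count
# ContentSize assumed to be KB (client SDK); convert to MB for the summary line
$ReclaimMB = [math]::Round((($Old | Measure-Object ContentSize -Sum).Sum) / 1KB, 1)

"Cache location            : $($Cache.Location)"
"Configured cache size     : $($Cache.TotalSize) MB"
"Items older than $MinDays days : $($Old.Count) ($StillReferenced still referenced), ~$ReclaimMB MB reclaimable"
```

Run it under the same context as the CI (the ConfigMgr client must be installed) on a few representative machines before assigning the baseline.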


Bitlocker SSD Vulnerability



Hey all, this is a super short and easy blog post. Recently we saw some chatter online about a BitLocker SSD vulnerability. You can read about it here. Many environments will have concerns about how to identify these systems and how to report on this topic for management.  At my customer's site we leverage the compliance item created by my PFE @Brandon Linton. This compliance item is useful for inventorying BitLocker status and hard drive media type. You can read about the compliance item on his blog.

In my SQL query / SSRS report I'm reporting on more than just the BitLocker issue, but also a few other security features. I like to always be able to see what is encrypted vs. not, what is UEFI vs. BIOS, Secure Boot vs. not, etc.

SELECT DISTINCT
       VRS.NetBios_Name0 AS [System Name],
       VRS.AD_Site_Name0 AS [AD Site Name],
       CSD.Model00 AS [System Model],
       CASE OSD.Version00
            WHEN '6.1.7601'   THEN 'Windows 7'
            WHEN '10.0.10586' THEN '1511'
            WHEN '10.0.14393' THEN '1607'
            WHEN '10.0.15063' THEN '1703'
            WHEN '10.0.16299' THEN '1709'
            WHEN '10.0.17134' THEN '1803'
       END AS [Windows Version],
       CASE SMS_G_System_FIRMWARE.UEFI00
            WHEN '0' THEN 'Legacy'
            WHEN '1' THEN 'UEFI'
       END AS [UEFI Information],
       CASE SMS_G_System_FIRMWARE.SecureBoot00
            WHEN '0' THEN 'Off'
            WHEN '1' THEN 'Secure Boot'
       END AS [Secure Boot Status],
       CASE EV.ProtectionStatus00
            WHEN '0' THEN 'not encrypted'
            WHEN '1' THEN 'encrypted'
            WHEN '2' THEN 'Encrypted Requires Pin'
       END AS [Bitlocker Status],
       BLE.Bustype0 AS [Bus Type],
       BLE.disktype0 AS [Disk Type],
       BLE.EncryptionMethod0 AS [Encryption Method],
       CASE
            -- WHEN BLE.EncryptionMethod0 = 'None' THEN 'ENCRYPT NOW' -- did not use this b/c many systems not reported encryption method data back
            WHEN EV.ProtectionStatus00 = '0' THEN 'Encrypt Now'
            WHEN BLE.EncryptionMethod0 = 'Aes128' THEN 'Not Vulnerable'
            WHEN BLE.EncryptionMethod0 = 'Aes256Diffuser' THEN 'Not Vulnerable'
            WHEN BLE.EncryptionMethod0 IS NULL THEN 'Not Inventoried'
            WHEN BLE.EncryptionMethod0 = 'XtsAes128' THEN 'Not Vulnerable'
            WHEN BLE.disktype0 = 'SSD' AND BLE.EncryptionMethod0 = 'HardwareEncryption' THEN 'Vulnerable'
            ELSE 'Not Vulnerable' -- also catches HardwareEncryption where disktype0 is not 'SSD' (e.g. unknown media type)
       END AS [Vulnerable],
       CASE
            WHEN dg.VirtualizationBasedSecurityS0 = '0' THEN 'VBS Not Enabled'
            WHEN dg.VirtualizationBasedSecurityS0 = '1' THEN 'VBS is Enabled, but not running'
            WHEN dg.VirtualizationBasedSecurityS0 = '2' THEN 'VBS is enabled and running' -- cred guard running
       END AS [Credential Guard]
FROM   v_R_System_Valid AS VRS
       INNER JOIN Computer_System_DATA AS CSD ON CSD.MachineID = VRS.ResourceID
       INNER JOIN Firmware_DATA AS SMS_G_System_FIRMWARE ON SMS_G_System_FIRMWARE.MachineID = VRS.ResourceID
       INNER JOIN Operating_System_DATA AS OSD ON OSD.MachineID = VRS.ResourceID
       -- EV = the BitLocker volume inventory table providing ProtectionStatus00 and DriveLetter00;
       -- its name was not preserved in the post, so substitute your own table for the placeholder
       INNER JOIN <BitLocker_Volume_Inventory_DATA> AS EV ON EV.MachineID = VRS.ResourceID
       -- VCM is not referenced below; DISTINCT collapses the duplicate rows this join produces
       LEFT JOIN v_FullCollectionMembership_Valid AS VCM ON VRS.ResourceID = VCM.ResourceID
       LEFT JOIN V_GS_BitLockerExtended AS BLE ON BLE.ResourceID = VRS.ResourceID
       LEFT JOIN v_GS_DEVICE_GUARD AS DG ON DG.ResourceID = VRS.ResourceID
WHERE  EV.DriveLetter00 = 'C:'
       -- AND CSD.Model00 NOT IN ('VMware Virtual Platform', 'Virtual Machine', 'VMware7,1')
       AND EV.ProtectionStatus00 IS NOT NULL
       AND SMS_G_System_FIRMWARE.SecureBoot00 IS NOT NULL
       AND dg.VirtualizationBasedSecurityS0 IS NOT NULL
       --AND BLE.disktype0 = 'SSD'
       --AND EV.ProtectionStatus00 = '0' -- not encrypted
       --AND EV.ProtectionStatus00 = '1' -- encrypted

Example of Query Results:


Example of Reporting: Bitlocker SSD Vulnerability


I believe there is a CU that is coming out to remediate a few things. So this may be obsolete soon.
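To spot-check a single machine against the same rules the [Vulnerable] column applies to inventory data, here is an added example that is not part of the post or of the referenced compliance item. It assumes the BitLocker and Storage modules are available, that Get-PhysicalDisk's MediaType stands in for BLE.disktype0, and that the physical disk's DeviceId matches the partition's DiskNumber.

```powershell
# Added example: classify the local OS volume the way the report's [Vulnerable] column does.
# Run elevated; requires the BitLocker and Storage modules (Windows 8/Server 2012 and later).
Import-Module BitLocker, Storage -ErrorAction Stop

function Get-BitLockerSsdExposure {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Map the volume to its physical disk to read the media type (SSD / HDD / Unspecified).
    # Assumption: PhysicalDisk.DeviceId equals the partition's DiskNumber on this machine.
    $diskNumber = (Get-Partition -DriveLetter $MountPoint.TrimEnd(':')).DiskNumber
    $media      = (Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$diskNumber" }).MediaType
    $method     = [string]$vol.EncryptionMethod   # e.g. Aes128, XtsAes256, HardwareEncryption, None

    # Same precedence as the CASE expression in the query: unprotected volumes first,
    # then drive-managed (hardware) encryption on an SSD, everything else not vulnerable.
    $verdict = if ($vol.ProtectionStatus -eq 'Off') { 'Encrypt Now' }
               elseif ($method -eq 'HardwareEncryption' -and "$media" -eq 'SSD') { 'Vulnerable' }
               else { 'Not Vulnerable' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus
        EncryptionMethod = $method
        MediaType        = [string]$media
        Vulnerable       = $verdict
    }
}

Get-BitLockerSsdExposure
```

A machine that the report marks 'Not Inventoried' (EncryptionMethod NULL) can be checked this way before deciding whether it needs the software-encryption policy applied.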
