Quick and Dirty SCCM Application Deployment Reporting

, , ,

For this blog, I’m going to go over a very basic script I wrote to quickly get application deployment statuses without having to use the Configuration Manager GUI console. I find the Reporting\Deployments tab very slow to respond, and you still have to dig into each individual app if you want details.  What this function does is allow you to specify what you think is the name of the application and it will find anything like it, allow you to select the one you want, and then it will run a deployment summarization and output the results.

Examples: 

In this example, “Tanium Client” is the actual name of a software package, so it doesn’t need to pop up a prompt asking us which one we actually wanted.

 

In the above two images, I didn’t remember the full name of my Tripwire deployments, so I just typed “Tripwire” and let it look for it for me.
The Code: 
This is a fairly simple piece of code, but I wrote it to run quickly.  It first checks to see if the name you gave it when running already matches a software package. If not, it runs a WMI query (much faster than using Get-CMApplication with a where-object piped on) to look for anything like what you entered. It puts all results into an array which then selects the LocalizedDisplayName and filters out duplicates. Those unique values are then handed over to Out-GridView, which thanks to the -passthru flag assigns the selected result to our original $SoftwareName variable.  You’ll also see that I have to specify that I want the “.localizeddisplayname” NoteProperty. If you don’t do this, you’ll see the selected software name as “@LocalizedDisplayName={‘Whatever your name was’}”
After that selection process, everything proceeds as normal. It gets the CMDeployment object for that application and runs the Invoke-CMDeploymentSummarization cmdlet which refreshes the deployment status, gets you current numbers, etc.  After that, I have it get the deployment again and select what I found to be the relevant values for a list formatted report.  Because SummarizationTime is done in UTC, I have it convert to client local time for ease of reporting, and I also go ahead and do a quick math expression for the percent success, which is done with the Round function so we don’t get a dozen decimal places of needless precision.   The Query Time value was mostly tacked on at the end so the people I was getting this information for could see that the data was current.
Hopefully this is useful for someone out there. Thanks for reading!

Remediate unquoted service path vulnerability via compliance item.

, , , , , ,


I have now been to three different environments that have this vulnerability. In all three environments this was one of the top offenders per total count of vulnerability. This not something that is necessary a problem that will cause outages if not patched, but potential for malicious programs to run.There are already published posts with great explanation of the vulnerability from CommonExploits, and Tennable. The scope of this blog post will be how to identify the vulnerability, how to manually remediate it, and how to auto-remediate it via the compliance item.

 

To identify vulnerabilities locally on your system: 
Launch Elevated powershell > type the comand below

 

cmd /c  ‘wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:windows\” |findstr /i /v “””‘

Below we see that we do have 1 item that is vulnerable. 



This is what the ACAS Scans are finding however it does not tell you where to correct this within the registry. To remediate this we will have to locate the object within the registry and add quotes to the path. I  believe there is a way to configure reporting to be more verbose to include the registry location but I am unfamiliar with the ACAS tool. 

ACAS SCAN BEFORE IT IS FIXED

 

Manual Fix
          Launch Regedit.exe as Admin
          Navigate to HKLMSystemCurrentControlSetServices
          Search by Edit > Find > and enter the vulnerability. For our example we will search “AERTSr64”
          Select the string for our vulnerability
          Add quotes around the value

 

ACAS SCAN AFTER IT IS FIXED

NOTE: there is no screenshot for finding this on ACAS scans as it is remediated
 

Automated Fix via Compliance Item

We will create a compliance Item to discovery systems with the vulnerability and then remediate it. 

Discovery Script 

 

$value = cmd /c  ‘wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:windows\” |findstr /i /v “””‘
if ($value -like “* *”)

 

   {

 

   1

 

   }

 

   else

 

   {

 

   0

   }

 

Remediation Script 

Option Explicit
Const HKLM = &H80000002
Dim objWMIService
Dim colServices, objService
Dim strComputer
dim quote: quote=chr(34)
Dim strPathName
Dim strCommand,strArgs,message
Dim bBatch: bBatch = False
dim wshShell:Set wshShell = WScript.CreateObject(“WScript.Shell”)
Dim i, iCount, objReg
Dim bDebug:bDebug = False
‘If not CScript, re-run with cscript…
If (Not IsCScript()) Then
                For i  = WScript.Arguments.Count -1 to  0 Step -1
                                strArgs = WScript.Arguments(i) & Space(1) &  strArgs
                Next
                WshShell.Run “CScript.exe ” & quote & WScript.ScriptFullName & quote & space(1) & strArgs, 1, true
    WScript.Quit                  ‘…and stop running as WScript
End If
If WScript.Arguments.Count = 1 Then
                bBatch = True
                strComputer = WScript.Arguments(0)
Else
                strComputer = wshShell.ExpandEnvironmentStrings(“%COMPUTERNAME%”)
End If
If strComputer = “” Then WScript.Quit
strComputer = UCase(strComputer)
WMICX()
Main()
If Not bDebug Then
                WScript.Echo iCount & ” Unquoted Service Path(s) were fixed on ” & strComputer
End If
”””””’ Functions and Subs ”””””””””
Sub WMICX()
                ‘WMI connection
                On Error Resume Next
                Set objWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}!\” & strComputer& “rootcimv2”)
                If Err.Number <> 0 Then
                                message = “Error reaching or connecting to ” & strComputer
                                If not bBatch Then
                                                MsgBox message, vbcritical + vbinformation,”Failure”
                                Else
                                                WScript.Echo message
                                End If
                                WScript.Quit(100)
                End If
                On Error GoTo 0
End Sub
Sub  Main()
                On Error Resume Next
                Set objReg = GetObject(“winmgmts:\” & strComputer & “rootdefault:StdRegProv”)
                Set colServices = objWMIService.ExecQuery (“SELECT pathname,displayname FROM Win32_Service”)
                iCount = 0
                For Each objService in colServices
                                strCommand = “”
                                strArgs = “”
                                strPathName = objService.PathName
                                ‘Parse the Pathname, which is the command
                                ‘This is a little complicated.
                                Dim iLastSlash, iProgEnd
                                ‘find the last character
                                iLastSlash = InStrRev(strPathName,””)
                                ‘look for a space beginning at last , put location in iProgEnd
                                iProgEnd = InStr(iLastSlash,strPathName,Space(1))
                              
                                ‘iProgEnd will be zero if no arguments
                                If iProgEnd > 1 Then
                                                strArgs= trim(Mid(strPathName,iProgEnd))
                                Else
                                                strCommand = strPathName
                                End        If
                              
                                If Left(strPathName,1) <> quote And InStr(strCommand,Space(1)) Then
                                                wscript.echo “Found ” & objService.DisplayName & ” Service with command line:” & _
                                                               VbCrLf & vbtab & objService.PathName
                                                FixService objService.Name, strCommand, strArgs
                                End If
                Next
End Sub
Sub FixService (strSvsName, strCommand,strArgs)
                If bDebug Then Exit Sub
                ‘add a space only if there are arguments
                If Len(strArgs) > 0 Then strArgs = strArgs & Space(1) & strArgs
                Dim strValue
                Dim strRegPath,strImagePath
                strRegPath= “SYSTEMCurrentControlSetServices”& strSvsName
                strImagePath = quote  & strCommand & quote & strArgs
                WScript.Echo “Setting Command line to ” & strImagePath
                objReg.SetExpandedStringValue HKLM,strRegPath,”ImagePath”,strImagePath
                iCount = iCount +1
End Sub
Function IsCScript()
    If (InStr(UCase(WScript.FullName), “CSCRIPT”) <> 0) Then
        IsCScript = True
    Else
        IsCScript = False
    End If

End Function

 
  
At this point go ahead and deploy the configuration item you have just created. I would recommend only performing this against workstations but only after serious testing. 

Unfortunately I forgot to take a screenshot when I fist deployed this compliance item, but I do have one after half the systems checked for policy.

 After systems get policy we are now looking at a very high remediation percentage.

NOTE: this will run on its own automatically but you can individually set this to run. This will be by launching the configmr client > Configurations Tab > Select the compliance item > Evaluate
This is what a successful report looks like for the configuration item.

The compliance item can be downloaded on Technet here.

I would like to thank Khalid Al Alul, and Ricky Richard for their time in working on this configuration item.