Blog Posts by Timokirch


KACE SMA (K1000) | Spectre & Meltdown Analysis

01/09/2018 update: added a report and another CIR.
01/12/2018 update: added a screenshot of my device after installing the MS patches;
                   updated the script to the current script version of today (1.0.4) > Download
                   Script changelog from Microsoft:
                     - Added message directing users to explanation of output
                     - Addressed feedback regarding multiple CPUs when setting $cpu


For an official statement from Quest please visit: https://support.quest.com/kb/237193

Hi all, 

here is a quick blog on how to check for the hardware vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, better known as Spectre and Meltdown.
I am using the Microsoft security guidance ADV180002 script as the base, with KACE modifications.

The outcome of this blog is that you can easily see, filter, report on and label all your Windows clients higher than Windows 7 SP1 or Server 2012 R2 which are vulnerable to or secured against Spectre and/or Meltdown. To achieve this we first need a script.

The script looks like this and can be downloaded here
If you need assistance to import it to your KACE SMA (K1000) please feel free to contact me. 
cpu01.png

The script creates the log file "C:\Windows\Logs\KACE_CPU_Check.log" and rewrites it every time it runs.

To be able to search, label and report on this data we need a Custom Inventory Rule (CIR).
Here is a screenshot; the export can be downloaded here.
cpu02.png
ShellCommandTextReturn(cmd /c type ""C:\Windows\Logs\KACE_CPU_Check.log"")

After that you should be able to filter everything the way you are used to.
Enabled protections appear in the output as "true"; the report below treats any "false" in the output as vulnerable.

Example for filtering for vulnerable devices:
cpu03.png
If you go to the details you will see that this device is vulnerable to both.
cpu04.png


Now you want to check with one click which devices are vulnerable and are compatible to receive the patches through Patching. To do that we first need another custom inventory rule which checks whether the compatibility registry key is present (the QualityCompat key that antivirus vendors set to signal compatibility with the January 2018 Windows updates). You can download the ready-to-use package here.

RegistryValueReturn(HKEY_LOCAL_MACHINE64\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, cadca5fe-87d3-4b96-b7fb-a231484277cc, REG_DWORD) 

The next step is to import the report, which can be downloaded here.


SELECT mc.NAME AS Device,
       mc.LAST_INVENTORY AS Inventory,
       mc.OS_NAME AS Operating_System,
       mc.USER_FULLNAME AS Username,
       mc.BIOS_MANUFACTURER AS 'Bios Manufacturer',
       mc.BIOS_VERSION AS 'BIOS Version'
FROM (MACHINE mc
INNER JOIN MACHINE_CUSTOM_INVENTORY mci1 ON (mc.ID = mci1.ID))
INNER JOIN MACHINE_CUSTOM_INVENTORY mci ON (mc.ID = mci.ID)
WHERE mci.STR_FIELD_VALUE LIKE '%false%' AND mci.SOFTWARE_ID = (SELECT sw.ID FROM SOFTWARE sw WHERE (sw.DISPLAY_NAME = 'Inventory: Spectre & Meltdown Analysis'))
AND mci1.SOFTWARE_ID = (SELECT sw1.ID FROM SOFTWARE sw1 WHERE (sw1.DISPLAY_NAME = 'Inventory: Spectre & Meltdown QualityCompat'))


You can modify, add or delete anything within the scripts, custom inventories or SQL reports.
If you rename your custom inventory rules, change the names in the SQL query too.

The report should look like this:


A little update after the installation of the Microsoft patch for my system (KB4056890):



Cheers Timo


KACE SMA - Adding Clients to AD Groups

Hi All,

this is a little add-on to my previous post: KACE SDA - Adding Clients to AD Groups during deployment
This blog will focus on the ongoing management of AD security groups.

First I have to say the main script is written by the OneScript Team.

The idea here is to use KACE SMA to run a scheduled or ad-hoc script which assigns devices to specific AD security group(s).
First we create an online KScript like this:
sma_aag_001.png

After that we have to declare on which device(s) it should be deployed. Here you can choose to leave it empty, use a specific smart label, or whatever you need.
After that you have to add the credentials of a user who has the right to add the targeted devices to the targeted AD security groups.
Pro tip: only use a Domain Administrator if you are in a lab :) In production, use a dedicated account that has been delegated just the right to modify the membership of the target groups.
sma_aag_002.png

We don't need a notification, and the schedule is up to you. Maybe you want to run it every Monday to be sure that every device is in the correct group(s).
You must check "Allow run without a logged-in user".
sma_aag_003.png

And now the final step: Upload the VBS as dependency and configure a task (or multiple).
sma_aag_004.png

Of course you can do here whatever you want. Feel free to check registry keys or whatever you like before adding a computer to an AD security group.
You can add all security group names separated by a space as an argument, so you are able to create different sets of AD groups to join in one task.

You can download the script together with my AutoIt wrapper for KACE SDA: Here

Please note that this is a self-made script without vendor support.

Kind Regards
Timo

KACE SDA - Adding Clients to AD Groups during deployment

Hi All, 

you are right here if you are looking for a solution to add your Windows clients to AD groups during the initial deployment.

First I have to say the main script is written by the OneScript Team.
I only added a short AutoIt wrapper to start this tool as a user which has the rights in AD to add the actual client to the selected security group(s).

Why did I use an AutoIt wrapper? Because this way the username and password are not stored as plaintext in the task.xml during the post-installation task sequence. Bear in mind that compiling only keeps the credentials out of the task XML; the executable itself still carries them, so restrict access to the uploaded package and give the account only the delegated right to modify those groups' membership.

And that's the whole magic:
sda_aag_001.png
You only have to edit the script in the red marked square to your environment's credentials. Then compile it via AutoIt SciTE and you will get an executable.

After that you have to zip the VBS (AddGroup.vbs) and the executable into a normal compressed .zip file without a password.
Upload it afterwards to your SDA post-install tasks:
sda_aag_002.png

Now you are done. You can add all security group names separated by a space as an argument to the executable, so you are able to create different sets of AD groups to join in one task.

If you have any problems or questions, reach out to me in the comments or contact me by mail (address included in the AutoIt script).

You can download my AutoIt script together with the AddGroup.vbs from the OneScript Team: Here

Please note that this is a self-made script without vendor support.

Kind Regards
Timo


KACE SMA - automation of UserArchiv

Hi Guys, 

just want to share a simple add-on for our newest KACE SMA release 7.2 from last week. One of the new features is User Archival. Wouldn't it be nice to have this automated? I imagine that if you disable an account in your directory service, the same account in KACE should be archived. And here is how it works:

First of all: this works only with users imported from Windows Active Directory.

Step 1 - Preparing the user table
First we have to add a custom field to the SMA user table. To do that, open any user and click on "Customize Additional Fields".
ua_001.png

Rename an existing custom field or add a new one. I renamed mine to UserAccountControl.
ua_002.png

Step 2 - Getting the data into KACE
Now we have to edit our user import to get the information whether we can archive a user or not. This is decided by the attribute "userAccountControl".
These values are necessary to know:
  • 512 - Enabled
  • 514 - Disabled
  • 66048 - Enabled, password never expires
  • 66050 - Disabled, password never expires
"Disabled" is the ACCOUNTDISABLE flag (value 2) added to the account's other flags, which is why each disabled value is the matching enabled value plus 2.

Expand the imported attributes as shown below:
ua_003.png

After you (or the system) have run the user import again, you will see the userAccountControl values added to the users.
ua_004.png

Step 3 - Create a ticket rule
This is the last step to get the automatic user archival feature running.
Create a new ticket rule directly with SQL and call it "automated user archival" (or something similar). Choose a priority that fits your environment. I would recommend letting this rule run at least once a day (a few minutes after your last user import).

Select SQL Statement:
SELECT 'USER_ACHIVAL' as REASON;

Then select only the checkbox for "Run update query".
Update SQL:
UPDATE USER AS USR1, (SELECT uID.ID FROM USER uID WHERE uID.USER_NAME = 'admin') AS USR2, (SELECT uID2.ID
FROM (USER_FIELD_VALUE USER_FIELD_VALUE
      INNER JOIN USER uID2 ON (USER_FIELD_VALUE.USER_ID = uID2.ID))
     INNER JOIN USER_FIELD_DEFINITION USER_FIELD_DEFINITION
        ON (USER_FIELD_VALUE.FIELD_ID = USER_FIELD_DEFINITION.ID)
WHERE (   USER_FIELD_VALUE.FIELD_VALUE = '514'
       OR USER_FIELD_VALUE.FIELD_VALUE = '66050')) AS USR3
SET USR1.MODIFIED = now(), USR1.IS_ARCHIVED = '1', USR1.ARCHIVED_DATE = now(), USR1.ARCHIVED_BY = USR2.ID
WHERE USR1.ID = USR3.ID AND USR1.IS_ARCHIVED = '0';

Please note that you can change the username 'admin' in the first line to the user that should be recorded as the one who archived these users.
That's it! You now have an automated user archival based on the AD account status. Enjoy :)
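The update query above archives only users whose field value is exactly 514 or 66050. Since "disabled" is a single bit in userAccountControl, a disabled account that carries any additional flag (for example PASSWD_NOTREQD) has a different value and is skipped. The following is an added example, not part of the original post or of KACE, that decodes the flag bits and lists which users of a constructed sample the exact-value match would miss.

```python
from typing import Dict, List

# Well-known userAccountControl flag bits (subset, from Microsoft's docs).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# The exact strings the post's update query compares FIELD_VALUE against.
POST_DISABLED_VALUES = {"514", "66050"}

def decode_uac(value: int) -> List[str]:
    """Names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def is_disabled(value: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever else is set."""
    return bool(value & ACCOUNTDISABLE)

def users_missed_by_exact_match(field_values: Dict[str, str]) -> List[str]:
    """Users the bit test reports as disabled but the exact-value match in
    the ticket rule would leave un-archived. field_values maps USER_NAME ->
    FIELD_VALUE as stored in the custom field from Step 1."""
    return sorted(user for user, raw in field_values.items()
                  if is_disabled(int(raw)) and raw not in POST_DISABLED_VALUES)

# Constructed sample of what the custom field may hold after the import.
SAMPLE_FIELD_VALUES = {
    "alice": "512",    # enabled
    "bob": "514",      # disabled
    "carol": "66050",  # disabled, password never expires
    "dave": "546",     # disabled + PASSWD_NOTREQD: not 514, so missed
    "erin": "66082",   # disabled + PASSWD_NOTREQD + never expires: missed
}

if __name__ == "__main__":
    for user, raw in SAMPLE_FIELD_VALUES.items():
        state = "DISABLED" if is_disabled(int(raw)) else "enabled"
        print(f"{user:6} {raw:>6} {state:8} {decode_uac(int(raw))}")
    print("Missed by the exact-value rule:",
          users_missed_by_exact_match(SAMPLE_FIELD_VALUES))
```

The same bit test can replace the two equality checks in the rule's update SQL as `CAST(USER_FIELD_VALUE.FIELD_VALUE AS UNSIGNED) & 2 = 2` (MySQL syntax, which the SMA database uses).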

Regards
Timo

KACE SMA - Windows 10 End of Life Report

Changelog:
10/18/2017:
  • Modified the query to have two EOL sections:
    • Calculated EOL date based on the MS 18-month support policy in the Semi-Annual Channel.
    • Fixed MS EOL date
  • Added Windows 10 1709 to the query.

Note: This query will not work for the Long-Term Servicing Channel, where support lasts 10 years.

Hi Guys, 

ever wanted to quickly get an overview of which managed Windows 10 devices are still supported?
Note: this is not of interest for companies running the LTSB version of Windows 10!
Based on that article I wrote an easy-to-extend report for you: Windows 10 lifecycle
If you need to know the current build numbers, have a look here: Windows 10 Builds

The query finds all machines in the inventory of the current org whose operating system name starts with "Microsoft Windows 10".
It then uses the build number to calculate different things, like a readable OS version everybody knows (1511, 1607 or 1703, for example).
It also checks whether we gave the build number an EOL date. If not, the query uses the Microsoft default of 18 months (starting with the release date) for a Windows 10 build.
Note: Currently Microsoft has not set Windows 10 1511 to EOL, but it has exceeded the 18-month period. So we will see a date stamp in the EOL_DATE field, but the query will not calculate the days over EOL.

Here is the query:

SELECT MACHINE.NAME,
       MACHINE.OS_NAME,
       MACHINE.OS_BUILD,
       CASE MACHINE.OS_BUILD
          WHEN '10240' THEN '1507 (RTM)'
          WHEN '10586' THEN '1511'
          WHEN '14393' THEN '1607'
          WHEN '15063' THEN '1703'
          WHEN '16299' THEN '1709'
          ELSE 'Unknown OS Build'
       END
          AS OS_VERSION,
      CASE MACHINE.OS_BUILD 
          WHEN '10240' THEN Date_Add(Date('2015-07-29'),INTERVAL 18 MONTH)
          WHEN '10586' THEN Date_Add(Date('2015-11-10'),INTERVAL 18 MONTH)
          WHEN '14393' THEN Date_Add(Date('2016-08-02'),INTERVAL 18 MONTH)
          WHEN '15063' THEN Date_Add(Date('2017-04-05'),INTERVAL 18 MONTH)
          WHEN '16299' THEN Date_Add(Date('2017-10-17'),INTERVAL 18 MONTH)
          ELSE 'NO EOL DATE' 
      END 
          AS CALCULATED_EOL_DATE,
      CASE MACHINE.OS_BUILD 
          WHEN '10240' THEN Date('2017-05-09')
          WHEN '10586' THEN Date('2017-10-10')
          WHEN '14393' THEN 'Tentatively March 2018'
          WHEN '15063' THEN 'Tentatively September 2018'
          WHEN '16299' THEN 'Tentatively March 2019'
          ELSE 'NO MS EOL DATE' 
      END 
          AS MS_EOL_DATE,
      CASE MACHINE.OS_BUILD
          WHEN '10240' THEN DATEDIFF(DATE('2017-05-09'), NOW())
          WHEN '10586' THEN DATEDIFF(DATE('2017-10-10'), NOW())
          ELSE 'NO FIX EOL DATE'
       END
          AS DAYS_OVER_EOL
  FROM MACHINE MACHINE
 WHERE MACHINE.OS_NAME LIKE 'Microsoft Windows 10%'
 ORDER BY MACHINE.OS_BUILD DESC

You can copy it to a custom report in SMA:
win10eol1.jpg
And you will get this beautiful report:
win10eol2.jpg