Disable SMBv1 in your environments with Configuration Manager Compliance Settings

With all the current “hype” around ransomware, Cameron Cox posted an elegant way of disabling SMBv1.

As mentioned in previous articles, compliance settings in SCCM are very powerful tools and can be a better way to enforce settings than GPOs (PowerShell DSC is very nice too).

Here is the article:

https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/22/disable-smbv1-in-your-environments-with-configuration-manager-compliance-settings/

 

SCCM Task sequence stuck/blocked in installing … My real solution

 

1 – With SCCM Client Center: in the “Agent Settings” tab, “Install/Repair” section, select “delete root\ccm”.

This will delete the namespace in WMI.


2 – On the same tab, repair the SCCM agent (it can take a while). Check c:\Windows\ccmsetup\Logs\ccmsetup.log for status.


3 – The repair might reset the cache size to its default value (5120 Mb). Go to the Cache option, set the cache size back to the appropriate value, and save.


 

Create an SCCM collection based on computers that ran a program during the last X days for automatic cleanup (ex: Java)

I wanted to do an automatic cleanup of all unused Java to reduce maintenance and unnecessary vulnerabilities on the desktop environment.

I needed to be able to oversee who has Java (packaged version or manually downloaded from the internet) and who has Java but is not using it. On top of that I would either clean or force upgrade to the latest secure version.

I created 3 software metering rules to cover the .exe files that were mentioned by the dev team to be launched on any Java app.

java.exe
javaw.exe
jp2launcher.exe

I then produced 2 collections:

Java Project – All Computers that ran Java last 190days

A collection that would include computers where at least one of them has been launched (i.e. has Software Metering Data)

Query membership:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_SYSTEM
inner join SMS_MonthlyUsageSummary on SMS_R_SYSTEM.ResourceID = SMS_MonthlyUsageSummary.ResourceID
inner join SMS_MeteredFiles on SMS_MonthlyUsageSummary.FileID = SMS_MeteredFiles.MeteredFileID
where DateDiff(day, SMS_MonthlyUsageSummary.LastUsage, GetDate()) < 190
  and (SMS_MeteredFiles.RuleID = 106 or SMS_MeteredFiles.RuleID = 107 or SMS_MeteredFiles.RuleID = 125)

SMS_MeteredFiles.RuleID is the internal Software Metering rule ID

Java Project – All Computers that did not run Java last 190 Days

A collection that would include computers where java.exe is present but excluding those where at least one of the .exe files has been launched (i.e. the exe is present but has no Software Metering Data)

Query membership:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_SoftwareFile.FileName = "Java.exe"

Exclude membership: Java Project – All Computers that ran Java last 190days

I could then start rolling my Java cleaner on the unused installations, and force update of the others.
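
The two collections above, built with the ConfigurationManager PowerShell cmdlets (an added example, not part of the original post). It looks up the metering rule IDs by file name instead of hard-coding them; the limiting collection, the rule names and the daily refresh schedule are assumptions, and the collection names use a plain hyphen.

```powershell
# Added example. Assumes a ConfigurationManager PowerShell session on the site drive.
$days     = 190
$exeNames = 'java.exe', 'javaw.exe', 'jp2launcher.exe'
$limitTo  = 'All Desktop and Server Clients'   # assumption: use your own limiting collection
$ranName  = 'Java Project - All Computers that ran Java last 190days'
$idleName = 'Java Project - All Computers that did not run Java last 190 Days'

# Resolve the internal RuleID of each metering rule by file name.
$rules   = Get-CMSoftwareMeteringRule | Where-Object { $exeNames -contains $_.FileName }
$missing = $exeNames | Where-Object { $rules.FileName -notcontains $_ }
if ($missing) { throw "No software metering rule for: $($missing -join ', ')" }
$ruleFilter = ($rules | ForEach-Object { "SMS_MeteredFiles.RuleID = $($_.RuleID)" }) -join ' OR '

$select = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
          'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client'

# Computers with metering data for any of the three executables in the window.
$ranQuery = (@"
$select from SMS_R_SYSTEM
inner join SMS_MonthlyUsageSummary on SMS_R_SYSTEM.ResourceID = SMS_MonthlyUsageSummary.ResourceID
inner join SMS_MeteredFiles on SMS_MonthlyUsageSummary.FileID = SMS_MeteredFiles.MeteredFileID
where DateDiff(day, SMS_MonthlyUsageSummary.LastUsage, GetDate()) < $days and ($ruleFilter)
"@) -replace '\s+', ' '

# Computers where software inventory reports java.exe on disk.
$idleQuery = (@"
$select from SMS_R_System
inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_SoftwareFile.FileName = "Java.exe"
"@) -replace '\s+', ' '

$daily = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1

# Create each collection once; membership rules are only added to a new collection.
function New-JavaCollection($Name, $RuleName, $Query) {
    if (Get-CMDeviceCollection -Name $Name) { return $false }
    New-CMDeviceCollection -Name $Name -LimitingCollectionName $limitTo `
        -RefreshType Periodic -RefreshSchedule $daily | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name `
        -RuleName $RuleName -QueryExpression $Query
    return $true
}

New-JavaCollection $ranName 'Ran Java in window' $ranQuery | Out-Null
if (New-JavaCollection $idleName 'java.exe present' $idleQuery) {
    # The exclude rule is what turns "java.exe present" into "present but unused".
    Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $idleName -ExcludeCollectionName $ranName
}
```

Before pointing an uninstall at the second collection, check that its members actually report software metering, since a client with no metering data at all also lands there.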

More interesting notes:

http://blogs.technet.com/b/neilp/archive/2012/11/27/software-metering-deep-dive-and-automation-part-1-use-it-or-lose-it-the-basics.aspx

Software Metering Deep Dive and Automation Part 2: Use It Or Lose It – The Collections