SCCM Configmgr CI to check server role or feature installed

In this blog post, we will see how to use compliance item in configuration manager to check specific server role or feature installed on server or not .This request has come up to due to the fact that ,one of the engineer has enabled desktop experience feature on some of the servers which leads to install/enable flash player components in C:\windows\System32\Macromed\Flash folder. Qualys is is a provider of cloud security, compliance services which scan your network, servers, desktops or web apps for security vulnerabilities ,more at https://www.qualys.com/

If you install desktop experience feature on server, it will try to install adobe flash components and create some files/folders in macromed

Folder structure:

Adobe flash in control panel:

So ,Qualys scan based on the .dll file that are available on the server. If the version of .dll that is present on the server do not match with latest version of the product ,server will be flagged as vulnerable.

During last couple of weeks ,it has come to my notice that ,some of the servers being detected as vulnerable for flash player but when i look into the server ,there is no flash related applications installed on the server (by looking at programs and features ).

If there are no applications installed, there is no way for SCCM to detect the flash player components are installed and you cannot try to patch/update flash either using manual method /patching/software distribution.

So there is need to identify how many servers are installed with desktop experience feature and remove this component if not needed.

Using configmgr, we can use compliance item by passing simple script that will check for the desktop experience roles ,if installed output False as Non-compliant and if not installed, output as COMPLIANT.

All you need is script to check for desktop experience feature ,if you are looking for other roles and features, feel free to modify it your needs.

If you are looking for other roles and features, open the powershell cmd ,import servermanager module and run the following powershell cmd to list the windows roles/features on the server

Get-WindowsFeature

Above listed are installed server roles and features .If you are looking for specific name ,pick it from the Name column to check for the installed status.

In this blog post, am not going with remediation script .what it means is ,if the specific role/feature that you are looking is found ,run the remediation script like remove the role from the server to fix it.

How to create configuration item/compliance baseline ?

Follow my blog post to create Configuration item  http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but just replace the discovery script with below powershell script (no remediation script is needed)

Import-module servermanager
$DE=(Get-WindowsFeature -name desktop-experience).Installed
If ($DE -ne "Installed")
{
write-output "True"
}
else
{
write-output "False"
}

Compliance Rule:

Create Configuration baseline ,deploy to collection that you are interested to find the desktop experience feature installed or not.

Hope it helps!