    How to use Configmgr Baseline to check server role or feature installed

By Eswar Koneti, August 22, 11:11 pm, 4 min read, CM2012

    Problem:

If you use Qualys, Nessus or another tool to detect vulnerabilities on Windows machines, this post might be helpful to you.

Recently our security team reported that a lot of servers were vulnerable because of Adobe Flash Player, claiming that these servers were running an old version of Flash Player.

When I looked at one of the servers, I could not find Adobe Flash Player installed. If no application is installed, there is no way for SCCM to detect that the Flash Player components are running an old version (we do third-party patching as well), and you cannot patch or update Flash either, whether manually, through patching or through software distribution.

So I asked the security team for more information about the detection criteria they use to flag the Flash Player vulnerabilities.

They came back with the detection rule: the file flash.ocx in C:\windows\System32\Macromed\Flash has an old file version.


So I looked at C:\windows\System32\Macromed\Flash and tried to delete the files, because no Flash Player was installed (verified from Programs and Features). I could not delete the files directly from the folder to bring the server in line with the Qualys results.

What I also found was a Flash Player applet in Control Panel, which seemed odd to me.

I tried downloading the latest Adobe Flash version and installing it, but the installation did not go through (the installer says Server 2012 R2 does not need Flash Player).

Nothing had worked up to this point, so I dug deeper to find out what created this folder structure and the Control Panel applet. After some time I found that it comes from the Desktop Experience feature, which was installed with the OS build image.

So I removed the Desktop Experience feature manually from Roles and Features and rebooted the server (a reboot is mandatory for this feature removal).

After the feature was removed, the Flash Player applet and the files in the Flash folder disappeared.

Now, how do I find the list of servers that have the Desktop Experience feature installed, and how do I remove it through automation?

    Solution:

I use an SCCM compliance baseline to identify the servers that have the Desktop Experience feature installed. If the feature is installed, you can remove it as part of a remediation script, or get the list of servers and then create a batch file to remove the feature and reboot during the maintenance window.

In Configmgr, we create a configuration item with a simple script that checks for the Desktop Experience feature: if the feature is installed, the result is Non-Compliant (the server is vulnerable); if it is not installed, the result is Compliant (the server is not vulnerable).

All you need is a script that checks for the Desktop Experience feature; if you are looking for other roles and features, modify it as needed.

To find other roles and features, open a PowerShell prompt, import the ServerManager module and run the following command to list the Windows roles and features on the server:

    Get-WindowsFeature

The list shows the installed server roles and features. If you are looking for a specific one, pick its value from the Name column to check its install status.

In this blog post I am not covering a remediation script. A remediation script is what runs when the role or feature you are looking for is found, for example removing the feature from the server to fix it.

How to create a configuration item/compliance baseline?

Follow my blog post on creating a configuration item, http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but replace the discovery script with the PowerShell script below (no remediation script is needed):

Import-Module ServerManager
# .Installed is a boolean ($true/$false), so it is tested directly rather than compared with a string
$DE = (Get-WindowsFeature -Name Desktop-Experience).Installed
If (-not $DE)
{
    # feature absent: the server is compliant
    Write-Output "True"
}
else
{
    # feature present: the server is non-compliant (vulnerable)
    Write-Output "False"
}
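If you want one configuration item to cover several features at once, here is an added example of a discovery script (my own illustration, not the script from the post above). It takes a list of feature names from the Name column of Get-WindowsFeature, writes a line of evidence (which features were found and the flash.ocx file version the scanner looks at) to a log file so you can cross-check against the Qualys report, and writes only "True" or "False" to standard output for the compliance rule. The feature list and the log path are assumptions for this example.

```powershell
# Added example, not the post's own script: discovery script for a configuration
# item that checks a list of feature names instead of only Desktop-Experience.
Import-Module ServerManager

# Features that should not be present on the servers in the collection (assumed list).
$UnwantedFeatures = @('Desktop-Experience')

# Path the vulnerability scanner inspects (from the post); recorded as evidence only.
$FlashOcx = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'
$LogFile  = Join-Path $env:windir 'Temp\FeatureCompliance.log'   # assumed log location

# Collect the names of any unwanted features that are actually installed.
$Installed = @(
    foreach ($Name in $UnwantedFeatures) {
        $Feature = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Feature -and $Feature.Installed) { $Feature.Name }
    }
)

# Record the flash.ocx file version so the result can be compared with the scanner report.
$FlashVersion = 'absent'
if (Test-Path -Path $FlashOcx) {
    $FlashVersion = (Get-Item -Path $FlashOcx).VersionInfo.FileVersion
}
"{0} installed=[{1}] flash.ocx={2}" -f (Get-Date -Format s), ($Installed -join ','), $FlashVersion |
    Out-File -FilePath $LogFile -Append

# The only line written to standard output is the value the compliance rule evaluates:
# "True" when none of the listed features is installed, "False" otherwise.
if ($Installed.Count -eq 0) {
    Write-Output 'True'
} else {
    Write-Output 'False'
}
```

Keep everything except the final True/False off standard output (the log file is used for that here); the compliance rule compares the whole script output with the expected string, so a stray line makes every server report Non-Compliant.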

Compliance Rule: the rule compares the script output with the string "True". A server that returns "True" (feature not installed) is Compliant and one that returns "False" is Non-Compliant.

Create a configuration baseline and deploy it to the collection in which you want to find out whether the Desktop Experience feature is installed.

This only discovers the list of servers with the feature installed. Once you have the list of non-compliant servers, create a collection and a simple package with the following command line, and deploy it to that collection.

When the package runs on the server it does not reboot the server immediately; the removal completes with the scheduled reboot during the maintenance window, which happens anyway.

Powershell.exe -ExecutionPolicy Bypass -Command "Remove-WindowsFeature -Name Desktop-Experience"
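If you prefer the package to leave a record of what it did and to tell ConfigMgr that a restart is pending, here is an added example of a removal script to run instead of the one-line command above (my own illustration, not from the post). It skips servers where the feature is already gone, removes the feature without the -Restart switch so the server keeps running until its maintenance window, logs the result, and returns exit code 3010, which ConfigMgr treats as success with a restart required. The log path is an assumption for this example.

```powershell
# Added example, not the post's own command line: package script that removes
# Desktop-Experience, logs the outcome and signals "reboot required" to ConfigMgr.
Import-Module ServerManager

$Feature = 'Desktop-Experience'
$LogFile = Join-Path $env:windir 'Temp\Remove-DesktopExperience.log'   # assumed log location

function Write-Log ([string]$Message) {
    "{0} {1}" -f (Get-Date -Format s), $Message | Out-File -FilePath $LogFile -Append
}

# Nothing to do if the feature is already absent (for example after a manual removal).
$State = Get-WindowsFeature -Name $Feature
if (-not $State.Installed) {
    Write-Log "$Feature is not installed, nothing to do"
    exit 0
}

# -Restart is deliberately omitted: the Flash files and applet only disappear after the
# reboot, which the maintenance window schedule takes care of.
$Result = Remove-WindowsFeature -Name $Feature
Write-Log ("Success={0} RestartNeeded={1} ExitCode={2}" -f $Result.Success, $Result.RestartNeeded, $Result.ExitCode)

if (-not $Result.Success) {
    exit 1       # ConfigMgr reports the program as failed
}
if ($Result.RestartNeeded -ne 'No') {
    exit 3010    # success, restart required
}
exit 0
```

Package command line for this script: Powershell.exe -ExecutionPolicy Bypass -File Remove-DesktopExperience.ps1 (the file name is whatever you save the script as). Leave the program's "after running" action at no action so the exit code alone records the pending restart and the server reboots in its maintenance window.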

    Hope it helps!
