In this blog post, we will see how to use a compliance item (configuration item) in Configuration Manager to check whether a specific server role or feature is installed on a server. This request came up because one of the engineers enabled the Desktop Experience feature on some of the servers, which installs/enables Flash Player components in the C:\windows\System32\Macromed\Flash folder. Qualys is a provider of cloud security and compliance services that scan your network, servers, desktops or web apps for security vulnerabilities; more at https://www.qualys.com/
If you install the Desktop Experience feature on a server, it will try to install Adobe Flash components and create files/folders under the Macromed folder.
Folder structure:
Adobe flash in control panel:
Qualys scans are based on the .dll files that are present on the server. If the version of a .dll present on the server does not match the latest version of the product, the server is flagged as vulnerable.
Over the last couple of weeks I noticed that some servers were being detected as vulnerable for Flash Player, but when I looked at the server there was no Flash-related application installed (based on Programs and Features).
If no application is installed, there is no way for SCCM to detect that the Flash Player components are present, and you cannot patch/update Flash either, whether manually, through patching or through software distribution.
So there is a need to identify how many servers have the Desktop Experience feature installed and remove this component where it is not needed.
Using ConfigMgr, we can create a compliance item with a simple discovery script that checks for the Desktop Experience feature: if it is installed, the script outputs False (Non-compliant); if it is not installed, it outputs True (Compliant).
All you need is a script that checks for the Desktop Experience feature; if you are looking for other roles and features, feel free to modify it to your needs.
To find the names of other roles and features, open a PowerShell prompt, import the ServerManager module and run the following cmdlet to list the Windows roles/features on the server:
Get-WindowsFeature
The output lists the server roles and features together with their install state. If you are looking for a specific feature, pick its value from the Name column (for example Desktop-Experience) and use it to check the installed status.
In this blog post, I am not using a remediation script. A remediation script would run when the specific role/feature you are looking for is found, for example to remove the role from the server to fix it.
How to create configuration item/compliance baseline ?
Follow my blog post to create the configuration item: http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but replace the discovery script with the PowerShell script below (no remediation script is needed):
Import-Module ServerManager
# InstallState is the string 'Installed', 'Available' or 'Removed'. The Installed
# property is a boolean ($true/$false), so it must not be compared with "Installed".
$DE = (Get-WindowsFeature -Name Desktop-Experience).InstallState
If ($DE -ne "Installed")
{
    # Feature not present: "True" = Compliant
    Write-Output "True"
}
else
{
    # Feature present: "False" = Non-compliant
    Write-Output "False"
}
Compliance Rule:
Create a configuration baseline and deploy it to the collection in which you want to find out whether the Desktop Experience feature is installed.
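As an added example (not the script from the post), the discovery script below generalises the check: it takes a list of feature names from the Name column of Get-WindowsFeature and, optionally, a list of leftover folders such as the Macromed\Flash folder the post describes, and emits the single True/False line the compliance rule expects. The feature and folder lists are assumed values for illustration.

```powershell
# Added example: generalised ConfigMgr discovery script.
# Output "True" = Compliant (nothing found), "False" = Non-compliant (at least one
# unwanted feature or folder found). Edit the two lists below for your own checks.
Import-Module ServerManager

# Features whose presence makes the server non-compliant (assumed list)
$UnwantedFeatures = @('Desktop-Experience')
# Folders whose presence makes the server non-compliant (path taken from the post)
$UnwantedPaths = @('C:\Windows\System32\Macromed\Flash')

$Findings = @()

foreach ($Name in $UnwantedFeatures) {
    # SilentlyContinue so that a name unknown on this OS build does not abort the script
    $Feature = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $Feature) {
        Write-Verbose "Feature '$Name' is not known on this server; skipping"
        continue
    }
    # InstallState is 'Installed', 'Available' or 'Removed'; Installed is a boolean
    if ($Feature.InstallState -eq 'Installed') {
        $Findings += "Feature installed: $($Feature.Name)"
    }
}

foreach ($Path in $UnwantedPaths) {
    # Leftover component folders are what the vulnerability scanner keys on
    if (Test-Path -Path $Path -PathType Container) {
        $Findings += "Folder present: $Path"
    }
}

# Details go to the verbose stream only, so the CI sees exactly one line of output.
foreach ($Finding in $Findings) { Write-Verbose $Finding }

if ($Findings.Count -eq 0) {
    Write-Output 'True'
}
else {
    Write-Output 'False'
}
```

Run it locally with -Verbose (dot-source or add [CmdletBinding()] at the top) to see which feature or folder caused a False before deploying the baseline.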
Hope it helps!
7 Comments
For some reason your script returns "True" whether the Desktop Experience is installed or not.. :S
SERVERA: Desktop Experience installed:
PS C:\Windows\system32> Get-WindowsFeature -name desktop-experience
Display Name Name Install State
------------ ---- -------------
[X] Desktop Experience Desktop-Experience Installed
Your script run:
PS C:\temp> .\check.ps1
True
SERVERB: Desktop Experience NOT installed:
PS C:\Users\tom.scott.adm> Get-WindowsFeature -name desktop-experience
Display Name Name Install State
------------ ---- -------------
[ ] Desktop Experience Desktop-Experience Available
Your script run:
PS C:\temp> .\check.ps1
True
Hi Tom,
Thanks. I corrected it now. The only correction is -notlike replaced with -ne.
Import-Module ServerManager
# InstallState is 'Installed', 'Available' or 'Removed'
$DE = (Get-WindowsFeature -Name Desktop-Experience).InstallState
If ($DE -ne "Installed")
{
    Write-Output "True"
}
else
{
    Write-Output "False"
}
Thanks,
Eswar
I changed client settings to ByPass for PS and the script error disappeared.
Ram
Yes, that was the fix.
Regards,
Eswar
Thanks Eswar. The script worked out fine. Just one Q - what does Failure mean? I understand Non-Compliant and Compliant. I have 2 systems with Failure, and when I looked at the deployment details I saw a "script is not signed" error. Strange, because the script ran successfully. Anyway I will troubleshoot more.
What selection did you make for Setting Type and Data Type right below where you added the powershell script to Discovery script?
Hi,
I just updated the blog post with a link to the previous blog post on creating the CI: http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/
Please check now.
Regards,
Eswar