Monday, February 20, 2012

SCCM 2012 – Customize / Extend Hardware Inventory


Overview

 SCCM 2012 has come a long way in terms of inventory management. It has come a long way since SMS days when the MOF file had to be deployed on each client to collect the inventory. In SCCM 2007, there was a sms_DEF.mof that was required to define the WMI classes that are to be inventoried.
In SCCM 2012, the concept of hardware inventory is fairly simple. You can define any WMI classes that are to be inventoried in SCCM Console as part of Client Agent settings. These client agent settings can be advertised on collections. This means that now you have the flexibility to customize the inventory gathering based on models, operating systems, business units etc
The client then reads all inventory information through WMI (Windows Management Instrumentation). The SCCM Client agent then imports these classes when it runs the machine policy refresh cycle. Therefore, the client now polls for any changes to the configuration chages from the server.

Detailed Step by Step procedure for extending Hardware Inventory in SCCM 2012
There are 8 key steps to extend inventory in SCCM:
  1. Create the MOF file to extend inventory
  2. Make a backup of the Inboxes\CliFiles.src\HInv\Configuration.MOF file on the CAS
  3. Copy the contents of the MOF file between the two customer headings at the very bottom of the Configuration.MOF
  4. Manually compile this modified Configuration.MOF file on a test client using MOFComp
  5. Bring up properties of the Default Client Agent Settings on your CAS
    1. Select Hardware Inventory and click Set Classes
    2. Click Add and connect to \\WKS\root\CIMV2 (where WKS is the name of the client used above)
    3. Select <the class added> and press OK
  6. Monitor PolicyPv.log on the primary to which the client reports indicate that it has updated policy to reflect the new class
  7. pdate Machine Policy on the client side, allow a minute or two for that to process and then force a Hardware Inventory cycle
  8. Once the data is relayed to the MP and procesed there, it should appear in Resource Explorer.
In the section below I will discuss each of these steps in detail.
Let me take a small example:
We want to inventory "HKEY_LOCAL_MACHINE\SOFTWARE\Absolute Software Inc\" registry key with Esn (where Esn is a Reg_Sz or String value)


STEP 1 - Create the MOF file to extend inventory
This is where most of us run into issues. We must ensure that the correct MOF file is created. Here is a sample code for the registry that we want to inventory. 


// Registry property provider
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Absolute_Software_Inc", NOFAIL)
[DYNPROPS]
Class Absolute_Software_Inc
{
[key] string KeyName;
String Esn;
};
[DYNPROPS]
Instance of Absolute_Software_Inc
{
KeyName="Absolute Software Inc";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Absolute Software Inc|Esn"),Dynamic,Provider("RegPropProv")] Esn;
};


TAKE CARE OF WORD WRAP


It is important to understand how to create this MOF file, therefore let us look at it section by section.


#pragma namespace ("\\\\.\\root\\cimv2")
You must declare the namespace into which you will be adding the new class. You use the #pragma command to inform the MOF compiler that you will be using the specified namespace to add this object to. In this example, you enumerate the root \cimv2 namespace of the local computer. This is where the information for the new provider will be located.
Note the extra backslash characters in the definition of the namespace. The first backslash character specifies a special character that follows. The second backslash character defines the special character that you want to use. This is known as "escaping" special characters so that the MOF compiler will interpret them literally.


#pragma deleteclass("Absolute_Software_Inc", NOFAIL)
The #pragma deleteclass command is used in SMS/Configuration Manager hardware inventory modification to delete class information from WMI repositories. It is recommended to use deleteclass if you are testing new hardware inventory modifications and making changes to your mof edits during testing and want to start with a clean slate each time the client compiles the new mof file. When deleting WMI classes from clients that have already performed hardware inventories (especially if you have changed a Key field), you should also delete the class information stored in the site database as well.


[DYNPROPS]
The DynProps qualifier identifies a class as having properties that are maintained by the property provider identified by the Provider qualifier


Class Absolute_Software_Inc
{
[key] string KeyName;
String Esn;
};
Here we add the class definition in the root\cimv2\sms namespace to specify inventory collection. A new Class – Absolute_Software_Inc is defined. It also defines the KeyName variable with string datatype.


[DYNPROPS]
Instance of Absolute_Software_Inc
{
KeyName="Absolute Software Inc";
[PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Absolute Software Inc|Esn"),Dynamic,Provider("RegPropProv")] Esn;
};


Next we instantiate the class, and define the properties of the class that need to be inventoried. The actual registry value that is retrieved is called the Property context. This value must have the same name as the registry value that you are enumerating. The name must be enclosed in quotation marks. The display name is the name by which the data will be referenced. MOF file syntax is derived from Microsoft® Visual C++ syntax for class definitions.


Step 2 – Take a backup of the Inboxes\CliFiles.src\HInv\Configuration.MOF file on the CAS
This is extremely important. The Configuration.MOF file must be backed up before before making any changes.


STEp 3 - Copy the contents of the MOF file between the two custom headings at the very bottom of the Configuration.MOF
Open the configuration.mof file and browse to the end of the file and look for the following content:


#pragma namespace ("\\\\.\\root\\cimv2")


//========================
// Added extensions start
//========================


//========================
// Added extensions end
//========================


Copy paste the content of the MOF File created earlier between the Added extensions start.


Step 4- Manually compile this modified Configuration.MOF file on a test client using MOFComp.exe
Open command prompt and type the following command to compile the configuration.mof file on a TEST CLIENT.


mofcomp.exe -check Configuration.mof
This will check the syntax of the MOF File.

 mofcomp.exe Configuration.mof


 Step 5- Add hardware inventory in SCCM from the remote computer namespace
Open the SCCM Console On the Central Administration Site server and Click on Administration -> Client Settings -> Hardware Inventory -> Set Classes
Click on Add.


Click on Connect -> Select the name of the TEST CLIENT and enter the WMI Namespace as root\cimv2 and click on CONNECT

This should enumerate all the Classes including the one we just created – Absolute_Software_Inc



Select the Class that needs to be added and click on OK and it should show up in SCCM as well.



Step 6 - Monitor PolicyPv.log on the primary to which the client reports indicate that it has updated policy to reflect the new class
Update "Machine Policy Retrieval & Evaluation Cycle" on the client side. Allow a minute or two for that to process and then force a "Hardware Inventory" cycle.


Validate the InventoryAgent.log on the Test Client to see whether our class has been inventoried.



Similarly, policypv.log will report any updates to the inventory class.


Once the data is relayed to the MP and procesed there, it should appear in Resource Explorer.


Posted by at 31 comments:

Monday, February 13, 2012

0.0 Understanding System Center End Point Protection


Application Description: Microsoft SCCM 2012 integrates with System Center End Point Protection (SCEP) to provide end to end capability to manage anti-virus client installation, policy updates, and definition updates.
The key aspects of SCEP integration with SCCM include:
  1. Setup End Point Protection Server
  2. Configure and Install SCEP Client Agent
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP

This guide is created with the following intention:
  1. Give an understanding of HOW SCEP WORKS at tandem with SCCM 2012
  2. What considerations do SECURITY TEAMS need to validate while configuring SCEP
  3. What considerations do SCCM EXPERTS need to validate while configuring SCEP
  4. Give an understanding of HOW TO CONFIGURE SCEP end to end with SCCM 2012
Posted by at No comments:

6.0 Configure Alerts for EndPoint Protection


To be performed by SCCM Administrators and security team

 
Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users.

 
In order to configure Email Alerts in SCCM perform the following steps:
  • Open the SCCM Console and click on Administration -> Site -> CAS Server -> Settings -> Email Notification

  • Enter the SMTP Server Details and the Sender Address.

  • Once the SMTP connection is tested, browse to the collection that needs to be monitored for any malware issues, right click on the collection, click on Properties, and Click on Alerts.
  • Select all the alerts that need to be set and notified for the collection.
  • Once the alerts are created, Go to Monitoring-> Alerts and select the alert for which email subscriptions are to be created.

  • Click on Create Subscription and enter the Name and Email Address of all users who should receive the emails whenever the alert is triggered.
Other guides:
  1. Setup End Point Protection Server
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP
    7. Configure and Install SCEP Client Agent




 
Posted by at No comments:

Sunday, February 12, 2012

5.0 Validate SCEP Settings on Client


To be performed by SCCM Administrators and security team

 
Once the SCEP Client is installed on a client, it will show up under Start -> All Programs.





You can also view the latest defintion status and policy details by clicking on Help -> About System Center End Point Protection





The deployed Antivirus Definitions Version can also be located in the registry settings under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\ASSignatureVersion







Details of the Antimalware Client Agent can be accessed at the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0C243024-B7AF-478B-B6F1-574A4AB0E07C}





Other guides:
  1. Setup End Point Protection Server
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP
    7. Configure and Install SCEP Client Agent
Posted by at No comments:

4.0 Configure and Install Antivirus Definition


To be performed by SCCM Administrators and security team

 
SCCM ASUP Server will be configured to download the antivirus definitions on a daily basis. The Antivirus definitions are downloaded by the ASUP component of the SCCM Server.
In order to configure the ASUP server to download antivirus defintions, log on to the central adminiration site server
  • open the SCCM Console -> Go to Administration -> Sites -> Central Administration Site Server ->Settings -> Configure Site Components -> Software update Point
  • Click on Classifications and select Definition Updates
  • Click on Products and select Forefront EndPOint Protection
  • Click on Sync Schedule and set the synchronization schedule as desired



Once configured, SCCM will sync the patches with Microsoft website and all antivirus definitions will show up under Software Library -> All Software updates



 

Manage Antivirus Definitions

To be performed by SCCM Administrators and security team
Once the definitions show up in SCCM, the next logical steps include:
  1. Create a grouping of relevant updates. These are referred as Software Update Groups
  2. Download the definitions in SCCM
  3. Deploy the definitions on a target collection
Operationally this entire process will be automated by utilizing the Automatic Deployment Rules feature of SCCM. Ensure the following entities are available before creating an Autotic Deployment Rule:
  1. A common share to deploy the defintions
  2. Target collection to deploy the definitions
Follow the following steps to create Automatic Deployment Rules for SCEP:
  1. On the SCCM Console, go to Software Library -> Automatic Deployment Rule-> Right Click and Click on Create Automatic Deployment Rule
  2. Name the Deployment Rule and link it to an appropriate collection. Ther are two options to select either to add the definitions to existing software update group or to create a new one. Select to create a new software update group so that a new update gets created periodically and the security team can monitor which definition gets deployed when. There is an additional overhead to delete earlier software update groups which can be automated.
  1. Click Next and Select appropriate deployment settings
  2. Click Next and select the Filter for deploying the Antivirus Defintions.
  3. Click Next, and set the Evaluation Schedule. Ensure that the evaluation is scheduled to run after the patches are synced up by the Activue Software update Point e.g. in our case the update sync happens at 10:00am and the evaluation happens at 2:00pm everyday.


  4. Click Next and set the deployment schedule for the definitions. The defintions will be available as soon as possible while the installation deadline will be set to expire 2 hours after the deployment.

  5. Click Next and set the User Experience and Alerts as required
  6. Click Next and set the Download Settings. For the first time that we create the automated rule, a new deployment package can be created a linked to the share where all the definitions should be downloaded.



  7. Click Next and specify the Distribution Points where the defintions should be distributed. In a production environment, a defintion should go to all the DPs in the environment.

      
  8. Once the rule is set, the definitions will start getting downloaded at the location specified


 
 
Other guides:
  1. Setup End Point Protection Server
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP
    7. Configure and Install SCEP Client Agent
Posted by at No comments:

3.0 Configure and Install SCEP Antimalware Policies


To be performed by SCCM Administrators and security team


SCEP Client policies define where the client can obtain the defintion updates, when does it perform scans, and what files are scanned.
In order to create a new policy, right click on Assets and Compliance and click on Create Antimalware Policy. As a best practice, a new policy should be created and deployed to a limited number of computers using a collection.

 The SCCM Antimalware Policy allows us to set the following options:
  • Scheduled Scans
  • Scan Settings
  • Default Actions
  • Real-Time Protection
  • Exclusion Settings
  • Advanced Settings
  • Threat Overrides
  • Microsoft Active Protection Service
  • Definition updates
The section below provides the best practice settings for the Antimalware Policy settings. The details of each scan setting are available at the following link:
http://www.microsoft.com/sqlserver/en/us/get-sql-server/try-it.aspx



Scheduled Scans
The schedules scans settings enable to specify the behavior of the scan details for a client.


Setting DescriptionSettingDefault
Scan time 4:00pm2:00am
Check for the latest definitions updates before running a scan TrueFalse
Randomize the scheduled scan start time (within 30 minutes)TrueFalse


Scan Settings

The scans settings specify the content that should be scanned on a client.




Setting DescriptionSettingDefault
Scan email and email attachments TrueFalse
Scan archived files TrueFalse
Randomize the scheduled scan start time (within 30 minutes)TrueFalse


Default Actions
The default actions allow SCEP to respond to certain threats in a specified manner.



Real-Time Protection
The real-time protection settings allow SCEP to ascertain whether to scan real time files such as program activity, scripts, and system files etc.




Exclusion Settings
The exclusion settings allows SCEP to exclude certain files and file types from Antivirus scans

The following files are excluded from any antivirus scans.

Advanced Settings

Advances settings allow SCEP to configure additional settings such as user interaction with the agent and other antivirus settings.


Threat Overrides

Threat Override settings allow SCEP to define remediation actions that can be taken for a specified threat name when detected during a scheduled scan.


All the threats are enlisted in SCEP and an appropriate action can be ascertained.

Microsoft Active Protection Service
The Microsoft Active Protection Service enables MS to collect and send information about and detected Malware.




Definition updates


The defintion updates setting allows SCEP to determine the methodology to deploy definitions.



Setting DescriptionSettingDefault
Check for EndPoint 6 hours8 hours
Check for end point protection definitions daily at 12 PM3 PM
Set sources and Order for Endpoint Protection definition updates3
  • Updates from SCCM
  • Updates from UNC Share
  • Updates from Malware Protection Center
1


Antivirus definitions will also be downloaded manually to a UNC path on the Primary Site Server such that the definitions are available to all clients even if the SCCM CAS server goes down and is not able to dync the latest definitions from Microsoft.

Other guides:
  1. Setup End Point Protection Server
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP
    7. Configure and Install SCEP Client Agent
Posted by at 12 comments:

2.0 Configure and Install SCEP Client Agent


To be performed by SCCM Administrators and security team


This section provides details on the steps necessary to install the SCEP Client Agent on an end user computing device. There are 2 options to install the SCEP Agent:
  1. As part of the Task Sequence / Image Install
  2. Automated fashion using SCCM Client Agent Settings
Deploy SCEP using Task Sequence
SCEP can be deployed using a Task Sequence for all end user computing devices using a command to install the SCEP agent.
The application should have a deployment type with the following command:
Scepinstall.exe /s /q
Refer to the following link for more details on how to deploy SCEP using command line:
http://technet.microsoft.com/en-us/library/gg412485.aspx
 Deploy SCEP using SCCM Client Agent
SCEP can also be deployed automatically using SCCM Client Agent policies.
Open Administration -> Client Settings in SCCM 2012 and create a new policy for End Point Protection.
It is a good practice to create a new policy for end point protection and not integrate with the default client settings since you can deploy the customized policies on a handful of computers to ensure it works as desired before making a production rollout.


Set the Manage EndPoint Protection client on Client Computers to TRUE. Setting this value to true will
push the SCEP client on any client that has a healthy SCCM Client agent working. You can manage the scope of the SCEP installation by deploying the policy to a collection with a restricted set of computers.

 

The best practice settings are as follows:


Client SettingsValues
Manage Endpoint Protection client on client computersTrue
Install Endpoint Protection client on client computersTrue
Automatically remove previously installed antimalware software before Endpoint Protection is installedFalse
Suppress any required computer restarts after the Endpoint Protection client is installedFalse
Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)24 hours (default)
Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computersTrue


Refer to the following link on description for each setting:
http://technet.microsoft.com/en-us/library/hh508770.aspx



With the following settings in place:
  • SCEP will be installed on an end user computing device that has SCCM Installed
  • The command that SCCM uses for the SCEP client installation is "C:\Windows\ccmsetup\SCEPInstall.exe" /s /q /noreplace /NoSigsUpdateAtInitialExp /policy "C:\Windows\CCM\EPAMPolicy.xml"
  • Here EPAMPolicy.xml refers to the SCCM policy being pushed to the client. SCCM Policy will be covered in the subsequent section
  • The EndpointProtectionAgentLog file on http://www.blogger.com/ shows the following entries:
    • End point is triggered by WMI notification
    • It installs the command line "SCEPINstall.exe"
Other guides:
  1. Setup End Point Protection Server
  3. Configure and Install Antivirus Definition
  4. Validate SCEP Settings on Client
  5. Configure Alerts in SCEP
    6. Configure and Install SCEP Client AgentConfigure and Install SCEP Antimalware Policies
Posted by at 16 comments:

1.0 Setup End Point Protection Server



To be performed by SCCM Administrators
This section provides details on the integration on SCEP with SCCM. SCCM Introduces the End Point Protection Point Site System role that should be configured on the CAS. This task can be performed by the SCCM Administrator who has the rights to manage the SCCM Environment.
In order to install the End Point Protection role
  • Go to Administration tab -> Site Configuration -> Sites and Site Systems-> Right click on the Central Adminitration Site Server and Click on "Add Site System Roles"
  • Select the End Point Protection Point from the list of roles listed
  • Installation of End Point Protection Point can be tracked in the <SCCMInstalllationDirectory>\Logs\EPSETup.log
     
  • Validate once the EndPoint Protection Point is installed by going to Administration tab -> Site Configuration -> Sites and Site Systems-> LEFT click on the Central Adminitration Site Server and look at the Site System Roles on the installed.

Other guides:
  1. Setup End Point Protection Server
  2. Configure and Install SCEP Client Agent
  3. Configure and Install SCEP Antimalware Policies
  4. Configure and Install Antivirus Definition
  5. Validate SCEP Settings on Client
  6. Configure Alerts in SCEP
Posted by at No comments:
Subscribe to: Posts (Atom)