MECM Baseline: Check for GRUB vulnerability Windows 10

We needed to check for the GRUB vulnerability on our Windows 10 devices.

See advisory below:

We have a few thousand devices to check, so checking manually was going to be a issue, we decided to use MECM baseline to run a script to check for devices that had the issue.

Microsoft give the below command in the advisory to check if the issue exist

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Microsoft Corporation UEFI CA 2011’

If this command returns a true value the device is vulnerable.

To use the command in a baseline we used the try / catch in PowerShell to get a compliance response as the above command is a terminating error and wont return a result other wise.

$GRUBCheck = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Microsoft Corporation UEFI CA 2011’
if ($GRUBCheck -eq $true){
$complinant = ‘False’
$complinant = ‘True’
catch {


This slideshow requires JavaScript.

Once we had the script we needed to create the configuration item and baseline.

To create the configuration item open MECM console > Assets and Compliance > Overview > Compliance settings > Configuration item

Create Configuration ItemGRUB3Select Windows Desktops and Servers (custom)GRUB4Select Windows 10 as the version of Windows that will be assessed. GRUB5Add a new settings item. GRUB6Give the item a name

Setting type to script and data type to string. Click Add script. GRUB7Put in the script above.grub8Next add in a compliance rule.GRUB10

Give the compliance rule a name, select the settings item we create earlier, set the value to True so that any devices that doesn’t have the vulnerability will return as compliant. GRUB11Once all the settings and compliance rules are configure following the wizard to complete GRUB12Next we need to create the configuration baseline

Assets and Compliance > Overview > Compliance settings > Configuration item GRUB13Give the compliance baseline a name

Click add and select configuration item.GRUB14Add the configuration item created earlier. GRUB15Click ok to complete the baseline GRUB16Once the baseline is configured, deploy the baseline to the required device collection GRUB17You can either wait for the next time the client does a machine policy retrieval or run the action manually from the client.  Once the client get the updated policy the baseline should show under configurations.GRUB18

Once evaluated we can check the deployment in MECM to find device that are compliant or non-compliant.GRUB19

Adding Multiple Devices To SCCM Collection PowerShell

I recently needed to add a few hundred devices to a collection in SCCM. I couldn’t use a query to achieve this as there where no attributes that I could use. So it would have to be a direct query and I didn’t really want to manually add hundreds of servers as this would take a long time and PowerShell is a much easier and faster option. I decided to write a quick script to get a list of device from a txt file and do a loop to add each device to the specified collection.

First I need to open a PowerShell connect to SCCM I prefer to use Powershell ISE as I can edit and test my script while in one console. To connect go to the SCCM console On the blue drop down icon on the top left, click it and then choose Connect via Windows PowerShell ISE.


Once PowerShell ISE is open you should see the connection script.  Just click run script at top of ISE to connect to SCCM. Coll2

Once in ISE copy the script below and change the collectioname, computers and logpath variables to the correct location and collection that you want to added to.  Below is what the script should look like when it run.


$collectionname = “RDS Deploy Collection”
$Computers = Get-content “c:\temp\Server_List.txt”
$logpath = “c:\temp”
foreach($computer in $computers) {
try {
Write-Host “Adding $computer to $collectionname” -ForegroundColor Green
Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionname -ResourceId (get-cmdevice -Name $computer).ResourceID
catch {
Write-Warning “Cannot add client $computer object may not exist”
$computer | Out-File “$logpath\$collectionname-invalid.log” -Append
$Error[0].Exception | Out-File “$logpath\$collectionname-invalid.log” -Append

There is also a log file that will be export to give devices that have not been added and the error exception generated by PowerShell.