We needed to check for the GRUB vulnerability on our Windows 10 devices.

See advisory below:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011

We have a few thousand devices to check, so checking manually was going to be a issue, we decided to use MECM baseline to run a script to check for devices that had the issue.

Microsoft give the below command in the advisory to check if the issue exist

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Microsoft Corporation UEFI CA 2011’

If this command returns a true value the device is vulnerable.

To use the command in a baseline we used the try / catch in PowerShell to get a compliance response as the above command is a terminating error and wont return a result other wise.

try{
$GRUBCheck = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Microsoft Corporation UEFI CA 2011’
if ($GRUBCheck -eq $true){
$complinant = ‘False’
}
else
{
$complinant = ‘True’
}
}
catch {
}

$complinant

This slideshow requires JavaScript.

Once we had the script we needed to create the configuration item and baseline.

To create the configuration item open MECM console > Assets and Compliance > Overview > Compliance settings > Configuration item

Create Configuration ItemSelect Windows Desktops and Servers (custom)Select Windows 10 as the version of Windows that will be assessed. Add a new settings item. Give the item a name

Setting type to script and data type to string. Click Add script. Put in the script above.Next add in a compliance rule.

Give the compliance rule a name, select the settings item we create earlier, set the value to True so that any devices that doesn’t have the vulnerability will return as compliant. Once all the settings and compliance rules are configure following the wizard to complete Next we need to create the configuration baseline

Assets and Compliance > Overview > Compliance settings > Configuration item Give the compliance baseline a name

Click add and select configuration item.Add the configuration item created earlier. Click ok to complete the baseline Once the baseline is configured, deploy the baseline to the required device collection You can either wait for the next time the client does a machine policy retrieval or run the action manually from the client.  Once the client get the updated policy the baseline should show under configurations.

Once evaluated we can check the deployment in MECM to find device that are compliant or non-compliant.

I recently needed to add a few hundred devices to a collection in SCCM. I couldn’t use a query to achieve this as there where no attributes that I could use. So it would have to be a direct query and I didn’t really want to manually add hundreds of servers as this would take a long time and PowerShell is a much easier and faster option. I decided to write a quick script to get a list of device from a txt file and do a loop to add each device to the specified collection.

First I need to open a PowerShell connect to SCCM I prefer to use Powershell ISE as I can edit and test my script while in one console. To connect go to the SCCM console On the blue drop down icon on the top left, click it and then choose Connect via Windows PowerShell ISE.

Once PowerShell ISE is open you should see the connection script.  Just click run script at top of ISE to connect to SCCM. 

Once in ISE copy the script below and change the collectioname, computers and logpath variables to the correct location and collection that you want to added to.  Below is what the script should look like when it run.

$collectionname = “RDS Deploy Collection”
$Computers = Get-content “c:\temp\Server_List.txt”
$logpath = “c:\temp”
foreach($computer in $computers) {
try {
Write-Host “Adding $computer to $collectionname” -ForegroundColor Green
Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionname -ResourceId (get-cmdevice -Name $computer).ResourceID
}
catch {
Write-Warning “Cannot add client $computer object may not exist”
$computer | Out-File “$logpath\$collectionname-invalid.log” -Append
$Error[0].Exception | Out-File “$logpath\$collectionname-invalid.log” -Append
}
}

There is also a log file that will be export to give devices that have not been added and the error exception generated by PowerShell.