MICROSOFT’S July 2016 PATCH RELEASES

The following eleven Patch Tuesday updates / patches have been released by Microsoft for the July 2016 Update deployment.

Are you ready to start deploying and remove the patching risk using SnaPatch Patch Management Software?

MS16-084 – Critical

Cumulative Security Update for Internet Explorer (3169991)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-085 – Critical

Cumulative Security Update for Microsoft Edge (3169999)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-086 – Critical

Cumulative Security Update for JScript and VBScript (3169996)
This security update resolves a vulnerability in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-087 – Critical

Security Update for Windows Print Spooler Components (3170005)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

MS16-088 – Critical

Security Update for Microsoft Office (3170008)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-089 – Important

Security Update for Windows Secure Kernel Mode (3170050)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.

MS16-090 – Important

Security Update for Windows Kernel-Mode Drivers (3171481)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-091 – Important

Security Update for .NET Framework (3170048)
This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application.

MS16-092 – Important

Security Update for Windows SMB Server (3164038)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

MS16-093 – Important

Security Update for Adobe Flash Player (3174060)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10.

MS16-094 – Important

Security Update for Secure Boot (3177404)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

See how SnaPatch can help and remove the risk of Patch Tuesday updates.

VMWare PowerCLI Installation Failed

If you are installing VMWare’s PowerCLI for remote administration of your VMWare farm, or for SnaPatch or Snapshot Master, you may at times receive the following error: “Setup has detected that the installation package is corrupted. Please be aware that this installer may have been tampered with.” One of the possible causes for this is that the root certificate for VeriSign isn't installed on your computer. There are a few ways to fix this issue. One is to download the root certificate from VeriSign themselves and install it to the local computer account under Third-Party Root Certification Authorities, Certificates. Another is to export it from the VMWare PowerCLI installation package.


VMWare PowerCLI setup error

These screenshots show the error you would receive while trying to install the VMWare PowerCLI installer.

VMWare PowerCLI Setup error

VMWare PowerCLI Installation error


How to Manually install the root certificate

First off we will see if the root certificate is in fact already installed or not. From a command prompt type mmc.exe to open up the Microsoft Management Console.

Now go to File, then Add/Remove Snap-in.

Next we have to choose the Certificates addin. Highlight Certificates then click on Add.

You will now need to select Computer Account and then click Next.

Choose Local Computer for the location that this snap-in will manage then click Next.

Now click OK and the Certificates Snap-in will be available.

Expand Certificates, then Third-Party Root Certification Authorities and finally Certificates. You will now need to look for the Root Certificate, VeriSign Class 3 Public Primary Certification Authority – G5. In this example you can see that the certificate is installed. If it isn't installed you can download and install the certificate to the shown location. If you cannot download the root certificate it is possible to import the certificate from the VMWare PowerCLI installation package, as shown in further steps.


How to import the certificate from the VMWare package

Now you will need to export the Root Certificate from the VMWare PowerCLI installation package. To do so, locate the EXE file and right click it then choose properties.

Change the tab to Digital Signatures then click Details.

As you can see in this example, “the certificate in the signature cannot be verified”. Click View Certificate to proceed.

Change to the Certification Path tab and make sure you select the top of the certification path. In this example, you can see it highlighted as VeriSign Class 3 Public Primary Certification Authority – G5. Once selected click View Certificate.

Again, in the next window go to the Details tab then click Copy to File.

The Certificate Export Wizard starts next. Click on Next to proceed with the Wizard.

Leave the Format as DER and then click on Next.

Choose the location and filename where you want to save the exported certificate and then click Next.

You can now click Finished and the Certificate Export Wizard will then close.

Next we need to import the VeriSign Root Certificate to the correct location. Right click the exported certificate and select Install Certificate.

The Certificate Import Wizard now starts. Click Next.

Select Place all certificates in the following store and then choose Third-Party Root Certification Authorities. Click Next when ready to do so.

Now click Finish.

The Root Certificate from VeriSign should now be installed in the correct location and you can then restart the installation of VMWare PowerCLI.
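
The store check and import described in the two procedures above can also be scripted from an elevated PowerShell prompt. This is an added example, not code from the original post or from VMware: the three parameters are assumptions, and the expected thumbprint is a placeholder that should be taken from the CA's own publication rather than from the installer being checked. It imports only a self-signed root with the expected thumbprint, and it treats a hash mismatch on the installer as tampering that no certificate import should override.

```powershell
# Added example: vet an exported root certificate before trusting it machine-wide,
# then confirm that the installer signature now validates.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $RootCerPath,        # assumption: DER file saved by the Certificate Export Wizard
    [Parameter(Mandatory)] [string] $InstallerPath,      # assumption: the PowerCLI installer EXE that raised the error
    [Parameter(Mandatory)] [string] $ExpectedThumbprint  # placeholder: SHA-1 thumbprint as published by the CA
)

$ErrorActionPreference = 'Stop'
$storePath = 'Cert:\LocalMachine\AuthRoot'   # shown in MMC as "Third-Party Root Certification Authorities"

# 1. A missing root and a modified file are different problems. If the file hash
#    no longer matches the signature, the installer itself was changed.
$before = Get-AuthenticodeSignature -FilePath $InstallerPath
$status = $before.Status.ToString()
if ($status -in 'HashMismatch', 'NotSigned') {
    throw "Installer signature status is $status. Discard the file; adding a root will not make it trustworthy."
}
Write-Host "Installer status before import: $status ($($before.StatusMessage))"

# 2. Load the exported certificate and check that it is the root we expect.
$cerFile = (Resolve-Path -LiteralPath $RootCerPath).Path
$root    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerFile)
$want    = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$now     = Get-Date

$problems = @()
if ($root.Subject -ne $root.Issuer) {
    $problems += 'subject and issuer differ, so this is not a self-signed root'
}
if ($root.Thumbprint -ne $want) {
    $problems += "thumbprint $($root.Thumbprint) does not match the expected value"
}
if ($now -lt $root.NotBefore -or $now -gt $root.NotAfter) {
    $problems += "outside its validity period ($($root.NotBefore) to $($root.NotAfter))"
}
if ($problems) {
    throw "Refusing to import '$($root.Subject)': $($problems -join '; ')"
}

# 3. Import only if the root is missing from both machine-level root stores.
$present = Get-ChildItem -Path $storePath, 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($present) {
    Write-Host "Root already installed: $($present.PSParentPath -join ', ')"
} else {
    Import-Certificate -FilePath $cerFile -CertStoreLocation $storePath | Out-Null
    Write-Host "Imported '$($root.Subject)' into $storePath"
}

# 4. The installer should now chain to a trusted root. Anything else needs
#    investigation before setup is run again.
$after = Get-AuthenticodeSignature -FilePath $InstallerPath
Write-Host "Installer status after import: $($after.Status) ($($after.StatusMessage))"
if ($after.Status.ToString() -ne 'Valid') {
    throw 'Signature still does not validate. Do not run the installer.'
}
```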

How to Create a VMWare Template for Deployment

So you are deploying Servers regularly and are becoming sick of doing this the manual way. Creating a template for quick deployment is relatively easy; just follow the steps in this blog post and you will be deploying VMs in no time.

There are two methods to create a VMWare template: Clone to Template or Convert to Template.

Clone to Template

Clone to Template does exactly that. It creates an exact copy of the VM and leaves the original VM you choose intact. Choosing this option allows you to change the format of the Virtual Disk to either Thick or Thin Provisioning. Thin Provisioning the disk will allow the VM to use only the disk space it requires, and grow with time. Thick Provisioning the VM will use the amount of Disk Space you specify. Creating a Clone to Template VMWare duplicates the Virtual Disks and the .VMX file that holds all the configuration settings for that Virtual Machine.

Convert to Template

Convert to Template is the other possible method available to you. (This is what I use in this example). It is much faster than using Clone to Template as it is not required to duplicate the source Virtual Machine disks. What it does is changes this VM to a Template format.

Once you have finished creating a VMWare Template following this post, Click this link to see how to make a VM automatically join a Windows Domain.

VMWare Template FAQs

What is a VMWare template? 

A VMWare template is a pre-configured virtual machine that can be easily duplicated and deployed.

Why should I create a VMWare template? 

Creating a VMWare template can save you time and effort when deploying multiple virtual machines with the same configuration.

What are the two methods for creating a VMWare template? 

The two methods are Clone to Template and Convert to Template.

What is the difference between Clone to Template and Convert to Template? 

Clone to Template creates an exact copy of the virtual machine, while Convert to Template changes the virtual machine to a template format.

Which method is faster, Clone to Template or Convert to Template? 

Convert to Template is generally faster as it doesn’t require duplicating the source virtual machine disks.

What are the steps to create a VMWare template? 

The steps are: log in to your VMWare console, create a new virtual machine, specify the name, host/cluster, storage, operating system, network, and disk settings, install the operating system, shut down the virtual machine, and finally convert it to a template.

How can I customize the hardware settings of my VMWare template? 

You can customize the hardware settings by selecting “Edit Settings” on the virtual machine and changing the appropriate settings.

How can I deploy a virtual machine using my VMWare template? 

To deploy a virtual machine using your VMWare template, right-click the template, choose “New Virtual Machine,” and follow the prompts.

Can I change the configuration of a VMWare template after it has been created? 

Yes, you can edit the settings of a VMWare template by converting it back to a virtual machine, making the necessary changes, and then converting it back to a template.

Are there any considerations to keep in mind when creating a VMWare template? 

Yes, it’s important to ensure that the operating system is properly licensed and that any necessary updates and patches are applied before creating the template. It’s also important to follow best practices for securing virtual machines.

Create a VMware Template in the VMware Console

Login to your VMWare Console

Log in to your VMWare console and then Right Click your datacentre and choose New Virtual Machine.


VMware Template Creation

Now give the VM a name. As this is going to be a template for future deployment of Windows Server 2016, I have chosen 2016 Template to make it easier to see which Operating System this template will install.


VMware Host / Cluster Tab

Choose the Host or Cluster you want the VM to be deployed to then click on Next.


VMware Storage Tab

Next you specify the storage location for the VM to reside on. Select the appropriate VM datastore and then click on Next.


VMware Guest Operating System Tab

Choose the Operating System you want to install on the VM and click Next.


VMware Template Creation Network TAB

Select the VMware network you want this VM to communicate on and click Next.


VMware Template Disk Creation

Specify the size of the Operating System Disk then click Next.


VMware Template Completion

Confirm the settings are correct and click on Finish. In this example I checked the checkbox for Edit the virtual machine settings before completion to show you what hardware settings you can change. Click Finish when ready.


VMware Template Settings

Now the VM is ready to install the operating system, you will have to attach an ISO file for the installation. Find the VM then Right Click the Virtual Machine and select Edit Settings.


Edit VMware VM Settings

Select CD/DVD drive then Datastore ISO file. Browse to the datastore location of your Operating System installation media and select the appropriate media then click on OK. You can also change other hardware settings for this template.


VMware Template – Power On

Now we need to install the Operating System so that we can easily redeploy this VM as a template. Right Click the VM and choose Power On.


VMware Template – Open the VM Console

Right Click the VM again and choose Open Console so that you can install the Operating System.


Install the VM Operating System

Next will require you to install the Operating System. Please note that if you are going to change this to a VM Template, do not join your Windows Domain.


Shutdown the VM

Once the machine has logged in to Windows for the first time, shut the machine down.


Create a VMWare Template

Once the installation of the Operating System has completed and the Virtual Machine is powered off we can now create a VMWare Template. Right Click the Virtual Machine, go to Template,  then Convert to Template. This will now change the Virtual Machine and convert it to a ready to deploy Template for quick and easy future deployment.


Creating a VMWare template can save you time and effort when deploying servers regularly. By following the steps in this post, you can create a VMWare template using the Convert to Template method. Remember to shut down the VM after the first Windows login and then convert it to a template. With a VMWare template, you can deploy VMs in no time and focus on other tasks that need your attention.
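
The two methods described in this post, Convert to Template and Clone to Template, have PowerCLI equivalents. The script below is an added example, not code from the original post or from VMware; it assumes PowerCLI is installed and a `Connect-VIServer` session already exists, the clone name is hypothetical, and the ISO detach is an extra hygiene step that the walkthrough does not include.

```powershell
# Added example: create a template from the walkthrough's VM with either method.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
[CmdletBinding()]
param(
    [string] $VMName = '2016 Template',              # VM name used in the walkthrough
    [ValidateSet('Convert', 'Clone')]
    [string] $Method = 'Convert',
    [string] $CloneName = '2016 Template - Clone',   # hypothetical name for the cloned template
    [ValidateSet('Thin', 'Thick')]
    [string] $DiskFormat = 'Thin'                    # only used by the Clone method
)

$ErrorActionPreference = 'Stop'
$vm = Get-VM -Name $VMName

# The walkthrough shuts the guest down after the first Windows login.
# This script insists on that state for both methods.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "'$VMName' is $($vm.PowerState). Shut the guest down before creating the template."
}

# Added hygiene step (not in the walkthrough): detach the installation ISO so
# every VM deployed from the template does not depend on that datastore file.
Get-CDDrive -VM $vm | Where-Object { $_.IsoPath } | ForEach-Object {
    Write-Host "Detaching $($_.IsoPath)"
    Set-CDDrive -CD $_ -NoMedia -Confirm:$false | Out-Null
}

switch ($Method) {
    'Convert' {
        # In-place change: the VM becomes the template and no disks are copied.
        $template = Set-VM -VM $vm -ToTemplate -Confirm:$false
    }
    'Clone' {
        # Copies the disks and configuration; the source VM stays intact and
        # the disk format of the copy can differ from the source.
        $template = New-Template -VM $vm -Name $CloneName -Location $vm.Folder `
            -DiskStorageFormat $DiskFormat
    }
}

$template | Select-Object Name, Id
```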

How to Deploy a VM and Join a Domain Automatically

Virtual machines have become an essential part of modern IT infrastructure, as they allow administrators to create and manage multiple computing environments on a single physical machine. This can be incredibly useful for tasks such as testing, development, and training. When deploying a virtual machine, it is often necessary to perform customizations, such as joining the machine to a domain, setting network configurations, and specifying local administrator password, among others. This article provides a step-by-step guide to deploying a virtual machine and joining it to a domain automatically using VMWare Customization script. The article covers each step of the customisation process, including how to specify domain information, set the computer name, configure the Windows license, set the time zone, and much more. This guide is intended for administrators who want to automate the process of deploying virtual machines and joining them to a domain, and it provides detailed, actionable instructions for achieving this goal.

If you ever need to deploy a Virtual Machine with some customisations (i.e. Network Settings, or having it automatically join a domain), this post will show you how.

The VMWare Customisation script will allow you to specify:

  1. Domain to join automatically
  2. Network settings
  3. Registration Settings
  4. Computer Name
  5. Windows License
  6. Time Zone
  7. Local Administrator Password
  8. Operating System Settings.

Assuming here (I know, never assume anything) that you have already created a VM template to deploy (if you haven't already created one, click the link to see a blog post on How to Create a VMWare Template), follow these steps to create your very own VMWare Customisation Script.


VMWare vCentre Console

1. Log in to your VMware vCentre Console. Choose Home, then Inventory, Management and finally Customisation Specifications Manager.


VM Properties Tab

2. The VMware Customisation Wizard starts. Choose the Operating System and provide a Name and Description then click Next.


Registration Information Tab

3. Provide the Name and Organisation that the server will belong to then click Next.


Virtual Machine Computer Name Tab

4. Next we need to configure the name of the VM. In this example, I am choosing to use the Virtual Machine name as this will match against Vmware and Active Directory making it easier to identify. Click Next when ready to proceed.


Windows License Tab

5. If you have a product key you can enter it here. As I am using KMS in my domain for Windows Licensing, I chose to leave this blank. Again, click Next when ready.


Administrator Password Tab

6. Add the Administrator password and how many times you wish for the Administrator account to login. This is used for the Local Administrator account not a Domain Administrator. Click Next.


Time Zone Tab

7. Choose the Time Zone relevant to your environment then click Next.


Run Once Tab

8. If you wish for any commands to run (i.e. scripts to customise your server further) you can enter them here. I haven't any for this Customisation so have left this blank. Click Next.


Network Tab

9. For the Network portion of the wizard, you can choose custom settings if required (i.e. DNS server and IP address settings). I'm using the typical settings (i.e. DHCP). Click Next when you have chosen the settings you require.


Workgroup or Domain Options Tab

10. Now the important part. If you want the VM to deploy and then to automatically join your Windows domain you will need to add the Domain Name, Administrator Account and Password. Click Next when ready.


Operating System Options Tab

11. Allow the VMWare customisation script to Generate New Security ID (SID) then click Next.


Ready to Complete Tab

12. Finally, check the settings are correct then click Finish to proceed.


Deploy Virtual Machine from this Template.

13. Now hopefully everything went well and you are ready to start using the VMWare Customisation Script you created and deploy your first VM with these settings. Choose the template you wish to apply this customisation to, Right Click and choose Deploy Virtual Machine from this Template.


Name and Location Tab

14. Give the VM a name and then the Inventory Location the machine will reside in and then click Next.


Host and Cluster Tab

15. Choose a Host or Cluster for the VM to run on then click Next.


Storage Tab

16. Next you choose the storage location that the VM will use to store its files (VMDK). Select the storage destination then click Next.


Guest Customisation Tab

17. This is another important part of the VM deployment process. You can choose not to customise but since this blog post is about using the customisation we created earlier, choose Customise using an existing customisation specification.  Select the VMWare customisation you created then click Next.


Ready to Complete Tab

18. Check that the settings shown on this screen are what you have selected and, when confirmed, click Next. You can also edit the Virtual Machine's hardware if you wish to do so (i.e. set CPU, RAM, Disk Space etc.).


Finished 🙂

19. You should now be able to see that your new Virtual Machine is deploying using the VMWare Customisation Script you created. It will now automatically join the Windows Domain and be ready to use once the installation has completed.
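
The wizard steps above map onto PowerCLI's customisation cmdlets. The script below is an added example, not code from the original post or from VMware; it assumes PowerCLI with an existing `Connect-VIServer` session, and every name, host, domain and time zone value in the parameter block is a placeholder or hypothetical. Because the domain join account is stored in the specification, the example prompts for an account delegated only to join computers instead of embedding a Domain Administrator password.

```powershell
# Added example: build the customisation specification, deploy from the template,
# and wait for vCenter to report the customisation result.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
[CmdletBinding()]
param(
    [string] $SpecName   = 'Win2016-DomainJoin',     # hypothetical specification name
    [string] $Domain     = 'corp.example.com',       # placeholder domain
    [string] $Template   = '2016 Template',          # template name from the earlier post
    [string] $NewVMName  = 'SRV-APP-01',             # hypothetical VM name
    [string] $VMHostName = 'esx01.corp.example.com', # placeholder host
    [string] $Datastore  = 'datastore1',             # placeholder datastore
    [string] $TimeZone   = '085'                     # assumption: Windows time zone index for GMT
)

$ErrorActionPreference = 'Stop'

# Prompt for secrets so they never sit in a script file or shell history.
$joinCred  = Get-Credential -Message 'Account delegated to join computers to the domain'
$adminCred = Get-Credential -UserName 'Administrator' -Message 'Local Administrator password for new VMs'

# Steps 2 to 11 of the wizard. -NamingScheme Vm uses the VM name as the computer
# name (step 4); -ChangeSid matches "Generate New Security ID" (step 11).
$spec = New-OSCustomizationSpec -Name $SpecName -Type Persistent -OSType Windows `
    -Description 'Domain join, DHCP, new SID' `
    -FullName 'IT Operations' -OrgName 'Example Org' `
    -NamingScheme Vm `
    -AdminPassword $adminCred.GetNetworkCredential().Password -AutoLogonCount 1 `
    -TimeZone $TimeZone `
    -Domain $Domain -DomainCredentials $joinCred `
    -ChangeSid

# Step 9: typical network settings (DHCP) on every NIC in the specification.
Get-OSCustomizationNicMapping -OSCustomizationSpec $spec |
    Set-OSCustomizationNicMapping -IpMode UseDhcp | Out-Null

# Steps 13 to 18: deploy from the template with the specification applied.
$vm = New-VM -Name $NewVMName `
    -Template (Get-Template -Name $Template) `
    -OSCustomizationSpec $spec `
    -VMHost (Get-VMHost -Name $VMHostName) `
    -Datastore (Get-Datastore -Name $Datastore)
Start-VM -VM $vm | Out-Null

# Step 19: customisation runs on first boot. Poll the VM's events and fail
# loudly instead of assuming the domain join happened.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $result = Get-VIEvent -Entity $vm -MaxSamples 200 |
        Where-Object { $_.GetType().Name -in 'CustomizationSucceeded', 'CustomizationFailed' } |
        Select-Object -First 1
} until ($result -or (Get-Date) -gt $deadline)

if (-not $result) { throw "No customisation result for '$NewVMName' within 30 minutes." }
if ($result.GetType().Name -eq 'CustomizationFailed') {
    throw "Customisation failed for '$NewVMName': $($result.FullFormattedMessage)"
}
Write-Host "Customisation succeeded for '$NewVMName' at $($result.CreatedTime)"
```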

Deploying a Zero Day Exploit Update Fix with Microsoft SCCM 2012

Zero Day exploits are vulnerabilities that are found and can be used by hackers to exploit and use for malicious or personal intent. These exploits have been known to affect both software and hardware, causing issues to programs, data, computers, and networks. Once a patch or fix is released by the vendor, the issue is no longer known as a Zero Day vulnerability. In this article, we will discuss how to remediate Zero Day attacks and how to deploy a Zero Day exploit fix using Microsoft SCCM.

Remediating Zero Day Attacks

Unfortunately, there isn’t much that can be done until a fix or update is released that patches the security hole. Once a patch is released, it is best to deploy and apply the patch as soon as possible. To reduce the risk of unknown vulnerabilities, it is good practice to keep your hardware and software up to date. This will remove any previously found vulnerabilities from your environment as patches are applied. Having a patching process in place and suitable infrastructure to do so (e.g., Microsoft SCCM and SnaPatch) where you can deploy updates easily and often are also good practices.

Zero Day Exploit Overview

So what exactly is a Zero Day Exploit, you ask? To be exact, a Zero Day Exploit is a vulnerability that a possible Hacker can find and use for malicious or personal intent. The Vendor (software or hardware) has Zero Days to plan, mitigate and fix the issue so that there is no further exploitation of the vulnerability. The exploits have been known to target either software (Operating Systems and Software) or hardware. They have been known to cause issues to programs, data, computers and to the network.

Zero Day Attack Timeline

In the case of a breach being found in some software, a Zero Day Exploit normally follows this sequence:

  1. A hacker finds a vulnerability in a product (software/hardware).
  2. The hacker writes an exploit and uses it either maliciously or for financial gain.
  3. The exploit is detected either by Users, Security Companies or the Vendor themselves.
  4. The Vendor studies the new exploit and develops a fix.
  5. The Vendor releases a new patch to fix the exploit.
  6. Users install the Patch or Virus Definition update.

The biggest issue with a Zero Day Exploit is that they are generally unknown until they have been used to breach systems, leaving everyone vulnerable until the Vendor releases security advice on how to remediate the issue or a patch or update. This could be days, weeks, months or even years before the Vendor learns of the vulnerability. Once a Patch or Fix has been released by the Vendor, then the issue is no longer known as a Zero Day Vulnerability.

How to remediate Zero Day Attacks

Unfortunately there isn't much that can be done until there is a fix or update released that patches the security hole. Once a patch is released it is best to deploy and apply the patch as soon as is possible.

To further reduce the risk, it is good practice to keep your hardware and software patched and up to date, which helps mitigate vulnerabilities that are unknown to you. This will remove from your environment any previously found vulnerabilities as patches are applied. Having a Patching Process in place and suitable infrastructure to do so (i.e. Microsoft SCCM and SnaPatch for instance) where you can deploy updates easily and often is also good practice.

Using SCCM to deploy a Zero Day Exploit Patch

If you are using Microsoft's SCCM 2012, you can easily deploy an update that addresses a Zero Day Vulnerability by following these steps:

  1. Log on to your SCCM console, then go to Software Library, expand Software Updates and highlight All Software Updates. Now Right Click and choose Synchronise Software Updates. This will synchronise your SCCM server with your WSUS updates server. Allow a few minutes for the new updates to populate the view. You can check the Wsyncmgr.log to view the update synchronisation.
  2. If you know the Bulletin ID number (the update number released by Microsoft in the format MSXX-XXX; in this example I am choosing MS16-082), you can now search for this within the console.
  3. Make sure that the update has downloaded and, if not, right click the update and choose Download. You will need to give the update some time to download into your environment and be ready for deployment. Click this link to see how to manually download updates if you don't know how.
  4. When the update is downloaded and ready for deployment, you are ready to deploy the Update. (If you are using SnaPatch to deploy the updates, go straight to the SnaPatch Section below.)
    Right Click the update (or updates) and choose Deploy.
    Enter a Deployment Name and Description, and choose the collection you wish the Zero Day exploit fix to deploy to. Once you have chosen the correct settings, click on Next.
  5. On the Deployment Tab, leave the type of deployment as Required and choose the level of detail you want, then click on Next.
  6. Now schedule when you want the update to deploy. As this is a Zero Day Exploit that you want patched quickly, schedule the patch to be available As Soon As Possible for both the Software Available Time and Installation Deadline. Please note that, more often than not, the installation of an update will cause systems to restart. Please make sure you have informed the appropriate people and that you have approval for deployment. There is nothing worse than deploying an update and having to answer to Management because you caused unwarranted system outages.
  7. The User Experience Tab is where you set how the deployment will interact with Users. You can set whether users are notified within the Software Centre that an update is available for installation, whether the update can install and restart the system outside a maintenance window when the deployment deadline is reached, and finally whether you wish to suppress a system restart. As this is an urgent deployment, I have chosen to allow installation and restart outside any maintenance windows. Choose the settings you require and click on Next.
  8. If you have System Centre Operations Manager (Microsoft SCOM) in your environment you can choose to generate an alert with criteria you specify. In this example we are not going to specify any settings. Click on Next when you have made your selections.
  9. The Download Settings tab allows you to choose client download settings. If a client is on a slow or unreliable network boundary you can choose whether it skips installing the update or downloads it from another distribution point. Allowing clients to share content between themselves is a great feature of SCCM as it will stop other client machines downloading the same updates and possibly flooding a network link. The clients will all share the update between themselves if they are on the same subnet. If they cannot download the update from an SCCM distribution point, allowing them to download from Microsoft Update is available as well.
    Click on Next when ready.
  10. Now you can review all the settings on the Summary Tab. Confirm you are happy with all the settings and then click Next.
  11. The progress of the deployment will now be shown.
  12. Your Zero Day Exploit deployment should now be ready to be deployed to your SCCM clients as per the settings you have set.

Using SnaPatch for Zero Day Exploit Deployment

If you are using SnaPatch to aid you with the deployment of Windows Updates with Microsoft’s SCCM, you can follow on from Steps 1 to 4 from above.

  1. Open the SnaPatch console and choose the SnaPatch Icon to start the snapshot and patch deployment process.
  2. Now you are presented with all the SCCM Collections and Systems available to deploy the Zero Day Exploit patch to. Choose the systems you want to receive the patch and click on Add.

    If the machines are virtual (either a VMware or Hyper-V virtual machine) you can choose whether to take a snapshot of the servers prior to deployment of the zero day patch. Should the servers not have a successfully completed snapshot, they will not receive the update deployment. The snapshot of the virtual machines gives you a quick rollback position should the update cause an issue in your environment.
    When you have chosen all the machines you wish and whether you would like a snapshot, click on the green arrow to continue.
  3. The next window in the SnaPatch process is where you choose the update you wish to deploy. As this is a Zero Day patch and we know the Microsoft article number (which in this example is MS16-082), type in the KB or MS article number and choose Search.
    Select the update, confirm that it has been downloaded (as per step 3 above) and now choose whether you want the update to deploy to an existing Update Group or to create a new one.
  4. As this is an urgent deployment, I am choosing Create & Deploy Update Group. Give the Software Update Group a Name and Description and click Create.
  5. Confirmation that the Software Update Group has been created is shown. Click OK.
  6. Next we have to schedule the deployment. Click Schedule Job.
  7. Now on the scheduling window, click on New.
  8. Choose an appropriate schedule for when you would like the deployment to happen. This will set up the update deployment for the time you specify. Click OK when you are ready to proceed, then close the scheduling window.
  9. On the Maintenance Window, choose the duration during which you want the snapshots to be performed and the updates to be installed. Click on Finish when complete.

    That's all there is to it. SnaPatch will now create a deployment of the Zero Day Exploit Patch within Microsoft SCCM and set the Maintenance Window. When the maintenance window is reached, SnaPatch will interact with your VMware or Hyper-V hosts and start a snapshot of the servers you have selected. Once the snapshot is complete, SnaPatch contacts SCCM and allows SCCM to deploy the patch to those servers. You will also receive email notifications throughout the snapshot and deployment process.
    Click for further information on SnaPatch Patch Management.

Zero Day exploits can cause serious issues to programs, data, computers, and networks. It is essential to deploy patches and fixes as soon as possible to reduce the risk of exploitation. Using Microsoft SCCM 2012 to deploy a Zero Day exploit fix is an easy process that can be completed by following the steps outlined above. Keeping your hardware and software up to date and having a patching process in place are good practices to mitigate the risk of unknown vulnerabilities.

Create a SCCM Automatic Deployment Rule for SCEP definition updates

SCEP Definition Automatic Deployment Rule in SCCM 2012 R2

If you have set up your SCCM environment with Microsoft's System Centre Endpoint Protection (SCEP) and have deployed the SCEP agent to your client computers, the next task is to create an Automatic Deployment Rule for the antivirus updates. Automatic Deployment Rules, as the name suggests, automate the deployment of updates and definitions to your environment. You can set deadlines for when things should install, maintenance windows for when reboots and installation should occur, and the download of Windows updates (you can specify which products to download updates for and at what severity, i.e. critical, important and security) and SCEP definitions, all without any manual intervention.

Creating an Automatic Deployment Rule for System Centre Endpoint Protection (SCEP) definition updates in SCCM can help streamline the process of deploying and updating antivirus definitions across an organization. By automating the deployment of updates and definitions, IT administrators can save time and ensure that all client computers have the latest protection against known threats. With SCCM’s customization options, administrators can set deadlines for updates, specify maintenance windows, and even control the download of Windows updates. This ensures that updates are deployed efficiently and without any manual intervention, allowing administrators to focus on other important tasks.

 


Creating an Automatic Deployment Rule in SCCM 2012 R2 for SCEP Definition Deployment

Create Automatic Deployment Rule

Open your SCCM 2012 console and navigate to Software Library – Overview – Software Updates – Automatic Deployment Rules. 

Right click Automatic Deployment Rules and then choose Create Automatic Deployment Rule 


SCEP ADR – General Tab

Now specify a descriptive name for the Automatic Deployment Rule and a description that will easily identify what this ADR is for, and then choose an appropriate template from the dropdown box (I have chosen the standard definitions updates). Then click on Next.


SCEP ADR – Deployment Settings Tab

I left the settings as default on this page as I want to automatically approve any license agreements and don't have a requirement to wake up client computers. If you want to deploy the SCEP updates after hours while your client computers are off and wish to wake them up for the client updates (this depends on whether your environment has Wake On LAN capability), choose the Wake On LAN checkbox.


SCEP ADR – Software Updates Tab

Make sure that the search criteria are correct: the Product should say Forefront Endpoint Protection 2010 or Windows Defender, and the Update Classification should show Definition Updates. Then click Next.


SCEP ADR – Evaluation Schedule Tab

Choose how often the Software Update Point synchronises.


SCEP ADR – Deployment Schedule Tab

Now we can configure when the updates are available to be installed on client computers. In this example, I left this as the default of 1 hour. You can choose whatever is suitable for your environment.


SCEP ADR – User Experience Tab

The following screen is where you set whether or not you will notify the users that there is a new SCEP definition update available for their machines. More often than not, it is best to suppress these notifications from the end user as there could be multiple updates released daily. Notifying them every few hours would surely annoy them, and they in turn will annoy the Administrator.


SCEP ADR – Alerts Tab

If you have System Centre Operations Manager (Microsoft's SCOM) you can choose whether any alerts are enabled or disabled and, if required, what conditions generate an alert.


SCEP ADR – Download Settings Tab

Now we are up to the Download Settings page. Choose the option that is suitable to your environment. It is always a good idea, if you have lots of remote sites without an SCCM distribution Point available, to allow the clients to share content with other clients on the same subnet.


SCEP ADR – Deployment Package Tab

On this page, we are creating a new deployment package for the Definitions Updates. Again, it is good practice to give a descriptive name and description that is easily identifiable to others. Also, choose a source location with enough storage to store the definitions.


SCEP ADR – Distribution Points Tab

Choose which distribution points you would like the update definitions to be shared to and from. I chose All Distribution Points as I want the updates available from everywhere in the environment.


SCEP ADR – Download Location Tab

If you are downloading the definition updates manually, you can set the location for where SCCM should look for new definitions. If not, choose Download Software Updates from the Internet and click on Next.


SCEP ADR – Language Selection Tab

Specify which languages you wish the SCEP definition update to deploy as. You can choose multiple languages as required.


SCEP ADR – Summary Tab

Review the Summary page to confirm you are happy with the settings you have chosen. Once you are satisfied with your selection, click Next.


SCEP ADR – Progress Tab

The Automatic Deployment Rule will quickly run through some checks. Once they have completed, click on Close.


SCEP ADR – Manual Invocation

That is all there is to it. The Automatic Deployment Rule will run with all the settings you have selected. If you ever wish to run the rule manually, right click it and choose Run Now.
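The same rule can also be created from the ConfigurationManager PowerShell module, which makes the settings reviewable and repeatable. This is an added example, not part of the original walkthrough: the site code, collection, rule and package names, source path and distribution point are placeholders, and the language and superseded filter are assumptions the page does not state.

```powershell
# Added example: scripted equivalent of the wizard tabs described above.
# Run on a machine that has the Configuration Manager console installed.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

# Placeholders (hypothetical values, replace with your own).
$SiteCode    = 'XXX'
$Collection  = '<target collection name>'
$PackageName = 'SCEP Definition Updates'
$PackagePath = '\\<server>\<share>\SCEPDefinitions'
$DPName      = '<distribution point FQDN>'

Set-Location "$($SiteCode):"

# Deployment Package tab: create the package only if it does not exist yet.
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackagePath | Out-Null
    # Distribution Points tab: send the package content to a distribution point.
    Start-CMContentDistribution -DeploymentPackageName $PackageName -DistributionPointName $DPName
}

$adr = @{
    # General tab
    Name                          = 'SCEP Definition Updates ADR'
    Description                   = 'Deploys SCEP antivirus definition updates'
    CollectionName                = $Collection
    EnabledAfterCreate            = $true
    # Deployment Settings tab: accept license terms, no Wake On LAN
    DeployWithoutLicense          = $true
    SendWakeupPacket              = $false
    # Software Updates tab: the search criteria named in the article
    Product                       = 'Forefront Endpoint Protection 2010'
    UpdateClassification          = 'Definition Updates'
    Superseded                    = $false   # assumption: skip superseded definitions
    # Evaluation Schedule tab: evaluate after each software update point sync
    RunType                       = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    # Deployment Schedule tab: available 1 hour after the rule runs
    AvailableImmediately          = $false
    AvailableTime                 = 1
    AvailableTimeUnit             = 'Hours'
    # User Experience tab: suppress end-user notifications
    UserNotification              = 'HideAll'
    # Alerts tab: no SCOM alerts
    GenerateOperationManagerAlert = $false
    # Download Settings, Deployment Package, Download Location, Language tabs
    UseBranchCache                = $true
    DeploymentPackageName         = $PackageName
    DownloadFromInternet          = $true
    LanguageSelection             = 'English'  # assumption: language not stated
}
New-CMSoftwareUpdateAutoDeploymentRule @adr

# Equivalent of right-clicking the rule and choosing Run Now.
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $adr.Name
```

Keeping the rule definition in a script under version control gives you a record of who changed notification, deadline or product scope settings and when.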

Click on the link to see how to create an SCCM Automatic Deployment Rule for Windows Updates.

SCCM ADR for SCEP Conclusion

Creating an Automatic Deployment Rule in SCCM 2012 R2 for SCEP Definition Deployment is a straightforward process that can save administrators valuable time. Once you set up the Automatic Deployment Rule, the updates will deploy to your client computers without any manual intervention.