Not planned
Intel® Management Engine Critical Firmware Update (Intel SA-00086)
Any chance we'll be getting a package for this Intel detection tool so we can run it against all our systems?
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
Comments
Hey there Steve,
Looks like we won't be able to get this up and running with any speed as the License Agreement is pretty clear and the only way around is a written agreement between Intel and us:
In the past, Colby put together some useful tools you can try to use from the last time Intel did a whoops https://support.pdq.com/hc/en-us/community/posts/115000035311-Intel-Active-Management-Technology
I'm working on a package for ya. They won't be able to provide it in the library. But that doesn't mean that I can't put an XML document here for you to import if you download the binaries :).
I'm testing it now, give me about an hour to polish it up and post.
Ok here's a PDQ Package that seems to do the trick. NOTE: I do tattoo the registry with this, but it's for a cool purpose I'll get to in a second.
Deploy Package:
Now, onto the Inventory Side of things.
First you'll need a Registry Scanner:
And then Some collections:
This is useful cause once you deploy a patch you can create a package and set a condition like this:
Or, you know, just Select that Collection when picking your targets. This is a good excuse to use that new feature though.
Awesome, thanks! It's worked on most machines I've tested it on so far. A few are getting an error from the detection tool, I believe it's because the hardware isn't found. We have some older machines out there. But a few have also got this PowerShell error.
Invoke-Expression : Exception calling "Load" with "1" argument(s): "The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters."
At C:\WINDOWS\AdminArsenal\PDQDeployRunner\service-1\exec\Error Handling Wrapper.ps1:39 char:1
+ Invoke-Expression "& '.\$($Parameters[0])' $($Parameters[1])"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-Expression], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException,Microsoft.PowerShell.Commands.InvokeExpressionCommand
Thank you Stephen, I was working on something similar yesterday. I'm curious, why did you choose to disable the detection tool's registry logging? It logs a bunch of useful stuff like System Risk and ME Version.
I'm trying to write a blog about this today, so I want to figure out the best way to go about it.
@Steve Cain: My guess is that those systems have a matching file buried deep in the Temp folder. You can add a line below Line 1 to see what it's trying to load.
I initially wrote the script as something not to be used with PDQ products, and to dump the XML data to a central location on a network share.
I just pieced that apart to come up with what I did to work with PDQ without going back to the drawing board.
Really, it's probably a better idea to use the -r switch and dump details to the registry.
Ah, Ok.
I had a few issues with false negatives: one of my systems didn't report "is" vulnerable, it reported "may be" vulnerable, so I have made a change to the PowerShell and added a switch statement with a regex switch to do the search. I also added a few steps to remove the registry keys to allow the script to be run multiple times, as when trying this before the PowerShell was failing because the regkey was already in place. You will need to tweak the collections to catch the different statuses.
0 for not vulnerable
1 for is vulnerable
2 for may be vulnerable
3 for could not be determined
I also had to expand the filter in the search for the xml file from "SA*.xml" to "SA-00086*.xml" as my first test uncovered several xmls with similar names which caused the PowerShell search to fail.
# Locate the detection tool's report by its full path. Using FullName (not Name) means a report in a
# subfolder still loads, and -First 1 after sorting newest-first means several similarly named reports
# can never be joined into one over-long path string.
$xmlPath = Get-ChildItem -Path C:\Windows\Temp -Recurse -Filter SA-00086*.xml -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -ExpandProperty FullName
$risk = ''
if ($xmlPath)
{
    $xml = New-Object -TypeName xml
    $xml.Load($xmlPath)
    $risk = $xml.System.System_Status.System_Risk
}
Write-Output "$risk Flag set in HKLM:\Software\Intel."
# Remove any key left behind by a previous run so the script can be run repeatedly.
if ((Test-Path -Path 'HKLM:\Software\Intel\SA-00086'))
{
    Write-Host 'SA-00086 exists at HKLM:\Software\Intel\SA-00086'
    Remove-Item -Path 'HKLM:\Software\Intel\SA-00086' -Recurse
}
if ((Test-Path -Path 'HKLM:\SOFTWARE\Wow6432Node\Intel\SA-00086'))
{
    Write-Host 'SA-00086 exists at HKLM:\SOFTWARE\Wow6432Node\Intel\SA-00086'
    Remove-Item -Path 'HKLM:\SOFTWARE\Wow6432Node\Intel\SA-00086' -Recurse
}
# Map the System_Risk text to a numeric flag the Inventory collections can filter on:
# 0 = not vulnerable, 1 = is vulnerable, 2 = may be vulnerable, 3 = could not be determined.
# The three patterns are mutually exclusive, so only one arm (or default) runs.
switch -regex ($risk)
{
    'This system may be vulnerable'
    {
        Write-Host "This system may be vulnerable"
        New-Item -Path 'HKLM:\Software\Intel' -Name 'SA-00086' | Out-Null
        New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 2 | Out-Null
    }
    'This system is vulnerable'
    {
        Write-Host "This system is vulnerable"
        New-Item -Path HKLM:\Software\Intel -Name SA-00086 | Out-Null
        New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 1 | Out-Null
    }
    'This system is not vulnerable'
    {
        Write-Host "This system is not vulnerable"
        New-Item -Path HKLM:\Software\Intel -Name SA-00086 | Out-Null
        New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 0 | Out-Null
    }
    default
    {
        Write-Host 'State could not be determined...'
        New-Item -Path HKLM:\Software\Intel -Name SA-00086 | Out-Null
        New-ItemProperty -Path HKLM:\Software\Intel\SA-00086 -Name Vulnerable -Value 3 | Out-Null
    }
}
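The script above, the "path too long" error quoted earlier, and the four status codes listed in this post all come down to two steps: find exactly one report file, then classify its System_Risk text. The following is an added example, not code from any poster, from PDQ or from Intel. It assumes the element path System/System_Status/System_Risk used in the thread and the HKLM:\Software\Intel\SA-00086 key; the sample report is constructed and does not reproduce real detection-tool output. It also records one plausible cause of the 260-character error (an assumption, not something the thread confirms): when Get-ChildItem returns several files, interpolating the array into "C:\Windows\Temp\$xmlName" joins the names with spaces into one very long path.

```powershell
# Added example (not from the original thread, PDQ or Intel): classify a detection-tool
# report into the 0-3 codes used in the thread, locating the file by full path so that
# nested or multiple matches cannot break XmlDocument.Load().

function Get-SA00086RiskCode {
    param([string]$RiskText)
    # 0 not vulnerable, 1 is vulnerable, 2 may be vulnerable, 3 could not be determined.
    # switch -regex is case-insensitive and, without 'return', would keep evaluating arms,
    # so every arm returns. The three patterns cannot match the same sentence.
    switch -regex ($RiskText) {
        'is not vulnerable' { return 0 }
        'is vulnerable'     { return 1 }
        'may be vulnerable' { return 2 }
        default             { return 3 }
    }
}

function Get-SA00086RiskText {
    param([xml]$Report)
    # Element path as used by the script in this thread.
    return $Report.System.System_Status.System_Risk
}

function Find-SA00086Report {
    param([string]$Root = 'C:\Windows\Temp')
    # FullName, never Name: a report in a subfolder resolves, and -First 1 guarantees a
    # single string. Interpolating an array of several names into one path is assumed
    # to be one way of hitting the "fully qualified file name must be less than 260
    # characters" error quoted above.
    Get-ChildItem -Path $Root -Recurse -Filter 'SA-00086*.xml' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

# Constructed sample report mirroring only the element path used above.
$sampleReport = [xml]@"
<System>
  <System_Status>
    <System_Risk>This system may be vulnerable.</System_Risk>
  </System_Status>
</System>
"@
$sampleCode = Get-SA00086RiskCode -RiskText (Get-SA00086RiskText -Report $sampleReport)
Write-Output "Constructed sample report classifies as code $sampleCode"

# Real run on the local machine: newest report wins; a missing report records code 3.
$reportPath = Find-SA00086Report
if ($reportPath) {
    $doc = New-Object -TypeName xml
    $doc.Load($reportPath)
    $code = Get-SA00086RiskCode -RiskText (Get-SA00086RiskText -Report $doc)
} else {
    $code = 3
}

# Idempotent registry write, so the package can be re-run without deleting the key first.
$key = 'HKLM:\Software\Intel\SA-00086'
if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name Vulnerable -Value $code -Type DWord
Write-Output "Recorded Vulnerable=$code under $key"
```

Set-ItemProperty overwrites an existing value, which is why this version does not need the Remove-Item steps from the post above; the Inventory collections keyed on Vulnerable 0-3 work unchanged.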
Are there any steps on how to get this code into PDQ Deploy? Create a new package, but which of these would I paste this code into?
You can just copy the above and save it as an XML file and then go to File > Import and select the XML and it will put the package together for you.
@John,
You'll want to save each one as an XML file and then import (File > Import) those files into Deploy or Inventory. Some of those are packages and some are collections. You'll want to look at each to see what it is before trying to import a collection into Deploy or a package into Inventory. Nothing terrible will happen, but Deploy or Inventory will squawk a little bit at you.
Thank you both! I imported the PDQ Deploy one, needed to upgrade to version 15 first. Then imported the other two into PDQ inventory.
PDQ Deploy is running the script and I see some showing up under successful now. How long before I should see some stats under PDQ Inventory? I see it try to update occasionally but still show 0
Sorry I found it under "Scan Collection" in PDQ Inventory. Thanks again for this great script!
@colby, I'm trying to follow the recipe you posted on the blog today, but in step 8 I can't see the new scan profile in PDQ Deploy. It does appear in PDQ Inventory. I tried restarting both services on the central server to no avail.
Is there anything I need to do to make PDQ Inventory scan profiles visible to PDQ Deploy?
Thanks,
- Joe
PS I also was unable to post a comment directly on the blog. It wants an e-mail address to submit, but no such field is shown.
@Joe Stern
Which version and license mode are you using for each product?
I submitted a ticket about the blog comment issue. Thank you for letting us know.
@Colby Bouma -- Deploy is 15.3.0.0 Enterprise, Inventory is 14.3.0.0 Enterprise
@Joe - Did you create a collection after creating your scan profile? Scan profiles gather information in order to build collections, and Deploy will see the collections but not the scan profiles themselves. Clear as mud? :)
@Katie Sorenson
Joe is talking about this blog: https://www.pdq.com/blog/intel-sa-00086/
@Joe Stern
Did you import those files on a Client console?
@Colby Bouma,
Yes, I imported everything on my admin workstation, which is running as a client console.
I followed the blog instructions and everything worked fine for me. Except Intel's test tool choking on some of our older HP machines. :D
The blog comment issue has been fixed.
I am unable to replicate your issue Joe. The "Intel SA-00086" scan profile is always available for me in the package dropdown.