Cleanup #ConfigMgr Software Update Groups via PowerShell

We use Automatic Deployment Rules (ADR) for Security Updates, other updates, Defender updates and 3rd party Software Update Catalogs. Since all these updates need to be tested through our internal rings, we use the option ‘Create a new Software Update Group’. So, if the ADR detects added updates it creates a new Software Update Group […]

‘Trend Micro Deep Security Agent’ prevents #ConfigMgr SMS_PROVIDERS component from updating

The Configuration Manager current branch (CMCB) shows errors for SMS_PROVIDERS every 60 minutes. The messages read: Message ID 1018: Site Component Manager is reinstalling this component on this site system; Message ID 1090: Site Component Manager could not stop the winmgmt service on site system; Message ID 1020: Site Component Manager failed to reinstall this component […]

Windows 10 1709/1804 Inbox App language

If you use Windows 10 language packs, the sources in the MultiLang-iso-files do not contain language updates for the Inbox Apps. In general, they should be updated by a scheduled task (Microsoft -> Windows -> Windows Update -> Automatic App Update), but this task requires the Store app to be accessible and the machine to […]

Detect Microsoft ADV170012 vulnerable machines via Configuration Manager

Yesterday Microsoft published a security advisory (ADV170012 - Vulnerability in TPM could allow Security Feature Bypass) that shows a key generation weakness in Infineon’s TPM chip firmware. To solve the issue, we first have to update the firmware of all vulnerable machines, so we have to identify them. As always, ‘Configuration Manager – Hardware Inventory’ can […]

VMware Workstation Pro Tech Preview 2017

VMware Workstation Pro Tech Preview 2017 is available. But even though it now supports Virtualization Based Security (VBS) features in Windows 10 guests, it still can’t be used on VBS-enabled Windows 10 hosts. So, in enterprises, VMware-based VMs still need to be converted to Hyper-V-based VMs.

Extend Configuration Manager Hardware Inventory with INTEL-SA-00075 discovery information

Intel discovery tool: Download the Intel discovery tool: If the Intel-SA-00075-console.exe is executed with ‘-c’, it creates registry entries for the scan result, e.g.

Extend hardware inventory: I used RegKeytoMOF 3.3 (credits to Mark Cochrane – with help from Skissinger, SteveRac, Jonas Hettich, Kent Agerlund & Barker) to create the mof-files to extend the […]

Virtualization Based Security vs. Thunderbolt DMA attacks

Direct Memory Access (DMA) attack. DMA: allows I/O devices to transfer data directly to or from memory without having the data handled by the CPU. DMA controller (DMAC): defines the operational mode interactions with CPU (system bus); DMAC does not control access to memory areas. First party DMA: peripherals can have their own DMAC, […]

Using Windows 10 internal rings in Workplaces changes

After the internal ring concept is implemented, it should be used for processing all changes in Workplace configuration: settings, standard applications, quality updates and feature updates. GPO: To test new settings in the rings, run ring-specific settings in separate GPOs, selected by WMI filters. Configuration Manager: To create collections based on the rings, the […]