Detect vulnerability in TPM (ADV170012) using ConfigMgr Compliance Settings

Introduction

On Patch Tuesday this month, Microsoft revealed a whopping vulnerability in some Infineon TPM chips: ADV170012

In the above article, Microsoft gives us some insight on the vulnerability itself, as well as how to detect and counter the vulnerability.

As for how to detect the vulnerability, they released a patch which writes an entry to the event log and highlights the vulnerability in TPM.msc.

They also released a PowerShell script, which they unfortunately don’t go into much detail about. They tell us to use PSRemoting to query multiple computers and nothing else.

So, how about using ConfigMgr to detect whether our computers are vulnerable or not? Compliance Settings to the rescue!

I rewrote their script to return $true or $false instead, making it usable for detecting compliance or non-compliance.

So, following is my edition of the script, and how to set up the CI in ConfigMgr.

Configuration

<#
.DESCRIPTION
    Detect if Infineon TPM is vulnerable to Microsoft ADV170012 through Compliance Settings in ConfigMgr.
    Returns $True when compliant (no TPM, non-Infineon TPM, unknown firmware version, or a safe
    Infineon firmware) and $False when the Infineon firmware is affected.

.NOTES
    FileName:    CIDetectTPM.ps1
    Author:      Martin Bengtsson
    Created:     14-10-2017
#>

$IfxManufacturerIdInt = 0x49465800 # 'IFX'

function IsInfineonFirmwareVersionAffected ($FirmwareVersion)
{
    # Compare as integers: the parts produced by -split are strings, and a string
    # comparison would rank "5" above "33" and misclassify e.g. 4.5 as safe
    $FirmwareMajor = [int]$FirmwareVersion[0]
    $FirmwareMinor = [int]$FirmwareVersion[1]
    switch ($FirmwareMajor)
    {
        4 { return ($FirmwareMinor -le 33) -or ($FirmwareMinor -ge 40 -and $FirmwareMinor -le 42) }
        5 { return $FirmwareMinor -le 61 }
        6 { return $FirmwareMinor -le 42 }
        7 { return $FirmwareMinor -le 61 }
        133 { return $FirmwareMinor -le 32 }
        default { return $False }
    }
}

function IsInfineonFirmwareVersionSusceptible ($FirmwareMajor)
{
    switch ([int]$FirmwareMajor)
    {
        4 { return $True }
        5 { return $True }
        6 { return $True }
        7 { return $True }
        133 { return $True }
        default { return $False }
    }
}

# Get-Tpm throws on systems without a TPM; suppress the error so the script still returns a value
$Tpm = Get-Tpm -ErrorAction SilentlyContinue

if (!$Tpm)
{
    # No TPM found on this system, so the issue does not apply here
    Return $True
}

$ManufacturerIdInt = $Tpm.ManufacturerId
$FirmwareVersion = $Tpm.ManufacturerVersion -split "\."

if ($ManufacturerIdInt -ne $IfxManufacturerIdInt)
{
    # This non-Infineon TPM is not affected by the issue
    Return $True
}

if ($FirmwareVersion.Length -lt 2)
{
    # Could not get the TPM firmware version from this TPM
    Return $True
}

if (IsInfineonFirmwareVersionSusceptible $FirmwareVersion[0])
{
    if (IsInfineonFirmwareVersionAffected $FirmwareVersion)
    {
        # This Infineon firmware version is not safe; the firmware must be updated
        Return $False
    }
    else
    {
        # This Infineon firmware version is safe
        Return $True
    }
}
else
{
    # This Infineon firmware major version is not in the susceptible list
    Return $True
}

  • Create a new CI. Give it a name and enable it to run on all Windows Desktops and Servers (Custom)

  • At the Specify settings for this OS page, click New

  • In the Create Setting page, select Script and Boolean. Insert my script from above in Edit Script

  • In the Create Rule page, select the newly created CI

  • Add the completed Configuration Item to a Configuration Baseline and deploy to selected collections
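Before the baseline reaches real clients it is worth checking the firmware classification offline. The following PowerShell self-test is an added example (mine, not part of the original post or of Microsoft's script); it assumes only the version table used above, and every version string in it is constructed.

```powershell
# Added example: exercises the ADV170012 Infineon firmware classification against
# constructed version strings. Major/minor are parsed as integers; comparing the raw
# strings from -split would rank "5" above "33" and misclassify e.g. 4.5 as safe.

function Test-InfineonFirmwareAffected {
    param([string]$ManufacturerVersion)
    $parts = $ManufacturerVersion -split '\.'
    if ($parts.Count -lt 2) { return $null }   # version unknown: the CI treats this as compliant
    $major = 0; $minor = 0
    if (-not ([int]::TryParse($parts[0], [ref]$major) -and [int]::TryParse($parts[1], [ref]$minor))) {
        return $null                            # non-numeric version: unknown as well
    }
    switch ($major) {
        4       { return ($minor -le 33) -or ($minor -ge 40 -and $minor -le 42) }
        5       { return $minor -le 61 }
        6       { return $minor -le 42 }
        7       { return $minor -le 61 }
        133     { return $minor -le 32 }
        default { return $false }                # major not in the susceptible list
    }
}

# Constructed sample inputs with the verdict the version table gives them
$cases = @(
    @{ Version = '4.5';    Expected = $true  }   # 4.x with minor <= 33: affected
    @{ Version = '4.34';   Expected = $false }   # 4.34 - 4.39: fixed
    @{ Version = '4.40';   Expected = $true  }   # 4.40 - 4.42: affected again
    @{ Version = '5.62';   Expected = $false }
    @{ Version = '7.61';   Expected = $true  }
    @{ Version = '133.33'; Expected = $false }
    @{ Version = '8.0';    Expected = $false }   # major not in table: not susceptible
    @{ Version = '5';      Expected = $null  }   # no minor part: version unknown
)

$failures = 0
foreach ($c in $cases) {
    $actual = Test-InfineonFirmwareAffected $c.Version
    $ok = ($actual -eq $c.Expected)
    if (-not $ok) { $failures++ }
    '{0,-8} affected={1,-6} expected={2,-6} {3}' -f $c.Version, $actual, $c.Expected, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
"$failures mismatch(es)"
```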

Summary

  • Looking directly at the client, on the Configurations tab of the ConfigMgr client, you will see either a compliant or a non-compliant state

  • For a better summary of compliance, I personally like to create collections. Go to the deployment of the Configuration Baseline and right-click it. Below are your options for creating additional collections

  • The net result is a set of collections whose memberships clearly tell the compliance state of the TPM vulnerability

Download my CI and baseline here: https://www.imab.dk/mab/CB_TPMVulnerability_Status.zip

Enjoy 😎

 

Switch Office 365 ProPlus update channel using the Software Center in SCCM (System Center Configuration Manager)

Introduction

Following is a post on how I let (some) of our users decide whether they want to roll on the Current Channel (now called Monthly) or the Deferral Channel (Now called Semi-Annual and Broad) for Office 365 ProPlus.

According to numerous blogs on the web, there are several ways of doing this: modifying the registry, GPO, reinstalling Office, or rerunning setup.exe from the Office Deployment Tool (ODT).

I’ve chosen to go with the last option and modify the channel through setup.exe from the ODT. (I spent some time on GPO and modifying the registry without the expected results. Using setup.exe, however, gives you visibility and a method that yields results right away.)

Configuration

  • Go ahead and download the Office Deployment Tool (ODT) if you haven’t already. Link: Download Office 2016 Deployment Tool
  • Create two new .xml files containing the following content (one for each channel switch)

Semi-Annual channel (also called Deferred or Broad):

<Configuration>
	<Updates Channel="Deferred" />
</Configuration>

Monthly channel (also called Current):

<Configuration>
	<Updates Channel="Monthly" />
</Configuration>

  • Put the .xml files in the folder next to setup.exe from the Office Deployment Tool (ODT)
  • Create two .bat files containing the following content (one for each channel switch)
    • I’m deleting the current registry values responsible for setting the channel prior to making the actual switch. This is due to some weirdness I’ve been seeing where the values are not properly updated.

SetDeferred.bat:

@echo off
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v CDNBaseUrl /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateChannel /f
"%~dp0setup.exe" /configure "Deferred.xml"
"%CommonProgramFiles%\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user

SetMonthly.bat:

@echo off
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v CDNBaseUrl /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration /v UpdateChannel /f
"%~dp0setup.exe" /configure "Monthly.xml"
"%CommonProgramFiles%\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user
  • Put the two .bat files into the same folder and copy the content to the content library you use in ConfigMgr (wherever that may be; this is pretty standard, so I’m not going into details here)
  • Create two new Applications in ConfigMgr with a Deployment Type set to Script Installer. Below are the snippets from the Create New Application process.

  • Set the previously created .bat files as the installation program (SetDeferred.bat)

  • Detection rules for the applications will be the corresponding registry values. The CDNBaseUrl value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (the value the .bat files clear before running setup.exe) changes when the channel is switched:

Monthly Channel: http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60

Deferred Channel: http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114

  • Distribute the content of the newly created applications to your preferred distribution points (groups), and deploy the applications.
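As an added example (mine, not from the original post), here is a PowerShell function that resolves the active channel from the CDNBaseUrl value the .bat files reset, keyed on the two channel GUIDs listed above; it can double as the script detection method for each application. The function name is my own, and the two URL values passed at the end are constructed from the post's GUIDs.

```powershell
# Added example: map the Click-to-Run CDNBaseUrl value to an update channel name
# using the two channel GUIDs from the post. Returns 'Unknown' when Office
# Click-to-Run is absent, the value is missing (e.g. mid-switch, after the .bat
# deleted it), or the GUID is not one of the two we manage.

$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$ChannelByGuid = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly'    # Current / Monthly channel
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Deferred'   # Deferred / Semi-Annual channel
}

function Get-OfficeUpdateChannel {
    param([string]$CdnBaseUrl)   # pass a value explicitly to test offline; otherwise read the registry
    if (-not $PSBoundParameters.ContainsKey('CdnBaseUrl')) {
        $props = Get-ItemProperty -Path $ConfigKey -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.CDNBaseUrl) { return 'Unknown' }
        $CdnBaseUrl = $props.CDNBaseUrl
    }
    # The channel identity is the trailing GUID of the CDN URL, whatever the scheme or host
    if ($CdnBaseUrl -match '([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$') {
        $guid = $Matches[1].ToLower()
        if ($ChannelByGuid.ContainsKey($guid)) { return $ChannelByGuid[$guid] }
    }
    return 'Unknown'
}

# Constructed values mirroring the two URLs from the post
Get-OfficeUpdateChannel 'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60'   # Monthly
Get-OfficeUpdateChannel 'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'   # Deferred
Get-OfficeUpdateChannel 'http://officecdn.microsoft.com/pr/not-a-channel-we-manage'                # Unknown

# Detection-script use for the SetDeferred application: ConfigMgr treats any
# output (with exit code 0) as "installed", and no output as "not installed"
if ((Get-OfficeUpdateChannel) -eq 'Deferred') { 'Deferred channel active' }
```

For the SetMonthly application, the same block applies with 'Monthly' in the final comparison.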

Summary

Running the applications will result in either an upgrade or a downgrade of Office 365 ProPlus. This is followed by a series of windows which take you through the process for the new channel you have switched to.

This is something I have deployed internally in the IT department, enabling them to easily switch between the channels.

Enjoy! 😎

References:
https://support.microsoft.com/en-us/help/3185078/how-to-switch-from-deferred-channel-to-current-channel-for-the-office
https://blogs.technet.microsoft.com/odsupport/2017/05/10/how-to-switch-channels-for-office-2016-proplus/