Fixes – Page 2 – SCCMOG – Deployment Blog

6th March 2017

SCCM WSUS Proxy – Allow Basic Authentication

I was at a clients today and came across the issue to do with Credentials for a proxy that are required to be sent as clear text. The exact tick box wording is:

“Allow Basic Authentication (password is sent in cleartext)”

Anyway after hunting around to find a solution for SCCM 2012 and above installations, I came to the conclusion that it would be quicker to write a script to check the configuration and change if it has been removed by SCCM. This script runs as a scheduled task and I have included the XML for that also below.

The Script:

################################################################################
# Author  : SCCMOG - Richie Schuster C5                                        #
# Website : www.sccmog.com                                                     #
# Usage   : .\Set-WSUSCredsNonSSL                                              #
# Version : 2.7                                                                #
# Created : 2014/07/17                                                         #
# Purpose : This script was created to be run as a scheduled task to reset the #
#         : "Allow Basic Authentication" in the proxy server settingd of WSUS  #
#         : as SCCM removes this setting while performaing maintanance tasks.  #
################################################################################


#Connect to WSUS Configuration
#Set WSUS server to connect to
$wsusserver = "SCCMOG-CM-01"

#Load required assemblies
[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

#Connect to WSUS Remote
#$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($wsusserver,$false)
#Connect to WSUS Local
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer()

#$WSUS | FL *
#$WSUS | Get-Member

$Config = $wsus.GetConfiguration()
$CurrentSetting = $Config.AllowProxyCredentialsOverNonSsl

If ($CurrentSetting -ne $true){
    Write-Host "Incorrect... Correcting!" -ForegroundColor Yellow
    $Config.AllowProxyCredentialsOverNonSsl = $true
    $Config.Save()
    Exit 0
    }
Else {
    Write-Host "Still Correct!" -ForegroundColor Green
    Exit 0
    }

################################################################################

################################################################################

# Author : SCCMOG - Richie Schuster C5 #

# Website : www.sccmog.com #

# Usage : .\Set-WSUSCredsNonSSL #

# Version : 2.7 #

# Created : 2014/07/17 #

# Purpose : This script was created to be run as a scheduled task to reset the #

# : "Allow Basic Authentication" in the proxy server settingd of WSUS #

# : as SCCM removes this setting while performaing maintanance tasks. #

################################################################################

#Connect to WSUS Configuration

#Set WSUS server to connect to

$wsusserver = "SCCMOG-CM-01"

#Load required assemblies

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

#Connect to WSUS Remote

#$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($wsusserver,$false)

#Connect to WSUS Local

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer()

#$WSUS | FL *

#$WSUS | Get-Member

$Config = $wsus.GetConfiguration()

$CurrentSetting = $Config.AllowProxyCredentialsOverNonSsl

If ($CurrentSetting -ne $true){

Write-Host "Incorrect... Correcting!" -ForegroundColor Yellow

$Config.AllowProxyCredentialsOverNonSsl = $true

$Config.Save()

Exit 0

}

Else {

Write-Host "Still Correct!" -ForegroundColor Green

Exit 0

}

################################################################################

The Scheduled Task XML to be imported:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2017-03-06T20:11:59.7036984</Date>
    <Author>LAB\SCCM-Admin</Author>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2017-03-06T20:13:05</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>Powershell.exe</Command>
      <Arguments>-Executionpolicy Bypass -file E:\Change\ToYourLocation\Set-WSUSCredsNonSSL.ps1</Arguments>
    </Exec>
  </Actions>
</Task>

<?xml version="1.0" encoding="UTF-16"?>

<Author>LAB\SCCM-Admin</Author>

</RegistrationInfo>

<StopAtDurationEnd>false</StopAtDurationEnd>

</Repetition>

</TimeTrigger>

</Triggers>

<RunLevel>HighestAvailable</RunLevel>

</Principal>

</Principals>

<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

<StartWhenAvailable>false</StartWhenAvailable>

<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>

<RestartOnIdle>false</RestartOnIdle>

</IdleSettings>

<Hidden>false</Hidden>

<RunOnlyIfIdle>false</RunOnlyIfIdle>

<WakeToRun>false</WakeToRun>

</Settings>

<Exec>

<Command>Powershell.exe</Command>

<Arguments>-Executionpolicy Bypass -file E:\Change\ToYourLocation\Set-WSUSCredsNonSSL.ps1</Arguments>

</Exec>

</Actions>

</Task>

3rd March 20173rd March 2017

Disable or Enable Sophos Services PowerShell Script

I was working at a clients the other month and was getting frustrated with Sophos interfering with what I was try to accomplish.

Here is a quick script to Disable the Sophos services when needed and then Enable the Sophos services when you have finished. Commands are in the info of the script.

#########################################################################################################
#Script Name:   Disable/Enable Sophos                                                                   #
#Script Author: SCCMOG - Richie Schuster 03/03/2017 WWW.SCCMOG.COM                                      #
#########################################################################################################
#Script Usage: "Disable-Enable_Sophos.ps1 -Mode Disable" to disable and "-Mode enable" to enable.       #
#########################################################################################################
 
 #Install Mode Parameter
PARAM (
    [string]$MODE
)
 
#Sophos Service names
$SophosServices = @("Sophos Agent", "SAVService", "SAVAdminService",`
                    "Sophos AutoUpdate Service", "Sophos Device Control Service",`
                    "Sophos Message Router", "SntpService", "sophossps",`
                    "Sophos Web Control Service", "swi_service", "swi_update_64")

#If entry is input run script
If ($mode -ne $null){   
    #If Mode input is Enable - Enable sophos services
    If ($MODE -eq "Enable"){
        foreach ($Service in $SophosServices){
                Set-Service -Name $Service -StartupType Automatic
                start-Service -Name $Service -Force
                }
        }
    #If Model is Disable - Disable sophos  services
    If ($MODE -eq "Disable"){                
        foreach ($Service in $SophosServices){
                Set-Service -Name $Service -StartupType Disabled
                Stop-Service -Name $Service -Force
                }
        }
    #If mode input does not match inform user.
    Else{
        Write-host 'Incorrect Params please format this way: "Disable-Enable_Sophos.ps1 -Mode Disable"`
                    to disable and "-Mode enable" to enable.'
    }
}
#If params are not specified then inform.
Else{
    Write-host 'Script Params must be used : "Disable-Enable_Sophos.ps1 -Mode Disable" to disable and`
               "-Mode enable" to enable.'
    }
#########################################################################################################

#########################################################################################################

#Script Name: Disable/Enable Sophos #

#Script Author: SCCMOG - Richie Schuster 03/03/2017 WWW.SCCMOG.COM #

#########################################################################################################

#Script Usage: "Disable-Enable_Sophos.ps1 -Mode Disable" to disable and "-Mode enable" to enable. #

#########################################################################################################

#Install Mode Parameter

PARAM (

[string]$MODE

)

#Sophos Service names

$SophosServices = @("Sophos Agent", "SAVService", "SAVAdminService",`

"Sophos AutoUpdate Service", "Sophos Device Control Service",`

"Sophos Message Router", "SntpService", "sophossps",`

"Sophos Web Control Service", "swi_service", "swi_update_64")

#If entry is input run script

If ($mode -ne $null){

#If Mode input is Enable - Enable sophos services

If ($MODE -eq "Enable"){

foreach ($Service in $SophosServices){

Set-Service -Name $Service -StartupType Automatic

start-Service -Name $Service -Force

}

#If Model is Disable - Disable sophos services

If ($MODE -eq "Disable"){

foreach ($Service in $SophosServices){

Set-Service -Name $Service -StartupType Disabled

Stop-Service -Name $Service -Force

}

#If mode input does not match inform user.

Else{

Write-host 'Incorrect Params please format this way: "Disable-Enable_Sophos.ps1 -Mode Disable"`

to disable and "-Mode enable" to enable.'

}

#If params are not specified then inform.

Else{

Write-host 'Script Params must be used : "Disable-Enable_Sophos.ps1 -Mode Disable" to disable and`

"-Mode enable" to enable.'

}

#########################################################################################################

6th November 2016

Error 0x80070193 – Automatic Deployment Rules Software Updates (ADR) SCCM

So the other day… I was setting up one of my clients Automatic Deployment Rules (ADR) for SCEP Definition Updates. Everything went fine until I went to run the rule and I saw “HttpSendRequest failed HTTP_STATUS_FORBIDDEN or HTTP_STATUS_DENIED” followed by “ERROR: DownloadContentFiles() failed with hr=0x80070193” in the PatchDownloader.Log file.

PatchDownloader.Log error 80070193 — ERROR: DownloadContentFiles() failed with hr=0x80070193

This was a shock as this error usually only occurs when the traffic is blocked by a proxy server and at this customer site I was told to bypass the proxy using DNS host targeting.

After some trial and error it dawned on me. The System account of the machine must still be pointing to the clients proxy or using a PAC file. So I grabbed my trusty tool PSEXEC and spawned a CMD as System using a CMD as Administrator and the command: “PSEXEC.EXE -I -S CMD”

psexec_systemcmd — PSEXEC to launch CMD as “System”

After this I navigated to “c:\Program Files (x86)\Internet Explorer” and launched “Iexplore.exe”.

Then I navigated in IE to Tools, Internet Options and finally LAN Settings, and her presto there it was, it was grabbing a PAC file!

So I checked if I could browse to MSN and sure enough I was blocked.

With Automatically detect Settings enabled

So I unticked the box, restarted IE from the System CMD and tried again… MSN! First time I think I had ever been happy to see that laggy page!

Without Automatically detect settings enabled.

Jumped back into ConfigMgr (SCCM) and ran my ADR rule to find all definitions downloading successfully. Hope that’s helps someone out!

Successfully downloading definition patches!