On November 20, Intel released details of a new vulnerability in the Intel Management Engine. They provided a detection tool to tell you if your device was vulnerable, but no real way of deploying or monitoring the results on multiple devices (or in the case of some organizations, thousands of devices).
This post will detail one way to use ConfigMgr to deploy the detection tool and collect the results. The same process will likely work for other vulnerabilities whose detection tools report their results the same way. For more information on this vulnerability, see this notice from Intel: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr.
This post will only detail how to detect which of your devices are vulnerable. See the Intel security post for details on how to patch the vulnerability.
The detection tool from Intel writes a series of registry keys to a computer. We will use a ConfigMgr package to deploy and execute the tool on a schedule, then use a ConfigMgr Configuration Item and Baseline to pick up the resulting registry keys.
The detection tool is available from here: https://downloadcenter.intel.com/download/27150. Download and extract the ZIP file.
Create ConfigMgr Package
I am creating this as a package instead of an application. Scheduling when to run the tool is easier with a package, as is running the tool more than once. Once the download from Intel is extracted, copy the “DiscoveryTool” folder to your ConfigMgr software source location.
Create a ConfigMgr package. I won’t go through all the wizard, but only the highlights of the things you should set.
First, your package will require a program. The command line to run the tool is this (note that the parameters use two dashes):
Intel-SA-00086-console.exe --noconsole --delay 0
It’s two dashes before each parameter. Double dashes do not always display correctly on web pages, so check them carefully when you paste the command line.
You’ll also want to set the program to run hidden and set it so it can run “Whether or not a user is logged on”.
On the next screen of the wizard, I suggest setting the “Maximum allowed run time” to 15 minutes.
Once the package is created, I suggest ensuring that the “Suppress program notifications” box is checked on the Advanced tab of the program options. This will prevent notifications from appearing and prevent an option to run this package from showing up in Software Center.
When you deploy the package, make sure the deployment purpose is set to “Required”. The scheduling section is also important. I would suggest setting a date and time for the deployment to expire, even if it’s months in the future. The assignment schedule matters as well: I suggest creating a schedule and configuring the recurrence pattern. If you want something more frequent than weekly, use a custom interval.
After you have the schedule, you MUST change the rerun behavior to “Always rerun program”.
Also, if you have maintenance windows set for any device, either be sure to set the schedule to within this window, or check the “Software Installation” box on the next screen of the deployment wizard.
ConfigMgr Configuration Item
Now that we have the package, we need to create our configuration item. To do that, go to “Configuration Items” under Compliance Settings. Create a new one and give it a name. I suggest something like “Intel Vulnerability SA-00086”. Leave the other options on the first page of the wizard alone, as well as those on the second page, where you can limit it to specific operating systems.
On the Settings page, click “New” and give it a name. I suggest “Intel Vulnerability SA-00086 System Status”. We’ll keep the “Setting type” set to “Registry value”. Set “Data type” to string. Here’s the key we’re targeting (goes in the “Key name” box):
SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status
The “Value Name” field should be “System Risk” and the “This registry value is associated with a 64-bit application” should be checked.
Now we can flip to the “Compliance Rules” tab and create a new rule. Give the rule a name; I suggest “Not Vulnerable”. Everything else on this page is left at its default. Type “This system is not vulnerable.” (note the trailing period) in the “the following values” box.
After you’ve set this, click all the way through the wizard and create the configuration item.
Now that we have the configuration item, just add it to a baseline and deploy it. I suggest creating a custom schedule that matches your package deployment; if you rerun the package every day, run the configuration baseline every day a little while after the package runs.
With the configuration item set up this way, a “compliant” machine is one the tool reports as not vulnerable, while a “non-compliant” machine is one the tool reports as vulnerable (or one where the tool has not yet written the registry value, so check that the package has actually run before treating a non-compliant result as confirmed). You can use ConfigMgr reports to see your compliance status, or build collections in the console to show compliance.
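As an added example (not code from the original post, from Intel, or from ConfigMgr), here is a PowerShell script that evaluates the same registry value the configuration item above targets and reports it in the same terms. It is useful for checking a single machine after the package has run, or as a script-based alternative to the registry-value configuration item. It assumes the discovery tool has already been executed on the machine, and, since the post only gives the “not vulnerable” string, it treats any other “System Risk” value as non-compliant; a missing key or value is reported as “NotScanned” so it is not mistaken for a vulnerable device.

```powershell
# Added example: read the INTEL-SA-00086 discovery tool result from the registry
# and classify it the way the ConfigMgr Configuration Item in the post does.
# Assumptions (not from the post): any "System Risk" string other than the
# "not vulnerable" one means vulnerable; a missing key/value means the tool has
# not run on this machine yet.

$KeyPath   = 'SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status'
$ValueName = 'System Risk'
$NotVulnerableText = 'This system is not vulnerable.'   # note the trailing period

function Get-Sa00086Status {
    # Open the 64-bit registry view explicitly. This is the same reason the CI
    # ticks "This registry value is associated with a 64-bit application": if the
    # script runs in a 32-bit PowerShell host, a plain HKLM:\SOFTWARE path would be
    # redirected to WOW6432Node and the key written by the tool would not be found.
    $risk = $null
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $base.OpenSubKey($KeyPath)
        if ($null -eq $key) {
            # Key absent: the discovery tool has not run (or failed) on this box.
            return [pscustomobject]@{ State = 'NotScanned'; SystemRisk = $null }
        }
        try {
            $risk = $key.GetValue($ValueName)
        }
        finally {
            $key.Close()
        }
    }
    finally {
        $base.Close()
    }

    if ($null -eq $risk) {
        # Key exists but the value does not: treat as not scanned rather than vulnerable.
        return [pscustomobject]@{ State = 'NotScanned'; SystemRisk = $null }
    }

    # -ceq is a case-sensitive, exact string comparison, matching the literal
    # text (including the period) that the CI compliance rule expects.
    $state = if ($risk -ceq $NotVulnerableText) { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]@{ State = $state; SystemRisk = $risk }
}

$result = Get-Sa00086Status

# Human-readable detail for interactive use; the final line alone is what a
# script-based CI would compare against its expected value ("Compliant").
Write-Host ("System Risk: {0}" -f ($(if ($null -eq $result.SystemRisk) { '<not present>' } else { $result.SystemRisk })))
Write-Output $result.State
```

Run it in an elevated PowerShell session on a device after the package has executed. If it prints “NotScanned”, the package has not run yet (or was blocked, for example by a maintenance window), which is worth distinguishing from a genuinely vulnerable device before you act on the compliance reports.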
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.