CI – Check for a registry value.

Hey! Sooner or later someone from upper management will come to you and ask whether you can check if your machines are infected, where the indicator is a registry key (often left by a virus). They will also ask for a nice report of the result. So how do you do it? In my opinion, this is the best way: a Configuration Item. In this case I am checking whether "HKLM:\Software\Classes\MJ" exists or not.

1. First, go to your console -> Assets and Compliance -> Configuration Items

2. Right click and choose "Create Configuration Item"
3. Pick a good name for your CI

4. Go with the default settings: Next, Next, Summary, Close.

5. Right click on the CI, go to Properties > Settings and click New

6. Do the settings like this:
6.1 Name it "Check for a Registry Value"
6.2 Change Setting type to Script
6.3 Change Data type to String
6.4 Click on Discovery script
6.5 Set Script language to Windows PowerShell, then copy this:

function Get-RegistryKey
{
    [CmdletBinding()]
    param ()

    Process
    {
        Try {
            # Test-Path returns $true when the key exists and $false otherwise
            $Result = Test-Path -Path "HKLM:\Software\Classes\MJ"

            If ($Result) {
                $State = 1
            }
            Else {
                $State = 0
            }
        }
        Catch {
            # Error handling: nothing is assigned here, so on an unexpected error the
            # script outputs nothing and the compliance rule treats the setting as not found
        }

        # The discovery script's output is the value the CI setting reports back;
        # the compliance rule in step 9 compares it to 1
        $State
    }
}
Get-RegistryKey


6.6 Click OK
7. Go to the Compliance Rules tab

8. Click on New
9. Then change "the following values" to 1, and check the box "Report noncompliance if this setting instance is not found". Then click OK

10. Apply, Apply, OK.
11. Go to Configuration Baselines and choose Create Configuration Baseline

12. Name it "Check for a Registry Value"
13. Click on Add, then Configuration Item
14. OK.

15. Right click on the baseline, then Deploy

16. Do the settings like this:
16.1 Check "Remediate noncompliant rules when supported"
16.2 Check "Allow remediation outside the maintenance window"
16.3 Select the collection you want to run the script on.
16.4 Simple schedule, once every day.
16.5 OK.
17. Now we are done. The clients will report back whether the registry key exists or not.
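If you want the same CI to check a registry value rather than only the key, here is a generalised discovery script, added as an example (it is not the script from the post above). It returns "1" when the key exists and, if a value name is given, when that value holds the expected data, and "0" otherwise, so the compliance rule from step 9 (value equals 1) still applies. The key path is the one from the post; $IndicatorValue and $ExpectedData are placeholders I made up for illustration and are left empty to reproduce the post's key-only check.

```powershell
# Added example discovery script for the CI in this post (not the post's own script).
# Outputs the single string "1" (found) or "0" (not found); the setting's data type is String.
# $IndicatorKey is the key from the post. $IndicatorValue and $ExpectedData are
# constructed placeholders; leave them empty to check only that the key exists.
$IndicatorKey   = 'HKLM:\Software\Classes\MJ'
$IndicatorValue = ''   # e.g. 'InstallPath': name of a value that must also exist
$ExpectedData   = ''   # e.g. 'C:\Temp\mj.exe': data that value must hold

function Test-RegistryIndicator {
    param (
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$ValueName = '',
        [string]$Data = ''
    )
    try {
        # -LiteralPath stops characters such as '*' or '[' in a key name being treated as wildcards
        if (-not (Test-Path -LiteralPath $KeyPath)) { return '0' }
        if ([string]::IsNullOrEmpty($ValueName)) { return '1' }

        # Read all values under the key; -ErrorAction Stop makes failures catchable below
        $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
        $prop = $item.PSObject.Properties[$ValueName]
        if ($null -eq $prop) { return '0' }          # key exists but the value does not

        $actual = [string]$prop.Value
        if ([string]::IsNullOrEmpty($Data) -or $actual -eq $Data) { return '1' }
        return '0'                                   # value exists but holds other data
    }
    catch {
        # Any failure (for example access denied) outputs nothing at all, so the
        # "Report noncompliance if this setting instance is not found" option from
        # step 9 flags the client instead of it silently reporting "0".
        Write-Verbose "Registry query failed: $($_.Exception.Message)"
        return
    }
}

# The discovery script's output is what the CI setting reports back to the site
Test-RegistryIndicator -KeyPath $IndicatorKey -ValueName $IndicatorValue -Data $ExpectedData
```

Paste it into the Discovery script box in step 6.5 in place of the original and keep the compliance rule value at 1.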

I have also shared the files here, if you just want to import the CI:
CI – Check for a Registrykey

Thanks for reading.
/Pontus
