
11 October, 2021

Finding Symantec Endpoint Protection with SCCM SQL Query

In IT environments, particularly in enterprise settings, maintaining visibility over installed software is crucial for security and compliance. One commonly used tool for endpoint security is Symantec Endpoint Protection (SEP). To efficiently track installations of SEP across systems managed by SCCM, a structured SQL query can be employed. Below is a detailed breakdown of the SQL query designed to identify whether Symantec Endpoint Protection is installed on machines within a specified collection.

Purpose of the Query

This query is structured to perform the following tasks:

  1. Identify Machines with SEP Installed: It checks for computers that have Symantec Endpoint Protection installed.
  2. Report Non-Installation: It provides a report for computers that do not have the software installed.
  3. Focus on a Specific Collection: The query restricts its search to a designated collection (e.g., "All Systems Collection").

Code Explanation

The SQL query is built using several components to ensure comprehensive results. Let's break down each part:

    -- Declare parameters for user SIDs, product name, and collection ID
    Declare @UserSIDs as varchar(Max) = 'Disabled',
            @ProductName as varchar(50) = 'Symantec Endpoint Protection',
            @CollectionID as varchar(10) = 'SMS00001' -- All Systems Collection

  • Parameters:
    • @UserSIDs: This variable determines the visibility of the data based on the user's permissions.
    • @ProductName: This specifies the software we are searching for, in this case, Symantec Endpoint Protection.
    • @CollectionID: This identifies the specific collection of systems being queried (here, it targets all systems).

Main Query to Find Installed SEP

The first part of the query retrieves systems with Symantec Endpoint Protection installed:

    select Distinct
        RV.Netbios_Name0 as 'ComputerName',
        RV.User_Name0 as 'UserName',
        U.Full_User_Name0 as 'FullName',
        U.Mail0 as 'EmailAddress',
        U.telephoneNumber as 'PhoneNumber',
        P.ProductName0 as 'ProductName',
        P.ProductVersion0 as 'ProductVersion',
        'FoundStatus' = 'True'
    From fn_rbac_R_System_Valid(@UserSIDs) as RV
        join fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs) as P on P.ResourceID = RV.ResourceID
        join fn_rbac_R_User(@UserSIDs) as U on U.User_Name0 = RV.User_Name0
    Where RV.ResourceID in (
            select P.ResourceID
            from fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs) as P
            Where P.ProductName0 LIKE @ProductName
        )
        and P.ProductName0 LIKE @ProductName
        and RV.ResourceID in (
            select fcm.ResourceID
            from fn_rbac_FullCollectionMembership(@UserSIDs) as fcm
            where fcm.CollectionID = @CollectionID
        )

  • Select Clause: This retrieves a distinct list of fields related to the systems, including the computer name, user details, product name, and version, plus a constant FoundStatus column set to 'True'.
  • From Clause:
    • fn_rbac_R_System_Valid(@UserSIDs): This function returns valid resources based on user permissions.
    • fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs): This function returns the installed software for those valid resources.
    • fn_rbac_R_User(@UserSIDs): This function links the user details to the machines. Because it is an inner join on User_Name0, a machine with no recorded user does not appear in the result.
  • Where Clause:
    • Filters to find resources where the ProductName matches "Symantec Endpoint Protection". Since @ProductName contains no % or _ wildcard, LIKE behaves here as an exact match (case-insensitive under the site database's collation); a value such as 'Symantec Endpoint Protection%' would also match version-suffixed product names.
    • Additionally, it limits results to those within the specified collection.

Main Query to Find Non-Installed SEP

The second part of the query handles the identification of systems without SEP installed:

    UNION
    select Distinct
        RV.Netbios_Name0 as 'ComputerName',
        RV.User_Name0 as 'UserName',
        U.Full_User_Name0 as 'FullName',
        U.Mail0 as 'EmailAddress',
        U.telephoneNumber as 'PhoneNumber',
        'ProductName' = 'Not Found',
        'ProductVersion' = 'Not Found',
        'FoundStatus' = 'False'
    From fn_rbac_R_System_Valid(@UserSIDs) as RV
        join fn_rbac_R_User(@UserSIDs) as U on U.User_Name0 = RV.User_Name0
    Where RV.ResourceID not in (
            select P.ResourceID
            from fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs) as P
            Where P.ProductName0 LIKE @ProductName
        )
        and RV.ResourceID in (
            select fcm.ResourceID
            from fn_rbac_FullCollectionMembership(@UserSIDs) as fcm
            where fcm.CollectionID = @CollectionID
        )

  • UNION Clause: This combines results from both queries, ensuring that systems without SEP are included in the final report.
  • Select Clause: Similar to the previous section, but returns a status of "Not Found" for systems without the product installed.
  • Where Clause:
    • The not in subquery ensures only systems without the product are selected.
    • It also checks for systems within the specified collection.

Final Output and Ordering

    ORDER BY FoundStatus

The final output is ordered by FoundStatus, allowing systems with SEP installed to appear first in the results.
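The following PowerShell script is an added example, not code from the original post: it runs the inventory query explained above against the ConfigMgr site database from PowerShell, passes the three values as SqlClient parameters instead of an inline DECLARE, and turns the result into a coverage summary plus a CSV of systems without the product. The SQL Server name, database name and report path are placeholders, and the script assumes the caller's Windows account can read the site database.

```powershell
# Added example (not from the original post): run the SEP inventory query above
# against the ConfigMgr site database from PowerShell and summarise coverage.
# Assumptions, not given on the page: the SQL Server and database names below
# are placeholders, and the caller's Windows account can read the site database.
param(
    [string]$SqlServer    = 'SCCM-SQL01.example.local',            # placeholder
    [string]$Database     = 'CM_P01',                              # placeholder site DB
    [string]$ProductName  = 'Symantec Endpoint Protection',
    [string]$CollectionID = 'SMS00001',                            # All Systems
    [string]$ReportPath   = (Join-Path $env:TEMP 'sep-coverage.csv')
)

# Same shape as the post's query, with SqlClient parameters instead of an inline
# DECLARE. The inner join to fn_rbac_R_User is left out on purpose: an inner join
# drops machines that have no last-logon user, which would hide them from the
# "Not Found" list; user details can be joined back afterwards if needed.
$query = @'
SELECT DISTINCT RV.Netbios_Name0 AS ComputerName, RV.User_Name0 AS UserName,
       P.ProductName0 AS ProductName, P.ProductVersion0 AS ProductVersion,
       'True' AS FoundStatus
FROM fn_rbac_R_System_Valid(@UserSIDs) AS RV
JOIN fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs) AS P ON P.ResourceID = RV.ResourceID
WHERE P.ProductName0 LIKE @ProductName
  AND RV.ResourceID IN (SELECT fcm.ResourceID
                        FROM fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
                        WHERE fcm.CollectionID = @CollectionID)
UNION
SELECT DISTINCT RV.Netbios_Name0, RV.User_Name0, 'Not Found', 'Not Found', 'False'
FROM fn_rbac_R_System_Valid(@UserSIDs) AS RV
WHERE RV.ResourceID NOT IN (SELECT P.ResourceID
                            FROM fn_rbac_GS_INSTALLED_SOFTWARE(@UserSIDs) AS P
                            WHERE P.ProductName0 LIKE @ProductName)
  AND RV.ResourceID IN (SELECT fcm.ResourceID
                        FROM fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
                        WHERE fcm.CollectionID = @CollectionID)
ORDER BY FoundStatus
'@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$cmd = $conn.CreateCommand()
$cmd.CommandText    = $query
$cmd.CommandTimeout = 300
# 'Disabled' tells the fn_rbac_* functions to skip RBAC scoping, as in the post.
[void]$cmd.Parameters.AddWithValue('@UserSIDs',     'Disabled')
[void]$cmd.Parameters.AddWithValue('@ProductName',  $ProductName)
[void]$cmd.Parameters.AddWithValue('@CollectionID', $CollectionID)

$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Dispose()
}

$rows     = @($table.Rows | Select-Object ComputerName, UserName, ProductName, ProductVersion, FoundStatus)
$missing  = @($rows | Where-Object FoundStatus -eq 'False')
$coverage = if ($rows.Count) { [math]::Round(100 * ($rows.Count - $missing.Count) / $rows.Count, 1) } else { 0 }

"{0} systems in collection {1}: {2} with {3}, {4} without ({5}% coverage)" -f `
    $rows.Count, $CollectionID, ($rows.Count - $missing.Count), $ProductName, $missing.Count, $coverage
$missing | Sort-Object ComputerName | Export-Csv -Path $ReportPath -NoTypeInformation
"Systems without $ProductName written to $ReportPath"
```

Running the report this way keeps the product name and collection ID out of the SQL text, so a value taken from a ticket or a parameter file cannot alter the query, and the CSV of "Not Found" systems is the list an endpoint team would actually work from.
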

Conclusion

This SQL query serves as an effective tool for IT administrators managing endpoint security through SCCM. By clearly identifying which systems have Symantec Endpoint Protection installed and which do not, organizations can ensure compliance and security standards are met. Moreover, the ability to run such queries empowers administrators to maintain oversight of their software environment, facilitating proactive management of potential vulnerabilities.

Using structured SQL queries like this one not only enhances visibility into the software landscape but also supports strategic decision-making regarding security posture and software management across an organization.

Fix System Time Date

The fastest resolution, as you stated, is to connect to the VPN; the time should then be set automatically.

A faster alternative is simply to add or subtract minutes from the system clock using the following PowerShell command.

Here is Microsoft's documentation on how to use the cmdlet: Set-Date (Microsoft.PowerShell.Utility) - PowerShell | Microsoft Docs

Open PowerShell as Administrator.

To subtract 10 minutes:

    Set-Date -Adjust -0:10:0 -DisplayHint Time

To add 10 minutes:

    Set-Date -Adjust 0:10:0 -DisplayHint Time

The other option is simply to run the resync command against the Windows Time service (w32tm), again from PowerShell opened as administrator:

    w32tm /resync

I did verify that this command works both on and off of VPN.

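The following functions are an added example, not code from the original post: they measure how far the local clock is from a reference host before changing anything, try w32tm /resync first, and only then fall back to Set-Date -Adjust with the measured TimeSpan rather than a fixed "0:10:0". The reference host name is a placeholder; the example assumes it is reachable over WinRM (Invoke-Command) and that the script runs from an elevated PowerShell. The 5-minute default tolerance is the Kerberos default maximum clock skew.

```powershell
# Added example, not from the original post: measure the local clock's offset
# from a reference host, prefer w32tm /resync, and fall back to Set-Date -Adjust
# with a computed TimeSpan. Assumptions: the reference host name is a placeholder,
# it is reachable over WinRM, and the session is elevated.
function Get-ClockOffset {
    param([Parameter(Mandatory)][string]$ReferenceComputer)
    $t0 = [DateTime]::UtcNow.Ticks
    # Ticks are exchanged rather than DateTime objects so time-zone and
    # serialisation differences between the two hosts cannot shift the result.
    $remote = Invoke-Command -ComputerName $ReferenceComputer -ScriptBlock { [DateTime]::UtcNow.Ticks }
    $t1 = [DateTime]::UtcNow.Ticks
    # Assume the reference sampled its clock midway through the round trip.
    $localMid = $t0 + [long](($t1 - $t0) / 2)
    # Positive offset: the local clock is behind the reference.
    [TimeSpan]::FromTicks($remote - $localMid)
}

function Repair-ClockDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ReferenceComputer = 'dc01.example.local',   # placeholder
        [int]$ToleranceMinutes = 5                           # Kerberos default max clock skew
    )
    $offset = Get-ClockOffset -ReferenceComputer $ReferenceComputer
    $result = [ordered]@{ Reference = $ReferenceComputer; Offset = $offset; Action = 'None' }
    if ([math]::Abs($offset.TotalMinutes) -lt $ToleranceMinutes) {
        return [pscustomobject]$result
    }
    # First choice: let the Windows Time service correct it; it keeps syncing afterwards.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'w32tm /resync')) {
        & w32tm.exe /resync | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $result.Action = 'w32tm /resync'
            $result.Offset = Get-ClockOffset -ReferenceComputer $ReferenceComputer   # re-measure
            return [pscustomobject]$result
        }
        Write-Warning "w32tm /resync failed with exit code $LASTEXITCODE; applying a manual adjustment."
    }
    # Fallback: the post's Set-Date -Adjust, with the measured TimeSpan (sign included).
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set-Date -Adjust $offset")) {
        Set-Date -Adjust $offset | Out-Null
        $result.Action = 'Set-Date -Adjust'
    }
    [pscustomobject]$result
}

# Usage (elevated): Repair-ClockDrift -ReferenceComputer 'dc01.example.local' -WhatIf
```

Because the function supports -WhatIf, the measured offset can be reviewed before any change is made; a clock that is off by more than the tolerance is also the usual reason Kerberos authentication (and therefore the VPN logon itself) starts failing.
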
How to Install RSAT Tools on Windows 10 and 11

Microsoft has streamlined the installation of Remote Server Administration Tools (RSAT) in Windows 10 and 11. Instead of requiring a separate installer, these tools can now be added via the Deployment Image Servicing and Management (DISM) command or PowerShell cmdlets, which utilize DISM on the back end.

Importance of RSAT Tools

For administrators managing workstations and servers in a Microsoft infrastructure, RSAT tools are essential for efficient system management and configuration. These tools allow IT professionals to perform various administrative tasks remotely, reducing the need for physical access to servers or workstations. With RSAT, administrators can manage Active Directory, Group Policy, DNS, and other critical server roles directly from their client machines, enhancing productivity and streamlining workflows. This capability is particularly beneficial in large organizations, where centralized management is key to maintaining system integrity, security, and compliance.

Installing RSAT Tools via PowerShell Cmdlets

  1. Open PowerShell as Administrator: Right-click on the Start menu and select Windows PowerShell (Admin), or search for "PowerShell," right-click it, and choose "Run as administrator."
  2. List Available RSAT Tools: To see all available RSAT tools that can be installed, run the following command:

    Get-WindowsCapability -Name "*RSAT*" -Online

    Example Output:

    Name  : Rsat.ActiveDirectory.DS-LDS.Tools
    State : NotInstalled

    Name  : Rsat.GroupPolicy.Management.Tools
    State : NotInstalled

    Name  : Rsat.RemoteAccess.Management.Tools
    State : Installed

    Name  : Rsat.ActiveDirectory.Management.Tools
    State : Installed

  3. Check Installation Status of Specific Tools: If you want to check the installation status of specific tools, such as the Active Directory Domain Services (AD DS) and Group Policy Management tools, use:

    "Rsat.ActiveDirectory.DS-LDS.Tools*","Rsat.GroupPolicy.Management.Tools*" | ForEach-Object {Get-WindowsCapability -Name $PSItem -Online}

    Example Output:

    Name  : Rsat.ActiveDirectory.DS-LDS.Tools
    State : NotInstalled

    Name  : Rsat.GroupPolicy.Management.Tools
    State : NotInstalled

  4. Install RSAT Tools: To install the desired RSAT tools, modify the command as follows:

    "Rsat.ActiveDirectory.DS-LDS.Tools*","Rsat.GroupPolicy.Management.Tools*" | ForEach-Object {Add-WindowsCapability -Name $PSItem -Online}

    Note: The applications will be retrieved from Microsoft servers and installed on your local system. If you encounter connection issues, you may need to disconnect from your corporate network, as access control lists (ACLs) may block the connection to Microsoft servers.

    Example Output During Installation:

    Adding Windows Capability: Rsat.ActiveDirectory.DS-LDS.Tools... Operation complete.
    Adding Windows Capability: Rsat.GroupPolicy.Management.Tools... Operation complete.

  5. Completion Status: After the installation is complete, the status will be displayed, indicating whether a restart is required. You can verify the installation by running the initial command again:

    Get-WindowsCapability -Name "*RSAT*" -Online

    Example Output After Installation:

    Name  : Rsat.ActiveDirectory.DS-LDS.Tools
    State : Installed

    Name  : Rsat.GroupPolicy.Management.Tools
    State : Installed

    Name  : Rsat.RemoteAccess.Management.Tools
    State : Installed

    Name  : Rsat.ActiveDirectory.Management.Tools
    State : Installed
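The function below is an added example, not code from the original post: it wraps steps 1 to 5 into one idempotent installer that checks for elevation, skips capabilities that are already installed, reports each result as an object, catches the download failures the note above describes, and says at the end whether a restart is pending (using the RestartNeeded property on the object Add-WindowsCapability returns). The default capability names are the two shown in the post; any other names passed in should first be confirmed with Get-WindowsCapability -Name "*RSAT*" -Online.

```powershell
# Added example, not part of the original post: an idempotent installer for a
# set of RSAT capabilities that reports what it did and whether a reboot is
# pending. Default names are the ones shown in the post.
function Install-RsatCapability {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Name = @('Rsat.ActiveDirectory.DS-LDS.Tools*', 'Rsat.GroupPolicy.Management.Tools*')
    )
    # Add-WindowsCapability needs an elevated session; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $restartNeeded = $false
    foreach ($pattern in $Name) {
        # Wildcards are resolved by Get-WindowsCapability, as in the post's commands.
        $caps = @(Get-WindowsCapability -Name $pattern -Online)
        if (-not $caps) { Write-Warning "No capability matches '$pattern'."; continue }
        foreach ($cap in $caps) {
            if ($cap.State -eq 'Installed') {
                [pscustomobject]@{ Name = $cap.Name; Result = 'AlreadyInstalled' }
                continue
            }
            if (-not $PSCmdlet.ShouldProcess($cap.Name, 'Add-WindowsCapability')) { continue }
            try {
                $r = Add-WindowsCapability -Name $cap.Name -Online -ErrorAction Stop
                if ($r.RestartNeeded) { $restartNeeded = $true }
                [pscustomobject]@{ Name = $cap.Name; Result = 'Installed' }
            } catch {
                # Typical cause: the Features on Demand source is unreachable
                # (proxy or ACL blocking Microsoft's servers, or a WSUS-only update source).
                [pscustomobject]@{ Name = $cap.Name; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
    if ($restartNeeded) { Write-Warning 'A restart is required to finish the installation.' }
}

# Usage (elevated): Install-RsatCapability | Format-Table -AutoSize
# Dry run:          Install-RsatCapability -WhatIf
```

Because the function emits one object per capability, the output can be piped to Export-Csv to record which RSAT tools are present on an administrative workstation, which is useful when those tools are meant to exist only on designated management hosts.
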

Conclusion

By following these steps, you can efficiently manage and install RSAT tools on your Windows 10 or 11 system. This streamlined approach not only simplifies administrative tasks but also enhances your ability to maintain and configure Windows Server environments effectively.

How to Remotely Log Off a User

In various IT environments, administrators may need to log off users from remote systems for a variety of reasons, such as freeing up resources, enforcing security protocols, or troubleshooting. To accomplish this, you’ll need to know the user’s session ID on the target machine. This article will guide you through the process step-by-step.

Prerequisites

Before you begin, ensure that you have the following:

  • Administrative privileges on the target system.
  • The name of the remote computer (in our example, ITS-ENG-TEST01).
  • The session ID of the user you wish to log off.

Step 1: Querying Active Sessions

To find out which users are logged into the remote system, use the quser command. This command queries the user sessions on a specified server.

  1. Query Local Sessions: If you type quser without any flags in your command prompt, it will return a list of active user sessions on your local machine.

    PS> quser

    Output Example:

    USERNAME              SESSIONNAME        ID  STATE   IDLE TIME
    user1                 rdp-tcp#1           2  Active  00:10:15
    user2                 rdp-tcp#2           3  Active  00:05:30

  2. Query Remote Sessions: To check the active user sessions on a remote computer, use the /server flag followed by the remote computer's name. For example, to query ITS-ENG-TEST01, run the following command:

    PS> quser /server:'ITS-ENG-TEST01'

    Output Example:

    USERNAME              SESSIONNAME        ID  STATE   IDLE TIME
    user3                 rdp-tcp#3           4  Active  01:15:45

    This command will show all active sessions on the specified remote server. You can identify which users are logged in and their corresponding session IDs.

Step 2: Identifying Logged-In Users

With the output from the quser command, you can see the usernames, session names, session IDs, and states of each session. Take note of the session ID for the user you wish to log off. In our example, suppose the user user3 is logged in with session ID 4.

Step 3: Logging Off the User

To log off a user, you'll use the logoff command followed by the session ID and the /server flag for the target machine. Here’s how to do it:

  1. Construct the Command: To log off user3, who has session ID 4 on ITS-ENG-TEST01, enter the following command:

    logoff 4 /server:'ITS-ENG-TEST01'
  2. Execute the Command: Run the command in your administrative command prompt. The command will not return any output if it executes successfully. This means the user has been logged off without confirmation.

Step 4: Verifying the Log Off

After executing the logoff command, it’s good practice to verify that the user has been successfully logged off:

  1. Requery the Remote System: Run the quser command again to check active sessions on the remote system:

    PS> quser /server:'ITS-ENG-TEST01'
  2. Check the Output: You should no longer see the session for user3 in the output, confirming that they have been logged off successfully.

    Output Example After Log Off:

    USERNAME              SESSIONNAME        ID  STATE   IDLE TIME
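The functions below are an added example, not code from the original post: they parse quser output into objects (handling the blank SESSIONNAME of disconnected sessions and the ">" marker on the caller's own session), then log a user off by name, run the logoff per session ID exactly as in steps 3 and 4, and re-query to confirm, since logoff itself prints nothing on success. The computer name ITS-ENG-TEST01 comes from the post; the sample quser lines at the end are constructed so the parser can be tried offline.

```powershell
# Added example, not from the original post: parse quser output into objects so
# a user can be logged off by name and the result verified automatically.
function ConvertFrom-Quser {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$ComputerName)
    # quser is fixed-width: SESSIONNAME is blank for disconnected sessions and the
    # caller's own session carries a leading '>', so match field by field.
    $pattern = '^\s*>?(?<User>\S+)\s+(?<Session>\S+)?\s+(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)(\s+(?<Logon>.+))?$'
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $pattern) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = $Matches.User
                SessionName  = $Matches.Session
                Id           = [int]$Matches.Id
                State        = $Matches.State
                IdleTime     = $Matches.Idle
                LogonTime    = $Matches.Logon
            }
        }
    }
}

function Get-UserSession {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $raw = & quser.exe /server:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) {
        if ("$raw" -match 'No User exists') { return }      # empty, not an error
        throw "quser failed on ${ComputerName}: $raw"
    }
    ConvertFrom-Quser -Lines $raw -ComputerName $ComputerName
}

function Remove-UserSession {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$UserName, [string]$ComputerName = 'ITS-ENG-TEST01')
    # -eq is case-insensitive; note quser truncates long user names in its USERNAME column.
    $sessions = @(Get-UserSession -ComputerName $ComputerName | Where-Object UserName -eq $UserName)
    if (-not $sessions) { Write-Warning "No session for $UserName on $ComputerName."; return }
    foreach ($s in $sessions) {
        if ($PSCmdlet.ShouldProcess("$ComputerName session $($s.Id) ($UserName)", 'logoff')) {
            & logoff.exe $s.Id /server:$ComputerName          # silent on success, as the post notes
            if ($LASTEXITCODE -ne 0) { Write-Error "logoff returned $LASTEXITCODE for session $($s.Id)" }
        }
    }
    Start-Sleep -Seconds 2                                     # give the session time to tear down
    $remaining = @(Get-UserSession -ComputerName $ComputerName | Where-Object UserName -eq $UserName)
    [pscustomobject]@{ ComputerName = $ComputerName; UserName = $UserName; LoggedOff = ($remaining.Count -eq 0) }
}

# Constructed sample output (not captured from a real host) to exercise the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin1               console             1  Active      none   10/11/2021 8:02 AM',
    ' user3                rdp-tcp#3           4  Active   1:15:45   10/11/2021 9:00 AM',
    ' user2                                    3  Disc     2:30      10/11/2021 7:45 AM'
)
ConvertFrom-Quser -Lines $sample -ComputerName 'ITS-ENG-TEST01' | Format-Table -AutoSize

# Usage against the real host: Remove-UserSession -UserName user3 -ComputerName 'ITS-ENG-TEST01'
```

With ConfirmImpact set to High, Remove-UserSession prompts before each logoff unless -Confirm:$false is given, and the returned object records whether the session was actually gone on re-query, which is the check step 4 performs by eye.
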

Summary

Logging off users from a remote system can be a straightforward process if you follow these steps:

  1. Use quser to find active sessions on the remote machine.
  2. Identify the session ID of the user you want to log off.
  3. Use the logoff command with the appropriate session ID and server name.
  4. Verify the log-off action by checking the active sessions again.

By managing user sessions effectively, you can maintain system performance and security in your IT environment.