Configuring Windows Update with Tanium

There really are only two ways to configure the Windows Update Agent: manually through the UI, or through the Windows Update API.  Unfortunately, as an enterprise admin you need command line utilities to configure endpoints at scale, and Microsoft does not provide one.  Thus I’ve put together a really quick command line utility that uses the Windows Update API and lets you configure the agent using our favorite platform… Tanium.

Download Solution Pack

First thing you must do is download the entire Tanium solution pack for Windows Update.   Once you’ve downloaded the Windows_Update.xml, you must import it through your Console->Authoring->Import Content.


You’ll find it contains multiple sensors, packages and saved questions for reading and changing the configuration.

Ensure Package Files Download

One of the packages requires external files that are downloaded from files.danielheth.com.  These files are served up via https, so you must configure my Certificate Authority in order for your Tanium Server to properly download from that location.  You must also configure a White Listed URL.  You can read more about doing this at https://danielheth.com/2015/02/02/secure-downloading-of-package-files-with-tanium/

OR you can simply download the three files manually and update the Distribute Windows Update Tools package.  We will explore this second option in this article:

Download all of the following files:

  1. https://files.danielheth.com/7za.exe
  2. https://files.danielheth.com/install-wu4tanium.vbs
  3. https://files.danielheth.com/wu4tanium.zip

Then edit the Distribute Windows Update Tools package by going to Console->Authoring->Packages, filtering by “Distribute Windows Update Tools” and edit the correct package.  Then “Delete” all three files linked to this package…


Now we will “Add Local Files…” for each of the three files we downloaded earlier.


Now that we have all three “local” files uploaded into the package we’re ready to start using this solution…

Windows Update Dashboard

Included in the solution pack is a new dashboard which groups all the functionality together in a single location.  Browse to that dashboard by looking under “Other Dashboards” and finding the one called Windows Update.


As you can see from the screenshot, there are two included saved questions.  One lets you know about the installation status of the special utility we’re using and the other uses that utility to return the current status of the Windows Update Agent using the API.

Deploy Windows Update Tools

I already have one system deployed with the utility, but my other 9+ systems do not have it.  I can drill down to determine the names of these systems and distribute to specific machines, but I want my entire infrastructure to have this utility.  Thus I will right-click on the “No” answer and deploy the package we edited before, the Distribute Windows Update Tools package.  Complete the deployment of that action and within 10 or so minutes you should start seeing the Windows Update Configuration appear in the right answer grid.


Configure Windows Update Status

The Windows Update Agent has a few modes of operation:

  • Not Configured means “not configured” by the user or by a Group Policy administrator.  Users are periodically prompted to configure Automatic Updates.
  • Disabled is self-explanatory… Users are not notified of important updates for the computer.
  • Notify Before Download prompts users to approve updates before it downloads or installs the updates.
  • Notify Before Installation will download the updates but prompt users to approve the updates before installation.
  • Scheduled Installation will automatically install updates according to the schedule that is configured by the user or by the wu4tanium utility.

To make changing this mode-of-operation status easy, I’ve included a Configure Windows Update Status package with the above described options.  Select the configuration answers that are not configured as you want and launch this package to change it.


Configure Windows Update Schedule

If you chose to schedule the automatic installation of updates you can use the Configure Windows Update Schedule package to change the day and time updates will install.

I would like all my systems to download and automatically install updates every day at 1am.  To do that, select all the configurations that do not match your desires, right-click and Deploy Action.  Select the Configure Windows Update Schedule package from the dropdown and two parameters will appear: one to specify the day of the week and the other the hour.  The hour is specified in 24-hour “military” time and is only configurable on the hour.


After 10 minutes, the Windows Update Configuration answer grid will start updating with the newly configured schedule.  The Windows Update Config sensor is set with a max age of 10 minutes, so we must wait that long before the sensor’s script is executed again and the new configuration starts appearing in the answer grid.
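The mode-of-operation and schedule settings above both live on the Windows Update Agent’s Settings object, so here is an added PowerShell example (not the wu4tanium utility’s own code) that reads them the way the Windows Update Config sensor does and sets a schedule the way the Configure Windows Update Schedule package does.  It assumes the stock Windows Update Agent COM API (ProgID Microsoft.Update.AutoUpdate), and that the setter runs elevated, as a Tanium action would; the page only tested this API on Windows 7.

```powershell
# Added example, not wu4tanium's code: read and set Windows Update Agent
# configuration through the Windows Update API (assumes Microsoft.Update.AutoUpdate).

$ModeNames = @{            # AutomaticUpdatesNotificationLevel values, named as on the page
    0 = 'Not Configured'
    1 = 'Disabled'
    2 = 'Notify Before Download'
    3 = 'Notify Before Installation'
    4 = 'Scheduled Installation'
}
$DayNames = @('Every Day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

function Get-WuaConfiguration {
    # Sensor-style read: one line suitable for a Tanium answer grid.
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $settings.Refresh()    # pick up changes made by policy since the object was created
    $mode = $ModeNames[[int]$settings.NotificationLevel]
    if ([int]$settings.NotificationLevel -eq 4) {
        $day  = $DayNames[[int]$settings.ScheduledInstallationDay]
        $hour = '{0:00}:00' -f [int]$settings.ScheduledInstallationTime
        return "$mode ($day at $hour)"
    }
    return $mode
}

function Set-WuaSchedule {
    param(
        [ValidateRange(0,7)]  [int]$Day,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0,23)] [int]$Hour   # 24-hour clock, on-the-hour only, as the package requires
    )
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    if ($settings.ReadOnly) {
        # Group Policy owns the setting and the API will not overwrite it; say so
        # rather than letting the action report success without changing anything.
        throw 'Windows Update settings are read-only on this endpoint (managed by policy).'
    }
    $settings.NotificationLevel         = 4     # Scheduled Installation
    $settings.ScheduledInstallationDay  = $Day
    $settings.ScheduledInstallationTime = $Hour
    $settings.Save()                            # needs an elevated context (Tanium actions run as SYSTEM)
}

# Package action with the page's example parameters (every day at 01:00), then the sensor read.
Set-WuaSchedule -Day 0 -Hour 1
Get-WuaConfiguration
```

The ReadOnly check is the caveat worth keeping: on a policy-managed endpoint the package would otherwise appear to succeed while the sensor keeps reporting the old configuration.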

Conclusion

I hope this helps those of you who wish to use the Windows Update Agent to update your systems rather than using a more involved patching solution. 

Note that this solution DOES NOT USE the Tanium file/shard downloading functionality… each endpoint will download updates directly from Microsoft.

Also, I have only tested this on Windows 7 systems.  It is possible the Windows Update API will not function as coded on other versions of Windows.  If you wish to view the code for the wu4tanium utility, it is available on GitHub.  Feel free to fork that project to add functionality or compatibility with other versions of Windows.

Broadcasting Screens

During the setup of my broadcasting studio, I found the need to hide the backgrounds behind the two people on the show.  I wanted to provide a way to have multiple screens of different colors, including chroma-key Green.  Then mount those screens so they are kept stretched and smooth for the broadcast.  What I came up with was a four point mounting and an innovative Indie screen system.


Using cheap hardware from Lowe’s, building these screens was a breeze!

Required Parts (for 4-point mounting):

  (4) Eye hooks
  (1) Drill with properly sized bit
  (1) Stud finder

First locate where you plan to mount your screens, and use the stud finder to help you find the perfect spot.  Drill your holes and screw in the Eye hooks.

Required Parts (for one screen):

  (4) bungee cords of appropriate length which depends on where your wall mounting points are.
  (4) Eye hooks
  (1) Bed Sheet, Twin bed size was perfect for my needs
  (2) 2”x1”x96” boards
  (6) Carpet tack strips (for mounting the bed sheet)

Spread the sheet out and position the 2” boards on either side.  Roll the sheet around the 2” boards for one or two turns and use the carpet tacks to hold everything in place.  Lastly, drill pilot holes into both ends of both 2” boards and screw in the eye hooks.

Roll the rest of the sheet around one of the 2” boards and wrap with Velcro straps for storage. 

Mounting this is very easy and done within minutes by one person.

Clip one of the 2” boards across the top to the bungees attached to the upper two mounting points.


Then unwrap the Velcro and unfurl the screen slowly… don’t let it drop since you may damage the carpet tacks.

Lastly attach the lower bungees so the screen is nice and stretched.


Once you’re all stretched, it should look like the image at the top of this article.

I built multiple screens of various colors.  They store very easily in my closet and I pull out the appropriate one depending on topics of our show.

TIP:  Spray Downy wrinkle eliminator onto the screens when they are stretched before your show.  It puts a pleasant smell in the air and smooths your screen out very nicely.

If you have any questions or suggestions on other broadcasting equipment, please comment below.

And to see all of my Screen pictures, visit http://www.flickr.com/photos/danielheth/sets/72157629653027764/

Adding LDAP Authentication to the TEM (BigFix) Console

The latest version (8.2.x) of Tivoli Endpoint Manager comes with the ability to authenticate console users against your LDAP directory.  Here is a simplified step-by-step guide for setting that up.

Open your console using one of your Master Operator accounts.  Find the LDAP Directories branch in the left side tree and right-click it.  Choose Add LDAP Directory from that list…


Enter any “Name” you’d like and specify your LDAP authentication server as well as if it is a global catalog server.  In my tiny network, I only have the one DC.


Click the Test button to validate the connectivity…


My network is very tiny, however I would encourage you if alternate DC servers are available to specify them in the Backup Server X spaces provided.


Adding the link to the DC is one step… next you’ll probably want to create a special AD group to which Console users will belong.  Remember that within TEM we have Console Operators and Master Operators.  Each user/group has a specified set of computers they are responsible for, and this can be extended into AD.  Simply create an AD user group for each division of your organization, based on the required level of console access.

In my case I created two AD groups:  BigFix_Admin and BigFix_Console.  Then added my user account to the Admin group.


Our next/last step is to specify the level of access each of these new AD groups have within the TEM infrastructure.


You can name this new Role anything you’d like, however I like to match the AD group name up with this Role name to make it easy to understand.


My Admin group has near unlimited privileges… thus I’ll choose yes to the following options:  Master Operator, Custom Content, and Show Other Operators’ Actions.


Next we’ll need to assign the computers that this group will have control over… in my case I’ll be specifying “all computers”.


Using this dialog I can specify individual computers as well as systems based on Retrieved Properties or Group Membership.


I will not be adding TEM users to this group, as it was set up specifically for my LDAP Admin group… so I’ll skip the “Operators” tab.


Instead I’ll be focusing on the LDAP Groups tab… and Assigning LDAP Group to this TEM Group I’m currently defining…


Search for the group to be added to this TEM group, and Assign it.


Lastly, I’ll gloss over the Sites tab since I currently only have 1 site in this new infrastructure; however, I can specify site-specific permissions just like I can for TEM users.


Don’t forget when you are done to Save Changes…


Since this is a fresh installation, the setting which requires entering your authentication password to authorize this new action has been disabled by default.  In a different article I will explain this very cool security feature, how it works and how to force the password requirement just like in previous versions.   For now, let’s log in with my Domain credentials to test things out!


Let’s re-launch the console but this time using my Domain credentials…

Be sure to include your Domain within the User name field…  In my case it’s “MoranIT\Daniel”


Success!!  The authentication was accepted and I’m logging into the console!


Something very important to notice here is that my operator site and account were automatically generated upon login.  This means that if too many new users log in at once it could cause a burst of traffic on your network, since a subscription action is deployed to the authorized computers list for each new operator.


Enjoy your new LDAP authenticated user access… let me know if you have any questions or comments in the section below.  I respond to all my comments, so please engage…