Using ConfigMgr (SCCM) 2012 to Monitor IE Zero-Day Patch Levels

As many IT professionals are aware, a large zero-day vulnerability affecting Internet Explorer 6-9 was revealed earlier this week.  Microsoft released a “Fix-It” on 9/20/2012 and an out-of-cycle patch on 9/21/2012.  Many organizations will be using WSUS or System Center Configuration Manager (ConfigMgr) to deploy this patch to their environment.

Details of this specific vulnerability (KB2744842) and the associated fixes are located here: (Microsoft Security Bulletin MS12-063 – Critical / Cumulative Security Update for Internet Explorer (2744842)).

“This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” – Microsoft Security Bulletin MS12-063

Your IT security personnel will probably need information about the patching status of vulnerable workstations in your environment.  Using Compliance Settings within ConfigMgr 2012, you can easily create a configuration item and baseline (if needed) to evaluate your workstations for their compliance with this patch.

To do this, we need to first create a configuration item.  In the ConfigMgr 2012 console, right-click “Configuration Items” and choose “Create Configuration Item”

In the “Create Configuration Item Wizard” window, enter in the name of the item and a small description.  Choose “Windows” for the type of configuration item and assign it categories if desired.  It should resemble this window below:

Click “Next >” and on the screen that follows, choose all Windows 7 items.  Separate configuration items/baselines can be developed for OS and IE versions other than Windows 7 with Internet Explorer 9.  The screen should look similar to below, when finished:

Click “Next >” to continue to the settings window.  Click “New” to open the “Create Setting” window.  Enter in a name and short description and then select “Registry Value” for “Setting Type” and “String” for “Data Type”.  After selecting those options, select “HKEY_LOCAL_MACHINE” for “Hive” and then click the “Browse” button.

Connect to a patched Windows 7 workstation and then browse to HKLM\Software\Microsoft\Internet Explorer\.  When you select this key, the registry values will populate on the right hand side of the window.  Select the value named “svcUpdateVersion” and ensure it has the data value of “9.0.10”.  Make sure all of the settings match the image below:

Click “OK” to complete the window.  The “Create Setting” window should now appear similar to below:

Click the “Compliance Rules” tab and open each item listed and change the “Severity” to “Critical” if desired.  Otherwise click “OK” to return to the “Create Configuration Item Wizard”.  The wizard should look similar to the image below:

Click “Next >” and you will have a second chance to review the compliance rules we created in the earlier steps.  If everything looks correct, click “Next >” to continue.

Review the summary and if everything looks correct, click “Next >” to continue.

When the wizard completes, click “Close” to continue.

Next, we need to create a baseline (if you don’t already have one) for this configuration item.  In the console, right-click on “Configuration Baselines” and then choose “Create Configuration Baseline”.  Enter in a name and short description for the baseline and select any applicable categories if desired. Once this is complete, click the “Add” button and select “Configuration Item”.

In the window that appears, select the configuration item we chose earlier, in this case “KB2744842”, and then click the “Add” button.  This will move the item from the top area of the screen to the bottom area.  Once this is done, click “OK” to continue.

After reviewing the “Create Configuration Baseline” window for accuracy, click “OK” to create the baseline.

Now that the baseline has been created, we can deploy it to our environment.  In this case, we are deploying it to our Windows 7 Workstations.  To deploy the baseline, right-click on the baseline in the ConfigMgr console and then select “Deploy”.  Choose the settings that apply to your environment and then click “OK” to deploy it.  Monitor the baseline configuration compliance through the Monitoring section of the ConfigMgr console.

If you are looking for a great book about SCCM 2012, then please check out the Mastering System Center 2012 Configuration Manager book.  I have used both this book and the 2007 version in my career and they are valuable guides to the SCCM software.  You can get the book at Amazon or other major retailers.

Connect with me on LinkedIn:

Leave a Reply

%d bloggers like this: