## SCCM Script – Uninstall McAfee

Here is a short but effective script to run out of SCCM to completely uninstall McAfee from a device. Obviously EPO will do the same thing, but usually you have to wait for the agents to check in. This script is great for those pilot users or systems that just aren't playing nice. The script first checks whether the EPO agent is installed and, if so, runs the agent force uninstall. Next, it runs through Add/Remove Programs and uninstalls anything with "McAfee" in the title. Finally, it copies over the McAfee Endpoint Product Removal tool, which removes anything left over, then reboots. I cannot supply the McAfee Endpoint Product Removal tool; however, if you already have EPO you can download the tool from McAfee for free. Because of this, you will need to update the hash value in the if statement, otherwise the tool will not run. You can remove the if statement if you wish, although I highly recommend you always hash any files you are copying in your scripts. In my experience, this has been the sledgehammer for uninstalling McAfee. I hope it helps!

```powershell
### Checks for the agent locally installed and if so it runs the force uninstall of the agent
if (Test-Path -Path "C:\Program Files\Mcafee\Agent\x86\FrmInst.exe") {
    Start-Process -Wait -FilePath "C:\Program Files\Mcafee\Agent\x86\FrmInst.exe" -ArgumentList "/forceuninstall"
}

### Checks installed programs looking for any package with the name
$Packages = Get-WmiObject -Class Win32_Product -ErrorAction Stop |
    Where-Object { $_.Name -like "*McAfee*" } |
    Select-Object *

foreach ($Package in $Packages) {
    $name = $Package.LocalPackage
    cmd.exe /c "msiexec /x $name /qn"
}

### Create a temp dir if it's not already there and copy the uninstall tool
$dir = "C:\temp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

### Copy McAfee Endpoint product removal tool to the local PC
robocopy "\\Path\to\Source\Folder" "C:\temp" "McAfeeEndpointProductRemoval_20.11.0.111.exe"

# Get hash value of the file we just copied... JUUUUST in case
$hash_value = Get-FileHash -Path "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe"

# Compare the hash value and only run the exe if they match.
# Get-FileHash returns an object, so the comparison has to be against its .Hash property.
if ($hash_value.Hash -eq "4690CFDD6C9557EBA62D079255A14A3416F1BD3E91237D1259126837274949BF") {
    # Run the uninstall silently
    Start-Process -FilePath "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe" -Wait -ArgumentList "--accepteula --ALL"
}

# Remove the uninstall tool since we are done with it
Remove-Item -Path "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe" -Force -Confirm:$false
```


## SCCM Script – Force Remove Flash

Well, Flash is finally dead and you probably want to get it off all your systems. Here is a script that you can use to uninstall Flash and remove all leftover folders. See my post here to learn how to create and run a script in SCCM. The script leverages the uninstall tool that Adobe provides here and also removes the app data folders for each user. The only thing you need to modify in this script is the source path where you put the uninstaller. You may want to re-hash the file when you download it as well, just in case it is different from what is in the script.

EDIT 3-19-21: I have run into additional permission issues on some PCs where, for some reason, ‘Trusted Installer’ is the owner of the Flash folders. Below is the updated script that handles this issue by giving ‘System’ ownership of the folder.

```powershell
# Create a temp dir if it's not already there and copy the uninstall tool
$dir = "C:\temp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
robocopy "\\Put\Source\Path\Here" "C:\temp" uninstall_flash_player.exe

# Get hash value of the file we just copied... JUUUUST in case
$hash_value = Get-FileHash -Path "C:\temp\uninstall_flash_player.exe"

# Compare the hash value and only run the exe if they match
# (Get-FileHash returns an object, so compare its .Hash property)
if ($hash_value.Hash -eq "3319A87F23773CEA36181069FA0832AC1264A7D49CEA9BF7C78DA6C650871D47") {

    # Give SYSTEM full control of, and ownership over, both Flash folders and everything in them
    # (needed where TrustedInstaller owns the folders)
    foreach ($flashDir in "C:\Windows\SysWOW64\Macromed\Flash", "C:\Windows\system32\Macromed\Flash") {
        if (-not (Test-Path $flashDir)) { continue }

        $acl = Get-Acl $flashDir
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", "FullControl", "Allow")
        $acl.SetAccessRule($AccessRule)
        $acl | Set-Acl $flashDir

        $acl = Get-Acl $flashDir
        $object = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM")
        $acl.SetOwner($object)
        $acl | Set-Acl $flashDir

        foreach ($item in (Get-ChildItem $flashDir -Recurse)) {
            $acl = Get-Acl $item.FullName
            $object = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM")
            $acl.SetOwner($object)
            $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", "FullControl", "Allow")
            $acl.SetAccessRule($AccessRule)
            $acl.SetAccessRuleProtection($false, $true)
            $acl | Set-Acl $item.FullName
            # Clear the read-only attribute on files (directories have no IsReadOnly property)
            if (-not $item.PSIsContainer) {
                Set-ItemProperty -Path $item.FullName -Name IsReadOnly -Value $false
            }
        }
    }

    # Run the uninstall tool silently
    cmd /c "C:\temp\uninstall_flash_player.exe /uninstall"

    # Remove system folders that get left behind from the uninstall tool
    Remove-Item -Path "C:\Windows\system32\Macromed\Flash" -Recurse -Force -Confirm:$false
    Remove-Item -Path "C:\Windows\SysWOW64\Macromed\Flash" -Recurse -Force -Confirm:$false

    # Get all users
    $users = Get-ChildItem -Path "C:\users\" | Select-Object -ExpandProperty Name

    # Loop through all users and remove their Flash Player app data folders
    foreach ($user in $users) {
        Remove-Item -Path "C:\users\$user\AppData\Roaming\Adobe\Flash Player" -Recurse -Force -Confirm:$false
        Remove-Item -Path "C:\users\$user\AppData\Roaming\Macromedia\Flash Player" -Recurse -Force -Confirm:$false
    }
}

# Remove the uninstall tool since we are done with it
Remove-Item -Path "C:\temp\uninstall_flash_player.exe" -Force -Confirm:$false
```
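The copy, hash, run and clean-up sequence is the same in this post and in the McAfee one above, so here it is as one reusable function with the failure paths handled. This is an added example, not code from the original posts; the share path, tool name and expected hash are placeholders you supply, and a non-zero return is deliberate so the run shows as failed in SCCM's Script Status.

```powershell
# Added example (not from the original posts): copy a removal tool from a share,
# verify its SHA-256 against a known-good value and only then run it.
function Invoke-VerifiedTool {
    param(
        [Parameter(Mandatory)][string]$SourceDir,     # e.g. \\server\share\tools (placeholder)
        [Parameter(Mandatory)][string]$ToolName,      # file name inside $SourceDir
        [Parameter(Mandatory)][string]$ExpectedHash,  # SHA-256 recorded when you downloaded the tool
        [string[]]$ToolArgs = @(),
        [string]$WorkDir = 'C:\temp'
    )
    # Create the work dir without erroring when it already exists
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $local = Join-Path $WorkDir $ToolName

    # robocopy exit codes below 8 mean success; 8 and above mean something was not copied
    robocopy $SourceDir $WorkDir $ToolName /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8 -or -not (Test-Path $local)) {
        Write-Host "Copy of $ToolName failed (robocopy exit $LASTEXITCODE)"
        return 2
    }

    try {
        # Get-FileHash returns an object; compare its .Hash property (-ne is case-insensitive)
        $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedHash) {
            Write-Host "Hash mismatch for ${ToolName}: expected $ExpectedHash, got $actual. Not running it."
            return 3
        }
        # Start-Process rejects an empty -ArgumentList, so only add it when there are arguments
        $startArgs = @{ FilePath = $local; Wait = $true; PassThru = $true }
        if ($ToolArgs.Count -gt 0) { $startArgs.ArgumentList = $ToolArgs }
        $proc = Start-Process @startArgs
        Write-Host "$ToolName exited with code $($proc.ExitCode)"
        return $proc.ExitCode
    }
    finally {
        # Always remove the local copy, even when verification failed
        Remove-Item -Path $local -Force -Confirm:$false -ErrorAction SilentlyContinue
    }
}

# Usage for the McAfee post above (share path and hash are placeholders; substitute your own)
$rc = Invoke-VerifiedTool -SourceDir '\\Path\to\Source\Folder' `
    -ToolName 'McAfeeEndpointProductRemoval_20.11.0.111.exe' `
    -ExpectedHash '<SHA256 of the copy you downloaded>' `
    -ToolArgs '--accepteula', '--ALL'
exit $rc
```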



## SCCM Script – Choco Checker (check for and install chocolatey)

This is a pretty straightforward script that I end up using in a lot of other scripts. First, it checks for Chocolatey with the "choco" command. If Chocolatey is not installed, it attempts the install. I go over what Chocolatey is and what you can do with it in this post. You can learn how to create scripts in SCCM here. This does not HAVE to be used out of SCCM, it is just convenient.

## Script

```powershell
try {
    Invoke-Command -ScriptBlock { choco } -ErrorAction Stop
    Write-Host "Has Choco. All is good!"
}
catch {
    Write-Host "Needs Choco. Trying install..."
    try {
        Invoke-Command -ScriptBlock {
            Set-ExecutionPolicy Bypass -Scope Process -Force
            Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
        } -ErrorAction Stop
    }
    catch {
        Write-Host "Install Failed"
    }
}
```


## Add Sites to Java security exceptions list with Powershell

Java security exceptions are a pain. It's a setting that needs to be set for each user. You should add sites to this list sparingly, but chances are that if you have any internally hosted websites that use Java, one of them will need to be in the exception list. Here is a script that will add sites to the Java security exceptions list with PowerShell.

## Deployment Options

The easiest way to use this script is to add it to SCCM. You can see how to do that in this post. This script can be run on a local PC as well, or on a remote PC using a PSSession.

## Script

The only thing for you to edit in this script is the $SiteList array. The script will read all the user folders and add the sites that are in the $SiteList array to the Java security exceptions list for each of those users.

```powershell
$SiteList = @(
    "https://site1.local.com",
    "https://site2.local.com"
)

$UserFolders = Get-ChildItem -Path C:\users -Directory | Select-Object -ExpandProperty Name

foreach ($User in $UserFolders) {
    $ExceptionFile = "C:\users\$User\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites"
    # Make sure the security folder exists before appending to the file
    $SecurityDir = Split-Path -Path $ExceptionFile -Parent
    if (-not (Test-Path $SecurityDir)) {
        New-Item -ItemType Directory -Path $SecurityDir -Force | Out-Null
    }
    # Only add a site when it is not already listed, so the script can be re-run safely
    $Existing = if (Test-Path $ExceptionFile) { Get-Content -Path $ExceptionFile } else { @() }
    foreach ($Site in $SiteList) {
        if ($Existing -notcontains $Site) {
            Add-Content -Path $ExceptionFile -Value "$Site"
        }
    }
}
```

## SCCM Script – Disable Windows Firewall

This is a simple script to disable the Windows firewall for all profiles (Private, Domain, Public). This is useful for a bunch of different reasons that I won't get into, but here is the simple one-liner to put into the SCCM script. To create, approve and add SCCM Scripts see this post.

```powershell
Set-NetFirewallProfile -All -Enabled False
```

You can also use this one-liner on a PC that you are logged into or have a PSSession with.

## SCCM Script – Disable Weak TLS and SSL

This SCCM script will make sure TLS 1.2 is enabled and disables TLS 1.0, TLS 1.1, SSL 2.0 and SSL 3.0. To create, approve and add SCCM Scripts see this post. It will create and set the appropriate registry keys. No reboot is required. This will start working once applied.
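Before running the script that follows, and again afterwards, it is worth auditing what SCHANNEL is actually set to on the box. This is an added example, not part of the original post; it only reads the registry keys the script writes and interprets them the way SCHANNEL does (no value present means the OS default for that Windows version applies).

```powershell
# Added example (not from the original post): report the per-protocol, per-side
# SCHANNEL state so a machine can be checked before and after the hardening script.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                   # $null when the value is absent
                $disabledByDefault = $props.DisabledByDefault
            }
            # Enabled=0 wins over everything; DisabledByDefault=1 means "available but not offered"
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            elseif ($disabledByDefault -eq 1) { $state = 'Enabled (not offered by default)' }
            else { $state = 'Enabled' }

            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Print the full table, then call out any weak protocol that is not explicitly disabled
$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize
$weak = $state | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' }
if ($weak) {
    Write-Host "Weak protocols not explicitly disabled:"
    $weak | Format-Table -AutoSize
}
```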
Be warned, this may break some older web applications, so always test:

```powershell
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol => should it be enabled? TLS 1.2 on; everything older off.
$protocols = [ordered]@{
    'TLS 1.2' = $true
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
}

foreach ($proto in $protocols.Keys) {
    $enabled = $protocols[$proto]
    # Both the Server and Client sides get the same Enabled / DisabledByDefault pair
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        New-Item $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$enabled) -PropertyType 'DWord' -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $enabled)) -PropertyType 'DWord' -Force | Out-Null
    }
    if ($enabled) { Write-Host "$proto has been enabled." } else { Write-Host "$proto has been disabled." }
}
```

To run the script, find the device or collection you want to run it on. Right click, click Run Script and select the script you want to run.

## SCCM Script – Create and Run SCCM Script

This is more of a reference post for my other posts with ACTUAL SCCM scripts in them. This one will show you how to create and run an SCCM script.

### Step 1: Make sure you have the appropriate permissions

First and foremost, if you are like me, you are probably the only one in your IT department that knows PowerShell. By default in SCCM the author of a script can't approve his/her own script, which is smart. However, in my case there just isn't anyone who is capable of honestly reviewing one of my scripts. To fix this setting, go to the Administration tab, click Sites in the left pane and select your site.
Now in the top bar select Hierarchy Settings and, under General, un-check the box next to "Script authors require additional script approver". Next we need to make sure our user has the right permissions. Still in the Administration tab, expand the Security folder on the left and select Administrative Users. Right click on your user and click Properties, then under the Security Roles tab make sure you are either a Full Administrator, which already has the right permissions, or create a new role with SMS_Scripts permissions.

### Step 2: Create a Script

Creating a script is pretty simple. Go to the Software Library tab and click on Scripts in the left pane. Now in the top left click Create Script. The window that pops up is where you will name your script and insert your code. The example script is very simple: it just reboots the system it is run on. Here is what the window looks like. Once you name your script and add your code, click Next, Next, Close.

### Step 3: Approve the Script

Now that we have created the script we need to "approve" it. To do this, make sure you are still in the Software Library tab, click on Scripts, select the script you want to approve and click Approve/Deny in the top bar. Now just Next, put in a comment if you want, Next, Next, Close. The script is now approved and ready to run.

### Step 4: Run a Script

Scripts can be run either on a device directly or on a collection. To run a script, go to the Assets and Compliance tab and select either Devices or Device Collections. For my example we are going to do a single device. From Devices we search for the device we want to run the script on. Right click the device and select Run Script. In the window that comes up, select the script you would like to run and click Next, Next. The script will now run on the device and you can see the status as it happens. You can close this window and view the status later from the Monitoring tab, then select Script Status from the left pane.
You can then double click on the script you just ran and see the status. This is helpful if you run a script that takes a while to run and/or you run it on a larger collection.

## SCCM Script – Visual C++ Redistributable updater

While Windows Update will update the VCRedist packages you have installed, it will not remove the old versions. Here is a script that can be used from the SCCM Scripts section. To create, approve and add SCCM Scripts see this post. The script first checks whether Chocolatey is installed and attempts to install it if not found. After that, as long as Chocolatey was installed successfully, it looks for installs of VCRedist, uninstalls all versions found and uses Chocolatey to install the latest version (it will install both x64 and x86). See the comments in the code for a few details, like where you can add or remove versions to look for.

```powershell
# Start checking for Chocolatey
try {
    Invoke-Command -ScriptBlock { choco } -ErrorAction Stop
    Write-Host "Has Choco. All is good!"
    $Choco_installed = $true
}
catch {
    Write-Host "Needs Choco. Trying install..."
    try {
        Invoke-Command -ScriptBlock {
            Set-ExecutionPolicy Bypass -Scope Process -Force
            Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
        } -ErrorAction Stop
        $Choco_installed = $true
    }
    catch {
        Write-Host "Install Failed"
        $Choco_installed = $false
    }
}

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

# Checks to see if the above was successful
if ($Choco_installed -eq $true) {
    # This is where you can set the versions of VCRedist to look for
    $VCredistVersions = @("2005", "2008", "2010", "2013", "2015", "2019")

    # Loop through each version
    foreach ($Version in $VCredistVersions) {
        # Win32_Product is slow and triggers MSI consistency checks, so query it once per version
        $Packages = Get-WmiObject -Class Win32_Product -ErrorAction Stop |
            Where-Object { $_.Name -like "*Microsoft Visual C++ $Version Redistributable*" } |
            Select-Object Name, LocalPackage

        if ($Packages) {
            Write-Host "Found Microsoft Visual C++ $Version Redistributable. Removing old versions and installing latest..." -ForegroundColor Yellow

            foreach ($Package in $Packages) {
                $packagename = $Package.LocalPackage
                # Run the actual uninstall (0 = success, 3010 = success but a reboot is pending)
                cmd.exe /c "msiexec /x $packagename /qn"
                if ($LASTEXITCODE -eq 0 -or $LASTEXITCODE -eq 3010) {
                    Write-Host "Successfully uninstalled $packagename!" -ForegroundColor Green
                } else {
                    Write-Host "msiexec returned $LASTEXITCODE for $packagename" -ForegroundColor Red
                }
            }

            # Install latest version (the vcredist packages pull in both x64 and x86)
            choco upgrade vcredist$Version -y -f
        }
    }
}
```

## SCCM Script – Force Windows update from SCCM or Microsoft

Sometimes I have a server or workstation that, for whatever reason, I need to update outside of its scheduled maintenance window. Instead of having to RDP in and update manually, I have this SCCM script. To create, approve and add SCCM Scripts see this post. This script can be run directly on a workstation, but it is meant to be run out of SCCM. I'll share another version of this that can be used outside of SCCM. The magic behind this script is a module called PSWindowsUpdate, an awesome module that lets you kick off updates from PowerShell. It will log the updates that were installed in a file on the C:\ drive named PSWindowsUpdate-<date>.log. If you are "watching" this, you can PS-remote into the endpoint and run this command to tail the log file and watch the progress:

```powershell
type C:\PSWindowsUpdate-<date>.log -Wait
```

Script:

This one will get all available updates from Microsoft.

```powershell
try {
    Import-Module PSWindowsUpdate -ErrorAction Stop -Verbose
}
catch {
    # Module not present: pull it from the PowerShell Gallery, then load it
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Install-Module PSWindowsUpdate -Force -Confirm:$false -Verbose
    Import-Module PSWindowsUpdate
}
Import-Module PSWindowsUpdate
$updatelist = 0

# List what is currently available before kicking off the job
$updatelist = Invoke-Command -ScriptBlock {
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
    Get-WindowsUpdate -WindowsUpdate -Verbose
}

# Run the install as a scheduled job that starts right away; output goes to C:\PSWindowsUpdate-<date>.log
Invoke-Command -ScriptBlock {
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
    $date = Get-Date -Format MM-dd-yyyy-HH-mm-ss
    Invoke-WUJob -RunNow -Script "Set-ExecutionPolicy -ExecutionPolicy Bypass; ipmo PSWindowsUpdate; Get-WindowsUpdate -MicrosoftUpdate -Verbose; Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot | Out-File C:\PSWindowsUpdate-$date.log" -Confirm:$false -Verbose
} -Verbose
```

This one will get all the updates that have been approved through SCCM.

```powershell
try {
    Import-Module PSWindowsUpdate -ErrorAction Stop -Verbose
}
catch {
    # Module not present: pull it from the PowerShell Gallery, then load it
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Install-Module PSWindowsUpdate -Force -Confirm:$false -Verbose
    Import-Module PSWindowsUpdate
}
Import-Module PSWindowsUpdate
$updatelist = 0

# List what is currently approved/available from the configured update source (SCCM)
$updatelist = Invoke-Command -ScriptBlock {
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
    Get-WindowsUpdate -Verbose
}

# Run the install as a scheduled job that starts right away; output goes to C:\PSWindowsUpdate-<date>.log
Invoke-Command -ScriptBlock {
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
    $date = Get-Date -Format MM-dd-yyyy-HH-mm-ss
    Invoke-WUJob -RunNow -Script "Set-ExecutionPolicy -ExecutionPolicy Bypass; ipmo PSWindowsUpdate; Get-WindowsUpdate -Verbose; Install-WindowsUpdate -AcceptAll -AutoReboot | Out-File C:\PSWindowsUpdate-$date.log" -Confirm:$false -Verbose
} -Verbose
```