SCCM Script – Uninstall McAfee

Here is a short but effective script to be run out of SCCM to completely uninstall McAfee from a device. Obviously EPO will do the same thing but usually you have to wait for the agents to check in. This script is great for those pilot users or systems that just aren’t playing nice. The script will first check to see if the EPO agent is installed and if so it will run the agent force uninstall. Next, it will run through add/remove programs and uninstalls anything with “McAfee” in the title. Finally, it copies the McAfee Endpoint product removal tool which removes anything left over, then reboots. I cannot supply the McAfee Endpoint product removal tool. However, if you have EPO already you can download the tool from McAfee for free. Due to this, you will need to update the hash value in the if statement otherwise the tools will not run. You can remove the if statement if you wish. Although, I highly recommend you always hash any files you are copying in your scripts. In my experience, has been the sledgehammer to uninstall McAfee. I hope it helps!

### Checks for the agent locally installed and if so it runs the force uninstall of the agent
if (Test-Path -Path "C:\Program Files\Mcafee\Agent\x86\FrmInst.exe" ) {
    start-process -Wait -FilePath "C:\Program Files\Mcafee\Agent\x86\FrmInst.exe" -ArgumentList "/forceuninstall"
}

### Checks installed programs looking for any package with the name 
$Packages = get-wmiobject -Class Win32_Product| where {$_.name -like "*McAfee*"}| select * -ErrorAction Stop

foreach ($Package in $Packages) {
    $name = $package.LocalPackage        
    cmd.exe /c "msiexec /x $name /qn"        
}

### Create a temp dir if its not already there and copy the uninstall tool 
$dir = "C:\temp"
mkdir $dir

### Copy McAfee Endpoint product removal tool to the local PC
robocopy "\\Path\to\Source\Folder"  "C:\temp" "McAfeeEndpointProductRemoval_20.11.0.111.exe"

#Get hash value of the file we just copied... JUUUUST in case
$hash_value = Get-FileHash -Path "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe"

#Compare the hash value and only run the exe if they match.  
if ($hash_value -eq "4690CFDD6C9557EBA62D079255A14A3416F1BD3E91237D1259126837274949BF") {

    #Run the uninstall silently
    Start-Process -FilePath "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe" -Wait -ArgumentList "--accepteula --ALL"

  
}

#Remove the uninstall tool since we are done with it
Remove-Item -Path "C:\temp\McAfeeEndpointProductRemoval_20.11.0.111.exe" -Force -Confirm:$false

Tagged : / /

SCCM Script – Choco Checker (check for and install chocolatey)

This is a pretty straight forward script that I end up using in a lot of other scripts. Firstly, it checks for Chocolatey with the “choco” command. If Chocolatey is not installed, it attempts the install. I go over what Chocolatey is and what you can do with it in this post. You can learn how to create scripts in SCCM here. This does not HAVE to be used out of SCCM, it is just convenient.

Script

try {
	invoke-command -scriptblock {choco} -erroraction stop
	write-host "Has Choco. all is good!"
}

catch {
	Write-Host "Needs Choco.  Trying install..." 
	try {
		invoke-command -scriptblock {Set-ExecutionPolicy Bypass -Scope Process -Force; Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))} -ErrorAction Stop
	}
	catch {
		write-host "Install Failed"
	}
		
}
Tagged : /

Add Sites to Java security exceptions list with Powershell

Java security exceptions are a pain. Its a setting that needs to be set for each users. You should add sites to this list sparingly but chances are that if you have any internally hosted websites that use java, one of them will need to be in the exception list. Here is a script that will add sites to java security exceptions list with powershell.

Deployment Options

The easiest way to use this script is to add to it SCCM. You can see how to do that in this post. This script can be run on a local PC as well or run on a remote PC using PSSession.

Script

The only thing for you to edit in this script is the $SiteList array. The script will read all the user folder and add the sites that are in the $SiteList array to the Java security exceptions list for each of those users.

$SiteList = @()
$SiteList = (
    "https://site1.local.com",
    "https://site2.local.com"
)

$UserFolders = Get-ChildItem -Path C:\users | select -ExpandProperty Name

foreach ($User in $UserFolders) {
    foreach ($Site in $SiteList) {
        Add-Content -Path "C:\users\$User\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites" -Value "$Site"
    }    
}
Tagged : / /

SCCM Script – Disable Weak TLS and SSL

This SCCM script will make sure TLS 1.2 is enabled and disables TLS 1.0, TLS 1.1, SSL 2.0 and SSL 3.0. To create approve and add SCCM Scripts see this post. It will create and set the appropriate registry keys. No reboot is required. This will start working once applied. Be warned this may break some older web applications so always test:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
 
Write-Host 'TLS 1.2 has been enabled.'



 
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
            
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
            
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
            
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
            
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 2.0 has been disabled.'




New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'SSL 3.0 has been disabled.'


New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.0 has been disabled.'




New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
    
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
    
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

To run the script you find the device or collection you want to run it on. Right click and click Run Script and select the script you want to run.

Tagged : / / / / /

SCCM Script – Visual C++ Redistributable updater

While windows update will update the VCRedist packages you have installed it will not remove the old versions. Here is a script that can be used from the SCCM scripts section. To create approve and add SCCM Scripts see this post. The script will first check to see if chocolatey is installed and will attempt to install it if not found. After that as long as chocolatey was installed successfully it will move on to looking for installs of VCRedist and will uninstall all versions found and use chocolatey to install the latest version (it will install both x64 and x86). See comments in code for a few details like where you can add or remove versions to look for.

#Start checking for Chocolatey
try {
	invoke-command -scriptblock {choco} -erroraction stop
    write-host "Has Choco. all is good!"
    $Choco_installed = $true
}

catch {
	Write-Host "Needs Choco.  Trying install..." 
	try {
		invoke-command -scriptblock {Set-ExecutionPolicy Bypass -Scope Process -Force; Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))} -ErrorAction Stop
        $Choco_installed = $true
    }
	catch {
        write-host "Install Failed"
        $Choco_installed = $false
	}
		
}
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -force;


#Checks to see if the above was successful
if ($Choco_installed -eq $true) {
    #this is where you can set the versions of VCRedist to look for
    $VCredistVersions = @()
    $VCredistVersions = (
        "2005",
        "2008",
        "2010",
        "2013",
        "2015",
        "2019"
    )

#Loop through each version
    foreach ($Version in $VCredistVersions) {
        if (get-wmiobject -Class Win32_Product| where {$_.name -like "*Microsoft Visual C++ $Version Redistributable*"}| select name,localpackage) {
            Write-Host "Found Microsoft Visual C++ $version Redistributable.  Removing old versions and installing latest..." -ForegroundColor Yellow
            $Packages = get-wmiobject -Class Win32_Product| where {$_.name -like "*Microsoft Visual C++ $Version Redistributable*"}| select name,localpackage -ErrorAction Stop
                    foreach ($Package in $Packages) {
                        $packagename = $Package.localpackage    
#Run the actual uninstall                        
cmd.exe /c "msiexec /x $packagename /qn"
                        Write-Host "Successfully uninstalled $packagename!" -ForegroundColor Green
                    }
                    #Install latest version
                    choco update vcredist$version -y -f
        } 
    }
}
Tagged : / / /