JamesRood

Monitor for TLS 1.2 Enablement


So, you're here because in 1 month's time, on 1st September, you're going to lose a bunch of Automate agents due to TLS 1.2 compatibility. https://docs.connectwise.com/ConnectWise_Automate/ConnectWise_Automate_Supportability_Statements/Supportability_Statement%3A_TLS_1.0_and_1.1_Protocols_Unsupported

So here are some measures that, while not foolproof, I whipped up in a couple of hours yesterday to at least get a good head start on sorting these devices out.

1) Two searches: one that identifies Vista and below, which will be gone no matter what you do, and one that identifies your Windows 7, Server 2008 and Server 2008 R2 machines, which you can at least try to save.

2) Two remote monitors: one that checks whether the TLS 1.2 patch is even applied to the machine, and one that checks whether the DisabledByDefault registry key is set to 0.

3) Two scripts that can be used as an Autofix action to install the patch and set the registry key if necessary.

 

So, 1) Attached are the two searches.

2) You will want two remote monitors assigned to a group that you have limited to the 7-2008-2008R2 search. The first is an EXE monitor with this as the EXE. You want to monitor for the condition of "Exists".

"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "(get-hotfix -Id KB3140245,KB4019276 -ErrorAction silentlycontinue).hotfixid"

This is your monitor for whether the patch is installed or not.

Second monitor is to check if the registry key is set correctly. For this you can use a Registry key remote monitor to look at the following key. You want to monitor for a condition of "0". 

SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault

3) The Autofix scripts. First is "Enable TLS 1.2". You will need Darren White's Email Technician function script; otherwise just remove lines 8, 9, 10, 13, 14 and 15. You can then set this script as an Autofix action for your remote monitor checking for the registry key.

Second is "Deploy TLS1.2 Patch". You will need to enter the URLs to the patches here, which you can download from the MS website. I wasn't sure if these were static URLs or not, so I downloaded them and uploaded them to our web server, which is why I've stripped the URLs out. You can get the downloads from the links provided in ConnectWise's KB article at the top of this post. Again, you can then set this as an Autofix action against your monitor to check if the patch is installed. This patch will also set the registry keys as well as installing the patch. NOTE! It does not do anything but download the file on servers by default. You can edit lines 22 and 25 to GOTO :Install Patch instead if you want to allow it to automatically make changes to servers as well. It will not reboot machines, as the WUSA command has the /norestart switch. You can drop that if you want to force reboots.

I will throw one disclaimer out there. The Deploy TLS 1.2 script has had limited testing. We found that out of the machines that we tested that failed to have the patch installed, there was an underlying issue with patching in general. 

 

EDIT: So it would appear that there is another registry key potentially required. That is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and, for 64-bit machines, HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp. The value required is "DefaultSecureProtocols" and it needs to be set to 0x00000800.

Again, you can just fire up remote monitors for these, and then have an Autofix script to set these appropriately. All I did for mine was copy the Enable TLS 1.2 script and swap out lines 6 and 7 appropriately, like below (note the OS versions it runs on were changed for line 7 from Windows Server to Windows 64-bit).

[Screenshot: the modified lines 6 and 7 of the copied Enable TLS 1.2 script]

Attachments: Deploy TLS 1.2 Patch Script.xml, Enable TLS 1.2 Script.xml, XP-2003-Vista Search.xml, 7-2008-2008R2 Search.xml

Edited by JamesRood
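A read-only readiness check for the registry values described in this post, added here as an example and not one of the attached scripts. It assumes the value names and paths given above (SCHANNEL Client DisabledByDefault, WinHttp DefaultSecureProtocols with the 0x800 bit) and treats DefaultSecureProtocols as a bitmask, so a combined value such as 0xA00 also passes; it is written for PowerShell 2.0 so it runs on Windows 7 / 2008 R2 as shipped.

```powershell
# Added example (not from the thread's attached scripts): report TLS 1.2 registry readiness.
# Run in an elevated PowerShell; nothing is written, it only reads and reports.
$SchannelClient = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$WinHttpNative  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$WinHttpWow64   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$Tls12Bit       = 0x800   # DefaultSecureProtocols bit for TLS 1.2 (0x00000800 in the EDIT above)

function Get-RegValue([string]$Path, [string]$Name) {
    # Get-ItemProperty throws when the key or the value is absent; report that as $null ("not set")
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Tls12Registry {
    # SCHANNEL: the remote monitor's condition is the value being exactly 0 ($null -eq 0 is false)
    $disabled   = Get-RegValue $SchannelClient 'DisabledByDefault'
    $schannelOk = ($disabled -eq 0)

    # WinHTTP: native key always, Wow6432Node only on a 64-bit OS (the key does not exist on 32-bit)
    $paths = @($WinHttpNative)
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') { $paths += $WinHttpWow64 }
    $winHttpOk = $true
    $dspValues = @{}
    foreach ($p in $paths) {
        $dsp = Get-RegValue $p 'DefaultSecureProtocols'
        $dspValues[$p] = $dsp
        # bitmask test: 0x800 on its own or combined with other protocol bits both count as enabled
        if ($null -eq $dsp -or (($dsp -band $Tls12Bit) -ne $Tls12Bit)) { $winHttpOk = $false }
    }

    New-Object PSObject -Property @{
        SchannelDisabledByDefault = $disabled
        SchannelOk                = $schannelOk
        WinHttpValues             = $dspValues
        WinHttpOk                 = $winHttpOk
        Tls12Ready                = ($schannelOk -and $winHttpOk)
    }
}

$report = Test-Tls12Registry
$report | Format-List SchannelDisabledByDefault, SchannelOk, WinHttpValues, WinHttpOk, Tls12Ready
if (-not $report.Tls12Ready) { exit 1 }   # non-zero exit code so a script-based monitor can alert on it
```

The WinHTTP check only means anything once the KB3140245/KB4019276 update is installed, since that update is what makes WinHTTP honour DefaultSecureProtocols.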

Interesting development. We might be seeing false positives on the PowerShell command to detect the update.

I have a few machines where

"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "(get-hotfix -Id KB3140245,KB4019276 -ErrorAction silentlycontinue).hotfixid"

returned a fail. Manually running the installer for the 3140245 update said it was already installed.

However, running the following:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | Where {$_.Title -like "*KB3140245*"} | ft title

Returns that the update is in fact installed.  

Title
-----
Update for Windows 7 for x64-based Systems (KB3140245)

It seems like get-hotfix and wmic qfe all actually rely on WMI for updates installed by CBS but not something done manually (although to be honest I don't think the machine I am testing on had that installed manually)

 

Out of 235 machines still running Windows 7 or 2008 R2 (sigh), only 4 seem to exhibit this issue, so probably not worth the effort to change the setup.

Edited by Mark Hodges
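A detection routine that combines the original post's Get-HotFix monitor with the Windows Update Agent lookup from Mark's reply, added here as an example rather than code from either post. It assumes the two KB numbers named in the thread, tries Get-HotFix first and only falls back to the (slower) Microsoft.Update.Session search when Get-HotFix returns nothing, which is the case on the machines Mark describes; written for PowerShell 2.0 so it runs on Windows 7 / 2008 R2 as shipped.

```powershell
# Added example (not the thread's monitor): find the WinHTTP TLS 1.2 update by two methods.
$KbIds = @('KB3140245', 'KB4019276')   # the two KB numbers used by the thread's EXE monitor

function New-Result([bool]$Installed, [string]$Found, [string]$Method) {
    New-Object PSObject -Property @{ Installed = $Installed; Found = $Found; Method = $Method }
}

function Test-WinHttpTls12Patch {
    param([string[]]$Ids = $KbIds)

    # Method 1: Win32_QuickFixEngineering via Get-HotFix (what the post's EXE monitor queries).
    # @() forces an array so .Count works even when a single object or nothing comes back.
    $qfe = @(Get-HotFix -Id $Ids -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    if ($qfe.Count -gt 0) { return New-Result $true ($qfe -join ',') 'Get-HotFix' }

    # Method 2: installed-update history from the Windows Update Agent, as in Mark's snippet.
    # This can take a while and needs the Windows Update service to be reachable.
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search('IsInstalled=1')
        foreach ($u in $result.Updates) {
            foreach ($id in $Ids) {
                if ($u.Title -like "*$id*") { return New-Result $true $id 'Microsoft.Update.Session' }
            }
        }
    } catch {
        # WUA unavailable (service disabled, offline, COM error): fall through and report not found
    }
    New-Result $false '' 'none'
}

$r = Test-WinHttpTls12Patch
# Print only when the patch was found, so the EXE monitor's "Exists" condition still applies;
# the Method field shows which lookup succeeded, which is useful when reconciling the two counts.
if ($r.Installed) { "$($r.Found) via $($r.Method)" }
```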

3 hours ago, Roland Penton said:

I am new to CW.

I am assuming I would import the searches into Automate.

Can you point me to a document on the process?

 

Thank you

Basically import the XML Expansions and optionally move scripts to your own folder path.

Then create a new GROUP and filter it to only include Items in the Search results (you can select the new searches that it imports)

Then save the group, click on Computers, then Remote Monitors, and from there you can pick the type EXE as a monitor and put in the PowerShell command provided.

Then you can do another remote monitor and select Registry, put in the path provided (after selecting HKLM), then change the check to Contains and set the value to 0.

Now, for the Autofix options, I would recommend editing the scripts that patch and using the links James has in the script to save a copy of the files (since he did the work already) or, if you are concerned, download them manually and change the download links to your own file share (I use Dropbox and just change the DL=0 to DL=1 in the shared link).

Then you can create new alert templates, and assign your registry and patch scripts to each of the templates.

11 hours ago, Mark Hodges said:

Interesting development. We might be seeing false positives on the PowerShell command to detect the update.

I have a few machines where

"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command "(get-hotfix -Id KB3140245,KB4019276 -ErrorAction silentlycontinue).hotfixid"

returned a fail. Manually running the installer for the 3140245 update said it was already installed.

However, running the following:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Searcher.Search("IsInstalled=1").Updates | Where {$_.Title -like "*KB3140245*"} | ft title

Returns that the update is in fact installed.  

Title
-----
Update for Windows 7 for x64-based Systems (KB3140245)

It seems like get-hotfix and wmic qfe all actually rely on WMI for updates installed by CBS but not something done manually (although to be honest I don't think the machine I am testing on had that installed manually)

 

Out of 235 machines still running Windows 7 or 2008 R2 (sigh), only 4 seem to exhibit this issue, so probably not worth the effort to change the setup.

Yeah I saw the exact same thing and did quite a bit of digging about the whole QFE thing but essentially settled that I will have a few that just don't detect properly. I was on a tight schedule to get these monitors out in just a couple of hours so didn't have the time to troubleshoot too much. Thankfully CW gave us another month so the pressure has been relieved a little bit!

Thanks for replying to Roland 👍


I found in the patch script that there was no GOTO: Install for 2008 and 2008R2. It would just exit after downloading until I added that.

11 hours ago, blckpythn said:

I found in the patch script that there was no GOTO: Install for 2008 and 2008R2. It would just exit after downloading until I added that.

That's correct, as per my original post:

On 7/31/2020 at 9:40 AM, JamesRood said:

NOTE! It does not do anything but download the file on servers by default. You can edit lines 22 and 25 to GOTO :Install Patch instead if you want to allow it to automatically make changes to servers as well.

 
