A use case for CMPivot: look for installed software FAST!

A use case for CMPivot: look for installed software FAST!

This is an extensive explanation on how CMPivot can help you pull information from clients in Configuration Manager. Specifically, we'll lookup an MSI Product Code for use with the Detection Method for an Application Deployment Type. But it covers some technical background and hints I hope you'll find useful. TL;DR If you already know about CMPivot and remote PowerShell and WMI, skip ahead to the CMPivot queries. If not, read on! What is CMPivot? If you're on Configuration Manager CB 1806 or later, you have access to the CMPivot feature. If you've never used it, just select a Device Collection in the CM Console and click Start CMPivot in the Actions Ribbon. You can't go wrong playing around with it as it only queries devices for stuff in a read-only fashion. But maybe start with a limited collection to avoid high resource impact. When you open the CMPivot tool, the Welcome message has a good description of what it can be used for: Note that...
Read More

Microsoft Defender ATP & Configmgr CMPivot with a CMG (Cloud Management Gateway) better together; How we saved the customer from Emotet related malware

In September 2018, one of our customers was targeted by a phishing attack in attempts to infiltrate malicious code on their systems. These attempts were successful and a widespread Emotet-related malware attack followed. This is the story on how we countered and contained it with the use of Configuration Manager CB 1806 and CMPivot. One of the tricky parts was that most workstations where still Windows 7 and Windows 7 embedded. Only 20% was native Windows 10 1709. The phishing email was well disguised and was made to believe it originated from a corporate director. The content of the email suggested that invoices had not been paid and requested the addressee to open attached Excel or PDF file and follow up. This was convincing enough to some, who indeed opened the files and clicked on whatever links or “Enable content” messages held within. This triggered the seemingly random creation of executables on the local system, which in turn contacted Command &...
Read More