Creating a Remediation operation for SCCM

A Remediation operation uses information gathered from a vulnerability management system to create an operation that corrects those vulnerabilities on servers managed with SCCM. You launch a Remediation operation from the Operator Dashboard

This topic contains the following sections:

Overview

In SecOps Response, security personnel typically use the Security Dashboard to assess the vulnerabilities affecting their server environment, spot historical trends, and project days needed to close all vulnerabilities. Operations personnel use the Operator Dashboard to identify vulnerabilities on servers and filter those vulnerabilities down to a set with the highest priority for remediation.  

When you have used the Operator Dashboard to identify a set of vulnerabilities that require remediation, you can launch the Remediation operation wizard directly from the dashboard. When you complete the wizard, SecOps Response generates operations that deploy software updates, applications, or application packages in SCCM to correct vulnerabilities detected on the servers you manage. A different operation is created for each of those types of deployments. You can view the progress of operations on the home page

Examples of the process

To view a topic that shows how to create a Remediation operation, see Walkthrough: Using SCCM to remediate server issues detected in a vulnerability scan.

 If you are connected to SCCM, you can take an interactive self-guided tour of the remediation process  (login to SecOps Response required). 

How does SecOps Response interact with SCCM?

When you complete the Remediation wizard and launch a Remediation operation, SecOps Response interacts with SCCM to perform the following actions:

  1. The initial actions differ depending on the type of operation:
    • For Software Updates, SecOps Response:
      1. Creates a collection of devices based on the targets specified in the the wizard. The collection is created in the background using Powershell calls.
      2. Creates a software update group containing all updates that are mapped to vulnerabilities and specified in the wizard. The software update group is created in the background using Powershell calls.
      3. Creates a deployment package (used to download software updates).
        Device collections, software update groups, and deployment packages are all assigned names using the same convention: OperationName_CollectionName_SRS. For example, JunitJob_All Systems_SRS.
      4. Downloads the contents of the software update group to a shared folder. The shared folder is identified during the onboarding process.
    • For Applications or Application Packages, SecOps Response creates a device collection of all selected targets on the SCCM server. The collection is created in the background using Powershell calls. The collection is assigned a name using this convention: OperationName_Application/PackageName_DeploymentType_CollectionName_SRS. For example, ToolkitUpdate_Config Mgr Toolkit_Package_All Systems_SRS.
  2. SecOps Response distributes the deployment package, application, or application package to distribution points for which the user has access. Security scopes control user access to distribution points. You can set configuration parameters to determine what percentage of distribution points must receive the deployment package before the Remediation operation begins.
  3. SecOps Response starts deployment of remediation content to target devices. The operation remains in a Running state in SecOps Response until all target devices have a status of compliant, non-compliant, or failed. Deployment can only proceed on a target when the policies defined for that device allow updates. (For example, a policy might specify a periodic software inventory for a server, and that inventory triggers deployment of  remediation content.) Because of this dependency on server-specific policies, the timeframe to complete a deployment can be lengthy.

Note

SecOps Response does not check for maintenance windows.

Before you begin

For SecOps Response to interact successfully with SCCM:

  • The SecOps Response user must have sufficient privileges in SCCM to create device collections, software update groups, and deployment packages. The user could have full administrative privileges in SCCM, but if you do not want to grant such extensive authority, the user must at minimum belong to an Active Directory group that is associate with at least one of the following security roles:
    • Operations Administrator
    • Infrastructure Administrator
  • A shared folder must be created on the SCCM server. All SCCM clients must have access to the shared folder. The shared folder is identified during the onboarding process.
  • Device collections should always be assigned to Active Directory groups.

To create a Remediation operation

  1. Open the Operator Dashboard by selecting SecOps Response > Operator Dashboard
  2. Use the filtering tools to identify a set of vulnerabilities that require remediation, as described here
  3. Launch the Remediation wizard by clicking Remediate. The wizard opens and shows the Definition page.

     If the Remediate button is not enabled, click here for more information.

    The Remediate button is only enabled when a set of conditions are satisfied, as illustrated in the following flowchart.

      Enable Remediate button flowchart


    If you answer yes to all the questions in the flowchart and the Remediate button is still not enabled, contact BMC Support

  4. Perform the following steps:

    1. Complete each page in the Remediation Operation wizard. The pages are listed below. Each page corresponds to one of the following sections on this page.
      After you provide all required information for a page, proceed to the next page by clicking Next (at bottom) or clicking the next chevron in the ribbon at top. At any time you can click Back (at bottom) to display the previous page in the process. Do not use the browser's Back button.

    2. When you have finished defining the operation, click Finish.
      When you click Finish, a placeholder message appears on the home page. The placeholder states that one or more operations are being created. You can follow links in the message to check the status of any operations being created. Refreshing the page shows the updated status of the operations. When the creation of the operation is complete, you can refresh the page so the operation appears on the home page. You can run the operation immediately or it can run according to its schedule. 
      You can also click Finish to save the operation even if you have not visited all the pages in the wizard.

The following sections describe in detail each step in the Remediation Operation wizard.

Definition

The Definition page provides general information about the operation.

The Definition page includes the following options:

OptionDescription
Name

Name of the operation.

When the wizard creates operations, it uses the following conventions to generate names:

For Software Update operations:

<text entered in Name field>_<target system collection>_SRS

For example, if you name this operation SCCMPasswordSecurity, and the operation is a software update that will be deployed to all managed servers, the operation will be named SCCMPasswordSecurity_All Systems_SRS

For Application and Package operations:

<text entered in Name field>_<type of operation>_<target system collection>_SRS

For example, if you name this operation SCCMPasswordSecurity, and the operation is an application package that will be deployed to all managed servers, the operation will be named SCCMPasswordSecurity_Package_All Systems_SRS.

Description

Optional descriptive text for the operation.

By default, descriptive text is added that lists the filters in effect and the scan files being used when you launched this wizard.

Security GroupSpecifies your current security group. If you are assigned to more than one group, this option is available. If you are assigned to only one group, this option defaults to that group and you cannot edit this option.

The boxes at right summarize the information provided for each page in the wizard.

Remediations

The Remediations page consists of a list of vulnerabilities requiring remediation. Each row represents a separate vulnerability that has been discovered on an endpoint and mapped to remediation content.

To appear on the Remediations page, a vulnerability must appear in the Actionable Vulnerabilities list of the Operator Dashboard. You can use filters on the Operator Dashboard to control the contents of the Actionable Vulnerabilities list.

Using the Remediations page, you can remove remediations from the list of those being deployed by clearing checkmarks on each row.

If necessary, you can sort the list of remediations by clicking on header names. You can also filter the items displayed in the list using the search boxes at the top of each column. Be aware that filtering items so they do not appear in the list does not remove those items from the list of remediations to be corrected. To remove a vulnerability, you must explicitly deselect that row so it does not include a check mark.

Modifying contents of the list

To remove a target from the list, click on a row representing a server. Clicking the row again, selects the target.

To remove all targets from the list, click the deselect all option, shown below. Clicking the option again, selects all targets.

 

Sorting data in columns

Sort columns of data on this page by clicking on column headers.

Filtering data in columns

Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.

Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.

SCCM Configuration Details

The SCCM Configuration Details page shows some configuration details.

This page is read only, and it only applies when SecOps Response is connected to SCCM. The values on this page are established during the onboarding process. This information may be useful for troubleshooting purposes.

This page provides the following information:

OptionDescription
Shared Folder Location (UNC)Read only: A folder on the SCCM server that all SCCM clients can access. The contents of the software update group used for remediation are downloaded to the shared folder. The shared folder is identified during the onboarding process. The location is identified using the Universal Naming Convention (UNC).

Operation

The Operation page lets you schedule and configure the operation or operations that the wizard creates. 

The Operation page shows the operations being created by the Remediation operation wizard in the Planned Operations section.

The page also lets you define a schedule for the operations. The schedule you define corresponds to the "software available time" that can be defined for a software deployment in SCCM. By default a deployment defined through SecOps Response specifies a software deadline time for this deployment to be one week after the software available time you schedule on this page.

Defining a schedule

  1. Click With Schedule.
  2. Click the clock icon  beside Run Once At.
    An interface similar to a digital clock appears.
  3. Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
  4. Select the date when the operation runs.
  5. Select a time zone for the operation.

Executing operations immediately

You can schedule the operation to run immediately after you finish the Remediation operation wizard by clicking Execute Now.

Where to go next

After you have launched a remediation operation, it appears on the home page. There you can use the capabilities of SecOps Response for ongoing management of operations, such as executing the operation (if it has not already run), deleting the operation, or viewing results.

To view results of the remediation operation after it executes, see SCCM Remediation operation results - Viewing and using.

Was this page helpful? Yes No Submitting... Thank you

Comments