WMI Query - Subscription and/or Automation

  • Question

  • Good Afternoon:

    I am trying to create some subscription-based and/or automated WMI queries within SCCM.  Basically I have a WMI query that is working just fine standalone.  I want to use this WMI query, in this case to determine if USB devices are connected, to run at a frequent interval.  Is there any way I can use a WMI query or subscriptions to get this to generate a report and/or alert via email or any other means?

    I googled high and low with no luck - any help would be much appreciated.

    FYI - the Hardware Subscription is great - but it does not run frequently enough for me as I need this done pretty frequently.  Also SCOM is not an option for this either.

    Thanks for any help in advance

    Monday, June 2, 2014 10:34 PM

Answers

  • IMO “The Bosses” (and feel free to pass along my comments to them) need to re-think this request / requirement. There is no “if”, “and” or “but” about it.  

    If this is strictly for auditing then why do you need inventory every 2 minutes? You don’t! You only need every 2 minutes if you are attempting to “catch” someone in the act.

    Let’s assume for just one minute that you can in fact be notified within 2 minutes that someone has inserted a USB drive into a system; that is more than enough time for a hacker to get the data they want. Heck, it would take another 3-5 minutes to get to the PC and shut it down.

    This means that the data has been exposed to the world. The only (fairly) sure-fire way to prevent this is for you to lock out the USB (and other devices like Bluetooth) from the system.

    So let’s bring this back to the original question: can CM12 or OM12 be used to capture this data? Sure, but it can NEVER be used in a court of law. Why? Because just about anyone can edit the data in the database and leave no trail. Therefore does it make sense to do this with CM12 or OM12, particularly when you need 2 minutes to get the data back?  IMO no, it does not.  Therefore does it make sense to do this with CM12 or OM12 at all? It depends on the data and how it is used and how much data there is.

    Really “The Bosses” need to stop worrying about “catching” someone in the act; instead they should put their effort into preventing it by blocking all USB ports.


    http://www.enhansoft.com/

    • Proposed as answer by Dogtamer Wednesday, December 24, 2014 5:18 AM
    • Unproposed as answer by Dogtamer Wednesday, December 24, 2014 5:18 AM
    • Proposed as answer by Garth JonesMVP Monday, March 23, 2015 1:47 AM
    • Marked as answer by Garth JonesMVP Monday, February 1, 2016 6:27 PM
    Tuesday, June 3, 2014 10:13 PM
  • Thanks everybody for your time and responses - I am more versed in SCCM and only have an intermediate grasp on SCOM.

    I suggested this to another admin on our team who configured SCOM - and he mentioned that we just are licensed for this as we need to query all the workstations in our topology (based on the agent-based subscription - it would cost too much based on the number of workstations we have), as we use SCOM for server monitoring currently.  Can this query be run without the SCOM agent installed?  IE: Agentless Managed -  I am going to do more research now. 

    Tuesday, June 3, 2014 3:32 PM

All replies

  • How frequently do you need it run?

    Jason | http://blog.configmgrftw.com

    Monday, June 2, 2014 11:26 PM
  • PowerShell can be used to create permanent WMI subscriptions.

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx

    Hope this helps


    Knowledge is Power{Shell}

    DexterPOSH

    My Blog

    Tuesday, June 3, 2014 3:31 AM
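As an added example of the permanent WMI subscription approach suggested above (this is not DexterPOSH's code nor from the linked article), the script below registers an __EventFilter for USB disk arrivals, a LogFileEventConsumer that writes one line per event, and the __FilterToConsumerBinding that ties them together. Because it is event-driven rather than polled by an inventory cycle, a drive that is plugged in and pulled seconds later is still recorded. The subscription names, the log path and the 5-second WITHIN interval are my own choices; it must be run elevated.

```powershell
# Added example: a permanent WMI event subscription that logs USB disk arrivals
# as they happen, instead of collecting inventory on an interval. Run elevated.
# Names, log path and WITHIN interval are assumptions chosen for this example.
$ns = 'root\subscription'

# Filter: intrinsic event raised when a Win32_DiskDrive with InterfaceType USB
# appears. WITHIN 5 makes WMI poll root\cimv2 every 5 seconds for this
# intrinsic event, so worst-case detection latency is 5 seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA 'Win32_DiskDrive' " +
         "AND TargetInstance.InterfaceType = 'USB'"

$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'USBDiskArrivalFilter'
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = $query
}

# Consumer: append one line per event to a log file. The %...% tokens are
# WMI standard string templates filled from the event object; TIME_CREATED
# is the event's FILETIME (100-ns intervals since 1601-01-01 UTC).
$consumer = Set-WmiInstance -Namespace $ns -Class LogFileEventConsumer -Arguments @{
    Name            = 'USBDiskArrivalLog'
    Filename        = 'C:\ProgramData\usb-disk-arrivals.log'
    Text            = 'USB disk attached: model=%TargetInstance.Model% serial=%TargetInstance.SerialNumber% pnp=%TargetInstance.PNPDeviceID% time=%TIME_CREATED%'
    MaximumFileSize = 0      # 0 = no size limit
}

# Binding: connect filter to consumer. From here on the subscription lives in
# the WMI repository and keeps running across reboots and logoffs.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# Audit helper: list every permanent subscription on the box. Attackers use
# the same mechanism for persistence, so run this even if you never create one.
function Get-PermanentWmiSubscription {
    $filters = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_.Query }
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Filter/Consumer are relative object paths such as __EventFilter.Name="X"
        $name = $_.Filter -replace '^.*Name="([^"]*)".*$', '$1'
        [pscustomobject]@{
            Filter   = $name
            Query    = $filters[$name]
            Consumer = $_.Consumer
        }
    }
}

# Removal, in reverse order of creation, once the subscription is no longer wanted.
function Remove-UsbDiskArrivalSubscription {
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match 'USBDiskArrivalFilter' } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class LogFileEventConsumer -Filter "Name='USBDiskArrivalLog'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='USBDiskArrivalFilter'" |
        Remove-WmiObject
}

Get-PermanentWmiSubscription | Format-Table -AutoSize
```

Two caveats worth keeping in mind. The log file and the WMI repository are both writable by any local administrator, so a record that has to survive scrutiny should be forwarded off the host (for example by pointing a CommandLineEventConsumer at a tool that writes to the Windows event log and collecting that centrally) rather than trusted where it was written. And because __FilterToConsumerBinding is a well-known persistence technique, the audit function above is the kind of check a responder would run on any machine, not only ones where a subscription was deliberately installed.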
  • Thank you both for your reply.

    I honestly need it to run every 60 seconds - I know it sounds crazy, just a requirement to capture that data.

    Tuesday, June 3, 2014 1:34 PM
  • My opinion: CM isn't the place that could do every 60 seconds "something".  Even with state messages the most frequent interval is every 15 minutes.

    This sure sounds like a SCOM thing to me...


    Standardize. Simplify. Automate.

    Tuesday, June 3, 2014 1:43 PM
  • I strongly concur with Sherry on this -- this is not a task suited for ConfigMgr.

    Jason | http://blog.configmgrftw.com

    Tuesday, June 3, 2014 1:55 PM
  • SCOM can do this thing. You need to create a Monitor with the WMI Event type.


    Juke Chou

    TechNet Community Support

    Tuesday, June 3, 2014 2:50 PM
  • I strongly concur with Sherry on this -- this is not a task suited for ConfigMgr.
    I also agree with Sherry and Jason but my question is what is your end goal, why do you need to gather results so frequently?

    http://www.enhansoft.com/

    Tuesday, June 3, 2014 5:18 PM
  • Garth:

    Strictly legal  - we need to determine if any user had a MASS USB device plugged in, with a time stamp of any sort.  This needs to be queried every 1 or 2 minutes.  We use a third party tool now that just flags the attribute as true if it is, based on a WMI query.

    I am just looking to leverage any native windows tools to achieve anything close to it.  Reporting, alert or anything with a little more functionality is just a bonus.

    My only concern with SCOM is the agent based subscription on all the workstations.

    Tuesday, June 3, 2014 6:25 PM
  • Ok but why every two minutes??? Doesn't adding a USB into a port add an entry into the event logs, therefore you can audit that?

    IMO you should look for a 3rd party tool for this and block all access to the USB ports except if the device/user is on an exception list.


    http://www.enhansoft.com/

    Tuesday, June 3, 2014 6:42 PM
  • Hi Garth:

    The powers that be feel that if someone plugs in a Mass USB device to pull data from the local computer and quickly disconnects it - we want to trace/record that.  2 minutes being applicable - trust me - not my choice - but it is what it is.

    Honestly yes - the event logs are currently what my WMI query is for and I have compiled other WMI queries as well.  Just curious if I could use SCCM or SCOM (agentless) to query and generate some type of reporting (my original post) via auditing the event log.  I will look into a 3rd party tool if I have to - just was not sure if there was something native that I could leverage that I could not find at all.

    Thanks everyone for your responses thus far - I know its a little broad - so I appreciate it thus far.

    Tuesday, June 3, 2014 7:51 PM
  • Thanks Garth:

    Sounds like you have personal experience with a similar matter..LOL!

    Everyone thank you for your responses...

    Thursday, June 5, 2014 2:27 AM
  • Thanks Garth:

    Sounds like you have personal experience with a similar matter..LOL!

    Yup, I used to work for the Government (now I consult for them). I know all about these types of requests.

    http://www.enhansoft.com/

    Thursday, June 5, 2014 1:39 PM