Backup Registry

We have a fixlet to harden TLS by updating a registry key. I want to add relevance to back up this key in case we need to revert: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002”.

How do I use BigFix to back up the registry key without PowerShell? Below is our working fixlet.

// Defined Parameters
parameter "CipherList"="HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"

// Update Cipher List with Preferred Order
if {((not exists value "Functions" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" of native registry != "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256"))}
	regset "[{parameter "CipherList"}]" "Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256"
endif

action requires restart "51db73c294b4949ca541a4849d5e77ca0664c0d9"

Try something like this:

I like to create a folder underneath the client folder to store them.

//Back up existing REG key hive
if {NOT exists folder "C:\Program Files (x86)\BigFix Enterprise\BES Client\Reg_Backup"}
waithidden cmd.exe /C mkdir "C:\Program Files (x86)\BigFix Enterprise\BES Client\Reg_Backup"
endif

This would export:

waithidden cmd.exe /C REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" "C:\Program Files (x86)\BigFix Enterprise\BES Client\Reg_Backup\00010002.reg" /Y /reg:64

2 Likes
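Before the regset overwrites the value, it is worth confirming that the export above actually captured it and reviewing what the new list drops. The following is an added Python example, not from the thread or from BigFix; SAMPLE_REG and DESIRED are constructed stand-ins, and on a real host the bytes would come from the 00010002.reg file in the Reg_Backup folder.

```python
"""Parse a REG EXPORT backup of the SSL cipher-suite order key and diff it
against the list a hardening action is about to write (constructed sample)."""
import re
from typing import Dict, List

SSL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg_export(data: bytes) -> Dict[str, Dict[str, str]]:
    """{key_path: {value_name: value}}; REG EXPORT writes UTF-16 with a BOM."""
    text = data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    text = re.sub(r"\\\r?\n\s*", "", text)      # rejoin wrapped hex(...) lines
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_LINE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = m.group(1) if m.group(1) is not None else "@"
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):       # REG_SZ string
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])        # undo \\ and \" escapes
            keys[current][name] = raw                           # other types kept raw
    return keys

def cipher_delta(current: str, desired: str) -> Dict[str, List[str]]:
    """What the regset would remove, add and keep, for review against the backup."""
    cur = [c for c in current.split(",") if c]
    new = [c for c in desired.split(",") if c]
    return {"removed": [c for c in cur if c not in new],
            "added": [c for c in new if c not in cur],
            "kept": [c for c in cur if c in new]}

# Constructed export: what 00010002.reg might hold before hardening.
SAMPLE_REG = ("Windows Registry Editor Version 5.00\r\n\r\n" f"[{SSL_KEY}]\r\n"
              '"Functions"="TLS_RSA_WITH_3DES_EDE_CBC_SHA,'
              'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_RSA_WITH_RC4_128_SHA"\r\n'
              ).encode("utf-16")                # the utf-16 codec emits the BOM
# Constructed two-suite excerpt standing in for the fixlet's full list.
DESIRED = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,"
           "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384")

def review_backup(data: bytes = SAMPLE_REG, desired: str = DESIRED) -> Dict[str, List[str]]:
    # Refuse to proceed unless the export captured the value being replaced.
    functions = parse_reg_export(data).get(SSL_KEY, {}).get("Functions")
    if functions is None:
        raise ValueError("backup lacks the Functions value; do not run the regset")
    return cipher_delta(functions, desired)
```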

This is for 2008, 2008 R2, 2012, and 2012 R2. Do I need to use two commands to cover both the 32 and 64 bit registry, or just use native? Would it be “/reg:native”?

I believe since it is in Policies, it gets duplicated in both paths.

I do not have any 32 bit so I am not able to test, but if you need 32 and 64 bit, then yes, you would need one for each.

I was able to get this to work but after creating the folder I had to change “continue if” and the condition to just “end if”.

In other fixlets continue if works but not this one. Any idea why?

if {not exists folder “C:@oneneck\temp”}
folder create "c:@oneneck\temp"
continue if {exists folder “C:@oneneck\temp”}

Missing backslash between C: and @oneneck?

That’s just a formatting deal with this forum. I put it in with the \

if {not exists folder "C:\@oneneck\temp"}
folder create "c:\@oneneck\temp"
continue if {exists folder "C:\@oneneck\temp"}
1 Like

Ok, so I understand, is it working now? I’m not sure whether you’re still having a problem…

The only difference between this fixlet and the one I took that code from is that I did it twice. So in the other fixlet it was just:

if {not exists folder "C:\@oneneck"}
folder create "c:\@oneneck"
continue if {exists folder "C:\@oneneck"}

But in this one I needed to create a subfolder, so I did:

if {not exists folder "C:\@oneneck"}
folder create "c:\@oneneck"
continue if {exists folder "C:\@oneneck"}

if {not exists folder "C:\@oneneck\temp"}
folder create "c:\@oneneck\temp"
continue if {exists folder "C:\@oneneck\temp"}

I hated that. It would work if @oneneck already existed and it just needed to create temp, but it would fail the entire action if it had to create both @oneneck and temp. I just changed it to endif and it works. I’m not understanding why.

To be clear, the if {} statement requires an endif, somewhere, to end the conditional execution. You should be able to embed a continue if {} inside the conditional statements, or have another continue if {} after, but there needs to be an endif somewhere to close out the if {}.

1 Like
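The missing endif is easy to spot mechanically. The following is an added Python example, not a BigFix tool or anything from the thread: a small structure checker run over the script as posted (backslashes restored) and over a version with each block closed, arranged as the last reply describes.

```python
"""Check that every `if {...}` in a BigFix action script has its `endif`, the
defect diagnosed in the thread above.  Added example, not a BigFix tool; the
sample scripts are the ones posted in the thread, backslashes restored."""
import re
from typing import List

IF_OPEN = re.compile(r"^\s*if\s*\{", re.IGNORECASE)  # does not match `continue if {`
ELSE_BRANCH = re.compile(r"^\s*(elseif\s*\{|else\s*$)", re.IGNORECASE)
ENDIF = re.compile(r"^\s*endif\s*$", re.IGNORECASE)

def lint_action_script(script: str) -> List[str]:
    """Return the structural problems found (empty list means balanced).
    A stack of open `if` line numbers catches unclosed ifs and stray endifs;
    `continue if {...}` is an ordinary command and never opens a block."""
    problems: List[str] = []
    open_ifs: List[int] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if IF_OPEN.match(line):
            open_ifs.append(lineno)
        elif ELSE_BRANCH.match(line) and not open_ifs:
            problems.append(f"line {lineno}: else/elseif without a matching 'if'")
        elif ENDIF.match(line):
            if open_ifs:
                open_ifs.pop()
            else:
                problems.append(f"line {lineno}: 'endif' without a matching 'if'")
    for lineno in open_ifs:
        problems.append(f"line {lineno}: 'if' is never closed by 'endif'")
    return problems

# As posted: two `if` blocks, neither closed, so the action fails.
POSTED = """if {not exists folder "C:\\@oneneck"}
folder create "c:\\@oneneck"
continue if {exists folder "C:\\@oneneck"}
if {not exists folder "C:\\@oneneck\\temp"}
folder create "c:\\@oneneck\\temp"
continue if {exists folder "C:\\@oneneck\\temp"}
"""
# Each `if` closed; `continue if` after the block still aborts if the folder is missing.
FIXED = """if {not exists folder "C:\\@oneneck"}
folder create "c:\\@oneneck"
endif
continue if {exists folder "C:\\@oneneck"}
if {not exists folder "C:\\@oneneck\\temp"}
folder create "c:\\@oneneck\\temp"
endif
continue if {exists folder "C:\\@oneneck\\temp"}
"""
```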