Newbie question/s about Q/A and some additional I

Hi all,

So my final goal is to push a firmware update based on the system model, as well as implementing a Fixlet that I downloaded to patch the AMT/vPro situation. Please keep in mind that, per Intel's recommendation, it is better to wait for the OEM to patch the firmware and then apply the patch. (Lucky for us we haven’t enabled AMT just yet, so no time constraint.)

So, if I use the qna I can do

q: vendor names of processors
A: GenuineIntel
A: GenuineIntel
A: GenuineIntel
A: GenuineIntel
T: 0.033 ms

But how do I get this QnA, and how is it translated, or where are the instructions that make the QnA useful so it can be translated into relevance?
Because my confusion is, if QnA is one way and relevance is:

if (exists wmi) then ((string value of selects "Model from Win32_ComputerSystem" of wmi) as trimmed string as lowercase = "20fxs0fg00") else (false)
where 20fxs0fg00 = to a T460p from Lenovo

How am I supposed to know the translation here? Or can both codes be inputted and then one is more effective than the other?
Should I use actions over relevance for evaluation? What is the best practice? Very confused.
Well… I guess if I use Relevance in the fixlet it will show relevant computers over having to execute the script and then returning not relevant?

Also, is it better to create individual Fixlets/Tasks for each model, or can I cram them all into one and have it go through the script?


Also, the fixlet I’m talking about is https://bigfix.me/fixlet/details/24272 <— also where is this information dropped? Is this a WebReports only info? anybody at least this one then lol
Not sure if I’m making this more complicated than it needs to be.

Not sure why Model from Win32_ComputerSystem is giving such an odd value. On my workstation, it gives

q: string value of selects "Model from Win32_ComputerSystem" of wmi
A: HP Z420 Workstation

Generally, you’d want to order your relevance clauses such that the earlier clauses either evaluate faster, or exclude more systems (so most systems don’t have to spend time evaluating the later clauses). For the Intel AMT vulnerability, you’d use the first clause to filter to only Intel processors

exists vendor names whose (it = "GenuineIntel") of processors

For the second clause, your WMI query targets only Lenovo T460p, and already returns a true/false, so you can use that in your fixlet relevance as well.

In the fixlet you reference, what they are doing is downloading and executing an Intel utility to scan for the vulnerability on the system, presumably leaving a file or registry entry that can be queried later in another fixlet/task. This is something you need to do on occasions where there are no built-in inspectors to find the information you want. In these cases you may need to run a utility to generate the data that you want to query later.

For the Intel AMT, I’d recommend you use the C3 offerings on BigFix.me from @strawgate. This includes the following series of tasks -

https://bigfix.me/fixlet/details/24410 Invoke - Intel SA 00075 Probe - Windows

  • This downloads the Intel utility to probe for the AMT status, and writes the results to the Registry.

https://bigfix.me/fixlet/details/24276 Invoke - Intel SA 00075 Unprovision Active Management Technology - Windows

  • This unprovisions the AMT capability. Requires the prior Probe to be run to detect that AMT is present and vulnerable.

https://bigfix.me/fixlet/details/24275 Invoke - Intel SA 00075 Remove Local Management Service - Windows

  • This removes the Local Management Service (the prior Probe must first be run to detect whether AMT is present and not provisioned)

Given these three fixlets, I don’t think you need to do any hardware model filtering. These aren’t flashing the BIOS to corrected versions of AMT, they are removing the AMT capability.

If you are actively using AMT, then you’ll need to take separate actions for each hardware model to flash the BIOS levels up to safe versions. For that I’d recommend separate fixlets for each hardware model, and you may need to do a similar “Action to probe the system and generate the data used to check Relevance on the correction fixlets”, since you may need to use a utility from each vendor to detect the BIOS configurations and versions.

1 Like
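
The clause ordering described in the reply above, written as the Relevance elements of a Fixlet's .bes export. This is an added example, not part of the original thread or of the BigFix.me fixlets; the first clause (`windows of operating system`) is an assumption added here, and the model string is the one from the question.

```xml
<!-- Fragment only: the Relevance elements of one Fixlet, not a complete .bes file. -->
<!-- A computer is relevant only when every clause is true. The clauses are -->
<!-- ordered as the reply suggests: fastest and most excluding first. -->

<!-- 1. Assumption added for this example: restrict to Windows before any -->
<!--    WMI query is attempted. -->
<Relevance>windows of operating system</Relevance>

<!-- 2. From the reply: built-in processor inspector, no WMI involved. -->
<!--    Excludes every non-Intel machine. -->
<Relevance>exists vendor names whose (it = "GenuineIntel") of processors</Relevance>

<!-- 3. From the question: WMI model check, placed last as the most -->
<!--    specific clause. Already returns true/false; the "exists wmi" -->
<!--    guard keeps it from erroring where WMI is unavailable. -->
<Relevance>if (exists wmi) then ((string value of selects "Model from Win32_ComputerSystem" of wmi) as trimmed string as lowercase = "20fxs0fg00") else (false)</Relevance>
```

Each clause can be pasted on its own after `q:` in the QnA tool on a test machine to see which one returns False.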

Hey Jason, thank you for your response. In the past you have always given me good responses.
So I’m currently putting only 1 line in relevance

if (exists wmi) then ((string value of selects "Model from Win32_ComputerSystem" of wmi) as trimmed string as lowercase = "20fxs0fg00") else (false)

and it shows me that no systems are relevant. The odd part is that I know there are multiple systems with that model number