Audit Script-related activities in Configuration Manager

A few hours ago, I just posted my auditing POC solution for Configuration Manager, and that solution also integrates with Log Analytics and Azure Sentinel.

In Configuration Manager, we can add Scripts and, once a Script is approved, run it against a single device, multiple devices, or a specific Collection. These scripts run in real time: if the client is online, it runs the Script.

We also know that administrators copy and paste many scripts from the internet, and they may also enter different credentials there, etc. All the usual stuff and nothing special 😊

AZMEMCM allows you to capture all script executions, and we can capture the script content as well. Let me show you.

To add a Script in Configuration Manager, follow these steps:

  • Open Configuration Manager admin console
  • Browse Software Library -> Scripts
  • Choose Create Script

After that, approve the Script, and now we can execute the Script against our devices or Collections. Let’s run the Script against All Systems 😊

Right-click All Systems and select Run Script

Select the Script that we downloaded from the Internet

Click Next and Finish the wizard

Go back to Scripts and delete the Script

What can we see from the logs?

From the Log Analytics side, we should see the following events:

  • 52500 new script
  • 52501 script approved
  • 40805 script execution against the Collection

Screenshot from the Log Analytics portal.

One additional query also shows us the ScriptContent, which is the Base64-encoded value from Configuration Manager. We can copy the ScriptContent value into PowerShell and convert the encoded value back to the real Script.

In PowerShell, we can do it like this:

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("%ENCODEDVALUEHERE%"))
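
For reviewing many captured scripts, the decode step can be wrapped in a function and the result scanned for credential-like lines, which is the risk mentioned earlier in this post. This is an added example, not part of the original post or the AZMEMCM project: the function names, the patterns and the sample script are constructed, and the byte-order-mark handling (UTF-16LE as well as UTF-8) goes beyond the one-liner above on the assumption that an encoded value may carry a BOM.

```powershell
# Added example; Convert-ScriptContent and Find-CredentialHint are hypothetical helper names.
function Convert-ScriptContent {
    param([Parameter(Mandatory)][string]$EncodedValue)
    $bytes = [System.Convert]::FromBase64String($EncodedValue)
    # Choose the decoder from the byte-order mark, if one is present.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        return [System.Text.Encoding]::Unicode.GetString($bytes, 2, $bytes.Length - 2)
    }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return [System.Text.Encoding]::UTF8.GetString($bytes, 3, $bytes.Length - 3)
    }
    # No BOM: fall back to UTF-8, as in the one-liner above.
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

function Find-CredentialHint {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Constructed, non-exhaustive patterns for review triage (-match is case-insensitive).
    $patterns = @(
        'ConvertTo-SecureString\s+.*-AsPlainText',
        '\b(password|passwd|pwd|secret|apikey)\b\s*=',
        'PSCredential'
    )
    $lineNo = 0
    foreach ($line in ($ScriptText -split '\r?\n')) {
        $lineNo++
        foreach ($p in $patterns) {
            if ($line -match $p) {
                [pscustomobject]@{ Line = $lineNo; Pattern = $p; Text = $line.Trim() }
                break   # one finding per line is enough for triage
            }
        }
    }
}

# Constructed sample standing in for a ScriptContent value copied from Log Analytics.
$sample = @'
$password = "P@ssw0rd-constructed-sample"
$secure = ConvertTo-SecureString $password -AsPlainText -Force
Get-Service -Name BITS
'@
$bom     = [System.Text.Encoding]::Unicode.GetPreamble()
$body    = [System.Text.Encoding]::Unicode.GetBytes($sample)
$encoded = [System.Convert]::ToBase64String([byte[]]($bom + $body))

$decoded = Convert-ScriptContent -EncodedValue $encoded
Find-CredentialHint -ScriptText $decoded | Format-Table -AutoSize
```

To check a real event, pass the copied ScriptContent value to Convert-ScriptContent instead of $encoded.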

Please remember that this is a POC solution – https://github.com/Kaidja/AZMEMCM

Have fun!