Great Worklet, Jack! We can’t keep up with you 😉
@jack.smith this is very helpful as we are testing Umbrella! Would I take away the Umbrella portion if we were only wanting to deploy the secure VPN?
@ajamaya I’d confirm with documentation or support, but that would be my initial reaction as well.
I can't get your script to work on Automox :(
Oh no. I’ve updated since this was first published. Perhaps this newer version could work.
Payloads
- OrgInfo.json
- cisco-secure-client-win-current-version-predeploy-k9.zip
- Cisco_Umbrella_Root_CA.cer
Then update the $ver variable with whatever current version you have uploaded for the payload above.
#region Prepare installation folder
$ver = '5.1.2.42'
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
Copy-Item .\cisco-secure-client-win-$ver-predeploy-k9.zip C:\windows\temp\ -Verbose
Expand-Archive "$path.zip" -DestinationPath $path
IF((Test-Path $path) -eq $false){
Write-output "Failed to expand $path.zip to $($path)"
Exit 0
}
#endregion
#region Setup Root Certificate used to inspect HTTPS traffic
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match "CN=Cisco Umbrella Root CA"
IF(!$cert)
{
# Missing Root Certificate. Installing
Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
$cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
$cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}
#endregion
#region Remove Cisco Umbrella (Legacy Client)
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
# Removing Umbrella Roaming Client
Write-Output "Removing Umbrella Roaming Client"
Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait
# Validate Removal
Start-Sleep -Seconds 15
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
Write-Output "Failed to remove Umbrella Roaming Client"
}
}
elseif(!$service)
{
Write-Output "Umbrella Roaming Client already removed."
}
#endregion
#region Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client VPN Module."
$dVPN = (Get-ChildItem "$path\cisco*core-vpn-predeploy-k9.msi").FullName
Write-Output "MSI Path: $dVPN"
IF(!$dVPN -or (Test-Path $dVPN) -eq $false){
Write-Output "Failed to detect core-vpn-predeploy-k9.msi"
exit 0
}
Start-Process MsiExec -ArgumentList "/I $dVPN /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\cisco-core-vpn-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\cisco-core-vpn-predeploy-k9.log"
$log = Get-Content 'C:\windows\temp\cisco-core-vpn-predeploy-k9.log' -Tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client VPN Module already installed."
}
#endregion
# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Stopped")
{
Write-Output "Installing Cisco Diagnostics and Reporting Tool"
$dSWG = (Get-ChildItem "$path\cisco*dart-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dSWG"
IF(!$dSWG -or (Test-Path $dSWG) -eq $false){
Write-Output "Failed to detect dart-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dSWG /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-dart-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\cisco-dart-predeploy-k9.log"
$log = Get-Content 'C:\windows\temp\cisco-dart-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}
# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
$dUMB = (Get-ChildItem "$path\cisco*umbrella-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dUMB"
IF(!$dUMB -or (Test-Path $dUMB) -eq $false){
Write-Output "Failed to detect umbrella-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dUMB /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-umbrella-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\cisco-umbrella-predeploy-k9.log"
$log = Get-Content 'C:\windows\temp\cisco-umbrella-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}
# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
Copy-Item OrgInfo.json 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\' -Verbose
}
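#Clean Up
# $zip must be defined first: with an empty $zip the first Remove-Item would target C:\windows\temp\ itself
$zip = "cisco-secure-client-win-$ver-predeploy-k9"
Remove-Item C:\windows\temp\$zip -Recurse -Force
Remove-Item C:\windows\temp\$zip.zip -Force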
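Added example (not part of the original post or of Automox's own worklets): the script above imports a root CA from the payload and runs MSIs expanded under C:\Windows\Temp without checking either one. This sketch pins the certificate by thumbprint, checks the MSI's Authenticode signature, and fails on a bad msiexec exit code; `$ExpectedThumbprint` is a placeholder, the `O=Cisco` signer match is an assumption, and both function names are hypothetical.

```powershell
# Added example; placeholder and assumed values are marked.
$ver  = '5.1.2.42'    # version used in the post above
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
$ExpectedThumbprint = '<THUMBPRINT-OF-YOUR-UMBRELLA-ROOT-CA>'   # placeholder: take it from your own Umbrella dashboard
$ExpectedSigner     = 'O=Cisco'                                 # assumption: match on the signer's organization

function Test-RootCertPayload {
    param([string]$CerPath, [string]$Thumbprint)
    # Resolve first: .NET resolves relative paths against the process directory, not the PowerShell location
    $full = (Resolve-Path -LiteralPath $CerPath).Path
    $c    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    $now  = Get-Date
    # Accept only the exact pinned certificate, and only inside its validity window
    return ($c.Thumbprint -eq ($Thumbprint -replace '\s', '').ToUpper()) -and
           ($c.NotBefore -le $now) -and ($c.NotAfter -gt $now)
}

function Install-VerifiedMsi {
    param([string]$Folder, [string]$Filter, [string]$Signer, [string]$MsiArgs, [string]$Log)
    # Recurse in case the archive expanded into a nested folder
    $msi = Get-ChildItem -Path $Folder -Recurse -Filter $Filter -File | Select-Object -First 1
    if (-not $msi) { throw "No file matching $Filter under $Folder" }

    # Refuse anything unsigned, tampered with, or signed by an unexpected publisher
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch $Signer) {
        throw "Signature check failed for $($msi.Name): $($sig.Status)"
    }

    $p = Start-Process msiexec.exe -Wait -PassThru `
            -ArgumentList "/i `"$($msi.FullName)`" $MsiArgs /lvx* `"$Log`""
    # 0 = success; 3010 and 1641 = success with a reboot required or initiated
    if ($p.ExitCode -notin 0, 3010, 1641) {
        throw "msiexec exit code $($p.ExitCode); review $Log"
    }
}

try {
    if (-not (Test-RootCertPayload -CerPath '.\Cisco_Umbrella_Root_CA.cer' -Thumbprint $ExpectedThumbprint)) {
        throw 'Cisco_Umbrella_Root_CA.cer does not match the pinned thumbprint; not importing.'
    }
    Import-Certificate -FilePath '.\Cisco_Umbrella_Root_CA.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    Install-VerifiedMsi -Folder $path -Filter 'cisco*core-vpn-predeploy-k9.msi' -Signer $ExpectedSigner `
        -MsiArgs '/norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1' `
        -Log 'C:\Windows\Temp\cisco-core-vpn-predeploy-k9.log'
}
catch {
    Write-Output $_.Exception.Message
    exit 1   # non-zero so the failure is visible in the activity log
}
```

The same `Install-VerifiedMsi` call can be repeated for the DART and Umbrella MSIs by changing the filter, arguments and log path.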
oh thank you, let me give this a try
On my first test run with the second script I did get this,
VERBOSE: Performing the operation "Copy File" on target "Item: C:\Program Files
(x86)\Automox\execDir404182935\cisco-secure-client-win-5.0.05040-predeploy-k9.zip Destination:
C:\windows\temp\cisco-secure-client-win-5.0.05040-predeploy-k9.zip".
Installing Cisco_Umbrella_Root_CA certificate
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Umbrella Roaming Client already removed.
Installing Cisco Secure Client VPN Module.
MSI Path:
Failed to detect core-vpn-predeploy-k9.msi
File names were corrected but I never got it to produce anything on the activity log again..
This is the modified script that I'm using.
#region Prepare installation folder
$ver = '5.0.05040'
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
Copy-Item .\cisco-secure-client-win-$ver-predeploy-k9.zip C:\windows\temp\ -Verbose
Expand-Archive "$path.zip" -DestinationPath $path -Force
IF((Test-Path $path) -eq $false){
Write-output "Failed to expand $path.zip to $($path)"
Exit 0
}
#endregion
#region Setup Root Certificate used to inspect HTTPS traffic
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match "CN=Cisco Umbrella Root CA"
IF(!$cert)
{
# Missing Root Certificate. Installing
Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
$cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
$cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}
#endregion
#region Remove Cisco Umbrella (Legacy Client)
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
# Removing Umbrella Roaming Client
Write-Output "Removing Umbrella Roaming Client"
Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait
# Validate Removal
Start-Sleep -Seconds 15
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
Write-Output "Failed to remove Umbrella Roaming Client"
}
}
elseif(!$service)
{
Write-Output "Umbrella Roaming Client already removed."
}
#endregion
#region Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client VPN Module."
$dVPN = (Get-ChildItem "$path\core-vpn-predeploy-k9.msi").FullName
Write-Output "MSI Path: $dVPN"
IF(!$dVPN -or (Test-Path $dVPN) -eq $false){
Write-Output "Failed to detect core-vpn-predeploy-k9.msi"
exit 0
}
Start-Process MsiExec -ArgumentList "/I $dVPN /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\cisco-core-vpn-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\cisco-core-vpn-predeploy-k9.log"
# Read the same log file that msiexec was told to write above
$log = Get-Content 'C:\windows\temp\cisco-core-vpn-predeploy-k9.log' -Tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client VPN Module already installed."
}
#endregion
# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Stopped")
{
Write-Output "Installing Cisco Diagnostics and Reporting Tool"
$dSWG = (Get-ChildItem "$path\cisco*dart-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dSWG"
IF(!$dSWG -or (Test-Path $dSWG) -eq $false){
Write-Output "Failed to detect dart-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dSWG /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-dart-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\cisco-dart-predeploy-k9.log"
$log = Get-Content 'C:\windows\temp\cisco-dart-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}
# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
$dUMB = (Get-ChildItem "$path\umbrella-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dUMB"
IF(!$dUMB -or (Test-Path $dUMB) -eq $false){
Write-Output "Failed to detect umbrella-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dUMB /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-umbrella-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\cisco-umbrella-predeploy-k9.log"
# Read the same log file that msiexec was told to write above
$log = Get-Content 'C:\windows\temp\cisco-umbrella-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}
# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
Copy-Item OrgInfo.json 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\' -Verbose
}
#Clean Up
$zip = "cisco-secure-client-win-$ver-predeploy-k9"
Remove-Item C:\windows\temp\$zip -Recurse -Force
Remove-Item C:\windows\temp\$zip.zip -Force
Still no luck. I can run a modified version of your script locally by cd'ing to the location of the zip first, and it would complete all the way. But the moment I run it on Automox I get the event type “Error” with no log summary. Only once did I see a flash of hope; after correcting the failure, it went back to errors and no logs :(
VERBOSE: Performing the operation "Copy File" on target "Item: C:\Program Files
(x86)\Automox\execDir404182935\cisco-secure-client-win-5.0.05040-predeploy-k9.zip Destination:
C:\windows\temp\cisco-secure-client-win-5.0.05040-predeploy-k9.zip".
Installing Cisco_Umbrella_Root_CA certificate
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
************** CN=Cisco Umbrella Root CA, O=Cisco
Umbrella Roaming Client already removed.
Installing Cisco Secure Client VPN Module.
MSI Path:
Failed to detect core-vpn-predeploy-k9.msi
This is my script,
Evaluation:
# Predefined Variables
$AppName = "Cisco Secure Client - Umbrella"
# Check 64bit hive on x64 devices
if([System.Environment]::Is64BitOperatingSystem)
{
$hklm64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,[Microsoft.Win32.RegistryView]::Registry64)
$skey64 = $hklm64.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Uninstall")
$unkeys64 = $skey64.GetSubKeyNames()
foreach($key in $unkeys64)
{
if($skey64.OpenSubKey($key).getvalue('DisplayName') -like "*$AppName*")
{
$installed += 1
}
}
}
# Check 32bit hive on 32/64 bit devices
$skey32 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach($key in Get-ChildItem $skey32 -ErrorAction SilentlyContinue | Get-ItemProperty | Where-Object {($_.DisplayName -like "*$AppName*")})
{
$installed += 1
}
# Check Presence
if(!($installed))
{
Write-Output "Software not installed - Flagging for installation"
Exit 1
}
Write-Output "Software is already installed"
Exit 0
Remediation
#region Prepare installation folder
$ver = '5.0.05040'
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
Copy-Item .\cisco-secure-client-win-$ver-predeploy-k9.zip C:\windows\temp\ -Verbose
Expand-Archive "$path.zip" -DestinationPath $path -Force
IF((Test-Path $path) -eq $false){
Write-output "Failed to expand $path.zip to $($path)"
Exit 0
}
#endregion
#region Setup Root Certificate used to inspect HTTPS traffic
$cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match "CN=Cisco Umbrella Root CA"
IF(!$cert)
{
# Missing Root Certificate. Installing
Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
$cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
$cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}
#endregion
#region Remove Cisco Umbrella (Legacy Client)
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
# Removing Umbrella Roaming Client
Write-Output "Removing Umbrella Roaming Client"
Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait
# Validate Removal
Start-Sleep -Seconds 15
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
Write-Output "Failed to remove Umbrella Roaming Client"
}
}
elseif(!$service)
{
Write-Output "Umbrella Roaming Client already removed."
}
#endregion
#region Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client VPN Module."
$dVPN = (Get-ChildItem "$path\core-vpn-predeploy-k9.msi").FullName
Write-Output "MSI Path: $dVPN"
IF(!$dVPN -or (Test-Path $dVPN) -eq $false){
Write-Output "Failed to detect core-vpn-predeploy-k9.msi"
exit 0
}
Start-Process MsiExec -ArgumentList "/I $dVPN /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\cisco-core-vpn-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\cisco-core-vpn-predeploy-k9.log"
# Read the same log file that msiexec was told to write above
$log = Get-Content 'C:\windows\temp\cisco-core-vpn-predeploy-k9.log' -Tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client VPN Module already installed."
}
#endregion
# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Stopped")
{
Write-Output "Installing Cisco Diagnostics and Reporting Tool"
$dSWG = (Get-ChildItem "$path\cisco*dart-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dSWG"
IF(!$dSWG -or (Test-Path $dSWG) -eq $false){
Write-Output "Failed to detect dart-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dSWG /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-dart-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\cisco-dart-predeploy-k9.log"
$log = Get-Content 'C:\windows\temp\cisco-dart-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}
# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
$dUMB = (Get-ChildItem "$path\umbrella-predeploy-k9.msi").fullname
Write-Output "MSI Path: $dUMB"
IF(!$dUMB -or (Test-Path $dUMB) -eq $false){
Write-Output "Failed to detect umbrella-predeploy-k9.msi"
exit 0
}
Start-Process msiexec -ArgumentList "/I $dUMB /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-umbrella-predeploy-k9.log" -Wait
Start-Sleep -Seconds 30
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service)
{
Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\cisco-umbrella-predeploy-k9.log"
# Read the same log file that msiexec was told to write above
$log = Get-Content 'C:\windows\temp\cisco-umbrella-predeploy-k9.log' -tail 20
Write-Output $log
}
}
elseif($service)
{
Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}
# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
Copy-Item OrgInfo.json 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\' -Verbose
}
#Clean Up
$zip = "cisco-secure-client-win-$ver-predeploy-k9"
Remove-Item C:\windows\temp\$zip -Recurse -Force
Remove-Item C:\windows\temp\$zip.zip -Force
@jack.smith any chance you have a complete uninstall worklet for Cisco Umbrella?