What worklets would you like us to write next?

We’re continuing to crank out more worklets for you to download and use:
https://community.automox.com/c/worklets

and we’re looking for some input from the community as to what we should work on next. What tasks would you love to automate but haven’t had the time to script? Tell us what you’d like and we can help by putting together a worklet for you.

Hello,
Having some templates available for various purposes would be super handy, such as installation of .exe, .msi, etc.; one for uninstalling applications; changing the local admin password on all PCs; checking all laptops to ensure BitLocker is enabled and sending a report; deploying registry settings. I don’t know if this is possible (dreaming big), but a worklet that you could run that would generate a detailed report for every OU in your AD. Then it could tie each user to each group that they are a member of and how those permissions are applied.

A script that could clean all of your PCs’ junk files off; here is one that is for a command prompt that could easily be modified for PS:

del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
rd /s /q %windir%\temp & md %windir%\temp
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
del /f /s /q "%userprofile%\Local Settings\Temp\*.*"

del /f /s /q "%userprofile%\recent\*.*"

1 Like

I noticed you created Worklets for installing Carbon Black and CrowdStrike on Mac OS. Could we get similar Worklets for Windows?

2 Likes

Thanks for the suggestions @Chris and @mfrick

To answer your question @Chris, we are working on adding worklets for Windows for installing Carbon Black and CrowdStrike. I’ll ping you once they are ready.

@mfrick - I think we have some of what you’re asking for already covered. I’ll go through your list more thoroughly and post links to the ones we already have, and then we’ll start working on anything that isn’t covered, from your list.

1 Like

I had some time this afternoon to go through your list and match up ones that might already be a fit for what you are asking:

  1. Windows installation template - you could copy one of the Pre-Packaged Worklets that show up in the sidebar when you create a new worklet and swap out the URL for the downloads and the registry keys to check if the app is installed:

  2. Uninstalling applications: This worklet is a generic uninstaller that you can customize by changing the $appName variable to match the app you’re wanting to remove:
    Worklet: Enforced Application Uninstall

  3. Changing the local admin password on all PCs: I’d hesitate to change the password from within the worklet itself, since that would require putting the new password in plain text in the worklet. A better approach might be this worklet which forces a new password at next login:
    Worklet: Force password reset Windows
    Currently the worklet does all of the local users, but you could add a filter to just flag the Administrator account to be changed at next login (assuming you haven’t renamed Administrator to something else).

  4. Bitlocker - we got you covered!
    Worklet: Enforce BitLocker Encryption

  5. Registry settings - I used this one as a template to make other worklets that check for a registry key and change it if necessary:
    Worklet: How to Disable Remote Desktop Protocol Connection

  6. The OU and AD reporting stuff is probably better done through AD itself, rather than trying to use Automox to grab that info. If someone has a good approach for this one please let me know!

  7. Cleanup script: I did one that uses cleanmgr.exe to accomplish something similar to your list of locations:
    Worklet: Windows Cleanup Tool

Let me know if the worklets listed here help get you where you need!
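
An added example (not the code of the linked worklet) of the filter described in item 3: it finds the built-in Administrator by its well-known RID 500, so it still matches if the account has been renamed, and flags only that account to change its password at next logon. The function names are hypothetical; it assumes Windows PowerShell 5.1 or later and an elevated context.

```powershell
# Added example: flag only the built-in Administrator for a password change
# at next logon. No password is stored in the script.
# Assumes the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+)
# and an elevated context such as the one an endpoint agent runs in.

function Get-BuiltinAdministrator {
    # The built-in Administrator always has a SID ending in -500,
    # whatever the account is currently named.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
}

function Set-ChangePasswordAtNextLogon {
    param([Parameter(Mandatory)] $User)

    # "Password never expires" overrides an expired password, so clear it first.
    Set-LocalUser -InputObject $User -PasswordNeverExpires $false

    # Mark the current password as expired through the WinNT ADSI provider.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($User.Name),user"
    $adsi.PasswordExpired = 1
    $adsi.SetInfo()
}

$admin = Get-BuiltinAdministrator
if (-not $admin) {
    Write-Output 'No local account with RID 500 found.'
    exit 1
}
if (-not $admin.Enabled) {
    # A disabled built-in Administrator cannot log on, so leave it alone.
    Write-Output "Built-in Administrator ($($admin.Name)) is disabled; nothing to do."
    exit 0
}

Set-ChangePasswordAtNextLogon -User $admin
Write-Output "Flagged $($admin.Name) to change password at next logon."
exit 0
```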

The Evaluation code for the Uninstall worklet can be reused for an installation template. They do the same thing but with reversed Exit Codes.

2 Likes
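
An added sketch of that idea, not the Uninstall worklet's actual code: one detection routine, with the exit code flipped depending on whether the worklet installs or removes the app. It assumes the convention that evaluation exit code 0 means compliant and non-zero triggers remediation; the function names are hypothetical, and the sample `$appName` is the package name used later in this thread, assumed to match the registry DisplayName.

```powershell
# Added example: shared evaluation logic for install and uninstall worklets.
# Assumption: exit 0 = compliant, non-zero = run the remediation code.

$appName = 'CrowdStrike Windows Sensor'   # sample value; DisplayName to match
$mode    = 'Install'                      # 'Install' or 'Uninstall'

function Test-AppInstalled {
    param([Parameter(Mandatory)][string] $Name)

    # Look in both the 64-bit and 32-bit uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $hits = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" }
    return [bool]$hits
}

function Get-EvaluationExitCode {
    param(
        [bool] $Installed,
        [ValidateSet('Install', 'Uninstall')][string] $Mode
    )

    # Same detection, opposite meaning:
    #   Install   -> compliant when the app is present
    #   Uninstall -> compliant when the app is absent
    if ($Mode -eq 'Install') {
        if ($Installed) { return 0 } else { return 1 }
    }
    if ($Installed) { return 1 } else { return 0 }
}

$installed = Test-AppInstalled -Name $appName
Write-Output "$appName installed: $installed (mode: $mode)"
exit (Get-EvaluationExitCode -Installed $installed -Mode $mode)
```

Because the match is on DisplayName only, the result does not change when the installed version number changes.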

Hello Nic,

I was wondering if there was any update on creating a worklet to deploy CrowdStrike for Windows?

Thank you

Thanks for the reminder @K4F3R - that had fallen down my to-do list. Looking at the install process, it looks like you should be able to use a required software policy and this as the install command:

.\WindowsSensor.exe /install /quiet /norestart CID=<checksummed customer ID>

I’m going to test it out to make sure that works and I’ll report back later today hopefully.

Ok I confirmed that a required software policy will work with the above syntax. Here’s what you need to do:

  1. Create a new Required Software Policy for Windows
  2. For the Package Name, use CrowdStrike Windows Sensor and for the Version I used 5.23.10504.0
  3. Upload the WindowsSensor.exe as the Installation File (you download that from your CrowdStrike console)
  4. For the installation command use:
    .\WindowsSensor.exe /install /quiet /norestart CID=<checksummed customer ID>

    and put in your CID that you would also get from your CrowdStrike console.

Note that this only works for an initial deployment, and it’s assuming you don’t have a previous version of the CrowdStrike agent installed. Once you’ve deployed the agent then it will auto-update on its own. You can then disable the policy after the deployment is complete, or only apply it to new devices that you add to your network, as you don’t need it trying to reinstall over the top if the version number changes after the agent auto-updates.

Let me know if that does the trick!

Do you think it would require an extra switch if it is being installed over the top of Sophos?

The audit log says successful install however it doesn’t show up in programs. Perhaps I should reboot?

From this article it looks like installing over the top of other AV can cause problems. They recommend installing in “detection only mode” if you have an existing AV installed, then removing the other AV, then changing the policy on those agents out of detection only mode.

There is another flag that I found called ProvNoWait that you can add to the installer with a value of 1: ProvNoWait=1. It overrides the post-install provisioning step that requires successful connection to the console within 10 minutes or the CrowdStrike agent uninstalls itself. Found in this discussion:


If Sophos is preventing the agent from provisioning then that might explain why it’s not showing up in your add/remove programs.

Final option is to remove Sophos first and then deploy Crowdstrike, if that’s an option for you.

I uninstalled Sophos, and rebooted then tried the deployment again and it still did not install.

I added ProvNoWait=1 to the script and it deployed successfully.

Thanks Nic!

Glad that did the trick! Is the test machine showing up properly in the CrowdStrike console? Since it required the ProvNoWait flag, I wanted to make sure that the agent actually is able to get to the console ok. If it’s not showing up, you might need to whitelist some stuff on your firewall:
https://www.dell.com/support/article/us/en/04/sln316214/crowdstrike-falcon-sensor-system-requirements?lang=en

It is showing up in the console in the correct OU.

1 Like

Perfect!