Showing posts with label VMware. Show all posts

Tuesday, June 8, 2021

Using AirWatch to remotely run batch files for uninstalling applications

I don’t get to work with MDM or UEM applications much anymore due to my focus on Azure so I got pretty excited when an ex-colleague asked me if there was a way to use VMware AirWatch (also known as Workspace One) to remotely execute an uninstall command for an application because I had gone through the process before. After digging up some old notes to guide him through the setup, I thought I’d write this blog post in case anyone else happens to ask me in the future.

The official documentation for this feature, although a bit outdated, can be found here:

Using Product Provisioning to Deliver Files to Windows 10: Workspace ONE Operational Tutorial
https://techzone.vmware.com/using-product-provisioning-deliver-files-windows-10-workspace-one-operational-tutorial#_991596

For the purpose of this example, I will be using a batch file that manually (and forcefully) removes Cylance Protect from devices. Not long ago I ran into an issue where attempting to uninstall Cylance Protect from devices would display the following error:

Cylance PROTECT
You are attempting to run the 32-bit installer on a 64-bit version of Windows. Please run the 64-bit installer.

image

I couldn’t determine how to get around this as none of the methods such as editing registry keys and executing the following msiexec.exe would work:

msiexec /x {2E64FC5C-9286-4A31-916B-0D8AE4B22954} /quiet

Reaching out to BlackBerry support had a support engineer point me to:

Fix problems that block programs from being installed or removed

https://support.microsoft.com/en-us/mats/program_install_and_uninstall

The tool worked but it had to be run interactively and did not allow me to use it at scale.

A bit more research led me to the following script written by James Gallagher, which worked. Please note that this was originally provided by Cylance but later modified by Cyberforce, so use it at your own risk. It worked for me but may not for others.

Manual Removal Of CylancePROTECT
https://cyberforcesecurityhelp.freshdesk.com/support/solutions/articles/44002036687-manual-removal-of-cylanceprotect

In case the post ever gets deleted, I will paste the contents for the customized-CylanceCleanupTool.bat at the end of this post.

With the above scenario described, let’s begin creating the configuration in AirWatch Version: 20.11.0.5 (2011):

image

Create the Files/Actions

The first step is to create a Files/Actions component that will allow you to upload the batch file, define where to store it on the device, and define how to execute it.

Begin by navigating to Devices > Provisioning > Components > Files/Actions:

image

Click on the ADD FILES/ACTIONS:

image

Select Windows under Add Files/Actions:

image

Select Windows Desktop under Select Device Type:

image

Type in a name for the action and select the appropriate organization for Managed By:

image

Navigate to the Files tab, click on the ADD FILES tab, then Choose Files to select the batch file that will be uploaded and pushed to the clients:

image

image

Specify a download path where the batch file will be downloaded to on the client:

C:\Temp\AirWatch\

image

Save the configuration and the following line will be displayed in the Files tab:

image

Navigate to the Manifest tab and click on Install Manifest:

image

Select Run for Action(s) To Perform:

image

Select System for the Execution Context so the batch file runs with elevated permissions, then specify the full path to the batch file (the download location specified earlier, followed by the name of the batch file that was just uploaded):

C:\Temp\AirWatch\customized-CylanceCleanupTool.bat

image

The following configuration will be displayed under Install Manifest. We can specify a command to uninstall but there will not be one configured for this example:

image

Proceed to save the new Files/Actions:

image
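The Run action above executes as System from C:\Temp\AirWatch\, so any account that can write to that folder can change what runs with elevated permissions. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it lists write access held by anyone other than the built-in administrative principals and can reset the folder ACL. The function names are hypothetical, and it assumes the folder already exists on a pilot device.

```powershell
# Added example (not from the original post): audit the folder a System-context
# Run action executes from. Function names are hypothetical.
function Get-UntrustedWriteAce {
    param([string]$Path = 'C:\Temp\AirWatch')   # download path used in this post

    # SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller
    $trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Rights that allow planting or replacing files, plus GENERIC_WRITE and
    # GENERIC_ALL, which Get-Acl can report as raw bits on inherit-only entries.
    $write   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $generic = 0x50000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band ($write -bor $generic)) -eq 0) { continue }
        $name = $sid   # keep the raw SID if it cannot be resolved to an account name
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Identity  = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Protect-StagingFolder {
    param([string]$Path = 'C:\Temp\AirWatch')
    # Drop inherited entries; grant full control to SYSTEM and Administrators only.
    icacls $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'
}

$findings = Get-UntrustedWriteAce
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-administrative write access found; run Protect-StagingFolder before activating the product.'
}
```

Inherit-only entries are included on purpose: they do not apply to the folder itself but to the files created inside it, which is where the batch file lands.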

Create the Product to assign to devices

With the creation of the Files/Actions completed, the next step is to assign it to devices.

Navigate to Devices > Provisioning > Product List View and click on ADD PRODUCT:

image

Select Windows under Add Product:

image

Select Windows Desktop under Select Device Type:

image

Provide a name and description for the product, select the appropriate organization, and select the Smart Group this product should be applied to. For the purpose of this example, we will be assigning it to all devices.

image

Click on the Manifest tab and then the ADD button:

image

Select File/Action - Install for Action(s) To Perform and the previously created Files/Actions for the Files/Actions field:

image

The saved Manifest will be displayed as such:

image

You can further specify Conditions, Deployment and Dependencies options:

image

image

image

With the configuration completed, click either the Save button to simply save the Manifest, or Activate to save and immediately activate the configuration:

image

For the purpose of this example, I will click on Activate, which will display the list of devices it will be applied to:

image

The new product should now be displayed:

image

Wait a few seconds and refresh to update the In Progress, Compliant and Failed values:

image

Hope this helps anyone who might be looking for instructions on how to remotely run batch files with AirWatch.

customized-CylanceCleanupTool.bat

@ECHO OFF
title UNIFIED DRIVER CYLANCE CLEANUP TOOL
Echo UNIFIED DRIVER CYLANCE CLEANUP TOOL

:SwitchToWorkingDirectory
cd /d "%~dp0" 1>nul 2>&1

:AdminCheck
openfiles>nul 2>&1
IF %ERRORLEVEL% == 0 (
:AdminCheckPass
    GOTO ManualUninstall
) ELSE (
:AdminCheckFail
    Echo * Please re-run the Unified Driver Cylance Cleanup Tool as Administrator.
    Echo * Exiting...
    GOTO CyExit
)

:ManualUninstall
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Cylance /f
reg delete HKEY_CLASSES_ROOT\Installer\Products\C5CF46E2682913A419B6D0A84E2B9245 /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CylanceSvc /f
taskkill /im CylanceUI.exe
takeown /f "C:\Program Files\Cylance" /r /d y
icacls "C:\Program Files\Cylance" /reset /T
rd /s /q "C:\Program Files\Cylance"
takeown /f "C:\programdata\Cylance" /r /d y
rd /s /q C:\programdata\Cylance

:InstallCleanup
Echo * Installing the Unified Driver Cylance Cleanup Tool service...
CyCleanupSvc.exe "-install"
IF %ERRORLEVEL% == 0 (
    GOTO WaitCleanup
) ELSE (
    Echo * Failed to install the Unified Driver Cylance Cleanup Tool service.
    Echo * Please check the Logs directory.
    Echo * Exiting...
    GOTO CyExit
)

:WaitCleanup
Echo * Waiting for the Unified Driver Cylance Cleanup Tool service to cleanup...
ping -n 30 127.0.0.1 1>nul 2>&1
Echo * Unified Driver Cylance Cleanup Tool is finished.
Echo * Removing the Unified Driver Cylance Cleanup Tool service...
CyCleanupSvc.exe "-uninstall"
IF %ERRORLEVEL% == 0 (
    GOTO FinishCleanup
) ELSE (
    Echo * Failed to remove the Unified Driver Cylance Cleanup Tool service.
    Echo * Please check the Logs directory.
    Echo * Exiting...
    GOTO CyExit
)

:FinishCleanup
Echo * Unified Driver Cylance Cleanup Tool service has been removed.
Echo * Exiting...

:CyExit
exit

Monday, April 5, 2021

Deploying Carbon Black Cloud via GPO with a transform (MST) file fails with: “CAInstallPreCheck: Expect a cfg.ini in the same directory as the MSI, but could not find it.”

Problem

You’ve completed setting up Carbon Black Cloud to be deployed via GPO as described in one of my previous posts:

Deploying Carbon Black Cloud via GPO with a transform (MST) file specifying the Company Code and Group Name
http://terenceluk.blogspot.com/2021/04/deploying-carbon-black-cloud-via-gpo.html

But notice that it fails with the following event log errors:

Log Name: Application
Source: CbDefense
Event ID: 49
Level: Error

The description for Event ID 49 from source CbDefense cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

CbDefense

CAInstallPreCheck: Expect a cfg.ini in the same directory as the MSI, but could not find it.

image

Log Name: Application
Source: Application Management Group Policy
Event ID: 102
Level: Error

The install of application Carbon Black Cloud Sensor 64-bit from policy Test Carbon Black Cloud Install failed. The error was : %%1603

image

Solution

One of the reasons this error is thrown is that the COMPANY_CODE was missed when creating the transform file. Verify that both the COMPANY_CODE and GROUP_NAME exist in the transform file.

image

Deploying Carbon Black Cloud via GPO with a transform (MST) file specifying the Company Code and Group Name

I was recently asked about deploying Carbon Black Cloud Sensor via Group Policy as a published MSI file and recalled how much difficulty I had with incorporating the settings for the Company Code and Group Name, so I decided to dig up my old notes and write this blog post in case anyone else may be trying to find this information.

Before I begin, those who might be looking for the installation command for the deployment with, say, Workspace ONE can use the following:

installer_vista_win7_win8-64-3.6.0.1979.msi /L*vx log.txt COMPANY_CODE=XXXXXXXXXXXXXX GROUP_NAME=Monitored /qn

**Substitute the COMPANY_CODE value with your organization code and the GROUP_NAME with the name of your group.

Before publishing the Carbon Black Cloud Sensor MSI in Active Directory as a GPO, you’ll need to customize the MSI file with the orca.exe tool. Obtaining it isn’t straightforward, so I’ll outline the process here.

Obtaining orca.exe for creating a Transform file (.MST)

Navigate to the following site where Windows 10 SDK can be downloaded:

Windows 10 SDK
https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/

Download the ISO file:

image

Mount the ISO, navigate to the following directory:

E:\Installers

… and obtain the following files:

  • a35cd6c9233b6ba3da66eecaa9190436.cab
  • 838060235bcd28bf40ef7532c50ee032.cab
  • fe38b2fd0d440e3c6740b626f51a22fc.cab
  • Orca-x86_en-us.msi

image

Proceed to install Orca by running the MSI file and you should see the application in your start menu.

Creating a Microsoft Installer Transform (.MST) File

With Orca installed, we can proceed to modify the MSI file as demonstrated in the following KB:

To Create a Microsoft Installer Transform (.MST) File

https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/cbc-sensor-installation-guide/GUID-F28C735B-EC91-4A56-A041-3C07F9D36DE6.html

Open the MSI file with Orca and click Transform > New Transform:

image

Select the Property table, then click on Tables > New Row:

image

Click Property and enter "COMPANY_CODE" then click Value and enter the company registration code for your organization:

image

Repeat the same process for the GROUP_NAME:

image

You should now see the two parameters added:

image

Proceed to generate the transform file by clicking on Transform > Generate Transform:

image

image
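The CAInstallPreCheck failure described earlier comes down to a transform that lacks COMPANY_CODE or GROUP_NAME, and the steps above are where those rows are created. The following PowerShell is an added example, not from the original post or from VMware's documentation: it applies the transform to the MSI in memory through the Windows Installer COM object and reports whether each property ends up present with a value, without printing the company code. Test-CbTransform and the file names in the usage line are hypothetical.

```powershell
# Added example (not from the original post): check the effective Property table
# after the transform is applied. Test-CbTransform is a hypothetical name.
function Test-CbTransform {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$MstPath,
        [string[]]$Required = @('COMPANY_CODE', 'GROUP_NAME')
    )
    # Late-bound COM call helper; the Installer objects expose no usable type info.
    $invoke = {
        param($obj, $name, $kind, $callArgs)
        $obj.GetType().InvokeMember($name, $kind, $null, $obj, $callArgs)
    }
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = read-only: the transform is applied in memory, the MSI is not modified.
    $db = & $invoke $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path $MsiPath).Path, 0)
    # 63 = suppress the six msiTransformError* validation conditions.
    & $invoke $db 'ApplyTransform' 'InvokeMethod' @((Resolve-Path $MstPath).Path, 63) | Out-Null

    foreach ($name in $Required) {
        $query  = "SELECT Value FROM Property WHERE Property = '$name'"
        $view   = & $invoke $db 'OpenView' 'InvokeMethod' @($query)
        & $invoke $view 'Execute' 'InvokeMethod' $null | Out-Null
        $record = & $invoke $view 'Fetch' 'InvokeMethod' $null
        $value  = if ($record) { & $invoke $record 'StringData' 'GetProperty' @(1) } else { $null }
        & $invoke $view 'Close' 'InvokeMethod' $null | Out-Null
        # Report presence only; the company code is a registration secret.
        [pscustomobject]@{
            Property = $name
            Present  = [bool]$record
            HasValue = -not [string]::IsNullOrWhiteSpace($value)
        }
    }
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
}

# Placeholder file names; substitute the MSI and the generated transform.
Test-CbTransform -MsiPath '.\sensor.msi' -MstPath '.\sensor.mst' | Format-Table -AutoSize
```

A row with Present or HasValue set to False is the condition to fix in Orca before the GPO is linked.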

Deploying Carbon Black Cloud via Group Policy

With both the MSI and transform file (MST) created, we can now publish it in a Group Policy:

image

Select Advanced as the deployment method:

image

Navigate to the Modifications tab and select the transform file:

image

Click OK and assign the GPO to the appropriate OUs containing the computer objects.

image

Monday, July 27, 2020

Installation of VMware.PowerCLI via PowerShell fails with: "Install-PackageProvider : No match was found for the specified search criteria for the provider..."

Problem

You’re attempting to install VMware PowerCLI with the Install-Module -Name VMware.PowerCLI cmdlet from within PowerShell but notice that it fails with:

PS C:\scripts\vCheck-vSphere-master> Install-Module -Name VMware.PowerCLI
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\tluk\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import
the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider
'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package
has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
PS C:\scripts\vCheck-vSphere-master>

image

Solution

If you’re in a hurry and need to get the module installed, a quick workaround is to configure TLS 1.2 for the PowerShell session with the following command:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The NuGet provider will install once the above is executed:

image

PS C:\scripts\vCheck-vSphere-master> [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS C:\scripts\vCheck-vSphere-master> Install-Module -Name VMware.PowerCLI
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\tluk\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import
the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): y
PS C:\scripts\vCheck-vSphere-master>

To permanently correct the issue, open the registry and navigate to the following path for the 64 bit .Net Framework:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319

image

Add the SchUseStrongCrypto key with the following PowerShell cmdlet:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

image

image

Repeat the same for the 32 bit .Net Framework:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

image
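The two registry changes above can be applied and verified in one pass. The following PowerShell is an added example, not from the original post: it writes SchUseStrongCrypto only where it is missing or not 1, reports the value before and after for both paths used above, and shows a session-only setting that adds TLS 1.2 without replacing the protocols already enabled. Set-StrongCrypto is a hypothetical name.

```powershell
# Added example (not from the original post): apply and verify SchUseStrongCrypto.
# Set-StrongCrypto is a hypothetical name; the paths are the two used above.
function Set-StrongCrypto {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $name  = 'SchUseStrongCrypto'
    $paths = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) {
            # Key absent on this machine: report it and leave the registry alone.
            [pscustomobject]@{ Path = $path; Before = $null; After = $null; Changed = $false }
            continue
        }
        $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        # Write only when the value is missing or not 1, so reruns change nothing.
        if ($before -ne 1 -and $PSCmdlet.ShouldProcess($path, "Set $name to 1")) {
            Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
        }
        $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Path = $path; Before = $before; After = $after; Changed = ($before -ne $after) }
    }
}

# Preview the change, then apply it from an elevated prompt.
Set-StrongCrypto -WhatIf | Format-Table -AutoSize
Set-StrongCrypto | Format-Table -AutoSize

# Session-only alternative: add TLS 1.2 without discarding protocols already enabled.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
```

The registry value is read when a .NET process starts, so open a new PowerShell session before retrying Install-Module.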