Breach Remediation (MBBR) integrates with System Center Configuration Manager (SCCM) to allow administrators to manage scans on endpoints, remove threats, and generate reports. This article describes the requirements and configurations for the integration.
Windows environment requirements
- Active Directory Server
- SCCM Server running SQL Server
- Network Share
- Windows endpoints
- SCCM client agent installed on your endpoints. For more information, see Microsoft's support article: Configure custom client settings for Endpoint Protection.
Requirements
- You must have an active Endpoint Protection, Endpoint Detection & Response, or Incident Response subscription.
- Have your subscription license key available.
- If using a Syslog Server, have your Syslog Server IP and Syslog Server Port available.
SCCM - Breach Remediation installation
- Download the Breach Remediation for SCCM file here.
- Unzip the SCCM_MBBR_ALL.zip package. This contains two folders: SCCM_MBBR and SCCM_MBBR(Syslog).
- The SCCM_MBBR folder is intended for customers using a non-syslog environment, and the SCCM_MBBR(Syslog) folder is intended for customers using a Syslog Server.
- If using a non-syslog environment:
  - Open the SCCM_MBBR folder.
  - Open Install_License.ps1 with Windows PowerShell.
  - Enter your Nebula license key and press Enter. This propagates the license key to the other batch files.
- If using a Syslog Server:
  - Open the SCCM_MBBR(Syslog) folder.
  - Open Install_License.ps1 with Windows PowerShell.
  - Enter your Nebula license key and press Enter.
  - Enter your Syslog Server IP and press Enter.
  - Enter your Syslog Server port and press Enter. This propagates the license key, Syslog Server IP, and Syslog Server port to the other batch files.
- Create a network shared folder with either the SCCM_MBBR or SCCM_MBBR(Syslog) files copied into your Active Directory or SCCM Server.
- Create a network shared folder to collect all of the Breach Remediation log files in your Active Directory or SCCM Server. Ensure the network shared folders are accessible by all of your SCCM clients.
- Copy the SCCM_Scripts folder to any location in your SCCM Server.
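The two shares described above hold the license key (propagated into the package's batch files) and the scan logs, so "accessible by all of your SCCM clients" is best scoped to computer accounts rather than to Everyone. The following is an added example, not part of the vendor package: the domain, group, share names and paths are placeholder assumptions, and the write-only log permissions assume the report script only copies new files into the share.

```powershell
#Requires -RunAsAdministrator
# Added example. Domain, group, share names and paths are placeholders (assumptions).
$Clients     = 'CONTOSO\Domain Computers'  # SCCM scripts run as SYSTEM, so the computer account reaches the share
$Admins      = 'CONTOSO\SCCM-Admins'       # hypothetical group that maintains the package and reads logs
$PackagePath = 'D:\Shares\SCCM_MBBR'       # unzipped package; its batch files carry the license key
$LogPath     = 'D:\Shares\MBBR_Logs'       # scan logs collected from endpoints

function New-Rule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to the folder, its subfolders and its files
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

function Set-ExplicitAcl([string]$Path, $Rules) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting broad ACEs (Users, Everyone) from the parent folder.
    # Explicit ACEs already present on an existing folder are left in place.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# ACEs common to both folders
$base = @((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'),
          (New-Rule 'BUILTIN\Administrators' 'FullControl'),
          (New-Rule $Admins 'Modify'))

# Package share: endpoints can read and execute, never modify the scripts they run.
Set-ExplicitAcl $PackagePath ($base + (New-Rule $Clients 'ReadAndExecute'))
New-SmbShare -Name 'SCCM_MBBR$' -Path $PackagePath -ReadAccess $Clients -FullAccess $Admins

# Log share: endpoints can drop files but cannot read other endpoints' logs.
# If the report script must list or overwrite existing files, widen this to 'Modify'.
Set-ExplicitAcl $LogPath ($base + (New-Rule $Clients 'Write, ReadAttributes'))
New-SmbShare -Name 'MBBR_Logs$' -Path $LogPath -ChangeAccess $Clients -FullAccess $Admins

# Review the resulting share-level permissions.
Get-SmbShareAccess -Name 'SCCM_MBBR$', 'MBBR_Logs$' |
    Format-Table Name, AccountName, AccessRight
```

The resulting UNC paths are the values to supply as SharePath for the Deploy MBBR script and as the network share location in the MBBR Scan Reports script.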
Integrate and approve scripts in SCCM
You can now import the SCCM scripts into the SCCM console. The SCCM administrator must then approve each one before use. There are three scripts in total:
- Deploy MBBR: The script to deploy Breach Remediation to an endpoint.
- Execute MBBR: The script to run scans and remediation with Breach Remediation on target endpoints.
- MBBR Scan Reports: The script to generate log files from target endpoints.
Configure the Deploy MBBR script
- On the SCCM Server Machine, click the Windows icon > Configuration Manager Console.
- In the Configuration Manager Console, go to Assets and Compliance > Devices to ensure you've installed the SCCM client agent on your endpoints. If installed properly, you see a green check mark under the Icon column, and the word "Active" under the Client Activity column.
- Go to Software Library > Scripts.
- Click Create Script.
- In the Create Script window, click Import > select Deploy MBBR.ps1 and click Open.
- On the Script Details screen, in the Script name field, enter Deploy MBBR > click Next to continue.
- In the Script Parameters window, enter the following details:
  - In the FolderName field, enter the folder path you want to create on your client machines.
  - In the SharePath field, enter the network shared folder path where you have stored SCCM_MBBR files.
- Click Next > Next > on the Completion screen, click Close.
- The administrator must now approve the script. On the Scripts screen, right-click Deploy MBBR > Approve/Deny from the context menu.
- In the Approve or Deny Script window, click Next > Next > Next. On the Completion screen, click Close.
Configure the Execute MBBR script
- Click Create Script. In the Create Script window, click Import > select Execute MBBR.ps1 and click Open.
- On the Script Details screen, in the Script name field, enter Execute MBBR > click Next to continue.
- On the Script Parameters screen, leave the FilePath field empty for now. You will fill this field later when you run the script. Click Next > Next > Close.
- The administrator must approve the script. On the Scripts screen, right-click Execute MBBR > Approve/Deny from the context menu.
- In the Approve or Deny Script window, click Next > Next > Next. On the Completion screen, click Close.
Configure the MBBR Scan Reports
- To import the MBBR Scan Reports script, open the script in Notepad. Highlight and copy all of the contents.
- On the SCCM Scripts page, click Create Script.
- In the Script Details window, in the Script field, paste the contents of the MBBR Scan Reports script.
- Edit the first two lines of the script:
  - For line one, assign the endpoint log file location.
  - For line two, assign the network share location to collect the log files.
- Click Next > Next > on the Completion screen, click Close.
- The administrator must approve the script. On the Scripts screen, right-click MBBR Scan Reports > Approve/Deny from the context menu.
- In the Approve or Deny Script window, click Next > Next > Next. On the Completion screen, click Close.
For information on running the Breach Remediation for SCCM scripts, see Breach Remediation with Microsoft SCCM user guide.