Recently, we had a huge vulnerability in Outlook, as mentioned here. You have a number of ways to address this, such as Cloud Policy Management, which I discussed here. Today, we’re going to discuss how you can get near-instant remediation of big vulnerabilities by leveraging Freestyle Orchestrator powered by sensors, scripts, and a single workflow for Office app remediation. Let’s cover this, as it’s huge!
Creating the Sensors for the Office App Remediation Workflow
For us to make the magic happen, we will create two sensors (which I use to make sure the conditions are actually accurate before anything runs).
First, we focus on the Office Version Sensor, which can be found on my GitHub and is pretty simple for the most part:
# Returns the current O365 Version
# Execution Context: System
$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey = $key.OpenSubKey("SOFTWARE\Microsoft\Office\ClickToRun\Configuration")
$regkey_value = $subKey.GetValue("ClientVersionToReport")
return $regkey_value
This sensor reports the current version of your Office client, which looks like this:
You will see why that is important later on. Now, we create the second sensor which captures the channel we are on. That code is:
# Returns the Office Channel
# Execution Context: System
$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey = $key.OpenSubKey("SOFTWARE\Microsoft\Office\ClickToRun\Configuration")
# UpdateChannel holds the channel URL (not CDNBaseURL); map the known URLs to friendly names
$regkey_value = $subKey.GetValue("UpdateChannel")
$channel = switch ($regkey_value) {
    'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' { 'Current Channel' }
    'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6' { 'Monthly Enterprise Channel' }
    'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' { 'Semi-Annual Enterprise Channel' }
    default { $regkey_value }   # unknown channel: return the raw URL unchanged
}
return $channel
This code grabs the UpdateChannel URL. It’s important to note that this is NOT the CDNBaseURL value, which is a common misconception. The result looks like this:
Now, we have the two pieces of data that we need to build an amazing workflow.
The Office App Remediation Workflow Design
Our Freestyle Orchestrator Workflow design is pretty simple, yet effective.
Depending on your needs, you might have a few variations (if you run multiple channels in your organization).
First, we use the sensors as the check condition. The playbook for this is the Office version history article, which tells me that, since we run Monthly Enterprise Channel, the right version is going to be 16026.20238. So I tell the workflow to ONLY run if the Office version does not include 16026 and the update channel is Monthly Enterprise Channel. This keeps the remediation scoped to devices that are actually behind on that channel.
If you’re running two channels, you can expand on your workflow to account for two different channels, which is no big deal. (I’ll cover that in the demo).
Next, the script is the other part of the workflow. The code is easy:
# Force a silent Office Click-to-Run update; forceappshutdown closes any open Office apps
Start-Process 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe' -ArgumentList '/update user displaylevel=false forceappshutdown=true'
It just invokes the Office Click-to-Run client to silently force an update of your Office client (forceappshutdown=true means any open Office apps will be closed). It’s just that simple. From here, we can cut to the demo!
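To validate the sensor data and the check condition before you publish the workflow, here is an added example (not code from the original post) that reads the same registry values, resolves the channel name, and decides whether the remediation would fire; it goes beyond the post’s substring check by using a real version comparison so later builds are handled correctly. The function names and the $TargetBuilds table are assumptions for this example.

```powershell
# Added example, not from the original post: evaluates the workflow's check
# condition locally so you can validate both sensors and the "only remediate
# when behind" logic. Function names and $TargetBuilds are assumptions.
$ChannelNames = @{
    'http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    'http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
}

function Get-OfficeC2RState {
    # Reads the same two values the sensors use (UpdateChannel, not CDNBaseURL).
    $base   = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
    $subKey = $base.OpenSubKey('SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    if (-not $subKey) { return $null }   # no Click-to-Run Office on this device
    $url  = [string]$subKey.GetValue('UpdateChannel')
    $name = if ($ChannelNames.ContainsKey($url)) { $ChannelNames[$url] } else { $url }
    [pscustomobject]@{
        Version = [version]$subKey.GetValue('ClientVersionToReport')
        Channel = $name
    }
}

function Test-OfficeNeedsRemediation {
    param(
        [Parameter(Mandatory)][version]$Version,
        [Parameter(Mandatory)][string]$Channel,
        [Parameter(Mandatory)][hashtable]$TargetBuilds   # channel name -> minimum fixed build
    )
    # A channel you do not manage (or an unknown URL): the workflow must not fire.
    if (-not $TargetBuilds.ContainsKey($Channel)) { return $false }
    # Real version comparison instead of a substring check on "16026", so a
    # newer build such as 16.0.16027.x is correctly treated as already fixed.
    return $Version -lt [version]$TargetBuilds[$Channel]
}

# One entry per channel you manage, taken from the Office version history article.
# The Monthly Enterprise Channel build is the one the post targets (16026.20238).
$TargetBuilds = @{
    'Monthly Enterprise Channel' = '16.0.16026.20238'
    # 'Current Channel' = '16.0.<build from the version history article>'
}

$state = Get-OfficeC2RState
if ($state) {
    $needs = Test-OfficeNeedsRemediation -Version $state.Version -Channel $state.Channel -TargetBuilds $TargetBuilds
    "Office $($state.Version) on '$($state.Channel)': remediation needed = $needs"
    # The remediation itself is the same command the workflow's script runs:
    # if ($needs) { Start-Process 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe' -ArgumentList '/update user displaylevel=false forceappshutdown=true' }
}
```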
Demo of Creating the Workflow
Final Thoughts
As you saw, with a little bit of work you can solve complex and problematic issues quickly. The brilliance of Freestyle Orchestrator workflows comes from understanding the issue and creatively solving it in a scalable fashion. Freestyle Orchestrator is a pliable platform for the most part; it still has some growing to do, but that doesn’t mean it can’t do great things.