Endpoint Services, MECM, Identify and remediate Dell firmware updater vulnerability DSA-2021-088

Overview

Follow this guide to identify and remediate Dell firmware updater vulnerability DSA-2021-088 via MECM.

Systems

Microsoft Endpoint Configuration Manager (MECM), formerly SCCM

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

Identify affected endpoints

  1. In the MECM console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines

  2. Select the 'Detect Dell dbutil_2_3.sys driver for DSA-2021-088' baseline and deploy the baseline to the relevant collection for your unit

  3. Allow enough time for the baseline to run.  To speed up policy evaluation, right-click the relevant collection, select 'Client Notification', then select 'Download Computer Policy'.

Remediate affected endpoints

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines

  2. Select the 'Detect Dell dbutil_2_3.sys driver for DSA-2021-088' baseline, then select the 'Deployments' tab in the lower center pane

  3. Right-click the deployment to your unit's collection, select 'Create new Collection', then select 'Non-Compliant'

  4. While creating the collection, please rename the collection and add your unit's prefix (i.e. UIUC-YourUnit-DSA-2021-088).

  5. Navigate to Assets and Compliance > Overview > Device Collections, right-click the new collection, select 'Move', then select the appropriate folder within your unit

  6. Navigate to the collection's new location, right-click the collection, select 'Deploy', then select 'Program'

  7. In the 'Deploy Software Wizard', select 'Browse' next to the 'Software' field, then select the 'Dell DSA-2021-088 remediation utility' program

  8. Complete the wizard by selecting the 'Required' purpose, 'Never rerun deployed program' rerun behavior, along with your preferred schedule and user experience settings

  9. Allow enough time for the program to run.  To speed up policy evaluation, right-click the relevant collection, select 'Client Notification', then select 'Download Computer Policy'.

  10. Based on the schedule specified in the baseline deployment and collection, endpoints will fall out of the collection as they become compliant.  Right-click the collection and select 'Update Membership' for a current evaluation of non-compliant endpoints.

Contact the EPS team