Cisco ISE/AnyConnect Deployment and Remediation

A client with over 3000 endpoints needed Cisco ISE with AnyConnect deployed in their environment. Due to the age of some of their equipment, AnyConnect could not easily be deployed without a custom solution. I was able to provide the client advanced detection and reporting through SCCM using Configuration Items and Baselines, and developed a custom application to remediate devices that failed the AnyConnect automatic deployment for a variety of issues.

Documentation Supplied to Client

Overview

Purpose

The purpose of this Deployment Strategy and Plan document is to define a deployment strategy and plan for the Cisco AnyConnect 4.5.02036 upgrade. This document comprises two sections (in addition to the attached phase identification information): the Deployment Strategy and the Deployment Plan. The Deployment Strategy section is used to formulate a deployment approach for Cisco AnyConnect 4.5.02036. The Deployment Plan section contains the detailed schedule, resource, technical, and support information necessary for a successful deployment of Cisco AnyConnect 4.5.02036.

About AnyConnect

AnyConnect refers to a set of network security tools provided by Cisco that we use to provide our users VPN access and to prevent noncompliant devices from accessing our network.

This set of tools is installed on all of the workstation computers at Contoso Corp and is usually visible to the user as a small Cisco icon which they would sometimes use to connect via VPN.

Components For Upgrade

The following components, which are collectively and internally referred to as Cisco AnyConnect and are currently at version 4.3.03086, are scheduled for upgrade to version 4.5.02036 during this project. More specifically, they handle the VPN portion of the service:

  • Cisco AnyConnect Start Before Login Module 4.3.03086
  • Cisco AnyConnect Diagnostics and Reporting Tool 4.3.03086
  • Cisco AnyConnect Network Access Manager 4.3.03086
  • Cisco AnyConnect Secure Mobility Client 4.3.03086

The ISE compliance module, which is the component used to keep noncompliant devices off the network, is not being upgraded during this project:

  • Cisco AnyConnect ISE Compliance Module 4.2.426.0

Deployment Strategy

The Deployment Strategy section of this document provides an overview of the deployment strategy planned for Cisco AnyConnect 4.5.02036. Included in the deployment strategy is timeline information, a description of the deployment approach, and associated benefits, assumptions and risks.

Deployment Overview

Phases     | Sites         | Computers | Scheduled Dates
-----------|---------------|-----------|--------------------------------------
PRE-PILOT  | Site 1        | 27        | October 2, 2017 – October 24, 2017
PILOT      | Site 2        | 169       | October 30, 2017 – November 17, 2017
PRODUCTION | All Locations | 1,500     | November 15, 2017 – December 20, 2017

The Deployment Dates referenced below are the dates on which Cisco AnyConnect 4.5.02036 will attempt to begin installation on the selected computers. This does not indicate the completion date for the phase, which could take an additional 2 weeks.

Production Phase 1 (Site 1)

Sub Phases | Sites  | Computers | Deployment Date
-----------|--------|-----------|-------------------
PHASE 1A   | Site 1 | 243       | November 15, 2017
PHASE 1B   | Site 2 | 272       | November 20, 2017
PHASE 1C   | Site 3 | 295       | November 27, 2017
Total      |        | 810       |

Production Phase 2 (Site 2)

Sub Phases | Sites       | Computers | Deployment Date
-----------|-------------|-----------|-------------------
PHASE 2A   | Site A 1/2  | 246       | November 29, 2017
PHASE 2B   | Site A 2/2  | 248       | December 4, 2017
PHASE 2C   | Other Sites | 185       | December 6, 2017
Total      |             | 679       |

Production Phase 3 (Executive Staff)

Sub Phases | Sites           | Computers | Deployment Date
-----------|-----------------|-----------|--------------------
PHASE 3    | Executive Staff | 11        | Custom Arrangements

Deployment Approach

System Center Configuration Manager (SCCM) will be used to deploy Cisco AnyConnect 4.5.02036. When each phase is reached, the computers will be instructed to execute the installation in parallel within their maintenance window, which is typically between 8:00PM and 6:00AM each night.

The deployment will require a reboot once completed. Users have the option to install the software outside of their maintenance window via the Software Center found on the Start menu; if they do, a restart will also be required, even in the middle of the day. The software will be displayed as shown on the right.

Assumptions and Risks

Assumptions

The computers targeted for deployment are assumed to be left on and connected to the DMG corporate network between the hours of 8:00PM and 6:00AM on at least a couple of the nights during the scheduled deployment. Additionally, each computer is assumed to have no currently known issues with the version of AnyConnect installed prior to the upgrade.

Deployment Targeting and IP Scopes

Deployments were targeted based on DHCP scopes correlating to clients’ active IP addresses. Active scopes and IP address mappings can be seen by having a server administrator run Get-DhcpServerv4Scope -ComputerName PCONADC001PRD | Select ScopeID, Name
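As an added example (not part of the client documentation or of the remediation tool), the following PowerShell turns a list of DHCP scopes into a query-based membership rule for a phase collection, so that a phase's targeting follows the subnets a site actually hands out rather than a hand-maintained computer list. The scope objects are constructed stand-ins for Get-DhcpServerv4Scope output (ScopeId and Name are real properties of that cmdlet's output; the values are made up), the collection name is the one used later in this document, and the site code is a placeholder.

```powershell
# Added example: DHCP scopes -> SCCM query-based collection rule.
# Not the client's tooling. Scope data below is constructed; site code is a placeholder.

function Get-SampleScopes {
    # Constructed stand-in for: Get-DhcpServerv4Scope -ComputerName PCONADC001PRD
    @(
        [pscustomobject]@{ ScopeId = [ipaddress]'10.10.1.0'; Name = 'Site 1 - Floor 1' }
        [pscustomobject]@{ ScopeId = [ipaddress]'10.10.2.0'; Name = 'Site 1 - Floor 2' }
        [pscustomobject]@{ ScopeId = [ipaddress]'10.20.1.0'; Name = 'Site 2 - Main' }
    )
}

function ConvertTo-SubnetQuery {
    # Builds the WQL an SCCM query rule evaluates: one SMS_R_System.IPSubnets comparison
    # per scope, OR'd together. IPSubnets is the subnet the client reported in inventory,
    # which is exactly what a DHCP ScopeId denotes.
    param(
        [Parameter(Mandatory)] [object[]]$Scopes,
        [string]$NameFilter = '*'          # e.g. 'Site 1*' to pick one site's scopes
    )
    $subnets = @($Scopes | Where-Object { $_.Name -like $NameFilter } |
        ForEach-Object { $_.ScopeId.IPAddressToString })
    if ($subnets.Count -eq 0) { throw "No DHCP scopes matched filter '$NameFilter'" }

    $clauses = @($subnets | ForEach-Object { "SMS_R_System.IPSubnets = `"$_`"" })
    'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
    'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, ' +
    'SMS_R_System.Client from SMS_R_System where ' + ($clauses -join ' or ')
}

function Add-PhaseSubnetRule {
    # Applies the query to a phase collection with the ConfigurationManager module,
    # which is only present where the SCCM console is installed.
    param(
        [Parameter(Mandatory)] [string]$CollectionName,
        [Parameter(Mandatory)] [string]$Query,
        [Parameter(Mandatory)] [string]$SiteCode,
        [string]$RuleName = 'DHCP scope subnets'
    )
    # Console idiom: the module sits one folder above $env:SMS_ADMIN_UI_PATH.
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    Import-Module $modulePath -ErrorAction Stop
    Push-Location "$SiteCode`:"
    try {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName $RuleName -QueryExpression $Query
        Invoke-CMCollectionUpdate -CollectionName $CollectionName
    }
    finally { Pop-Location }
}

# Walk-through on the constructed data: only the Site 1 scopes feed Phase 1A.
$query = ConvertTo-SubnetQuery -Scopes (Get-SampleScopes) -NameFilter 'Site 1*'
Write-Host $query

# Apply only where the console (and therefore the module) exists; 'XYZ' is a placeholder site code.
if ($env:SMS_ADMIN_UI_PATH) {
    Add-PhaseSubnetRule -SiteCode 'XYZ' -Query $query `
        -CollectionName 'Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASE 1A)'
}
```

On the DHCP server itself, Get-SampleScopes can be replaced by the real cmdlet from the text; the rest is unchanged. Because the rule is query-based, a workstation that moves to another site's scope drops out of the phase at the next membership update instead of being installed on the wrong night.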

Risks

Because AnyConnect is used as the primary means to authenticate a computer for compliance against our network, failed installations can result in a device not having any network connectivity until the installation is resolved or ISE compliance is turned off on the network port associated to the computer by a DMG Network Engineer.

Benefits to Deployment

Currently, we are running Cisco AnyConnect 4.3.03086, which is two major versions behind the latest version released in late October 2017, 4.5.02036. Amongst multiple security fixes that have been introduced since this version, some important ones include patches for the WPA2 KRACK vulnerability and a swath of “high vulnerabilities” as listed in our Nessus scanner results via Tenable.

Additionally, the upgrade will provide us a more refined path and plan for future AnyConnect upgrades.

Deployment Plan

The Deployment Plan section provides detailed information on the deployment of Cisco AnyConnect 4.5.02036. Included in the Deployment Plan are schedule and resource information, the engagement and promotion strategy, deployment methods, technology infrastructure and support considerations, deployment testing and training requirement, and any known conflicts or issues with the software.

Deployment Schedule and Resources

Pre-Pilot Schedule

Phase             | Sites  | Computers | Deployment Date* | Server Resource | Network Resource
------------------|--------|-----------|------------------|-----------------|-----------------
PRE-PILOT PHASE 1 | Site 1 | 10        | October 2, 2017  | David Maiolo    | Karl Wyld
PRE-PILOT PHASE 2 | Site 2 | 3         | October 9, 2017  | David Maiolo    | Karl Wyld
PRE-PILOT PHASE 3 | Site 3 | 14        | October 20, 2017 | David Maiolo    | Karl Wyld

Pilot Schedule

Phase          | Sites        | Computers | Deployment Date*  | Server Resource | Network Resource
---------------|--------------|-----------|-------------------|-----------------|-----------------
PILOT PHASE 1  | Site 1 Pilot | 59        | October 30, 2017  | David Maiolo    | Jason Salamando
PILOT PHASE 2  | Site 2 Pilot | 51        | November 6, 2017  | David Maiolo    | Jason Salamando
PILOT PHASE 3* | Site 3 Pilot | 118       | November 13, 2017 | David Maiolo    | Jason Salamando

* Pilot Phase 3 contains all of the computers from Pilot Phase 1. The Pilot phase was restarted due to a small version upgrade Cisco released in late October 2017 which included additional WPA2 KRACK vulnerability fixes. This “restart” allows these early adopters to be included on the additional security updates. This was a change from version 4.5.02033 to 4.5.02036.

Production Phase 1 (Site 1)

Sub Phases | Sites  | Computers | Deployment Date*  | Server Resource | Network Resource
-----------|--------|-----------|-------------------|-----------------|-----------------
PHASE 1A   | Site 1 | 243       | November 15, 2017 | David Maiolo    | Karl Wyld
PHASE 1B   | Site 2 | 272       | November 20, 2017 | Bradly Jason    | Jason Salamando
PHASE 1C   | Site 3 | 295       | November 27, 2017 | Bradly Jason    | Jason Salamando

Production Phase 2 (Site 2)

Sub Phases | Sites               | Computers | Deployment Date*  | Server Resource | Network Resource
-----------|---------------------|-----------|-------------------|-----------------|-----------------
PHASE 2A   | See xlsx attachment | 246       | November 29, 2017 | Bradly Jason    | Karl Wyld
PHASE 2B   | See xlsx attachment | 248       | December 4, 2017  | David Maiolo    | Karl Wyld
PHASE 2C   | See xlsx attachment | 185       | December 6, 2017  | David Maiolo    | Karl Wyld

Production Phase 3 (Executive Staff)

Sub Phases | Sites           | Computers | Deployment Date*    | Server Resource | Network Resource
-----------|-----------------|-----------|---------------------|-----------------|-----------------
PHASE 3    | Executive Staff | 11        | Custom Arrangements | David Maiolo    | Jason Salamando

Resource Requirements

Helpdesk Team

Throughout the deployment process it is also assumed that Technology Helpdesk Team resources will be available to provide immediate remediation efforts via the helpdesk at x6868. The helpdesk technician should walk the user through starting the AUTOMATED REMEDIATION TOOL as shown later in this document and assist with other troubleshooting steps.

Endpoint Team

Additionally, the Endpoint Team can be considered a Tier 2 resource to assist the helpdesk via requests in the SDE Ticketing system. The Endpoint Team engineer should attempt the steps and tools outlined in the section ADVANCED TECHNICAL SUPPORT.

Server Infrastructure Team

The Network Engineers Team and Server Infrastructure Team resources not listed above are also expected to be available for emergencies and Tier 3 escalations from either the Desktop or Helpdesk team. The Server Infrastructure Team resource should be available for any and all requests for assistance from the Helpdesk Team and Endpoint Team to assist with remediation, and should work on additional remediation efforts if these teams do not have the resources available.

Network Engineers Team

The Network Engineers Team resource should assist in remediation and will likely be the first point of contact to disable ISE on the port where the customer is having a connection issue.

Engagement and Promotion Strategy

This section describes the engagement and promotion strategy that will be used for deploying Cisco AnyConnect 4.5.02036.

During each production phase, Technology Support TI-TCS@Davidmaiolo.com will be used as the method to communicate the strategy to associated Branch Managers during the Branch phase and management staff during the Back office phase.

E-Mail Template

Colleagues:

The Technology Infrastructure department has successfully completed testing of Cisco AnyConnect 4.5.02036 and is ready to begin the deployment portion of the project. The target date for deployment in your area is [Scheduled time per phase] between the hours of 8:00AM and 6:00PM.

This deployment is only an upgrade to the preexisting application on the computers in this area.

The Cisco AnyConnect software enables the streamlining of authentication, access controls and privileges, and network systems at DMG. For the most part, deployment and streamlined authentication and authorizations services occurs “behind the scenes” with minimal, if any, user disruption.

You should not notice any operational changes when the software is deployed to your computer, other than a reboot during the hours indicated above. However, our engineers and technicians are available to assist in the event the software installation causes an issue with a user accessing our network. Please call the helpdesk at x6868 immediately if you run into any VPN or network connectivity issues during this deployment.

Mahalo for your cooperation,

[Technology Infrastructure Signature]

Testing Methods and Customer Acceptance

The Cisco AnyConnect 4.5.02036 deployment has been passed through a pre-pilot and pilot phase, where some issues were observed. In those instances, it was of utmost importance that the customers’ issues were resolved quickly. In the event the Cisco AnyConnect 4.5.02036 installation failed, it was vitally important that the Network Engineers Team was available to “disable ISE” on the user’s network port so that the AnyConnect requirements were not needed during the resolution.

With additional support, proper remediation strategies from Endpoint Team, Technology Helpdesk Team and Server Infrastructure Team were required to bring the users’ computer back into compliance with the proper installation of Cisco AnyConnect 4.5.02036.

Monitoring The Deployment

Basic Monitoring

Central monitoring of the Cisco AnyConnect 4.5.02036 rollout can be viewed from your computer by visiting http://vconscm005prd/Reports/ and searching for the report ‘All application deployments (basic)’.

Choose By: Application

Select Application (Collection): Cisco AnyConnect 4.5.02036 (All Applications)

Select Collection (Application): All

The application metrics will be divided into the respective phases:

Clicking the “View Current” data for the phase will allow you to further drill down, even to the computer and user level if necessary:

The monitoring works by comparing Product installation UIs for each Cisco component with reported installed components on the workstations.

Advanced Monitoring

To ensure a technician or technical contact has as much data as possible to troubleshoot Cisco AnyConnect 4.5.02036 deployment issues, several compliance items and baselines were written which assess specific values on the computers. These baselines check that certain conflicting software is not installed, that required certificates are in place and not expired, and that all required components are installed successfully. To see the advanced monitoring that these baselines provide, again go to the central reporting site http://vconscm005prd/Reports/ and search for the report: Summary compliance by configuration baseline

Configuration Baselines Name: CB.AnyConnect.4.5.02036.Full.Compliance

Clicking ‘View Report’ will allow you to drill down and see each compliance item and reason for failure.

Advanced Technical Support

If an installation of Cisco AnyConnect 4.5.02036 fails, the user is likely to have no network access. During the planning and testing of Cisco AnyConnect 4.5.02036, many advanced methods, tools and configurations were written to help support the rollout, monitor its progress, and provide technical staff (and users) with remediation options.

Compliance Checking

Algorithms were developed as SCCM configuration items to provide a detection service that tracks centralized deployment successes and failures. When used by a technician, these compliance metrics are available on a computer with or without network access, showing whether a device passed or failed the installation and, if it failed, where the installation failed.

This is available to the technician in the Control Panel -> Configuration Manager -> Configurations -> CB.AnyConnect 4.5.02036.Full.Compliance -> Evaluate -> View Report

Success and failures can be further clicked to elaborate on details.
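The compliance items behind CB.AnyConnect.4.5.02036.Full.Compliance (Advanced Monitoring above and Compliance Checking here) are not reproduced on this page. As an added example written for this page, not the client's own baseline, the following PowerShell shows the shape of a script-based discovery check that an SCCM configuration item runs on the workstation: it confirms that the components listed under Components For Upgrade are present at their target versions, that no conflicting software is installed, and that a required certificate exists and is within its validity period. Component names and versions come from this document; the conflicting-software pattern, the certificate subject and the certificate store are placeholders.

```powershell
# Added example: SCCM configuration-item discovery script for the AnyConnect baseline.
# Not the client's baseline. Placeholders are marked as such.

$RequiredComponents = @(                                           # from Components For Upgrade
    @{ Name = 'Cisco AnyConnect Secure Mobility Client';         Version = '4.5.02036' }
    @{ Name = 'Cisco AnyConnect Network Access Manager';         Version = '4.5.02036' }
    @{ Name = 'Cisco AnyConnect Start Before Login Module';      Version = '4.5.02036' }
    @{ Name = 'Cisco AnyConnect Diagnostics and Reporting Tool'; Version = '4.5.02036' }
    @{ Name = 'Cisco AnyConnect ISE Compliance Module';          Version = '4.2.426.0' }
)
$ConflictingSoftware = @('PLACEHOLDER Third-Party VPN Client*')   # placeholder DisplayName patterns
$CertSubjectPattern  = 'CN=PLACEHOLDER-NAC-Client*'                 # placeholder subject
$CertStore           = 'Cert:\LocalMachine\My'                      # placeholder store

function Get-InstalledPrograms {
    # Read the Add/Remove Programs entries from both registry views once.
    $hives = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($hive in $hives) {
        Get-ChildItem $hive -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.GetValue('DisplayName')
                DisplayVersion = $_.GetValue('DisplayVersion')
            }
        }
    }
}

function Test-RequiredComponents($Installed) {
    # Emit one reason per component that is absent or at the wrong version.
    foreach ($c in $RequiredComponents) {
        $hit = $Installed | Where-Object { $_.DisplayName -eq $c.Name -and $_.DisplayVersion -eq $c.Version }
        if (-not $hit) { "Missing: $($c.Name) $($c.Version)" }
    }
}

function Test-ConflictingSoftware($Installed) {
    foreach ($pattern in $ConflictingSoftware) {
        $Installed | Where-Object { $_.DisplayName -like $pattern } |
            ForEach-Object { "Conflict: $($_.DisplayName) is installed" }
    }
}

function Test-RequiredCertificate {
    # Present is not enough: the certificate must also be inside its validity window.
    $certs = @(Get-ChildItem $CertStore -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $CertSubjectPattern })
    if ($certs.Count -eq 0) { return "Certificate: nothing matching $CertSubjectPattern in $CertStore" }
    $now   = Get-Date
    $valid = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    if ($valid.Count -eq 0) { "Certificate: every match is expired or not yet valid" }
}

function Get-AnyConnectBaselineResult {
    $installed = @(Get-InstalledPrograms)
    $reasons = @(
        Test-RequiredComponents $installed
        Test-ConflictingSoftware $installed
        Test-RequiredCertificate
    )
    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

$result = Get-AnyConnectBaselineResult
# Reasons go to the warning stream for the technician; only the verdict goes to the
# output stream, which is the value the configuration item's compliance rule compares.
$result.Reasons | ForEach-Object { Write-Warning $_ }
if ($result.Compliant) { Write-Output 'Compliant' } else { Write-Output 'NonCompliant' }
```

In a real baseline each of the three checks would usually be its own configuration item, each with a rule of the form "value equals Compliant", so that the drill-down report names the failing check rather than a single combined verdict. Run interactively on a workstation, the warnings give the technician the same detail without the report.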

Conflict Resolution Flow-Chart

To use this flowchart if the user does not have network connectivity, the technician will either need to perform this in person or after ISE has been disabled on the port.

[Flowchart image: Conflict Resolution Flow-Chart (not reproduced in this page)]

Automated Remediation Tool

A Cisco AnyConnect 4.5.02036 remediation tool has been developed, which gives a user or technician a first line of remediation for the items in the flowchart above. The remediation tool was written in PowerShell and attempts to identify and resolve common issues.

The helpdesk or technician should first attempt to use this remediation tool before performing next steps. Network connectivity is NOT required to use the tool.

Using the tool only requires the user to open Software Center, find Cisco AnyConnect 4.5.02035 (REMEDIATION TOOL) and click Install as shown below. No further user interaction is required. If the tool was successful, the user will be asked to restart their computer. If not, the tool will prompt to retry.

Advanced mode

For technicians using the tool, a more advanced and verbose mode is available. The technician will find the tool at c:\windows\ccmcache\xx\Invoke-DMGAnyConnect.ps1. If run under an administrative account, the tool will show progress and will log its remediation attempts.

Removing Computers From The Deployment

If a computer needs to be removed from the Cisco AnyConnect 4.5.02036 deployment, an SCCM administrator will need to add the computer to the following collection:

\Assets and Compliance\Overview\Device Collections\DMG – Workstations\Enterprise Tasks\Cisco AnyConnect 4.5.02036 Upgrade Project\EXCLUSIONS\Cisco AnyConnect 4.5.02036 Upgrade Project (EXCLUSIONS ONLY)

Further, the Phase collection, such as Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASE 1A), would need to be updated (right click-> Update Membership) to reference the new exclusion.
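As an added example (not the client's own tooling), here are the exclusion steps above scripted with the ConfigurationManager PowerShell module that ships with the SCCM console. The collection names are the ones in this section; the site code and the computer name are placeholders, and the script assumes, as the text implies, that each phase collection already carries an exclude rule pointing at the EXCLUSIONS collection, so that updating its membership is enough to drop the computer from the phase.

```powershell
# Added example: add a workstation to the EXCLUSIONS collection and refresh the phase
# collections. Not the client's tooling; site code and computer name are placeholders.

$SiteCode            = 'XYZ'                                                          # placeholder
$ExclusionCollection = 'Cisco AnyConnect 4.5.02036 Upgrade Project (EXCLUSIONS ONLY)'  # from the document
$PhaseCollections    = @(                                                             # from the document
    'Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASE 1A)'
)

function Connect-SccmSite {
    param([Parameter(Mandatory)] [string]$SiteCode)
    # Console idiom: the module sits one folder above $env:SMS_ADMIN_UI_PATH.
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    Import-Module $modulePath -ErrorAction Stop
    Set-Location "$SiteCode`:"
}

function Add-AnyConnectExclusion {
    param([Parameter(Mandatory)] [string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        $device = Get-CMDevice -Name $name
        if (-not $device) {
            Write-Warning "$name is not an SCCM device; skipping"
            continue
        }
        # Direct membership rule in the EXCLUSIONS collection.
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $ExclusionCollection `
            -ResourceId $device.ResourceID
        Write-Host "Added $name to '$ExclusionCollection'"
    }

    # Equivalent of right-click -> Update Membership on each phase collection; the
    # exclude rule they already carry removes the newly excluded computers.
    foreach ($phase in $PhaseCollections) {
        Invoke-CMCollectionUpdate -CollectionName $phase
        Write-Host "Membership update requested for '$phase'"
    }
}

Connect-SccmSite -SiteCode $SiteCode
Add-AnyConnectExclusion -ComputerName 'WS-PLACEHOLDER-01'   # placeholder computer name
```

Invoke-CMCollectionUpdate only queues the evaluation; the phase collection shows the change once the collection evaluator has run, so check the collection's member count before assuming the computer is out of the night's deployment.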

Reference Documents

  • Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASES).xlsx

Custom PowerShell Remediation Solution

After the application was deployed through SCCM, the Cisco installation could fail for a multitude of reasons. After working with the client and determining the most common reasons for failure, the following “Remediation” application was developed and made available to end users to install in the event the standard SCCM application did not work.

This method became so much more successful than the MSI installations provided by Cisco that it was eventually modified to be the sole Cisco AnyConnect automated deployment through SCCM.

$toolslocation = (Get-Item -Path .).FullName
$global:errorsleft = 0
$global:RestartPending = 0
$programversion = "1.4"
$programauthor = "c-dmaiolo"

# Files the tool expects under $toolslocation\tools (these are the names and CSV columns
# the functions below read):
#   configuration.xml                  known-good Network Access Manager configuration
#   anyconnect_programs.csv            columns: Program, Version, Required, MSI, RestartRequired
#   anyconnect_services.csv            columns: Service, Description
#   Cisco AnyConnect 4.5.02036\*.msi   the installers named in the MSI column

# Log the whole run. Start-Transcript fails when the folder is missing, so create it first.
New-Item -ItemType Directory -Path "C:\admin" -Force | Out-Null
Start-Transcript -Append -Path "C:\admin\Fix-DMGAnyConnect-$programversion-$(Get-Date -Format dd-MM-yyyy).log"

Function Get-DMGWelcomeScreen($Title) {
    Write-Host "=============================================================="
    Write-Host "Title: $Title"
    Write-Host "Version: $programversion"
    Write-Host "Author: $programauthor"
    Write-Host "=============================================================="
}

Function Get-DMGTitleScreen($Title) {
    Write-Host "==============================================================" -ForegroundColor Cyan
    Write-Host $Title -ForegroundColor Cyan
    Write-Host "==============================================================" -ForegroundColor Cyan
}

function Get-ConfigurationFileStatus {
    # Returns 1 when the NAM configuration.xml carries the known-good date,
    # 2 when it exists with another date (or only configuration_bad.xml is present),
    # 3 when no configuration file exists at all.
    [CmdletBinding()]
    [OutputType([int])]
    Param
    (
        [Parameter(Mandatory=$false, ValueFromPipeline=$true, Position=0)]
        $ConfigurationFilePath = "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml",
        $BadConfigurationFilePath = "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration_bad.xml",
        $GoodConfigurationFileDay = 20,
        $GoodConfigurationFileMonth = 10,
        $GoodConfigurationFileYear = 2016
    )

    Process
    {
        if (Test-Path $ConfigurationFilePath) {
            $ConfigurationFilelastModifiedDate = (Get-Item "$ConfigurationFilePath").LastWriteTime
            if ($ConfigurationFilelastModifiedDate.Day -eq $GoodConfigurationFileDay -and
                $ConfigurationFilelastModifiedDate.Month -eq $GoodConfigurationFileMonth -and
                $ConfigurationFilelastModifiedDate.Year -eq $GoodConfigurationFileYear) {
                $result = 1
                Write-Verbose "Debug: $(Get-Date) - GOOD Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Success: $(Get-Date) - Configuration File Found With Good Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Green
            }
            else {
                $result = 2
                Write-Verbose "Debug: $(Get-Date) - Bad Date Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Error: $(Get-Date) - Configuration File Found With Bad Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Red
                $global:RestartPending++
            }
        }
        elseif (Test-Path $BadConfigurationFilePath) {
            $result = 2
            Write-Verbose "Debug: $(Get-Date) - BAD Configuration File was found"
        }
        else {
            $result = 3
            Write-Verbose "Debug: $(Get-Date) - NO Configuration File was found"
        }
    }
    End
    {
        $result
    }
}

function Set-ConfigurationFile {
    # Replaces a missing or wrong-dated configuration.xml with the known-good copy
    # shipped in tools\ and restarts the Network Access Manager service.
    [CmdletBinding()]
    Param ()

    Begin
    {
        Get-DMGTitleScreen "CHECKING CISCO ANYCONNECT CONFIGURATION.XML..."
        $ConfigurationFileStatus = Get-ConfigurationFileStatus
        $ConfigurationFileDestination = "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\"
        $ConfigurationFileSource = "$toolslocation\tools\configuration.xml"
    }
    Process
    {
        if ($ConfigurationFileStatus -eq 1) {
            Write-Host "Success: $(Get-Date) - Configuration File is GOOD!" -ForegroundColor Green
            return
        }
        if ($ConfigurationFileStatus -eq 2) {
            Write-Host "Error: $(Get-Date) - Configuration File is Bad. Attempting to fix..." -ForegroundColor Yellow
        }
        else {
            Write-Host "Error: $(Get-Date) - No configuration file was found! Is AnyConnect installed? Attempting to fix..." -ForegroundColor Red
        }
        # The bad and the missing case get the same repair, which only makes sense when
        # the NAM folder (and therefore AnyConnect itself) is present.
        if (Test-Path $ConfigurationFileDestination) {
            Copy-DMGFile -filesource $ConfigurationFileSource -filedestination $ConfigurationFileDestination
            Restart-DMGService -Service nam -Verbose
        }
        else {
            Write-Host "Error: $(Get-Date) - Could not fix. AnyConnect is not installed!" -ForegroundColor Red
        }
    }
}

function Copy-DMGFile {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true, Position=0)]
        $filesource,
        [Parameter(Mandatory=$true, Position=1)]
        $filedestination
    )

    Process
    {
        Write-Host "Copying $filesource..."
        try {
            # -ErrorAction Stop turns the otherwise non-terminating copy error into one the catch sees.
            Copy-Item -Path $filesource -Destination $filedestination -Force -ErrorAction Stop
            Write-Host "Success: $(Get-Date) - Copied $filesource" -ForegroundColor Green
        }
        catch {
            Write-Host "Error: $(Get-Date) - Could Not Copy $filesource ($($_.Exception.Message))" -ForegroundColor Red
            $global:errorsleft++
        }
    }
}

function Restart-DMGService {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true, Position=0)]
        $service
    )

    Process
    {
        Write-Host "Restarting $service Service..."
        try {
            Restart-Service -Name $service -ErrorAction Stop
            Write-Host "Success: $(Get-Date) - Restarted $service Service" -ForegroundColor Green
        }
        catch {
            Write-Host "Error: $(Get-Date) - Could Not Restart $service Service ($($_.Exception.Message))" -ForegroundColor Red
        }
    }
}

function Is-DMGProgramInstalled {
    # Looks for an Add/Remove Programs entry with the given DisplayName and DisplayVersion
    # in both registry views (native and Wow6432Node).
    [CmdletBinding()]
    [OutputType([bool])]
    Param
    (
        [Parameter(Mandatory=$true, Position=0)]
        $program,
        [Parameter(Mandatory=$true, Position=1)]
        $version
    )

    Process
    {
        $native = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue("DisplayName") -like "$program" -and $_.GetValue("DisplayVersion") -like "$version" }

        $wow64 = Get-ChildItem "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue("DisplayName") -like "$program" -and $_.GetValue("DisplayVersion") -like "$version" }

        if ($native) {
            Write-Host "Success: $(Get-Date) - Version found in native registry view: $native" -ForegroundColor Green
            $result = $TRUE
        }
        elseif ($wow64) {
            Write-Host "Success: $(Get-Date) - Version found in Wow6432Node registry view: $wow64" -ForegroundColor Green
            $result = $TRUE
        }
        else {
            Write-Host "Error: $(Get-Date) - $program $version not found in either registry view" -ForegroundColor Red
            $result = $FALSE
        }
    }
    End
    {
        return $result
    }
}

function Is-DMGAllProgramInstalled {
    # Walks anyconnect_programs.csv and (re)installs every component listed in it.
    Begin
    {
        Get-DMGTitleScreen "CHECKING FOR INSTALLED COMPONENTS"
        $csv = Import-Csv "$toolslocation\tools\anyconnect_programs.csv"
    }
    Process
    {
        $csv | ForEach-Object {
            $Program = $_.Program
            $Version = $_.Version
            $Required = $_.Required
            $MSI = $_.MSI
            $RestartRequired = $_.RestartRequired

            Write-Host "Checking $Program $Version $MSI ..."

            if (Is-DMGProgramInstalled -program $Program -version $Version) {
                Write-Host "Success: $(Get-Date) - $Program $Version is installed. Re-installing anyway just to make sure." -ForegroundColor Green
                Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired FALSE
            }
            else {
                Write-Host "Error: $(Get-Date) - $Program $Version NOT installed" -ForegroundColor Red
                Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired $RestartRequired
            }
        }
    }
}

Function Install-DMGProgram {
    # Runs the component MSI up to two times; after a failed attempt the stale Windows
    # Installer product registration is removed (Remove-DMGHKCRRegKey) so the retry starts clean.
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true)] $Program,
        [Parameter(Mandatory=$true)] $Version,
        $Required,
        [Parameter(Mandatory=$true)] $MSI,
        $RestartRequired
    )

    Begin
    {
        $n = 1
    }
    Process
    {
        while ($n -lt 3) {
            Write-Host "Installing $Program $Version $MSI (Try $n of 2)..."
            # REBOOT=ReallySuppress keeps msiexec from rebooting on its own; the final
            # report tells the user when a restart is still outstanding.
            Start-Process msiexec.exe -Wait -ArgumentList "/i `"$toolslocation\tools\Cisco AnyConnect 4.5.02036\$MSI`" REBOOT=ReallySuppress /passive /qb"

            if (Is-DMGProgramInstalled -program $Program -version $Version) {
                Write-Host "Success: $(Get-Date) - $Program $Version installed successfully" -ForegroundColor Green
                # $RestartRequired arrives as the CSV string "TRUE"/"FALSE"; comparing a
                # string against $TRUE is case-insensitive, so "TRUE" matches.
                if ($RestartRequired -eq $TRUE) {
                    $global:RestartPending++
                }
                $n = 4    # leave the loop without counting as a failure
            }
            else {
                $n++
                Write-Host "Error: $(Get-Date) - $Program $Version could not be installed" -ForegroundColor Red
                Remove-DMGHKCRRegKey -Program $Program
            }
        }
    }
    End
    {
        Write-Verbose "Debug: $(Get-Date) - Install-DMGProgram Exit Level: $n"
        if ($n -eq 3) {
            $global:errorsleft++
        }
    }
}

function Get-DMGErrorsLeft {
    # Returns $TRUE when unresolved errors remain. When everything was fixed, a marker
    # key recording the successful run and the target version is written.
    Process
    {
        if ($global:errorsleft -gt 0) {
            $return = $TRUE
        }
        else {
            $return = $FALSE
            $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Fix-DMGAnyConnect"
            if (!(Test-Path $registryPath)) {
                New-Item -Path $registryPath -Force | Out-Null
            }
            New-ItemProperty -Path $registryPath -Name "Installed" -Value 1 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $registryPath -Name "Version" -Value "4.5.02036" -PropertyType String -Force | Out-Null
        }
    }
    End
    {
        $return
    }
}

function Get-FinalReport {
    Get-DMGTitleScreen "FINAL REPORT"

    if (Get-DMGErrorsLeft) {
        Write-Host "Error: $(Get-Date) - There were $global:errorsleft errors that could not be resolved!" -ForegroundColor Red
    }
    else {
        Write-Host "Success: $(Get-Date) - All Errors were resolved!" -ForegroundColor Green
    }
    if ($global:RestartPending -gt 0) {
        Write-Host "Warning: $(Get-Date) - A reboot is required!" -ForegroundColor Yellow
        #[System.Environment]::Exit(3010)
    }
    else {
        Write-Host "Success: $(Get-Date) - No reboot is required. The user may safely use the computer." -ForegroundColor Green
        #[System.Environment]::Exit(0)
    }
}

<#
.SYNOPSIS
    Removes stale Windows Installer product registrations for a program.
.DESCRIPTION
    Scans HKEY_CLASSES_ROOT\Installer\Products for entries whose ProductName matches
    the program and deletes them, so that a failed or half-removed install does not
    block the next msiexec attempt.
.EXAMPLE
    Remove-DMGHKCRRegKey -Program "Cisco AnyConnect Network Access Manager"
#>
function Remove-DMGHKCRRegKey {
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        $Program
    )

    Process
    {
        # HKCR is not a PS drive by default; the error is ignored if it already exists.
        New-PSDrive -PSProvider Registry -Name HKCR -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
        $PRODUCTS = Get-ChildItem "HKCR:\Installer\Products"

        foreach ($PRODUCT in $PRODUCTS) {
            $PRODUCT_NAME = (Get-ItemProperty -Path ("HKCR:\Installer\Products\" + $PRODUCT.PSChildName))."ProductName"

            if ($PRODUCT_NAME -like "*$Program*") {
                Write-Host "Removing Key: $($PRODUCT.PSChildName) - $PRODUCT_NAME ..." -ForegroundColor Yellow
                Remove-Item ("HKCR:\Installer\Products\" + $PRODUCT.PSChildName) -Recurse
                Write-Host "Success: $(Get-Date) - $($PRODUCT.PSChildName) - $PRODUCT_NAME Removed" -ForegroundColor Green
            }
        }
    }
}

function Stop-DMGServices {
    # Stops every AnyConnect service listed in anyconnect_services.csv before the
    # component MSIs are run.
    Begin
    {
        Get-DMGTitleScreen "STOPPING SERVICES"
        $csv = Import-Csv "$toolslocation\tools\anyconnect_services.csv"
    }
    Process
    {
        $csv | ForEach-Object {
            $Service = $_.Service
            $Description = $_.Description
            Write-Host "Checking Service: $Description ($Service)..."
            try {
                Stop-Service -Name $Service -Force -ErrorAction Stop
                Write-Host "Success: $(Get-Date) - $Description ($Service) Stopped" -ForegroundColor Green
            }
            catch {
                Write-Host "Error: $(Get-Date) - $Description ($Service) could not be Stopped ($($_.Exception.Message))" -ForegroundColor Red
            }
        }
    }
}

function Invoke-DMGRemediateAnyConnect {
    Get-DMGWelcomeScreen "Cisco AnyConnect Fix Utility"
    Stop-DMGServices
    Is-DMGAllProgramInstalled
    Set-ConfigurationFile
    Get-FinalReport
}

# Entry point: run the full remediation sequence and close the transcript.
Invoke-DMGRemediateAnyConnect
Stop-Transcript
 
 
