Cisco ISE/AnyConnect Deployment and Remediation

Overview

Purpose

The purpose of this article is to help you define a deployment strategy and plan for a Cisco AnyConnect upgrade. I used a similar procedure to help a 3000+ client environment transition successfully to the latest version of Cisco AnyConnect by utilizing SCCM and a custom upgrade program I created just for the purpose. For demonstration purposes I will show an upgrade procedure to version 4.5.02036. This article consists of two sections: the Deployment Strategy and the Deployment Plan. The Deployment Strategy section is used to formulate a deployment approach for Cisco AnyConnect. The Deployment Plan section contains the recommended schedule, resource, technical, and support information necessary for a successful deployment of Cisco AnyConnect.

About AnyConnect

AnyConnect refers to a set of network security tools provided by Cisco that can be used to provide your users VPN access and to prevent non-compliant devices from accessing your network.

This set of tools can be installed on all of the workstation computers at your company and is usually visible to the user as a small Cisco icon, which they can also use to open your VPN tunnel.

Components For A Successful Upgrade

The following sample components are recommended for upgrading to version 4.5.02036:

  • Cisco AnyConnect Start Before Login Module 4.3.03086
  • Cisco AnyConnect Diagnostics and Reporting Tool 4.3.03086
  • Cisco AnyConnect Network Access Manager 4.3.03086
  • Cisco AnyConnect Secure Mobility Client 4.3.03086

The ISE compliance module, which is the component used to prevent noncompliant devices from accessing your network, might not need to be upgraded during your project:

  • Cisco AnyConnect ISE Compliance Module 4.2.426.0

Deployment Strategy

The Deployment Strategy section of this article provides you the recommended deployment strategy for Cisco AnyConnect 4.5.02036. Included in the deployment strategy is recommended timeline information, a description of the deployment approach, and associated benefits, assumptions and risks.

Deployment Overview

| Phases | Sites | Computers | Scheduled Dates |
|---|---|---|---|
| PRE-PILOT | SITE 1 | 27 | October 2, 2020 – October 24, 2020 |
| PILOT | SITE 2 | 169 | October 30, 2020 – November 17, 2020 |
| PRODUCTION | All Locations | 1,500 | November 15, 2020 – December 20, 2020 |

The Deployment Dates referenced below are the dates on which Cisco AnyConnect 4.5.02036 would attempt to begin installation on the selected computers. They do not indicate the completion date for each phase, which could take an additional 2 weeks.

Production Phase 1 (Site 1)

| Sub Phases | Sites | Computers | Deployment Date |
|---|---|---|---|
| PHASE 1A | Site 1 | 243 | November 15, 2020 |
| PHASE 1B | Site 2 | 272 | November 20, 2020 |
| PHASE 1C | Site 3 | 295 | November 27, 2020 |
| Total | | 810 | |

Production Phase 2 (Site 2)

| Sub Phases | Sites | Computers | Deployment Date |
|---|---|---|---|
| PHASE 2A | Site A 1/2 | 246 | November 29, 2020 |
| PHASE 2B | Site A 2/2 | 248 | December 4, 2020 |
| PHASE 2C | Other Sites | 185 | December 6, 2020 |
| Total | | 679 | |

Production Phase 3 (Executive Staff)

| Sub Phases | Sites | Computers | Deployment Date |
|---|---|---|---|
| PHASE 3 | Executive Staff | 11 | Custom Arrangements |

Deployment Approach


System Center Configuration Manager (SCCM) should be used to deploy Cisco AnyConnect. As each phase is reached, the computers would be instructed to execute the installation in parallel, within their maintenance window.

A deployment will require a software reboot once completed. Users have the option to install the software outside of their maintenance window via Software Center, found on the Start menu; if they do, a restart will still be required, even in the middle of the day. The software could be displayed as shown on the right.

Assumptions and Risks

Assumptions

The computers targeted for deployment are assumed to be left on and connected to your corporate network during the maintenance window on at least a couple of the nights during the scheduled deployment. Additionally, each computer is assumed to have no known issues with the version of AnyConnect installed prior to the upgrade.

Deployment Targeting and IP Scopes

Deployments can be targeted based on DHCP scopes that correlate to clients’ active IP addresses. Active scopes and IP address mappings can be seen by having a server administrator run:

Get-DhcpServerv4Scope -ComputerName ADCSERVER | Select ScopeID, Name

Risks

Because AnyConnect is used as the primary means to authenticate a computer for compliance against your network, failed installations can result in a device not having any network connectivity until the installation is resolved or ISE compliance is turned off on the network port associated with the computer by a Network Engineer.

Benefits to Deployment

A client I worked with was running Cisco AnyConnect 4.3, which was two major versions behind the latest version released in late October 2017, 4.5.02036. Amongst multiple security fixes that were introduced since this version, some important ones include patches for the WPA2 KRACK vulnerability.

Additionally, developing your upgrade strategy will provide a more refined path and plan for future AnyConnect upgrades.

Deployment Plan

The Deployment Plan section provides recommended information on the deployment of Cisco AnyConnect. Included in the Deployment Plan are schedule and resource information, the engagement and promotion strategy, deployment methods, technology infrastructure and support considerations, deployment testing and training requirements, and any known conflicts or issues with the software.

Deployment Schedule and Resources

Pre-Pilot Schedule

| Phase | Sites | Computers | Deployment Date* | Server Resource | Network Resource |
|---|---|---|---|---|---|
| PRE-PILOT PHASE 1 | Site 1 | 10 | October 2, 2020 | David Maiolo | Elon Musk |
| PRE-PILOT PHASE 2 | Site 2 | 3 | October 9, 2020 | David Maiolo | Elon Musk |
| PRE-PILOT PHASE 3 | Site 3 | 14 | October 20, 2020 | David Maiolo | Bill Gates |

Pilot Schedule

| Phase | Sites | Computers | Deployment Date* | Server Resource | Network Resource |
|---|---|---|---|---|---|
| PILOT PHASE 1 | Site 1 Pilot | 59 | October 30, 2020 | David Maiolo | Elon Musk |
| PILOT PHASE 2 | Site 2 Pilot | 51 | November 6, 2020 | David Maiolo | Bill Gates |
| PILOT PHASE 3* | Site 3 Pilot | 118 | November 13, 2020 | David Maiolo | Elon Musk |

Production Phase 1 (Site 1)

| Sub Phases | Sites | Computers | Deployment Date* | Server Resource | Network Resource |
|---|---|---|---|---|---|
| PHASE 1A | Site 1 | 243 | November 15, 2020 | David Maiolo | Elon Musk |
| PHASE 1B | Site 2 | 272 | November 20, 2020 | Elon Musk | Elon Musk |
| PHASE 1C | Site 3 | 295 | November 27, 2020 | Elon Musk | Elon Musk |

Production Phase 2 (Site 2)

| Sub Phases | Sites | Computers | Deployment Date* | Server Resource | Network Resource |
|---|---|---|---|---|---|
| PHASE 2A | Produce a xlsx attachment | 246 | November 29, 2020 | Elon Musk | Elon Musk |
| PHASE 2B | Produce a xlsx attachment | 248 | December 4, 2020 | David Maiolo | Elon Musk |
| PHASE 2C | See xlsx attachment | 185 | December 6, 2020 | David Maiolo | Elon Musk |

Production Phase 3 (Executive Staff)

| Sub Phases | Sites | Computers | Deployment Date* | Server Resource | Network Resource |
|---|---|---|---|---|---|
| PHASE 3 | Executive Staff | 7 | Custom Arrangements | David Maiolo | Elon Musk |

Resource Requirements

Helpdesk Team

Throughout the deployment process, Technology Helpdesk Team resources should be available to provide immediate remediation via the helpdesk. Your helpdesk technician should walk the user through starting the AUTOMATED REMEDIATION TOOL, as shown later in this article, and assist with other troubleshooting steps.

Endpoint Team

Additionally, your Endpoint Team can be considered a Tier 2 resource to assist the helpdesk via requests in the ticketing system. The Endpoint Team engineer should attempt the steps and tools outlined in the section ADVANCED TECHNICAL SUPPORT.

Server Infrastructure Team

Your Network Engineers Team and Server Infrastructure Team resources not listed above should also be available for emergencies and Tier 3 escalations from either your Endpoint Team or Helpdesk Team. Your Server Infrastructure Team resource should be available for any and all requests for assistance from the Helpdesk Team and Endpoint Team to assist with remediation, and to work on additional remediation efforts if these teams do not have the resources available.

Network Engineers Team

Your Network Engineers Team resource should assist in remediation and would likely be the first point of contact to disable ISE on the port where the customer is having a connection issue.

Engagement and Promotion Strategy

This recommended engagement and promotion strategy should be used for deploying Cisco AnyConnect 4.5.02036.

During each production phase, Technology Support should be used as the method to communicate the strategy to associated Managers during the phases and management staff during the executive phases.

E-Mail Template

Colleagues:

The Technology department has successfully completed testing of Cisco AnyConnect 4.5.02036 and is ready to begin the deployment portion of the project. The target date for deployment in your area is [Scheduled time per phase] between the hours of TIME1 and TIME. <--include times from your maintenance window

This deployment is only an upgrade to the preexisting application on the computers in this area.

The Cisco AnyConnect software enables the streamlining of authentication, access controls and privileges, and network systems at this company NNN. For the most part, deployment and streamlined authentication and authorization services occur “behind the scenes” with minimal, if any, user disruption.

You should not notice any operational changes when the software is deployed to your computer, other than a reboot during the hours indicated above. However, our engineers and technicians are available to assist in the event the software installation causes an issue with a user accessing our network. Please call the helpdesk at xNNNN immediately if you run into any VPN or network connectivity issues during this deployment.

Thank You for your cooperation,

[Technology Signature]

Testing Methods and Customer Acceptance

You should pass the Cisco AnyConnect 4.5.02036 deployment through a pre-pilot and pilot phase, where some issues could be observed. In those instances, it is of utmost importance that the customers’ issues be resolved quickly. In the event the Cisco AnyConnect 4.5.02036 installation fails, it is vitally important that the Network Engineers Team be available to “disable ISE” on the user’s network port so that the AnyConnect requirements are not needed during the resolution.

With additional support, proper remediation strategies from the Endpoint Team, Technology Helpdesk Team and Server Infrastructure Team would likely be required to bring the user’s computer back into compliance with the proper installation of Cisco AnyConnect 4.5.02036.

Monitoring The Deployment

Basic Monitoring

Central monitoring of the Cisco AnyConnect 4.5.02036 rollout could be viewed from your computer by visiting your SCCM SQL report link and searching for the report ‘All application deployments (basic)’.

Choose By: Application

Select Application (Collection): Cisco AnyConnect 4.5.02036 (All Applications)

Select Collection (Application): All

The application metrics should be divided into the respective phases:

Clicking the “View Current” data for the phase would allow you to further drill down, even to the computer and user level if necessary:

The monitoring works by comparing Product installation UIs for each Cisco component with reported installed components on the workstations.

Advanced Monitoring

To ensure your technician or technical contact has as much data as possible to troubleshoot Cisco AnyConnect 4.5.02036 deployment issues, several compliance items and baselines were written which assess specific values on the computers. These baselines check that certain conflicting software is not installed, that required certificates are in place and not expired, and that all required components are installed successfully. These can be viewed within your SCCM SQL Server by searching for the report: Summary compliance by configuration baseline

Configuration Baselines Name: CB.AnyConnect.4.5.02036.Full.Compliance

Clicking ‘View Report’ will allow you to drill down and see each compliance item and reason for failure.
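The three checks named above (required components installed, no conflicting software, required certificate present and unexpired) can be written as one script-based discovery check. This is an added example, not the article's own configuration items; the conflicting-software pattern, the certificate subject, the LocalMachine\My store and the 'Compliant' return string are assumptions.

```powershell
# Added example: discovery logic for a script-based SCCM configuration item.
# Hypothetical values: the conflicting-software pattern, the certificate
# subject pattern and the 'Compliant' string the compliance rule would expect.
$RequiredComponents = @(
    'Cisco AnyConnect Secure Mobility Client'
    'Cisco AnyConnect Network Access Manager'
    'Cisco AnyConnect Start Before Login Module'
    'Cisco AnyConnect Diagnostics and Reporting Tool'
)

function Get-InstalledProgram {
    # Live inventory from both uninstall hives (native and Wow6432Node).
    $hives = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

function Test-AnyConnectCompliance {
    [CmdletBinding()]
    param(
        [object[]]$Installed       = @(),   # objects with DisplayName, DisplayVersion
        [object[]]$Certificates    = @(),   # objects with Subject, NotAfter
        [string[]]$Components      = $RequiredComponents,
        [string]  $TargetVersion   = '4.5.02036',                        # upgrade target in this article
        [string[]]$ConflictPattern = @('*Example Conflicting Client*'),  # placeholder
        [string]  $CertSubject     = '*CN=EXAMPLE-MACHINE-CERT*',        # placeholder
        [datetime]$Now             = (Get-Date)
    )
    $failures = New-Object 'System.Collections.Generic.List[string]'

    # 1. Every required component is present at the target version.
    foreach ($name in $Components) {
        $found = @($Installed | Where-Object { $_.DisplayName -eq $name })
        if ($found.Count -eq 0) {
            $failures.Add("Missing component: $name")
        } elseif (-not ($found | Where-Object { $_.DisplayVersion -eq $TargetVersion })) {
            $failures.Add("Wrong version: $name is $($found[0].DisplayVersion)")
        }
    }

    # 2. No conflicting software is installed.
    foreach ($pattern in $ConflictPattern) {
        foreach ($hit in @($Installed | Where-Object { $_.DisplayName -like $pattern })) {
            $failures.Add("Conflicting software: $($hit.DisplayName)")
        }
    }

    # 3. A matching certificate exists and at least one copy has not expired.
    $matching = @($Certificates | Where-Object { $_.Subject -like $CertSubject })
    $valid    = @($matching | Where-Object { $_.NotAfter -gt $Now })
    if ($matching.Count -eq 0) {
        $failures.Add('Required certificate not found')
    } elseif ($valid.Count -eq 0) {
        $latest = $matching | Sort-Object NotAfter -Descending | Select-Object -First 1
        $failures.Add("Required certificate expired on $($latest.NotAfter.ToString('yyyy-MM-dd'))")
    }

    # One string out: the value the compliance rule evaluates, with reasons on failure.
    if ($failures.Count -eq 0) { 'Compliant' }
    else { 'NonCompliant: ' + ($failures -join '; ') }
}

# Constructed sample inventory (not real data): one component left on the
# old version and an expired certificate, evaluated as of the pre-pilot date.
$sampleInstalled = @($RequiredComponents | ForEach-Object {
    [pscustomobject]@{ DisplayName = $_; DisplayVersion = '4.5.02036' }
})
$sampleInstalled[1].DisplayVersion = '4.3.03086'
$sampleCerts = @([pscustomobject]@{
    Subject  = 'CN=EXAMPLE-MACHINE-CERT'
    NotAfter = [datetime]'2019-01-01'
})
Test-AnyConnectCompliance -Installed $sampleInstalled -Certificates $sampleCerts `
    -Now ([datetime]'2020-10-02')
```

On a managed client the same function would be called with `-Installed (Get-InstalledProgram) -Certificates (Get-ChildItem Cert:\LocalMachine\My)` in place of the constructed sample.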

Advanced Technical Support

If an installation of Cisco AnyConnect 4.5.02036 fails, the user is likely not to have any network access. During the planning and testing of Cisco AnyConnect 4.5.02036, many advanced methods, tools and configurations have been written to help support the rollout, monitor its progress, and provide technical staff (and users’) remediation options.

Compliance Checking

I developed algorithms that can be developed as SCCM configuration items to provide a detection service to track centralized deployment successes and failures. When used by a technician, these compliance metrics are available on a computer with or without network access to show whether a device passed or failed the installation and, if it failed, identify where the installation failed.

This would be available to the technician in the Control Panel -> Configuration Manager -> Configurations -> CB.AnyConnect 4.5.02036.Full.Compliance -> Evaluate -> View Report

Successes and failures can be clicked to show further details.

Conflict Resolution Flow-Chart

I developed this flow-chart to help a technician work with customers if they run into issues.


Automated Remediation Tool

I further developed the Cisco AnyConnect Remediation Tool, which should allow a user or technician a first-line defense to components in the flowchart above. The remediation tool was written in PowerShell and attempts to identify and resolve common issues.

The helpdesk or technician should first attempt to use the remediation tool before performing next steps. Network connectivity is NOT required to use the tool.

If pre-deployed to user computers as a required deployment (but far off in the future), it will cache locally on the client. Use of the tool only requires the user to open Software Center, find Cisco AnyConnect (REMEDIATION TOOL) and click Install as shown below. No user interaction is required. If the tool was successful, the user will be asked to restart their computer. If not, the tool will prompt to retry.

Advanced mode

For technicians using the tool, a more advanced and verbose mode is available. The technician would find the tool inside of c:\windows\ccmcache\xx\Invoke-DMGAnyConnect.ps1. If run under an administrator account, the tool will show progress and will log attempts for remediation.

Removing Computers From The Deployment

If a computer needs to be removed from your Cisco AnyConnect deployment, you should add an exclusion collection to your project. This would allow an SCCM administrator to add the computer to the collection:

\Assets and Compliance\Overview\Device Collections\Cisco AnyConnect 4.5.02036 Upgrade Project\EXCLUSIONS\Cisco AnyConnect 4.5.02036 Upgrade Project (EXCLUSIONS ONLY)

Further, the Phase collection, such as Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASE 1A), would need to be updated (right click-> Update Membership) to reference the new exclusion.

Reference Documents

  • Be sure to include reference documents

Custom PowerShell Remediation Solution
After the application is deployed through SCCM, the Cisco installation could fail for a multitude of reasons. After working with several clients, and determining the most common reasons for failure, the following “Remediation” application was developed and made available so that end users could install the tool in the event the standard SCCM application did not work.

In my scenarios, this method became so much more successful than the MSI installations provided by Cisco, that it was eventually modified to be the sole Cisco AnyConnect automated deployment through SCCM.


$toolslocation=(get-item -Path .).FullName 
$global:errorsleft = 0
$global:RestartPending = 0
$programversion = "1.4"
$programauthor = "c-dmaiolo"

Start-Transcript -Append -Path "C:\admin\Fix-DMGAnyConnect-$programversion-$(Get-Date -Format dd-MM-yyyy).log"

Function Get-DMGWelcomeScreen($Title){
    Write-Host ==============================================================
    Write-Host Title: $Title                                          
    Write-Host Version: $programversion
    Write-Host Author: $programauthor
    Write-Host ==============================================================

}

Function Get-DMGTitleScreen($Title){
    Write-Host ============================================================== -ForegroundColor Cyan
    Write-Host $Title  -ForegroundColor Cyan
    Write-Host ============================================================== -ForegroundColor Cyan
}

function Get-ConfigurationFileStatus
    {
    [CmdletBinding()]
    
    [OutputType([int])]


    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$true,
                   Position=0)]
        $ConfigurationFilePath="c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml",
        $BadConfigurationFilePath="c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration_bad.xml",
        $GoodConfigurationFileDay = 20,
        $GoodConfigurationFileMonth = 10,
        $GoodConfigurationFileYear = 2016

    )


    Begin
    {
    
    }
    Process
    {
        if (Test-Path $ConfigurationFilePath){
            $ConfigurationFilelastModifiedDate = (Get-Item "$ConfigurationFilePath").LastWriteTime
            if ($ConfigurationFilelastModifiedDate.Day.Equals($GoodConfigurationFileDay) -and $ConfigurationFilelastModifiedDate.Month.Equals($GoodConfigurationFileMonth) -and $ConfigurationFilelastModifiedDate.Year.Equals($GoodConfigurationFileYear)){
                $result = 1
                Write-Verbose "Debug: $(Get-Date) - GOOD Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Success: $(Get-Date) - Configuration File Found With Good Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Green
            }else {
                $result = 2
                Write-Verbose "Debug: $(Get-Date) - Bad Date Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Error: $(Get-Date) - Configuration File Found With Bad Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Red
                $global:RestartPending++
            }
        }
        elseif (Test-Path $BadConfigurationFilePath) {
            $result = 2
            Write-Verbose "Debug: $(Get-Date) - BAD Configuration File was found"
        }
        else{
            $result = 3
            Write-Verbose "Debug: $(Get-Date) - NO Configuration File was found"
        }
    }
    End
    {
        $result
    }

}


function Set-ConfigurationFile
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$true,
                   Position=0)]
                   $var
        
    )

    Begin
    {
        Get-DMGTitleScreen ("CHECKING CISCO ANYCONNECT CONFIGURATION.XML...")
        $ConfigurationFileStatus = Get-ConfigurationFileStatus
        $ConfigurationFileDestination = "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\"
        $ConfigurationFileSource = "$toolslocation\tools\configuration.xml"
        
    }
    Process
    {
        if ($ConfigurationFileStatus -eq 1){
            Write-Host Success: $(Get-Date) - Configuration File is GOOD! -ForegroundColor Green
        }elseif ($ConfigurationFileStatus -eq 2){
            Write-Host Error: $(Get-Date) - Configuration File is Bad. Attempting to fix... -ForegroundColor Yellow
             if (Test-Path $ConfigurationFileDestination){
                Copy-DMGFile -filesource $ConfigurationFileSource -filedestination $ConfigurationFileDestination
                Restart-DMGService -Service nam -Verbose
	        } else{
                Write-Host Error: $(Get-Date) - Could not fix. AnyConnect is not installed! -ForegroundColor Red
            }
        }elseif ($ConfigurationFileStatus -eq 3){
            Write-Host Error: $(Get-Date) - No configuration file was found! Is AnyConnect installed? Attempting to fix... -ForegroundColor Red
             if (Test-Path $ConfigurationFileDestination){
                Copy-DMGFile -filesource $ConfigurationFileSource -filedestination $ConfigurationFileDestination
                Restart-DMGService -Service nam -Verbose
	        }else{
                Write-Host Error: $(Get-Date) - Could not fix. AnyConnect is not installed! -ForegroundColor Red
                }
        }
    }
    End
    {
        $result
    }
    
 }

 function Copy-DMGFile
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $filesource,
        $filedestination
    )

    Begin
    {
        Write-Host "Copying $filesource..."
    }
    Process
    {
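        try{
            # -ErrorAction Stop turns a failed copy into a terminating error so the catch block runs
            Copy-Item -Path $filesource -Destination $filedestination -ErrorAction Stop
            Write-Host "Success: $(Get-Date) - Copied $filesource" -foregroundcolor green
        }
        catch{
            Write-Host "Error: $(Get-Date) - Could Not Copy $filesource" -foregroundcolor red
            $global:errorsleft++
        }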
    }
    End
    {

    }
    
 }


 function Restart-DMGService
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $service
    )

    Begin
    {
        Write-Host Restarting $service Service...
    }
    Process
    {
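        try{
            # -ErrorAction Stop turns a failed restart into a terminating error so the catch block runs
            Restart-Service $service -ErrorAction Stop
            Write-Host "Success: $(Get-Date) - Restarted $service Service" -foregroundcolor green
        }
        catch{
            Write-Host "Error: $(Get-Date) - Could Not Restart $service Service" -foregroundcolor red
        }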
    }
    End
    {
        $result
    }
    
 }


 function Is-DMGProgramInstalled {

    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $program,
        $version
    )

    Begin
    {

    }
    Process
    {
        # Native uninstall hive: 64-bit entries on a 64-bit OS, 32-bit entries on a 32-bit OS
        $native = ((Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue) |
            Where-Object { $_.GetValue( "DisplayName" ) -like "$program" -and $_.GetValue( "DisplayVersion" ) -like "$version"} );

        # Wow6432Node hive: 32-bit entries on a 64-bit OS
        $wow6432 = ((Get-ChildItem "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue) |
            Where-Object { $_.GetValue( "DisplayName" ) -like "$program" -and $_.GetValue( "DisplayVersion" ) -like "$version"} );

        if($native){
            Write-Host "Success: $(Get-Date) - Version Found in native uninstall hive at $native" -foregroundcolor green
            $result = $TRUE
            }
        elseif($wow6432){
            Write-Host "Success: $(Get-Date) - Version Found in Wow6432Node (32-bit) uninstall hive at $wow6432" -foregroundcolor green
            $result = $TRUE
        }
        else{
            Write-Host "Error: $(Get-Date) - No version found in either uninstall hive" -foregroundcolor red
            $result = $FALSE
        }
    }
    End
    {
        return $result
    }
}


function Is-DMGAllProgramInstalled {


    Begin
    {

        Get-DMGTitleScreen ("CHECKING FOR INSTALLED COMPONENTS")
        $csv = import-csv $toolslocation\tools\anyconnect_programs.csv 

    }
    Process
    {
        
        $csv | foreach-object {
          $Program = $_.Program
          $Version =$_.Version
          $Required =$_.Required
          $MSI =$_.MSI
          $RestartRequired =$_.RestartRequired

          Write-Host Checking $Program $Version $MSI ...
          
          if (Is-DMGProgramInstalled -program $Program -version $Version){
             Write-Host "Success: $(Get-Date) - $Program $Version is installed. Re-installing anyway just to make sure." -foregroundcolor green
             Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired FALSE
          }else{
             Write-Host "Error: $(Get-Date) - $Program $version NOT installed" -foregroundcolor red
             Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired $RestartRequired
          }
        }

    }
    End
    {
        
    }
}

Function Install-DMGProgram{
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $Program,
        $Version,
        $Required,
        $MSI,
        $RestartRequired

    )

    Begin
    {
        $csv = import-csv $toolslocation\tools\anyconnect_programs.csv
        $n=1

    }
    Process
    {
        
                       
        while($n -lt 3){

        Write-Host "Installing $Program $Version $MSI (Try $n of 2)..."
        # REBOOT=ReallySuppress keeps the MSI from restarting the machine; the tool reports the pending reboot itself
        Start-Process msiexec.exe -Wait -ArgumentList "/i `"$toolslocation\tools\Cisco AnyConnect 4.5.02036\$MSI`" REBOOT=ReallySuppress /passive /qb"

        if(Is-DMGProgramInstalled -program $Program -version $Version){
           Write-Host "Success: $(Get-Date) - $Program $Version installed successfully" -foregroundcolor green
           if ($RestartRequired -eq $TRUE){
                $global:RestartPending++
            }
            $n=4
        }else{
            $n++;
            Write-Host "Error: $(Get-Date) - $Program $Version could not be installed" -foregroundcolor red
            Remove-DMGHKCRRegKey -Program $Program
        }
    }

    }
    End
    {
        Write-Verbose "Debug: $(Get-Date) - Install-DMGProgram Exit Level: $n"
        if($n -eq 3){
            $global:errorsleft++
        }
    }
}


function Get-DMGErrorsLeft{

    Begin
    {

    }
    Process
    {
        if ($global:errorsleft -gt 0){ 
				$return = $TRUE
		}
		else{
			$return = $FALSE
			$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Fix-DMGAnyConnect"
			$name = "Installed"
			$value = "1"
			$name2 = "Version"
			$value2 = "4.5.02036"

			if(!(Test-Path $registryPath))
			{
				New-Item -Path $registryPath -Force | Out-Null

				New-ItemProperty -Path $registryPath -Name $name -Value $value `
				-PropertyType DWORD -Force | Out-Null
				New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 `
				-PropertyType String -Force | Out-Null
			}
			else {
				New-ItemProperty -Path $registryPath -Name $name -Value $value `
				-PropertyType DWORD -Force | Out-Null

				New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 `
				-PropertyType String -Force | Out-Null
			}
		}
    }
    End
    {
        $return
    }

}
 

 function Get-FinalReport{

	 Get-DMGTitleScreen("FINAL REPORT")

	 if (Get-DMGErrorsLeft){
		 Write-Host "Error: $(Get-Date) - There were $global:errorsleft errors that could not be resolved!" -ForegroundColor Red
	 }else{
		 Write-Host "Success: $(Get-Date) - All Errors were resolved!" -ForegroundColor Green
	 }
     if ($global:RestartPending -gt 0){
        Write-Host "Warning: $(Get-Date) - A reboot is required!" -ForegroundColor Yellow
		#[System.Environment]::Exit(3010)
     }else{
        Write-Host "Success: $(Get-Date) - No reboot is required. The user may safely use the computer." -ForegroundColor Green
        #[System.Environment]::Exit(0)
     }
 }
 
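 <#
 .Synopsis
    Removes stale Windows Installer product registrations for a program.
 .DESCRIPTION
    Deletes every key under HKCR:\Installer\Products whose ProductName contains
    the given program name. Install-DMGProgram calls this after a failed install
    attempt, before it retries.
 .EXAMPLE
    Remove-DMGHKCRRegKey -Program "Cisco AnyConnect Network Access Manager"
 #>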
 function Remove-DMGHKCRRegKey
 {
     [CmdletBinding()]
     
     Param
     (
         # Param1 help description
         [Parameter(Mandatory=$true,
                    ValueFromPipeline=$true,
                    Position=0)]
         $Program
     )
 
     Begin
     {

     }
     Process
     {

        New-PSDrive -PSProvider registry -Name HKCR -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
        $PRODUCTS = Get-ChildItem "HKCR:Installer\Products"

        foreach ($PRODUCT in $PRODUCTS)
        {
            $PRODUCT_NAME = (Get-ItemProperty -Path ("HKCR:Installer\Products\" + $PRODUCT.PSChildName))."ProductName"

            if ($PRODUCT_NAME -like "*$Program*")
            {
                # $() is needed so the PSChildName property, not the whole object, is expanded inside the string
                Write-Host "Removing Key: $($PRODUCT.PSChildName) - $PRODUCT_NAME ..." -ForegroundColor Yellow
                Remove-Item ("HKCR:Installer\Products\" + $PRODUCT.PSChildName) -Recurse
                Write-Host "Success: $(Get-Date) - $($PRODUCT.PSChildName) - $PRODUCT_NAME Removed" -foregroundcolor green
            }
        }

     }
     End
     {

     }
 }

function Stop-DMGServices
 {
     Begin
    {
        Get-DMGTitleScreen ("STOPPING SERVICES")
        $csv = import-csv $toolslocation\tools\anyconnect_services.csv
    }
    Process
    {
        $csv | foreach-object {
          $Service = $_.Service
          $Description =$_.Description
          Write-Host "Checking Service: $Description ($Service)..."
          try{
            (get-service -Name $Service).Stop()
            Write-Host "Success: $(Get-Date) - $Description ($Service) Stopped" -foregroundcolor green
            $result = $TRUE
            }
          catch{
            Write-Host "Error: $(Get-Date) - $Description ($Service) could not be Stopped" -foregroundcolor red
            $result = $FALSE
            }
        }
    }
    End
    {
        
    }
 }

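function Invoke-DMGRemediateAnyConnect{
 Get-DMGWelcomeScreen("Cisco AnyConnect Fix Utility")
 Stop-DMGServices
 Is-DMGAllProgramInstalled
 Set-ConfigurationFile
 Get-FinalReport
}

# Entry point: run the remediation, then close the transcript opened at the top of the script
Invoke-DMGRemediateAnyConnect
Stop-Transcript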
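Get-ConfigurationFileStatus in the script above treats configuration.xml as good when its last-modified date matches a fixed day, which says nothing about the file's content. The following added example (not part of the original tool) returns the same 1/2/3 status codes by comparing the deployed file's SHA-256 with the packaged copy; the function name and the optional -ExpectedSha256 parameter are hypothetical.

```powershell
# Added example, not part of the original tool. Status codes match
# Get-ConfigurationFileStatus: 1 = good, 2 = present but different, 3 = missing.
function Get-ConfigurationFileIntegrity {
    [CmdletBinding()]
    [OutputType([int])]
    param(
        [string]$ConfigurationFilePath = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml',

        # Packaged known-good copy, e.g. "$toolslocation\tools\configuration.xml"
        [Parameter(Mandatory = $true)]
        [string]$ReferenceFilePath,

        # Optional pinned SHA-256 of the approved file (hypothetical parameter)
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $ReferenceFilePath -PathType Leaf)) {
        throw "Reference configuration not found: $ReferenceFilePath"
    }
    $referenceHash = (Get-FileHash -LiteralPath $ReferenceFilePath -Algorithm SHA256).Hash

    # When a pinned hash is supplied, the packaged copy must match it before it is trusted.
    if ($ExpectedSha256 -and ($referenceHash -ne $ExpectedSha256.Trim())) {
        throw 'Packaged configuration does not match the pinned SHA-256'
    }

    if (-not (Test-Path -LiteralPath $ConfigurationFilePath -PathType Leaf)) {
        Write-Verbose "No configuration file at $ConfigurationFilePath"
        return 3
    }

    $deployedHash = (Get-FileHash -LiteralPath $ConfigurationFilePath -Algorithm SHA256).Hash
    if ($deployedHash -eq $referenceHash) {
        return 1
    }
    Write-Verbose "Hash mismatch: deployed $deployedHash, expected $referenceHash"
    return 2
}

# Constructed demonstration with temporary files (no AnyConnect install needed).
$demoDir = Join-Path ([IO.Path]::GetTempPath()) ('nam-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$reference = Join-Path $demoDir 'reference.xml'
$deployed  = Join-Path $demoDir 'configuration.xml'
Set-Content -LiteralPath $reference -Value '<constructed-sample profile="approved"/>'

# Missing file, then a file with different content, then the restored copy.
$missing = Get-ConfigurationFileIntegrity -ConfigurationFilePath $deployed -ReferenceFilePath $reference
Set-Content -LiteralPath $deployed -Value '<constructed-sample profile="edited"/>'
$changed = Get-ConfigurationFileIntegrity -ConfigurationFilePath $deployed -ReferenceFilePath $reference
Copy-Item -LiteralPath $reference -Destination $deployed -Force
$restored = Get-ConfigurationFileIntegrity -ConfigurationFilePath $deployed -ReferenceFilePath $reference

Write-Host "missing=$missing changed=$changed restored=$restored"
Remove-Item -LiteralPath $demoDir -Recurse -Force
```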
 
 
