
April 21, 2011
April 2011 Newsletter


TrueSec

News and Geek Stuff

April 2011

We are busy planning for the new labs we will release later this summer and fall, lots of cool and exciting new releases from Microsoft coming our way and we feel the urge to spread the word and educate.

Currently we are looking at a new ConfigMgr 2012 lab (see more below in Kent’s column) as well as a new 5-day “Geek Week lookalike” class focusing on deployment with the new versions: “Mastering the deployment process with ConfigMgr 2012 (beta) and MDT 2012 (beta)”. Stay tuned for dates and location.

Before then, though, we have our deployment workshops in Europe (www.deploymentroadshow.com) as well as the popular current version of the Geek Week in London in June.

The security group at TrueSec will have more labs scheduled for the fall as well. This team has consultants and instructors that are recognized worldwide for their expertise in various IT security aspects. Find the services provided by them under the Services tab. Jump start by attending Marcus Murray’s “Hacking the Windows Platform” in Amsterdam in June.
Michael Petersen:

USMT 4.0 Hardlink and Bitlocker in SCCM OSD

Johan Arwidmark:

Hydration - Automating builds in your datacenter using MDT 2010
Kent Agerlund:
New Configuration Manager 2012 beta2 training
Hydration - Automating builds in your datacenter using MDT 2010
Time to unleash the power of MDT 2010 with a post on how to build your DataCenter.

This post, the video, and the sample files will guide you, step by step, through automating the deployment of a few different servers in a datacenter. The servers are two domain controllers, one deployment server with WDS, and one ConfigMgr 2007 SP2 R2 server, including all the requirements, SQL Server 2008 R2 etc.

Screenshot of the server roles and configuration

Video that shows the setup

Downloads

Download the Hydration solution (72 kb)

Hydration Installation instructions

Step 1 - Download the necessary software

On your Hyper-V host, create the C:\Downloads folder and download the following software:

§  ConfigMgr 2007 R2

§  ConfigMgr 2007 with SP2

§  ConfigMgr 2007 Toolkit V2

§  PowerShell Management Library for Hyper-V (http://pshyperv.codeplex.com/releases/view/38769)

§  SQL Server 2008 R2 Enterprise x64

§  SQL Server 2008 R2 Express x64 with Management Tools

§  Windows Server 2008 R2 Enterprise


Step 2 - Prepare the Hydration environment

  1. Configure Execution Policy in PowerShell, by typing the following in a PowerShell prompt:
    Set-ExecutionPolicy Unrestricted
  2. Extract the HydrationMDT2010.zip file to C:\HydrationMDT2010
  3. Edit C:\HydrationMDT2010\HydrationSource\Applications\ConfigMgr 2007 SP2\ConfigMgrUnattend.ini and add the real PID (AAAAA-BBBBB-CCCCC-DDDDD-EEEEE is the placeholder). To find out what PID you have, start the ConfigMgr 2007 Setup on a server; a few steps into the setup wizard the PID will be displayed. Please note that the setup needs to be executed on a domain member server, otherwise you will only be able to install the ConfigMgr console, and the PID will not be displayed.
  4. Create the Hydration Deployment Share by running the 1_CreateHydrationDeployment.ps1 script
  5. Copy the following folders from C:\HydrationMDT2010\HydrationSource to C:\Hydration, replacing any existing files:

    Applications
    Control
    Operating Systems
    Scripts
  6. Copy the ConfigMgr 2007 Toolkit V2 installation files (ConfigMgrTools.msi) to the C:\Hydration\Applications\ConfigMgr 2007 Toolkit V2\Source folder.
  7. Copy the ConfigMgr 2007 SP2 installation files to the C:\Hydration\Applications\ConfigMgr 2007 SP2\Source folder.
  8. Create the C:\Tmp\PreReqs folder, and run the C:\Hydration\Applications\ConfigMgr 2007 SP2\Source\SMSSETUP\BIN\I386\Setup.exe file with the /Download C:\Tmp\PreReqs command line option.
  9. Move the content of the C:\Tmp folder to the C:\Hydration\Applications\ConfigMgr 2007 SP2\Source\PreReqs folder
  10. Copy the ConfigMgr 2007 R2 installation files to the C:\Hydration\Applications\ConfigMgr 2007 R2\Source folder
  11. Copy the C:\Hydration\Applications\ConfigMgr 2007 SP2\Source\SMSSETUP\BIN\I386\EXTADSCH.exe to C:\Hydration\Applications\Extend ConfigMgr 2007 Schema\Source
  12. Copy the SQL Server 2008 R2 installation files to the C:\Hydration\Applications\SQL Server 2008 R2\Source folder
  13. Copy the SQL Server 2008 R2 Express installation (en_sql_server_2008_r2_express_with_management_tools_x64.exe) files to the C:\Hydration\Applications\SQL Server 2008 R2 Express\Source folder.
  14. Copy the Windows Server 2008 R2 Enterprise files to C:\Hydration\Operating Systems\Windows Server 2008 R2 x64
  15. Create the HydrationServers media item by running the 2_CreateHydrationMediaItem.ps1 script
  16. Copy the C:\HydrationMDT2010\Media001\Control folder to C:\HydrationServers\Content\Deploy, replace existing files
  17. Update the HydrationServers media item by running the 3_UpdateHydrationServersMedia.ps1 script


Step 3 – Create and deploy the virtual machines

  1. Install the PowerShell Management Library for Hyper-V by running the install.cmd script, ignore any errors about .NET Framework
  2. Verify that the files do not have any alternate data streams; if they do, remove them (using Explorer or streams from Sysinternals).
  3. Create the virtual machines by running the 4_CreateVirtualMachines.ps1 script.
  4. Using Hyper-V Manager:
     a. Start the DC01 virtual machine, and wait until the setup is complete
     b. Start the DC02 virtual machine, and wait until the setup is complete
     c. On DC01, verify that AD replication works with DC02.
     d. Start the MDT01 virtual machine, and wait until the setup is complete
     e. Start the CM01 virtual machine, and wait until the setup is complete
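Step 3, item 2 asks you to check the copied files for alternate data streams. The following PowerShell script is an added example (not part of the Hydration kit) that lists every non-default stream under the Hydration folders and, with -Remove, strips the Zone.Identifier stream that browsers attach to downloaded files. It assumes PowerShell 3.0 or later (Get-ChildItem -File, Get-Item -Stream and Unblock-File); on PowerShell 2.0 use Sysinternals streams.exe as the instructions say.

```powershell
# Added example, not part of the Hydration kit: find (and optionally remove)
# alternate data streams on the copied Hydration files.
# Assumes PowerShell 3.0+ for Get-ChildItem -File, Get-Item -Stream and Unblock-File.
param(
    [string[]]$Roots = @("C:\HydrationMDT2010", "C:\Hydration"),  # folders from Step 2
    [switch]$Remove
)

# Browsers tag downloaded files with a Zone.Identifier stream (the "mark of the web").
# PowerShell treats such scripts as Internet content, which is why the instructions
# ask you to check for streams before building the media.
$flagged = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { Write-Warning "Skipping missing folder $root"; continue }
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $file = $_
        # Every file has the default ':$DATA' stream; anything else is an alternate stream.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    File = $file.FullName; Stream = $_.Stream; Length = $_.Length
                }
            }
    }
}

if (-not $flagged) { Write-Host "No alternate data streams found."; return }
$flagged | Format-Table File, Stream, Length -AutoSize

if ($Remove) {
    # Unblock-File removes only Zone.Identifier. Other streams are reported, not deleted,
    # so you can inspect them first (streams.exe -d from Sysinternals removes them all).
    $flagged | Where-Object { $_.Stream -eq 'Zone.Identifier' } | ForEach-Object {
        Unblock-File -Path $_.File
        Write-Host "Removed Zone.Identifier from $($_.File)"
    }
    $other = $flagged | Where-Object { $_.Stream -ne 'Zone.Identifier' }
    if ($other) {
        Write-Warning "Other alternate streams remain; inspect before removing:"
        $other | Format-Table File, Stream, Length -AutoSize
    }
}
```

Run it once without -Remove to review what is flagged, then with -Remove before running the 2_CreateHydrationMediaItem.ps1 and 3_UpdateHydrationServersMedia.ps1 scripts.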

Done... Good luck with your hydrations...

Johan Arwidmark – Microsoft MVP Setup / Deployment
@jarwidmark
www.facebook.com/deploymentresearch www.deploymentresearch.com

 

New Configuration Manager 2012 beta 2 training

A new version of Configuration Manager 2012 is about to be released later this year. The version is much more than “just a facelift”: new features are being introduced, and the infrastructure has undergone major changes.

This class will take you through the installation and configuration of the main features in Configuration Manager 2012 beta 2 based on Windows 2008 R2 and Windows 7. After the training you will have a solid understanding of the product and be able to use and design these features:

· Installing different site servers
· Working with multiple sites
· Configuring site settings
· Role based security
· Configuring, maintaining and installing clients
· Migrate from Configuration Manager 2007
· Inventory Management
· Reporting
· Application deployment
· Software updates
· Settings management
· Image deployment
· Forefront Endpoint Protection 2012 beta (when released in public beta)

Sign up for the training and review a detailed agenda

See you in class! Best regards 
Kent Agerlund
Microsoft Configuration Manager MVP
http://blog.coretech.dk/author/kea/

USMT 4.0 Hardlink and Bitlocker in SCCM OSD

I'm often asked whether it’s possible to use USMT 4.0 hardlinking (keeping the backup files on the OS disk) in combination with BitLocker.

I guess the reason for the question is that one might wonder:

· How can I do a backup of a machine, keep the files on the encrypted drive, and then reinstall that same drive with a new OS while still gaining access to the backup that was on the encrypted drive?

· How do I stage WinPE on the BitLocker-protected disk, and then gain access to that same disk for the OS installation part from inside WinPE?

Not only is it possible, it will also save you the time it takes to encrypt the drive again. Even though a new OS is applied to the disk, the encryption is still in effect.

Let’s look at the scenarios.

If we have a machine where BitLocker is enabled and we choose to do a bare metal installation, where the disk is formatted, we have to make sure to create the 300+ BitLocker partition again and then start encrypting the entire drive once more.

We could also do a refresh scenario, where the TS is advertised to the running XP/Vista/Win7 client and executed from there. In that case, running a standard wizard-built TS (unless it’s an MDT task sequence, which I'll get back to), the TS is either going to back up to the SMP (state migration point) or boot directly to WinPE, depending on whether or not the USMT part is enabled. Either way, the TS is going to fail, because we cannot stage WinPE on a locked drive and therefore cannot boot into WinPE!

This small bump in the road is easily fixed, though, by adding an extra step to the TS that temporarily disables BitLocker.


By adding this step, BitLocker is temporarily disabled and the locked drive becomes accessible, enabling the TS to put WinPE onto the disk.

Be aware, though, that by default SCCM cannot stage WinPE on a BitLocker-protected hard disk if it is in the process of being either encrypted or decrypted. There is no problem if the disk is fully decrypted or fully encrypted. For testing scenarios where you might be in the process of doing exactly that, WinPE can be staged on the BitLocker boot partition if it has a drive letter assigned and at least 500 MB of free space.

Once WinPE is on the disk, the computer will reboot, pick up the TS, and format the drive. You then have to create the BitLocker boot partition again, enable BitLocker on the OS drive, and do the encryption all over again!

With Hardlink!

Now, let’s say that we choose to use hardlinking. In that case all the backup data is stored locally on the disk, which means we cannot format it, or the data will be lost. The standard wizard-built TS has already taken this into account, as you can see in the picture beneath.



As you can see, the partition step will only run if _SMSTSClientCache does not exist. When doing hardlink USMT, this variable will exist, and the TS will skip the partitioning step. The “Apply Operating System Image” step will by default clean the disk but not format it (basically leaving the USMT data intact). The clean/wipe of the disk also keeps the disk BitLocker-encrypted, so all you have to do is enable BitLocker again at the end of the task sequence, and the disk will be locked and fully encrypted straight away.


Note: If you, like me, have a step that creates the BitLocker boot partition, just set “continue on error” on it, as it will fail if the boot partition is already there!
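As an added example (not part of Michael's column), here is a PowerShell pre-flight check for the two conditions described above: it reads the BitLocker conversion and protection state of the OS volume through the Win32_EncryptableVolume WMI class, so you can see before a refresh whether WinPE staging will fail, and when run inside a task sequence it reports whether _SMSTSClientCache is set, i.e. whether the partition step's condition will skip it. It assumes Windows 7 with PowerShell 2.0 or later and that the script runs in the full OS, not in WinPE.

```powershell
# Added example, not part of the original column: pre-flight check for a refresh
# task sequence on a BitLocker-protected client, run in the full OS before WinPE
# is staged. Assumes Windows 7 / PowerShell 2.0 or later.
$osDrive = $env:SystemDrive   # e.g. "C:"
$ns = "root\CIMV2\Security\MicrosoftVolumeEncryption"

# Codes returned by Win32_EncryptableVolume.GetConversionStatus()
$conversionText = @{ 0 = "Fully decrypted"; 1 = "Fully encrypted"; 2 = "Encryption in progress";
                     3 = "Decryption in progress"; 4 = "Encryption paused"; 5 = "Decryption paused" }
# Win32_EncryptableVolume.ProtectionStatus: 0 = off/suspended, 1 = on, 2 = unknown
$protectionText = @{ 0 = "Protection off (suspended or not enabled)"; 1 = "Protection on"; 2 = "Unknown" }

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $osDrive }
if (-not $vol) { Write-Warning "No Win32_EncryptableVolume instance for $osDrive (BitLocker not available?)"; exit 1 }

$conv = $vol.GetConversionStatus()
Write-Host ("{0}: {1}, {2}% encrypted, {3}" -f $osDrive,
    $conversionText[[int]$conv.ConversionStatus], $conv.EncryptionPercentage,
    $protectionText[[int]$vol.ProtectionStatus])

# Rule from the column: WinPE can be staged on a fully encrypted or fully decrypted
# disk, but not on one that is mid-conversion.
if ($conv.ConversionStatus -ge 2) {
    Write-Warning "Encryption/decryption in progress: staging WinPE on $osDrive will fail."
    Write-Warning "Let it finish, or stage WinPE on the BitLocker boot partition (drive letter + 500 MB free)."
    exit 2
}
# The "Disable BitLocker" step suspends the protectors; until then the drive is locked to WinPE staging.
if ($vol.ProtectionStatus -eq 1) {
    Write-Warning "Protectors still enabled: make sure the 'Disable BitLocker' step runs before WinPE is staged."
}

# Inside a running task sequence, show whether the partition step's condition will skip it.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $cache = $tsenv.Value("_SMSTSClientCache")
    if ($cache) { Write-Host "_SMSTSClientCache = $cache : hardlink store present, partition step will be skipped." }
    else        { Write-Host "_SMSTSClientCache not set: partition step will run and the disk will be repartitioned." }
} catch {
    Write-Host "Not running inside a task sequence (Microsoft.SMS.TSEnvironment not available)."
}
```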

So, what can be concluded from this? The most important thing is that hardlink and BitLocker work perfectly together, but also that it actually gives you the benefit of not having to run the entire process of locking down the disk again, as it is already locked. So if you are reinstalling machines with BitLocker enabled, and you either do not do any USMT or use the SMP to store the data, make sure to do a refresh, and set the options on your partition step so that the disk is not formatted. If you use an MDT-built TS, this is the default, and so is hardlinking if you have the step “Determine Local or Remote UserState”.

 

Best Regards
Michael

 

Where to find us......

Mastering ConfigMgr 2012 Beta 2: Long Beach, CA, June 6-8

Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen: Chicago, May 16-18

Deployment Workshop with Johan Arwidmark and Mikael Nystrom: Amsterdam, May 10

Deployment Workshop with Johan Arwidmark and Mikael Nystrom: Munich, May 11

Deployment Workshop with Johan Arwidmark and Mikael Nystrom: London, May 12

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom: London, UK, June 6-10

Hacking the Windows Platform with Marcus Murray: Amsterdam, June 14-16

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom: Redmond, WA, July 18-22

Full schedule at http://www.truesec.com
To contact us, please email info@truesec.com

TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052