News Contact Company



December 21, 2010
December 2010 Newsletter

Having trouble reading this email? View it in your browser.

TrueSec

News and Geek Stuff

 

December 2010

2010 is winding down I like to thank you for reading our newsletter and hope you have found it useful in your daily work with deployment, system management or security. Please help us to continue improve it by sending suggestions and comments.

During the fall we have formed a partnership with New Horizons in the North East and Great Lakes region. They being the world’s leading IT training provider, helps us continue deliver our Master level labs in a professional environment. Besides our scheduled labs we will together with them deliver a one day seminar in “Building the cloud infrastructure” in Chicago and Boston January 27 and 28 run by ours Mikael Nystrom. Look out for a separate invitation shortly.

In February and March we will run a Security Track starting with the ever so popular lab “Hacking the Windows platform” with Marcus Murray in Boston followed by “Fighting malware with Forefront” with Johan Blom and “Mastering PKI & Certificate Services 2008 R2” with Hasain Alshakarti. Three important and highly popular labs with the world’s foremost consultants in their respective area of expertise!

Don’t miss the Deployment Geek Week! This time we will run it on Microsoft Campus in Redmond, WA, March 7-11 2011. Join Mikael and Johan for 5 days taking you thru all aspects of the deployment process. This is a “full service non-stop” lab with hotel, breakfast and lunch included in the price. A unique training in a unique environment.

Lab schedules for the next three months listed at the bottom of this mail as usual.

Happy Holidays and a Happy New 2011.

  johan-arwidmark-soft-mugshot.png

Johan Arwidmark:

In the spirit of giving - Deployment Videos

  mikael-nystrom-soft-mugshot.png

Mikael Nystrom:

Making the Server Deployment a bit better

  marcus-murray-soft-mugshot.png

Marcus Murray:

Merry Christmas! Meet me in Boston.

  kent-mugshot.jpg

Kent Agerlund:
Using Software Distribution and Desired Configuration Management to fix non-compliant computers

In the spirit of giving - Deployment Videos

In this final article for 2010 I decided to share a few deployment demos/videos with you. The videos are recorded using Camtasia 7.1, resolution is 1024 x 768 and they are encoded into Flash/MP4 format. For best playback experience make sure to select “full size” in the screencast interface. The videos will be available for you over the holidays (until January 31, 2011).

Demo 1 - Following a Windows 7 Setup

In this demo I will take you behind the scenes of a Windows 7 setup, explaining how the setup process and log files work

Demo 2 - Using WSIM

A demo of using Windows System Image Manager to author unattend.xml files, and how it integrates with MDT 2010 Lite Touch.

Demo 3 - CBS Resources

Just sharing some resources on where to find good information about component based servicing.

Demo 4 - Windows 7 Device Drivers

The Windows 7 driver store explained, device driver ranking and much more...

The link to the videos: Windows 7 deployment - Christmas Videos

The password is: Panther

 Happy holidays,

/ Johan Arwidmark

Chief Technical Architect - Knowledge Factory

Using Software distribution and Desired Configuration Manager to fix non-compliant computers

Desired Configuration Management (DCM) is a feature in Configuration Manager which helps us tracing non-compliant computers. In Configuration Manager 2012 the feature also allows us to automatically remediate non-compliant computers. With Configuration Manager 2007 we can use a combination of DCM and Software Distribution to achieve the same functionality. In this example I will create a DCM CI that will report a workstation as non-compliant if Adobe Flash automatic update is enabled. To fix the problem, I have a script that will disable the check for new updates. The script will be deployed using a normal software package.

Part I – Desired Configuration Management

Create the DCM objects

A DCM rule consist of a least one Configuration Item (CI) that is added to a Baseline. The baseline is advertised to a collection and compliant data are automatically sent back to the site server.

Create the CI

1. In the Configuration Manager Console, navigate to Computer Management, Desired Configuration Management, Configuration Items.
2. Right Click and create a new General CI.

k1.jpg

3. Name the CI, Automatic Update, assign a custom category and click Next.

k2.jpg

4. Click New, File or Folder

k3.png
5. Select

Type: File
Path: %windir%\system32\Macromed\Flash\
File or folder name: mms.cfg
Name pattern search depth: Specified path

k4.jpg

6. Select the Validation tab. We want to make sure
that a single file exists and the file size is 19 kb.
Instance count operator: Equals
Value: 1

k5.jpg
7. Click New, File Size and select
Operator: Greater than or equal to
Value: 19

k6.jpg
8. Click OK twice and finish the wizard using the default values.


Create the Baseline
1. In the Configuration Manager Console, navigate to Computer Management,
Desired Configuration Management, Baselines.
2. Right Click and create a new baseline.

k7.png

3. Name the baseline Automatic Updates, assign a custom category and click Next.

k8.jpg
4. Click applications and general, select the Automatic updates CI and click finish
the wizard.

k9.jpg

5. Right click the baseline and Assign it to a collection using the default values.

Part 2 – The Software deployment

Create the Collection

The target collection for our software deployment is based on a dynamic query that looks
 for the unique baseline name.
1. Create the dynamic query rule
a. Create  a new simple value
b. In Attribute class select Configuration Item Compliance State
c.  In Attribute select Configuration State Name
k10.png

d. Click OK
e. In the Criterion Properties window click Value and select non-compliant

k11.jpg
f. Click OK to save the criteria
g. Create a new criteria:
i. Attribute class select Configuration Item Compliance State
ii.  Attribute select Localized Display Name
iii. In the Criterion Properties window click Value and select Automatic Updates
iv. Click OK to save the criteria
h. Back in the in query statement your criteria’s should look like this:

k12.png
i. Click Show Query Language:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System
inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
 where SMS_G_System_CI_ComplianceState.ComplianceStateName = "non-compliant" and
SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "Automatic Updates"
j. Click OK to save the query statements and finish the collection

The package and advertisement
The package is a VB script that will copy mms.cfg to the correct location. Create the two
files and place them in the same source location.

1. Create a text file and type AutoUpdateDisable=1 save the file as mms.cfg

12b.jpg
2. Create a new VB script called disableAUflash.vbs
Dim objFSO,ObjNet
Dim strUsername,strDestfile, strScriptLocation

strFileName = "mms.cfg"

strScriptLocation = Replace(WScript.ScriptFullName,WScript.ScriptName,"")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strAppData = objShell.ExpandEnvironmentStrings("%windir%")
strDestFolder = strAppData & "\system32\Macromed\Flash"
If Not objFSO.FolderExists(strDestFolder) Then
     objFSO.CreateFolder strDestFolder
End If
objFSO.Copyfile strScriptLocation & strFileName,strDestFolder&"\",True
3. Create the package and run the script as the program, like this “cscript.exe disableAUflash.vbs

k13.jpg
4. Make sure the program runs under the local system account without any user interaction.

k14.jpg
5. Finish the package and program using default settings. Remember to copy the package to your
distribution points.
6. Create a new advertisement with a recurrence schedule. In my example I run the package once a week.
Also make sure you configure the rerun behavior to always rerun program.

k15.jpg

Local DCM report from non-compliant computer

k16.jpg

Local DCM report after running the package

 k17.jpg

Kent Agerlund
Senior Consultant

Microsoft Configuration Manager MVP



Making Server Deployment a bit better…

This is the last newsletter before Christmas for me. This year has been fantastic, more travel, more hotels, more LAB time, more customers, more events and much more fun deployment and since holidays are coming up, this is going to be easy and relaxing stuff.

Timing Issue

I do a lot of server deployment and that is fun, the fun thing is that on the client side most people are doing pretty well, but on the server side of deployment much can be “improved so to speak. I have two small issues that I see from time to time and the first one is about time. It is pretty common that you upgrade firmware on servers before you deploy them and sometimes the time-warp just happens, the bios take a gigantic leap back in time. No worries, it will fix it self when joining into the domain, but what if you are installing a domain controller and miss the time with 30 plus years, how do you think Active Directory will “feel”, there will be all kinds of problems, AD does not work, certificates for Windows Update are busted and so on. The easiest fix I come up with so far is to sync the time with the deployment server before we deploy the OS by just adding

Net time \\MDT01 /set /yes

As a “Run Command” in the beginning of the task sequence will fix this issue

The extra partition

The next issue is somewhat more of a pain, the extra partition that is created. It is meant to be used with Bit Locker, but since bit locker does not make any sense on a virtual machine it is kind of pointless IMHO. SO the first question is: -How do I remove it if it is blocking the possibility to extend the drive and I just want to get rid of it?

This is how (Just a warning, you do this on your own risk, not my fault if you slip up, ok?)

1.      Logon to the server as a local admin

2.      Open disk manager, select the C: Drive and right click and make it “Active” (Rebooting now is a bad idea…)

3.      open an elevated command prompt and execute “BCDBoot C:\Windows”, This will make the C: able to boot the OS

4.      Reboot (cross your fingers)

5.      Delete the extra partition

Well, that is how we fix it, but it would be much easier to fix it before it actually happens, by prohibit MDT to create the 300Mb extra partition and that you can do by setting the

DoNotCreateExtraPartition=YES in the Tasksequence before the disk is partitioned (You can of course set this in cs.ini or in the database to), but if you are smart you can combine this with the IsVM variable. So, open the task sequence, browse to just before the disk partitioning will take place, insert a Task Sequence Variable where you set DoNoCreateExtraPartition=YES with a condition that say IsVM=True. Now, no VM will ever have the extra partition anymore.

And as always, you will find a blog post with pictures here http://itbloggen.se/cs/blogs/micke/default.aspx

Mike

MVP Setup/Deployment

Stay secure!
I am taking the Christmas off, but dont expect the hackers to. Linked is the session i did at TechEd earlier this fall.
Looking forward to meet you in my lab "Hacking the Windows Platform" in Boston.

Merry Christmas and  Happy New Year!
Marcus Murray
Microsoft MVP Security, TrueSec

Where to find us......

Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Johan Arwidmark

New York City

January 19-21

Unleash the Power of MDT 2010 Lite Touch with Johan Arwidmark

New York City

January 22-23

Mastering MDT 2010 and WDS with Johan Arwidmark

New York City

January 24-26

Masterign Windows Server 2008 R2 with Mikael Nystrom

Chicago

January 24-26

Hacking the Windows Platform with Marcus Murray

Boston

January 31-February 2

Mastering SCCM 2007 SP2 R3 with Kent Agerlund

Chicago

February 8-10

Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen

Boston

February 8-10

Fighting malware with Forefront, Johan Blom

Boston

February 23-25

Mastering PKI & Certificate Services 2008 with Hasain Alshakarti

Waltham

March 7-9

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom

Redmond, WA

March 7-11

Mastering SCCM 2007 SP2 R3 with Kent Agerlund

New York City

March 16-18

Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen

Chicago

March 16-18

 Full schedule at http://www.truesec.com

This message was intended for '%%emailaddress%%'
Unsubscribe | To contact us please email info@truesec.com

TrueSec
8201 164th Ave NE, Redmond, WA 98052

 

 




TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement