As we leave the holidays behind and face the usual day-to-day work with deployment, management and security issues, I hope this issue will help shed some light! This month I would like to introduce yet another of our consultants/instructors, Michael Petersen.
This is how he introduces himself:
"I've been working with OS deployment since 2001, doing client and server deployment projects for 30+ companies, ranging from a few hundred employees to several thousands. During the period i have worked intensively with RIS/WDS, BDD/MDT (since the early 2.0 days) and SMS/ConfigMgr (since SMS 2003)."
Michael will run our popular class "Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2" on several occasions in the US. The next one is already on February 8th in Boston.
I would also like to take the opportunity to promote Johan Blom's lab, Fighting Malware with Forefront, the first (and only?) class on the market to cover the inclusion of FEP in Forefront. It is coming up in Boston in late February.
Don’t miss the Deployment Geek Week! We have promoted this special 5-day lab in earlier newsletters and mails. We still have seats available, but they are filling up fast.
The lab schedule for the next three months is listed at the bottom of this mail, as usual.
Pincode "protect" MDT 2010 Lite Touch
Howdy, dear readers.
A couple of weeks ago I was at a customer who wanted to deploy Windows 7 using Lite Touch. Well, that’s not a challenge, but they also needed a “feature” that was not really built in: they wanted some task sequences to be hidden in New Computer scenarios, so that the “normal” IT pros only see the approved subset of task sequences, while the “uber IT pro” who has the correct “PIN code” sees all of them.
I actually needed a Coke and 5 minutes of thinking, and then I had the plan. I did not have time to make it work in the customer's environment, but luckily I had a 10-hour flight in front of me, and it worked when I got off the plane.
The way I fixed it was to use a script, compiled to an .EXE, that verifies the PIN. If the correct PIN is entered it runs X:\Deploy\Scripts\LiteTouch.wsf /WizardMode:ADMIN, and if not it runs X:\Deploy\Scripts\LiteTouch.wsf.
Now, the variable WizardMode does not exist in MDT, but the LiteTouch.WSF script accepts arbitrary command-line arguments and keeps them as variables, so we just need to add a few lines to the CustomSettings.INI file, like this:
It will consume this information and use it: as you can see, the switch /WizardMode:ADMIN makes the rules process the [ADMIN] section, which sets WizardSelectionProfile=AllTaskSequences. “AllTaskSequences” is a selection profile that contains all task sequences, while the other selection profile only contains some of them, the “approved” ones.
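As a constructed illustration of the rules this relies on (not the author's actual CustomSettings.ini, which is on his blog), the relevant parts could look like the following. The selection profile name ApprovedTaskSequences is a placeholder for whatever the restricted profile is called in your deployment share; AllTaskSequences is the profile named above. Note that this is a filter for the wizard, not an access control: the PIN is checked by the executable in the boot image, and the rules trust the /WizardMode:ADMIN switch itself.

```ini
[Settings]
; WizardMode is not a built-in MDT property. LiteTouch.wsf stores any
; /Name:Value argument it is started with as a variable, and declaring it
; under Properties lets ZTIGather treat it like any other custom property.
; ZTIGather replaces each property name in Priority with the property's
; current value and then processes the section of that name, so
; /WizardMode:ADMIN selects the [ADMIN] section below.
Priority=WizardMode, Default
Properties=WizardMode

[ADMIN]
; Reached only when LiteTouch.wsf was started with /WizardMode:ADMIN.
; AllTaskSequences is a selection profile containing every task sequence.
WizardSelectionProfile=AllTaskSequences

[Default]
; Everyone else gets the restricted profile. ApprovedTaskSequences is a
; placeholder name (constructed for this example): create a selection
; profile containing only the approved task sequences and use its name here.
WizardSelectionProfile=ApprovedTaskSequences
```

When LiteTouch.wsf is started without the switch, WizardMode is empty, no section matches it, and only [Default] applies; with the switch, [ADMIN] is processed first and its WizardSelectionProfile value wins because the first value assigned to a property during rule processing is kept.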
The trick is that we cannot use the wizard to set variables for the same wizard we are running, and we cannot run a wizard inside a wizard, so we need something else to make the selection for us. I used AutoIt to create a script, compiled it into an executable, and finally modified the WinPE templates so that the executable runs instead.
So, when everything is working, it looks like this:
If you want to see all the details, scripts, links, samples and so on, just go to my blog:
Have a nice deployment
MVP Setup/Deployment, TrueSec
Deploying applications in MDT 2010 (VBScripts vs. batch files)
Over the years I have answered quite a number of forum posts from people trying to run batch files in MDT. As much fun as the old batch files are, you simply get far more features by converting them into VBScripts.
Here is the deal: MDT does support batch files, but batch files have many limitations compared with VBScripts. The most common issues relate to the working directory and UNC paths (using pushd and "%~dp0" for temporary drive mappings); others relate to having to call cmd /c before the actual command, not to mention the lack of "real" objects.
By converting the batch file into a VBScript we can take advantage of all the MDT objects and properties, and we get better error handling and logging. In short, it will just work. On top of that we get a common standard for how we deploy applications.
This batch file, from one of the forum posts, was supposed to install QuickTime 7; the post was about the batch file not working correctly with MDT.
REM Install Application Support first:
AppleApplicationSupport.msi /quiet /passive /norestart
REM Install Quicktime
QuickTime.msi /quiet /passive /norestart ASUWISINSTALLED=0 APPLEAPPLICATIONSUPPORTISINSTALLED=1 DESKTOP_SHORTCUTs=NO QT_TRAY_ICON=NO SCHEDULE_ASUW=NO
REM Delete the AutoRun key
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QuickTime Task" /f
Rather than spend even a minute debugging the batch file, I converted it into a VBScript that you can download from this link: QuickTime 7 installation script for MDT 2010
- 1. Create a D:\AppSource\QT\Source folder structure
- 2. Copy the QuickTime installation files (msi) to the D:\AppSource\QT\Source folder
- 3. Copy the Install-QuickTime.wsf script to D:\AppSource\QT
- 4. Create an application in MDT, set the source path to D:\AppSource\QT when importing, and set the command-line to cscript.exe Install-QuickTime.wsf
When deploying the app you get additional logging in C:\MININT\SMSOSD\OSDLOGS, both from the script itself and from the individual MSI installs.
For testing purposes it's very useful to create a custom task sequence that only installs the QT application, and execute that sequence from the running OS (so that you don't have to do a full deployment every time you need to test an app).
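To show what such a conversion looks like in practice, here is an added example written for this newsletter; it is not the author's downloadable Install-QuickTime.wsf. It rewrites the three steps of the batch file above as an MDT 2010 script on top of ZTIUtility.vbs, using the oUtility, oLogging, oShell and oFSO objects and the LogTypeInfo/LogTypeError and Success/Failure constants that ZTIUtility.vbs provides. It assumes the two MSI files sit in a Source folder next to the script, the layout used in the steps above, and that the script is run by MDT via cscript.exe so that ZTIUtility.vbs is found in the same deployment share.

```vbscript
<job id="Install-QuickTime">
<script language="VBScript" src="ZTIUtility.vbs"/>
<script language="VBScript">

' Added example for this newsletter (not the author's downloadable script):
' the QuickTime 7 batch file rewritten as an MDT 2010 application script.
' ZTIUtility.vbs supplies oUtility, oLogging, oShell, oFSO and the LogType*
' and Success/Failure constants. The MSI files are assumed to live in a
' "Source" folder next to this script (constructed layout, as in the steps above).

Dim iRetVal
On Error Resume Next
iRetVal = ZTIProcess
ProcessResults iRetVal
On Error Goto 0

Function ZTIProcess()
    Dim sSource, aPackages, aArgs, i, sCmd

    ZTIProcess = Success

    ' No pushd / %~dp0 tricks needed: ScriptDir resolves the script's own
    ' folder correctly whether it was started from a UNC path or a local drive.
    sSource = oUtility.ScriptDir & "\Source"
    oLogging.CreateEntry oUtility.ScriptName & ": installing from " & sSource, LogTypeInfo

    ' Same two MSIs and the same MSI properties as the batch file, in install order.
    aPackages = Array("AppleApplicationSupport.msi", "QuickTime.msi")
    aArgs = Array("", _
        "ASUWISINSTALLED=0 APPLEAPPLICATIONSUPPORTISINSTALLED=1 " & _
        "DESKTOP_SHORTCUTS=NO QT_TRAY_ICON=NO SCHEDULE_ASUW=NO")

    For i = 0 To UBound(aPackages)
        ' Fail early with a readable log entry instead of a cryptic msiexec error.
        If Not oFSO.FileExists(sSource & "\" & aPackages(i)) Then
            oLogging.CreateEntry oUtility.ScriptName & ": " & aPackages(i) & " not found in " & sSource, LogTypeError
            ZTIProcess = Failure
            Exit Function
        End If

        ' Each MSI writes its own verbose log into the MDT log folder, so a
        ' failed install can be diagnosed from C:\MININT\SMSOSD\OSDLOGS.
        sCmd = "msiexec.exe /i """ & sSource & "\" & aPackages(i) & """ /qn /norestart " & _
               "/l*v """ & oLogging.LogPath & "\" & aPackages(i) & ".log"" " & aArgs(i)

        oLogging.CreateEntry oUtility.ScriptName & ": running " & sCmd, LogTypeInfo
        iRetVal = oUtility.RunWithHeartbeat(sCmd)

        ' 0 = success, 3010 = success but a reboot is pending (we passed /norestart,
        ' so MDT's own reboot handling takes care of it).
        If iRetVal <> 0 And iRetVal <> 3010 Then
            oLogging.CreateEntry oUtility.ScriptName & ": " & aPackages(i) & " failed with return code " & iRetVal, LogTypeError
            ZTIProcess = Failure
            Exit Function
        End If
        oLogging.CreateEntry oUtility.ScriptName & ": " & aPackages(i) & " returned " & iRetVal, LogTypeInfo
    Next

    ' Remove the QuickTime auto-start entry. A missing value is not a failure,
    ' unlike "reg delete ... /f", which returns an error code in that case.
    On Error Resume Next
    oShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickTime Task"
    If Err.Number <> 0 Then
        oLogging.CreateEntry oUtility.ScriptName & ": QuickTime Task run value not present, nothing to remove", LogTypeInfo
        Err.Clear
    End If
    On Error Goto 0
End Function

</script>
</job>
```

ProcessResults turns the return value of ZTIProcess into the exit code MDT expects, so a failed MSI makes the application step fail visibly in the task sequence instead of silently moving on, which is what tends to happen with a batch file.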
Chief Technical Architect - Knowledge Factory
Not long ago I was involved in an investigation regarding websites being hit by DDoS attacks.
If you are not familiar with the term, it means “Distributed Denial of Service”; the idea is to overload the target website or server with more traffic than it can handle.
DDoS attacks come in many shapes and forms, from simple TCP/IP connection attacks to more advanced attacks that focus on, for example, resource-consuming queries custom-made for a specific website.
In this particular case the attack targeted a number of sites in Sweden, and a group calling themselves Anonymous claimed to be behind it.
Normally, when someone initiates a DDoS attack they use a botnet consisting of thousands of malware-infected, remotely controlled, hacked computers. (Actually, the largest botnets today consist of more than a million hacked computers.)
During this investigation we saw something really strange: many of the computers involved in the DDoS attacks were not infected by malware or hacked in any way. We realized that they were run by activists who had voluntarily installed a DDoS tool called LOIC (Low Orbit Ion Cannon).
LOIC is a tool tailor-made to attack websites, and we found out that during this attack the activists had not only installed LOIC but also a special module called Hivemind, configured so that someone else could control it remotely over IRC (Internet Relay Chat) channels.
This way the activists built up a voluntary botnet that could be effectively controlled by an anonymous attacker to perform DDoS attacks.
These attacks were so effective that the attackers managed to bring down several different websites, and even ISPs hosting a large number of sites that were not targeted in the first place.
You may already have read about these attacks in the press, since they were related to the controversies around Wikileaks and its founder Julian Assange.
I think there are a number of things we can learn from the attack:
If you host your websites at an ISP, make sure they have the infrastructure and processes in place to mitigate a DDoS attack, and that your sites will not be affected if one of their other customers' sites is attacked.
If you think there is ever a risk that your site will be hit directly, it´s a good idea to have an emergency bandwidth-upgrade plan in place with your internet provider. If an attacker sends 200 Mbit/s of traffic your way, it´s really nice to be able to make a phone call to your provider and get a temporary 1024 Mbit/s internet connection.
If that´s not an option, consider a secondary backup site and the ability to quickly redirect traffic to it. That also involves a strategy for your DNS records and so on.
Another interesting consideration is what happens when you move your web infrastructure to the cloud.
A question you must ask yourself is whether you will be more or less vulnerable to DDoS attacks in the cloud.
Well, that differs a lot depending on your choice of cloud provider. My simple recommendation in this case: the bigger the provider and the more capacity they have, the better.
Just some food for thought!
TrueSec, Microsoft MVP, Security
Using System Center Custom Updates Publisher 4.5
In almost all my projects, discussions about handling 3rd-party updates come up. A while ago Microsoft released the latest version of Custom Updates Publisher (SCUP). The product is a free add-on to WSUS and Configuration Manager. The idea is to create your own custom updates, or to download catalogs of custom updates from 3rd-party vendors like Adobe, HP etc. This guide takes you from A to Z when it comes to installing SCUP, creating custom updates, deploying custom updates and importing vendor-specific catalogs. In my guide I refer to two files used to deploy the needed certificates. Those are:
Certutil.exe and certadm.dll; both files are part of the Windows Server 2003 Administration Tools Pack.
Download the SCUP 4.5 Installation and Configuration guide.
Microsoft Configuration Manager MVP
Getting a hard copy of the TS progress report in HTML
I guess everyone uses the report showing how far along a task sequence actually is, or whether one of the steps has failed. But sometimes this report disappears after the TS finishes, so wouldn’t it be nice to always have it available afterwards, to see if one or more steps have failed, or to evaluate whether an option behaves as expected?
Well, with a little help from one of my colleagues (Claus Codam) I created this routine to have it available in my LOGS folder, and here is how.
- 1. Create a new user to use for reporting (in this example the account will be CM-Report), or choose an existing one.
- 2. Grant that user reporting rights and modify rights to the LOG share.
Grant reporting rights
Log on to the site server holding the Reporting Point role. Go to “Local Users and Groups” – “Groups”, open “SMS Reporting Users” and add the user to the group.
Open the ConfigMgr console, navigate to “Security Rights” – “Rights” and grant the new (or existing) user Read permissions on the Report class.
Finally, create a logs folder and grant the user Modify permissions on the folder.
- 3. Add the actual script that will create the report to a package, to make it available during deployment. The script can be downloaded here: http://blog.coretech.dk/downloadTSReport.zip
- 4. Modify the script to support your own environment by changing the ReportingPoint and ReportID variables.
The ReportingPoint value can be found by opening the ConfigMgr Reporting Point role. The ReportID should be 143, as it is in the script. To find the correct ID number, open “Reporting” – “Reports” in the ConfigMgr console and look for “History - Specific task sequence advertisements run on a specific computer”.
Once the changes have been made, update your DP.
- 5. Add steps to your TS to run the script.
Basically all you need to do is add a ”Run Command Line” step as the last step in your TS, and run it as the report user created earlier. The syntax for running the script is as follows:
cscript.exe TSReport.vbs %SLShare% %_SMSTSAdvertID% %_SMSTSMachineName%
SLShare must be defined prior to running this step, or the share path can be typed in instead. AdvertID and MachineName are picked up automatically by the TS, although you might want to change _SMSTSMachineName to OSDComputerName, depending on how you do your installation. The reason the script does not read these variables itself is that they are not available when the script runs under a different account.
In the screenshot below you will notice that I put in a step that makes the TS wait for two minutes just before running the reporting step. This is because it takes a little while before the info on each step is actually reported back to the DB.
That’s it. You will now get a report like this in your LOGS folder, with the same layout as the normal report.
Where to find us...
Mastering SCCM 2007 SP2 R3 with Kent Agerlund
Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen
Fighting malware with Forefront, Johan Blom
Mastering PKI & Certificate Services 2008 with Hasain Alshakarti
Deployment Geek Week with Johan Arwidmark and Mikael Nystrom
Mastering SCCM 2007 SP2 R3 with Kent Agerlund
New York City
Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen
Full schedule at http://www.truesec.com