April 27, 2012
Newsletter April 2012


TrueSec

News and Geek Stuff

April 2012

At MMS we saw some major product releases as well as new naming. Windows Server 8 became Windows Server 2012, so we immediately made sure that our new lab "Mastering Windows Server 12" reflected this. Mikael Nystrom has developed and is also delivering this 3-day class, taking you through how to build a Windows environment based on the new server and client. Mikael shares his experience from participating in the Microsoft TAP program for Windows 8 for the last 12 months.

In parallel we have also developed a client lab "Mastering the Windows 8 client in the enterprise", run by our Michael Anderberg, who is also a monthly contributor to our newsletter. Read more below about the new features that secure and redefine the remote workplace.

In time for the new release of the System Center suite, we have in-depth trainings in ConfigMgr 2012, Operations Manager 2012 (SCOM) and Orchestrator 2012 based on the final code, not offered elsewhere, run by specialists who have been involved with the products since their infancy. We can easily say that Kent Agerlund's class "Mastering System Center Configuration Manager 2012" is the most popular in the market, and our other System Center classes follow the same pattern, developed with an understanding of what the real world looks like and that there is 3rd-party software available to supplement.

We also broaden the offering for ConfigMgr 2012 trainings by releasing yet another video training by and with Johan Arwidmark: "The ConfigMgr 2012 essentials video training".

If you want a full week of System Center 2012 and deployment, don't miss out on our Geek Week in Redmond in July. As usual, Johan and Mikael will take you on a 5-day journey into the heart of Windows land. If any training in the market is to be called unique, this is the one.

Finally, the next major event is TechEd in Orlando, where TrueSec as usual will have a handful of sessions run by our MVPs. Keep your eyes open for Hasain Alshakarti and Marcus Murray's session on security in current and future Windows versions (Marcus has been rated top speaker at TechEd twice, so expectations are high). Hasain contributes to this month's newsletter, writing about Microsoft Security Compliance Manager.


Johan Arwidmark:
MMS 2012 - Using MDT 2012 Remote Monitoring with SCCM 2007 and SCCM 2012

Mikael Nystrom:
Back to Basic - CustomSettings.ini Explained

Hasain "The Wolf" Alshakarti:
SCM 2.5, what's in it for me?

Michael Anderberg:
Redefining working remotely

MMS 2012 - Using MDT 2012 Remote Monitoring with SCCM 2007 and SCCM 2012

As you probably know there are new remote monitoring capabilities in MDT 2012. Here is a guide on how to use the same feature with ConfigMgr 2007/2012. This solution was presented at MMS 2012 in Las Vegas.

Download sample files

Background
The monitoring in MDT 2012 is based on a web service and a SQL Server Compact database that stores information about the running deployments. The monitoring also has a connection to DaRT from MDOP, which allows you to connect to the machine remotely, even while it is still running in WinPE. By "borrowing" some of the MDT 2012 code, you can use the same feature with SCCM 2007/2012.

System Requirements
ConfigMgr 2007 or ConfigMgr 2012 integrated with MDT 2012.



The MDT 2012 Deployment Workbench showing a SCCM client being deployed.





The entry after opening it, note the DaRT Remote Control button





Remoting into the SCCM client from the server, while the client is still in WinPE.


Overview
Adding MDT 2012 Remote Monitoring to your SCCM deployments is done in three high-level steps.

  • Enable Monitoring on your SCCM server
  • Extract the DaRT files needed for monitoring
  • Configure the boot image for SCCM 2007/2012

Note: Since you only need an x86 boot image in SCCM 2007/2012 for both x86 and x64 deployments, I only provide steps for that platform.


Step-by-Step guide

Step 1 - Enable Monitoring on the SCCM server

  1. On the SCCM server, integrated with MDT 2012, create a Deployment Share.
     
  2. Right-click the Deployment Share, and select Properties
     
  3. In the Monitoring tab, select the Enable monitoring for this deployment share check box, and click OK

Step 2 - Extract the DaRT files needed for monitoring

  1. Download the sample files (link) and extract them to C:\ (or whatever drive letter you prefer). You will now have the following folder structure on C:\
     
    C:\Monitoring
    C:\Monitoring\Deploy
    C:\Monitoring\Deploy\Scripts
    C:\Monitoring\Deploy\Scripts\X86
     
  2. Download MDOP 2011 R2 from Microsoft.
     
  3. Perform an administrative install of the x86 version of DaRT 7 by running msiexec /a MSDaRT70.msi (this allows you to install x86 DaRT even when running on an x64 machine).
     
  4. Using Explorer (or WinRAR or any other extractor or mount utility), extract C:\Program Files (x86)\Microsoft DaRT 7\v7\tools.cab to C:\Tmp.
     
  5. Copy the following folders from the C:\tmp\mount folder to C:\Monitoring.
     
    sources
    Windows
     
  6. You will now have a folder structure that looks like this
     
    C:\Monitoring
    C:\Monitoring\Deploy
    C:\Monitoring\Deploy\Scripts
    C:\Monitoring\Deploy\Scripts\X86
    C:\Monitoring\sources
    C:\Monitoring\sources\recovery
    C:\Monitoring\sources\recovery\tools
    C:\Monitoring\sources\recovery\tools\en-US
    C:\Monitoring\Windows
    C:\Monitoring\Windows\System32
    C:\Monitoring\Windows\System32\en-us

Step 3 - Configure the MDT integrated boot image for SCCM 2007/2012

  1. Edit the C:\Monitoring\Deploy\Scripts\CustomSettings.ini file, and change the server name to match the name of your SCCM server.
     
  2. From the MDT 2012 Files Packages in SCCM 2007/2012, copy the following files to C:\Monitoring\x86\Deploy\Scripts
     
    ZTIUtility.vbs
    ZTIDiskUtility.vbs
    ZTIDataAccess.vbs
    ZTIGather.wsf
    ZTIGather.xml

     
  3. From the MDT 2012 Files Packages in SCCM 2007/2012, copy the Microsoft.BDD.Utility.dll file to C:\Monitoring\x86\Deploy\Scripts\X86
  4. From the MDT 2012 installation folder, copy the DartConfig.dat file to C:\Monitoring\Windows\System32.
     
  5. Use ImageX or DISM to mount your MDT 2012 integrated boot image for SCCM 2007/2012. In this example I mounted the boot image to C:\Mount.
     
    ImageX /mountrw \WinPE.wim 1 C:\mount
     
  6. Copy the content of C:\Monitoring to C:\Mount, select to merge content.
     
  7. Close all Explorer windows, and commit the changes to your mounted boot image.
     
    ImageX /unmount /commit C:\Mount
     
  8. Update the distribution point(s) on your SCCM 2007/2012 Server.

/ Johan

Back to Basic - CustomSettings.ini Explained

One of the most important files in MDT (and in SCCM with MDT) is customsettings.ini; it is the rule file that rules your deployment. Yesterday Johan and I did a session at MMS and got great scores, which is always fun. During that session I did a couple of demos around customsettings.ini, and I would like to explain this a bit more, because if you understand the rules you can become much more dynamic, and that will hopefully lead to less hassle and more work done in less time.

So, let’s start from the beginning:

When you use the MDT Toolkit (standalone, with WDS, with SCCM, it does not matter), the toolkit will as part of the process run a script called ZTIGather.wsf. This script does an asset inventory and also reads the customsettings.ini file. The result is a massive amount of information stored in memory (and in a file) during deployment, which we can then use to dynamically update the unattend.xml file on the fly and also to control conditions, and thereby settings and steps, in the Task Sequence.

The best thing is that you can run this script without deploying any OS, so you can test the rules before you even begin deploying, and you can also test thousands of deployments in a couple of hours. (Here is a blog post on that: http://deploymentbunny.com/2011/04/27/quick-and-dirty-testing-customsettings-ini-variables-in-mdt)

CustomSettings.ini – Act I

The basic Customsettings.ini looks like this

 

In the first row we see the section called [Settings]; this is what the script is looking for, and on the next row you can see Priority=Default. That means that it will now consume everything in the [Default] section and convert all those lines into variables in MDT. All the properties you see under the [Default] section are built into MDT; there are more than 100 properties that can be used and most of them are documented in the help file, just search for Properties and you will find a huge list. If we run ZTIGather.wsf against this file we will get the following output:

 

And as you can see, it is using my customsettings.ini file, which I pointed out by running cscript.exe ZTIGather.wsf /Inifile:"..\Control\customsettings.ini". We can also see that the script is reading [Settings], finding the priority and then processing the [Default] section.

CustomSettings.ini – Act II

Now let us assume that you would like to automatically set some settings based on location, things like computer name, language, time zone, something like that. In that case, we would use the default gateway as an identifier for the location and use part of the serial number to calculate a unique name for the computer that is based on the location and the serial number. But hey, let us do something crazy here: let us also add laptop or desktop into the name, so if the laptop is located in Stockholm the name should be STH-LT-0123456 and if a desktop is located in Redmond it would be called RDM-DT-0123456. So, that would look like this:

 

Now, this is slightly "bigger", but let me guide you through it; it is not that hard.

The Settings Section

In the [Settings] section we added Init, ByLaptop, ByDesktop and DefaultGateway to the priority. The [Init] section holds things that I would like to be set in any situation, like Default, but BEFORE Default is processed. ByLaptop and ByDesktop contain something called SubSection, and we will get back to that. DefaultGateway is a property in MDT, so the script will take my current default gateway and match that to what I really have; more on that later.

The next line is Properties=, and here we added a couple of custom properties that we will fill with data so that we can later combine many variables into one. That is how we "build" the computer name, since it will be a combination of computer location + computer type + the first 7 characters of the serial number. So the complete Settings section looks like this:

[Settings]
Priority=Init, ByLaptop, ByDesktop, DefaultGateway, Default
Properties=ComputerLocationName, ComputerTypeName, ComputerSerialNumber

The Init Section

The Init section will use the serial number (which has already been inventoried by the script), pick the 7 leftmost characters and put them into my custom property ComputerSerialNumber, so that section would look like this (you can do basically any kind of calculation like this, just go ahead and play with it):

[Init]
ComputerSerialNumber=#Left("%SerialNumber%",7)#

The ByLaptop Section and the ByDesktop Section

These two sections are a bit fun. What we do here is tell the script to jump to a subsection called Laptop-%IsLaptop%, where %IsLaptop% will be either True or False, and we tell it to do the same for Desktop, which will also return True or False. Since a machine cannot be a laptop and a desktop at the same time, either Laptop-True or Desktop-True will be hit, so it picks up the case type and sets the name to match, like this:

[ByLaptop]
SubSection=Laptop-%IsLapTop%
ComputerTypeName=LT

[ByDesktop]
SubSection=Desktop-%IsDesktop%
ComputerTypeName=DT

In my case I have a laptop, so %IsLaptop% will be True and %IsDesktop% will be False, resulting in ComputerTypeName being set to LT.

The Default Gateway Section

This section will use the value from the gather script for the default gateway and, based on that, jump to the section I have named for that gateway. So in this case it will go to the [Stockholm] section if my default gateway happens to be 10.2.0.4, and there it will set the Swedish keyboard and ComputerLocationName to STH. That part looks like this:

[Stockholm]
ComputerLocationName=STH
UserLocale=sv-SE
UILanguage=sv-SE
KeyboardLocale=041d:0000041d

The Default Section

This section will run last, not because it is physically last in the file, but because it is last on the Priority line. That also means that if a property here has already been set, the rule of thumb is "First Writer Wins", so it will not be overwritten (there are exceptions). Here you can see that I have values for ComputerLocationName and ComputerTypeName, so why do I have that? Well, I set the type to UNK (short for Unknown) if the computer is neither a laptop nor a desktop (could it be a server? Yes, and we could create rules for that too), and if the default gateway is something I did not add in the customsettings.ini file, the location name will also be set to UNK. So here is how it looks:

[Default]
OSInstall=Y
ComputerLocationName=UNK
ComputerTypeName=UNK
OSDComputername=%ComputerLocationName%-%ComputerTypeName%-%ComputerSerialNumber%
SkipCapture=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=NO
SkipBitLocker=NO

The fun part is that OSDcomputername is built by parts of location, type and serial number.
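As an added illustration (not part of Mikael's post), here is a small Python simulation of how ZTIGather walks these rules: Priority order, %Variable% and #Left()# expansion, SubSection jumps, the DefaultGateway lookup and the "First Writer Wins" rule. The [DefaultGateway] lookup section and the Laptop-True/Desktop-True subsections that carry the ComputerTypeName values are my assumptions about the parts of the file the post does not show; the real ZTIGather evaluates any VBScript inside #...#, this only handles Left().

```python
import configparser
import re
# Constructed CustomSettings.ini assembled from the sections in the article.
# Assumed (not shown in the article): the [DefaultGateway] lookup section and
# the Laptop-True/Desktop-True subsections that carry the ComputerTypeName values.
CS_INI = """
[Settings]
Priority=Init, ByLaptop, ByDesktop, DefaultGateway, Default
Properties=ComputerLocationName, ComputerTypeName, ComputerSerialNumber
[Init]
ComputerSerialNumber=#Left("%SerialNumber%",7)#
[ByLaptop]
SubSection=Laptop-%IsLaptop%
[Laptop-True]
ComputerTypeName=LT
[ByDesktop]
SubSection=Desktop-%IsDesktop%
[Desktop-True]
ComputerTypeName=DT
[DefaultGateway]
10.2.0.4=Stockholm
[Stockholm]
ComputerLocationName=STH
[Default]
ComputerLocationName=UNK
ComputerTypeName=UNK
OSDComputername=%ComputerLocationName%-%ComputerTypeName%-%ComputerSerialNumber%
"""

def gather(ini_text, inventory):
    # Simulate ZTIGather: walk the Priority list; the first writer wins.
    cp = configparser.RawConfigParser(interpolation=None)
    cp.optionxform = str  # keep property names exactly as written
    cp.read_string(ini_text)
    props = dict(inventory)  # values the script inventoried before reading rules
    def expand(value):
        # %Name% -> current value of Name; #Left("text",n)# -> leftmost n chars
        value = re.sub(r"%(\w+)%", lambda m: props.get(m.group(1), ""), value)
        return re.sub(r'#Left\("([^"]*)",\s*(\d+)\)#',
                      lambda m: m.group(1)[: int(m.group(2))], value)
    def process(section):
        if not cp.has_section(section):
            return  # e.g. Laptop-False: no such section, so nothing gets set
        for key, raw in cp.items(section):
            value = expand(raw)
            if key == "SubSection":
                for sub in value.split(","):
                    process(sub.strip())
            elif key not in props:  # first writer wins: never overwrite
                props[key] = value
    for entry in (e.strip() for e in cp.get("Settings", "Priority").split(",")):
        if entry in props and cp.has_section(entry):
            # Inventoried property (DefaultGateway): its section maps value -> section(s)
            target = cp.get(entry, props[entry], fallback=None)
            for sec in (target or "").split(","):
                process(sec.strip())
        else:
            process(entry)
    return props
```

Feed it the inventory ZTIGather would have collected (SerialNumber, IsLaptop, IsDesktop, DefaultGateway as strings) and read OSDComputername from the result; a desktop behind an unlisted gateway comes out as UNK-DT-<7 chars>.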

Running the Script will result in this:

 

 

So, here is how you could create dynamic deployment rules using Notepad and a text file. I think that is really cool, but hey, I'm just a Bunny anyway :)

(if you would like more samples, let me know…)

/mike

SCM 2.5, what's in It for Me?

Microsoft Security Compliance Manager (SCM) is a free tool from the Microsoft Solution Accelerators team. Using SCM gives you the ability to quickly configure and manage your computers, traditional datacenter, and private cloud using Group Policy and Microsoft® System Center Configuration Manager.

The main feature of SCM 2.5 is to provide ready-to-deploy policies and DCM configuration packs that are tested and fully supported by Microsoft. These baselines are based on Microsoft Security Guide recommendations and industry best practices, allowing you to manage configuration drift, address compliance requirements, and reduce security threats.

SCM 2.5 comes with some new features that include:
• Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
• Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project!
• Configure stand-alone machines: Deploy your configurations to non-domain-joined computers using the new GPO Pack feature!
• Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important!
• Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems!
Read more about SCM 2.5 and download your copy today at http://technet.microsoft.com/library/cc677002.aspx

/Hasain

Blog: http://secadmins.com





Redefining working remotely

Much to the IT department's dismay, users increasingly demand to be able to work from anywhere, be that their home, a remote office location or the local Starbucks. To make things even more complicated, in many cases they want to, or have to, use their own non-managed PCs that are not under the control and protective umbrella of the IT department.

With Windows 8 there is finally light at the end of the tunnel and I have been playing around quite a bit with it.

"Windows to Go" is a full installation of Windows 8 on a removable drive, most likely a USB stick or thumb drive. At boot, one can then choose to boot either to the normal installation on the machine or to this instance sitting on the removable drive. This potentially opens up entirely new possibilities for corporate IT. Now you can create a standardized managed platform that fulfills all of the corporate regulations, put it on a stick and give it to the user who wants to work remotely, and all of a sudden it doesn't matter if the kids have filled the family PC with malware or anything like that, since we are bypassing that entirely. Instead, the user plugs in the thumb drive, boots the machine from it and finds themselves in the exact same environment that they have in the office, and IT knows that they control it through policies, firewall settings, malware protection and all!

Is it hard to do? Not really!

First you need to pull down a tool called Imagex.exe (freely available from Microsoft), which is part of the Windows Automated Installation Kit (AIK) for Windows 7; it's a rather hefty ~1.7GB download. You also need the Windows 8 ISO file and a USB stick or other removable device that is at least 32GB in size. I would recommend a USB3 device for speed, but USB2 will suffice. Install the AIK on your machine.

Insert your USB device and then, from an elevated command prompt, go ahead and create a bootable USB stick with the help of diskpart.exe. I won't outline here how to do that, but it is easy to search for. Please observe that this will wipe the stick, so don't have any files you want to keep on it! Mount the Windows 8 ISO so you can get to the install.wim file, which is located in the /sources/ folder of the ISO. For simplicity you can copy it to where you have imagex.

Once that’s done; go ahead and type

imagex.exe /apply install.wim 1 x:\

where x: is the drive letter of your USB stick. This will essentially install Windows 8 on the stick and depending on the speed of it, this may take a while.

Then the only thing left is to modify the boot record on the USB stick and you do that through:

bcdboot.exe x:\windows /s x: /f ALL

where again x: is the drive letter of your USB stick (the same drive you applied the image to). Then you can go ahead and restart your machine and choose to boot from the USB stick during BIOS startup. If you don't get that choice, you may need to enable Boot from USB in your BIOS settings first.

The first time it boots it will take some time as Windows configures itself, but subsequent boots will be much faster.

In next month's newsletter I will explain how to make this new instance of Windows look and behave exactly like your corporate desktop through something called user environment virtualization.

Until then, take care and good luck!

/Mike


Where to find us

Mastering System Center Operations Manager 2012 with Kare Rude Andersen - Minneapolis, June 19-22
Mastering System Center Orchestrator 2012 with Jakob Gottlieb Svendsen - Minneapolis, May 21-23
Mastering Windows Server 2012 with Mikael Nystrom - Minneapolis, June 4-6
Deployment Geek Week with Johan Arwidmark and Mikael Nystrom - Redmond, WA, July 16-20
Mastering System Center Config Mgr 2012 with Chris Nackers - Minneapolis, June 11-14
Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Johan Arwidmark - New York City, April 12-14

Full schedule at http://www.truesec.com


TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052
