SCCM diet

Online notes for reference

HP Elitepad 1000 G2 , BIOS Application Error (501)

While imaging an HP Elitepad 1000 G2 I ran into a problem when trying to enter the BIOS. The Elitepad was hooked to a docking station with a keyboard connected. When I pressed F2 I got the following error:

The HP BIOS location selected is corrupt or missing.Please install the application and try again
BIOS Application error (501)

Upon research I found out that this is an expected error for a UEFI secure BIOS and that I need to create an extra thumb drive to boot this tablet into the BIOS.

Here is the download link to the HP hardware diagnostics tool. This tool lets you enter the BIOS and provides other diagnostic utilities as well.

After you download the HP hardware diagnostics utility, you can install it on a USB drive. Ensure that the USB drive has no data and is formatted. This utility will rename the USB drive to HP_TOOLS.

Click Next.

Accept the licence agreement and click Next.

The wizard will decompress it to a temp location.

Click Next.

Select the USB drive.

Files are extracted and the program is ready to install. Click Next.

Beginning install.

The installation wizard asks to create the HP_TOOLS volume label.

This completes the installation.

This is what is inside the boot media: a main folder, Hewlett-Packard, with three subfolders.

Now connect the newly created HP diagnostic media to the HP Elitepad 1000 G2 docking station.

Boot up the tablet while pressing the volume key on the tablet, then press F2.

This takes you to the BIOS menu. Now you can press F10 or navigate using the keyboard to enter the BIOS.

This concludes the post

Message ID 1610, Failed to write state message file error 112

I found this error on one of the secondary site servers.

Message ID 1601.

When I checked the statesys.log file, there was an error that the state message could not be written to the file.

It turned out that the server was out of space.

Once I cleared space on the server, the server was functional again.

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 5

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

In Part 2 I created a SQL job to run daily. This job copies the backed-up files from the SCCM database server and then attaches the copied database files.

In Part 3 I exported the certificate from the SQL server and imported it on a machine where reports will be authored.

In Part 4 I created a data source on the SQL Reporting Services server pointing to the SQL01 server and verified that the connection is working.

Part 5

In Part 5 I am going to create SCCM reports using the data source created in Part 4 and then publish the reports to the SQL Reporting website.

Open Report Builder, go to the System Center icon and click on Options.

Configure the report server as http://<sql reporting services server name>/reportserver and click OK.

Now at the bottom of the Report Builder console click on Connect.

As seen below, Report Builder is now connected to the reporting server and can use the data sources from the server.

Click on New – Data Source.

Provide the name of the data source (LocalSQL01DataSource in this case) and click on Browse.

Browse to the folder on the reporting server, SCCM Reports from SQL01, and select the SQL01 data source.

Now click on Test Connection.

Now you are able to connect to the SQL01 database from a Windows 7 client machine on the network, using a data source stored on the reporting server. Click OK.

As seen, the data source appears under Data Sources in the left-side menu of the Report Builder window.

Up until now I have been able to connect to the database server. The next step is to add some data from the database to create a report.

A subset of data from the database is called a dataset. A dataset can contain tables or views, and at times joins between two tables or between two or more SQL views.

Provide the name of the dataset, select the data source from the drop-down and click on Query Designer.

When you click on Query Designer, it takes you inside the CM_R01 database on server SQL01.

Of all the data available in this database, I am going to select a small amount to create a dataset.

Expand Views, select v_R_System and click OK.

You can review the query and the columns it lists, then click OK.

Now in the Report Builder console the dataset is displayed under Datasets. This is from the view v_R_System.

Finally... it's time to create a report 🙂

On the ribbon click on Insert and select Insert Table.

By default this adds a blank table.

Drag and drop the fields you want from the dataset to the table (I added Name0, Obsolete0 and Client0) and click on Run.

You can now view what the report looks like.

Click on Save and browse to the folder created for storing SCCM reports from SQL01. Provide the name of the report and click Save.

The report is generated from the alternate SQL01 server and published to the SQL Reporting Services server as well.

Additional notes – There are multiple ways to author SQL reports; I am using Report Builder.

You can store the data source locally too, and you can also store reports locally and publish them later.

This concludes Part 5

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 4

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

In Part 2 I created a SQL job to run daily. This job copies the backed-up files from the SCCM database server and then attaches the copied database files.

In Part 3 I exported the certificate from the SQL server and imported it on a machine where reports will be authored.

Part 4

In Part 4 I am going to install Report Builder 3.0 on the client machine WIN7 and configure a data source for creating SQL reports. SQL Reporting Services is running on the SCCM primary server; see the network diagram in Part 1.

At this point you should have Report Builder 3.0 for SQL 2012 installed on a Windows 7 machine. If you do not have it installed, download it from here and install it on the workstation.

Once Report Builder is installed, open SQL Reporting Services; in my case it is http://cm01/reports.

Click on New Folder (only for keeping the reports separate).

Provide the name of the folder and click OK.

After the new folder is created, go to the folder SCCM reports from SQL01 and click on New Data Source. A data source contains the connection information for a particular database.

Provide the name of the data source, SQL01 DataSource.

Check – Enable this data source

Data Source Type – Microsoft SQL Server

In the connection string type in the following (change Initial Catalog to your database name and Data Source to your SQL server name):

Persist Security Info=False;Initial Catalog=CM_R01;
Data Source=sql01.labserv.net;
Encrypt=True;TrustServerCertificate=True

As mentioned in Part 1, the user labserv\cmreports has read rights to the CM_R01 database. Once this database is replicated, the same rights are assigned to the replicated database.

Check the box – Use as Windows credentials when connecting to the data source.

Click on Test Connection and ensure that the data source is able to connect successfully.
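The connection string above sets TrustServerCertificate=True, which makes the client accept whatever certificate the server presents, so Encrypt=True then only defeats passive eavesdropping; with the SQL01 certificate imported into Trusted Root in Part 3, validation can be left on. Here is an added example (not part of the post) that tests both variants from the workstation with System.Data.SqlClient and reads back from the server whether the session is actually encrypted; server, database and credentials are the lab's, the query against sys.dm_exec_connections is the example's own.

```powershell
# Added example: the post's connection string beside a validating one.
# Server and database names are the ones used in the lab above.
Add-Type -AssemblyName System.Data

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']           = 'sql01.labserv.net'  # must match the name in the SQL01 certificate
$builder['Initial Catalog']       = 'CM_R01'
$builder['Integrated Security']   = $true                # Windows credentials, as in the data source
$builder['Persist Security Info'] = $false
$builder['Encrypt']               = $true

function Test-SqlTls([string]$connectionString) {
    # Opens a connection and reports whether it worked and whether the server sees it as encrypted.
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections shows the server's view of this session (TRUE = encrypted).
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $encrypted = $cmd.ExecuteScalar()
        return [pscustomobject]@{ Opened = $true; Encrypted = $encrypted; Error = $null }
    }
    catch [System.Data.SqlClient.SqlException] {
        # A chain or name failure shows up here as a SqlException that names the certificate,
        # which is how it is told apart from a plain login failure.
        return [pscustomobject]@{ Opened = $false; Encrypted = $null; Error = $_.Exception.Message }
    }
    finally { $conn.Dispose() }
}

# As written in the post: traffic is encrypted, but the client accepts ANY certificate,
# so a host answering as sql01 with its own certificate would not be detected.
$builder['TrustServerCertificate'] = $true
$permissive = Test-SqlTls $builder.ConnectionString

# Corrected: the client checks the chain against Trusted Root (where Part 3 placed the
# SQL01 certificate) and that the certificate's name matches Data Source.
$builder['TrustServerCertificate'] = $false
$validating = Test-SqlTls $builder.ConnectionString

@(
    [pscustomobject]@{ Mode = 'TrustServerCertificate=True';  Result = $permissive }
    [pscustomobject]@{ Mode = 'TrustServerCertificate=False'; Result = $validating }
) | Format-List

# If only the permissive connection opens, the Part 3 import is missing on this
# workstation or the certificate does not name sql01.labserv.net; fix that rather
# than falling back to TrustServerCertificate=True in the data source.
```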

 


This concludes Part 4

 

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 3

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

In Part 2 I created a SQL job to run daily. This job copies the backed-up files from the SCCM database server and then attaches the copied database files.

Part 3

Part 1 and Part 2 were dedicated to standing up the alternate SCCM database.

In Part 3 I am going to detail the steps necessary to prepare the machine from which reports will be authored.

In order to author SQL reports from a workstation, the SQL database server (SQL01 in this case) needs to trust the workstation.

This is done by exporting the server certificate from the SQL database server where the copied database is hosted and importing it on the workstation where reports will be authored.

Perform these steps on the SQL database server where the replicated database is hosted (SQL01 in this case).

Open mmc, click on File and then Add/Remove Snap-in.

Select Certificates and click on Add.

Select Computer account and click Next.

Select Local computer and click Finish.

Click OK.

Now go to Certificates -> Personal -> Certificates.

Select the server authentication certificate and right click -> All Tasks -> Export.

On the Certificate Export Wizard welcome page click Next.

Leave the default selected, No, do not export the private key, and click Next.

Leave the default selected, DER encoded binary X.509, and click Next.

Browse and provide the path and file name for the exported certificate and click Next.

Click Finish to complete the export.

Click OK to finish.

Copy the exported certificate to the workstation which will be used to author reports. This step needs to be performed on all the machines which will be used for creating reports.

Right click the certificate and click on Install Certificate.

This opens the Certificate Import Wizard; click Next.

Browse to the certificate store, select the Trusted Root Certification Authorities store and click Next.

Click Finish to complete the import.

Click OK.

To verify that the certificate is present in the certificate store, open mmc and add the Certificates snap-in for the local computer. Go to Trusted Root Certification Authorities; on the right side, as highlighted, the SQL01 certificate is present.
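The MMC steps above, as an added PowerShell equivalent (not the author's procedure) that uses the .NET X509 store API so it also runs on the Windows 7 workstation. It adds one check the wizard does not offer: the thumbprint recorded on SQL01 is compared with the file before anything is placed in Trusted Root, since a certificate in that store is trusted for every TLS connection on the machine. The file path C:\Temp\SQL01.cer is an assumption.

```powershell
# Added example, not part of the post: Part 3's export and import in PowerShell.

# Run on SQL01. Finds the server authentication certificate SQL Server presents and
# writes it out DER-encoded: public part only, like "No, do not export the private key".
function Export-SqlServerAuthCert {
    param([string]$FilePath)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and ($ekus | ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthOid })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No server authentication certificate with a private key in LocalMachine\My' }

    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($FilePath, $der)
    Write-Host "Exported $($cert.Subject) to $FilePath"
    return $cert.Thumbprint   # relay this to the workstation out of band (ticket, phone)
}

# Run on the report-authoring workstation after copying the .cer file over.
function Import-TrustedSqlCert {
    param([string]$FilePath, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $FilePath
    # Refuse to trust anything but the certificate that was read on SQL01.
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    # Same verification as the MMC check at the end of the post.
    $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if (-not $present) { throw 'Certificate not found in Trusted Root after import' }
    Write-Host "Trusted Root now holds $($present.Subject), expires $($present.NotAfter)"
}

# Usage (assumed path). On SQL01:
#   $tp = Export-SqlServerAuthCert -FilePath 'C:\Temp\SQL01.cer'
# On WIN7, after copying the file and receiving $tp separately:
#   Import-TrustedSqlCert -FilePath 'C:\Temp\SQL01.cer' -ExpectedThumbprint $tp
```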


This concludes Part 3

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 2

In Part 1 I backed up the SCCM database and copied the backed-up database files to a different SQL server. I also attached the database files and created the database.

Part 2

In Part 2 I am going to create a SQL job which automates this task to run daily. The job is scheduled for a time later than the SCCM backup so that the latest backup files are present when the job runs.

Open SQL Management Studio on the replicated DB server (SQL01 in this case).

Go to SQL Server Agent, right click and select New Job.

On the General page provide the name of the SQL job.

Click on Steps and then click on New.

The first step closes the connections to the SQL server. Add the following command to put the database in single-user mode and click OK:

ALTER DATABASE CM_R01 SET SINGLE_USER WITH ROLLBACK IMMEDIATE

The next step is to detach the DB. This step is needed because we need to copy the DB files from the SCCM server and overwrite them; if you do not detach the database, the files will not be overwritten.

SP_DETACH_DB 'CM_R01', 'TRUE'

(Change the name of the database in the above command.)

The next step is to copy the files from the SCCM primary server to the database server using the script described in Part 1:

"c:\dbcopy\dbcopy.ps1"

Once the database files are copied, the next step is to attach the database to the SQL server:

CREATE DATABASE CM_R01
ON (FILENAME = 'C:\DBCopy\CM_R01.mdf'),
(FILENAME = 'C:\DBCopy\CM_R01_log.ldf')
FOR ATTACH;
GO

Click OK
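As an added example (not the author's job definition), here are the four steps above as one PowerShell script for the SQL Agent job on SQL01, so the whole refresh can be run and tested from one place. It assumes the SqlServer module's Invoke-Sqlcmd is available and uses the post's paths; it also adds two things the post does not have: if the copy fails, the files already on disk are re-attached instead of leaving the database detached, and the replica is marked read-only because it only serves report authoring.

```powershell
# Added example: the Part 2 job steps as one script run on SQL01 (assumes Invoke-Sqlcmd).
Import-Module SqlServer

$instance   = 'sql01'
$database   = 'CM_R01'
$dataDir    = 'C:\DBCopy'
$mdf        = Join-Path $dataDir "$database.mdf"
$ldf        = Join-Path $dataDir "${database}_log.ldf"
$copyScript = 'C:\dbcopy\dbcopy.ps1'     # the Part 1 copy script

function Invoke-Step([string]$name, [string]$sql) {
    Write-Output "[$(Get-Date -Format s)] $name"
    # Every step connects to master, so this script itself never holds CM_R01 open.
    Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $sql -ErrorAction Stop
}

$exists = Invoke-Sqlcmd -ServerInstance $instance -Database master `
    -Query "SELECT COUNT(*) AS n FROM sys.databases WHERE name = N'$database'"

if ($exists.n -eq 1) {
    # Step 1: throw off other sessions so the detach cannot be blocked by a report author.
    Invoke-Step 'Set single user' "ALTER DATABASE [$database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;"
    # Step 2: detach so the .mdf/.ldf are unlocked and robocopy can overwrite them.
    Invoke-Step 'Detach' "EXEC sp_detach_db @dbname = N'$database', @skipchecks = N'true';"
}

try {
    # Step 3: pull the fresh backup files from CM01.
    & $copyScript
    if ($LASTEXITCODE -ne 0) { throw "dbcopy.ps1 failed with exit code $LASTEXITCODE" }
    foreach ($f in @($mdf, $ldf)) {
        if (-not (Test-Path $f)) { throw "Expected file not found after copy: $f" }
    }
}
finally {
    # Step 4: attach whatever is on disk. This also runs when the copy failed, so the
    # replica comes back with the previous files instead of staying detached.
    if ((Test-Path $mdf) -and (Test-Path $ldf)) {
        Invoke-Step 'Attach' @"
CREATE DATABASE [$database]
ON (FILENAME = N'$mdf'), (FILENAME = N'$ldf')
FOR ATTACH;
"@
        # The copy exists for authoring reports; nothing should write to it.
        Invoke-Step 'Set read only' "ALTER DATABASE [$database] SET READ_ONLY;"
    }
}
```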


Once all the steps in the job are complete, the next step is to schedule the job to run daily some time after the SCCM backups finish.

Since SCCM backups in my lab are scheduled to run at 1:00 AM every day, I have scheduled the job to run every day at 4:00 AM to give the backup enough time to finish.

Your job will appear under SQL Server Agent – Jobs.

If you want to run the job manually to test that it runs correctly, right click the job and select Start Job at Step 1.

You can always check the job history for troubleshooting purposes by right clicking the job and clicking on View History.

By expanding the entry, each step is detailed. If there are any failures, they will be recorded here.

This concludes Part 2

Replicating SCCM DB and adding replicated DB to SCCM Reporting – Part 1

The benefits of SCCM reporting are obvious, and some organisations depend on SCCM reporting more than others. The dataset used for SCCM reporting is the SCCM database itself. If multiple reports are being run, written and tested while there is a lot of client activity, database performance can degrade.

Some organisations prefer that SCCM reports be designed, coded and tested against a separate DB server and that only the final report be imported to the live SQL Reporting server that connects to the SCCM production database.

To achieve this you need a separate SQL server in the domain, preferably running the same version of SQL.

Lab Setup

CM01 – SCCM primary server, SCCM database, SQL Reporting Services, SCCM reporting services point

SQL01 – SQL database server

WIN7 – Workstation running Windows 7, Report Builder 3.0 for SQL 2012

domain\cmreports – A user account in AD with read permissions on the SCCM database on server CM01.

The diagram below describes the systems in use for this lab setup.

Enable shared folders and SCCM Backup

On the SCCM server (CM01 in this case), create a folder to store backups and share it.

Go to the SCCM 2012 console, Administration, Sites, and then Site Maintenance.

As highlighted below, backup is not enabled on the site. Enable the backups.

Then schedule the backups to occur daily or every weekday according to your organisation's standards and procedures.

Now on the other SQL server (SQL01 in this case), create a shared folder and provide permissions.

I am using a PowerShell script to copy the database files from server CM01 to server SQL01. I am also storing the files in the shared folder that I just created on server SQL01.

You can download the DBcopy script and robocopy from here.

Extract the files and copy them to the shared folder.

Open and edit the PowerShell script using either the ISE or any other PowerShell editor of your choice.

Change the path of $source to \\your sccm server\SCCMBACKUP\<sitecode>Backup\SiteDBserver

Change the path of $destination to \\your sql server\DBcopy

Change the path of $log to \\your sql server\DBCopy\DBCopy.log

Here are the switches used in the robocopy command:

/S – copy subdirectories, but not empty ones

/E – copy subdirectories, including empty ones

/COPY:DAT – copy data (D), attributes (A) and timestamps (T)

/R – number of retries after a failed copy; the default is 1 million

/LOG – name of the log file to be created

Save the script and run it.

Important – run this script only after making sure that the SCCM backup has run on the SCCM primary server (CM01) and the backup files are present in the backup folder c:\SCCMBackup on the SCCM server.
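The dbcopy.ps1 script is only described above, not shown, so here is an added example of such a copy script (not the author's download) with the check the Important note asks for built in: it refuses to run unless the CM_R01 database files in the backup share have been written since the last scheduled backup. The share paths for CM01 and SQL01 and the retry values are assumptions matching the lab setup.

```powershell
# Added example: a copy script of the kind dbcopy.ps1 is described as being,
# with a freshness check in front of robocopy. Paths are assumptions for the lab above.
$source      = '\\cm01\SCCMBackup\R01Backup\SiteDBServer'
$destination = '\\sql01\DBCopy'
$log         = '\\sql01\DBCopy\DBCopy.log'
$dbFiles     = @('CM_R01.mdf', 'CM_R01_log.ldf')

# The post schedules the SCCM backup at 1:00 AM; find the most recent backup window.
$backupStart = (Get-Date).Date.AddHours(1)
if ($backupStart -gt (Get-Date)) { $backupStart = $backupStart.AddDays(-1) }

# Refuse to copy unless both database files exist and were written after that window
# opened, so a stale or half-written backup never overwrites the replica on SQL01.
foreach ($file in $dbFiles) {
    $path = Join-Path $source $file
    if (-not (Test-Path $path)) {
        throw "Backup file missing: $path. Has the SCCM backup run on CM01?"
    }
    $written = (Get-Item $path).LastWriteTime
    if ($written -lt $backupStart) {
        throw "Backup file $path was last written $written, before the backup window starting $backupStart."
    }
}

# Same switches the post lists: /S /E copy subdirectories, /COPY:DAT copies data,
# attributes and timestamps, /LOG names the log file. /R caps retries at 3 instead
# of the 1 million default and /W waits 10 seconds between them, so a share that
# is unreachable fails the job quickly instead of hanging it.
$rcArgs = @($source, $destination, '/S', '/E', '/COPY:DAT', '/R:3', '/W:10', "/LOG:$log")
& robocopy.exe @rcArgs

# robocopy exit codes 0-7 are success variants (bits say what was copied or skipped);
# 8 and above mean at least one file failed, which the SQL Agent job must see.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
}
Write-Output "Copy complete; review $log for the database and log file sizes."
exit 0
```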


Once the script finishes running, the database file and log file of the SCCM database have been copied to SQL server SQL01.

Review CopyDB.log to verify the size of the database and log files.

Now log on with an account that is a SQL admin with rights to add a database on the SQL server, and run the following commands to create the database (change the path if needed):

CREATE DATABASE CM_R01
ON (FILENAME = 'C:\DBCopy\CM_R01.mdf'),
(FILENAME = 'C:\DBCopy\CM_R01_log.ldf')
FOR ATTACH;
GO

Once the command has run successfully, refresh the console. The replicated copy of the SCCM database shows up in the console.

Now we have a copy of the SCCM database running on a separate SQL server.

This concludes Part 1

Deploying Office 2013 application with SCCM 2012

This post describes creating an SCCM application for Office 2013 and installing it from a client computer using the Application Catalog.

Office 2013 is available from Microsoft as a 60-day evaluation download. There are two versions of the Office 2013 install available:

Volume Licence

Retail

You can download the retail version from the evaluation site. However, the retail version does not include the customization binaries, which are needed to customize the Office 2013 install.

Download them from here

Extract the downloaded files and copy the admin folder to the Office 2013 source files folder.

To start the customization, open an admin command prompt, go to the Office 2013 source folder and type in:

setup.exe /admin

setup.exe /admin opens a prompt to create a setup customization file. Select create new file and click OK.

Here is the TechNet link to the Microsoft Customization Tool.

The welcome screen tells you that you are about to create an MSP file that will store all the customizations.

Provide the install location and organization name.

Enter the product key.

Accept the licence agreement.

Set the display level to None. For enterprise use, display level None is recommended because the install then does not wait for any user input. However, if display level None is selected it is also recommended that users be made aware that they should close all open Office files.

When display level None is selected, Completion notice and No cancel do not apply, so it does not matter whether they are checked or not.

Suppress modal means that no warnings are shown if any files are open, and any errors will not pop up on the screen.

Next is Modify Setup properties.

Here is a link to all the setup properties for Office 2013.

Add a setup property HIDEUPDATEUI with the value True. This hides the update prompt at the start.

Click on Add again and add another property, SETUP_REBOOT, with the value AutoIfNeeded. If the Office install requires a reboot, the system will reboot after installation.

Next go to Modify user settings -> Office 2013 -> Privacy -> Trust Center and disable the Opt-in Wizard on first run.

Next is Set feature installation states – remove Microsoft Access, Microsoft Publisher, Microsoft InfoPath and Microsoft Lync. (Later in the post I will verify that these components are actually not installed.)

Click on File and Save As, and save this to the Updates folder in the Office 2013 source files folder.

I named the file Office2012setup.msp. This completes the MSP creation process.

I am now ready to create the application. Go to SCCM console -> Software Library -> Overview -> Application Management, right click and select Create Application.

Provide the MSI file path (if it is the volume licence version the folder name is proplus, and if it is the retail version the folder name is proplusr):

\\cm01\Sources\applications\office2013\proplusr.ww\proplusrww.msi

SCCM automatically imports all the information from the MSI.

Provide the name of the application and fill in any other fields as necessary.

Review the summary and click Next.

This finishes adding the application with basic settings to SCCM.

Now select the application in the console and from the bottom pane select Deployment Types. Right click, select Properties and click on the Content tab.

The content location will be \\cm01\sources\application\office2013\proplusr.ww; change it to \\cm01\sources\application\office2013

Click on the Programs tab and change the installation program to setup.exe

Change the uninstall program to setup.exe /uninstall proplusr

Click Apply and OK to finish.

At this point the application is ready to be distributed to distribution points. Once the application is distributed to all distribution points, create a collection of users to whom this application will be deployed.

Create a deployment to deploy this application to users. Browse to select the application, browse again to point to the collection you created previously, and click Next.

Content shows on which distribution points this application resides.

Click Next.

In Deployment Settings, choose action Install and purpose Available. Click Next.

I want the application to be available immediately; click Next.

Click Next leaving the defaults.

Review the summary; if changes are needed at this point go back and fix them. If everything is OK, click Next.

Review the completion notice and click Close.

After the deployment is complete, go to the user's machine and log in with a user account that is a member of the collection to which the application is advertised (errr… deployed, I meant).

Go to Software Center and click on the Application Catalog website; you will see the Office application if the policy has been updated.

Select the application and click on Install.

Click Yes.

The client prepares to download and then downloads the application.

At this point the application install status can be checked from Software Center.

Once the install is finished, Software Center displays a message that the application install was successful.

Now go to Start, expand Office 2013 and review. As seen, Microsoft Access, Microsoft InfoPath, Microsoft Lync and Microsoft Publisher are not installed, as configured in the MSP.

To uninstall Office, close any open Office files and go to Software Center. Under Installed Software, select Office and click on Uninstall.

Click Yes to uninstall.

A progress bar shows that Office is being uninstalled.

Finally, confirmation that Office has been uninstalled from the computer.

This concludes the post!

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 11

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the assembly compliance item.

In Part 4 I discussed the file system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

In Part 6 I discussed the registry key compliance item.

In Part 7 I discussed the registry key value compliance item.

In Part 8 I discussed the script compliance item.

In Part 9 I discussed the SQL compliance item.

In Part 10 I discussed the WQL query compliance item.

Part 11 – XPath query compliance item

XML documents are written in the form of a tree of nodes. An XPath query provides a way to query the data in XML files; since the data is structured in nodes, XPath syntax makes it easy to obtain data from an XML document.

I created a sample XML document to use for this post. You can download and use it, or create your own.

Here is the link to download the sample XML file that I am using in the post. For testing purposes the test machines have a folder on the C drive (c:\scratch) and the XML file is copied to c:\scratch on all the machines.

Go to Assets and Compliance, Compliance Settings, Configuration Items; right click and select Create Configuration Item.

Provide the name CI – Xpath Query, leave the configuration item type as Windows and click Next.

Select the operating systems where this setting will apply and click Next.

Click on New to create the configuration item.

Type in the name XpathQuery, from Setting type select XPath query and set Data type to String.

Path – c:\scratch

File name – CI-Xpath.xml (this file can be downloaded from the link provided above)

In XPath query type in:

/Library/Address/City

Click Apply and OK, then click Next to go to Compliance Rules.

Click on New to create a compliance rule.

Provide the name of the compliance rule and click on Browse.

Select the configuration item just created in the previous step and click on Select.

In Rule type select Value and type in equals "Hidden Valley".

Click Next.

Review all the settings; if changes are needed go back to the previous screen.

SCCM is working its magic 🙂

Once the configuration item is created, the next step is to create a configuration baseline. Go to Configuration Baselines, right click and select Create Configuration Baseline. Provide the name CB – Xpath Query, click on Add and select Configuration Items.

Select the configuration item CI – Xpath Query if not already selected and click OK.

Click OK to finish configuring the configuration baseline.

The next step is to create a deployment. Right click the configuration baseline and select Deploy.

Select the configuration baseline.

Select Generate an alert and set the compliance percentage below which you want to be alerted.

Point it to the collection where compliance needs to be evaluated, change the evaluation schedule to run every 3 hours and click OK.

Go to the client and from the Configurations tab select CB – Xpath Query and click on Evaluate.

Click on View Report. The machine below shows Compliant.

Go to a machine where this file is not present; for this test I have not copied the file to c:\scratch.

Click on Evaluate and it shows Error.

If you click on View Report it shows Error rather than Non-Compliant, because the file is missing.

You can also review the DcmWmiProvider log for more information for troubleshooting.
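Since the post's CI-Xpath.xml is only linked, here is an added example (not the author's file or code) that evaluates the same setting locally and reproduces the three outcomes seen above: Compliant, Non-Compliant, and Error when the file is missing, which is useful for checking an XPath expression before a baseline is deployed. The XML content is a constructed stand-in for the post's file, and treating several matched nodes as all having to equal the expected value is an assumption of this example.

```powershell
# Added example (not the post's file or code): evaluate the Part 11 setting locally
# and classify the result the way the client reported it in the screenshots.
function Test-XPathSetting {
    param(
        [string]$Path,          # folder the CI points at, c:\scratch in the post
        [string]$FileName,      # CI-Xpath.xml in the post
        [string]$XPath,         # /Library/Address/City in the post
        [string]$ExpectedValue  # "Hidden Valley" in the post
    )
    $file = Join-Path $Path $FileName
    # Missing file: nothing can be evaluated, which the post saw reported as Error, not Non-Compliant.
    if (-not (Test-Path $file)) {
        return [pscustomobject]@{ State = 'Error'; Detail = "file not found: $file"; Values = @() }
    }
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file)   # malformed XML also ends up as Error rather than a compliance verdict
    }
    catch {
        return [pscustomobject]@{ State = 'Error'; Detail = "cannot parse XML: $($_.Exception.Message)"; Values = @() }
    }
    $nodes  = $xml.SelectNodes($XPath)
    $values = @($nodes | ForEach-Object { $_.InnerText })
    if ($values.Count -eq 0) {
        # The query ran but matched nothing, so the setting has no value to compare.
        return [pscustomobject]@{ State = 'Error'; Detail = "XPath matched no nodes: $XPath"; Values = @() }
    }
    # String data type with an Equals rule. Assumption of this example: with several
    # matches, every returned value has to equal the expected one.
    $mismatches = @($values | Where-Object { $_ -ne $ExpectedValue })
    $state = if ($mismatches.Count -eq 0) { 'Compliant' } else { 'Non-Compliant' }
    return [pscustomobject]@{ State = $state; Detail = "values: $($values -join ', ')"; Values = $values }
}

# Constructed sample document standing in for the post's CI-Xpath.xml (assumed shape).
$scratch = Join-Path $env:TEMP 'scratch'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
@'
<Library>
  <Name>Town Library</Name>
  <Address>
    <Street>1 Main Street</Street>
    <City>Hidden Valley</City>
  </Address>
</Library>
'@ | Set-Content -Path (Join-Path $scratch 'CI-Xpath.xml') -Encoding UTF8

$xpath = '/Library/Address/City'
# File present and the value the rule expects.
Test-XPathSetting -Path $scratch -FileName 'CI-Xpath.xml' -XPath $xpath -ExpectedValue 'Hidden Valley'
# File present but the rule expects a different city.
Test-XPathSetting -Path $scratch -FileName 'CI-Xpath.xml' -XPath $xpath -ExpectedValue 'Elsewhere'
# File absent, the case the post tested on the second machine.
Test-XPathSetting -Path $scratch -FileName 'missing.xml'  -XPath $xpath -ExpectedValue 'Hidden Valley'
```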

 


This concludes Part 11

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 10

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the assembly compliance item.

In Part 4 I discussed the file system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

In Part 6 I discussed the registry key compliance item.

In Part 7 I discussed the registry key value compliance item.

In Part 8 I discussed the script compliance item.

In Part 9 I discussed the SQL compliance item.

Part 10 – WQL compliance item

A WQL query is a way to query WMI on a computer; a compliance item and compliance rules can then be built around that query.

I am going to query WMI for a service's start mode. The service I am querying is the Windows Update service.

Open an admin command prompt and type in wbemtest. This launches the WMI Tester.

Leave the namespace as root\cimv2 and click on Connect. Click on Query in the WMI Tester window and in the query window type in:

Select startmode from win32_service where name='wuauserv'

It returns Win32_Service=<no key>; double click on that line.

Under Properties scroll down to StartMode. As seen for Windows 8, the start mode of the Windows Update service is Manual, and for Windows 7 this start mode will be Auto. So I am going to create a compliance item based on the start mode, and if the start mode is Auto a machine will be compliant.

Now that that is done, let's go to SCCM.

Go to Assets and Compliance, Compliance Settings, Configuration Items. Right click and select Create Configuration Item.

Type in the name of the configuration item, CI – WQL Query, leave the configuration item type as Windows and click Next.

Select the operating systems where this configuration item will apply and click Next.

Click on New.

Type the name of the setting, CI – WQL Query, from Setting type select WQL query and set Data type to String.

Namespace – root\cimv2 (as discussed at the beginning of the post)

Class – Win32_Service (as discussed in the WQL query above)

Property – Name (as discussed in the WQL query above)

In the WHERE clause type in startmode='auto'

Click Apply and OK.

Click Next to go to Compliance Rules.

Click on New to create a compliance rule.

Provide the name of the rule.

Click on Browse, select the configuration item created just above and click on Select.

In Rule type select Value, and in the rule type in CI – WQL Query equals wuauserv. Click on OK.

Click Next.

This screen provides the summary of the settings; if any changes are needed you can go back and change them.

SCCM is working its magic now 🙂

This completes the creation of the configuration item.

In order to deploy this configuration item to the machines, I need to create a configuration baseline.

Go to Configuration Baselines, right click and select Create Configuration Baseline.

Provide the name of the configuration baseline, CB – WQL Query, click on Add and from the drop-down select Configuration Items.

Select the configuration item and click OK.

Click OK to finish creating the configuration baseline.

The next step is to create a deployment for this configuration baseline. Select the configuration baseline, right click and select Deploy.

Select the configuration baseline CB – WQL Query.

Select Generate an alert and set the threshold at which you would like to see the alert.

Provide the collection name.

Set the evaluation schedule to every 3 hours for the lab; for production this should be once or twice a week, as compliance evaluation is a CPU-intensive task. Click on OK to finish creating the deployment.

Go to the client (Windows 8.1 in this case). Click on the Configurations tab, select the configuration baseline and click on Evaluate.

Click on View Report; as expected this machine is Non-Compliant, as the start mode is Manual and the configuration item is looking for startmode = auto.

This concludes Part 10

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 9

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the assembly compliance item.

In Part 4 I discussed the file system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

In Part 6 I discussed the registry key compliance item.

In Part 7 I discussed the registry key value compliance item.

In Part 8 I discussed the script compliance item.

Part 9 – SQL compliance item

SQL compliance items can be used to query different elements for SQL servers in the environment . This compliance settings is particular useful if there are lot of SQL servers in production and those servers needs to adhere to certain organisational standards

Needless to say that this compliance setting is designed to be run only on SQL servers. I am going to do a basic checking for SQL version in this post .

You will also need a collection with SQL servers or a server to test the settings .

To create configuration item , Go to SCCM console , Configuration items and right click and new configuration item .

 

CISQL01

Assign a name to the configuration item: CI – SQL Version

CISQL02

Select the operating systems to which this setting will apply and click Next.

CISQL03

Click New to create the setting for this configuration item.

CISQL04

Provide a name for the setting. From Setting type select SQL query and set Data type to String.

Now form the SQL query that will run on the computers: select master as the database and enter version as the column.

Type in

Select @@VERSION as version;

and click OK.

CISQL05

Click Next to go to the compliance rules.

CISQL06

Click New to create a compliance rule for the SQL version.

CISQL07

Type in the compliance rule name and click Browse.

CISQL08

Select the SQL query setting created in the previous step and click Select.

CISQL09

From Rule type select Value, if it is not already selected.

The next step defines how the query result is evaluated: the rule is satisfied if the SQL version begins with Microsoft SQL Server 2012 SP1. Click OK.
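Added example, not part of the original post: a PowerShell script that runs the same Select @@VERSION as version; query the setting sends and applies the "begins with" rule locally, so the expected result can be confirmed on one SQL Server before the baseline is deployed to the whole collection. As a stricter cross-check it also reads SERVERPROPERTY('ProductLevel'), which returns the service pack as a discrete value such as SP1. The instance name (localhost), Windows authentication, the 'Microsoft SQL Server 2012' prefix and the function names are this example's assumptions.

```powershell
# Added example (not from the original post). Runs the SQL compliance item's query
# against one instance and evaluates the "begins with" rule locally.
# Assumptions: default instance on localhost, Windows authentication, and that
# @@VERSION on the target begins with the text given in $ExpectedPrefix.

function Get-SqlVersionInfo {
    param(
        [string]$Instance = 'localhost',
        [string]$Database = 'master'
    )
    $connectionString = "Server=$Instance;Database=$Database;Integrated Security=True;Connection Timeout=15"
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        # The first column is the exact query used in the configuration item; the
        # SERVERPROPERTY columns expose version and service pack as discrete fields.
        $command.CommandText = @"
SELECT @@VERSION AS version,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS productVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128)) AS productLevel;
"@
        $reader = $command.ExecuteReader()
        try {
            if ($reader.Read()) {
                New-Object PSObject -Property @{
                    Instance       = $Instance
                    Version        = [string]$reader['version']
                    ProductVersion = [string]$reader['productVersion']
                    ProductLevel   = [string]$reader['productLevel']
                }
            }
        }
        finally { $reader.Close() }
    }
    finally { $connection.Dispose() }
}

function Test-SqlVersionCompliance {
    param(
        [Parameter(Mandatory=$true)]$Info,
        [string]$ExpectedPrefix = 'Microsoft SQL Server 2012',
        [string]$ExpectedLevel  = 'SP1'
    )
    # Same test as the CI's "begins with" rule, applied to the @@VERSION string.
    $beginsWith = $Info.Version.StartsWith($ExpectedPrefix, [System.StringComparison]::OrdinalIgnoreCase)
    # Supplementary check on the service pack reported as a discrete value.
    $levelMatches = ($Info.ProductLevel -eq $ExpectedLevel)
    New-Object PSObject -Property @{
        Instance         = $Info.Instance
        VersionLine      = ($Info.Version -split "`n")[0].Trim()
        ProductVersion   = $Info.ProductVersion
        ProductLevel     = $Info.ProductLevel
        RuleBeginsWith   = $beginsWith
        RuleProductLevel = $levelMatches
        Compliant        = ($beginsWith -and $levelMatches)
    }
}

$info = Get-SqlVersionInfo -Instance 'localhost'
Test-SqlVersionCompliance -Info $info | Format-List
```

On a SQL Server 2012 SP1 instance the first line of @@VERSION reads "Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 ..." with the service pack in parentheses, so compare the VersionLine this script prints against the literal text entered in the "begins with" rule before relying on the rule in production; the ProductLevel column gives the same fact without depending on that formatting.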

 

CISQL10

Click Next to finish creating the compliance rules.

CISQL11

This page shows the summary of the configuration item and its rules; if changes are needed, you can go back and make them.

Click Next.

CISQL12

SCCM is working its magic.

CISQL13

This screen shows the summary of the configuration item.

CISQL14

The next step is to create the configuration baseline before the setting is applied to the SQL Servers.

Right-click Configuration Baselines and select Create Configuration Baseline.
CISQL15

Provide the name of the configuration baseline: CB – SQL Query – version. Click Add and select Configuration Items from the drop-down.

CISQL16

Select the configuration item and click OK.

CISQL17

Click OK to complete the creation of the configuration baseline.

CISQL18

Now I am ready to deploy this configuration baseline to a collection. Select the configuration baseline and select Deploy.

CISQL19

Select the configuration baseline.

Select Generate an alert if compliance is below a certain threshold.

Select the SQL Server collection and, for a lab or test setup, change the schedule to run every 3 hours. Click OK.
CISQL20

To verify the setting, go to a SQL Server to which this configuration baseline is deployed.

Open the SCCM client properties, go to the Configurations tab, select CB – SQL – Check SQL Version and click Evaluate.

CISQL21

Click View Report to check whether the version matches what is defined in the compliance rule.

This server is running SQL Server 2012 SP1 and is therefore compliant.

CISQL22

This concludes part 9

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 8

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the Assembly compliance item.

In Part 4 I discussed the File system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

In Part 6 I discussed the Registry key compliance item.

In Part 7 I discussed the Registry key value compliance item.

Part 8 – Script compliance item

In Part 8 I am going to use a script to evaluate compliance on computers. I am going to keep the focus on the compliance item itself, so I am using a basic PowerShell script. It is also possible to use one script to evaluate the compliance of a machine and a second script to remediate non-compliant machines.

In this post I am going to discuss how to use a script to evaluate compliance on a machine.

Script first. The script that I am using is a basic one-line PowerShell script that checks the state of the Windows Update service.

Script running on a Windows 8 machine:

Get-Service -Name wuauserv | Select-Object -ExpandProperty "Status"

When this script is run the result is Stopped.

Script01

When this script is run on a Windows 7 machine:

Get-Service -Name wuauserv | Select-Object -ExpandProperty "Status"

When this script is run the result is Running.
Script02

Based on this I know the outcome of the script will differ depending on which OS it runs on (by default the Windows Update service is not running on Windows 8 and is running on Windows 7).

Now that that is out of the way, let's get back to compliance items in SCCM.

Go to Assets and Compliance, Compliance Settings, Configuration Items, right-click and select Create Configuration Item.

Script03

Provide the name CI – Script – Windows update service check, leave the configuration item type as Windows and click Next.

Script04

Select the OS versions to which this configuration item will apply and click Next.

Script05

To create the setting for this configuration item, click New.

Script06

Type in the name CI – Script. From the Setting type drop-down select Script and set Data type to String.

There are two places where a script can be specified:

Discovery script

Remediation script

I am going to put my script in the discovery script since I am going to evaluate compliance. Click Add Script.
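Added example, not the script from the original post: the two scripts of a Script setting side by side, a discovery script that returns the state of the Windows Update service as a single string (the value the compliance rule compares with Running) and a remediation script that brings the service to Running, which only runs for non-compliant machines when remediation is enabled on the rule. Win32_Service is queried instead of Get-Service so the start mode is available on the PowerShell 2.0 and 3.0 hosts of Windows 7 and Windows 8. The service name, the 30-second start-up wait and the function names are this example's choices; the function bodies are what would be pasted into the Discovery script and Remediation script boxes.

```powershell
# Added example, not the script from the original post. Shows the two scripts of a
# Script setting: the discovery script writes exactly one value, which the rule
# compares with "Running"; the remediation script runs only for non-compliant
# machines when remediation is enabled on the rule. Win32_Service is queried rather
# than Get-Service so the start mode is available on the PowerShell 2.0/3.0 hosts of
# Windows 7 and Windows 8. Service name and the 30-second wait are this example's choices.

function Get-WuaDiscoveryValue {
    # ---- Discovery script body: one string on stdout ----
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc) { return 'NotInstalled' }   # distinct value: visibly non-compliant
    return $svc.State                                # 'Running', 'Stopped', ...
}

function Invoke-WuaRemediation {
    # ---- Remediation script body ----
    # Sets the start mode to Automatic, starts the service, and returns the final
    # state so it is visible in the client's DcmWmiProvider.log.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc) { return 'NotInstalled' }
    if ($svc.StartMode -ne 'Auto') {
        [void]$svc.ChangeStartMode('Automatic')
    }
    if ($svc.State -ne 'Running') {
        [void]$svc.StartService()
        $deadline = (Get-Date).AddSeconds(30)
        do {
            Start-Sleep -Seconds 2
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
        } while ($svc.State -ne 'Running' -and (Get-Date) -lt $deadline)
    }
    return $svc.State
}

# Stand-alone run: evaluate the rule the way the CI would, and remediate only if asked.
$RunRemediation = $false    # set to $true to exercise the remediation path (needs admin)
$value = Get-WuaDiscoveryValue
$compliant = ($value -eq 'Running')
"Discovery value: $value  -> compliant: $compliant"
if (-not $compliant -and $RunRemediation) {
    "After remediation: $(Invoke-WuaRemediation)"
}
```

Returning a distinct value such as NotInstalled for a missing service keeps the report honest: an empty output would otherwise be compared with Running and fail without explaining why. The remediation function finishes by returning the observed state rather than assuming the start succeeded, so a service that cannot start still shows up as non-compliant on the next evaluation.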

 

Script07

Select the script language Windows PowerShell, type in the script explained at the beginning of the post and click OK.

Script08

Click Next.

Script09

Now a compliance rule needs to be created. This rule determines how compliance is reported once the script runs on a computer (based on how I define the rule, a machine will be either compliant or non-compliant).

Click New.

Script10

Type in the compliance rule name and click Browse.

Script11

Select the name of the configuration setting I just created, if it is not already selected, and then click Select.

Script12

For Rule type select Value, then specify that the value returned must equal Running.

Now, as discussed at the beginning, on Windows 7 the value will be Running and on Windows 8 the value will be Stopped (by default). So if this setting is applied to a collection of Windows 8 and Windows 7 machines, the Windows 7 machines will be compliant and the Windows 8 machines won't.

Click OK.

Script13

Click Next.

Script14

This screen presents the summary of the settings. If any changes are needed, you can go back and make them from here. Click Next.

Script15

SCCM is working its magic here 🙂

Script16

And the configuration item is ready.

Script17

The next step is to create the configuration baseline. Right-click Configuration Baselines and select Create Configuration Baseline.

Script18

Type the name of the configuration baseline: CB – Script – Windows update service. Click Add and select Configuration Items from the drop-down.

Script19

Select the configuration item just created and click OK. This finishes creating the configuration baseline.

Script20

Now it is time to deploy this baseline to machines.

Go to Configuration Baselines, right-click and select Deploy.

Script21

Select the configuration baseline CB – Script – Windows update service.

Browse and point it to the collection.

In a lab scenario change the evaluation schedule to every three hours. In production, running this once or twice a week is probably the recommendation, depending on network size.

Click OK.

Script22

Go to the Windows 8 client, click the Configurations tab and click Evaluate.

Script23

By now we know that on Windows 8 this will be non-compliant, because the value returned by the script is Stopped.

Script24

Now go to a Windows 7 client, click the Configurations tab and click Evaluate.

Script25

The Windows 7 machine reports this setting as compliant because the value returned by the script is Running.

Script26

This concludes part 8

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 7

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the Assembly compliance item.

In Part 4 I discussed the File system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

In Part 6 I discussed the Registry key compliance item.

Part 7 – Registry key value compliance item

This post is very similar to Part 6, where a registry key is involved. In this post, a compliance item is created for a registry key value.

To start, go to Assets and Compliance, Configuration Items, right-click Configuration Items and select Create Configuration Item.

RegKeyValue01

Type in the name CI – Regist­ry Key Value and leave the configuration item type as Windows.

RegKeyValue02

Select the operating systems to which this compliance item will apply and click Next.

RegKeyValue03

Click New.

RegKeyValue04

Type the name of the setting, CI – RegistryKey, and click Browse.

RegKeyValue05

In the left-hand pane navigate to the key, in this example HKLM\Software\Vmware, Inc\Vmware Tools\InstallPath

(note that the install path is c:\program files\Vmware\Vmware Tools)

Click OK.

RegKeyValue06

So far I have defined the setting. Click OK here.

RegKeyValue07

Click Next to go to the compliance rules.

RegKeyValue08

On the next screen click New and provide the name of the compliance rule. The compliance rule determines how this setting is evaluated.

Click Browse.

RegKeyValue09

Select the name of the setting I just created and click Select.

RegKeyValue10

From the Rule type drop-down select Existential, make sure “Registry value must exist on client devices” is selected and click OK.

RegKeyValue11

Click Next.

RegKeyValue12

This screen provides the summary of the configuration item and its setting. If anything needs to be changed, I can go back and change it.

Click Next.

RegKeyValue13

SCCM is working its magic now 🙂

RegKeyValue14

This completes the creation of the configuration item. The next step is to create the configuration baseline.

Go to Configuration Baselines, right-click and select Create Configuration Baseline.

RegKeyValue15

Provide the name of the configuration baseline, in this case CB – Registry Key Value.

Click Add and select Configuration Items from the drop-down.

RegKeyValue16

Select the configuration item just created and click OK.

RegKeyValue17

Click OK again.

RegKeyValue18

After the configuration baseline is created, the next step is to deploy it.

Select the configuration baseline, right-click and select Deploy.

RegKeyValue19

On the deployment screen select the configuration baseline just created.

Point it to the collection,

and set the schedule to run every 3 hours, then click OK.

RegKeyValue20

On the client go to Control Panel, Configuration Manager client, and click the Configurations tab. There is a new configuration item listed.

Click Evaluate and then View Report.

RegKeyValue21

Well, this machine is compliant.

RegKeyValue22

This concludes part 7

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 6

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the Assembly compliance item.

In Part 4 I discussed the File system compliance item.

In Part 5 I discussed the IIS metabase compliance item.

Part 6 – Registry Key Compliance Item

With a registry key compliance item we can check whether a certain registry key exists on the devices. Based on what I specify in the compliance rule, I can then determine whether the device is compliant.

To configure a registry key compliance item, go to Assets and Compliance, Compliance Settings, Configuration Items. Right-click and select Create Configuration Item.

P-Registry01

Provide the name of the configuration item. Click Next.

P-Registry02

Select all the operating system versions to which this setting will apply.

P-Registry03

Now click New to configure the setting.

P-Registry04

Specify the name for the setting, CI-RegistryKey.

From the Setting type drop-down select Registry key.

For Hive select HKEY_LOCAL_MACHINE from the drop-down and then click Browse to go to the actual registry key.

P-Registry05

If the registry key exists on the server where you are configuring the setting, browse to the key and select it. Otherwise, in the Computer name field type \\Computer_name and browse to the registry key on that computer; also ensure the Remote Registry service is running there.

Now ensure the radio button “This key must exist on client devices” is selected. Click OK.

P-Registry06

Ensure the key name is selected and click OK.

P-Registry07

The next step is to define the compliance rule, which determines how this setting is evaluated. Click New.

P-Registry08

Provide the name for the compliance rule and click Browse to select the setting.

P-Registry09

Select CI-RegistryKey and click Select.

P-Registry10

Now select the rule type Existential from the drop-down.

Ensure “Registry key must exist on the client devices” is selected and click OK.
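Added example, not code from the original posts: one PowerShell function that evaluates locally what the Existential rules of Part 7 (a registry value must exist) and this part (a registry key must exist) check, so a key or value can be confirmed on a reference machine before the configuration item is built. It reads both the 64-bit and the 32-bit (WOW6432Node) registry views, because the setting wizard asks whether the key belongs to a 64-bit application and evaluates only the selected view. Assumptions: .NET Framework 4.0 or later for RegistryKey.OpenBaseKey, and the VMware Tools key from Part 7 written as it appears on a machine with VMware Tools installed ("VMware, Inc." with a period); check the exact key in regedit for your own build.

```powershell
# Added example, not code from the original posts. Evaluates locally what the
# Existential rules of Part 7 (registry value) and Part 6 (registry key) check.
# Assumptions: .NET Framework 4.0 or later (RegistryKey.OpenBaseKey); the VMware
# Tools key is written as it appears with VMware Tools installed ("VMware, Inc.").
# Both registry views are checked because the CI wizard asks whether the key
# belongs to a 64-bit application and evaluates only the selected view.

function Test-RegistryCompliance {
    param(
        [string]$Hive = 'HKLM',
        [Parameter(Mandatory=$true)][string]$KeyPath,
        [string]$ValueName,          # omit for a key-existence check (Part 6)
        [string]$ExpectedData        # optional: value must also equal this (Value rule)
    )
    switch ($Hive) {
        'HKLM'  { $rootHive = [Microsoft.Win32.RegistryHive]::LocalMachine }
        'HKCU'  { $rootHive = [Microsoft.Win32.RegistryHive]::CurrentUser }
        default { throw "Unsupported hive: $Hive" }
    }
    foreach ($viewName in 'Registry64', 'Registry32') {
        $keyExists = $false; $valueExists = $false; $data = $null
        try {
            $view = [Enum]::Parse([Microsoft.Win32.RegistryView], $viewName)
            $root = [Microsoft.Win32.RegistryKey]::OpenBaseKey($rootHive, $view)
            $key  = $root.OpenSubKey($KeyPath)
            if ($key -ne $null) {
                $keyExists = $true
                if ($ValueName) {
                    $data = $key.GetValue($ValueName, $null)
                    $valueExists = ($data -ne $null)
                }
                $key.Close()
            }
            $root.Close()
        }
        catch { Write-Warning ("{0}: {1}" -f $viewName, $_.Exception.Message) }

        if ($ValueName) {
            # Part 7 style: value must exist; with -ExpectedData it must also match.
            $compliant = $valueExists -and ((-not $ExpectedData) -or ([string]$data -eq $ExpectedData))
        }
        else {
            # Part 6 style: key must exist.
            $compliant = $keyExists
        }
        New-Object PSObject -Property @{
            View        = $viewName
            Key         = "$Hive\$KeyPath"
            KeyExists   = $keyExists
            ValueName   = $ValueName
            ValueExists = $valueExists
            Data        = $data
            Compliant   = $compliant
        }
    }
}

# Part 7: the InstallPath value must exist (optionally equal to the path the post notes).
Test-RegistryCompliance -KeyPath 'SOFTWARE\VMware, Inc.\VMware Tools' -ValueName 'InstallPath' |
    Format-Table View, KeyExists, ValueExists, Data, Compliant -AutoSize

# Part 6: the key itself must exist.
Test-RegistryCompliance -KeyPath 'SOFTWARE\VMware, Inc.\VMware Tools' |
    Format-Table View, KeyExists, Compliant -AutoSize
```

If the two rows disagree (the key exists in one view only), that is the case the wizard's 64-bit checkbox decides: a CI evaluated against the wrong view reports every client as non-compliant even though the software is installed.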

P-Registry11

Review the setting and compliance rule; if everything looks OK click Next.

P-Registry12

SCCM is working its magic now

P-Registry13

This completes the creation of the configuration item.

P-Registry14

The next step is to create the configuration baseline.

Right-click Configuration Baselines and select Create Configuration Baseline.

P-Registry15

Provide the name CB-RegistryKey. Click Add and select Configuration Items. This completes the creation of the configuration baseline.

P-Registry16

Select the configuration item CI-RegistryPath and click OK.

P-Registry17

The next step is to deploy the configuration baseline to a collection. Right-click the configuration baseline CB-RegistryKey and select Deploy.

P-Registry18

In the deployment configuration window, ensure CB-RegistryKey is selected under Baselines.

Select Generate an alert.

Click Browse to point it to a device collection.

For the schedule, select every 3 hours for a lab. In production it should be every few days to spread the load on client computers.

P-Registry19

Now, on the client computer, go to Control Panel, Configuration Manager, click the Configurations tab and select the configuration baseline CB-RegistryKey.

Click Evaluate. This checks whether the registry key exists on this computer.

P-Registry20

After that click View Report to view the local web-style report.

P-Registry21

This concludes part 6

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 5

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the Assembly compliance item.

In Part 4 I discussed the File system compliance item.

Part 5 – IIS Metabase Compliance item

An IIS metabase compliance item can look through the IIS server metabase and report compliance based on conditions defined in compliance rules.

Changes were made to the IIS metabase after IIS 6.0, and some of its functionality moved to XML-based configuration files.

If working with Windows 2008 and higher (which have versions of IIS greater than 6.0), there are certain prerequisites that need to be completed.

On IIS servers running a version greater than IIS 6.0, install IIS 6 Metabase Compatibility from Server Manager (Programs and Features).

IISMetabase01

Download the IIS 6.0 Resource Kit from here and install it on the IIS servers to navigate and explore the IIS metabase.

Double-click the resource kit installer.

IISMetabase02

Click Next

IISMetabase03

Accept the license agreement.

IISMetabase04

Provide the user name and company name and click Next.

IISMetabase05

Select Custom and click Next.

IISMetabase06

Select the install location or keep the default.

IISMetabase07

Select Metabase Explorer 1.6.

IISMetabase08

Click Next

IISMetabase09

Click Finish.

IISMetabase10

Open IIS Metabase Explorer, as highlighted in the picture below. I am going to check compliance for property ID 3001 (the Path property): if the path of the website on a web server is c:\inetpub\wwwroot then the web server is compliant.

IISMetabase11

OK, with all that out of the way, let's start with SCCM now.

Go to Assets and Compliance -> Compliance Settings -> Configuration Items -> right-click -> Create Configuration Item

IISMetabase12

Provide a name, CI – IIS Metabase (in this case).

IISMetabase13

Select the operating systems where this compliance item will apply. For IIS metabase settings you may only want to choose the ones where IIS is installed in your environment. Click Next.

IISMetabase14

To create the setting for IIS, click New.

IISMetabase15

Provide the name of the setting, select Setting type IIS metabase and Data type String.

For the metabase path, as explained at the beginning of this post, use LM (for the local server) and Property ID 3001 for the path.

Click OK.

IISMetabase16

Click New to create a compliance rule that defines how this setting is evaluated by SCCM.

IISMetabase17

Provide the name for the compliance rule and click Browse to select the setting.

IISMetabase18

Select the IIS metabase setting, if not already selected, and click Select.

IISMetabase19

For Rule type select Value.

In the rule specify c:\inetpub\wwwroot (if the PID 3001 value for W3SVC\1\ROOT is c:\inetpub\wwwroot then the machine is compliant).
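Added example, not code from the original post: a PowerShell script that reads the same metabase property the configuration item evaluates (property ID 3001, exposed by the IIS ADSI provider under the name Path) for W3SVC/1/ROOT, which is LM/W3SVC/1/ROOT in Metabase Explorer, and applies the Value rule to it. It relies on the IIS 6 Metabase Compatibility role service installed earlier, which provides the IIS:// ADSI provider. The server list, the function names and local administrator rights on the target are this example's assumptions; the expected path c:\inetpub\wwwroot is the value from the post.

```powershell
# Added example, not code from the original post. Reads the metabase property the
# configuration item evaluates (property ID 3001, exposed by the ADSI provider as
# "Path") for W3SVC/1/ROOT, which is LM/W3SVC/1/ROOT in Metabase Explorer.
# Assumptions: IIS 6 Metabase Compatibility is installed (it provides the IIS://
# ADSI provider), the caller is a local administrator on the target, and the
# expected path c:\inetpub\wwwroot is the value from the post.

function Get-MetabaseProperty {
    param(
        [string]$ComputerName = 'localhost',
        [string]$MetabasePath = 'W3SVC/1/ROOT',
        [string]$PropertyName = 'Path'    # ADSI name of metabase property 3001
    )
    try {
        $node = [ADSI]"IIS://$ComputerName/$MetabasePath"
        # InvokeGet goes through the underlying DirectoryEntry and throws if the
        # node or the property does not exist, which the catch turns into a warning.
        return [string]$node.psbase.InvokeGet($PropertyName)
    }
    catch {
        Write-Warning ("{0}: {1}" -f $ComputerName, $_.Exception.Message)
        return $null
    }
}

function Test-IisPathCompliance {
    param(
        [string[]]$ComputerName = @('localhost'),
        [string]$ExpectedPath = 'c:\inetpub\wwwroot'
    )
    foreach ($computer in $ComputerName) {
        $actual = Get-MetabaseProperty -ComputerName $computer
        New-Object PSObject -Property @{
            Server       = $computer
            Path         = $actual
            ExpectedPath = $ExpectedPath
            # -eq on strings is case-insensitive in PowerShell; a path that differs
            # only in case still reports compliant here.
            Compliant    = ($actual -ne $null) -and ($actual -eq $ExpectedPath)
        }
    }
}

# Evaluate the local server; pass several names to check a set of web servers from one console.
Test-IisPathCompliance -ComputerName 'localhost' | Format-Table Server, Path, ExpectedPath, Compliant -AutoSize
```

A warning instead of a path means the ADSI provider is missing on that server, which is exactly what the CI would hit as well: the prerequisite from the beginning of this part (IIS 6 Metabase Compatibility) has to be in place on every server in the collection, not only on the one used to build the setting.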

 

 

 

IISMetabase20

Click OK and review the settings in this step. If anything needs to be changed, you can change it by going back to the previous steps.

IISMetabase21

SCCM is working its magic 🙂

IISMetabase22

The next step is to create the configuration baseline. Right-click Configuration Baselines and select Create Configuration Baseline.

IISMetabase23

Provide a name for the configuration baseline (CB – IIS Metabase Settings).

IISMetabase24

Click Add -> Configuration Items, select CI – IIS Metabase created earlier and click OK.

IISMetabase25

Once the configuration baseline is created, I am ready to deploy it to the web servers collection. If you have not created a collection yet, first create one containing the web servers whose IIS metabase compliance is to be evaluated.

Right-click the configuration baseline and select Deploy.

IISMetabase26

Make sure CB – IIS Metabase Settings is selected.

Select Generate an alert.

Click Browse and point it to the web servers collection.

Set the evaluation schedule to run every three hours and click OK.

IISMetabase27

Go to a web server where the compliance is evaluated, open Configuration Manager client properties in Control Panel and select the Configurations tab. Click Evaluate to check whether the machine is compliant.

IISMetabase28

Click View Report to see the detailed status.

IISMetabase29

This means that on server LABSERV1 the default website has the path c:\inetpub\wwwroot.

This concludes part 5

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 4

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

In Part 3 I discussed the Assembly compliance item.

Part 4 – File system Compliance item

A file system compliance item can be used to search for a file or folder, including subfolders. Compliance can be reported either on a value or on whether the file or folder exists on the device.

I am going to check for the existence of a file on the drive (C:\Scratch\file\Filecompliance.txt). If this text file exists the system is compliant, otherwise the system is non-compliant.

The machine below has the text file in the c:\scratch folder. The machine name is WIN8.

P-File01

The machine below has a c:\scratch folder but there is no file, so this machine will be non-compliant. The machine name is WIN7.

P-file02

Well, now that that is out of the way, let's go to SCCM.

Go to Compliance Settings -> Configuration Items -> right-click -> Create a new configuration item

P-File03

Provide the name CI – FileSystem, leave the type as Windows and click Next.

P-File04

Select the operating systems to which this configuration item will apply. By default all operating systems are selected. Click Next.

P-File05

This is where the file system setting is defined. Click New.

P-File06

Specify the name; it could be anything. Here it is FileSystem.

From the drop-down select the setting type File system.

Specify the path (c:\scratch in this case)

and the name of the file (FileCompliance.txt in this case), then click OK.

P-File07

The next step is to create the compliance rule. The compliance rule determines what happens when the setting is evaluated.

P-File08

Type the name of the compliance rule. Click Browse to select the setting I just created above.

P-File09

Select the FileSystem setting, if not already selected, and click Select.

P-File10

Specify the rule type Existential. I want to check whether the file exists in the location c:\scratch on the computers. Click OK.
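Added example, not code from the original post: a PowerShell function that reproduces the Existential rule of this part (the file must exist under the path, optionally including subfolders, as the setting's Include subfolders option allows) and, going one step beyond the post, the Value variant the File system setting also offers, using the file's SHA-1 hash as the value so that a tampered or outdated copy of the file is reported as non-compliant even though it exists. The sample folders and file are constructed under %TEMP% so the script runs anywhere and are removed at the end; the folder layout mirrors the WIN8 and WIN7 machines from the post, and the function names are this example's choices.

```powershell
# Added example, not code from the original post. Reproduces the Existential rule
# of this part (file must exist under a path, optionally including subfolders) and
# the Value variant the setting also offers, using the file's SHA-1 hash as the
# value. The sample folders and file are constructed under %TEMP% and removed again.

function Test-FileCompliance {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$FileName,
        [switch]$IncludeSubfolders,
        [string]$ExpectedSha1             # optional Value rule: one copy must carry this hash
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path=$Path; FileName=$FileName; Found=0; Hits=@(); Compliant=$false }
    }
    $gci = @{ LiteralPath = $Path; Filter = $FileName; Force = $true; ErrorAction = 'SilentlyContinue' }
    if ($IncludeSubfolders) { $gci['Recurse'] = $true }
    $files = @(Get-ChildItem @gci | Where-Object { -not $_.PSIsContainer })

    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hits = @()
    foreach ($f in $files) {
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try { $hash = ($sha1.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
        $hits += New-Object PSObject -Property @{ File = $f.FullName; Sha1 = $hash }
    }
    $existential = ($files.Count -gt 0)                      # Existential rule
    $valueOk = $true                                         # Value rule, only if a hash was given
    if ($ExpectedSha1) { $valueOk = (@($hits | Where-Object { $_.Sha1 -eq $ExpectedSha1 }).Count -gt 0) }
    New-Object PSObject -Property @{
        Path = $Path; FileName = $FileName; Found = $files.Count
        Hits = $hits; Compliant = ($existential -and $valueOk)
    }
}

# Constructed sample data: a WIN8-style folder with the file in a subfolder and a
# WIN7-style folder without it.
$base = Join-Path $env:TEMP ('compliance-demo-' + [guid]::NewGuid().ToString('N'))
$win8 = Join-Path $base 'win8\scratch'
$win7 = Join-Path $base 'win7\scratch'
New-Item -ItemType Directory -Path (Join-Path $win8 'file'), $win7 -Force | Out-Null
Set-Content -Path (Join-Path $win8 'file\FileCompliance.txt') -Value 'compliance marker'

$r8 = Test-FileCompliance -Path $win8 -FileName 'FileCompliance.txt' -IncludeSubfolders
$r7 = Test-FileCompliance -Path $win7 -FileName 'FileCompliance.txt' -IncludeSubfolders
"WIN8-style folder: found=$($r8.Found) compliant=$($r8.Compliant)"
"WIN7-style folder: found=$($r7.Found) compliant=$($r7.Compliant)"

# Value rule: pin the hash observed on the reference machine; a changed file then fails.
$pinned = Test-FileCompliance -Path $win8 -FileName 'FileCompliance.txt' -IncludeSubfolders -ExpectedSha1 $r8.Hits[0].Sha1
"WIN8-style folder with hash rule: compliant=$($pinned.Compliant)"

Remove-Item -LiteralPath $base -Recurse -Force
```

Without Include subfolders the WIN8-style folder would also report non-compliant here, because the file sits in c:\scratch\file rather than in c:\scratch itself; that is the difference between the path given at the top of this part and the one entered in the setting, and it is worth testing on a reference machine before the baseline is deployed.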

P-File11

Click Next.

P-File12

This screen presents the summary; if changes are needed you can go back and change them from here.

P-File13

SCCM is working its magic now 🙂

P-File14

The configuration item is created and the summary is presented.

P-File15

The next step is to create the configuration baseline based on the configuration item we just created.

To create the configuration baseline, go to Configuration Baselines under Compliance Settings, right-click and select Create Configuration Baseline.

P-File17

Provide the name of the new configuration baseline.

Click Add and select Configuration Items.

P-File18

Select the configuration item created earlier, CI – FileSystem. Click OK. This creates the configuration baseline.

P-File19

The next step is to deploy the configuration baseline to computers. Select the configuration baseline, right-click and select Deploy.

P-File20

Make sure the configuration baseline CB-FileSystem is selected on the right.

Select Generate an alert to generate an alert; I set it to 90%.

Point the deployment to the compliance collection.

Set the evaluation schedule to run every 3 hours.

P-File21

Go to the machine which has the file present in the c:\scratch folder. In my example this computer is WIN8.

P-File22

Click Evaluate and then scroll to the right to see the compliance status, or click View Report.

P-File23

Now go to the system which does not have the file in c:\scratch. In my case the computer name is WIN7.

P-File24

Click Evaluate and scroll to the right. As seen, this machine is non-compliant. Click View Report to check the detailed status.

P-File25

This concludes part 4

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 3

In Part 1 I discussed the basics of Compliance Settings.

In Part 2 I discussed the Active Directory query compliance item.

Part 3 – Assembly Compliance settings

An assembly is code that applications can share. The global assembly cache is located under %systemroot%\Assembly.

P-Assembly01

In this post, I am going to verify whether the Microsoft.VisualC assembly exists on computers. If it exists, the machine is compliant.

OK, now that that is out of the way, let's get back to SCCM.

Under Assets and Compliance, go to Compliance Settings -> Configuration Items.

Right-click Configuration Items and select Create Configuration Item.

P-Assembly02

Type in the name and description and click Next.

P-Assembly03

Select the operating systems to which this setting will apply.

P-Assembly04

On Specify settings for Operating System, click New.

P-Assembly05

Type the name Microsoft.VisualC, select Setting type Assembly and then enter the name of the assembly for which compliance is to be evaluated.

P-Assembly06

Now specify the compliance rules. Compliance rules determine how this configuration item is evaluated.

P-Assembly07

Specify the name and click Browse to select the setting.

P-Assembly08

Select Microsoft.VisualC from the list and click OK.

P-Assembly09

Change the rule type to Existential. Select the radio button “Setting must exist on client devices”. Click OK.
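Added example, not code from the original post: a PowerShell script that looks an assembly up by name in the global assembly cache, the check the Existential rule of this part performs, and in addition lists every version found, which the rule does not show. Assumptions: the .NET 2.0 to 3.5 GAC lives under %systemroot%\assembly (the folder the post mentions) and the .NET 4 GAC under %systemroot%\Microsoft.NET\assembly; both are searched, with GAC, GAC_MSIL, GAC_32 and GAC_64 each holding one folder per assembly name and one sub-folder per version. Microsoft.VisualC is the assembly from the post; the second name is a constructed negative case, and the function names are this example's choices.

```powershell
# Added example, not code from the original post. Looks up an assembly by name in
# the global assembly cache the way the Existential rule of this part does, and
# lists the versions found. Assumptions: .NET 2.0-3.5 GAC under %systemroot%\assembly
# and .NET 4 GAC under %systemroot%\Microsoft.NET\assembly, each with GAC* stores
# that hold one folder per assembly name and one sub-folder per version.

function Find-GacAssembly {
    param([Parameter(Mandatory=$true)][string]$Name)
    $roots = @("$env:windir\assembly", "$env:windir\Microsoft.NET\assembly")
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $stores = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and $_.Name -like 'GAC*' }
        foreach ($store in $stores) {
            $asmDir = Join-Path $store.FullName $Name
            if (-not (Test-Path -LiteralPath $asmDir)) { continue }
            # One sub-folder per version_culture_publickeytoken of the assembly.
            Get-ChildItem -LiteralPath $asmDir -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Name    = $Name
                        Store   = $store.FullName
                        Version = $_.Name
                        Path    = $_.FullName
                    }
                }
        }
    }
}

function Test-AssemblyCompliance {
    param([Parameter(Mandatory=$true)][string]$Name)
    $found = @(Find-GacAssembly -Name $Name)
    New-Object PSObject -Property @{
        Assembly  = $Name
        Count     = $found.Count
        Versions  = (($found | ForEach-Object { $_.Version }) -join '; ')
        Compliant = ($found.Count -gt 0)   # Existential rule: setting must exist
    }
}

Test-AssemblyCompliance -Name 'Microsoft.VisualC' | Format-List
Test-AssemblyCompliance -Name 'Contoso.DoesNotExist' | Format-List   # constructed negative case
```

The Versions column is the practical addition: an Existential rule only says whether some version is present, so when the real requirement is a minimum version (for instance after a security update replaced the assembly), the version folders listed here are what a Value rule on the assembly version would have to compare against.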

P-Assembly10

Review the summary. If changes need to be made you can go back and change them. If everything looks OK click Next.

P-Assembly11

SCCM is working its magic now 🙂

P-Assembly12

Configuration item created successfully.

P-Assembly13

The next step is to create the configuration baseline.

Go to Configuration Baselines, right-click and select Create Configuration Baseline.

P-Assembly14

Provide the name of the configuration baseline.

Click Add and select Configuration Items from the list.

P-Assembly15

Select the configuration item CI – Assembly – Microsoft.VisualC if not already added and click Add. Click OK.

P-Assembly16

The next step is to deploy the baseline to a device collection.

Right-click CB – Assembly – Microsoft.VisualC and select Deploy.

P-Assembly17

Make sure CB – Assembly – Microsoft.VisualC is selected.

Select Generate an alert.

Browse to the device collection for which compliance is to be evaluated. Change the schedule to occur every 2 hours. For a large production network you may want to set this to once a week or once every few days. Click OK.

P-Assembly18

Go to a client computer to check that the compliance setting is applied to the device: go to Control Panel, click Configuration Manager client and select the Configurations tab.

P-Assembly19

Click View Report to see the expanded results.

P-Assembly20

This machine has the Microsoft.VisualC assembly and is therefore compliant.

This concludes Part 3

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 2

In Part 1 I discussed the basics of Compliance Settings.

Before proceeding with Part 2, create a device collection which will be used for deploying configuration baselines.

Part 2 – Active Directory query Compliance settings

I am going to create an Active Directory configuration item. This configuration item evaluates an Active Directory property value to determine compliance.

Open the ADSI Edit tool and navigate to an object's properties. I am going to use the attribute “isCriticalSystemObject” in the Active Directory compliance setting.

P-ADConfig01

OK, now that that is out of the way, let's get back to SCCM.

Under Assets and Compliance, go to Compliance Settings -> Configuration Items.

Right-click Configuration Items and select Create Configuration Item.

P-ADConfig02

Give a name to the configuration item. Notice the type of configuration item is Windows. Click Next.

P-ADConfig03

Select the applicable operating systems, choosing all the OS versions for which you want to evaluate compliance.

P-ADConfig04

This is where the setting is defined. Click New to start configuring the setting.

P-ADConfig05

Assign a name to the setting.

Select Active Directory query from the Setting type drop-down and set Data type to String.

LDAP prefix: LDAP://

Distinguished Name: OU=MBAM Testing OU,OU=MBAM,DC=labserv,DC=net (I am only evaluating compliance for the OU named MBAM Testing OU)

Search filter: (objectclass=*), which means all types of object (users, computers, printers etc.)

Scope: select Subtree if you need to evaluate the OU given in the Distinguished Name and all of its sub-OUs

Property: I am using the property isCriticalSystemObject as explained above.

Once all this is done, click Apply, then OK.

P-ADConfig06

This is where the compliance rule is configured. The compliance rule determines how the configuration item is reported after being evaluated.

Click New.

P-ADConfig07

Assign the name and click Browse to select the setting I just created.

P-ADConfig08

Select the CI – Active Directory – IsCriticalSystemObject setting and click Select.

P-ADConfig09

Select:

Rule type: Value (because I am going to evaluate the value of the AD attribute isCriticalSystemObject)

Value: equals FALSE

So our compliance setting is: if an AD object has the attribute isCriticalSystemObject with value FALSE, it is a compliant object.
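Added example, not code from the original post: a PowerShell script that runs the same LDAP query the Active Directory query setting defines (prefix, distinguished name, search filter, scope and property) through System.DirectoryServices and applies the rule "value equals FALSE" to every object returned. It makes visible how many objects the query actually matches and which of them carry a value other than FALSE, which the single compliant/non-compliant result on the client does not show. The OU, filter and attribute are the ones from the post; a domain-joined machine with line of sight to a domain controller, the 500-object page size and the function names are this example's assumptions.

```powershell
# Added example, not code from the original post. Runs the Active Directory query
# setting's LDAP query with System.DirectoryServices and applies the rule
# "value equals FALSE" to every object returned. Assumes a domain-joined machine
# that can reach a domain controller; OU, filter and attribute are from the post.

function Get-AdQueryValues {
    param(
        [string]$LdapPrefix = 'LDAP://',
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        [string]$SearchFilter = '(objectclass=*)',
        [ValidateSet('Base','OneLevel','Subtree')][string]$Scope = 'Subtree',
        [Parameter(Mandatory=$true)][string]$Property
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry ($LdapPrefix + $DistinguishedName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher ($root, $SearchFilter)
    $searcher.SearchScope = [Enum]::Parse([System.DirectoryServices.SearchScope], $Scope)
    $searcher.PageSize = 500                    # paged results; large OUs exceed the 1000-object limit
    [void]$searcher.PropertiesToLoad.Add($Property)
    $key = $Property.ToLower()                  # result property names are lower-case
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $value = $null
            if ($r.Properties.Contains($key) -and $r.Properties[$key].Count -gt 0) {
                $value = $r.Properties[$key][0]
            }
            New-Object PSObject -Property @{ Path = $r.Path; Property = $Property; Value = $value }
        }
    }
    finally { $results.Dispose() }
}

function Test-AdValueCompliance {
    param(
        [Parameter(Mandatory=$true)]$Results,
        [string]$ExpectedValue = 'FALSE'
    )
    foreach ($r in $Results) {
        # Boolean attributes come back as System.Boolean; compare as upper-case text like the rule.
        $text = $null
        if ($null -ne $r.Value) { $text = $r.Value.ToString().ToUpper() }
        New-Object PSObject -Property @{
            Object    = $r.Path
            Value     = $text
            Compliant = ($text -eq $ExpectedValue.ToUpper())
        }
    }
}

$objects = Get-AdQueryValues -DistinguishedName 'OU=MBAM Testing OU,OU=MBAM,DC=labserv,DC=net' `
                             -SearchFilter '(objectclass=*)' -Scope Subtree -Property 'isCriticalSystemObject'
$evaluated = @(Test-AdValueCompliance -Results $objects)
$evaluated | Format-Table Object, Value, Compliant -AutoSize
"{0} objects returned, {1} non-compliant" -f $evaluated.Count, @($evaluated | Where-Object { -not $_.Compliant }).Count
```

Objects on which the attribute is not set show an empty Value and count as non-compliant here, because the rule asks for an explicit FALSE; if that is not the intended policy, narrow the search filter so that only objects that carry the attribute are returned.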

Click OK.

P-ADConfig10

This is the final screen with all the settings. If changes are needed there is still time and hope: you can go back 🙂

If everything looks good, click Next.

P-ADConfig11

SCCM is working its magic right now 🙂

P-ADConfig12

Final confirmation screen of the Create Configuration Item wizard.

P-ADConfig13

Once the configuration item is created, the next step is to create the configuration baseline.

Right-click Configuration Baselines -> Create Configuration Baseline

P-ADConfig14

Provide a name for the configuration baseline.

Under Configuration data, click Add and select Configuration Items.

P-ADConfig15

Select the configuration item CI – Active Directory – IsCriticalSystemObject and click OK.

P-ADConfig16

Now that the configuration baseline is created, it is time to deploy it to a collection.

Right-click the configuration baseline and select Deploy.

P-ADConfig17

Select the configuration baseline CB – Active Directory – IsCriticalSystemObject.

Also select Generate an alert when compliance is below 95%, and set the date and time when the deployment should start.

Select the collection.

For the lab I set the evaluation to every 2 hours. For production environments you want to keep it to once every few days.

P-ADConfig18

Go to a client machine to which this configuration baseline is deployed. Go to Control Panel and open the Configuration Manager client.

Select the Configurations tab.

Select CB – Active Directory – IsCriticalSystemObject and click Evaluate. Then click Refresh.

P-ADConfig191

Click View Report.

It shows this compliance setting as green and compliant.

P-ADConfig20

This concludes Part 2

SCCM 2012 Configuration Items, Configuration Baselines , Compliance Settings – Part 1

Compliance Settings in SCCM 2012 can be used to evaluate a setting on the device and/or user objects present in SCCM, by targeting device or user collections.

To evaluate compliance, configuration baselines are deployed to collections. Configuration baselines are made up of configuration items and/or software updates. Configuration items are in turn made up of configuration settings.

SCCM 2012 offers 3 categories of configuration items:

1. Windows

2. Mobile Device

3. Mac OS X

P-Configuration01

In these posts I am going to cover the Windows (operating system) category, since I don't have mobile OS or Mac OS devices in my lab.

Configuration settings structure

The chart below explains how configuration items and configuration baselines work together to form compliance settings.

P-ConfigurationItems-1

Configuration Settings for Windows – Section 1

There are a total of 10 configuration settings available for use in Windows configuration items, as outlined by the red line in the picture above, but the scope of what can be achieved with them is great. Understanding these configuration settings is very important to using compliance settings effectively.

I am going to explain each of these settings with an example.

One or more of these configuration settings form a configuration item.

The picture below shows these Windows settings as they appear in SCCM.

P-Configuration02

Configuration Items – Section 2

There are 3 types of configuration items, as shown in section 2, plus software updates.

In the posts following this one I am going to cover the Windows configuration item from section 2.

Note – though a software update is a configuration setting, it cannot be configured at level 1 and can only be added at level 2, directly to a configuration baseline.

Configuration Baseline – Section 3

A configuration baseline is a group which can consist of:

one configuration item

one or more configuration items

configuration items and software updates

software updates only

SCCM Collections – Section 4

Configuration baselines are applied to SCCM collections, and that is where compliance is evaluated. One collection can have multiple configuration baselines applied at one point in time.

Compliance can be evaluated for device collections or user collections.

From the next post I am going to start configuring these settings.

Enable Compliance from Device policies

P-Configuration03

Ensure Compliance evaluation on client is set to Yes. I changed the compliance evaluation schedule to every 3 hours. However, based on an organization’s requirements it could be the default of once a week or higher.

Compliance evaluation has an impact on client activity, so very frequent compliance evaluations can slow clients down.

This concludes Part 1

SCCM 2012 OSD integrated with HTA including offline backup – Part 7

I have read here, here, here, here and here for HTA. I used the HTA available here, modified it and used it in my task sequence.

I have read here, here, here and here to learn about log capture and used it in my task sequence.

I have read here for how to sequence steps in a task sequence.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

In Part 2 I explained how to create a custom USMT package.

In Part 3 I explained the different groups in the task sequence, highlighting what each group does.

In Part 4 I explained the hard drive partition group.

In Part 5 I explained the offline USMT and Reinstall OS steps.

In Part 6 I explained the New Computer Install, Post Install and Applications Install groups.

Part 7 – Copy logs Group

This group is set to continue on error because, if there is any error in copying logs, it will otherwise appear as if the entire task sequence has failed. However, it is up to you: if you think copying logs is critical, then uncheck Continue on error.

P-4TS01

Next Sub Group is OSD Failed.

This sub group only runs if there is an error in the steps before the Copy Logs group. This is done by setting a task sequence variable as a condition.

Only if _SMSTSLastActionSucceeded is false does the sub group “OSD Failed” run. Otherwise the sub group is skipped.

P-4TS02

If the task sequence variable condition is true, then the next step is

Connect to OSD Logs Folder. This is a shared folder on the server (in my case the SCCM server) and everyone has change permissions to this folder.

HOWEVER, I was not able to connect to this folder if I used any account other than the Domain Admin account. I don’t know why yet.

P-4TS03

Next step is Delete Folder if exists

This step has Continue on error checked. This is done because, if the folder for the machine does not exist, this step will fail since there is nothing to delete.

P-4TS04

However, if the folder with the machine name exists,

the command shown in the screen below runs and deletes the folder.

P-4TS05

Next, create the folder to copy the logs into.

If this step is run under the sub group OSD Successful, the folder will be Z:\OSD_Success; everything else will be the same.

P-4TS06

Next step is Copy Logs

If this step is run under the sub group OSD Successful, the folder will be Z:\OSD_Success; everything else will be the same.

P-4TS07

Next Sub Group is OSD Successful

This sub group only runs if all the steps before the Copy Logs group complete. This is done by setting a task sequence variable as a condition.

Only if _SMSTSLastActionSucceeded is true does the sub group “OSD Successful” run. Otherwise the sub group is skipped.

P-4TS08

All the steps under OSD Successful are the same as under OSD Failed described above. Any difference in path is noted in the steps above.
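As an added example (not one of the task sequence’s own steps, and not the author’s code), here is the logic of the whole Copy Logs group, connect, delete if exists, create and copy, as one PowerShell script driven by the same _SMSTSLastActionSucceeded test the two sub groups use. The share name and the OSD_Failed folder name are assumed placeholders (the post only names Z:\OSD_Success), and the account running the step is assumed to already have change permission on the share.

```powershell
# Added example, not one of the task sequence's own steps: the Copy Logs
# group (connect, delete-if-exists, create, copy) as one PowerShell script,
# driven by the same _SMSTSLastActionSucceeded test the two sub groups use.
# Assumptions: $LogShare and the OSD_Failed folder name are placeholders
# (the post only names Z:\OSD_Success); the account of the step that runs
# this script already has Change permission on the share.

param(
    [string]$LogShare      = '\\SCCMSERVER\OSDLogs$',  # placeholder share
    [string]$SuccessFolder = 'OSD_Success',            # from the post
    [string]$FailedFolder  = 'OSD_Failed',             # assumed name
    [string]$DriveLetter   = 'Z'                       # the post maps Z:
)

# The task sequence environment only exists while a task sequence is running.
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    throw "Not running inside a task sequence: $($_.Exception.Message)"
}

# Same condition as the OSD Failed / OSD Successful sub groups.
$lastOk    = $ts.Value('_SMSTSLastActionSucceeded')
$subFolder = if ($lastOk -eq 'true') { $SuccessFolder } else { $FailedFolder }

# One folder per machine: the name chosen in the HTA, or the current host name.
$machine = $ts.Value('OSDComputerName')
if ([string]::IsNullOrWhiteSpace($machine)) { $machine = $env:COMPUTERNAME }

# Step "Connect to OSD Logs Folder": map the share to the drive letter.
if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
    Remove-PSDrive -Name $DriveLetter -Force
}
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $LogShare -Scope Script | Out-Null

$dest = Join-Path "${DriveLetter}:\$subFolder" $machine

# Step "Delete Folder if exists": guarded, so a first run does not error out
# (the post sets Continue on error on this step for the same reason).
if (Test-Path -LiteralPath $dest) {
    Remove-Item -LiteralPath $dest -Recurse -Force
}

# Step "Create Folder".
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Step "Copy Logs": _SMSTSLogPath is where the task sequence writes smsts.log.
$logPath = $ts.Value('_SMSTSLogPath')
if (-not (Test-Path -LiteralPath $logPath)) {
    throw "Log path '$logPath' from _SMSTSLogPath does not exist"
}
Copy-Item -Path (Join-Path $logPath '*') -Destination $dest -Recurse -Force

Write-Output "Copied logs from $logPath to $dest (last action succeeded: $lastOk)"
```

Running PowerShell in WinPE requires the Windows PowerShell component in the boot image; the MDT “Run PowerShell Script” step is one way to call a script like this.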

This concludes Part 7 and the entire task sequence 🙂

SCCM 2012 OSD integrated with HTA including offline backup – Part 6

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

In Part 2 I explained how to create a custom USMT package.

In Part 3 I explained the different groups in the task sequence, highlighting what each group does.

In Part 4 I explained the hard drive partition group.

In Part 5 I explained the offline USMT and Reinstall OS steps.

Part 6  – New Computer Install , Post Install and Applications Install Group

New Computer Group – This group only runs if the task sequence variable OSDOSConfig is set to NewComputer; otherwise this group is skipped. The task sequence variable is set when New Computer is selected in the HTA.

P-3TS01

Next step is Use Toolkit Package

We need to run this because the next step, Validate, runs a script. The validate script is part of the MDT Toolkit package and needs to be downloaded to the computer before the Validate step runs.

P-3TS02

Next step is Validate

This step runs the script ZTIValidate.wsf. This script checks whether the hardware meets the minimum requirements of Windows 7. You can change these settings if needed.

P-3TS03

Next Step is Apply Operating System

This step will install the OS onto a new computer.

P-3TS04

Next Step is Post Install. This group runs for both new and refresh computers.

P-3TS05

Next step is Use Toolkit Package.

P-3TS06

Next step is Gather. This runs the MDT script ZTIGather.wsf. This script reads the environment, sets task sequence variable values and runs the rules set in the CustomSettings.ini file.

If you don’t use any rules in CustomSettings.ini you can also select the first option, “Gather only local data (do not process rules)”.

P-3TS07

Next Step is Apply Windows Settings

Specify the organization name, product key, licensing mode, local Administrator password and time zone.

P-3TS08

Next is Apply Network Settings.

In this step you can join the computer to the domain. Provide the user account that has rights to join computers to the domain.

P-3TS09

Next Step is Configure

It updates the values in unattend.xml, as in the native MDT task sequence.

P-3TS10

Next Step is Auto Apply Drivers

Since I am using a virtual machine there are no drivers involved. However, when imaging a physical machine this step is critical and will need more discussion.

P-3TS11

Next Step is Setup Windows and ConfigMgr

This step installs the SCCM client.

P-3TS12

Next Step is Install Software Updates

You can choose to install either mandatory or all software updates.

Sometimes software updates take a long time if there are lots of updates to apply. Choose what is best in production.

If imaging needs to finish in a certain time, then you can disable this step.

P-3TS13

Next Step is Restore User Data

This step will only run if the task sequence variable OSDOSConfig is set to Reinstall. This selection is made on the HTA screen.

P-3TS14

Next step is Restore User State

This step uses the USMT package.

Enable Continue on error, or else if a file is missed during the task sequence the whole task sequence will fail.

P-3TS15

When “Customize how user profiles are restored” is selected, add the files as shown below, including wallpaper.xml to restore the wallpaper and the other two files for profile data.

P-3TS16

Next step is Install Application. This group will run for both the new computer install and the reinstall computer scenario.

This step will install the applications selected in the HTA.

When an application is selected for install, it sets a task sequence variable, as explained in Part 1.

P-3TS17

In the example below, if the task sequence variable is set to true then the application MS XML SP1 will be installed; otherwise this install will be skipped. The task sequence variable is set when the application is selected from the HTA screen.

For MS XML SP1 the task sequence variable is OSDXMLnotepad. If checked in the HTA, its stored value is true.

Download the HTA and open it in Notepad to review these variables.

P-3TS18

If this task sequence variable is set to true, the application MS XML SP1 will be installed.

P-3TS19

This concludes part 6

SCCM 2012 OSD integrated with HTA including offline backup – Part 5

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

In Part 2 I explained how to create a custom USMT package.

In Part 3 I explained the different groups in the task sequence, highlighting what each group does.

In Part 4 I explained the hard drive partition group.

Part 5 – This part will cover the offline USMT and Reinstall OS steps in the task sequence.

After the partition group in the task sequence, the next group is Restart in WinPE.

This step is needed for the task sequence to check whether the machine is in WinPE or not. If not, this step will boot the machine into WinPE, using the variable _SMSTSInWinPE.

P-2TS01

If the variable _SMSTSInWinPE is false then this step will run.

We need to run this step in order to do two things

P-2TS02

First, to display the HTA, and second, to back up the computer if this is a reinstall.

Offline backup has one advantage: no user is logged in and no processes are running, so the likelihood of USMT failing is lower.

Next Step Is Display HTA

P-2TS04

As shown above, package HTA1 just contains one file, “SCCMDiet.hta”. It is a Run Command Line step of the task sequence. At this point the task sequence will be in WinPE and the HTA will be displayed.

From here on the task sequence will run or skip steps based on the selections made in the HTA.

Backup User data

The Backup User Data step will run if the task sequence variable OSDOSConfig is set to Reinstall.

P-2TS05

If the above condition evaluates to true, then the next step is to Set Local State Location.

P-2TS06

The next step defines how the backup will be done. With USMT 5.0 it has become very simple to do a hard-link backup in WinPE.

P-2TS07

If you select the options as displayed in the screen above you will be able to capture user data in WinPE. This step is using the USMT v1 package created earlier. This USMT package has the extra wallpaper.xml in it.

We need to specify the wallpaper.xml file in order for USMT to migrate the wallpaper.

P-2TS08

Select files and then add the names of all three files.

After the backup is complete, the next step is to install the operating system. This group will run if the OSDOSConfig task sequence variable is set to Reinstall. (This variable gets set while making the OS selection in the HTA.)

P-2TS09

Next step is Apply Operating system

P-2TS10

This step will install the operating system, Windows 7 in this case.

This concludes part 5

SCCM 2012 OSD integrated with HTA including offline backup – Part 4

I have read here, here, here, here and here for HTA. I used the HTA available here, modified it and used it in my task sequence.

I have read here, here, here and here to learn about log capture and used it in my task sequence.

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

In Part 2 I explained how to create a custom USMT package.

In Part 3 I explained the different groups in the task sequence, highlighting what each group does.

Part 4  – New Computer Hard drive partition

In part 4 I am going to review the steps in the first section of the task sequence.

The task sequence explained in Part 3 is basically divided into 2 groups:

1st group is Execute Task Sequence

2nd group is Copy Logs

Execute Task Sequence

As seen below, the 1st group is set to continue on error. What this means is that if the task sequence fails at any step before the 2nd group, it will not abort the task sequence; instead it will go to the 2nd group, Copy Logs.

P-TS01

Partition if necessary

P-TS02

This group is as-is from the MDT standard client task sequence. This group evaluates a few conditions before executing the next step.

As you can see from the screen capture above, all the conditions need to be true for this step to run:

_SMSTSInWinPE equals TRUE – This is the first condition that is processed: whether the task sequence is in WinPE or not. If not in WinPE, this step will be skipped.

_SMSTSMediaType not equals OEMMedia – If the task sequence variable _SMSTSMediaType = OEMMedia, this step will be skipped and the disk will not be formatted, because if prestaged media is present then the disk is ready and does not need to be formatted. When prestaged media (a WIM file) is created, it has the task sequence variable _SMSTSMediaType set to OEMMedia.

The last condition being evaluated is a WMI query, and it has 3 conditions.

A logical disk type of 3 means a local disk; the Device ID is the drive letter.

Here is the condition that eventually gets evaluated:

if the logical disk type is not equal to 3, this step will be skipped

if the Device ID is X:, this step will be skipped

if the file system is NTFS, this step will be skipped
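To make the three conditions above concrete, here is an added example (not part of the MDT task sequence) that evaluates them as a PowerShell function, so they can be checked from a WinPE command prompt (F8) before the step runs. It assumes the WMI condition means “a local disk (DriveType 3) that is not X: and is not NTFS”, which is how the post reads it; the disk rows at the bottom are constructed sample input.

```powershell
# Added example, not part of the MDT task sequence: the three conditions of
# the "Partition if necessary" group, written as a function so they can be
# checked from a WinPE command prompt (F8) before the step runs.
# Assumption: the WMI condition is "a local disk (DriveType 3) that is not X:
# and is not NTFS", which is how the post reads it.

function Test-PartitionIfNecessary {
    param(
        # Normally read from the task sequence environment; passed in so the
        # check can run without a task sequence.
        [Parameter(Mandatory)][string]$InWinPE,       # _SMSTSInWinPE
        [Parameter(Mandatory)][string]$MediaType,     # _SMSTSMediaType
        [Parameter(Mandatory)][object[]]$LogicalDisks # Win32_LogicalDisk rows
    )

    $reasons = @()

    # Condition 1: _SMSTSInWinPE equals TRUE.
    if ($InWinPE -ne 'true') { $reasons += '_SMSTSInWinPE is not true' }

    # Condition 2: _SMSTSMediaType not equals OEMMedia (prestaged disk is ready).
    if ($MediaType -eq 'OEMMedia') { $reasons += '_SMSTSMediaType is OEMMedia' }

    # Condition 3: a local (DriveType 3), non-X:, non-NTFS logical disk exists.
    $candidates = @($LogicalDisks | Where-Object {
        $_.DriveType -eq 3 -and $_.DeviceID -ne 'X:' -and $_.FileSystem -ne 'NTFS'
    })
    if ($candidates.Count -eq 0) { $reasons += 'no local non-NTFS disk other than X:' }

    [pscustomobject]@{
        Run        = ($reasons.Count -eq 0)
        Reasons    = $reasons
        Candidates = @($candidates | ForEach-Object { $_.DeviceID })
    }
}

# Inside the task sequence the real inputs come from the TS environment and WMI:
#   $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
#   Test-PartitionIfNecessary -InWinPE $ts.Value('_SMSTSInWinPE') `
#       -MediaType $ts.Value('_SMSTSMediaType') `
#       -LogicalDisks (Get-WmiObject -Class Win32_LogicalDisk)

# Constructed sample: the WinPE RAM drive X: plus a blank (no file system) C:.
$sample = @(
    [pscustomobject]@{ DeviceID = 'X:'; DriveType = 3; FileSystem = 'NTFS' },
    [pscustomobject]@{ DeviceID = 'C:'; DriveType = 3; FileSystem = $null }
)
# Constructed non-OEM media type; the group should run and name C: as candidate.
Test-PartitionIfNecessary -InWinPE 'true' -MediaType 'BootMedia' -LogicalDisks $sample

# Same disks with C: already NTFS: the group is skipped and Reasons says why.
$sample[1].FileSystem = 'NTFS'
Test-PartitionIfNecessary -InWinPE 'true' -MediaType 'BootMedia' -LogicalDisks $sample
```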

 

Next step is Script exists and non-NTFS partitions

P-TS03

This step will run when the following conditions are met:

ZTIConfirmDiskPart.vbs exists

DiskIndex = 0 (the disk index is the index number of the disk containing this partition)

the disk partition type is “Installable file system” (other examples of partition types are FAT, Extended partition, NTFS, unknown, etc.)

the disk partition type is NTFS

If all the above conditions are true then the task sequence moves to the next step.

Confirmation to Partition Disk

P-TS04

This step will run the script as shown in the screen above.

Format and Partition Disk (UEFI)

This step will only run if the task sequence variable _SMSTSBootUEFI is true.

P-TS05

UEFI-based computers have different requirements than BIOS-based computers. Windows 8 uses UEFI.

GPT (GUID Partition Table) disks can have partitions of size 2.2 TB.

GPT (GUID Partition Table) also supports 128 partitions.

P-TS06

Windows RE Tools – This partition should be separate from the Windows partition. No drive letter is assigned to this partition.

This partition has two main functions:

Support failover of the Windows partition

Support booting from BitLocker-encrypted partitions

EFI – EFI is the system partition of UEFI-based computers. The computer boots from this partition. It is formatted with FAT32. This partition is managed by the operating system and should not contain any other files.

MSR – Microsoft Reserved Partition – The MSR partition is used for drive management. There is one MSR partition for each drive.

OSDisk – This is where the operating system files reside, along with data.

Format and partition

This step runs if the task sequence variable _SMSTSBootUEFI is not true.

P-TS07

This step is for computers with BIOS. It will install the OS on the drive, which is formatted with NTFS.

p-TS08

By default the MDT standard client task sequence assigns a task sequence variable named OSDTemporaryDrive to the drive. I removed OSDTemporaryDrive and selected the next formatted partition from the list.

P-TS10

This concludes Part 4

SCCM 2012 OSD integrated with HTA including offline backup – Part 3

I have read here, here, here, here and here for HTA. I used the HTA available here, modified it and used it in my task sequence.

I have read here, here, here and here to learn about log capture and used it in my task sequence.

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

In Part 2 I explained how to create a custom USMT package.

Part 3 – Importing the task sequence in SCCM

Download the zip file for the task sequence as mentioned in part 1 and then go to the Configuration Manager console.

Go to Software Library, Operating System Deployment, Task Sequences.

Click on Import Task Sequence and ignore the dependencies.

Open the task sequence and you will see the following steps.

P-HTAts01

These are ALL the steps in the task sequence. I have highlighted what each group does. I will explain each group in the next post. At this point, resolve the package dependencies before moving forward.

Some groups use task sequence variables created and set by the HTA. Some groups use task sequence variables set by MDT and SCCM.

This concludes part 3

SCCM 2012 OSD integrated with HTA including offline backup – Part 2

I have read here, here, here, here and here for HTA. I used the HTA available here, modified it and used it in my task sequence.

I have read here, here, here and here to learn about log capture and used it in my task sequence.

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

In Part 1 I explained the code in the HTA, the various HTA options, and created the package for the HTA.

Part 2 – Creating custom USMT package for wallpaper

In part 2 I am going to create a custom USMT package and add an XML file for wallpaper migration.

I do not like to modify the default USMT package, so I am creating a new one for use with my task sequence.

The link to download the wallpaper XML file is provided in part 1.

The USMT package is created when SCCM is installed. Let me check the location of that package first.

P-USMThta01

The default USMT package is stored in c:\Program files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration tool\

Let’s review the content of this folder.

P-USMThta02

This package has two folders, amd64 and x86.

Now, to create the new USMT package, create a new folder in your sources directory and copy both the amd64 and x86 folders in there.

Now copy the Wallpaper.xml file into amd64.

P-USMThta03

Now copy the same Wallpaper.xml file to the x86 folder.

P-USMThta04

Now create the package with USMTv1 as the source folder for the package. No programs are needed for the USMT package.

Distribute the package to all distribution points. Now the USMT package is ready for offline migration, along with the wallpaper.

This concludes Part 2

SCCM 2012 OSD integrated with HTA including offline backup – Part 1

I have read here, here, here, here and here for HTA. I used the HTA available here, modified it and used it in my task sequence.

I have read here, here, here and here to learn about log capture and used it in my task sequence.

I have read here for how to sequence steps in a task sequence.

If you are new to HTA with SCCM, it could take you 1 or 2 days just to set up your environment, so keep in mind that it is a lengthy, drawn-out process.

Environment – This is tested in an SCCM 2012 R2 SP1 lab with a single primary site.

Prerequisites

SCCM 2012 R2 SP1

SCCM client package (This package gets created when you install SCCM)

USMT package (This package gets created when you install SCCM)

MDT 2013 integrated with SCCM

MDT x86 boot image (This is created when you create an MDT Standard Client task sequence)

MDT Toolkit package (This is created when you create an MDT Standard Client task sequence)

MDT Settings package (This is created when you create an MDT Standard Client task sequence)

HTA (You can download the HTA from here)

Wallpaper XML file (You can download the wallpaper XML file from here). This file is used for migrating the wallpaper.

Task sequence (You can download the full task sequence from here), but I encourage you to create a new MDT Standard Client task sequence and then modify it, or try both methods.

If you are importing the task sequence, just ignore the dependencies and import.

Software packages as shown in the HTA (Create at least a couple if you want to see task sequence variables in action)

PART 1 – Reviewing HTA

In part 1 I am going to review the HTA that I will be using in the task sequence and look at the code inside the HTA to better understand what is in it.

Download the HTA file and open it. It will pop up an error about the task sequence environment, and that is normal (since the HTA is not running in WinPE).

P-HTA01

The HTA looks as shown above.

The first field is Computer Name. If the computer already exists in SCCM and is known, the computer name is automatically shown in the computer name field.

OS Selection – This is a radio-type selection and you can select New Computer or Reinstall. If you select New Computer it will format the HDD and install Windows 7 x64.

If you select Reinstall, it will back up user data from WinPE using hard-linking and reinstall Windows 7 x64.

Select software to install

If you check a box, the respective software will be installed. This is done by setting a task sequence variable, explained shortly, further down in this post.

Clicking on Finish will close the HTA when in WinPE.

Inside HTA

Now open the HTA with Notepad++ or any other advanced text editor.

In the HTA you will notice it has two sections. The first section is the script, which dictates the logic when selections are made within the HTA. The second section is the HTML, which dictates how the HTA is displayed when it runs.

P-HTA02

As you see above, one section of code is for hiding the task sequence progress bar while the HTA is running.

The section below is the code for setting the computer name.

P-HTA03

The OS config section sets a task sequence variable. The task sequence variable name is “OSDOSConfig”, and the code also determines what the value of this variable will be based on the selection, which is explained further down in the post.

The next section, Apps, sets a task sequence variable for each application. For the application SevenZip it sets the task sequence variable “OSD7zip”. It also sets the value of this task sequence variable to “true” if it is checked in the HTA.

P-HTA04

Shown above is the HTML section of the HTA. The first section defines what the computer name field looks like and how many characters it can hold.

OS configuration sets the value of the task sequence variable OSDOSConfig to either NewComputer or Reinstall, based upon what selection is made.

The software selection section shows that it is a checkbox, and selecting the checkbox for SevenZip will set the task sequence variable OSD7Zip to true.

Task sequence variables can be used as conditions to either run a step in task sequence or skip it. I will detail that in a later post.
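The variable-setting side of the HTA described here, and the application conditions that consume those variables in Part 6, as an added PowerShell example (this is not Nick’s HTA and not the task sequence’s own code): it builds the mapping from the HTA selections to task sequence variables and writes it to the task sequence environment. Variable names are the ones the posts use (OSDOSConfig with NewComputer/Reinstall, OSD7zip, OSDXMLnotepad); the use of OSDComputerName for the name field, the 15-character NetBIOS limit, and writing “false” for unchecked boxes are assumptions.

```powershell
# Added example, not Nick's HTA and not the task sequence's own code: the
# variable-setting side of the HTA as PowerShell, so the mapping from the
# HTA selections to task sequence variables can be tested outside WinPE.
# Names from the posts: OSDOSConfig (NewComputer / Reinstall), OSD7zip and
# OSDXMLnotepad ('true' when checked). Assumed: the computer name goes to
# OSDComputerName, NetBIOS length limit 15, unchecked boxes written as 'false'.

function ConvertTo-OsdVariables {
    param(
        [Parameter(Mandatory)][ValidateSet('NewComputer', 'Reinstall')]
        [string]$OSConfig,
        [Parameter(Mandatory)][string]$ComputerName,
        # Checkbox variable name -> checked state, e.g. @{ OSD7zip = $true }
        [hashtable]$Apps = @{}
    )

    # The HTA's name field limits the length; a valid NetBIOS name is assumed.
    if ($ComputerName.Length -gt 15 -or $ComputerName -match '[\\/:*?"<>|\s]') {
        throw "Invalid computer name '$ComputerName'"
    }

    $vars = [ordered]@{
        OSDComputerName = $ComputerName.ToUpper()
        OSDOSConfig     = $OSConfig
    }
    foreach ($app in $Apps.Keys) {
        if ($app -notmatch '^OSD\w+$') { throw "Variable '$app' must be named OSD<app>" }
        # Writing 'false' for unchecked boxes means a value left over from an
        # earlier run cannot silently enable an application install step.
        $vars[$app] = if ($Apps[$app]) { 'true' } else { 'false' }
    }
    $vars
}

function Write-OsdVariables {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Variables)
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    } catch {
        # The same failure the post mentions when the HTA is opened outside WinPE.
        throw "No task sequence environment; nothing written. $($_.Exception.Message)"
    }
    foreach ($name in $Variables.Keys) {
        $ts.Value($name) = [string]$Variables[$name]
    }
}

# Constructed selections: Reinstall, 7-Zip checked, MS XML SP1 unchecked.
$selected = ConvertTo-OsdVariables -OSConfig 'Reinstall' -ComputerName 'lab-pc01' `
    -Apps @{ OSD7zip = $true; OSDXMLnotepad = $false }
$selected   # inspect the mapping; inside WinPE call: Write-OsdVariables $selected
```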

This is a very short overview of what is inside the HTA. Thanks again to Nick for providing the HTA.

Copy the HTA to your sources folder, create a package without any program and distribute it to the distribution points.

P-HTA05

This concludes part 1

Enable RDP during Task Sequence

To enable RDP on Windows 7 machines during OS install, edit the task sequence after the OS install and Setup ConfigMgr client phase.

Add a command line step to the task sequence. This will enable remote connections:

cmd.exe /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /V "fDenyTSConnections" /t REG_DWORD /d 0 /f

P-EnableRDP01

After this step, add another step so that clients can connect using RDP. Add the following command line:

cmd.exe /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

P-EnableRDP02

After the OS is installed you will be able to RDP to the client without any extra configuration.

Installing MBAM 2.5 integrated with SCCM 2012 – Part 7

In Part-1 of installing MBAM 2.5, we installed the MBAM 2.5 server OS, installed SQL, configured Reporting Services, downloaded MDOP 2013 and downloaded configuration files for SCCM and other software as needed.

In Part-2 of installing MBAM 2.5, we created the service account, user IDs and groups to be used for installing and configuring MBAM. We also set the SPN for the application pool account.

In Part-3 of installing MBAM 2.5, we updated inventory in SCCM and installed the SCCM integration components.

In Part-4 of installing MBAM 2.5, we installed and configured the MBAM database and reports.

In Part-5 of installing MBAM 2.5, we installed and configured the MBAM web services and administration portal.

In Part-6 of installing MBAM 2.5, we added the Group Policy templates and configured group policies for Windows clients.

In Part 7 we are going to encrypt the OS drive on a Windows 8 virtual machine.

Install MBAM Client

From the MBAM 2.5 install directory, go to the x64 folder and run MBAMClientSetup.exe. There are no prompts, but the client will be installed.

In Part-6 we configured and applied Active Directory group policies to allow MBAM to encrypt the drive without a compatible TPM chip.

Update group policies after installing the MBAM client.

MBAMwin801

After updating the group policies, I had to wait for about 30 minutes for this screen to show up. So patience is a must 🙂

If you want to speed things up, add a registry value:

HKLM\Software\Microsoft\MBAM

Key Name – NoStartupDelay

Value – 1

MBAMwin802

Before going any further, please ensure that the virtual CD-ROM drive is empty and no ISO file is mounted.

Enter a password of a minimum of 8 characters (as set in the group policy in Part-6).

MBAMwin803

Click on Create password and the encryption will start.

MBAMwin804

At this point the drive is encrypted. You can click on Exit. If you want to change the password you can do so later from Control Panel.

MBAMwin805

Restart the virtual machine which just finished encrypting. This is the first screen you will get.

Enter the password and press Enter.

MBAMwin806

Now the client is encrypted.

Let’s review the compliance information stored on the SCCM server.

The report below shows the compliance status. If there were another Windows 8 virtual machine and it was not encrypted, compliance would not be 100%.

MBAMwin807

The report below shows enterprise compliance status. This gives SCCM admins a good idea of how many machines are pending BitLocker rollout.

MBAMwin808

BitLocker password recovery:

The steps below can be used if a user forgot the BitLocker password.

When the computer reboots, at the password screen press Esc to get the BitLocker recovery options.

Copy the first 8 characters of the BitLocker key.

MBAMwin809

Go to the Administration and Monitoring website on the MBAM server.

Click on Drive Recovery options and enter the first 8 digits of the key. I just selected the first option, OS boot order changed.

MBAMwin810

Submit to get a recovery key for the drive.

MBAMwin811

Copy this key and use it to log in to the machine.

MBAMwin812

Once logged in you can reset the password again.

Go to Control Panel, BitLocker encryption options, and reset the password.

This concludes part 7

Installing MBAM 2.5 integrated with SCCM 2012 – Part 6

In Part-1 of installing MBAM 2.5, we installed the MBAM 2.5 server OS, installed SQL, configured Reporting Services, downloaded MDOP 2013 and downloaded configuration files for SCCM and other software as needed.

In Part-2 of installing MBAM 2.5, we created the service account, user IDs and groups to be used for installing and configuring MBAM. We also set the SPN for the application pool account.

In Part-3 of installing MBAM 2.5, we updated inventory in SCCM and installed the SCCM integration components.

In Part-4 of installing MBAM 2.5, we installed and configured the MBAM database and reports.

In Part-5 of installing MBAM 2.5, we installed and configured the MBAM web services and administration portal.

In Part-6 we are going to add the Group Policy templates and configure group policies for Windows clients.

Group policies form an integral part of the MBAM implementation. These policies enforce what settings MBAM should apply, the behavior of passwords, and the TPM PIN.

As detailed in Part 1, download and install the MDOP Group Policy templates on a domain controller or any other machine capable of running AGPM or GPM templates.

There are two sets of files in the unzipped files:

1. admx

2. adml

MBAMgp01

The adml files are under the folder en-US.

MBAMgp02

Now go to c:\Windows\PolicyDefinitions and copy the admx files there.

Copy the adml files into en-US.

MBAMgp03

Now we are ready to configure group policies.

Depending on your company’s policy, you will need to design where in Active Directory you want to apply the policy and who would be covered by this policy.

BUT for testing and lab purposes, create a new OU, move the test machine to the new OU and link a new GPO there.

Before we go any further: Microsoft recommends NOT configuring BitLocker Drive Encryption settings for MBAM, as seen below. These settings are updated when we update the MBAM policies.

MBAMgp04

Go to Computer Configuration – Policies – Administrative Templates – Windows Components – MDOP MBAM (BitLocker Management)

(I will only be enabling the minimum policies to get BitLocker working. Based on your needs you may want to enable more settings.)

The first policy to be enabled is Client Management.

MBAMgp05

Open MBAM Services settings.

The important setting to note here is Configure MBAM Status reporting service:

This needs to be disabled if MBAM is integrated with SCCM (which in our case it is),

and the MBAM status reporting service endpoint should be left blank. This information is collected by SCCM and can be retrieved using the MBAM compliance reports from SCCM reports.

MBAMgp06

The second set of policies are the Operating System Drive policies.

Two policies need to be enabled here:

Operating system drive encryption settings

Configure use of passwords for operating system drives

MBAMgp07

Operating system drive encryption settings.

These settings are for TPM and PIN, depending on whether you want password and PIN or just TPM + PIN.

To allow encrypting without a TPM, select the check box (Allow BitLocker without TPM).

MBAMgp08

These settings follow the previous settings and define the password properties, such as complexity and length of the password.

To enforce complex passwords, the password policies must allow complex passwords.

MBAMgp09

The last one is on removable drives. This would again be dependent on company policy for removable drives. If you want to allow users to encrypt removable drives, enable this setting.

MBAMgp10

Next up is the Enforcement settings (a new feature in MBAM 2.5).

We can enforce the encryption settings either on a fixed drive or on the operating system drive, depending upon what you choose.

I am setting the policy under Fixed Drive (you could choose to enforce only the OS drive from the “Operating system drive” settings).

MBAMgp11

Provide a grace period. After the grace period, users cannot postpone the start of encryption.

MBAMgp12

This concludes Part 6

Installing MBAM 2.5 integrated with SCCM 2012 – Part 5

In Part-1 of installing MBAM 2.5, we installed the MBAM 2.5 server OS, installed SQL, configured Reporting Services, downloaded MDOP 2013 and downloaded configuration files for SCCM and other software as needed.

In Part-2 of installing MBAM 2.5, we created the service account, user IDs and groups to be used for installing and configuring MBAM. We also set the SPN for the application pool account.

In Part-3 of installing MBAM 2.5, we updated inventory in SCCM and installed the SCCM integration components.

In Part-4 of installing MBAM 2.5, we installed and configured the MBAM database and reports.

In Part-5 of installing MBAM 2.5, we are going to install and configure the MBAM web services and administration portal.

Before starting this configuration, change the port of the Default Web Site to something other than 80 if you wish to use 80 for MBAM.

Step 1:

On the MBAM server (SQL01), go to Programs and launch MBAM Server Configuration, then click on Add New Features.

P-MBAMweb01

Select Administration and Monitoring Website and Self-Service Portal and click Next.

P-MBAMweb02

If all the prerequisites are met, select Next.

P-MBAMweb03

On the Configure Web Applications page, since I am not using PKI, I checked the “Do not use certificate” option.

Then add the server name and supply the web application pool account. This account needs to be in the DB read/write group.

For more information on users and groups, review Part-2 of installing MBAM 2.5.

P-MBAMweb04

Scrolling down on the Configure Web Applications page:

Specify the server name for the Compliance and Audit database and the Recovery database.

P-MBAMweb05

Scrolling down on the Configure Web Applications page:

Specify the MBAM advanced helpdesk group.

Specify the MBAM helpdesk group.

Make sure the System Center integration box is checked, else the compliance reports will be installed again on the web administration server, and we don’t want that because the compliance reports are already installed on the SCCM server.

Provide the Reporting Services role group name.

URL of the Reporting Services instance installed on the MBAM server. (This in my case is different from the SCCM Reporting Services.) I have two instances of Reporting Services running: one on the SCCM server and one on the MBAM server.

Virtual directory for helpdesk. The URL for helpdesk would be http://sql01/helpdesk

P-MBAMweb06

On the Configure Web Applications page, scroll down to the end to specify the self-service portal, and click Next.

P-MBAMweb07

Review the summary of the configuration and, if everything looks good, click on Add.

P-MBAMweb08

Web services installing

P-MBAMweb09

Click on Close.

P-MBAMweb10

This completes the installation of the web services portal for MBAM, including the self-service portal.

Now let’s review the installation.

Go to IIS and review the new website. Notice that the HelpDesk and SelfService websites (virtual directories) have been created.

P-MBAMweb11

Now let’s review the Administration and Monitoring website.

Notice that on the left side there are no reports. That is because the user is only a member of the group G_MBAM_Advhelpdesk.

If a user is a member of both G_MBAM_Helpdesk & G_MBAM_AdvHelpdesk, the permissions of G_MBAM_AdvHelpdesk are effective.

P-MBAMweb12

Now add the user to G_MBAM_Reporting and notice that the reports are available.

P-MBAMweb13

Let’s review the self-service portal.

P-MBAMweb15

Once you accept the terms, the next page shows the BitLocker options. This page is only a welcome screen.

P-MBAMweb16

This completes the install of the MBAM components.

One more thing…

Let’s review the reports again. You only see the Recovery Audit report.

This is one way to verify that MBAM is integrated with SCCM. If MBAM is not integrated with SCCM, then you will see 3 compliance reports here as well.

P-MBAMweb17

At this point we are done with installing the server-side components. Future posts for MBAM 2.5 will be related to the client side of MBAM and how to start using the application.

This concludes part 5