MVP Jörgen Nilsson did a great post the other day over at https://4sysops.com/archives/monitoring-laps-with-configuration-manager/ where he showcased how one could monitor LAPS with the help of CI's in ConfigMgr to make sure it's installed and running properly. Continuing on the LAPS theme and ways ConfigMgr can help us improve security and maintain control, I would like to talk a little about how we can remove non-authorized members of the local administrator group with the help of Configuration Items/Baselines in ConfigMgr. For those who are unfamiliar with LAPS (Local Administrator Password Solution), you can learn more here: https://technet.microsoft.com/en-us/mt227395.aspx [...]
Today's news is all about Petya - but the way it gets onto PCs and spreads across the network is actually old news. In short, Petya does 3 things: encrypts your files, steals credentials, and spreads to other machines. It takes advantage of the "Shadow Broker Vulnerability" MS17-010. If you have patched your machine, you will not be hit with the SMB exploit. However, it also uses Mimikatz-like capabilities to steal credentials from the local machine and copy itself to other machines' ADMIN$ share. A kill-switch has been described as simple as creating a file called C:\Windows\perfc (without [...]
Understand the MBAM installation process and how to use PowerShell to install features.
I have seen several blog posts on how to unlock a BitLocker encrypted drive from Windows PE, using the recovery password stored in the Microsoft BitLocker Administration and Monitoring (MBAM) SQL Server database. What's the problem with these solutions? All of these have one thing in common: they query the SQL database directly, which requires changing SQL Server configuration and granting access to the database directly. Why is this a problem? Well, in my opinion this is a bad design approach, as the core purpose of implementing BitLocker volume encryption and MBAM is to secure our data from being compromised. By [...]
Lately I have been doing some Secunia integrations with System Center 2012 R2: Configuration Manager (SCCM/ConfigMgr 2012). When you are setting up the connector between Secunia CSI and WSUS, one of the first things the wizard asks you to do is to configure a WSUS self-signed certificate. The WSUS signing certificate is required to create and install local packages; without it, only packages from Microsoft Update will be installed. However, this time I got this error when trying to 'Automatically create and install certificate' during the Connector Wizard: "An error occurred when creating the WSUS Signing Certificate". Now this [...]
What you will be able to do after reading this blog: Get the latest information about "your" signature and antivirus reports in Windows Defender and save it to a text file. How to automate it, so it will run every day and give you a status report with time and date. Being able to look at what time and date the latest updates have been completed. First of all, we have to create a folder/directory where the status reports can be stored. Open up PowerShell in administrative mode and run this script by copying and pasting it: Now that the [...]
First, let’s define a managed application. In essence, it’s a special policy that enables you to control settings in the application or browser, such as data encryption or whether the user can save the document as a new file. To successfully deploy a managed application you need to mix the application deployment with an application management policy. Configuration Manager will automatically discover if the application can be managed and will show an additional page in the wizard when you create the deployment. It’s worth noting that not all applications can be managed. They have to have the Intune App SDK built-in or [...]
While this is not a newly discovered hack, I feel that we cannot stress the importance of using BitLocker to encrypt our hard drives. If you, like me, encounter customers that still run their computers unencrypted and don’t see the need for encryption, just use the following guide to show them how easy it is to activate the local administrator account and reset its password. Step 1: Show the customer that the local administrator account is disabled (or that you don’t know the password). Step 2: Boot from any bootable media, such as the original installation media, Ultimate Boot [...]
How do I secure my clients with Endpoint Protection using the deploy Task Sequence.
Windows 8 comes with the option to pre-provision the disk for use with BitLocker, allowing only the used space to be encrypted, thus reducing the encryption time a lot. Problems occur when enterprises want to use the Microsoft BitLocker Administration and Monitoring (MBAM) toolkit from the Microsoft Desktop Optimization Pack (MDOP) to store BitLocker recovery keys and track compliance. MBAM 2.0 SP1 does not support used-space encryption as per the release notes, forcing enterprises to either drop MBAM or perform full encryption of the disk, which can be a time-consuming task depending on disk size and CPU performance. After spending [...]
In the previous blog post I used file and registry settings for my Configuration Item. Another way to define your Configuration Item settings is scripts. And in CM2012 we have 3 scripting options: JScript, PowerShell, and VBScript. (The same goes for the use of scripts in Detection Methods when we create Application Deployment Types.) Since the new colour fashion in scripting today is blue, I guess the popular choice would be PowerShell. On a serious note – PowerShell is now everywhere, just ask my buddy Kaido Järvemets. And in this example I will be checking for a setting on the [...]
This example will show you a way to get compliance data from your clients regarding the System Center Endpoint Protection 2012 Client. Now, I'm aware that we, through CM2012 reports and console views, already have good tools to monitor the client states in regard to SCEP - but let's say you have another antimalware product and would like some compliance info from the clients inserted into CM2012 that you can then use to create reports etc. The principles are the same. First of all you will need to create Configuration Items in the CM2012 Console - these items will hold [...]
Ok, so this SCEP Update was released some time ago, but I have seen and heard some confusion on how to get this Update installed properly into the ConfigMgr environments. http://support.microsoft.com/kb/2828233 The KB2828233 update itself is a server update and you need to install it on your Primary Site servers as you do with the SP’s, CU’s and other Hotfixes. What it will do on the server is that it will: Install itself as an Update to Endpoint Protection to the local EP Client on the server. Create a Server Update Package in ConfigMgr in the Packages folder “Configuration [...]
In ConfigMgr 2012 SP1 you might run into the Automatic Client Upgrade feature being greyed out even if you are a full administrator. In this example I have a group called ConfigMgr Administrators that has been assigned Full Administrator rights but is still not able to enable the Automatic Client Upgrade settings. To fix the issue, log in with the account that installed the primary site server. In the Administration workspace, select Security, Administrative Users and open the properties for the ConfigMgr Administrators group. Click Add, Security Scope and select All Security Scopes. Click OK and all users in the ConfigMgr [...]
A huge thanks to all NIC 2013 attendees, once again you proved that Norway is a perfect place to host the Nordic Infrastructure Conference. Two great days with some A-Class speakers. As promised here is my slide deck from my 3rd. party software update session. During my session, I discussed how to prepare your environment for 3rd. party patch management and demonstrated two different solutions. Download Slide deck System Center Updates Publisher Download the complete SCUP 2021 guide here Checkout the SCUP videos Checkout the PatchMyPc catalog here: Check out the “scupdates” catalog here: Secunia Download Secunia PSI, a freeware [...]
RBA or Role Based Administration is one of the many new features in ConfigMgr 2012. It’s a very powerful feature and has already helped lots of customers minimize the need for having multiple primary sites. One annoying fact in RTM is that all collections (users and devices) show up when running a report. This has changed in Service Pack 1, which makes the RBA feature even more powerful. In this example I have a user (DskAdmin) who is a member of the Desktop Admins group in Active Directory. Desktop admins must all be granted Application Administrator permissions and allowed to work [...]
A few years ago I wrote a blog post on Microsoft SCUP and Secunia CSI 5.0. Back then my conclusion was that Secunia had a superb security database but required a custom agent and didn’t have an easy Configuration Manager Console integration. With the latest release of Secunia CSI those “obstacles” are removed and the solution looks very promising. In this, my first test drive of the product, I will see how quickly I can install the solution and start patching my environment. The installation: CSI requires that you first install the CSI administrator console and then the CSI SCCM [...]
I guess everyone knows that you can’t enable BitLocker on a machine from a Task Sequence if there is a CD in the CD drive… The workaround is quite simple, just run a script to eject the CD drive before running the “enable BitLocker” step. Well, the other day this script, a vbs, I use, was removed by Forefront. I guess the heuristic scan evaluated the content of the script to be unsafe, and quarantined it. This is obviously not good, as it’s needed by the task sequence… So I thought, maybe there is a way to eject the CD [...]
Role based Security in ConfigMgr 2012 is much different from ConfigMgr 2007. The new version ships with predefined security roles like Administrator, Infrastructure Administrator etc. One role is missing though - the Reporting User role. Create the Reporting User role: Open the ConfigMgr Console, navigate to the Administration workspace and select Security, Security Roles. Select the Read-Only Analyst role and click Copy on the ribbon. This role comes very close to our reporting only role. Name the Role Reporting User. Go through all the security settings and remove all settings except Run Report. Click OK and save the custom role. [...]
Forefront Endpoint Protection 2010 (FEP 2010) allows you to consolidate desktop security and management in a single solution, because it is built on System Center Configuration Manager 2007. That means in many cases you can use your existing client management infrastructure to deploy and manage your endpoint protection. My colleague Kent Agerlund and I have made a Forefront Endpoint Protection 2010 installation and configuration guide for Configuration Manager 2007 which will give you all the information you need to implement FEP 2010 into your existing Configuration Manager 2007 environment. The guide can be downloaded here:
In the SCCM Admins guide to preparing your environment for BitLocker Drive Encryption post series, I walked you through how to prepare your environment for BitLocker in order to enable the backup of the BitLocker recovery password and the TPM owner password hash to Active Directory. But what will happen if: 1. You join a stand-alone machine which already had BitLocker enabled before the domain-join 2. You unjoin a BitLocker enabled machine from one domain and join it to another domain, which could be a domain in the same forest or another forest. 3. You migrate the computer account of [...]
In part 1 and part 2, I talked about the requirements for BitLocker and walked you through how to extend your Active Directory Schema if you run Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 domain controllers. We then set the permission so that a Windows 7 machine was able to write its own TPM owner password to Active Directory. Today we are going to put the configuration made in part 1 and 2 to the test and enable BitLocker on a Windows 7 machine. Then we are going to install the BitLocker Recovery Password Viewer for Active Directory tool [...]
In part 1, I talked about the requirements for BitLocker and showed you how to extend your Active Directory Schema if you run Windows Server 2003 SP1/SP2 or Windows Server 2003 R2 domain controllers. We then set the permission so that a Windows 7 machine was able to write its own TPM owner password to Active Directory. Today I am going to walk you through how to configure the Group Policy settings for BitLocker which are required in order to enable the backup of the BitLocker recovery password and the TPM owner password to Active Directory. You will need either a [...]
The permissions required to create and modify a query in Configuration Manager are: Read, Create, and Modify. However, if you have configured folders in the Query object you might end up with this error. The error message states that you don’t have permissions to create the query – but that’s not true. The query is created, just not in the folder you expected. Instead the query is created in the root of the Query object. To fix this you need to assign Manage Folder permissions to the Query object. Then it works as expected.