Wednesday, December 12, 2012

SHA-1 checksums for files


To obtain the hash, you'll need a utility that calculates SHA-1 checksums for files. Microsoft has a free download for this, the File Checksum Integrity Verifier (FCIV, fciv.exe). Run fciv.exe from the command line on your reference PC to obtain the desired checksum:

Note that SHA-1 is no longer collision-resistant: a matching digest rules out accidental corruption in transit, but it is weak evidence against a deliberately substituted file. Where your tooling supports it, record a SHA-256 as well (FCIV only does MD5 and SHA-1).
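The same check scripted in PowerShell, as an added example that is not part of the original post: it computes the SHA-1 of a file with the .NET hash classes (so it also runs on PowerShell 2.0, where Get-FileHash does not exist) and compares it with a digest recorded on the reference PC. The file path and the expected digest in the usage comment are placeholders.

```powershell
# Added example (not from the original post): compute a file's SHA-1 and compare it
# with a reference digest, e.g. one captured with fciv.exe on the reference PC.

function Get-Sha1Digest {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead((Resolve-Path $Path).ProviderPath)
    try {
        $bytes = $sha1.ComputeHash($stream)
    }
    finally {
        $stream.Close()
        $sha1.Clear()
    }
    # Lower-case hex without separators, the same form fciv.exe prints
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-FileDigest {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Expected
    )
    $actual = Get-Sha1Digest -Path $Path
    # Case-insensitive compare: FCIV prints lower-case, other tools print upper-case
    if ($actual -ieq $Expected.Trim()) {
        return $true
    }
    Write-Warning ("Digest mismatch for {0}: expected {1}, got {2}" -f $Path, $Expected, $actual)
    return $false
}

# Usage (placeholder path and digest; paste the value fciv.exe printed on the reference PC):
# Test-FileDigest -Path 'C:\Deploy\setup.exe' -Expected '<sha1 from the reference PC>'
```

Get-FileHash in PowerShell 4.0 and later does the same job and defaults to SHA-256, which is the better choice when the reference digest can be regenerated.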

Tuesday, December 11, 2012

SCCM Task Sequence rebuild not adding computer back into AD

Overview: I am trying to image a computer and it is not joining the 'Contoso' domain. I restructured a sub-OU; what changes need to be made to add the computers to the renamed OU?

Resolution: Update the OU distinguished name (the MachineObjectOU value) for each renamed OU in the MDT database. The task sequence reads MachineObjectOU from the MDT database during the Gather step, so after a rename the domain-join step targets an OU that no longer exists and the join fails.
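As an added example (not from the original post or from MDT itself), the following PowerShell script walks the computer entries in the MDT database and flags any MachineObjectOU that no longer resolves in AD; with -Fix it rewrites entries that end in the old OU DN to the new one, which also catches child OUs beneath the renamed OU. The SQL server, database name and the two DNs are placeholders; the dbo.Settings table, its Type = 'C' rows and the MachineObjectOU column are assumed to follow the standard MDT database schema, so check them against your own database first.

```powershell
# Added example (not from the original post or MDT): find MDT computer entries whose
# MachineObjectOU no longer exists in AD, optionally rewriting an old OU DN suffix.
# Assumptions: dbo.Settings with Type='C' rows and a MachineObjectOU column (standard
# MDT DB schema); server, database and DNs below are placeholders.
param(
    [string]$SqlServer = 'MDTSQL01\SQLEXPRESS',                                # placeholder
    [string]$Database  = 'MDT',                                                # placeholder
    [string]$OldOuDn   = 'OU=Workstations,OU=Contoso,DC=contoso,DC=com',      # placeholder
    [string]$NewOuDn   = 'OU=Desktops,OU=Contoso,DC=contoso,DC=com',          # placeholder
    [switch]$Fix
)

function Test-AdOuExists {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # DirectoryEntry.Exists binds to the object and returns $false for a missing OU
    return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DistinguishedName")
}

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT ID, MachineObjectOU FROM dbo.Settings " +
                       "WHERE Type = 'C' AND MachineObjectOU IS NOT NULL"
    $reader = $cmd.ExecuteReader()
    $rows = @()
    while ($reader.Read()) {
        $rows += New-Object PSObject -Property @{
            ID = [int]$reader['ID']; OU = [string]$reader['MachineObjectOU']
        }
    }
    $reader.Close()

    foreach ($row in $rows) {
        if (Test-AdOuExists -DistinguishedName $row.OU) { continue }
        Write-Warning ("Computer ID {0}: OU '{1}' not found in AD" -f $row.ID, $row.OU)

        # Only rewrite entries under the renamed OU; the suffix match keeps child OUs intact
        if ($Fix -and $row.OU -like "*$OldOuDn") {
            $newDn = $row.OU.Substring(0, $row.OU.Length - $OldOuDn.Length) + $NewOuDn
            $upd = $conn.CreateCommand()
            $upd.CommandText = "UPDATE dbo.Settings SET MachineObjectOU = @dn WHERE Type = 'C' AND ID = @id"
            [void]$upd.Parameters.AddWithValue('@dn', $newDn)
            [void]$upd.Parameters.AddWithValue('@id', $row.ID)
            [void]$upd.ExecuteNonQuery()
            Write-Host ("Computer ID {0}: rewrote OU to '{1}'" -f $row.ID, $newDn)
        }
    }
}
finally {
    $conn.Close()
}
```

Run it once without -Fix to see what would change, and run it as an account that has both read access to AD and write access to the MDT database; the parameterised UPDATE keeps DNs containing quotes or commas from breaking the SQL.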

SCCM "Closing the allow unknown computer support to take control"


Applies To: System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3

Unknown computer support is an operating system deployment feature in Configuration Manager 2007 R2 that allows unmanaged systems to be discovered and receive operating system deployment (http://technet.microsoft.com/en-us/library/cc161877.aspx).

But why is it showing up in my SCCM task sequence? ...


This is not an error; it was an informational message saying that the Task Sequence Availability Checker did not need to add the machine to a collection for task sequences to be available at the next step. This is because we have advertised the task sequences to the unknown computer collections. Any machine that boots up and requests task sequences without having a record in SCCM will be able to start running one of those advertised task sequences.

We are using non-integrated WDS, which means we can't use unknown computer support on PXE service points. However, the issue here isn't to do with unknown computer support anyway; it's to do with known computers and task sequences not being available to them. That's why we created the task sequence checker tool to add machines to the right collection at boot time.

Advertising task sequences without mandatory schedules to all machines is out of the question: it would take just one person to think "that task sequence didn't run on that computer properly, I know, I'll right-click and rerun the advertisement" to rebuild every machine in the company! Obvious no-no.

Friday, December 7, 2012

SCCM DCM Creation and KPI

Microsoft Security Compliance Manager

It is possible to import backed-up GPOs into SCM and then export them as a DCM baseline for compliance checking. For computers that are not on the domain, and so cannot receive a GPO, use the LocalGPO tool included with SCM to apply the Group Policy backup to local policy instead.


Verify that BitLocker is enabled on the C drive

The script below is a DCM script-based setting: DCM compares the script's output with the expected value, so a machine prints "BitLocker Enabled on C Drive" when compliant and nothing otherwise. ProtectionStatus = 1 means the volume's key protectors are active; a volume whose protectors have been suspended reports 0 and therefore shows up as non-compliant.

Option Explicit
On Error Resume Next

Dim objWMI, obj, colVolumes

' Connect to the BitLocker WMI provider (needs elevation; DCM runs the script as SYSTEM)
Set objWMI = GetObject("winmgmts:\\.\ROOT\CIMv2\Security\MicrosoftVolumeEncryption")
If Err.Number <> 0 Then
    ' Provider missing (BitLocker not available on this SKU): print nothing, i.e. non-compliant
    WScript.Quit
End If

Set colVolumes = objWMI.ExecQuery("Select * from Win32_EncryptableVolume")
For Each obj In colVolumes
    ' ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    If UCase(obj.DriveLetter) = "C:" And obj.ProtectionStatus = 1 Then
        WScript.Echo "BitLocker Enabled on C Drive"
        WScript.Quit
    End If
Next

SCCM DCM What is it?

What is Desired Configuration Management (DCM)?

DCM is a feature in SCCM that provides a framework for defining corporate policies and standards for system configurations, whether related to the operating system or to an application installed on the system, and for checking systems against them.

Features include authoring and scheduling, and a model-based design leveraging the Service Modeling Language (SML), a component of Microsoft's Dynamic Systems Initiative, which is what makes the features discussed below possible.

Some of the key scenarios that drove the features Microsoft delivered in the final release of DCM include:

Regulatory Compliance - demonstrating regulatory compliance in system configurations. Not only deploying a compliant standard system configuration, but being able to periodically prove adherence to these policies.

Pre and post change configuration - Verify that no unplanned changes took place during the implementation of a planned change.

Monitoring for "drift" - Verify that new systems are built in accordance to the planned role in your infrastructure, and monitoring for human error and misconfiguration in day-to-day administration. Ensuring corporate policies are implemented in base machine builds and maintained over time.

Streamline Support - Incorporating DCM reporting into the troubleshooting process to drive down time to resolution and overall support costs.

The bottom line: DCM monitors your systems' actual configuration against a "desired configuration" model and identifies the systems and settings that have drifted outside that policy. It reports drift; it does not remediate it.

DCM Components

3 key concepts: Configuration Items, Configuration Baselines, and Configuration Packs.

The smallest unit of measure in the DCM model is the Configuration Item (CI). Configuration Items represent a desired object, setting or value on a client or within an application. Configuration items can include registry values, objects on the file system (files, folders) and their attributes (firewall settings, NTFS permissions), as well as data retrieved via scripts. Configuration Items fall into one of the following categories:

Application CI - Settings within an application like MS Word, Exchange, or SQL Server.

OS CI - Representing a specific operating system object or setting.

General CI - General settings related to corporate policies like corporate security policy, Sarbanes-Oxley, etc.

These configuration items are reusable, and can be grouped into multiple logical collections of settings known as Configuration Baselines, which are your base unit of management in DCM. Within a configuration baseline you can define mandatory, optional and prohibited configuration items.

Configuration Baselines will generally be constructed to map to machine roles (a type or class of system), such as Domain Controller, Exchange 2003 Server or SQL Database Server. Creating all the configuration items for a baseline for something like Exchange is time consuming, and this is where Configuration Packs come in. Configuration Packs are pre-defined configuration baselines (templates, so to speak) created by Microsoft and third parties, representing best-practice configuration for common OS and server applications. Configuration packs are designed to be used as a starting point for your own corporate baseline, and then modified to meet your organization's requirements.

Configuration pack templates are best obtained through the Microsoft Security Compliance Manager Solution Accelerator.

Source: systemcentercentral.com

Adobe Reader Error Opening a PDF


"Before proceeding you must first launch Adobe Acrobat and accept the End User License Agreement"

To analyze, filter Process Monitor to the AcroRd32.exe process only, then exclude all "SUCCESS" results so that only the failed registry and file operations remain.

Note the key:

HKLM\SOFTWARE\Adobe\Adobe Acrobat\10.0\AdobeViewer\EULAAcceptedForBrowser NAME NOT FOUND

Confirm in Regedit that the value is not present under that key, then create a DWORD value called "EULAAcceptedForBrowser" and set its data to 1. The key is under HKLM, so this needs an elevated session (or a Group Policy Preference / SCCM package) rather than a per-user change.

NOTE: a related bug occurs when "CR" appears in the folder or file name: http://forums.adobe.com/message/3791868

Thursday, December 6, 2012

1E NOMAD overview

What is Enterprise View?

http://www.1e.com/helparchive/NightWatchman%20and%20WakeUp/v6.0/User_Guide/User-Guides/Enterprise%20View%20Users%20Guide.pdf

Enterprise View is aimed at personnel who want a quick overview of their network and how the 1E products are working to bring them environmental and cost savings. Enterprise View is a management dashboard, providing at-a-glance overviews of the energy consumption and computer-related information that 1E is gathering on your network.

How does Enterprise View operate?

Enterprise View provides a web-based portal onto the 1E databases. The portal lets you choose from a number of pre-defined tiles to display significant PC and Server information in a handy, summarized format.

NOMAD 1E not responding to a package status request

Overview: during an SCCM task sequence a specific application is to be installed. The task sequence is designed to use a Nomad cache as the content source. The sequence fails because no cache is available.

How to troubleshoot?

On the Nomad caching server, open regedit and check the package status details under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus.

Select the subkey that corresponds to the cached item and review the values on the right. Check that the following items are present and correct:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus\LDC002FE]
"Percent"="100.000"
"Version"="2"
"CachePriority"="1"
"CacheToFolder"="D:\\NomadBranchCache"
"ReturnStatus"="Completed Successfully"
"AlreadyCached"="0"

Also check the logs in C:\ProgramData\1E\NomadBranch\LogFiles for the package's behaviour. For a fully cached package the log should contain a line such as:

CacheStatus: (ELD)  pkgID="LDC002FE"(0) local=100.000% verifiedUTC=09/04/2012
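Checking the same two things from PowerShell, as an added example (not from the original post or from 1E): the first function reads the PkgStatus subkey for a package ID and confirms the download completed, the second parses the CacheStatus line out of log text. The registry value names and the log line format are taken from the snippets above; the log file name NomadBranch.log and the meaning of the number in parentheses after the package ID are assumptions, and the sample lines at the end are constructed to exercise the parser offline.

```powershell
# Added example (not from the original post or 1E): check a Nomad package's cache
# state from the PkgStatus registry key and from NomadBranch log text.

$NomadPkgStatusRoot = 'HKLM:\SOFTWARE\Wow6432Node\1E\NomadBranch\PkgStatus'
$NomadLogDir        = Join-Path $env:ProgramData '1E\NomadBranch\LogFiles'

function Test-NomadPackageCached {
    param([Parameter(Mandatory = $true)][string]$PackageId)   # e.g. 'LDC002FE'

    $key = Join-Path $NomadPkgStatusRoot $PackageId
    if (-not (Test-Path $key)) {
        Write-Warning "No PkgStatus entry for $PackageId on this host; Nomad was never asked for it"
        return $false
    }
    $s = Get-ItemProperty -Path $key
    # The .reg export shows these are REG_SZ strings ("100.000"), so cast before comparing
    $percent = [double]($s.Percent -replace ',', '.')
    $ok = ($percent -ge 100) -and ($s.ReturnStatus -eq 'Completed Successfully')
    if (-not $ok) {
        Write-Warning ("{0}: Percent={1} ReturnStatus='{2}' Version={3} CacheToFolder={4}" -f `
            $PackageId, $s.Percent, $s.ReturnStatus, $s.Version, $s.CacheToFolder)
    }
    return $ok
}

function Get-NomadCacheStatusFromLog {
    param(
        [Parameter(Mandatory = $true)][string]$PackageId,
        [Parameter(Mandatory = $true)][string[]]$LogLines
    )
    # Matches:  CacheStatus: (ELD)  pkgID="LDC002FE"(0) local=100.000% verifiedUTC=09/04/2012
    # The number in parentheses after the package ID is captured as-is (its meaning is assumed)
    $pattern = 'CacheStatus:\s+\((?<flags>[A-Z]+)\)\s+pkgID="' + [regex]::Escape($PackageId) +
               '"\((?<num>\d+)\)\s+local=(?<pct>[\d.]+)%'
    $last = $LogLines | Where-Object { $_ -match $pattern } | Select-Object -Last 1
    if (-not $last) { return $null }
    [void]($last -match $pattern)
    New-Object PSObject -Property @{
        PackageId    = $PackageId
        Flags        = $Matches['flags']
        Number       = [int]$Matches['num']
        LocalPercent = [double]$Matches['pct']
    }
}

# Constructed sample lines (not real Nomad output) so the parser can be tried offline
$sample = @(
    'CacheStatus: (ELD)  pkgID="LDC002FE"(0) local=100.000% verifiedUTC=09/04/2012',
    'CacheStatus: (E)  pkgID="LDC00301"(0) local=42.500%'
)
Get-NomadCacheStatusFromLog -PackageId 'LDC002FE' -LogLines $sample | Format-List

# On the caching server (log file name assumed):
# Test-NomadPackageCached -PackageId 'LDC002FE'
# Get-NomadCacheStatusFromLog -PackageId 'LDC002FE' `
#     -LogLines (Get-Content (Join-Path $NomadLogDir 'NomadBranch.log'))
```

A package whose registry entry says 100% but whose most recent CacheStatus line shows a lower local percentage has been evicted or re-requested since, which is worth knowing before blaming the task sequence.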

PXE-E32: TFTP Open Timeout

SYMPTOM

The PXE client shows the PXE copyright message and completes the DHCP phase, but then displays:

TFTP....

After a while, the following error message is displayed:

PXE-E32: TFTP open timeout

Depending on the boot device list configured in the PXE client's system setup, the PC then either stops or tries to boot from the next device in that list.

CAUSE 1

The "PXE-E32" error indicates that the PXE client did not get a reply from the TFTP server when it sent a request to download its boot file. Possible causes for this problem are:

1. There is no TFTP server
2. The TFTP server is not running
3. TFTP and DHCP/BOOTP services are running on different machines, but the next-server (066) option was not specified

RESOLUTION 1

Make sure that a TFTP server is set up and running. When the TFTP service is running on a different machine than the DHCP or BOOTP service, you need to add option 066 (next-server) to the DHCP/BOOTP server configuration, and set this option's value to the IP address or resolvable hostname of the TFTP server. When option 066 (next-server) is not defined, the PXE client assumes that the TFTP service is running on the same machine from which it received its DHCP/BOOTP configuration information.
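A quick way to reproduce the TFTP step without a PXE boot, added here as an example that is not part of the original post: send a TFTP read request (an RFC 1350 RRQ) for the boot file to UDP port 69 and classify the answer. A DATA packet means the server works; an ERROR packet means the server is up but the file name or path is wrong; no answer at all is the same condition the PXE ROM reports as PXE-E32. The default file name boot\x86\wdsnbp.com is the usual WDS network boot program for BIOS clients and is an assumption; the IP in the usage comment is a placeholder.

```powershell
# Added example (not from the original post): probe a TFTP server the way a PXE client
# does, by sending an RRQ for the boot file and classifying the first reply.

function Test-TftpRead {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [string]$File = 'boot\x86\wdsnbp.com',   # WDS BIOS boot program (assumed default)
        [int]$TimeoutMs = 3000
    )
    $enc = [System.Text.Encoding]::ASCII
    # RRQ packet (RFC 1350): opcode 1, filename, NUL, "octet", NUL
    [byte[]]$rrq = @(0, 1) + $enc.GetBytes($File) + @(0) + $enc.GetBytes('octet') + @(0)

    $result = New-Object PSObject -Property @{ Server = $Server; File = $File; Result = ''; Detail = '' }
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($rrq, $rrq.Length, $Server, 69)
        # The server answers from a fresh port (its transfer ID), so receive from anywhere
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp   = $udp.Receive([ref]$remote)

        $opcode = [int]$resp[0] * 256 + $resp[1]
        switch ($opcode) {
            3 {   # DATA: acknowledge block 1 so the server stops retransmitting
                [byte[]]$ack = @(0, 4, $resp[2], $resp[3])
                [void]$udp.Send($ack, $ack.Length, $remote)
                $result.Result = 'OK'
                $result.Detail = ('first DATA block, {0} bytes, from {1}' -f ($resp.Length - 4), $remote)
            }
            5 {   # ERROR: server reachable but refused the request (code + text)
                $code = [int]$resp[2] * 256 + $resp[3]
                $msg  = $enc.GetString($resp, 4, [Math]::Max(0, $resp.Length - 5))
                $result.Result = 'Error'
                $result.Detail = ('TFTP error {0}: {1}' -f $code, $msg)
            }
            default {
                $result.Result = 'Unexpected'
                $result.Detail = ('opcode {0}' -f $opcode)
            }
        }
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            # No reply within the timeout: the PXE-E32 condition
            $result.Result = 'Timeout'
        } else {
            $result.Result = 'Failed'
        }
        $result.Detail = $ex.Message
    }
    finally {
        $udp.Close()
    }
    return $result
}

# Usage: point at the address the DHCP server hands out in option 066 (placeholder IP)
# Test-TftpRead -Server '10.10.0.11'
```

Run it from a machine on the same subnet as the failing client, aimed at whatever option 066 delivers (on a Windows Server 2012 DHCP server, Get-DhcpServerv4OptionValue -OptionId 66, with -ScopeId for a scope-level value, shows that address). If the probe gets DATA back but real clients still time out, the problem is in the DHCP/next-server hand-off or a firewall between the client VLAN and the server, not in the TFTP service itself.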

CAUSE 2

This problem can also occur after you apply security update MS08-037 (Microsoft Knowledge Base article 953230, "MS08-037: Vulnerabilities in DNS could allow spoofing"). After that update the DNS service reserves a pool of random UDP source ports from the dynamic port range, and those can collide with the fixed UDP port range WDS uses for its TFTP and PXE endpoints.


RESOLUTION 2

Windows Server 2008 R2


Important: this section contains steps that tell you how to modify the registry. Serious problems might occur if you modify the registry incorrectly, so follow these steps carefully and back up the registry before you modify it; you can then restore it if a problem occurs. For more information, see Microsoft Knowledge Base article 322756, How to back up and restore the registry in Windows (http://support.microsoft.com/kb/322756/).


To work around this problem if you do not require Windows Deployment Services to use a static port range, you can configure Windows Deployment Services to dynamically query WinSock for available ports instead of using a port range.
To do this, follow these steps:

  1. Start Registry Editor: click Start, type regedit in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

  2. Locate and then click to select the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSServer\Parameters

  3. Right-click UdpPortPolicy, and then click Modify.

  4. In the Value data box, type 0, and then click OK.

  5. On the File menu, click Exit to exit Registry Editor.

  6. Restart Windows Deployment Services.



WDS logging can be enabled by setting this registry value to 1:

HKLM\SOFTWARE\Microsoft\Tracing\WDSSERVER\EnableFileTracing

This then logs to %WINDIR%\tracing\WDSServer.log

One thing that can go wrong with TFTP is that WDS tries to use a fixed range of UDP ports; if any of these is already in use, instead of failing that endpoint cleanly and retrying on another port it simply fails, silently (unless you enable the log).
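The registry workaround and the logging switch together in PowerShell, as an added example that is not from KB 953230 or the original post: Set-WdsDynamicUdpPorts applies steps 2 to 4, Set-WdsServerTracing turns file tracing on or off and returns the log path, and Get-WdsTraceFailures filters a trace down to the registration failures quoted next, dropping the Win32 Error=5023 lines that appear under normal operation. The value names come from the text above; the sample lines are constructed to resemble the trace excerpt and are not a real capture.

```powershell
# Added example (not from KB 953230 or the original post): apply the UdpPortPolicy
# workaround, toggle WDS file tracing, and filter the trace for TFTP endpoint failures.
# Run elevated on the WDS server.

$wdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Parameters'
$wdsTrace  = 'HKLM:\SOFTWARE\Microsoft\Tracing\WDSSERVER'

function Set-WdsDynamicUdpPorts {
    # UdpPortPolicy = 0: WDS asks Winsock for free ports instead of using its fixed range
    Set-ItemProperty -Path $wdsParams -Name UdpPortPolicy -Value 0 -Type DWord
    return (Get-ItemProperty -Path $wdsParams).UdpPortPolicy
}

function Set-WdsServerTracing {
    param([bool]$Enabled = $true)
    if (-not (Test-Path $wdsTrace)) { New-Item -Path $wdsTrace -Force | Out-Null }
    Set-ItemProperty -Path $wdsTrace -Name EnableFileTracing -Value ([int]$Enabled) -Type DWord
    return (Join-Path $env:windir 'tracing\WDSServer.log')
}

function Get-WdsTraceFailures {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Keep endpoint registration failures and Win32 errors, but drop Win32 Error=5023,
    # which the trace emits continuously even when WDS is healthy
    $Lines | Where-Object { $_ -match 'Registration Failed|Win32 Error=(?!5023\b)\d+' }
}

# Constructed sample lines shaped like the trace excerpt (not a real capture)
$sample = @(
    '[8436] 12:01:36: [WDSTFTP][UDP][Ep=0] Registration Failed (rc=2)',
    '[8436] 12:01:36: [d:\...\udphandler.cpp:369] Expression: , Win32 Error=2',
    '[9488] 12:42:17: [d:\...\udpendpoint.cpp:811] Expression: , Win32 Error=5023'
)
Get-WdsTraceFailures -Lines $sample

# On the WDS server, elevated:
# Set-WdsDynamicUdpPorts
# $log = Set-WdsServerTracing -Enabled $true
# Restart-Service -Name WDSServer
# ... reproduce the PXE boot, then:
# Get-WdsTraceFailures -Lines (Get-Content $log)
# Set-WdsServerTracing -Enabled $false   # tracing is chatty; turn it off afterwards
```

Leave tracing off once the problem is found: the log grows quickly and is written to %WINDIR%\tracing on the system volume.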

The logging in question is:

[8436] 12:01:36: [698808][WDSPXE] [WDSPXE][UDP][Ep:10.10.0.11:4011] Sent To:10.10.0.114:68 Len:1024
[8436] 12:01:36: [d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udphandler.cpp:369] Expression: , Win32 Error=2
[8436] 12:01:36: [WDSTFTP][UDP][Ep=0] Registration Failed (rc=2)
[8436] 12:01:36: [d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\ifhandler.cpp:238] Expression: , Win32 Error=2

Oddly, it seems that under "normal" operation you get a lot of these (Win32 error 5023 is ERROR_INVALID_STATE, whereas the error 2 above is ERROR_FILE_NOT_FOUND):

[9488] 12:42:17: [d:\longhorn\base\ntsetup\opktools\wds\wdssrv\server\src\udpendpoint.cpp:811] Expression: , Win32 Error=5023