SCCM: How to convert Package to Application using Package Conversion Manager (PCM) on SCCM CB

PCM does not support SCCM Console newer than SCCM 2012 SP1. Jason Sandys published and article for SCCM R2. I used the same approach for SCCM CB (1607) and it seems to be working fine.

 

Step-by-step from Jason is here: http://blog.configmgrftw.com/package-conversion-manager-and-configmgr-r2-sp1-or-sp2/

SCCM: WSUS re-installation

I recently found a badly broken 2012 R2 WSUS in one of my Clients environment. After some troubleshooting I decided to re-install WSUS to save time.

Here are several points to remember during re-installation.

1. Not everything will be uninstall with WSUS

– Windows Internal Database (should be unchecked in Feature List during uninstallation or uninstalled using directions: https://technet.microsoft.com/en-us/library/dd939818(v=ws.10).aspx)

– Content of C:\Windows|WID should be cleared before the new install (otherwise you may have an error message “Synchronization in progress. Please cancel synchronization and rerun postinstall again.”  after the new WSUS will be installed

– you may decide to clean \WSUS folder created for the old WSUS

2. If you will use PowerShell for WSUS installation and wsusutill won’t be able to configure WSUSContent folder for you you may have an error saying Content folder cannot be accessed. In this case you may decide to add the content folder location to XML configuration script, the process is described here: https://gyorgybalassy.wordpress.com/2013/08/10/installing-wsus-on-windows-server-2012/

Unfortunately in my case postinstall failed regardless giving me weird: “System.InvalidOperationException — Client found response content type of ‘text/html; charset=utf-8’, but expected ‘text/xml’”. I tried to unistall MMC cache for WSUS, uninstall WID and WSUS, nothing helped.

Finally I uninstalled WSUS, WID, IIS, cleaned abovementioned directories, reboot the server and installed the WSUS back (enabled HTTP Activation under WCF for .Net 4.5 and  patched the server with the latest WSUS Updates). This time it successfully started.

SCCM: Windows 10 changes Default Application set for Adobe .pdf files

I am helping to create/deploy a Windows 10 image in one of my Customers environment. There is a requirement to have Adobe Reader DC in a Gold Windows 10 image.

I am preparing the Gold Image with MDT 2013 Upd 2 and deploy it with SCCM (build 1606).

One of issues we faced is a Software Association for Adobe Reader .pdf files: Even though Adobe Reader setup was customized with Customization Kit and Adobe Reader was set as default Application for PDF files after imaging we observe Microsoft Edge set itself as a default app for PDFs .

I googled the issue and found I am not alone… Unfortunately the most common advice is to start Reader and configure it as default app in GUI (for example here is Adobe guide: https://helpx.adobe.com/acrobat/kb/not-default-pdf-owner-windows10.html). Work fine I guess for non-enterprise environment, but not suitable for my case. In addition it will set association for the current user only (http://www.winhelponline.com/blog/edge-hijack-pdf-htm-associations/)

Assoc command described here: https://support.microsoft.com/en-us/kb/184082 does not seem to be working in Windows 10. I mean even though assc .pdf  shows correct association Edge is still the default app

I finally found a way to manipulate association with DISM command (https://technet.microsoft.com/en-us/library/hh824855.aspx)

So, here is the solution I am using:

1. On a reference machine with Adobe Reader installed (but not set as a default App for PDF) export default application configuration to a .XML file using dism command: “DISM.exe /Online /Export-DefaultAppAssociations >your.xml”

2. Open the XML file in Notepad and delete unnecessary lines before XML header

3. Browse the XML to see association for .pdf

4. Here is a trick. You need aplicationID of Adobe Reader to be able to replace ApplicationID of EDGE you have in the XML. I right-clicked a PDF document and selected Open With. I see the prefered App is Edge, but the Reader is just after that. So in the XML file I copied the first ID from “OverwriteOfProgIdIs” parameter to ProgId parameter. Hopefully the explication is clear. Anyway, my line for .pdf association looks like:

<Association Identifier=”.pdf” ProgId=”AppX86746z2101ayy2ygv3g96e4eqdf8r99j” ApplicationName=”Adobe Reader” ApplyOnUpgrade=”true” OverwriteIfProgIdIs=”AppXk660crfh0gw7gd9swc1nws708mn7qjr1″ />

After that I I import the XML file back to Windows using:

“Dism.exe /Online /Import-DefaultAppAssociations:your.xml”

Please note, even that won’t change association for the current user. But, all new users will get it set properly.

So I created an additional application in my MDT to import the pre-created XML and inserted the Application Deployment step in my TS and re-generated the image. As soon as the image is deployed all domain users should have Adobe Reader as a default app for PDFs.

Note: I guess I could use offline servicing to inject XML into the image during the image creation and it would help with association for “Administrator”, but I guess online approach  is easier and cleaner.

 

You can also try a per-user GPO as described here: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html

SCCM: OSD to a KNOWN computer using media – There are no task sequences available for this computer.

 

At one of my Customer sites I migrated SCCM 2012 to SCCM CB and tried to deploy an OSD TS to a collection containing test machines.  I added a test machine manually using its MAC address and add it to a collection where the TS was deployed.

As soon as I boot the machine using generated SCCM Boot Media i got a message:

“There are no task sequences available for this computer.”

SMSTS.Log file showed the machine as “KNOWN”, but TS was not available for it. ^%&^%%

Resolution: I removed the machine from SCCM database and re-added it manually again. I think the migrated account contained a GUID from the old SCCM and probably that was an issue. Not sure for 100%, but it works now.

SCCM: Windows 10 Service Plan. How to remove unnecessary languages and editions

I am in North America and only need en-us version of Windows 10 Enterprise Edition.

By default SCCM will put a multitude of languages and Editions in your Service Plan causing enormous size of Service Plan package.

Here is way how to limit it to Windows 10 Enterprise en-us only.

1. Limit Sync on WSUS used by your SCCM (Ideally before you even enable Upgrade option in your SCCM SUP properties):

2. Enable Upgrade option in properties of your SCCM SUP and sync updates if it is not done yet

3. Go to Windows 10 Servicing- Service Plans and start New Service Plan Wizard

4. Add English as Language filter and the following four lines in Title filter

5. Press ok in Search test page and click preview to see how it will be filtered. You should be able to see the version you need. In my case I see two

6. finish the Wizard. You should have a service plan ready for upgrade your Win10 machines to build 1607 (in my case)

Ideas are from comments to Kent Agerlund’s post here: http://blog.coretech.dk/kea/windows-10-servicing-in-configmgr-1511/

SCCM: SCCM needs update to use servicing feature for Windows 10 1607

Microsoft published a note: Update your ConfigMgr 1606 SUP servers to deploy the Windows 10 Anniversary Update.

It looks like SCCM servicing feature won’t work with KB and manual steps when use it for upgrade to W10 1607 (Anniversary Ed and following builds).

 

Workaround – use OSD.

SCCM: Proper SQL Installation prior SCCM Setup

Great article from Steve Thompson!

https://stevethompsonmvp.wordpress.com/2016/07/25/installing-and-configuring-sql-server-for-configuration-manager/

SCCM: Replace Collection ID with Collection Name in report

 

One of my Customers asked me to create a customized report for his environment. A standard SCCM report for Software registered in Add or Removed Programs for a specific collection fit perfectly as a base, but I wanted to replace Collection information in the report (originally it is Collection ID, but I guessed the Customer would prefer a Collection Name).

My knowledge of SQL reporting is limited, but with help of Sherry Kissinger I ended up with the following result:

SELECT arp.DisplayName0, Count(Distinct arp.ResourceID) AS ‘Count’, arp.Publisher0, arp.Version0, col.collectionid, COL.Name as CollectionName
FROM fn_rbac_Add_Remove_Programs(@UserSIDs)  arp
JOIN fn_rbac_FullCollectionMembership(@UserSIDs)  fcm on arp.ResourceID=fcm.ResourceID
JOIN v_Collection COL ON fcm.CollectionID = COL.CollectionID
WHERE fcm.CollectionID = @CollID
GROUP BY DisplayName0, Publisher0, Version0, col.collectionid, col.name
ORDER BY Publisher0, Version0

That gave me the report I looked for (of course Collection ID column can ber removed now and some other will be added):

 

Top 10 Free tools

 

here is a snip from Redmond Mag, just for memory.

Certificates: The Do’s and Don’ts of PKI

This is a copy of Andrzej Kaźmierczak’s blog post: http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/.

 

DON’T install PKI without a detailed plan. Ask yourself what you need it for, what features will you use and would it be scalable enough in the future.

DO use Windows Server Enterprise Edition for Active Directory users enrollment. UPDATE: This only applies to Windows Server 2008 R2 or earlier, as for Windows 2012 or later you can use Windows Server Standard Editions.

DO use a CAPolicy.inf file during installation. There you can define attributes such as basic constraints extension, renewal key length and period, CRLs period, etc.

Server naming and CA (Certification Authority ) naming should be standardized. DO create naming convention which additionally includes naming of GPOs, templates and accounts related to PKI. Root CA shouldn’t follow the pattern and be named differently than other servers in organization.

DON’T change CA server name after ADCS role installation. It is possible to rename server and reconfigure infrastructure, but not recommended. Enrolled certificates will stop working.

DON’T use Root CA to issue certificates directly to the end users.

DON’T install CA on a domain controller. It is technically possible, but not recommended. CA should run on a separate machine.

For high availability DO failover clustering. Only one CA instance can be running at a time. Microsoft ADCS role can act as active-passive using failover feature of Microsoft Windows operating system.

DO create CPS (Certificate Practice Statement) and CP (Certificate Policy). Structure of those two documents should be based on the RFC 3647 recommendations. This allows subscribers and relying parties comparison with other, similar documents issued by other organizations.

DO create multi-tiers architecture. For huge organizations, depending on Active Directory structure and amount of forests and domains, DO use 2 or 3-tier architecture.

In 3-tier architecture, subordinate CAs located in the second tier, are called Policy CAs. Those CAs should only enroll for other CAs and no users. DO put in CAPolicy.inf file for Policy Issuing CA following section:
[BasicConstraintsExtension]
Pathlength = 1
Critical = true
After installation run following command:
certutil –setreg Policy\CAPathLength 1
This “Pathlength=” setting specifies the length of the path, the maximum number of CA certificates that may be issued as subordinated to the Policy CA. Pathlength with value set to „1” means that establishment CA two (or more) tiers below Policy CA is not possible.

DON’T domain join Root CA or Subordinate CA. Let those most important, top-level CAs stay in workgroup.

DON’T use online Root and Policy CAs, especially if it’s private keys are not protected by HSM (Hardware Security Module). Offline CAs hard drives or virtual disk files should be placed in a secure vault until a CA certificate needs to be issued or a new CRL needs to be issued and published.

If using HSM that are located in distant server room, DON’T restart CA server or certsrv service. You may find out that you need to insert operator’s cards set into HSM to start the service again. Sometimes it needs involving many people.

If not using HSM, CA’s keys are generated with software CSP. DO use at least 4096b keylength for Root CA.

DO change default system accounts. Local administrator should have its name changed, the default Enterprise andDomain Administrators group permissions for CA should be taken away, and Domain Admins group should bedeleted from the local administrators group on all systems belonging to the PKI.

DO use long and complex local administrator password and DO make sure it is kept in safe place.

DON’T leave default AIA (Authority Information Access) URLs with the CA hostname in issued certificates.  Default value is %windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt. The part „%%1_” in CA certificate will be replaced by „<CAservername>_” which will reveal internal naming convention and structure. „%%1_” should be deleted. It is important to remember that during renewal process because .crt file will be generated with %%1_ prefix, so it has to be manually deleted after renewal operation.

If implementing in organizations, DO use templates OID to differentiate company’s policy objects from default Microsoft policy objects tree. You should request PEN (Private Enterprise Number) from IANA organization (Internet Assigned Numbers Authority). Templates OID should be created with PREFIX (got from IANA) and individually created numbers for template structure.

DO customize templates, DON’T use default ones. Use organization name prefixes with templates names, customize them and add OID created with IANA’s PREFIX.

After ADCS installation DO use following commands to publish CRLs and .crts to the Active Directory:
certutil -dspublish -f "name_of_root_ca_cert.CRT"  RootCA
certutil -dspublish -f "name_of_ca_crl.CRL"
UPDATE: As HTTP is recommended path to publish CRT and CRL there is no need to use CDP and AIA with LDAP and to publish them to AD.

DO make CDP (CRL Distribution Point) redundant. Include in CDP and publish CRLs to both LDAP and HTTP. Make sure that at least one HTTP is accessible from Internet, WAN or partner’s network. It is required if you want to use certificates outside your intranet. UPDATE: DO NOT use LDAP in your CDP path at all – use only HTTP and make sure HTTP location is highly available, highly consider using split-brain DNS scenario.

If however, you decide to distribute CRL using Active Directory, DO bear in mind AD replication delays.

DO implement OCSP. Online Certificate Status Protocol reduces CRL usage (bandwith) and is more reliable. End-users workstations cache CRL in local user profile, so user’s certificate revocation may become effective when cached CRL validity period is over. Unlike this CRL weakness, OCSP uses delta CRL, so to work efficiently I suggest setting Active Directory Certificate Services Delta CRL time to minimum period (30 minutes):
certutil -setreg CA\CRLDeltaPeriodUnits 30
certutil -setreg CA\CRLDeltaPeriod "Minutes"
OCSP should be available from both Internet and intranet.  Keep in mind that despite the revocation of the certificate, thepreferred method for removing user access to resources is disabling AD account.

DO use PKI repositories. Those are places to keep PKI related data. It can be a public web folder for all with CRLs and CA’s certificates or private folder for internal users only with CP, CPS, user’s .crt certificates, user’s regulations. CRLs and CA’s .crts as well.

Microsoft ADCS default repository is C:\Windows\System32\certsrv\CertEnroll. To that directory are published CRLs and CA’s .crt certificates. As mentioned before, CDP and AIA should be published redundantly – with HTTP protocol. DON’T publish CertEnroll folder directly to the Internet. Instead create a copying script which copies *.crt and *.crl to another machine and folder and create task schedule to trigger it every, let’s say, 5 minutes. When in another folder, publish to Internet with your reverse proxy, for example Microsoft Forefront Threat Management Gateway UPDATE: Microsoft TMG is discontinued. Be careful on credentials that are provided to run script. You can use this simple code below to create batch file:
xcopy C:\Windows\System32\certsrv\CertEnroll\* \\10.10.10.10\Repository\* /Y /Q

DO role separation. In simple scenario these should be: PKIBackupOperators, PKITemplateAdmins, PKIAuditors, PKICertAdmins, PKICAAdmins.

In some cases DO set private keys archivization. Thanks to that you will be able to recover old keys used to secure data in the past.

DO set KRA (Key Recovery Agent) and DRA (Data Recovery Agent). Those two are one of the most important accounts that help recover important data and must be protected with increased caution. KRA can restore lost private key. DRA is a user granted the right to decrypt data encrypted by other users.

DON’T write down your user’s certificate password/PIN and stick it to monitor or hide under the keyboard.

Whenever possible, DO use tokens or smartcards for users and special purpose accounts (Enrollment Agents, etc). Without them private keys are generated by software CSP and kept in Windows registry! Whoever has access to workstation and knows where and how to look, may find these interesting things. To protect from that situation use smartcards which lets keys be generated by hardware CSP and if FIPS-3 compliance, never leave the smartcard.

DO take into account above when disposing user’s hard drives, especially CA hard drives. If not on smartcard, user’s private key is still on that hard drive.

DO make sure that system time on CAs machines is set correctly. The best way (but not cheap) is to use NTP (Network Time Protocol).

DO renew the CA certificate with a supply of time so that certificates issued by the CA have shorter life time than the remaining life time of the CA certificate.

DO enable all auditing events for the CA when configuring Microsoft ADCS:
certutil -setreg CA\AuditFilter 127
Also, enable ‘Audit Object Access’ within Group Policy (for ‘Success’ and/or ‘Failure’ as required) in order for any Cert Services events to be logged.

DO health check of PKI infrastructure. If using Microsoft ADCS, use tool PKIView. Moreover, PKI events are logged inSecurity event log on CA server. Use event viewer to check for events especially those red and yellow ones.

If needed to increase level of logging, DO change value „3” to „4” in following registry path:
HKLM\CurrentControlSet\Services\certsrv\configuration\Subordinate CA\Loglevel

DO create CA backup, including private key, CA certificate, certificate database and certificate database log, CAPolicy.inf file and exported CA templates. Make copy of folder „Database” including certpkxp.dat, edb*.log and<CAname>.edb files. Also export settings of registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

DO make sure that system backup is done regularly. Backups should be protected with password and kept in safe place (vault).

DON’T consider internally issued certificates as a qualified certificates. Qualified certificate is issued to a person acting on his or her own behalf by Trusted Third Party CA. Qualified certificates can be used to authenticate to government organizations.