SCCM–How to Report on Safeboot / McAfee Endpoint Encryption

I posted this on the myITForum SMS mailing list and thought it might be helpful.  A question was asked about reporting on systems using Safeboot and verifying their encryption state – this was my answer:

 

Here you go Suzzi (we use the same product). I’d recommend using your own naming conventions for the class but the meat of it is there. And yes, Inventory Manager helps a lot with this kind of stuff. It only gives us the lock state (yes it’s encrypted or no it’s not) but you could add more reg keys as needed. Also attached is a SQL query you could use to report on Safeboot (Endpoint Protection) in your enterprise (changing the name of the view that your MOF edit creates for Safeboot). It takes into account the name change from Safeboot to McAfee Endpoint Protection. The reg keys did NOT appear to change (thankfully). As always…test, test, test :)

-Casey

SMS_DEF.mof edit:

//==================================================================
// REPORT : Win32Reg_IM_SafeBoot_Encryption_State
//==================================================================
#pragma deleteclass("Win32Reg_IM_SafeBoot_Encryption_State",NOFAIL)

[SMS_Report(TRUE), SMS_Group_Name("SPS SafeBoot Encryption State"), SMS_Class_ID("INVENTORYMANAGER|SafeBoot_Encryption_State|1.0")]
class Win32Reg_IM_SafeBoot_Encryption_State : SMS_Class_Template
{
    [SMS_Report(TRUE), key] string InstanceKey;
    [SMS_Report(TRUE)] uint32 LockState;
};

Configuration.mof edit:

//==================================================================
// Register : Win32Reg_IM_SafeBoot_Encryption_State
//==================================================================
#pragma namespace("\\\\.\\root\\cimv2")
#pragma deleteclass("Win32Reg_IM_SafeBoot_Encryption_State",NOFAIL)

[DYNPROPS]
Class Win32Reg_IM_SafeBoot_Encryption_State
{
    [key] string InstanceKey;
    uint32 LockState;
};

[DYNPROPS]
instance of Win32Reg_IM_SafeBoot_Encryption_State
{
    InstanceKey = "KeyName";
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SbFsLock|LockState"),
    Dynamic, Provider("RegPropProv")] LockState;
};

 

SQL Query for Reporting:

SELECT DISTINCT
                      a.ResourceID, a.Name0, a.Resource_Domain_OR_Workgr0, a.User_Name0, a.Manufacturer0, a.Model0, a.LastScanDate, a.LastHWScan, a.SafeBootInstalled,
                      CASE WHEN SafeBootInstalled = 'YES' THEN sp.ProductVersion WHEN SafeBootInstalled = 'NO' THEN 'N/A' END AS 'SafeBootVersion',
                      CASE WHEN LockState0 = 0 THEN 'NO' WHEN LockState0 <> 0 THEN 'YES' ELSE 'Not Found' END AS 'IsEncrypted'
FROM         (SELECT DISTINCT s.ResourceID, s.Name0, s.Resource_Domain_OR_Workgr0, s.User_Name0, comp.Manufacturer0, comp.Model0, sw.LastScanDate, hw.LastHWScan, 'YES' AS SafeBootInstalled
                       FROM          v_R_System AS s INNER JOIN
                                              --v_GS_BATTERY AS b ON s.ResourceID = b.ResourceID INNER JOIN
                                              v_GS_SoftwareProduct AS sp ON s.ResourceID = sp.ResourceID INNER JOIN
                                              v_GS_LastSoftwareScan AS sw ON s.ResourceID = sw.ResourceID INNER JOIN
                                              v_GS_WORKSTATION_STATUS AS hw ON s.ResourceID = hw.ResourceID INNER JOIN
                                              v_GS_COMPUTER_SYSTEM AS comp on s.ResourceID = comp.ResourceID
                       WHERE     
                       --(b.Availability0 IS NOT NULL) AND
                       (sp.ProductName LIKE 'SafeBoot%' or sp.ProductName LIKE 'McAfee Endpoint%')
                       UNION
                       SELECT DISTINCT s.ResourceID, s.Name0, s.Resource_Domain_OR_Workgr0, s.User_Name0, comp.Manufacturer0, comp.Model0, sw.LastScanDate, hw.LastHWScan, 'NO' AS SafeBootInstalled
                       FROM         v_R_System AS s INNER JOIN
                                             --v_GS_BATTERY AS b ON s.ResourceID = b.ResourceID INNER JOIN
                                             v_GS_LastSoftwareScan AS sw ON s.ResourceID = sw.ResourceID INNER JOIN
                                             v_GS_WORKSTATION_STATUS AS hw ON s.ResourceID = hw.ResourceID INNER JOIN
                                             v_GS_COMPUTER_SYSTEM AS comp on s.ResourceID = comp.ResourceID
                       WHERE    
                       --(b.Availability0 IS NOT NULL) AND
                       (NOT EXISTS
                                                 (SELECT DISTINCT s1.Name0
                                                   FROM          v_R_System AS s1 INNER JOIN
                                                                          --v_GS_BATTERY AS b ON s1.ResourceID = b.ResourceID INNER JOIN
                                                                          v_GS_SoftwareProduct AS sp ON s.ResourceID = sp.ResourceID
                                                   WHERE     
                                                   --(b.Availability0 IS NOT NULL) AND
                                                   (sp.ProductName LIKE 'SafeBoot%' or sp.ProductName LIKE 'McAfee Endpoint%') AND (s1.Name0 = s.Name0)))) AS a LEFT OUTER JOIN
                      v_GS_SoftwareProduct AS sp ON sp.ResourceID = a.ResourceID AND (sp.ProductName LIKE 'SafeBoot%' or sp.ProductName LIKE 'McAfee Endpoint%') LEFT OUTER JOIN
                      v_GS_SPS_SafeBoot_Encrypti0 AS e ON e.ResourceID = sp.ResourceID

Posted by caseyrobertson | with no comments

SCCM SQL Query–Patch Supersedence Report

I wanted a way to input a patch KB article and find out if the patch superseded another patch or was superseded by another.  For parameters I used the ArticleID field aka the KBNumber.

select        cir.FromCIID [New CI],
            info.BulletinID [New BulletinID],
            info.ArticleID [New ArticleID],
            info.Title [New Title],
            info.InfoURL [New InfoURL],
            info.DatePosted [New DatePosted],
            cir.ToCIID [SUPERSEDED CI],
            info2.BulletinID [Superseded BulletinID],
            info2.ArticleID [Superseded ArticleID],
            info2.Title [Superseded Title],
            info2.InfoURL [Superseded InfoURL],
            info2.DatePosted [Superseded DatePosted]
           
from v_CIRelation cir
           
left join v_UpdateInfo info on cir.FromCIID = info.CI_ID
left join v_UpdateInfo info2 on cir.ToCIID = info2.CI_ID

           
where RelationType = 6
and ((info.ArticleID = @KBNumber) OR (info2.ArticleID = @KBNumber))

order by info.BulletinID, info.ArticleID


Going to get this blogging thing going again

My goal is two posts per week – even if it’s just a simple query… we’ll see how it goes.  Trying out Windows Live Writer too!

 

-Casey


SQL Query to Enumerate USB drives by Domain

--Enumerate USB Drives--

select    sys.Name0 [System Name],
        sys.Resource_Domain_or_Workgr0 [Domain],
        sys.Operating_System_Name_and0 [O/S],
        disk.Description0 [Description],        
        disk.InterfaceType0 [Bus Type],
        disk.Model0 [Model],
        disk.Name0 [USB Drive Name],
        disk.Size0 [Size],
        disk.DeviceID0 [DeviceID]
from
v_R_System sys
join v_GS_DISK disk
    on sys.ResourceID = disk.ResourceID

where disk.InterfaceType0 = 'USB' and sys.Resource_Domain_or_Workgr0 IN (@Domain)

order by Resource_Domain_or_Workgr0,sys.Operating_System_Name_and0,sys.Name0


Configuration Manager 2007 and Patch Compliance Issues

Here at my company ConfigMgr 2007 is used as the enterprise approved security update system.
All Windows-based servers and workstations are required to run the ConfigMgr client and patches
are applied accordingly.

I recently encountered an issue that gave me pause though.  I was somewhat blindsided by an
issue with a patch under security bulletin MS09-004...particularly the SQL portion of the patch
concerning clustered SQL servers.  MBSA and Windows Update will both report the patch as missing
on a clustered system.  However, ConfigMgr has no knowledge whatsoever of these clustered versions
of the patch.  What gives?

Well, after doing more research I discovered that if a patch is flagged for user interaction in
WSUS and by Microsoft, it will not sync to ConfigMgr's repository and hence will never show up
in any patch reports - it's as if it simply does not exist.

This causes a major problem.  Not so much from the implementation standpoint because at least
you can still manually install the patch (although this can be inconvenient depending on the number
of clusters you have).  The major issue is that now during audits, our designated enterprise patch
tool can't even tell me that a patch is missing or even applicable.  This seems like a major hole
in how ConfigMgr works.  Couldn't it at least tell me if the patch is applicable even if it cannot
deploy it?  Could it flag it as such?

I'm curious to find out how you have addressed this in your environment.  I'm considering DCM or
other methods to look for the patch install directory or related files but this is basically a
workaround and would fall outside of the built-in patch reports.  In my test environment I also
tried hacking a bunch of fields in the SUSDB database to make these patches show up in ConfigMgr,
to no avail.  I welcome any responses!


-Casey Robertson


Using SQL pivots for SCCM data queries

This is probably elementary for the SQL gurus out there but I learned something new yesterday and thought I would share it.  Have you ever had multiple row entries that you wanted to roll up into a columnar format?  This situation arose the other day when a poster on the myITforum mailing list was trying to take multiple rows from the view v_AgentDiscoveries to report on SCCM client discovery metrics.  By default, the data is listed like this:

This is great - all of our data is there.  But what if we want a single line for each ResourceID?  Pivot tables to the rescue - the SQL version that is.  Here is a screen grab of the query (I have also attached the code to this post).

So there you have it - the PIVOT function!  I was always a bit foggy on pivot tables in Excel but it was nice to find this functionality built into SQL.  Note that the online documentation states that the PIVOT function is only available in SQL 2005 and above so as always, please test test test!
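The screen grab and attachment are not reproduced here, so the following is an added example of the same technique and not the query originally attached to this post. It pivots constructed sample rows in a table variable that stands in for v_AgentDiscoveries; the column names (ResourceID, AgentName, AgentTime), the agent names and the output aliases are assumptions.

```sql
-- Constructed sample rows standing in for v_AgentDiscoveries.
-- Column names and agent names are assumptions, not taken from the post.
DECLARE @AgentDiscoveries TABLE (
    ResourceID int,
    AgentName  nvarchar(64),
    AgentTime  datetime
);

-- UNION ALL keeps the insert compatible with SQL 2005.
INSERT INTO @AgentDiscoveries (ResourceID, AgentName, AgentTime)
SELECT 101, 'Heartbeat Discovery',           '2009-03-02T08:15:00' UNION ALL
SELECT 101, 'Heartbeat Discovery',           '2009-03-09T08:20:00' UNION ALL
SELECT 101, 'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2009-03-08T01:00:00' UNION ALL
SELECT 102, 'SMS_AD_SYSTEM_DISCOVERY_AGENT', '2009-03-08T01:00:00' UNION ALL
SELECT 103, 'Heartbeat Discovery',           '2008-11-20T14:05:00' UNION ALL
SELECT 103, 'MP_ClientRegistration',         '2008-11-20T13:58:00';

-- One row per ResourceID; each discovery agent becomes a column holding
-- its most recent discovery time, or NULL if that agent never reported.
-- The inner SELECT lists only the three columns the pivot needs: PIVOT
-- groups by every column that is not aggregated or spread, so an extra
-- column (for example a site code) would split a resource across rows.
SELECT  p.ResourceID,
        p.[Heartbeat Discovery]           AS LastHeartbeat,
        p.[SMS_AD_SYSTEM_DISCOVERY_AGENT] AS LastADSystemDiscovery,
        p.[MP_ClientRegistration]         AS LastClientRegistration
FROM   (SELECT ResourceID, AgentName, AgentTime
        FROM   @AgentDiscoveries) AS src
PIVOT  (MAX(AgentTime)
        FOR AgentName IN ([Heartbeat Discovery],
                          [SMS_AD_SYSTEM_DISCOVERY_AGENT],
                          [MP_ClientRegistration])) AS p
ORDER BY p.ResourceID;
```

To run it against live data, replace @AgentDiscoveries in the inner SELECT with the real view and adjust the IN list to the agent names present in your site.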

Thanks and happy querying.

 

 


What to do if your server won't print

Ran into an issue last night that I had never seen before.  One of our Citrix servers simply stopped printing.  If you have worked with Citrix for any length of time you know that printing is one of the big pain points but in this case it actually was not a Citrix problem.  This server would not print to local or networked printers, via Citrix or otherwise.  Multiple reboots did not help.  Nor did reinstalling print drivers.  We kept getting errors about drivers being "missing or corrupted" regardless of what we installed.  Thanks to Google search (every system engineer's favorite tool) we finally tracked down a fix that did the trick.  Turns out it was a driver issue of sorts but at the O/S level, specifically the UNIDRV.dll and UNIDRVUI.dll files which are the low level .dll's responsible for handling manufacturer print drivers and their interaction with the O/S.  Here's how to fix it (courtesy of http://khuzaimi.blogspot.com/2008/05/printer-driver-files-missing-or-corrupt.html)


1) Go to "C:\%windir%\Driver Cache\i386" folder, extract the sp file specific to your O/S - in this case sp4.cab for Windows 2000 Server - to a folder.

2) Double click the folder, copy unidrv.dll and unidrvui.dll to a new folder on your desktop.

3) Install the utility (MoveOnBoot), then use the utility to delete the unidrv.dll and unidrvui.dll files from the "C:\%windir%\system32\spool\drivers\w32x86\3" folder.  (Alternatively you can utilize safe mode reboots to accomplish the file deletion/copying but it requires network and console access.)


4) Restart your computer after you have deleted those two files using the MoveOnBoot utility.

5) Copy the clean unidrv.dll and unidrvui.dll that you copied before and replace into the "C:\WINDOWS\system32\spool\drivers\w32x86\3".

6) Restart your computer again.
 

 

 


HP Server Updates Catalog for SCCM 2007 - Released!

It's about time!  I have been waiting for months for HP to release their updates catalog for SCCM 2007 since it was announced last fall.  This should significantly improve the server updates process for IT shops that are heavily invested in HP platforms.  

See the details here:

Hewlett-Packard Server Updates Catalog for System Center Configuration Manager 2007

http://h18013.www1.hp.com/products/servers/management/integration/catalog.html

 

 


SCCM and SQL 2008

Ran across a couple of SCCM hotfixes that we need to deploy in our environment.  This may or may not occur when using SQL 2008 SRS so for all of you that are, check out the KB articles and see if the error messages are popping up in your environment.  Happy Friday!

 
Status message ID 7404 - SQL 2008 SRS

http://support.microsoft.com/kb/957576/

Cannot query the SMS_SITE_SQL_BACKUP service "Error communicating with component"

http://support.microsoft.com/kb/957879/en-us 

Welcome to my 'tech' blog

Greetings!  My name is Casey Robertson.  I am a systems engineer specializing in enterprise management tools, specifically SCCM 2007.  For years I have made half-hearted attempts at personal blogs, Facebook or Facebook-like social sites (jury's still out) without much success (readership) or consistency.  So rather than trying to be all things to all people I'm going to blog about what I spend most of my time on - for better or for worse that means 'work'.  

Don't be offended if the occasional non-tech post pops up.  More than likely I will keep these to simple Twitter posts since I don't have a ton of time for long missives. So without any further ado, apologies or caveats, thanks for stopping by and I hope you will come back soon.

 -Casey

P.S.  Thanks to Rod Trent, intrepid leader of myITforum for getting this up and running for me.
