It has been quite busy here, putting new procedures into play, acting upon those procedures and developing auditing processes to report on those procedures. I thought I would take some time to post a few articles on one of those areas in which I had a good deal of input in all areas - Laptop Encryption.
As part of our compliance readiness effort, we have been put a significant effort into ensuring that any data which may be on our laptops is properly encrypted. In addition I was tasked with creating methods for reporting the status of encryption and creating remediation processes for those which may be or may fall out of compliance.
In this series, I'm going to concentrate only on those areas in which I used capabilities of SCCM to help with the end-game reporting.
One of the first steps in accomplishing our overall goal was to ensure that I could validate our laptop counts. The key is to capture all possible objects, while not duplicating the objects during the reporting phase. Chassis type is the logical choice for differentiating between computer object types. There is a nice write-up on the various chassis types here: http://msdn.microsoft.com/en-us/library/aa394474%28v=VS.85%29.aspx.
After reviewing the article above, I determined that the chassis times I would need to flag on were: 8, 9, 10, 12, 14 and 21. Chassis type 21 is how the Lenovo port replicator is identified. After producing a query which listed the computer names, OS types and chassis types, I added a SELECT DISTINCT statement to validate that docking stations and the like were indeed counted in addition to the laptops themselves.
Here is the query: (Please excuse the length - I like my queries readable)
-- Query to identify laptop chassis types
-- Retrieve the system name, OS type, mfg and chassis type
SELECT DISTINCT
v_R_System.Netbios_Name0,
v_R_System.Operating_System_Name_and0,
v_GS_SYSTEM_ENCLOSURE.Manufacturer0,
-- Remove this column and the comma above to remove
-- the extra records caused by the docks
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0
FROM
v_R_System INNER JOIN v_GS_SYSTEM_ENCLOSURE ON
v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
WHERE
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 12 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 14 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 21
-- Sort by system name to validate that system and dock are both counted
ORDER BY
v_R_System.Netbios_Name0
The next piece which was needed was a collection dedicated to laptop-type computer objects so I created a collection query as a subcollection of the "All Windows Workstation or Professional Systems" collection. In addition, I limited the membership query to that collection as well. Once this collection was created, I validated that the same number of systems were being reported in both the SQL query above and the collection.
Here is the collection membership query for the "All Windows Workstation or Professional Laptops" collection:
SELECT
SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System INNER JOIN
SMS_G_System_SYSTEM_ENCLOSURE ON
SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId
WHERE
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "8" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "9" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "10" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "12" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "14" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "21"
That is all for Part 1. In Part 2, I will go into detecting and reporting on encryption status.
As always, if anyone finds error in my methods or has a more efficient way of doing these things, please feel free to post a comment or email me directly.
--- Cheers!