Roger Zander at myITforum.com

Network Access Accounts are evil…

Most System Center Configuration Manager environments have a Network Access Account defined, and I've found many that use a privileged account for it (some even with a Domain Admin as NAA)…
It's time to explain why Network Access Accounts (NAA) are evil.

What is a NAA doing?

The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. (https://technet.microsoft.com/en-us/library/hh427337.aspx)

So it's only there to authenticate against the DPs when the system account is not valid. For that reason, the account must be a plain Domain User and nothing else. It does not need any special rights; it just has to be a valid account.

What is the problem with a NAA?

When a CM12 agent is joined to a site, one of the first policies it receives is the NAA. The policy is stored in the WMI namespace "root\ccm\policy\Machine\ActualConfig" in the class "CCM_NetworkAccessAccount". With the following PowerShell you can dump the NAAs (there can be more than one):

Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"

The result will look like:
NetworkAccessPassword : <PolicySecret Version="1"><![CDATA[E600000001000000D08C9DDF0115D1118C7A00C04FC297EB0100000084634746C4A
CAD42BF62321AB60FD667000000000200000000001066000000010000200000004C1
F2CBCE7813F4FBB4195391FC1C36552FAE0BE1F2699BD8F7DE7082E79DEA60000000
00E8000000002000020000000D48AB5F8132C94035373AA9144AACEA17D7DE378E3B
9B4CBA8D30CF241C46CF0100000001BA268A390F4D108A482DD1414FA2C214000000
0641BCEFB43B525C54E279AB52583F440671C446970E393630853BCF3EB72F6E7895
436888D11B3C14D3578A3890866039D8CB5E85B84C5046D54063BDE45C6B5]]></PolicySecret>

NetworkAccessUsername : <PolicySecret Version="1"><![CDATA[E600000001000000D08C9DDF0115D1118C7A00C04FC297EB0100000084634746C4
ACAD42BF62321AB60FD66700000000020000000000106600000001000020000000B
2228B890D478889DC5E7BD2129AD78E8FEDA750928E366AA3AA0AB8A013F7320000
00000E80000000020000200000004EF3230113F278B03BB8623887F1817F1F8A1BB
0C82FDD6B3A95D34FD52A56A510000000B444E88362956E2C5D3AFBAB14F9EAC140
0000006D6BC523E04FEDEBBD347246A003AAC28EF18B84C8C0237BDFF4F3DB9B839
58FB6448A47BF035C9FD48A86E1A7B6455028C96325499BF75EE8052CEB98071F92]]></PolicySecret>

As you see, the username and password are "encrypted" and should be safe from "normal" users…
But: the CM agent must be able to decode the strings, and if you know how the CM agent does that, then you know how to decode the username and password. I will not publish any details here, but it's possible with a few lines of code (e.g. PowerShell) to get the values in clear text.

That means: every machine with a CM12 agent that is attached to a CM site has that username and password, and bad guys can take them if they have access to the machine (I have to mention that you need local admin rights to get the details…). Or they can assign the CM agent on a machine to your CM12 site and they will get a username and password for your domain…

What can be done to reduce the risk?

1) Never use a privileged account as NAA; a NAA that is a Domain User only, with interactive logon disabled, is the recommended option. (https://technet.microsoft.com/en-us/library/hh427337.aspx)

2) Manually approve each CM12 agent, or at least trust only agents from your domain (the default value). Do not auto-approve all agents.

3) Do not use a NAA (see next section…)
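Two checks that follow from points 1) and 3), as an added example (this is not code from the original post): the first verifies from the domain side that a NAA candidate is a plain Domain User with no privileged group membership, including membership inherited through nested groups; the second counts how many NAA policies a client has actually received, which should be 0 once the site runs without a NAA. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the list of privileged groups is an assumption you should adjust to your environment. The function names are mine.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory module (RSAT) is available on the machine running it.
function Test-NaaIsUnprivileged {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumed list of groups a NAA must never be a member of; extend for your domain.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Server Operators',
                                        'Backup Operators', 'Print Operators')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordNeverExpires

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership, so a NAA that sits in a
    # group which is itself a member of Domain Admins is caught as well.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

    [pscustomobject]@{
        Account          = $user.SamAccountName
        Enabled          = $user.Enabled
        PrivilegedGroups = $hits
        IsUnprivileged   = ($hits.Count -eq 0)
    }
}

function Get-NaaPolicyCount {
    # Number of NAA entries the local client has received from its site.
    # 0 is what you expect when the DPs allow anonymous access and no NAA is configured.
    @(Get-WmiObject -Namespace 'root\ccm\policy\Machine\ActualConfig' `
                    -Class 'CCM_NetworkAccessAccount' -ErrorAction SilentlyContinue).Count
}

# Usage ('svc-cm-naa' is a placeholder account name):
Test-NaaIsUnprivileged -SamAccountName 'svc-cm-naa'
Get-NaaPolicyCount
```

Run the first function on a domain-joined admin workstation with RSAT; the second runs on any client with the CM agent and needs local admin rights, as the post already notes.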

Is it possible to NOT use a NAA?

Yes, a NAA is only there to authenticate against the DPs if the machine is not in the domain (e.g. during OSD). If you enable anonymous access on your DPs, authentication is no longer required on the DP and the NAA is not required.
Enabling anonymous access on the DPs has some side effects that you must be aware of:

Pros:

  • No authentication Problems during OSD, from Workgroup or untrusted domains
  • Windows Installer Source update can be used in untrusted domains or workgroups (msiexec does not need to authenticate to get the files from the DP)
  • You can auto approve all your CM Agents (No Risk, because no NAA)
  • No NAA required

Cons:

  • Everyone has access to the content of your DP’s (if they know the URL).
  • You cannot Audit access on the DP, you just get the IP of the Agent but no Username.

What is recommended ?

There is no true or false, you have to discuss this with your security officer…

I prefer "anonymous" access on the DPs because it makes processes simpler (no locked NAA accounts or other authentication problems during OSD) and you can enable auto-approval for all agents…

Posted: May 08 2015, 03:01 PM by rzander | with no comments
Import RuckZuck Applications to Configuration Manager 2012

RuckZuck for Configuration Manager is a new Applications-as-a-Service (AaaS) Solution to import Software from the RuckZuck repository into System Center Configuration Manager 2012 R2.

The created Applications do not require RuckZuck or any other tools as prerequisite and you can modify the installations scripts (PowerShell) to customize the installations.

Be aware that importing software from RuckZuck does not automatically grant you a license for that product. 

Requirements:
- System Center Configuration Manager 2012 R2
- Internet Connection
- .NET Framework 4.5

Setup:
- Install “RZ4ConfigMgrSetup.exe” as Admin on the CM12 Server or a Device with the CM12 Console installed.
- After installation, Notepad will open a config file. Please specify a UNC path (with write access!) in "CM12ContentSourceUNC". Depending on your infrastructure, other settings must be configured as well (e.g. SQL Server and DB name of the CM database).
- You have to restart the CM12 Console after Installation.

Usage:
A console extension on the Application node allows you to import software with a few clicks…

You can choose from hundreds of Applications from the RuckZuck repository

The tool will automatically create an Application in CM12,

… downloads the source from the manufacturers web page, creates deployment types, collections and deployments…

… all fully automated. You only have to assign the App to your Distribution Points and you are done. The Application will be available in the Application Catalog.

With the saved time, you can help improve the repository by providing feedback (e.g. issues with apps) or you can create new software entries.

Note: the Software is as is without warranty and support.

RuckZuck, a Software Package Manager for Windows

RuckZuck is a new Software Package Manager for Windows with a simple graphical User-Interface.

RZInstall

RuckZuck has its own repository, but it does not store binaries of the software, just the links to where the software can be downloaded.
It detects installed software based on entries in "Add/Remove Programs" and provides updates if a newer version exists in the repository.

Users can create new Software-Entries for their favorite tools ( How to create and upload new Software ), so the Repository can grow in the future…

This is the first release of the tool, discussions and features can be placed on ruckzuck.codeplex.com.

Prerequisites to run the tool:
- Microsoft .NET Framework 4.5
- Powershell 4


Posted: Dec 15 2014, 03:18 PM by rzander | with no comments
How to use Collection Variables outside of Task-Sequences

Out of the box, Collection and Device Variables are only usable from within Task Sequences. To get the variables outside of Task Sequences, you can install an additional WMI provider (https://gallery.technet.microsoft.com/ConfigMgr-Collection-1650d5bc) that exposes the variables and values in a separate WMI class (root\ccm\clientsdk:EXT_CollectionVariables).

Example to get all Variables assigned to the local device:

Get-WMIObject -Namespace 'root\ccm\clientsdk' -Class 'EXT_CollectionVariables'

Example to get the value of a specific variable:

(Get-WMIObject -Namespace 'root\ccm\clientsdk' -Class 'EXT_CollectionVariables' -Filter "Name='Country'").Value

By using the WMI Provider, you can now use ConfigMgr Variables in PowerShell installation Scripts…
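For use inside an installation script, the lookup above needs two failure modes handled: the provider is not installed on the device (the class does not exist), or the variable is simply not assigned to the collection. The following wrapper, an added example and not code from the post or the provider's project, returns a default in both cases. The function name is mine, and "Country" / "CH" are only illustrative values.

```powershell
# Added example, not from the original post. Requires the EXT_CollectionVariables
# WMI provider linked above on the client; degrades to a default value without it.
function Get-CMCollectionVariable {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Default = $null
    )
    # WQL string literals use backslash escaping; keep a quote in the name from breaking the filter.
    $safeName = $Name -replace "'", "\'"
    try {
        $entry = Get-WmiObject -Namespace 'root\ccm\clientsdk' -Class 'EXT_CollectionVariables' `
                               -Filter "Name='$safeName'" -ErrorAction Stop
    } catch {
        # "Invalid class" when the provider is missing, or WMI is not reachable at all
        Write-Warning "EXT_CollectionVariables not available: $($_.Exception.Message)"
        return $Default
    }
    if ($null -eq $entry) { return $Default }   # variable not assigned to this device
    return $entry.Value
}

# Usage in an installation script: fall back to 'CH' when no Country variable is assigned.
$country = Get-CMCollectionVariable -Name 'Country' -Default 'CH'
"Installing with country setting: $country"
```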


Note: The WMI Provider is as is without support or warranty; .NET Framework 4.5 is a prerequisite

Posted: Nov 06 2014, 06:02 PM by rzander | with no comments
FREE Inventory Solution

Initially it was planned to create a solution to store status information from SmartHome devices… But during testing I always used data from my PC and realized that inventorying a PC isn't a big challenge… The solution is published as "Thingtory" (no, there is no political background!) on Codeplex (https://thingtory.codeplex.com/).

A few Key-Features:

A demo environment is published on http://thingtory.azurewebsites.net/. You have to register to get an access key. The key is required to protect your data so other users will not see it.

A simple reporting view allows you to browse the inventory database and export data as an XML dataset (which can be imported into Excel).

Note: this is just a case study… but you are free to extend it based on your wishes….

Collection Query findings

Collection queries can be created easily from the Configuration Manager console without deep knowledge of WQL or SQL… But have you ever checked how long the Collection Evaluator needs to execute the query?

An example: the following rule should get all machines with a specific piece of software installed, where the software itself can be x86 or x64:

CollEval took 153s (2min 33s) to evaluate the rule (in an environment with ~15'000 devices).

The problem with this rule is that two big tables with a lot of records per device are joined.

In this case it would make sense to create two individual queries on the collection, one for x86 and one for x64. A query that references only one of the two big tables takes about 2s in this environment, so for two queries you end up at ~4s.

Another Option would be to use “Installed Software” instead of “Installed Applications” because “Installed Software” contains x86 and x64 Software in one Table:

This rule took only 2s.

"Installed Software" is not enabled by default; you have to enable this inventory class in the Asset Intelligence section.
If you want a single query rule for x86 and x64 "Installed Applications", you can use a sub-select statement:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId in
      (select SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId
       from SMS_G_System_ADD_REMOVE_PROGRAMS
       where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "SoftwareA")
   or SMS_R_System.ResourceId in
      (select SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId
       from SMS_G_System_ADD_REMOVE_PROGRAMS_64
       where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "SoftwareA")

This query also took 2s.

Conclusion:
There are many ways to get the result, but the time CollEval needs to execute a query can vary a lot (in the scenario here from 153s down to 2s).

Posted: Aug 27 2014, 02:49 PM by rzander | with no comments
Unattended ConfigMgr2012 Setup

How much effort does it take to set up a System Center Configuration Manager 2012 R2 site?

It's just one command!!!

If you have Windows Management Framework 5.0, just enter "install-package cm12r2", or with Chocolatey: "cinst cm12r2".

Prerequisites:
- Server 2012 R2 (Domain joined)
- .Net Framework 3.5.1 installed !!!
- Fast internet connection (it will download ~4GB of data)
- 3 hours (depending on the internet connection)
- more than 10GB free Disk space on drive C:

What does it do:

The package cm12r2 installs the following dependencies:
- cm12r2.iis (installation and configuration of IIS and other required Windows features)
- cm12r2.adk (download and installation of ADK 8.1 with the features required for CM12)
- cm12r2.sql2012 (download and installation of SQL Server 2012 SP2 EVAL)
- cm12r2.cm (download and installation of System Center Configuration Manager 2012 R2 EVAL)

At the end you should have a fully functional ConfigMgr2012 Site.

Note: All the sources are downloaded directly from Microsoft. The setup is for evaluation only, do not use this in a productive environment !!

Posted: Jul 04 2014, 11:27 AM by rzander | with no comments
MSI UpgradeCode as Detection Method in CM12

Configuration Manager 2012 has a built-in wizard to use the MSI Product Code in the detection method, but there is no option to check for the Upgrade Code of a Windows Installer package.

The Product Code is a GUID that "normally" changes with different versions or languages, whereas the Upgrade Code identifies a product across languages and versions. So it may (sometimes) be helpful to use the Upgrade Code in a detection method if it doesn't matter which version or language is installed.

Product Code:  http://msdn.microsoft.com/en-us/library/aa370854(v=vs.85).aspx
Upgrade Code: http://msdn.microsoft.com/en-us/library/aa372375(v=vs.85).aspx

The Installed Upgrade Codes (x86 and x64) are stored in the Registry:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes

But to make it more challenging, the Upgrade Codes are "scrambled" (no idea why!?), so you cannot just search for the key…

To "scramble" your code, take the first 8 characters and read them from right to left (reverse), then do the same with the next 4 characters, then again with 4 characters, and for the rest always take 2 characters and reverse them:

With PowerShell you can use the following example to get the "scrambled" key:

$UpgradeCode = '{35265AC6-8855-4970-9275-C1E3EDDB46F1}'

# Segment lengths: 8, 4, 4 and then eight pairs; each segment is reversed on its own
$code = @( 8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2 )
# Keep only the 32 hex digits (drop braces and hyphens); upper-case to match the registry key
$string = ($UpgradeCode -replace '[^0-9A-Fa-f]').ToUpper()
$pos = 0
$result = ''

# Scramble
for ($i = 0; $i -lt $code.Length; $i++)
{
    $arr = $string.Substring($pos, $code[$i]).ToCharArray()
    [array]::Reverse($arr)
    $result += (-join $arr)
    $pos += $code[$i]
}

$result

You can then use the resulting key to create a detection rule that checks whether the registry key exists, or you can use a custom script in the detection method to check whether the Upgrade Code exists:

$UpgradeCode = '{35265AC6-8855-4970-9275-C1E3EDDB46F1}'

$code = @( 8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2 )
$string = ($UpgradeCode -replace '[^0-9A-Fa-f]').ToUpper()
$pos = 0
$result = ''

# Scramble
for ($i = 0; $i -lt $code.Length; $i++)
{
    $arr = $string.Substring($pos, $code[$i]).ToCharArray()
    [array]::Reverse($arr)
    $result += (-join $arr)
    $pos += $code[$i]
}

# Test if key exists; CM treats any output with exit code 0 as "installed", no output as "not installed"
if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\$result")
{ $true } else { $null }
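The scrambling is an involution: reversing each segment twice restores the original order, so the same routine also unscrambles a key taken from the registry. The following added example (my code, not from the original post) packages the transformation as two functions and goes one step beyond the post by reading the value names stored under the UpgradeCodes key, which are the scrambled Product Codes of the installed products that share that Upgrade Code, and turning them back into readable GUIDs. The function names are mine; the registry path is the one the post names.

```powershell
# Added example, not part of the original post.
function ConvertTo-SquishedGuid {
    param([Parameter(Mandatory)][string]$Guid)
    $hex = ($Guid -replace '[^0-9A-Fa-f]').ToUpper()
    if ($hex.Length -ne 32) { throw "Not a GUID: $Guid" }
    $segments = 8, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2
    $pos = 0
    $out = New-Object System.Text.StringBuilder
    foreach ($len in $segments) {
        $chars = $hex.Substring($pos, $len).ToCharArray()
        [array]::Reverse($chars)
        [void]$out.Append(-join $chars)
        $pos += $len
    }
    $out.ToString()
}

function ConvertFrom-SquishedGuid {
    param([Parameter(Mandatory)][string]$Squished)
    # Applying the segment reversal again undoes it; only braces and hyphens must be restored.
    $hex = ConvertTo-SquishedGuid -Guid $Squished
    '{{{0}-{1}-{2}-{3}-{4}}}' -f $hex.Substring(0, 8), $hex.Substring(8, 4),
                                  $hex.Substring(12, 4), $hex.Substring(16, 4), $hex.Substring(20, 12)
}

function Get-MsiProductCodesByUpgradeCode {
    param([Parameter(Mandatory)][string]$UpgradeCode)
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes'
    $key  = Join-Path $base (ConvertTo-SquishedGuid -Guid $UpgradeCode)
    if (-not (Test-Path $key)) { return @() }   # nothing with this Upgrade Code is installed
    # Each value name under the key is the squished Product Code of one installed product.
    (Get-Item $key).GetValueNames() |
        Where-Object { $_ -match '^[0-9A-F]{32}$' } |
        ForEach-Object { ConvertFrom-SquishedGuid -Squished $_ }
}

# Usage with the sample Upgrade Code from the post: round-trip check, then registry lookup.
$upgrade  = '{35265AC6-8855-4970-9275-C1E3EDDB46F1}'
$squished = ConvertTo-SquishedGuid -Guid $upgrade
if ((ConvertFrom-SquishedGuid -Squished $squished) -ne $upgrade) { throw 'round-trip failed' }
Get-MsiProductCodesByUpgradeCode -UpgradeCode $upgrade
```

Used as a detection script, the last line is what matters: it prints one GUID per installed product with that Upgrade Code and nothing when there is none, which is exactly the output/no-output contract the custom-script detection method relies on.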

Posted: Jun 24 2014, 04:02 PM by rzander | with no comments
Chocolatey Applications in Configuration Manager 2012

Do you want to pimp the Configuration Manager Application Catalog in your demo or lab environment with some (~200) nice-looking applications…

… then download the ChocoApp application archive and import it into Configuration Manager 2012.

The applications are imported from the chocolatey.org package repository. They use the Chocolatey command to download and install the applications. The apps do not carry any content, because Chocolatey loads the content directly over the Internet.


To make the applications available in the Application Catalog, you have to create a deployment for these "ChocoApps"… This can be done with PowerShell, or you can use "ChocoDeploy" to create a deployment to the "All Users and User Groups" collection.

Just copy ChocoDeploy.exe and ChocoDeploy.exe.config to the "Microsoft Configuration Manager\AdminConsole\Bin" directory on the site server and start it from there.


Note: There is no warranty or Support, use at your own risk.

Posted: May 28 2014, 11:14 AM by rzander | with no comments
PowerShell scripts in Collection Commander

With the release of Collection Commander V1.0.0.6, PowerShell commands are now all stored as files in the "PSScripts" directory next to the executable…

The PS1 files can be moved into subfolders to keep the files organized…

The PowerShell command console loads all the files and folders and generates a menu structure identical to the folder structure…

The latest version already contains a set of PowerShell examples, but if you have some scripts to share, send me a note or post the PS code on cmcollctr.codeplex.com.

Posted: Jan 31 2014, 03:52 PM by rzander | with no comments
Monitor Inventory WMI Provider updated

The Project moved from Sourceforge to https://monitordetails.codeplex.com/.

The new version of the WMI provider now also reports the

- diagonal size (in inches)
- horizontal size (in cm)
- vertical size (in cm)

You can extend Configuration Manager 2012 hardware inventory to collect the WMI class "Win32_MonitorDetails"…

Posted: Jan 09 2014, 09:31 AM by rzander | with no comments
Client Center for Configuration Manager stable release

Client Center for Configuration Manager is now available as stable release (version 1.0.0).

A Windows Installer setup is available for x64 and x86. There is also a browser-based version that can be hosted on an internal IIS server.

Or you can use the ClickOnce edition, which automatically updates to the latest version.

Note: .NET 4 and WinRM are required to use the tool.

Posted: Dec 23 2013, 12:33 PM by rzander | with no comments
PowerShell to cleanup expired "Client Operations" tasks

Deleting old, unused Client Operations tasks in the Configuration Manager 2012 console is a pain because you cannot delete multiple items; you have to delete them one by one…

The following PowerShell command cleans up all expired "Client Operations" tasks (console node Monitoring\Client Operations).
Replace xxx with your site code and run the command on the site server.

Get-WmiObject -Namespace "root\sms\site_xxx" -Class SMS_ClientOperationStatus -Filter "IsExpired=1" | ForEach-Object { ([wmiclass]"root\sms\site_xxx:SMS_ClientOperation").DeleteClientOperation($_.ID) }

Posted: Nov 26 2013, 12:59 PM by rzander | with no comments
Stable release for Collection Commander

Collection Commander for Configuration Manager 2012 now has a stable version (build V1.0.0.3), which is available as a Windows Installer (MSI) package.

Change log:
- MSI Setup
- UI Improved
- CM12 Console integration
- New Powershell code snippets
- Client Center Integration

If you are missing some functions, please leave a note on https://cmcollctr.codeplex.com/discussions (with the corresponding PowerShell command, if available).

Posted: Oct 15 2013, 07:54 PM by rzander | with no comments
Configure WinRM by using CM12 Settings Management

Configuring WinRM (Windows Remote Management) via GPO is a common scenario, but what do you do if your systems are not members of a domain?…
Compliance Settings in Configuration Manager 2012 can monitor and remediate configurations, so why not use this technology to track the WinRM settings on your systems.

I've prepared a baseline that monitors and remediates some basic WinRM settings:

You can download the Baseline example here: WinRM Configuration.zip

Posted: Jun 21 2013, 03:41 PM by rzander | with no comments