
Sponsored Post

BitLocker disk encryption technology has been a part of the Windows operating system since Windows Vista. It didn’t really hit its stride until Windows 8.1, and now, with Windows 10, it’s almost perfect (in terms of compatibility and manageability).

Bottom line as to why you should use it—it just works. It can be enabled during the imaging process from both MDT and ConfigMgr, or enabled via script and controlled by Group Policy. The decryption and recovery keys can be stored in Active Directory or the Microsoft BitLocker Administration and Monitoring (MBAM) product. There are also several decryption methods, such as TPM unlock, smart card requirements or PIN requirements. All in all, it’s very versatile and totally manageable.

This post assumes that you are running Windows 10 Creators Update on a device that has a TPM. The ConfigMgr options assume at least version 1702. If you do not meet these requirements, not all of the features described here will be available.

Decryption Methods and Combinations

There are several ways to unlock a BitLocker drive, and all of them are built from three key protectors: the TPM, a startup key on a USB drive (or smart card) and a password or PIN. The TPM does not simply hand the key to the disk: it seals the volume master key to the measured boot state and releases it only when the firmware, boot loader and boot configuration match what was measured when the protector was created. That is why a firmware change or tampering with the boot chain sends a machine into recovery. The startup key method stores key material on a USB drive that must be inserted at boot; it can also use a smart card. The password method is exactly what it says: the user must type a password (or PIN) to unlock the disk. Note that a TPM-only protector unlocks with no user interaction, so it protects a drive that is pulled from the machine but still boots a stolen laptop all the way to the logon screen; adding a PIN is what closes that gap. These three protectors can be used in these combinations:

  • TPM only
  • TPM + password
  • TPM + USB
  • TPM + password + USB
  • USB only
  • Password only

Enable During ConfigMgr Task Sequence

Enabling BitLocker is done with two task sequence steps. First, you must Pre-provision BitLocker. This must be done after you have partitioned the disk and before you apply the operating system.

image001

Since the drive has no data at this point, this step runs very fast. This step also assumes that you have a TPM chip, so I recommend keeping the bottom check-box enabled. This step also does not set the protection method. That is done with the second step.

image003

Because BitLocker has already been provisioned, this step also runs very fast. It offers most of the combinations listed above, except TPM + password + USB. If you want that combination, you must configure it from Group Policy. Also, the ConfigMgr step only gives you a PIN option, not a password. This step automatically escrows the recovery password into Active Directory, but it does nothing with MBAM, so it is suited to basic BitLocker deployments. The other drawback of this step is the PIN itself: it is a single value stored in the task sequence, so every device imaged with that sequence gets the same PIN (and anyone who can view the task sequence can read it). Require users to change it immediately after imaging.

The “Pre-Provision BitLocker” step does not have to be used in conjunction with the “Enable BitLocker” step. You can use the pre-provision step with the “manage-bde” command utility or the BitLocker PowerShell cmdlets for more advanced options.
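As an added example (this is not code from the original post), here is what the "Enable BitLocker" step looks like when done with the BitLocker and TPM cmdlets that ship with Windows 10: the recovery password is created and escrowed to AD DS first, and only then is the volume bound to the TPM with a PIN. The $PinPlainText placeholder, the XTS-AES 256 choice and the -UsedSpaceOnly/-SkipHardwareTest options are this example's assumptions; it works both on a freshly pre-provisioned (clear-key) volume and on an unencrypted one.

```powershell
# Added example, not code from the original post.
# Enables BitLocker on the OS drive with TPM + PIN, creates a recovery password
# and escrows it to AD DS before the TPM protector is applied.
# Assumes Windows 10 1703, a ready TPM and domain membership (for Backup-BitLockerKeyProtector).
# $PinPlainText is a placeholder; a real deployment would supply it securely.
param(
    [string]$MountPoint   = $env:SystemDrive,
    [string]$PinPlainText = '123456'     # placeholder only; users must change it after imaging
)

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; a TPM-based protector cannot be added.'
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Recovery password first, so a way back exists before the disk is bound to this TPM.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}
$recovery = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1

# 2. Escrow to AD DS. This is the same write the Group Policy escrow performs; it
#    fails if the computer account cannot create msFVE-RecoveryInformation under itself.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 3. Bind the volume to TPM + PIN.
$pin = ConvertTo-SecureString -String $PinPlainText -AsPlainText -Force
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Nothing pre-provisioned: start encryption now. -SkipHardwareTest avoids the
    # extra reboot of the hardware test; -UsedSpaceOnly suits a freshly imaged disk.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest | Out-Null
}
elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    # Pre-provisioned volume (clear key): add the protector, then turn protection on,
    # which removes the clear key.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
}

# 4. Show the result. ProtectionStatus must read 'On'; 'Off' means a clear key is still present.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it elevated. Doing the escrow explicitly in step 2 means the script fails closed if AD is unreachable, which is the same outcome the "Do not enable BitLocker until recovery information is stored to AD DS" policy enforces.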

No ConfigMgr? No Problem

If you do not have ConfigMgr, or your devices are already deployed, you must use a script to enable BitLocker. Microsoft provides a good one that can be downloaded here. You can execute this script from Group Policy or deploy via ConfigMgr.

Once the script is in place, you can configure the options for BitLocker from Group Policy. The Group Policy settings for BitLocker are located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

There are a lot of advanced options for BitLocker available in Group Policy. I suggest looking at them and deciding what is best for your organization. I am going to hit the highlights.

The most important setting is called “Choose how BitLocker-protected operating system drives can be recovered.” This setting enables the escrow of recovery keys to Active Directory.

image005

Once this policy is enabled, you have the option to check the “Save BitLocker recovery information to AD DS for operating system drives”. Also, I would consider checking the box for “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives,” as it will prevent the drive from encrypting until the recovery information is stored in AD.

Note that this same setting exists for fixed and removable drives, as well.

At the root of the BitLocker section, there are three different drive encryption methods and cipher strengths for different operating system families. I suggest setting those, most importantly for Windows 10 1511 and later.

image007

XTS-AES encryption is only available with Windows 10 1511 and later, and it is the default on those builds. I recommend using it: XTS is the mode designed for disk encryption, and unlike AES-CBC (which BitLocker has used without its Elephant diffuser since Windows 8) it limits what an attacker can achieve by modifying ciphertext on a drive they cannot decrypt. Because XTS-AES volumes cannot be read by older versions of Windows, you may want to leave removable drives at AES-CBC for compatibility. Whatever you choose, verify it on a finished machine with manage-bde -status (the Encryption Method line) rather than trusting the policy alone.
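As an added example (not code from the original post), the audit below reports every BitLocker volume on a machine against the points made above: cipher (XTS-AES expected on fixed and OS drives, AES-CBC tolerated on removable media), whether protection is actually on, whether a recovery password exists, and whether the OS drive is TPM-only. The finding strings are this example's own wording, not BitLocker output, and the removable-media detection via Get-Volume is an assumption of the example.

```powershell
# Added example, not code from the original post.
# Audits every BitLocker volume against the settings discussed in the text.
# Uses only the BitLocker and Storage cmdlets that ship with Windows 10.
function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    foreach ($v in Get-BitLockerVolume) {
        $types    = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = New-Object System.Collections.Generic.List[string]

        # Removable media is allowed to stay on AES-CBC for compatibility (see text).
        $letter      = $v.MountPoint.TrimEnd(':', '\')
        $isRemovable = $false
        if ($letter.Length -eq 1) {
            $isRemovable = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType -eq 'Removable'
        }

        if ($v.VolumeStatus -eq 'FullyDecrypted') {
            $findings.Add('not encrypted')
        }
        else {
            if ($v.ProtectionStatus -ne 'On') {
                # Suspended or clear key: the volume master key is readable without any protector.
                $findings.Add('protection off (suspended or clear key)')
            }
            if (-not $isRemovable -and $v.EncryptionMethod -notlike 'XtsAes*') {
                $findings.Add("cipher $($v.EncryptionMethod) is not XTS-AES")
            }
            if ($types -notcontains 'RecoveryPassword') {
                $findings.Add('no recovery password protector')
            }
            if ($v.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm') {
                # 'Tpm' is the TPM-only protector; TPM + PIN shows up as 'TpmPin'.
                $findings.Add('TPM-only unlock (no PIN)')
            }
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            Removable        = $isRemovable
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            Protectors       = ($types -join ', ')
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: list only the volumes that need attention.
Get-BitLockerAudit | Where-Object Findings | Format-Table -AutoSize
```

Run it elevated; deployed through ConfigMgr as a script or compliance item, the Findings column is what you would base a non-compliance rule on.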

Viewing Recovery Keys

To view BitLocker recovery keys, you need the BitLocker Recovery Password Viewer from RSAT. This tool adds an additional tab called “BitLocker Recovery” when you view a computer object from Active Directory Users and Computers. It will show you the recovery password for the computer.

If you do not have the computer name, it also adds a “Find BitLocker recovery password” option to the context menu. From this menu, you can type in the password ID displayed on the screen of a locked computer.
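As an added example (not code from the original post), the function below does the same two lookups as the Recovery Password Viewer from PowerShell, using the ActiveDirectory RSAT module. It relies on the way BitLocker stores escrowed passwords: one msFVE-RecoveryInformation object per recovery password, created under the computer object and named "<timestamp>{<recovery GUID>}", where the password ID shown on the locked machine's recovery screen is the first eight hex digits of that GUID. The parameter names are this example's own.

```powershell
# Added example, not code from the original post.
# Finds BitLocker recovery passwords in AD DS by computer name or by the password ID
# displayed on a locked machine. Requires the ActiveDirectory module and read access to
# msFVE-RecoveryPassword; that access is exactly what the delegation grants, so audit who has it.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    [CmdletBinding()]
    param(
        [string]$ComputerName,  # search under one computer object
        [string]$PasswordId     # or match the ID displayed on the locked machine
    )

    $searchBase = if ($ComputerName) {
        (Get-ADComputer -Identity $ComputerName).DistinguishedName
    } else {
        (Get-ADDomain).DistinguishedName   # domain-wide search; slower, so supply the ID
    }

    Get-ADObject -SearchBase $searchBase -SearchScope Subtree `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
    ForEach-Object {
        # Name is "<timestamp>{<GUID>}"; the GUID string is what the Viewer shows as the ID.
        $guid = if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}$') { $Matches[1].ToUpper() } else { '' }
        [pscustomobject]@{
            # The parent of the recovery object is the computer object.
            Computer         = ((($_.DistinguishedName -split ',', 2)[1]) -replace '^CN=([^,]+).*', '$1')
            PasswordId       = $guid
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    } |
    Where-Object { -not $PasswordId -or $_.PasswordId.StartsWith($PasswordId.Trim().ToUpper()) }
}

# Usage examples (names and ID are placeholders):
# Get-BitLockerRecoveryFromAD -ComputerName 'LAPTOP01'
# Get-BitLockerRecoveryFromAD -PasswordId '1A2B3C4D'
```

A computer that has been re-imaged or has had its protectors recreated will have several objects; sort by Created and match the full ID from the recovery screen to pick the right one.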

Securing Your Organization

Securing Windows endpoints with BitLocker and other measures in a large organization is a challenge because you have so many computers and so little time. Adaptiva offers technology that can automate security configuration management across the company. It can identify violations to security and compliance policies, including Microsoft and third-party security applications, and automatically remediate them. It has built-in checks for BitLocker, but can do a great deal more.

Download this Adaptiva Client Health key features data sheet if you would like to learn more:

Happy BitLocker-ing!

Matt Tinney is CEO, Windows Management Experts.


If you have started a Windows 10 migration in your corporate environment, you’ve probably heard about MBR2GPT.exe, the tool that helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). While the tool was introduced in the Insider Preview versions, it is officially supported in Windows 10 1703 (also known as the Creators Update). MBR2GPT.exe is the only Microsoft-supported way to convert a production disk (one with data already on it) from MBR to GPT without data loss. The tool can be run from an administrative command prompt after an in-place upgrade to Windows 10 1703, or in the Windows PE (WinPE) environment. Furthermore, older versions of Windows 10 (v1511 and v1607) can be converted using the tool if booted into WinPE.

If a drive is protected with BitLocker encryption, then you will need to suspend BitLocker before converting. After conversion, delete the existing protectors (PIN, Password, Certificate, etc.) and recreate them to resume encryption. If you are using third-party disk encryption, you need to work with your ISV. It’s the only sure way to determine the minimum requirements to successfully convert disk partitions without triggering a device lock or brick while keeping the drive encrypted.

How Does It Work?

Converting within Windows

To start the conversion within Windows, open an administrative command (or PowerShell) prompt. To see the full list of command line switches that can be passed to the tool, type mbr2gpt.exe /? or mbr2gpt.exe /help.

mbr2gpt-01

The correct syntax to run the conversion tool within a Windows session is

mbr2gpt.exe /convert /allowFullOS

mbr2gpt-02

If you simply want to validate the disk (run a check without converting), then just replace the /convert switch with /validate.

mbr2gpt.exe /validate /allowFullOS

mbr2gpt-03

Converting within WinPE

To convert disk layout in WinPE, use a Run Command Line action with the following syntax:

cmd.exe /c mbr2gpt.exe /convert /disk:<disknumber>

mbr2gpt-04
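As an added example (not code from the original post), the two functions below wrap the full-OS conversion path with the BitLocker handling described earlier: validate, suspend BitLocker so that it stays suspended across the reboot into UEFI mode, convert, and then, after the first successful UEFI boot, recreate the TPM protector and resume. The function names, the -RebootCount 0 choice and the assumption of a TPM-only protector on the OS drive are this example's own; if the drive used TPM + PIN, recreate it with -TpmAndPinProtector instead.

```powershell
# Added example, not code from the original post.
# Assumes Windows 10 1703, mbr2gpt.exe in System32 and a TPM-protected OS drive
# that already has an escrowed recovery password.

function Invoke-Mbr2GptConversion {
    param([int]$DiskNumber = 0, [string]$MountPoint = $env:SystemDrive)

    $exe = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'

    # Validate before touching anything. The exit code is the tool's own (see Return Codes).
    & $exe /validate "/disk:$DiskNumber" /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        throw "mbr2gpt validation failed with code $LASTEXITCODE; see $env:SystemRoot\setuperr.log"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $encrypted = $vol.VolumeStatus -ne 'FullyDecrypted'
    if ($encrypted) {
        if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            throw 'No recovery password on the OS drive; add and escrow one before converting.'
        }
        # RebootCount 0 keeps BitLocker suspended until Resume-BitLocker is called. The
        # firmware switch changes the boot measurements, so an armed TPM protector would
        # force recovery on the first UEFI boot.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    }

    & $exe /convert "/disk:$DiskNumber" /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        if ($encrypted) { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
        throw "mbr2gpt conversion failed with code $LASTEXITCODE; see $env:SystemRoot\setuperr.log"
    }
    "Disk $DiskNumber converted. Switch the firmware to UEFI, boot once, then run Restore-BitLockerProtectors."
}

function Restore-BitLockerProtectors {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return }

    # Delete and recreate the TPM-bound protector so it seals to the new (UEFI) measurements.
    # The recovery password stays in place throughout, so the drive is never left without a protector.
    $tpmBound = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    foreach ($p in $tpmBound) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, ProtectionStatus,
            @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}
```

Do not resume BitLocker until the machine has booted in UEFI mode: a protector sealed under BIOS measurements would otherwise demand the recovery password at the first UEFI boot, which is the "device lock" the text warns about.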

What If I’m Refreshing or Replacing the PC?

If you’re re-installing Windows to the current disk, or if you’re replacing the drive or computer, you will not be using the MBR2GPT.exe tool. If the system is booted in UEFI mode before the Format and Partition Disk step happens in the Install Operating System group, the Task Sequence engine will happily format the disk for GPT. If you have created a sequence that restores user data, it will still be able to be restored.

What Are the Limitations?

The first and perhaps most important limitation is that MBR2GPT.exe is not the same thing as “BIOS to UEFI”. MBR2GPT.exe is a tool to convert partition layout while BIOS to UEFI is the process of converting a system’s firmware mode from BIOS to UEFI.

While MBR2GPT.exe can be run from the full OS or in WinPE, it should be run before the firmware is switched from BIOS to UEFI during an in-place upgrade, and preferably in WinPE. If the tool is run after the firmware mode is switched and the conversion fails for some reason, the device will not boot until it is manually switched back to BIOS mode.

If you are performing a PC refresh or replace, the firmware should be switched to UEFI before the “Format and Partition Disk” step runs in the Install Operating System group. It is possible to do this later in the sequence, but this route is more reliable. The reason is that this group has two Format and Partition actions with conditions on them that read whether the PC is in BIOS mode or UEFI mode and format and partition the disk accordingly. As you can see below, the top image depicts what the Task Sequence engine will do to the disk if the PC is running in BIOS mode, and the bottom image shows what it will do if it is in UEFI mode. The most important takeaway is that BIOS mode means the disk will be formatted in MBR layout, and UEFI means it will be formatted in GPT layout.

mbr2gpt-05
mbr2gpt-06

Legacy versions of Windows aren’t officially supported. If you successfully convert the partition type into GPT layout, you’ve stepped out of the realm of support. Typically, “not officially supported” means it can likely be done, but it isn’t well tested internally, so you’re on your own if something goes wrong or if you have questions. It would be better to upgrade the system to a version of Windows that is supported.

Once the disk layout has been converted, you cannot undo it. Furthermore, if the layout was performed during an in-place upgrade, you will not be able to go back to a previous version of Windows. I was able to test and validate this limitation in all three major PC vendors (Dell, Lenovo, HP).

To use the tool, the disk to be converted must have fewer than four partitions (three primary partitions is the documented maximum, and extended or logical partitions are not supported). In testing the conversion tool, it was noted that Dell models create an extra recovery partition during an in-place upgrade, which causes the conversion tool to fail if you are already at the partition limit before the upgrade runs. To get around this, I deleted all recovery partitions, leaving the PC with only two partitions. During the in-place upgrade, the Dell PC created a third partition (as expected) that didn’t cause the conversion tool to fail. The HP and Lenovo models I tested did not create extra partitions during the in-place upgrade.

If you are going to use one sequence to handle all hardware models, ensure that you are supplying the correct driver package for the model running the upgrade and that the engine can read and process the variable. If the variable you set on your driver package is incorrect, setup.exe will not use it. While the discussion about why you need to provide driver packages during an in-place upgrade is a bit off topic, it is important to note. It matters because some of the vendor models that I tested failed the MBR2GPT.exe conversion later in the in-place upgrade when I did not also provide driver packages to them. This may not be true for every vendor model, but it happened consistently enough in my testing to be deemed important to take note of.

How Do I Check What Partition Type My Disks Are Using?

Open an administrative command prompt and type the following:

diskpart

select disk <disk number>

list part

sel part <partition number>

detail part

If the disk uses the MBR partition style, detail part shows a two-digit MBR partition type, 07 (NTFS/exFAT) for a Windows volume, as pictured below on this Windows 7 PC. On a GPT disk the Type field is a partition type GUID instead.

mbr2gpt-07

diskpart

list disk

Any disk with an asterisk under GPT in the table is in GPT layout as pictured on this Windows 10 PC.
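As an added example (not code from the original post), the function below is the PowerShell equivalent of the diskpart checks above, with the two extra facts the conversion and the firmware switch depend on: the firmware mode the PC is currently booted in and whether the disk meets the tool's partition limits. It uses the Storage cmdlets that ship with Windows 8 and later and the firmware_type environment variable the kernel sets; the partition-type names in the comment and the eligibility wording are this example's own.

```powershell
# Added example, not code from the original post.
# Reports partition style, firmware mode and MBR2GPT eligibility for every disk.
function Get-DiskLayoutReport {
    param([int]$Mbr2GptPrimaryLimit = 3)   # documented maximum of primary partitions for MBR2GPT

    $firmware = $env:firmware_type          # 'UEFI' or 'Legacy' on Windows 8 and later

    foreach ($disk in Get-Disk | Sort-Object Number) {
        $parts = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue)

        # On MBR disks Get-Partition reports types such as IFS, Recovery, Extended and Logical;
        # on GPT disks it reports Basic, System, Reserved and Recovery.
        $extended = @($parts | Where-Object { $_.Type -in 'Extended', 'Logical' }).Count
        $primary  = $parts.Count - $extended

        $eligibility = if ($disk.PartitionStyle -eq 'GPT') {
            'already GPT'
        } elseif ($disk.PartitionStyle -ne 'MBR') {
            'not MBR'
        } elseif ($extended -gt 0) {
            'no: extended/logical partitions present'
        } elseif ($primary -gt $Mbr2GptPrimaryLimit) {
            "no: $primary primary partitions (limit $Mbr2GptPrimaryLimit)"
        } else {
            'yes (run /validate to confirm)'
        }

        [pscustomobject]@{
            Disk            = $disk.Number
            PartitionStyle  = $disk.PartitionStyle      # MBR or GPT, same as diskpart's Gpt column
            BootDisk        = $disk.IsBoot
            Partitions      = $parts.Count
            FirmwareMode    = $firmware
            Mbr2GptEligible = $eligibility
            Types           = (($parts | ForEach-Object { "$($_.PartitionNumber):$($_.Type)" }) -join ' ')
        }
    }
}

Get-DiskLayoutReport | Format-Table -AutoSize
```

A boot disk that is already GPT while FirmwareMode still says Legacy is the dangerous state described under Limitations: the conversion ran but the firmware has not been switched, and the machine will stop booting at the next restart until one of the two is changed.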

mbr2gpt-08

Troubleshooting

When MBR2GPT.exe runs, it writes four logs to the %windir% directory (C:\Windows) by default (the /logs switch redirects them): setupact.log, which holds the detailed trace of the conversion, setuperr.log, which holds only the errors, and diagerr.xml and diagwrn.xml. In the example below, I ran the tool and saw in setuperr.log that it failed because there were too many partitions.

mbr2gpt-09

A full list of error codes for the tool can be found in the MBR2GPT documentation on docs.microsoft.com under the Return Codes section. Note that these error codes are specific to the tool itself and shouldn’t be confused with error codes that Windows 10 setup or the Task Sequence engine may throw.

Real-World Applications

If you would like ready-made sequences that handle both MBR2GPT.exe and BIOS to UEFI for both PC refresh/replace and in-place upgrade scenarios, I have created a document that walks through the setup of both scenarios on Adaptiva’s SCCM Academy. The community solution is free, and includes two Task Sequences that can be imported into your environment. It’s up to you to provide all the dependencies (1703 Boot Image, vendor tools for BIOS to UEFI, etc.). However, these are working sequences that I have run against all three vendors in my lab, and they could save you days of work.

You can download the Secure 10: BIOS to UEFI 2017 Update Document and Task Sequences from: http://www2.adaptiva.com/l/139131/2016-07-18/j7lfk.

Happy migrating!

https://drive.google.com/file/d/0B9QRmfO509o6WFF2WXdfd2xTOWs/view

Ami Casto is the technical evangelist for Adaptiva. If you have questions or problems using these task sequences, tweet her at @adaptivaami.


If you are an IT professional responsible for maintaining thousands or millions of Windows endpoints, questions like this may be keeping you up at night:

  • Are you sure all your applications—security, in-house and third-party—are current, configured correctly and running successfully?
  • Do you know if all your Windows endpoints are operating within company policies for privacy, security and regulatory compliance?
  • If you discover a security breach or vulnerability, do you have the ability to quickly find out which machines are affected, and automatically remediate them across a global enterprise?

When you combine SCCM with Adaptiva Client Health™, you can rest easy.  Adaptiva Client Health lets SCCM handle those things quickly, easily and automatically. Some of the largest companies in the world, including many in the Fortune 500 and Global 1,000, are using Client Health. One international bank runs 800,000 health checks on its endpoints daily to instantly detect and remediate possible issues.

Client Health At-a-Glance

When SCCM 2012 was released, Microsoft included a tool called CCMEval (a.k.a. SCCM Health Checks). It includes pre-defined health checks and remediations aimed at maintaining the health of SCCM client agent itself.

While Adaptiva Client Health comes with over twice as many pre-built health checks and remediations as SCCM, static checks are just a tiny fraction of what Adaptiva Client Health does. This table provides a quick look at what Adaptiva adds to SCCM.


Custom Health Checks and Remediations

While SCCM Health Checks are limited to a pre-defined set of checks and remediations, Adaptiva Client Health provides a visual WorkFlow Designer and Engine. Workflows are easy to build and simple to deploy. Adaptiva Client Health can quickly detect, troubleshoot and remediate issues across hundreds of thousands of systems—all automatically. This table shows some basic capabilities, but the possibilities are limitless and can be infinitely more powerful.


Summary

For smaller companies concerned only with the health of the SCCM client itself, and running Microsoft security technologies exclusively, the native SCCM Health Checks may meet your limited needs. For companies looking to maintain the health and security of all settings and applications, as well as Windows itself, Adaptiva Client Health gives SCCM true global health automation. Adaptiva also gives administrators the flexibility to easily create their own checks and remediations as new endpoint health, security and compliance issues arise. Also, if a company is using third-party security software, Adaptiva can ensure your endpoints are properly secured.

For more information about how Adaptiva Client Health can help you rest easy, request a free product demo.

Bill Bernat is the director of product marketing at Adaptiva.


Tomorrow, Friday, August 14th, there will be a free online training event for Windows 10 in the Enterprise, hosted by Microsoft Technical Evangelist Simon May.


The methods for provisioning and managing devices are changing rapidly with Windows 10. There are opportunities to drastically rethink the way devices receive compliance settings, software, and updates which allow IT organizations to be far more agile than they have been. Improvements to Azure AD Domain Join, Microsoft Intune, and a slew of other cloud technologies also have the potential for changing the way IT challenges had been overcome in the past.


Check this session out for everything you need to get your IT organization ready for Windows 10 in the enterprise. Simon will talk about changes to deployment, servicing, and new features that IT departments will want to be on top of.


Register for the live online Windows 10 Jumpstart training with Simon May


While many enterprises have traditionally had a slow (or very slow) approach to testing and deploying new operating systems, Microsoft hopes to shatter that old paradigm with Windows 10. Incredibly significant engineering investments have been made to enable highly successful in-place upgrades to Windows 10 from Windows 7 and Windows 8.1. This means that starting to test and deploy the new operating system no longer requires full wipe and reloads, and business areas can identify devices for production pilots with minimal effort.

I hope that helps,


Nash


Hi All, today I’m pleased to announce that the new beta version (v0.02) of the System Center 2012 R2 Configuration Manager Dashboard (CM12R2Dashboard) has been released. Overview: The System Center 2012 R2 Configuration Manager Dashboard (CM12R2Dashboard) enables SCCM administrators and support teams to monitor the SCCM environment and take the right decision at the right time. It can provide status on client activity, client health, deployments, content status and much more, and has been designed to provide clear information to support teams, SCCM administrators and managers. The CM12R2Dashboard is totally customizable, allowing it to show the information that is required by the customer. It can determine, based on customized parameters, when the information is in a Warning or Critical state by changing the information background colour. It can run on Windows 7+ and Windows 2008+ with at least PowerShell 3.0 (recommended 4.0) and .Net Framework 4 and depends on the installation…

Read the complete blog: http://thedesktopteam.com/blog/raphael/system-center-2012-r2-configuration-manager-dashboard-updated/

Over the past few weeks I have been busy updating the System Center 2012 R2 Configuration Manager HealthCheck Toolkit (CM12R2HealthCheck) to version 0.03 and today I’m pleased to say that it has been released. What is the System Center 2012 R2 Configuration Manager HealthCheck Toolkit? The System Center 2012 R2 Configuration Manager HealthCheck Toolkit (CM12R2HealthCheck) has been created to check for problems and/or misconfiguration in the SCCM environment and, when possible, will provide you with some solutions for problems. This version contains a series of bug fixes, performance improvements as well as new functionality. We also would like to add the following notes/requirements: We have tested this tool on a single primary site and a single primary site with secondary sites. We do expect it to work on a CAS environment; however, we have not been able to test it. We have run the tool remotely as well as locally on the…

Read the complete blog: http://thedesktopteam.com/blog/raphael/confimgr-2012-r2-health-check-toolkit-beta-03/


SCCM 2012 Hardware Inventory Report

Unveil your Hardware Data

This SCCM 2012 hardware inventory report lets you see all your hardware in a single view. There is no longer any need to browse multiple built-in reports. Use it to quickly find a specific machine with a particular specification (disk, CPU, serial number…).

This report easily returns valuable information to your management team:

How many computers does our company own? How many Dell Optiplex 780s?
Which computers are still running Windows XP or Windows 2003?
What’s the serial number of computer XYZ?
We urgently need to update a specific hard drive firmware; which computers have the affected model?

We split this SCCM 2012 hardware inventory report into 5 sections:

Details, System, Processor, Disk and Video Controller.

 

Continue to read the complete blog post here : http://www.systemcenterdudes.com/sccm-2012-hardware-inventory-report/

In part 1 of this SCCM 2012 R2 Installation Guide blog series, we planned our hierarchy, prepared our SCCM 2012 R2 Server and Active Directory.

In part 2, we installed and configured SQL in order to install SCCM 2012 R2.

In part 3, we installed a stand-alone SCCM 2012 R2 Primary site.

In the next 16 parts, we will describe how to install the numerous Site Systems roles available in SCCM 2012 R2. Role installation order is not important, you can install roles independently of others.

This part will describe how to install SCCM 2012 R2 State Migration Point (SMP).

Role Description

The State Migration Point stores user state data when a computer is migrated to a new operating system.

This is not a mandatory Site System, but you need a State Migration Point if you plan to use the User State steps in your Task Sequence. These steps integrate with the User State Migration Tool (USMT) to back up your user data before applying a new operating system to a computer.

 

Site System Role Placement in Hierarchy

The State Migration Point is a site-wide option. It’s supported to install this role on a child Primary Site, stand-alone Primary Site or Secondary Site. It’s not supported to install it on a Central Administration Site.

Beginning with SCCM 2012 R2, the State Migration Point can be installed on the site server computer or on a remote computer. It can be co-located on a server that has the distribution point role.

SCCM 2012 State Migration Point Installation

  • Open the SCCM console
  • Navigate to Administration / Site Configuration / Servers and Site System Roles
  • Right click your Site System and click Add Site System Roles
  • On the General tab, click Next

Continue to read the complete blog post here : http://www.systemcenterdudes.com/how-to-install-sccm-2012-state-migration-point/


Hi All, last week I was helping a customer with their migration from SCCM 2012 R2 to SCCM 2012 R2 CU4. Many things had already happened (collection migration, etc.), but the consultant who was performing the migration wasn’t able to finish the job, so I was called in. During the migration, we migrated a couple of clients to test the migration script/GPO and we noticed the application catalog (probably the most used feature for them) wasn’t returning any results; however, when my user was logged on, I was able to see the applications that were deployed to the “All users” collection. Looking at the logs, I saw in the policy logs that the user policy always had “0” assignments and so was not bringing anything to the Application Catalog. I tried to reset the policy and reinstall the client, but none of those things worked. Looking further, on…

Read the complete blog: http://thedesktopteam.com/blog/raphael/sccm-2012-application-catalog-and-migration/

A question came up on the myITforum mssms email list this morning about the average package and application size of everyone’s ConfigMgr environment.

I look at the package size data all the time in the console, so I knew it was buried in SQL somewhere, I just had to find it. Lo and behold, v_PackageStatusRootSummarizer had what I needed: SourceSize, represented in KB.

I threw that together in a quick SQL query and created a quick way to gather the average size of all your package types!

select pkg.PackageType as [Type Number],
    case pkg.PackageType
        when 0   then 'Package'
        when 3   then 'Driver Package'
        when 4   then 'Task Sequence'
        when 5   then 'Software Update Group'
        when 8   then 'Application'
        when 257 then 'OS image'
        when 258 then 'Boot image'
    end as [Type Name],
    AVG(psrs.SourceSize) / 1024 as [Avg size in MB],   -- SourceSize is stored in KB
    count(*) as [Count]
from v_PackageStatusRootSummarizer psrs
join v_Package pkg on psrs.PackageID = pkg.PackageID
group by pkg.PackageType
order by pkg.PackageType

and the results!

Type Number   Type Name               Avg size in MB   Count
0             Package                 105              803
3             Driver Package          315              25
4             Task Sequence           0                46
5             Software Update Group   639              12
8             Application             277              205
257           OS image                7546             5
258           Boot image              304              3

Originally posted at http://www.potentengineer.com/calculating-the-average-size-of-all-package-types-in-configmgr

 

 

Hi all, are you looking to be the SCCM automation hero? Look no further than my SCCM & PowerShell automation course. I’ll be delivering a 3-day online course next July. The next course is scheduled for 08, 09 and 10 July 2015. In this class, you’ll learn how to use Windows PowerShell to automate the deployment and management of a SCCM 2012 R2 environment. What you’ll see/learn*: – Overview of Automation, PowerShell and WMI – PowerShell, the basics – Tools & Resources – Deploying and Managing sites – Deploying and managing site system roles – Administrative Tasks – Assets and Compliance Tasks – Software Library Tasks – Console Extension – custom scripts and custom forms – Client Management (including Remote Management) *may be subject to change. During this course, you’ll have remote access to a lab environment where you will be able to learn while using….

Read the complete blog: http://thedesktopteam.com/blog/raphael/becoming-a-sccm-automation-hero-sccm-powershell-automation-course/

Hi All, when I was preparing the presentation for the thedesktopteam workshop day last year (http://thedesktopteam.com/blog/raphael/workshop-day-5th-april-2014-london/), I created a few scripts to add requirements to an existing application/deployment type. At the time, I thought that this was too advanced for what I wanted to deliver at that workshop and, because of work-related stuff, I never had a chance to publish it. A few days back, I was speaking with Rick and he told me that it was impossible to achieve some of the requirements via script/PowerShell, and I said it was possible and I had a script for it. What he was trying to do was add an OS requirement for an application. To clarify my answer, the ConfigMgr console is also a “script” language. Of course, it probably uses C# or C++, but it is a compiled script, so if they can, any other scripting language also can do it, we…

Read the complete blog: http://thedesktopteam.com/blog/raphael/sccm-2012-add-cmdeploymenttypeglobalcondition/