Tracking Bitlocker Status using SCCM 2012

Following this guide will let you track Bitlocker information on Windows 7 computers using the Resource Explorer feature of SCCM. It uses compliance settings to do so, though not in the way you would normally use them.

Overview

We are going to use Desired Configuration Management to run a script on target machines. The script runs on a regular schedule and places Bitlocker data into a new WMI class named SCCM_Bitlocker. Then we will extend SCCM hardware inventory so that it collects data from this new class.

Compliance Rules Setting

First, we will need to create a configuration baseline, a configuration item and two compliance rules.

Configuration Item

  1. Open the SCCM console on your site server.
  2. Go to Assets and Compliance -> Compliance Settings -> Configuration Items.
  3. Click the “Create Configuration Item” button on the ribbon.
  4. On the ‘General’ screen, enter the name “Bitlocker Information” then click ‘Next’.
  5. On the “Supported Platforms” screen, select the following items then click ‘Next’:
    Windows Vista
    Windows 7
    Windows 8
    Windows Server 2008
    Windows Server 2012
  6. On the “Settings” screen, click the button labeled “New”.
  7. On the ‘Create Setting’ screen, enter the following information:
    Name: Bitlocker WMI Provider
    Setting type: Script
    Data type: String
  8. Still on the ‘Create Setting’ screen, click the ‘Add Script…’ Button.
  9. On the ‘Edit Discovery Script’ screen, change the Script language to ‘VBScript’ then paste the following script into the ‘Script’ field.
    'Record-BitlockerToWMI.vbs
    'Sherry Kissinger, 2010
    'http://social.technet.microsoft.com/Forums/en-US/configmgrgeneral/thread/5c9f9681-e665-4b3f-a83a-b554be65a921
    'Extended by Connor Humphries. 2013. tyedyehumps@gmail.com. winventures.wordpress.com.
    'Extended by John Puskar. 2013. johnpuskar@gmail.com. windowsmasher.wordpress.com.
    'v22
    
    Set WhShell = CreateObject("Wscript.Shell")
    'on error resume next
    dim gstrObjects(26,12)
    dim gtempnum
    
    function getData(WshShell, numVolumes, strings)
            '--------------------------
            'Run the Manage-bde.wsf, and put all the information into oExec to pull out later
            '--------------------------
            Set objFSO = CreateObject("Scripting.FileSystemObject")
            If objFSO.FileExists("c:\windows\system32\manage-bde.wsf") Then
                    Set oExec = WshShell.Exec("cscript //Nologo c:\windows\system32\manage-bde.wsf -status")
                    drive = ""
                    drivename = ""
                    i = 0
    
                    While Not oExec.StdOut.AtEndOfStream
                            '-------------------
                            'For each line returned from oExec, check what's in it, and add to an array
                            '-------------------
                            line = oExec.StdOut.Readline()
                            if ucase(left(line,6)) = "VOLUME" then
                                    'if drive <> "" then
                                    '       targetmif.writeline("   End Group")
                                    'end if
                                    i = i + 1
                                    numVolumes = i
                                    drive = mid(line,8,2)
                                    line = oExec.StdOut.Readline()
                                    drivename = line
                                    line = ""
                                    strings(i,0) = drive
                                    strings(i,1) = drivename
                                    strings(i,12) = Now
                            end if
    
                            if drive <> "" and trim(line) <> "" then
                                    parts = split(line,":")
                                    Select Case replace(trim(parts(0))," ","_")
                                            Case "Size"
                                                    strings(i,2) = trim(parts(1))
                                            Case "BitLocker_Version"
                                                    strings(i,3) = trim(parts(1))
                                            Case "Conversion_Status"
                                                    strings(i,4) = trim(parts(1))
                                            Case "Percentage_Encrypted"
                                                    strings(i,5) = trim(parts(1))
                                            Case "Encryption_Method"
                                                    strings(i,6) = trim(parts(1))
                                            Case "Protection_Status"
                                                    strings(i,7) = trim(parts(1))
                                            Case "Lock_Status"
                                                    strings(i,8) = trim(parts(1))
                                            Case "Identification_Field"
                                                    strings(i,9) = trim(parts(1))
                                            Case "Key_Protectors"
                                                    Set WshShellTwo = CreateObject("Wscript.Shell")
                                                    Dim TPM, strLine
                                                    Dim Flag
                                                    Dim oExecTwo
                                                    Dim strCommand
                                                    keys = ""
                                                    strCommand = "cscript //Nologo c:\windows\system32\manage-bde.wsf -protectors -get " & drive
    
                                                    Set oExecTwo = WshShellTwo.Exec(strCommand)
                                                    Flag = false
                                                    Set TPM = oExecTwo.StdOut
                                                            While Not TPM.AtEndOfStream
                                                                    strLine = TPM.ReadLine
                                                                    If InStr(strLine, "Protectors") Then
                                                                            Flag = True
                                                                    End if
                                                                    If Flag Then
                                                                            If strLine = "" or strLine = vbNull Then
                                                                                    keys = keys
                                                                            Else
                                                                                    If keys = "" or keys = vbNull Then
                                                                                            keys = Replace(strLine,"ERROR: ","",1,-1,1)
                                                                                    Else
                                                                                            keys = keys & VBCrLf & Replace(strLine,"ERROR: ","",1,-1,1)
                                                                                    End If
                                                                            End If
                                                                    End if
                                                            Wend
                                                    strings(i,10) = keys
                                            Case "Automatic_Unlock"
                                                    strings(i,11) = trim(parts(1))
                                    End Select
                            End If
                    Wend
            Else
                    Dim drive, drivename,size, bitLockerVersion, conversionStatus, percentageEncrypted
                    Dim encryptionMethod, protectionStatus, lockStatus, identificationField
                    Dim keyProtectors, automaticUnlock
    
                    drive                                   = 0
                    drivename                               = 1
                    size                                    = 2
                    bitLockerVersion                = 3
                    conversionStatus                = 4
                    percentageEncrypted             = 5
                    encryptionMethod                = 6
                    protectionStatus                = 7
                    lockStatus                              = 8
                    identificationField             = 9
                    keyProtectors                   = 10
                    automaticUnlock                 = 11
    
                    numVolumes = 1
                    strings(1,drive)                                = "All Drives"
                    strings(1,drivename)                    = ""
                    strings(1,size)                                 = ""
                    strings(1,bitLockerVersion)     = "BDE Feature not installed"
                    strings(1,conversionStatus)     = "Fully Decrypted"
                    strings(1,percentageEncrypted)  = "0%"
                    strings(1,encryptionMethod)     = "None"
                    strings(1,protectionStatus)     = "Protection Off"
                    strings(1,lockStatus)                   = "Unlocked"
                    strings(1,identificationField)  = "None"
                    strings(1,keyProtectors)                = "No key protectors found."
                    strings(1,automaticUnlock)              = ""
            End If
    End Function
    
    Function CreateBitlockerWmiNamespace
            Dim wbemCimtypeSint16
            Dim wbemCimtypeSint32
            Dim wbemCimtypeReal32
            Dim wbemCimtypeReal64
            Dim wbemCimtypeString
            Dim wbemCimtypeBoolean
            Dim wbemCimtypeObject
            Dim wbemCimtypeSint8
            Dim wbemCimtypeUint8
            Dim wbemCimtypeUint16
            Dim wbemCimtypeUint32
            Dim wbemCimtypeSint64
            Dim wbemCimtypeUint64
            Dim wbemCimtypeDateTime
            Dim wbemCimtypeReference
            Dim wbemCimtypeChar16
    
            wbemCimtypeSint16 = 2
            wbemCimtypeSint32 = 3
            wbemCimtypeReal32 = 4
            wbemCimtypeReal64 = 5
            wbemCimtypeString = 8
            wbemCimtypeBoolean = 11
            wbemCimtypeObject = 13
            wbemCimtypeSint8 = 16
            wbemCimtypeUint8 = 17
            wbemCimtypeUint16 = 18
            wbemCimtypeUint32 = 19
            wbemCimtypeSint64 = 20
            wbemCimtypeUint64 = 21
            wbemCimtypeDateTime = 101
            wbemCimtypeReference = 102
            wbemCimtypeChar16 = 103
    
            'Create data class structure
            Set oServices = oLocation.ConnectServer(, "root\cimv2")
            Set oDataObject = oServices.Get
            oDataObject.Path_.Class = "SCCM_BitLocker"
            oDataObject.Properties_.add "Drive", wbemCimtypeString
            oDataObject.Properties_.add "DriveLabel", wbemCimtypeString
            oDataObject.Properties_.add "Size", wbemCimtypeString
            oDataObject.Properties_.add "BitLocker_Version", wbemCimtypeString
            oDataObject.Properties_.add "Conversion_Status", wbemCimtypeString
            oDataObject.Properties_.add "Percentage_Encrypted", wbemCimtypeString
            oDataObject.Properties_.add "Encryption_Method", wbemCimtypeString
            oDataObject.Properties_.add "Protection_Status", wbemCimtypeString
            oDataObject.Properties_.add "Lock_Status", wbemCimtypeString
            oDataObject.Properties_.add "Identification_Field", wbemCimtypeString
            oDataObject.Properties_.add "Automatic_Unlock", wbemCimtypeString
            oDataObject.Properties_.add "Key_Protectors", wbemCimtypeString
            oDataObject.Properties_.add "ScriptLastRan", wbemCimtypeString
            oDataObject.Properties_("Drive").Qualifiers_.add "key", True
            oDataObject.Put_
    End Function
    
    Function createWMI(stringarr, numVolumes, run)
            '------------------
            'Create the SCCM_BitLocker WMI class in root\cimv2
            '------------------
            CreateBitlockerWmiNamespace
    
            '------------------------------
            'Add Instances to data class
            Set oServices = oLocation.ConnectServer(, "root\cimv2")
    
            For j = 1 To numVolumes
    
                    Set oNewObject = oServices.Get("SCCM_BitLocker").SpawnInstance_
                            'Drive is the key property of the class, so each volume becomes its own instance
                            oNewObject.Drive = stringarr(j,0)
                            oNewObject.DriveLabel = stringarr(j,1)
                            oNewObject.Size = stringarr(j,2)
                            oNewObject.BitLocker_Version = stringarr(j,3)
                            oNewObject.Conversion_Status = stringarr(j,4)
                            oNewObject.Percentage_Encrypted = stringarr(j,5)
                            oNewObject.Encryption_Method = stringarr(j,6)
                            oNewObject.Protection_Status = stringarr(j,7)
                            oNewObject.Lock_Status = stringarr(j,8)
                            oNewObject.Identification_Field = stringarr(j,9)
                            oNewObject.Key_Protectors = stringarr(j, 10)
                            oNewObject.Automatic_Unlock = stringarr(j,11)
                            oNewObject.ScriptLastRan = stringarr(j,12)
                            oNewObject.Put_
                    run = stringarr(j,12)
                    'Uncomment the following lines for interactive troubleshooting
    '                WScript.Echo stringarr(j,0) & ", " &_
    '                                         stringarr(j,1) & ", " &_
    '                                         stringarr(j,2) & ", " &_
    '                                         stringarr(j,3) & ", " &_
    '                                         stringarr(j,4) & ", " &_
    '                                         stringarr(j,5) & ", " &_
    '                                         stringarr(j,6) & ", " &_
    '                                         stringarr(j,7) & ", " &_
    '                                         stringarr(j,8) & ", " &_
    '                                         stringarr(j,9) & ", " &_
    '                                         stringarr(j,10) & ", " &_
    '                                         stringarr(j,11) & ", " &_
    '                                         stringarr(j,12)
                    Next
    
    End Function
    
    '----------------
    ' Main Function
    '----------------
    'Remove the existing SCCM_BitLocker class, if it exists, so it is recreated fresh on every run
    On Error Resume Next
    Set oLocation = CreateObject("WbemScripting.SWbemLocator")
    Set oServices = oLocation.ConnectServer(, "root\cimv2")
    set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    'Again just in case
    Set oServices = oLocation.ConnectServer(, "root\cimv2\SMS")
    Set oNewObject = oServices.Get("SCCM_BitLocker")
    oNewObject.Delete_
    On Error Goto 0
    
    dim runtime
    getData WhShell, numVolumes, gstrObjects
    createWMI gstrObjects, numVolumes, runtime
  10. Still on the ‘Create Setting’ window, click the “Compliance Rules” tab.
  11. On the ‘Compliance Rules’ tab, click ‘New’.
  12. On the ‘Create Rule’ screen, enter the following information then click ‘OK’ to save the setting:
    Name: Script Return State
    Rule Type: Existential
    The setting must comply with the following rule: The specified script does not return any values
    Noncompliance severity for reports: Warning
  13. Still on the ‘Create Setting’ window, click “New” again to create another rule.
  14. On the ‘Create Rule’ screen, enter the following information then click ‘OK’ to save the setting:
    Name: WMI Updated
    Rule Type: Value
    The value returned by the specified script: ‘Begins with’
    The following values: WMI
    Noncompliance severity for reports: Warning
  15. On the ‘Create Setting’ screen, click ‘OK’ to save the new setting.
  16. On the ‘Create Configuration Item Wizard’ window, on the ‘Settings’ screen, click ‘Next’.
  17. On the ‘Compliance Rules’ screen, click ‘Next’.
  18. On the ‘Summary’ screen, click ‘Next’.
  19. On the ‘Completion’ screen, click ‘Close’.

Configuration Baseline

  1. Open SCCM console on a site server.
  2. Navigate to Assets and Compliance -> Compliance Settings -> Configuration Baselines.
  3. Click the ‘Create Configuration Baseline’ button on the ribbon.
  4. On the ‘Create Configuration Baseline’ screen, enter the following information then click ‘OK’:
    Name: Bitlocker Information Escrow
    Configuration Data: Add -> Bitlocker Information
  5. Right click the new Baseline and choose ‘Deploy’.
  6. On the ‘Deploy Configuration Baselines’ screen perform the following operations then click ‘OK’ to deploy.
    1. Choose a collection
    2. Change the schedule to ‘Simple Schedule’
    3. Change the field ‘Run Every’ to 1 Days.

Adding the Hardware Inventory Classes

First, we need to add the WMI class SCCM_Bitlocker to the CAS by running the compliance script manually. Then, we can add the class to hardware inventory via the SCCM GUI.

  1. RDP to the CAS server.
  2. Open Notepad and save the script from step 9 above as C:\Install_Files\bitlocker-wmi-provider.vbs.
  3. Open a command prompt as Administrator and run the following command:
    cscript C:\Install_Files\bitlocker-wmi-provider.vbs
  4. Open a PowerShell prompt and run the following command. It should output Bitlocker information for the CAS server (probably indicating that Bitlocker is disabled). If you get no response back, there is a problem with the bitlocker-wmi-provider script:
    gwmi sccm_bitlocker
  5. Open SCCM console on the CAS.
  6. Navigate to Administration -> Client Settings.
  7. Right click on the ‘Default Client Settings’ and select ‘Properties’.
  8. Select ‘Hardware Inventory’ from the left pane.
  9. Click the button labeled ‘Set Classes…’.
  10. On the ‘Hardware Inventory Classes’ window click the button labeled ‘Add’.
  11. On the ‘Add Hardware Inventory Class’ window click the button labeled ‘Connect’.
  12. On the ‘Connect to Windows Management Instrumentation (WMI)’ window, enter the name of your CAS server and click ‘Connect’.
  13. On the ‘Add Hardware Inventory Class’ window, search for the class named SCCM_Bitlocker and check the box next to the class, then click ‘OK’.
  14. On the ‘Hardware Inventory Classes’ window, make sure that the SCCM_Bitlocker class is selected, then click ‘OK’. The newly added class should be at the top of the list.
  15. A new class named ‘SCCM_Bitlocker’ should appear. Check the box next to this new class, then click ‘OK’.

You can confirm that the data is inventoried by right-clicking a device and choosing ‘Start’ -> ‘Resource Explorer’.
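Before trusting what Resource Explorer shows, it is worth checking on a client that the rows the compliance script wrote actually agree with Windows' own BitLocker provider. The following is an added example, not code from the original post; it assumes it is run elevated on a machine where the script has already executed and that Win32_EncryptableVolume is available (Vista and later with the BitLocker feature).

```powershell
# Added example (not part of the original post): cross-check the SCCM_BitLocker rows
# written by the compliance script against Win32_EncryptableVolume on the same host.
# Assumptions: run in an elevated PowerShell prompt after the script has run locally;
# the BitLocker WMI provider (root\cimv2\Security\MicrosoftVolumeEncryption) exists.

function Get-SccmBitLockerRows {
    # Instances written by the compliance script into root\cimv2\SCCM_BitLocker.
    # An empty result means the script has never run (or failed) on this machine.
    Get-WmiObject -Namespace 'root\cimv2' -Class 'SCCM_BitLocker' -ErrorAction SilentlyContinue
}

function Get-LiveProtectionStatus {
    # Map Win32_EncryptableVolume.ProtectionStatus (0 = off, 1 = on, 2 = unknown) onto the
    # wording manage-bde prints, keyed by drive letter, e.g. @{ 'C:' = 'Protection On' }.
    $map  = @{}
    $vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                          -Class 'Win32_EncryptableVolume' -ErrorAction SilentlyContinue
    foreach ($v in $vols) {
        if (-not $v.DriveLetter) { continue }   # volumes without a letter never appear in the inventory
        $map[$v.DriveLetter] = switch ($v.ProtectionStatus) {
            0       { 'Protection Off' }
            1       { 'Protection On' }
            default { 'Unknown' }
        }
    }
    return $map
}

function Compare-BitLockerInventory {
    $rows = @(Get-SccmBitLockerRows)
    if ($rows.Count -eq 0) {
        Write-Warning 'SCCM_BitLocker has no instances here; the compliance script has not run on this machine.'
        return
    }
    $live = Get-LiveProtectionStatus
    foreach ($row in $rows) {
        if ($row.Drive -eq 'All Drives') {
            # Placeholder row the script writes when manage-bde.wsf is absent (BDE feature not installed).
            New-Object PSObject -Property @{
                Drive = $row.Drive; Inventory = $row.BitLocker_Version; Live = 'n/a'
                LastRun = $row.ScriptLastRan; Result = 'BDE feature absent' }
            continue
        }
        $liveStatus = if ($live.ContainsKey($row.Drive)) { $live[$row.Drive] } else { 'not reported' }
        $result     = if ($liveStatus -eq $row.Protection_Status) { 'match' } else { 'MISMATCH' }
        New-Object PSObject -Property @{
            Drive = $row.Drive; Inventory = $row.Protection_Status; Live = $liveStatus
            LastRun = $row.ScriptLastRan; Result = $result }
    }
}

# A MISMATCH row means the data SCCM is about to collect does not reflect the volume's
# real protection state (stale ScriptLastRan, or a change since the last baseline run).
Compare-BitLockerInventory | Format-Table Drive, Inventory, Live, LastRun, Result -AutoSize
```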

Further Reading

The following links were pages that gave me a lot of help in getting this process rolling.

System Center Endpoint Protection Setup Help

So we decided to switch from McAfee Enterprise Agent with VirusScan 8.8 to System Center 2012 Endpoint Protection. The guide “System Center 2012 Configuration Manager – Part 6. Adding the Endpoint Protection Role, configure Alerts and custom Anti-malware Policies” provides great and simple instructions for setting up your environment. Items outside of that guide which may prove helpful and are discussed here are:

  • Automatic McAfee uninstall failing on XP machines
  • Queries to setup various collections for different Anti-malware Policies
  • Modification of Anti-Malware Settings
  • Location of logs if ADR’s aren’t working.

Automatic McAfee uninstall failing on XP Machines

Sometimes McAfee doesn’t want to uninstall from XP machines; to fix this, an uninstall script is required. A version for VirusScan 8.8 follows. The original can be found here.

REM McAfee Removal Script

REM  ECHO Removing AntiSpyware
"C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS
"C:\Program Files (x86)\McAfee\VirusScan Enterprise\scan32.exe" /UninstallMAS

REM Kill McTray & Trusted Validation
ECHO Killing processes

taskkill.exe /f /t /im mctray.exe
taskkill.exe /f /t /im mfevtps.exe

ECHO Removing VirusScan 8.8

msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q

ECHO Remove McAfee Agent
"C:\Program Files\McAfee\Common Framework\frminst.exe" /forceuninstall /silent
"C:\Program Files (x86)\McAfee\Common Framework\frminst.exe" /forceuninstall /silent
"c:\Program Files\Network Associates\Common Framework\frminst.exe" /forceuninstall /silent

REM Remove McAfee Registry Keys
ECHO Removing Registry Keys

REG DELETE HKLM\SYSTEM\CurrentControlSet\services\McShield /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\services\McTaskManager /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfeapfk /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfeavfk /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfebopk /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfehidk /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mferkdet /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfetdik /f
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\mfevtp /f
REG DELETE HKLM\SOFTWARE\McAfee /f

Queries for Collection Setup

Looking around, it was hard to find any examples of the queries people used in SCCM to set up their collections for Endpoint Protection.

Following are examples for doing this.

Members acquired via Name

  1. Create a new Collection.
  2. Provide a Name “SCCM Servers” and a Limiting collection “All Computers.”
  3. Click OK.
  4. At the Membership Rules stage click “Add Rule” -> Query.
  5. Name it “SCCM Servers” and click “Edit Query Statement”.
  6. When the Query Statement Properties window opens, go to the Criterion tab and click the star.
  7. When the Criterion Properties window opens, click Select to choose what to search in.
  8. Under “Attribute Class” select “System Resource”, then under “Attribute” select “Name”, then click OK.
  9. Under “Operator” select “upper case is like”, then for the value enter the name pattern, like %SCCM-%, and click OK.
  10. Then click OK through the rest of the collection creation.
  11. The collection should now populate with computers whose names contain whatever string you specified.

This same process can be used to create many different types of queries, and a valuable part of this tool is the “Value…” button on the Criterion Properties window. Clicking this button shows the values SCCM has already discovered, so you can base your selection on real data.

Criterion Properties and/or Query Language

The following outlines a few steps to create other collection queries. The first example highlights quick collection creation using my already constructed queries. The information needed to do this with any of the other examples is also present.

SQL 2008 Servers – Creates a collection of computers with SQL 2008 installed on them

  1. For fast creation, repeat steps 1-5 from “Members acquired via name”.
  2. Then click “Show Query Language”.
  3. Then copy and paste the query below into the query language field to create the filter.
  4. Click OK through the rest of the process.
    Query language:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft SQL Server%2008%") and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1

Hyper-V Machines

  1. Repeat steps 1-6 of “Members acquired via name”.
  2. When the “Criterion Properties” window opens, click Select to choose what to search in.
  3. Under “Attribute Class” select “Server Feature”, then under “Attribute” select “Name”, then click OK.
  4. Under “Operator” select “is equal to”, then for the value enter the name “Hyper-V”, and click OK.
  5. Then click OK through the rest of the collection creation.
    Query language equivalent:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVER_FEATURE.Name = "Hyper-V"

Active Directory OU – This will populate a collection made up of the computers in the stated Active Directory OU.

  1. Repeat steps 1-6 of “Members acquired via name”.
  2. When the “Criterion Properties” window opens, click Select to choose what to search in.
  3. Under “Attribute Class” select “Server Resource”, then under “Attribute” select “System OU Name”, then click OK.
  4. Under “Operator” select “is equal to”, then for the value enter the name, like “CHEMISTRY/DEPARTMENTAL COMPUTERS/OTHER LABS”, and click OK.
  5. Then click OK through the rest of the collection creation.
    Query language equivalent:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "THENAMEOFYOURDOMAIN/DEPARTMENTAL COMPUTERS/OTHER LABS"

XP Machines with McAfee Agent Installed

  1. This was actually something I found that worked and just copied and pasted into the query language. It seems that it checks if McAfee is installed, then checks the operating system to determine whether or not it’s an XP machine.
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_R_System.ResourceId in (select SMS_R_System.ResourceID from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "McAfee Agent") and SMS_G_System_OPERATING_SYSTEM.Caption like "Microsoft Windows XP Professional" and SMS_R_System.Obsolete = 0 and SMS_R_System.Client = 1

IIS Servers – This creates a collection based on servers with the IIS server feature installed.

  1. Repeat steps 1-6 of “Members acquired via name”.
  2. When the “Criterion Properties” window opens, click Select to choose what to search in.
  3. Under “Attribute Class” select “Server Feature”, then under “Attribute” select “Name”, then click OK.
  4. Under “Operator” select “is equal to”, then for the value enter the name “IIS Management Console”, and click OK.
  5. Then click OK through the rest of the collection creation.
    Query language equivalent:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVER_FEATURE.Name = "IIS Management Console"

SharePoint Server – These are helpful in populating a collection of SharePoint servers

  1. File Path
    1. Repeat steps 1-6 of “Members acquired via name”.
    2. When the “Criterion Properties” window opens, click Select to choose what to search in.
    3. Under “Attribute Class” select “Process”, then under “Attribute” select “Name”, then click OK.
    4. Under “Operator” select “is equal to”, then for the value enter the name “WSSADMIN.EXE”, and click OK.
    5. Then click OK through the rest of the collection creation.
      Query language equivalent:
      select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FilePath = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft SharePoint 2010 Products\\"
  2. Process
    1. Repeat steps 1-6 of “Members acquired via name”.
    2. When the “Criterion Properties” window opens, click Select to choose what to search in.
    3. Under “Attribute Class” select “Process”, then under “Attribute” select “Name”, then click OK.
    4. Under “Operator” select “is equal to”, then for the value enter the name “WSSADMIN.EXE”, and click OK.
    5. Then click OK through the rest of the collection creation.
      Query language equivalent:
      select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_PROCESS on SMS_G_System_PROCESS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_PROCESS.Name = "WSSADMIN.EXE"
  3. Service
    1. Repeat steps 1-6 of “Members acquired via name”.
    2. When the “Criterion Properties” window opens, click Select to choose what to search in.
    3. Under “Attribute Class” select “Process”, then under “Attribute” select “Name”, then click OK.
    4. Under “Operator” select “is equal to”, then for the value enter the name “WSSADMIN.EXE”, and click OK.
    5. Then click OK through the rest of the collection creation.
      Query language equivalent:
      select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVICE.Name = "SPAdminV4"

File Servers

  1. Repeat steps 1-6 of “Members acquired via name”.
  2. When the “Criterion Properties” window opens, click Select to choose what to search in.
  3. Under “Attribute Class” select “Server Feature”, then under “Attribute” select “Name”, then click OK.
  4. Under “Operator” select “is equal to”, then for the value enter the name “File Server”, and click OK.
  5. Then click OK through the rest of the collection creation.
    Query language equivalent:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_SERVER_FEATURE.Name = "File Server"
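The same query shape can be pointed at the Bitlocker inventory class from the first part of this page, which turns the collected data into something actionable: a list (or a collection) of clients whose OS volume is not protected. The following is an added example, not the post's own code; it assumes hardware inventory was extended with SCCM_Bitlocker as described above, so the SMS Provider exposes it under the usual SMS_G_System_<CLASSNAME> name, SMS_G_System_SCCM_BITLOCKER, and the site server name and site code are placeholders.

```powershell
# Added example (not part of the original post): list clients whose inventoried OS-volume
# row shows anything other than "Protection On", by running WQL against the SMS Provider.
# Assumptions: SCCM_BitLocker is inventoried and surfaces as SMS_G_System_SCCM_BITLOCKER;
# $SiteServer and $SiteCode are placeholders for your environment.
$SiteServer = 'SITESERVER'   # placeholder: host running the SMS Provider
$SiteCode   = 'P01'          # placeholder: your site code
$OsDrive    = 'C:'           # the Drive value the script records for the OS volume

# Same shape as the "Show Query Language" queries above, so the text can also be pasted
# into a query-based membership rule to build a remediation collection.
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SCCM_BITLOCKER
   on SMS_G_System_SCCM_BITLOCKER.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_SCCM_BITLOCKER.Drive = "$OsDrive"
  and SMS_G_System_SCCM_BITLOCKER.Protection_Status != "Protection On"
  and SMS_R_System.Obsolete = 0
  and SMS_R_System.Client = 1
"@

function Get-UnprotectedOsVolumes {
    param([string]$Server, [string]$Code, [string]$Query)
    Get-WmiObject -ComputerName $Server -Namespace "root\sms\site_$Code" -Query $Query |
        ForEach-Object {
            # The SMS Provider returns join results as __GENERIC wrappers whose SMS_R_System
            # property holds the resource; fall back to the object itself if not wrapped.
            $sys = if ($_.SMS_R_System) { $_.SMS_R_System } else { $_ }
            New-Object PSObject -Property @{
                Name       = $sys.Name
                ResourceID = $sys.ResourceID
                Domain     = $sys.ResourceDomainORWorkgroup
            }
        }
}

Get-UnprotectedOsVolumes -Server $SiteServer -Code $SiteCode -Query $wql |
    Format-Table Name, ResourceID, Domain -AutoSize
```

Clients with no SCCM_Bitlocker rows at all (the script never ran there) do not appear in this list; the “Script Return State” compliance rule from the configuration item is what catches those.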

Modification of Anti-Malware Settings

After creating all of those collections you eventually reach a point where you apply Anti-Malware settings to machines. This can be confusing if you first think you have to create them yourself; luckily SCCM has pre-made settings for certain types of machines. The only problem is that these settings are applicable to single-function machines, not to something running both IIS and SQL. So the following shows how to create the settings for IIS, then how to modify the settings for machines with multiple functions.

Standard Anti-Malware Settings Deployment – Machine running IIS

  1. Open SCCM and go to Assets and Compliance -> Endpoint Protection -> Antimalware Policies.
  2. Right click “Antimalware Policies”.
  3. Click “Import”.
  4. Select the appropriate policy, i.e. “FEP_Default_IIS.xml”.
  5. The “Create Antimalware Policy” window will open.
  6. Name the policy “Endpoint Protection IIS 6-7”.
  7. Click on “Scheduled Scans”; you may want to enable scans, however the default is disabled.
  8. Click on “Definition Updates”.
  9. Click on “Set Source”. This is where the client will look for definition updates; in a production network multiple sources should be set so that if one system fails there are backups.
  10. Click OK.
  11. Right click the newly created policy.
  12. Click “Deploy”.
  13. Select your collection of machines running IIS.
  14. The Endpoint client will now apply these settings to those systems, overriding the default settings. However, if other policies are applied to the same collection, the policy with the lowest priority value takes precedence.

Customized Anti-Malware Settings Deployment – Machine with IIS and SQL

  1. Follow the previous steps to create a new IIS policy, this time naming it “Endpoint IIS and SQL”.
  2. Right click “Antimalware Policies”.
  3. Click “Import”.
  4. Select “FEP_Default_SQL2008.xml”.
  5. Click on “Exclusion Settings”.
  6. Click on “Set” next to excluded processes.
    Now we need to copy all of the settings here that are specific to SQL and add them to the IIS policy we already created.
  7. The SQL-specific processes are:

    "%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe"
    "%ProgramFiles%\Microsoft SQL Server\MSRS10.SSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe"
    "%ProgramFiles%\Microsoft SQL Server\MSAS10.SSQLSERVER\OLAP\Bin\MSMDSrv.exe"

  8. Cancel out of the “Create Antimalware Policy” window for SQL.
  9. Open the “Endpoint IIS and SQL” policy, click “Set” next to excluded processes and add those processes.
  10. Then click OK; our policy is now hybridized.

For other policy templates the contents of “Excluded files and folders” must also be copied across in the same way, not just the excluded processes.
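Once the hybrid policy is deployed, it is worth confirming on a member of the IIS-and-SQL collection that the merged exclusions actually reached the Endpoint Protection client, rather than trusting the console. The following is an added example, not part of the original post. It assumes (this is the one assumption to verify on your client) that the SCEP 2012 client records its effective exclusions as value names under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes (and \Paths, \Extensions); the expected list is the three SQL process exclusions from the walkthrough.

```powershell
# Added example (not from the original post): check on a client that the
# process exclusions of the hybrid "Endpoint IIS and SQL" policy are in effect.
# Assumption: the SCEP 2012 client stores effective exclusions as value names
# under the Microsoft Antimalware\Exclusions registry key. Adjust $exclusionRoot
# if your client version stores them elsewhere.

$exclusionRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions'

# The SQL process exclusions copied from FEP_Default_SQL2008.xml in the walkthrough.
$expectedProcesses = @(
    '%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSRS10.SSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSAS10.SSQLSERVER\OLAP\Bin\MSMDSrv.exe'
)

function Get-EffectiveExclusions {
    # Category is 'Processes', 'Paths' or 'Extensions'.
    param([string]$Category)
    $key = Join-Path $exclusionRoot $Category
    if (-not (Test-Path $key)) { return @() }
    # Each exclusion is stored as a value name; the value data carries no meaning.
    return (Get-Item $key).GetValueNames()
}

function Test-PolicyExclusions {
    param([string[]]$Expected, [string]$Category = 'Processes')
    $present = Get-EffectiveExclusions -Category $Category
    foreach ($e in $Expected) {
        # -contains compares case-insensitively, which matches how paths are treated.
        [pscustomobject]@{ Category = $Category; Exclusion = $e; Present = ($present -contains $e) }
    }
}

$result = Test-PolicyExclusions -Expected $expectedProcesses
$result | Format-Table -AutoSize

$missing = @($result | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} expected exclusion(s) missing. Check which policy won on priority " +
                   "and whether the client has refreshed policy since the deployment.") -f $missing.Count
}
```

If an exclusion is missing, the two usual causes are that another policy deployed to the same collection has a lower priority number and won, or that the client simply has not pulled policy yet; both are visible in the console before assuming the merge itself was wrong.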

Location of Logs

Something helpful when dealing with System Center Configuration Manager is knowing the name and location of the logs for the feature you are working on. They can be found on your SCCM server under C:\Program Files\Microsoft Configuration Manager\Logs. While working on Endpoint Protection, the Automatic Deployment Rule log was quite helpful; this file is named ruleengine.log.

System Center Configuration Manager (SCCM) 2012 PKI Certificate Setup with XP Machines

This post is about setting up SCCM 2012 in HTTPS mode. Mainly though, this is a post on making sure the certificates issued by the Certificate Authority (CA) are issued properly.

For the bulk of the work of setting up SCCM in HTTPS mode, the blog post by Marius Sandbu, SCCM 2012 and PKI, is an excellent resource and one that I recommend following. It also covers setting up the Certificate Authorities, which is quite helpful in this process.

The Microsoft TechNet documentation also provides a great resource, Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. It provides the steps for where Sandbu leaves off, namely setting up the certificates for the distribution point.

However, what I mainly wanted to focus on was something that didn’t seem to be documented thoroughly: the Group Policy that makes our PCs auto-enroll for certificates from the CA. Our network contains both Windows 7 and Windows XP machines. Something we discovered about Windows XP machines is that they don’t like certificates whose signature hash is SHA256 or stronger. This isn’t a problem if you want to set up your CA with a weaker hash algorithm, but otherwise it is a problem. XP machines still attempt to auto-enroll for SHA256 certificates. When an XP machine requests a SHA256 certificate, the CA issues one but the XP machine can’t install it. This causes a loop, and can result in thousands of bad certificates being issued per hour.

Microsoft released a hotfix to fix this problem: Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption.

This allows XP machines to accept the SHA256-signed certificates. The next step is making sure that our Group Policy doesn’t cause XP machines without this hotfix to enroll for certificates. The key is WMI queries.

Goals of this Project

  1. Create a Group Policy Object (GPO) to apply Auto-Enrollment.
  2. Create WMI Filters.
  3. Apply WMI Filters to GPO.

Create a Group Policy Object (GPO) to apply Auto-Enrollment

  1. Open Group Policy Management.
  2. Right click on the OU you will be applying the GPO to and create a new GPO.
  3. Name it something like “Certificate Auto-Enrollment for Windows 7 & Above”.
  4. Click on the GPO object and go to the Details tab and Disable it. (This way it doesn’t start doing anything till we’re all done).
  5. The next step is to right click the GPO object and click Edit.
  6. A window titled “Group Policy Management Editor” will open; navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.
  7. Then we want to right click on Certificate Services Client – Auto-Enrollment and click Properties.
  8. Then the Properties window will open and you will want to set the configuration model to Enabled and place a check mark in the first two boxes “Renew…” and “Update…” then click apply.
  9. After this you close this window and the GPO Editor window and your GPO has the right settings.
  10. Now Repeat steps 1-9 instead naming the GPO “Certificate Auto-Enrollment for XPs with HF”.

Create WMI Filters

These WMI filters are used to apply the GPOs only to the machines that can actually use the certificates, so that XP machines without the hotfix never enter the failed-enrollment loop and we don’t see any errors in certificate issuing.

  1. In the Group Policy Management window scroll down to WMI Filters.
  2. Right click on the WMI Filters and click new.
  3. Then the “New WMI Filter” window will open.
  4. Give your filter a name like “Win7 & Up” and a description of what it does.
  5. Then click Add and paste in “SELECT * FROM Win32_OperatingSystem WHERE Version like "6.%"”.
  6. Now repeat steps 1-3.
  7. Then name it “WinXP with HF” and give it a description.
  8. Then click Add and paste in “SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = "KB968730"” (this identifies whether the PC has the hotfix installed).
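A WMI filter passes when its query returns at least one instance, so the two queries can be evaluated on a test machine before the filters are attached to the GPOs. The script below is an added example, not part of the original post; it uses the same two queries and simply reports which of the two auto-enrollment GPOs the machine it runs on would receive. Run it on a representative Windows 7 client and on an XP client with and without KB968730.

```powershell
# Added example (not from the original post): evaluate the two WMI filter
# queries locally and report which auto-enrollment GPO would apply.
# Uses exactly the filter queries from the walkthrough; no other assumptions.

$filters = [ordered]@{
    'Win7 & Up'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version like "6.%"'
    'WinXP with HF' = 'SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = "KB968730"'
}

function Test-WmiFilter {
    param([string]$Query)
    # Group Policy treats a filter as "true" when the query returns any instance,
    # so that is the only thing we check. Errors (e.g. a class missing on the
    # platform) count as "false", the same way Group Policy treats them.
    $rows = @(Get-WmiObject -Query $Query -ErrorAction SilentlyContinue)
    return ($rows.Count -gt 0)
}

$os = Get-WmiObject Win32_OperatingSystem
"Evaluating on $($os.Caption) (version $($os.Version))"

$matched = @()
foreach ($name in $filters.Keys) {
    $match = Test-WmiFilter -Query $filters[$name]
    if ($match) { $matched += $name }
    '{0,-14} : {1}' -f $name, $(if ($match) { 'matches' } else { 'no match' })
}

if ($matched.Count -eq 0) {
    # This is the intended outcome for an XP machine without the hotfix:
    # neither GPO links, so it never requests a certificate it cannot install.
    Write-Warning 'Neither filter matches: this machine will not auto-enroll.'
}
```

Two caveats show up when you run this. The “Win7 & Up” filter matches every NT 6.x release (Vista, 7, 8 and Server 2008/2012), not only Windows 7, and it does not match Windows 10 or Server 2016, whose version starts with 10, so the filter needs extending when those arrive. And a machine that matches neither filter silently gets no auto-enrollment GPO, which is the desired safety behaviour for an unpatched XP client but is also the first thing to check when a Windows 7 machine unexpectedly fails to enroll.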

Apply WMI Filters to GPO

  1. In the “Group Policy Management” window go back to our GPOs.
  2. Click on the GPO.
  3. Go to the bottom of the window where it says “WMI Filtering” and apply the appropriate filter.
  4. Go to the “Details” tab and enable the GPO.
  5. Repeat this for the other GPO.

After this, PCs should begin auto-enrolling for certificates, and you shouldn’t have any further problems with XP machines requesting certificates they can’t install.