OSD Wizard Updates (0.95 release)

I’ve worked my way through a series of additional features for OSD Wizard (a ConfigMgr/ SCCM Task Sequence front-end/ modern HTA) this week – namely the introduction of run-time “modes” – Default, Set-Description, ExportOU, Test. With these modes you can now:

  • Set AD Computer Account description mid-Task Sequence using OSD Wizard/ Web Service as opposed to using a separate script with RunAs credentials
  • Perform a compatible OU export using the OSD Wizard script itself (and automate/ schedule this if so desired), rather than performing this manually
  • Fully test OSD Wizard outside of a Task Sequence environment (without the need for the SMS TS Environment COM Object) – including the ability to spoof platform information/ properties.

Grab a copy of the latest release here: https://gitlab.com/chrismbradford/osd-wizard

Introducing OSD Wizard – A PowerShell Front-End / HTA for ConfigMgr Task Sequences

When I first started working with SCCM/ ConfigMgr a few years ago I ran into several issues with upstream teams trying to deploy Task Sequences to devices that were untested (i.e. there were no drivers), where power was not plugged in, where the user-supplied hostname was already in use in the target domain, etc. This generated unnecessary Incidents and delays in getting devices out to users. I became increasingly frustrated at the lack of built-in ConfigMgr capabilities to address these issues, so I turned to VBScript to write an HTA / front-end. VBScript is now, several years later, a dying technology, so over time I have re-written the VBScript/ HTA in PowerShell, leveraging WPF and XAML to generate the user interface.

OSDWizard UI

OSD Wizard is a PowerShell script with a WPF/ XAML-based UI built for use within System Center Configuration Manager (SCCM / ConfigMgr) Task Sequences – it has two key purposes, the second of which is optional:

  1. Reduce “human error” factors during early stages of Operating System Deployment
  2. Enable location (network) derived automation for multi-language environments

You can read through the details of the project, download and review the source code (and even contribute!) via GitLab, here: https://gitlab.com/chrismbradford/osd-wizard

ConfigMgr Windows 10 Enterprise 1703 Stuck at “Just a moment”

I ran into an issue when testing Windows 10 Enterprise 1703 in the lab, when deploying via ConfigMgr Current Branch – essentially after image deployment the machine would reboot and just show a blue screen with “Just a moment.”

I came across this post which led to the solution – a modification to the Unattend.xml:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
            </OOBE>
        </component>
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideLocalAccountScreen>true</HideLocalAccountScreen>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>1</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
            </OOBE>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:c:/temp/install.wim#Windows 10 Enterprise Evaluation" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>


Vulnerability scanning for MS17-010 / 4013389 / WannaCry using OpenVAS in a Docker Container

For instructions on how to install Docker on Ubuntu see my post here: https://www.cb-net.co.uk/linux/installing-docker-on-ubuntu-16-04-lts-16-10/

Updated 31/05/17 to include Ping Host and NMAP (NASL wrapper) tests due to feedback around reliability of results without these tests enabled.

Following on from my previous post around MS17-010 / 4013389 vulnerability patching assurance I thought I’d share a more robust scanning and reporting tool that is simple to deploy and use, OpenVAS. The deployment/ configuration of which is made even simpler through the availability of a Docker Image.

Assuming you have an Ubuntu 16.04 server/ client with the docker engine installed, use the following commands to get OpenVas up and running:

docker pull mikesplain/openvas:9

docker run -d -p 443:443 --name openvas mikesplain/openvas:9

# *** Alternatively *** use the host machine's network stack/ IP address rather than the docker0 interface/ a NAT'd address as above (with --net host the -p port mapping is ignored, so it is omitted):

docker run -d --net host --name openvas mikesplain/openvas:9

Next, browse to https://<machine IP> and log in using the default credentials admin / admin – change this password as soon as you are logged in, since the web UI is now exposed on port 443 of the host:

Now, from the top menu, browse to Configuration > Scan Configs

Click the “sheep” (clone) button next to empty

Hit the spanner icon at the top of the window:

Name the Scan Config “MS17-010 Vulnerability Check” or something else meaningful:

Scroll down to “Windows : Microsoft Bulletins” and hit the spanner icon next to this:

Search for 4013389 (the KB number for MS17-010), enable all instances for the scan and click Save:

As per the comments on this post, also enable the Port Scanners | Ping Host and NMAP (NASL wrapper) tests.

Click Save, then click Save again.

Now browse to: Scans > Tasks

Click the “Pink Wand” icon: New > Advanced Task Wizard

Name the task and select the new scan config you just created. Specify IP, subnet etc you want to scan. Hit “Create” to start the scan for this specific vulnerability.

Check the reports as the scan progresses: anything identified needs to be patched, or hardened/ isolated if it runs an O/S edition older than those this patch was released for.

Happy hunting…

MS17-010 Vulnerability Checking with PowerShell and Nmap

There have been several MS17-010 PowerShell scripts that have emerged over the last week or so. I wanted to call out a couple in particular, aimed at assurance/ understanding of vulnerability within a network rather than remediation/ clean-up.

The first uses Nmap to identify individual IPs/ hostnames that are vulnerable to the MS17-010 exploit: https://gist.github.com/iwikmai/65b8a5b882e782d78fc5f466dfd2cde4

Using Nmap is important as simply installing the patch itself without a reboot is not enough to protect against this vulnerability. This script uses Nmap to confirm that this exploit is no longer available on a per-target basis, rather than simply looking for an installed hotfix.

The second script is good for checking that machines have the patch itself installed: https://github.com/kieranwalsh/PowerShell/blob/master/Get-WannaCryPatchState/Get-WannaCryPatchState.ps1

No doubt you’ll come across scripts that help you deploy the patch and even decrypt/ clean-up WannaCry itself – certainly lots of interesting reads in recent days.
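The per-target Nmap check described above, as an added example that is not the post's own code nor either of the linked gists: it wraps Nmap's smb-vuln-ms17-010 script so a list of hosts can be scanned from PowerShell and the XML output turned into a per-host state, rather than reading console output by eye. It assumes nmap.exe is on PATH; the target addresses at the bottom are constructed placeholders.

```powershell
function Get-Ms17010State {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [string]$XmlOut = (Join-Path $env:TEMP 'ms17-010-scan.xml')
    )
    # -Pn: do not skip hosts that drop ICMP; vulns.showall=1 makes the script also report
    # NOT VULNERABLE hosts (otherwise only vulnerable ones appear); -oX gives parseable XML.
    & nmap.exe -Pn -p 445 --script smb-vuln-ms17-010 --script-args vulns.showall=1 `
        -oX $XmlOut @Targets | Out-Null
    if (-not (Test-Path $XmlOut)) { throw "Nmap produced no output file at $XmlOut" }

    [xml]$scan = Get-Content -Path $XmlOut -Raw
    foreach ($h in $scan.nmaprun.host) {
        $addr   = @($h.address | Where-Object { $_.addrtype -eq 'ipv4' })[0].addr
        $port   = @($h.ports.port | Where-Object { $_.portid -eq '445' })[0]
        # The check is a host script, but look in port scripts too in case that changes
        $script = @(@($h.hostscript.script) + @($h.ports.port.script) |
                    Where-Object { $_ -and $_.id -eq 'smb-vuln-ms17-010' })[0]
        # Script text carries "State: VULNERABLE", "State: LIKELY VULNERABLE" or
        # "State: NOT VULNERABLE"; anything else (no SMB, script error) is unknown.
        $state = if (-not $script) { 'unknown (script did not run)' }
                 elseif ($script.output -match 'State:\s+(LIKELY\s+)?VULNERABLE') { 'VULNERABLE' }
                 elseif ($script.output -match 'State:\s+NOT VULNERABLE') { 'not vulnerable' }
                 else { 'unknown (see Detail)' }
        [pscustomobject]@{
            Host    = $addr
            Port445 = if ($port) { $port.state.state } else { 'n/a' }
            Ms17010 = $state
            Detail  = if ($script) { ($script.output -replace '\s+', ' ').Trim() } else { '' }
        }
    }
}

# Run over constructed placeholder addresses; anything reported VULNERABLE still needs the
# hotfix installed AND a reboot before the check will come back clean.
$results = Get-Ms17010State -Targets '192.0.2.10', '192.0.2.11'
$results | Format-Table Host, Port445, Ms17010 -AutoSize
$results | Where-Object Ms17010 -eq 'VULNERABLE' |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'ms17-010-vulnerable.csv')
```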

Microsoft Local Administrator Password Solution (LAPS)

Managing local Administrator passwords on computers can be painful, especially in a large estate. Good practice is for each device to have its own, unique, local Administrator password to stop “lateral movement” of malware / reduce risk – in practice, few organisations actually achieve this.

I recently came across a Microsoft solution geared towards addressing this problem – the Local Administrator Password Solution:

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

In terms of supported operating systems, at time of writing requirements are very flexible in respect of DCs and target Operating Systems:

Active Directory:
> Windows 2003 SP1 and above

Managed machines:
> Windows Vista with current SP or above; x86 or x64
> Windows 2003 with current SP and above; x86 or x64 (Itanium not supported)

For more information, and, to download the tool itself click here: https://www.microsoft.com/en-us/download/details.aspx?id=46899

ConfigMgr : Adding KMDF 1.11 (KB2685811) to Build and Capture Task Sequences

Download the KMDF 1.11 driver for X86 and X64 architectures using this link: https://support.microsoft.com/en-us/kb/2685811

Extract the MSU files using the commands:

rem Create a target folder per architecture
mkdir C:\Temp
mkdir C:\Temp\Windows6.1-KB2685811-x86
mkdir C:\Temp\Windows6.1-KB2685811-x64

rem Extract the contents (including the .cab) of each MSU; run from the folder holding the downloaded MSU files
expand -f:* kmdf-1.11-Win-6.1-x86.msu C:\Temp\Windows6.1-KB2685811-x86
expand -f:* kmdf-1.11-Win-6.1-x64.msu C:\Temp\Windows6.1-KB2685811-x64

Create a ConfigMgr package (not Application) as indicated below:

Package name: Microsoft KMDF 1.11 Hotfix

Folder structure / contents:
\X86\Windows6.1-KB2685811-x86.cab (extracted from downloaded MSU, as above)
\X64\Windows6.1-KB2685811-x64.cab (extracted from downloaded MSU, as above)

Ensure content for this package is distributed to all of your DPs prior to continuing.

Now we will modify your “Build and Capture” Task Sequence.

Create a new folder/ group just prior to the “Setup Windows and Configuration Manager” task:

kmdf

Below, I have detailed actions for x64 architecture, replace X64 with X86 for 32-bit.

This group will contain two actions:

Run Command Line: Create Temp Folder
Command: cmd.exe /c mkdir %OSDSystemDrive%\Temp
Package: No Package

Run Command Line: Inject KMDF 1.11 x64
Command: cmd.exe /c X:\windows\system32\dism.exe /ScratchDir:%OSDSystemDrive%\Temp /Image:%OSDSystemDrive%\ /Add-Package /PackagePath:%_SMSTSMDataPath%\Packages\M010038D\X64\Windows6.1-KB2685811-x64.cab
Package: Microsoft KMDF 1.11 Hotfix

This driver will now be injected automatically every time you re-create your master image via the Build and Capture Task Sequence.

Journey to the Surface (Pro) and Back – A Surface Pro 4 Review

My wife would be the first to say that I am a “geek.” New hardware, new devices, new technology trends – I’m there. Having worked in IT for many years, technology is both my work life and my home life, and I love it.

So, when Microsoft announced the original Surface series I was thrilled at the idea of what looked to be a “useful” iPad. I appreciate my definition of useful will be different to your definition, so take that statement with a pinch of salt.


ConfigMgr : Multilanguage Office 2016 Click-to-Run (C2R)

Download Office using the configuration.xml below – make sure you include ALL languages you will want to use across devices in your environment. Don’t worry about the size: the idea is to create one source to rule them all, i.e. a single source with every language pack pre-downloaded, from which we stage more streamlined versions as required. More information on how to download is here: http://www.cb-net.co.uk/microsoft-articles/34-configmgr/2118-configmgr-deploying-office-2016-click-to-run-during-osd

<Configuration>
  <Add OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <Language ID="fr-fr" />
      <Language ID="de-de" />
      <Language ID="es-es" />
      <Language ID="pt-pt" />
      <Language ID="pl-pl" />
      <Language ID="ro-ro" />
      <Language ID="ru-ru" />
      <Language ID="tr-tr" />
    </Product>
  </Add>
  <!--  <Updates Enabled="TRUE" Branch="Current" /> -->
  <!--  <Display Level="None" AcceptEULA="TRUE" />  -->
  <!--  <Property Name="AUTOACTIVATE" Value="1" />  -->
</Configuration>

Now create this dynamic PowerShell script – we’ll call it during OSD or package deployment, specifying an argument for the secondary language you need. This script should be named “_Install.ps1” and should be in the root of the package you create, along with the contents of the downloaded Office C2R.

Param(
  # Optional secondary language tag, e.g. fr-fr; an empty value installs en-us only.
  # The pattern stops an unexpected TS variable value from being dropped straight into the XML.
  [ValidatePattern('^$|^[A-Za-z]{2,3}-[A-Za-z]{2,4}$')]
  [string]$language
)
# Build dynamic XML file text - needed as without specifying the SourcePath Office install hangs
$currentLocation = Split-Path -Parent $MyInvocation.MyCommand.Path
# en-us is always installed; the secondary language element is only added when one was supplied
$languageLines = '      <Language ID="en-us" />'
If ($language) {
  $languageLines += "`n      <Language ID=`"$language`" />"
}
$text = @"
<Configuration>
  <Add SourcePath="$currentLocation" OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
$languageLines
    </Product>
  </Add>
  <Updates Enabled="TRUE" Branch="Current" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
# Output XML file next to the script, so the path does not depend on the working directory
$xmlPath = Join-Path $currentLocation 'dynamic_configuration.xml'
$text | Out-File -FilePath $xmlPath
# Execute setup (also located next to the script), using the dynamic XML file
Start-Process -Wait -WindowStyle Hidden -FilePath (Join-Path $currentLocation 'setup.exe') -ArgumentList "/configure `"$xmlPath`""

You can call this from within a ConfigMgr 2012 R2 SP1 Task Sequence using the “Run PowerShell Script” step, configured as below – note I use a TS variable to pass “fr-fr” or “de-de” to the dynamic XML file creation. You could simply type the language needed and work out the logic to get the right package to the right machines a different way.

  • Name: Run Script: Install Microsoft Office C2R (MUI)
  • Script name: _Install.ps1
  • Parameters: -language %OSDSecondaryUILanguage%
  • Execution Policy: Bypass

ConfigMgr : Deploying Office 2016 Click to Run during OSD

Click to run offers a relatively pain-free way of packaging Office 2016, but it does present some challenges when deploying via SCCM or similar enterprise tools. Follow the steps below to enable deployment of Office 365 via SCCM 2012 – I’ve tested this against Windows 7, 8.1 and 10 – YMMV.


1. Download and install the Office 2016 Deployment Tool from: https://www.microsoft.com/en-us/download/details.aspx?id=49117


2. In the same directory as your new setup.exe create new file named configuration.xml – contents:

<Configuration>
  <Add OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <!--  <Updates Enabled="TRUE" Branch="Current" /> -->
  <!--  <Display Level="None" AcceptEULA="TRUE" />  -->
  <!--  <Property Name="AUTOACTIVATE" Value="1" />  -->
</Configuration>

3. Download Office 2016 using a command prompt in the Office 2016 Deployment Tool directory, via the following command: setup.exe /download configuration.xml


4. Within SCCM create a new package or application from the contents of the new “Office” folder within the directory you executed the command from.


5. Create a PowerShell script “_Install.ps1” within the root folder of the Office 2016 package/application – contents below – and call this script from a “Run PowerShell Script” task within your Task Sequence.

# Build dynamic XML file text - needed as without specifying the SourcePath Office install hangs
$currentLocation = Split-Path -Parent $MyInvocation.MyCommand.Path
$text = @"
<Configuration>
  <Add SourcePath="$currentLocation" OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Branch="Current" />
  <Display Level="None" AcceptEULA="TRUE" />
  <!--  <Property Name="AUTOACTIVATE" Value="1" />  -->
</Configuration>
"@
# Output XML file next to the script, so the path does not depend on the working directory
$xmlPath = Join-Path $currentLocation 'dynamic_configuration.xml'
$text | Out-File -FilePath $xmlPath
# Execute setup (also located next to the script), using the dynamic XML file
Start-Process -Wait -WindowStyle Hidden -FilePath (Join-Path $currentLocation 'setup.exe') -ArgumentList "/configure `"$xmlPath`""
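As an added example (not the post's own _Install.ps1 from this section or from the multilanguage section above), this version generalises the same idea to any number of secondary languages: it builds the configuration with System.Xml instead of a here-string, so the SourcePath and language values are escaped rather than pasted in, and it refuses language tags that are not present in the downloaded source. The stream.<arch>.<lang>.dat check is an assumption about the C2R download layout, and -NoInstall is a hypothetical switch for dry runs outside a Task Sequence.

```powershell
param(
    [string[]]$Languages = @(),   # secondary tags, e.g. 'fr-fr','de-de'; en-us is always added
    [string]$Edition = '32',
    [switch]$NoInstall            # hypothetical: only write the XML, do not run setup.exe
)
$root = Split-Path -Parent $MyInvocation.MyCommand.Path

function Get-AvailableLanguages([string]$SourceRoot) {
    # Assumption: each downloaded language pack leaves a stream.<arch>.<lang>.dat under Office\Data\<build>\
    Get-ChildItem -Path (Join-Path $SourceRoot 'Office\Data') -Recurse -Filter 'stream.*.dat' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.BaseName -split '\.')[-1] } |
        Where-Object { $_ -ne 'x-none' } | Sort-Object -Unique
}

function New-C2RConfiguration([string]$SourcePath, [string[]]$Langs, [string]$Edition) {
    # XmlDocument escapes attribute values, so a path containing & or " cannot break the file
    $doc  = New-Object System.Xml.XmlDocument
    $cfg  = $doc.AppendChild($doc.CreateElement('Configuration'))
    $add  = $cfg.AppendChild($doc.CreateElement('Add'))
    $add.SetAttribute('SourcePath', $SourcePath)
    $add.SetAttribute('OfficeClientEdition', $Edition)
    $add.SetAttribute('Branch', 'Current')
    $prod = $add.AppendChild($doc.CreateElement('Product'))
    $prod.SetAttribute('ID', 'O365ProPlusRetail')
    foreach ($l in $Langs) {
        $prod.AppendChild($doc.CreateElement('Language')).SetAttribute('ID', $l)
    }
    $cfg.AppendChild($doc.CreateElement('Updates')).SetAttribute('Enabled', 'TRUE')
    $cfg.LastChild.SetAttribute('Branch', 'Current')
    $cfg.AppendChild($doc.CreateElement('Display')).SetAttribute('Level', 'None')
    $cfg.LastChild.SetAttribute('AcceptEULA', 'TRUE')
    return $doc
}

# Normalise, validate the tag format, then refuse anything the source cannot satisfy
$wanted    = @('en-us') + @($Languages | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }) | Sort-Object -Unique
$bad       = @($wanted | Where-Object { $_ -notmatch '^[a-z]{2,3}-[a-z]{2,4}$' })
if ($bad.Count)     { throw "Invalid language tag(s): $($bad -join ', ')" }
$available = @(Get-AvailableLanguages $root)
$missing   = @($wanted | Where-Object { $available -notcontains $_ })
if ($missing.Count) { throw "Language pack(s) not present in source: $($missing -join ', ')" }

$xmlPath = Join-Path $root 'dynamic_configuration.xml'
(New-C2RConfiguration -SourcePath $root -Langs $wanted -Edition $Edition).Save($xmlPath)
if (-not $NoInstall) {
    Start-Process -Wait -WindowStyle Hidden -FilePath (Join-Path $root 'setup.exe') `
        -ArgumentList "/configure `"$xmlPath`""
}
```

Called from the same “Run PowerShell Script” step, the parameters would be `-Languages %OSDSecondaryUILanguage%`; a tag that was never downloaded now fails the step with a clear message instead of setup.exe hanging or silently installing en-us only.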