SCORCH 2016 + SCOM 2016 IP + TLS 1.2

If you happen to use Microsoft System Center Orchestrator (SCORCH) 2016 & the System Center Operations Manager (SCOM) Integration Pack and disable TLS 1.0 on SCORCH and SCOM, you will get the following error when testing the IP connection to SCOM:

“Failed to connect.  Please verify your settings”.

If you re-enable TLS 1.0 on SCORCH and SCOM, the SCOM IP will connect successfully.  I currently have a ticket open with Microsoft Support and they have acknowledged this bug.  I will update this post with any updates as I get them.

(8/6/18) The fix:

  1. Go into Local Group Policy Editor.  Go to Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options
  2. Set System cryptography: Use FIPS compliant algorithms for encryption, hashing and signed to Enabled
  3. Reboot SCOM/SCORCH servers after you make this change.  This change needs to be done on all SCORCH management and runbook servers and all SCOM servers.
  4. Re-test connection from SCOM 2016 IP.  It should succeed this time.

Another fun error I was getting while testing the SCOM IP connection was:

“Missing sdk binaries.  Install System Center 2016 Operations Manager Console first”

After messing around with installing the SCOM 2012 console and uninstalling and re-installing the SCOM 2016 console several times and publishing DLLs to the GAC folder, the fix for this was:

1.  Uninstall SCOM console from management server and all runbook servers.

2. Uninstall SCOM IP and confirm it from Add/Remove program on all management and runbook servers.

3. Register and deploy the latest SCOM IP.

4. Install SCOM console only if you need to use OperationsManager Module commands in PowerShell scripts

  • Soli Deo Gloria

Bypassing Choose Privacy Settings Screen – Windows 10

This was a fun one to track down.  When we did in-place upgrades on Windows 8.1 to Windows 10 1703, we never got this “Choose privacy settings for your device” screen.  However, going from 8.1 to 1803, this screen will appear once for the first user who logs in with local administrative rights (even though we define certain privacy settings through GPO):

Trying to track this down was hard, but I was inspired by this post on Reddit.

The first stab I tried was logging in as a regular user, running ProcMon and then trying to filter on the registry write operations, but even then, it was too much noise (60K+ events).  I then tried another approach.  When you click the Accept button, there’s a UAC prompt that comes up with a title of “User settings: OOBE”.  I made note of the word “OOBE” and cancelled it making changes. I ran Process Explorer as admin logged in as a regular user, then switched over to logging in as an administrator until I got the privacy screen, switched back to the regular user and then did a search for “OOBE” in the process list.  One of the processes that came up was svchost.exe and it had the following key open:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\Stats

I drilled around in this parent key and found this setting:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\PrivacyConsentStatus

Ah ha!  It was set to REG_DWORD 2, so I set it to 1 and tried logging in again as an administrator.  No prompt to set privacy settings!  I deleted the whole PrivacyConsentStatus key and the prompt still did not show up.  I went back and set PrivacyConsentStatus to 2, logged off and back on, privacy settings page showed back up, I clicked the Accept button on the privacy page and then went back to this registry key to see the results.  PrivacyConsentStatus was set back to 1 and a new entry called PrivacyConsentSID was created with a REG_SZ value with my user account SID.  I deleted PrivacyConsentSID and it seemed to have no effect on the system.

The fix is simple: copy the following into a REG file and then fire it towards the end of OSD

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE]
"PrivacyConsentStatus"=dword:00000001
  • Soli Deo Gloria

Get Any Edition of Windows 10 Without Access to VLSC

This is a neat little trick I found on the Internet.  If you don’t have access to VLSC and still need to get access to the Enterprise or Education editions of Windows 10, you can use the Media Creation Tool to download them.

Run the following.

MediaCreationTool1803.exe /Eula Accept /Retail /MediaArch x64 /MediaEdition Enterprise

<insert valid Win 10 KMS>.  You can find generic KMS keys here: https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys

Now you can extract the image you want out of the ESD file as a WIM file.  Number 3 is currently the Enterprise SKU:

dism /Get-WimInfo /WimFile:install.esd

dism /export-image /SourceImageFile:install.esd /SourceIndex:3 
/DestinationImageFile:install.wim /Compress:max /CheckIntegrity

Remove pid.txt under sources and check licensing status of machine with the following command after installing the OS:

slmgr /dli

– Soli Deo Gloria

Reset the State of Software Center

I recently had to pull Firefox out of Software Center and then made a new Firefox application.  Both the old Firefox and the new Firefox were listed on a particular machine even though I had retired and deleted the old Firefox application.  No matter what I did, the old software persisted!  After some reading: it appears that SCCM tracks Software Center events in WMI.  Even if you remove and reinstall the SCCM client, the “ghost software” remains.  I was able to finally clear off the software icon by doing a complete policy reset using the following WMIC command on the client and then waiting:

WMIC /Namespace:\\root\ccm path SMS_Client CALL ResetPolicy 1 /NOINTERACTIVE

  • Soli Deo Gloria

Dell XPS 13 9350 – The Path to Windows 10

Attempts to do an in-place upgrade on a XPS 13 9350 Windows 8.1 to Windows 10 resulted in lockups around 71%.  The issue appears to be the WiFi driver or more specifically BCM.sys.  If this driver is removed before the Windows 10 upgrade: the upgrade goes flawlessly.

First step is to get a copy of the Windows Development Kit or WDK from Microsoft to obtain the devcon executable.

Next, go into the device manager and get the VEN/DEV id:

Now we remove it!

devcon /r remove "PCI\VEN_8086&DEV_7110"

Now proceed on with the rest of your task sequence.

  • Soli Deo Gloria

A Tale of Two Site Codes

This was an interesting problem.  We are cutting over clients to a new SCCM server with a new site code.  Around 100 clients kept going back to the old site code.  Peeking in LocationServices.log, it kept saying “Group Policy Registration set site code”.  Say what?  We don’t have any GPO like that.

After doing some Googling, I stumbled on this article: https://henkhoogendoorn.blogspot.com/search/label/GPRequestedSiteAssignmentCode and sure enough: GPSiteAssignmentCode was defined!  Someone in the past had made a GPO setting the site code, nuked it, but unfortunately it tattooed the computers forever leaving the old site code.

Solution?  PSEXEC, a list of computers in computers.txt, Notepad++ (to trim trailing spaces) and reg delete:

reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\SMS /f

Then you can do something like psexec @computers.txt -c ccm.bat where ccm.bat holds your ccmsetup command line.

  • Soli Deo Gloria

Bomb Out Task Sequence if Laptop is Not Connected to Ethernet

You would think this would be an easy thing to do in Powershell, but I couldn’t find anything. This WMI code will look for an active Ethernet connection and return errorlevel 0 if it finds an active Ethernet connection and 1 if it does not:

wmic.exe nic where "NetConnectionStatus=2" get NetConnectionID | find "Ethernet"

This has to be put into a batch file and then fired as part of the task sequence.

Why do this?  Well, we want to push Windows 10 through Software Center, however, we don’t want user’s with laptops doing this over the WiFi network.

  • Soli Deo Gloria

 

Update BIOS Using PowerShell and SCCM

https://github.com/adamleinss/PowerShellBIOSUpdate

This is a quick and dirty script for PSADT (http://psappdeploytoolkit.com/) to deploy BIOS updates relating to Intel’s Meltdown/Spectre vulnerability.

PSADT is designed to be used in SCCM deployments, however, it is agnostic enough that it should be able to be used with any software management solution such as PDQ Deploy.

Main drivers in this script:

  • Get-WmiObject Win32_ComputerSystem
  • Get-WmiObject Win32_BIOS

Using a Lenovo M900 as an example:

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_ComputerSystem


Domain              : XXXXXXXXX
Manufacturer        : LENOVO
Model               : 10FM0026US
Name                : XXXXXXXXX
PrimaryOwnerName    : ACME
TotalPhysicalMemory : 8478724096

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_BIOS


SMBIOSBIOSVersion : FWKT86A  
Manufacturer      : LENOVO
Name              : FWKT86A  
SerialNumber      : XXXXXXX
Version           : LENOVO - 1860

Stepping through the code:

$FirmwareUpdateRan = 'FALSE'

Set initial status of $FirmwareUpdateRan to FALSE

$ComputerModel = (Get-WmiObject Win32_ComputerSystem).Model

Set $ComputerModel to 10FM0026US as given for the M900 example above.

$BIOSVersion = (Get-WmiObject Win32_BIOS).Name

Set $BIOSVersion to FWKT86A as given for the M900 example above.

if (($ComputerModel -eq '10FM0026US') -and ($FirmwareUpdateRan -eq 'FALSE') -and ($BIOSVersion -lt 'FWKT86A'))

Once we run one at least one block of firmware update code, $FirmwareUpdateRan will be set to TRUE. Setting this flag will prevent the restart prompt later on if we didn’t run any update code. $BIOSVersion should compared against the version of the BIOS you want to update to. Easiest way of getting this is just running Get-WmiObject Win32_BIOS on the test computer after you run the current BIOS update.

{ $Response = Show-InstallationPrompt -Message 'Executing BIOS update...please close all apps' -ButtonRightText 
'Cancel' -ButtonLeftText 'Continue' -Timeout 600
if ($Response -eq 'Cancel') { exit 12345 }

Show a prompt to end user. The majority of the BIOS updates will force a reboot right away without any warning, thus we display a message to the end user and allow them to cancel it.

New-Item -Path HKLM:SOFTWARE -Name ACMEDesktop -Force
Set-ItemProperty -Path HKLM:SOFTWARE\ACMEDesktop -Name MeltdownFirmwareFix -Value "Yes" -Type String

This is useful for satisfying the detection rule for SCCM. There’s no clean way of determining whether there is a failure of the BIOS update, other than running a compliancy report in your software/hardware inventory reporting tool to make sure the update happened.

set-location $dirfiles\M900

Lenovo’s flash utility doesn’t accept absolute paths: we have to run it from the current directory, so we use set-location to force the location folder.

start-process flash.cmd -ArgumentList '/quiet' -Wait -PassThru

Run the BIOS update

Show-InstallationRestartPrompt -Countdownseconds 600 -CountdownNoHideSeconds 60

This is only shown if the BIOS update didn’t force a reboot. Currently, I only found the T460S and Yoga S1 laptops do not force a reboot. Since reboot isn’t forced, we force one with a 10 minute countdown.

Suspend-BitLocker -MountPoint C: -RebootCount 1 -Confirm:$false

Suspends BitLocker for one reboot, otherwise laptop will go into recovery mode. Note this command is supported for Windows 8 and later only. For Windows 7 you will need to use manage-bde: Manage-bde.exe –protectors –disable c:. I didn’t see any -rc option, so you will need to do something such as a scheduled task to turn it back on.

  • Soli Deo Gloria

SCCM PKI Fun with Certificates

This was fun problem to sort out.  I was asked to jump in and fix a SCCM server already built to work with PKI.  Attempts to get clients registered with the server would end up with bizarre error messages like this:

RegTask: Client is not registered. Sending registration request
RegTask: Reply for registration was empty. Error: 0x8000ffff

I worked on the problem for about 8 hours at work, then went home and setup PKI in my home SCCM lab in about 30 minutes.  I decided I needed to enlist Microsoft PSS on this issue.

After working with Microsoft for about 2.5 hours: they tracked the problem to the certificate on the management point bound to IIS being “too new”.  Essentially, SCCM has legacy code in it that only understands certificates based on the CSP templates (Windows XP/Server 2003) and not KSP/CNG templates (Windows Server 2008 and later).

This is explained in more detail here:

https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=66

The funny part is I was actually using a CA template I had found on the production distribution points that were already up and working, but I guess using the wrong certificate template on DPs doesn’t matter, but using the wrong one on the MP does matter for client registration at least!

I had no access to the CA server, so I couldn’t snoop around on the properties of said certificate templates and they were named “2012 or later IIS”.  Of course the management server is running Windows Server 2012 R2, so why wouldn’t I pick that template?

In the end, you have to use the command line to see the cryptographic provider of the certificates (this doesn’t show up in the GUI):

certutil -repairstore my *

It seems that other people are annoyed by this and according to Microsoft the ability to use CNG or more “modern” certificate templates is coming in a newer build of SCCM:

https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/17451757-support-v3-and-newer-certificate-templates-for-htt

  • Soli Deo Gloria