Posts

Posted on

A Tale of Two Site Codes

This was an interesting problem.  We are cutting over clients to a new SCCM server with a new site code.  Around 100 clients kept going back to the old site code.  Peeking in LocationServices.log, it kept saying “Group Policy Registration set site code”.  Say what?  We don’t have any GPO like that.

After doing some Googling, I stumbled on this article: https://henkhoogendoorn.blogspot.com/search/label/GPRequestedSiteAssignmentCode and sure enough: GPSiteAssignmentCode was defined!  Someone in the past had made a GPO setting the site code, nuked it, but unfortunately it tattooed the computers forever leaving the old site code.

Solution?  PSEXEC, a list of computers in computers.txt, Notepad++ (to trim trailing spaces) and reg delete:

reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\SMS /f

Then you can do something like psexec @computers.txt -c ccm.bat where ccm.bat holds your ccmsetup command line.

  • Soli Deo Gloria
Posted on

Bomb Out Task Sequence if Laptop is Not Connected to Ethernet

You would think this would be an easy thing to do in Powershell, but I couldn’t find anything. This WMI code will look for an active Ethernet connection and return errorlevel 0 if it finds an active Ethernet connection and 1 if it does not:

wmic.exe nic where "NetConnectionStatus=2" get NetConnectionID | find "Ethernet"

This has to be put into a batch file and then fired as part of the task sequence.

Why do this?  Well, we want to push Windows 10 through Software Center, however, we don’t want user’s with laptops doing this over the WiFi network.

  • Soli Deo Gloria

 

Posted on

Update BIOS Using PowerShell and SCCM

https://github.com/adamleinss/PowerShellBIOSUpdate

This is a quick and dirty script for PSADT (http://psappdeploytoolkit.com/) to deploy BIOS updates relating to Intel’s Meltdown/Spectre vulnerability.

PSADT is designed to be used in SCCM deployments, however, it is agnostic enough that it should be able to be used with any software management solution such as PDQ Deploy.

Main drivers in this script:

  • Get-WmiObject Win32_ComputerSystem
  • Get-WmiObject Win32_BIOS

Using a Lenovo M900 as an example:

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_ComputerSystem


Domain              : XXXXXXXXX
Manufacturer        : LENOVO
Model               : 10FM0026US
Name                : XXXXXXXXX
PrimaryOwnerName    : ACME
TotalPhysicalMemory : 8478724096

PS C:\_PUBLIC_REPO> Get-WmiObject Win32_BIOS


SMBIOSBIOSVersion : FWKT86A  
Manufacturer      : LENOVO
Name              : FWKT86A  
SerialNumber      : XXXXXXX
Version           : LENOVO - 1860

Stepping through the code:

$FirmwareUpdateRan = 'FALSE'

Set initial status of $FirmwareUpdateRan to FALSE

$ComputerModel = (Get-WmiObject Win32_ComputerSystem).Model

Set $ComputerModel to 10FM0026US as given for the M900 example above.

$BIOSVersion = (Get-WmiObject Win32_BIOS).Name

Set $BIOSVersion to FWKT86A as given for the M900 example above.

if (($ComputerModel -eq '10FM0026US') -and ($FirmwareUpdateRan -eq 'FALSE') -and ($BIOSVersion -lt 'FWKT86A'))

Once we run one at least one block of firmware update code, $FirmwareUpdateRan will be set to TRUE. Setting this flag will prevent the restart prompt later on if we didn’t run any update code. $BIOSVersion should compared against the version of the BIOS you want to update to. Easiest way of getting this is just running Get-WmiObject Win32_BIOS on the test computer after you run the current BIOS update.

{ $Response = Show-InstallationPrompt -Message 'Executing BIOS update...please close all apps' -ButtonRightText 
'Cancel' -ButtonLeftText 'Continue' -Timeout 600
if ($Response -eq 'Cancel') { exit 12345 }

Show a prompt to end user. The majority of the BIOS updates will force a reboot right away without any warning, thus we display a message to the end user and allow them to cancel it.

New-Item -Path HKLM:SOFTWARE -Name ACMEDesktop -Force
Set-ItemProperty -Path HKLM:SOFTWARE\ACMEDesktop -Name MeltdownFirmwareFix -Value "Yes" -Type String

This is useful for satisfying the detection rule for SCCM. There’s no clean way of determining whether there is a failure of the BIOS update, other than running a compliancy report in your software/hardware inventory reporting tool to make sure the update happened.

set-location $dirfiles\M900

Lenovo’s flash utility doesn’t accept absolute paths: we have to run it from the current directory, so we use set-location to force the location folder.

start-process flash.cmd -ArgumentList '/quiet' -Wait -PassThru

Run the BIOS update

Show-InstallationRestartPrompt -Countdownseconds 600 -CountdownNoHideSeconds 60

This is only shown if the BIOS update didn’t force a reboot. Currently, I only found the T460S and Yoga S1 laptops do not force a reboot. Since reboot isn’t forced, we force one with a 10 minute countdown.

Suspend-BitLocker -MountPoint C: -RebootCount 1 -Confirm:$false

Suspends BitLocker for one reboot, otherwise laptop will go into recovery mode. Note this command is supported for Windows 8 and later only. For Windows 7 you will need to use manage-bde: Manage-bde.exe –protectors –disable c:. I didn’t see any -rc option, so you will need to do something such as a scheduled task to turn it back on.

  • Soli Deo Gloria
Posted on

SCCM PKI Fun with Certificates

This was fun problem to sort out.  I was asked to jump in and fix a SCCM server already built to work with PKI.  Attempts to get clients registered with the server would end up with bizarre error messages like this:

RegTask: Client is not registered. Sending registration request
RegTask: Reply for registration was empty. Error: 0x8000ffff

I worked on the problem for about 8 hours at work, then went home and setup PKI in my home SCCM lab in about 30 minutes.  I decided I needed to enlist Microsoft PSS on this issue.

After working with Microsoft for about 2.5 hours: they tracked the problem to the certificate on the management point bound to IIS being “too new”.  Essentially, SCCM has legacy code in it that only understands certificates based on the CSP templates (Windows XP/Server 2003) and not KSP/CNG templates (Windows Server 2008 and later).

This is explained in more detail here:

https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=66

The funny part is I was actually using a CA template I had found on the production distribution points that were already up and working, but I guess using the wrong certificate template on DPs doesn’t matter, but using the wrong one on the MP does matter for client registration at least!

I had no access to the CA server, so I couldn’t snoop around on the properties of said certificate templates and they were named “2012 or later IIS”.  Of course the management server is running Windows Server 2012 R2, so why wouldn’t I pick that template?

In the end, you have to use the command line to see the cryptographic provider of the certificates (this doesn’t show up in the GUI):

certutil -repairstore my *

It seems that other people are annoyed by this and according to Microsoft the ability to use CNG or more “modern” certificate templates is coming in a newer build of SCCM:

https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/17451757-support-v3-and-newer-certificate-templates-for-htt

  • Soli Deo Gloria
Posted on

Your System Administrator has blocked this Program

This was an interesting one.  I was converting some computers over from an older domain to a new one and was getting this logged in as a non-admin user when trying to change the domain membership:

Attempts to do a runas on Command Prompt ended up with this even more bizarre error message:

At first I thought it was the OS being corrupted on the computer, but I encountered this error on more and more computers.  If I logged in as a user with administrator rights, everything worked fine.

After digging for a while, I figured this had to be a UAC policy as we don’t use AppLocker.

The issue: https://msdn.microsoft.com/en-us/library/cc232762.aspx

ConsentPromptBehaviorUser

Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: “ConsentPromptBehaviorUser”

0x00000000
This option SHOULD be set to ensure that any operation that requires elevation of privilege will fail as a standard user.

0x00000001
This option SHOULD be set to ensure that a standard user that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

The previous IT staff (who are no longer here) had set a policy disabling UAC elevation.  Doing so causes all kinds of crazy error messages like this one.  Why would they do that?  Well, the one guess I can come up with is that they didn’t want help desk calls from people encountering a UAC prompt. Of course, this also interferes with any IT staff attempting to do any work as all attempts to elevate to admin are blocked.

Some users had admin rights and some didn’t…the ones that didn’t were the ones where this issue was popping up on.  Thankfully, this policy isn’t set in the new domain.

  • Soli Deo Gloria
Posted on

0x80004005: An error occurred while retrieving policy for this computer

Started a new job recently and one of the techs was having a problem imaging a laptop with a recently replaced motherboard.  We would PXE boot the laptop and then WinPE would bomb out in 10 seconds stating “0x80004005: An error occurred while retrieving policy for this computer”.

Nothing interesting was found on the SCCM side, however when I finally found the SMSTS.LOG in X:\Windows\temp\SMSTSLOG, I didn’t even have to open the file to figure out the problem: it was dated 2016!  Yup: it was a date and time issue.  If your computer skews too far from the current date and time, SCCM won’t talk to your computer.

You can use the commands date and time within cmd (hit the F8 key…you did enable this functionality, right?) to set the correct date and time.

  • Soli Deo Gloria
Posted on

Create a Custom Installer Using Powershell

We run a program called QATRAX which doesn’t come as a MSI file for installing it.  The program has many sins: one of them being that it can only be installed to C:\program files\traxstar (it’s a x86 program) and it has to have write access to this folder.  Attempts to use a re-packager to convert this to a MSI file have failed, because all repackagers detect it should really go in C:\program files (x86), but of course that won’t work.

The program was made in the 1990s, so figuring out what files it copies to to system is quite easy.  You can use a tracing utility such as Process Monitor to watch for install changes.

# copy qatrax support files
copy-item *.dll C:\windows\syswow64 -Force

We could add registry entries using Powershell code line-by-line, but doing a registry export to a REG file and then import it is far easier in my opinion.

# import qatrax registry settings
regedit /s qatrax.reg

One thing to note is that we need to create an uninstall string manually so it shows up in Programs and Features as being installed.  This will also report back to WMI that the program is really installed to help with software inventory.  You should be able to get this from a system with the software already installed.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QATrax]
@=""
"DisplayName"="QATrax"
"UninstallString"="C:\\Program Files\\TraxStar\\uninstall.exe TRAXSTAR"

The program also has no native way of switching between dev and prod environments, so I wrote another wrapper that overwrites the values in the registry with certain IP addresses depending on which environment the user wants to be in.

# set everyone full-control to traxstar registry key. this is a hack to allow
# switching between dev and prod environments
$acl = Get-Acl 'HKLM:\SOFTWARE\Wow6432Node\TraxStar Technologies LLC'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path 'HKLM:\SOFTWARE\Wow6432Node\TraxStar Technologies LLC'

Make a folder in C:\program files

# create install folder (and yes, traxstar has to be in the x64 folder even though it's
# x86 or it will break
mkdir "C:\program files\traxstar\traxclient"

Grant everyone rights to write to this folder

# qatrax requires write access to its own folder
icacls 'C:\program files\traxstar\traxclient' /grant:r everyone:f

Copy files to C:\program files

# copy qatrax files to program install folder
copy-item qatrax.exe "C:\program files\traxstar\traxclient"
copy-item traxlaunch.exe "C:\program files\traxstar\traxclient"
copy-item uninstall.exe "C:\program files\traxstar"
copy-item *.log "C:\program files\traxstar\traxclient"

Build out the start menu

# create start menu items
mkdir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QATrax"
icacls *.lnk /grant:r everyone:RX
copy-item *.lnk "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QATrax"

  • Soli Deo Gloria
Posted on

PowerShell Code to Find Default Printer

Here’s some code to query what computers have a certain default printer with PowerShell:

$PrinterNameSeek = "\\XXXXXXX01\XX_OFFICE_CLR_01"

$DefaultPrinterObject = Get-WmiObject -Query " SELECT * FROM Win32_Printer WHERE Default=$true"
$DefaultPrinterName = $DefaultPrinterObject.Name.ToUpper()

write-host $DefaultPrinterName

if ($DefaultPrinterName -eq $PrinterNameSeek)

{

write-host $env:COMPUTERNAME
write-host $env:username

out-file \\XXXXXX\logs\$($env:COMPUTERNAME).$($env:username).XX_OFFICE_CLR_01.txt

}

This will need to be run as the end user to use $env:username, but if your ExecutionPolicy doesn’t allow it, you can remove it.

After running this for a few days: you can do a “dir *.* > list.txt” and then import this into an Excel spreadsheet using the import data from text file feature.

  • Soli Deo Gloria