Powershell: Enable virtualization and Credential Guard in an instant (Lenovo laptops)

Windows 10 Credential Guard is currently another hot topic considering cyber security. Credential Guard is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.

To be able to enable Credential Guard in Windows, you need to have virtualization enabled on the CPU in the BIOS. Virtualization is rarely enabled by default, and as such you will need to enable it manually (F1, enter BIOS, modify the setting) or better yet, find a solution to do so remotely and automatically.

I have created following script in Powershell, that initially enables virtualization in the BIOS (Note: We only use Lenovo laptops, hence this is made for Lenovo laptops only) and then apply the registry-keys to enable Credential Guard. All steps are logged into c:\Windows\EnableCredentialGuard.log

The script can be targeted to the proper Windows 10 versions through SCCM collections (I this example I only target W10 1607 and 1703, as these Windows 10 versions no longer require the Isolated User Mode feature when enabling Credential Guard, as it’s now embedded into the Hypervisor)

When deploying powershell script from SCCM, remember to create the program with a command line like this: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File .\CredentialGuard\Enable-VirtualizationCredentialGuard.ps1

Snip of the logfile when everything succeeds:

Powershell: Users and passwords about to expire

So, it’s that time of year; people heading back and forth on vacation and meanwhile their Active Directory password expires. People tend to miss the default notification popping up in Windows and have done so since forever.

So how about getting an annoying email every day, 7 days prior to the actual expiration? The main goal here is to avoid having users ending up with expired password, and thus causing troubles for the user and generating calls to helpdesk.

Here’s how I do using Powershell: (Some of the body text is in danish because lazy, and my syntax highlighter is on vacation too. Just copy/paste the code directly into your PS ISE, save the script and schedule it to run through Task Scheduler and you’re set. 🙂

Preview of the email being sent. Also in danish because lazy.

Powershell: Monitor LAPS

LAPS is Microsoft’s “Local Administrator Password Solution” and is a hot topic when talking about cyber security and what measures to take, when fighting the cyber criminals. Read more about LAPS here.

This is just something short and sweet, and a very simple powershell script to monitor and read all computer objects in specified OUs in Active Directory, read the relevant attributes of the object, and if LAPS attributes are empty (hence no LAPS active), then list the objects in a list and send it as an email.

You can run the script on a schedule using Task Scheduler, and this way monitor which computers in your Active Directory that’s missing LAPS.

Preview of the email being sent:

Dynamic Stamps in Adobe Acrobat

This is a tad offtopic, but it took me a while to figure out how to make a dynamic stamp in Adobe Acrobat, as when inserted, prompts the user for input and automatically puts the input on top of the stamp. So here goes: (this requires Adobe Acrobat Pro or the ability to make/edit forms in pdf)

  1. First off, open Adobe Acrobat and go to Comment -> Annotations -> Stamp drop down -> Custom Stamps -> Create Custom Stamp (This is the easy part, so I only touch this briefly)
  2. Browse to your file containing the stamp (I have stamps made in the pdf format. For this I made the stamp in Illustrator)
  3. Give it a name and a category and click OK

With above in place, you now have a new stamp-file located at AppData\Roaming\Adobe\Acrobat\11.0\Stamps. It’s given a random generic name like “PSrfwCzHqxg6fYZmnjYV0D.pdf”.  So far, so good.

Now go ahead and open and edit this file in Adobe Acrobat Pro and:

  1. Select Tools -> Forms -> Edit
  2. Go to Tasks -> Add New Field -> Button and insert the button somewhere in the blank page
  3. Right Click the new button and select Properties
  4. Go to the Action page, and select Run a JavaScript in the Select Action option.
  5. Click Add and paste following two lines of code into the window and click OK and Close

JavaScriptButtonProperties

Now click the new button with the JavaScript action you just made, and take notice of the template IDs in the popup:

javaScriptWarning

#9a6csAl0hXSlWeY-OYTDiD
#WZtYwuwFlm9eAFnYXvCOGA
#y2fXxVRn8AcGrHnfA2BJdD

Above IDs will be used when creating the text field on the stamp. The text field created in the following steps, is where the input from the prompt goes.

  1. Tasks -> Add New Field -> Text Field
  2. Right Click the new text field and select Properties
  3. Go to the Calculate page and insert a Custom calculation script
  4. Insert below script and make sure to your template IDs from above is correct
  5. Place the text field where desired and save the stamp file

Now, when the stamp is inserted from Adobe Reader / Adobe Acrobat following window pops up and the net result is my stamp with my input on top of it.

InsertStamp Stamp

Bulk assigning O365 licenses, and then some… using Powershell

Managing our O365 licenses got me an idea to write one of my first Powershell scripts.

The script is tailored to our environment, but can be altered to fit any needs without much hassle. The script looks for users in specified OUs and compare them to what users in O365 that are assigned a license. All users in the specified OU are being assigned the specified license. If a license is assigned to a user, who does not exist in the specified OUs, the license is automatically removed. This way I’m always on top of who is using our licenses.

The script does the following for you in details:

  • (#2) Connects to O365 through Powershell (pre-req for that can be seen here: https://technet.microsoft.com/en-us/library/dn975125.aspx)
  • (#3) Reads what license you want to assign your users in the process. Change this to fit your needs and replace tenantname with your O365 tenant.
  • (#4) Reads what conditions you have for filtering what O365 users that needs a license. I’m excluding my Office 365 Admin and a few others, as I don’t wanna mess with the license for those users.
  • (#5) Reads the OUs containing user who needs a O365 license. You can specify several OUs if needed.
  • (#6) Assign the location and license for each user found in OUs. You can filter additionally in this step if needed.
  • (#7) Remove the O365 license, if user is not found in specified OUs. Change this to fit your needs and replace tenantname with your O365 tenant.

 

 

WSUS maintenance for ConfigMgr

So it was my turn to face problems. I had neglected the obstacle for months excusing myself that everything was still working wonders, until today.

Following screenshot was the reality of my WSUS console when trying to run the server cleanup wizard:

wsuserror

Add so the struggle to solve the problem began and following is the facts and solution:

  • I’m using WSUS running on the internal database in Windows (WID), so I downloaded and installed SQL Server 2014 Management Studio on my server running WSUS
  • Connected to \\.\pipe\microsoft##WID\tsql\query in the Connect to Server window

studioconnecting

  • Ran the following two SQL scripts. My WSUS DB was so bloated that the reindex script from the scripting guys didn’t cut it. When that happens, the deal usually is that you have to delete updates manually directly in the DB.
    Fortunately for me, I found below script to my aid. The script runs the stored procedure EXEC spGetObsoleteUpdatesToCleanup and then deletes the updates. Beware, running these scripts may take several hours depending on the specs of the server and the amount of updates)
  1. DeleteObsoleteUpdates
  2. WSUSreindex

This is a snip of the two scripts showing directly in Management Studio, saved for later use as .sql.

studioscripts

Lesson learned:

Maintaining the SUSDB is important, and is not just something you setup and leave even though running it integrated with ConfigMgr.

**Will update this post on how I’m going to automate this in the future.

Deploying software targeting user AND machine context

So, are you ever in need of deploying software targeting computers , but also in need of pushing config files belonging to the same software targeting the users profile?

You can do that using ConfigMgr, and this is how I do it.

In this example I was messing around with Ad Block for IE. To avoid some annoying first run popups, you have to make sure some config files exists in the users profile. You can push those files directly to the logged on user (or any user logging on the same computer) immediately after installing the targeted software.

  • First, create the ad block (or whatever software you’d like) as a package in configmgr. This is pretty standard, and is not explained in this post.
  • Secondly, create another package consisting of the files going into the users profile. The files for Ad Block is automatically created during the first run of IE after the installation, and consists of following files:

adblockfiles

  • Thirdly, create a batch script running following command and put it next to the files going into the users profile: xcopy “%~dp0Files\*.*” “%userprofile%\AppData\LocalLow\Adblock Plus for IE\” /E /S /Y /Q. Notice I have the files in a sub folder to the actual .cmd:

adblockfiles2

  • Distribute to the distribution point as usual and create a program running the CopyFiles.cmd running in user context:

adblockfiles3 adblockfiles4

  • Edit the program running the software created in the first step and make the following changes:

adblockfiles5

  • Finally, deploy both the program running the actual software, and the program copying the files to the users profile to the same collection of computers. The program running the copy of the files, can be deployed as available:

adblockfiles6

All of above will result in the actual software being installed (system context) AND the files being copied into the logged on users profile (user context) in one go.

How to flash BIOS during OSD (Lenovo ThinkPad laptop)

In this blog post I will go into details about how I flash the BIOS of our Lenovo ThinkPad series during OSD using ConfigMgr.

First off you obviously need to download the latest BIOS from the Lenovo support site: http://support.lenovo.com/dk/en/. In this example I’m flashing the BIOS of a ThinkPad T450s.

Go ahead and locate and download the BIOS Update Utility for Windows. The most recent version as of now for T450s is 1.21:

T450BIOS

When downloaded, extract the content to your source file library. In this case I have a folder structure equal to this: D:\Pkgsource\Applications\Lenovo\BIOS\T450S\1.21

The content of the 1.21 folder should be looking like this:

T450BIOS2

Next, mind the highlighted file: FlashBIOS.cmd. Create this file manually with following content (I exit the script with exitcode 0, as the BIOS update itself might return exitcodes seen as failures. Some might dislike this approach, but you can also translate the actual exitcode into zero using whatever method you prefer):

“%~dp0WINUPTP.exe” -s
exit 0

T450BIOS3

With this in place, go ahead and create a package in ConfigMgr with above content and distribute the package to your distribution points (I’m not going into details on this one, as this is pretty standard).

My packages in ConfigMgr looks like this (I have highlighted the package used in this example):

T450BIOS4

Next we will be using the package in our task sequence in a step of Run Command line. This is done somewhere after the step of Setup Windows and Configuration Manager like this (I put BIOS updates in the end of my task sequence as they require reboots):

T450BIOS5

As updating the BIOS to this specific version is a onetime operation, you would want to add following conditions to the Options tab:

T450BIOS6

This will make sure that the step is only run when a Lenovo Thinkpad T450 is being deployed AND when the BIOS is not already the most recent version (no need to run the step again, if the same laptop should be reinstalled in a near future)

You can run following powershell commands to display the computermodel and what BIOS version that currently is installed:

Get-WmiObject Win32_Computersystem

Get-WmiObject Win32_BIOS

T450BIOS7

Enjoy 🙂

Update 1602 for System Center Configuration Manager Current Branch

So, Update 1602 is out for SCCM Current Branch and I just updated my environment.

The new 1602 update is available from within the SCCM console, browsing: Administration > Cloud Services > Updates and Servicing. Right Click the update and select Install Update Pack.

1) Click next on the general page.

1

2) Select the desied features to be included.

2

3) Options for Client Update. I decided to test the new SCCM client on a selected test collection at first.

3

4) Finish the wizard and accept the license terms.

4

5) Go watch CMUpdate.log and wait for following line in the log: INFO: Successfully dropped update pack installed notification to HMan CFD box which translates into installation is complete.

6

Notes from the field:

  • I ran the pre-requisitecheck on the 1602 update before installing. Doing so required me to restart the SMS_EXECUTIVE service on the site server before the actual installation would continue. The status in the console was stuck on Installing, but nothing happened until the restart of the service. (CMupdate.log)
  • I decided to test the new client on a pre-production collection. Doing so actually did that the client binaries wasn’t updated (\\Siteserver\SMS_SITECODE\Client). To update the client binaries, you have to go back to the 1602 update in the console and accept the new client for production in Client Update Options. Yet again, I had to restart the SMS_EXECUTIVE service to see any action in CMupdate.log.

5

 

How to renew Apple Push Certificate for Intune (Hybrid SCCM)

It’s that time of year, where I have to renew my Apple Push Certificate for Intune. And like every other year, I keep forgetting how I did previously.

So now it’s time to put it down in writing. Here goes:

  • First off you have to create a signing certificate. You do that directly in the CM console: Administration > Cloud Services > Microsoft Intune Subscriptions. Click Create APNs certificate request in the ribbon and save the .csr file.

RequestApplePushRibbon

  • Secondly you have to upload the request to the Apple Push Certificates Portal: https://identity.apple.com/pushcert/. Go to the portal and renew your existing certificate.

PushPortal

  • Thirdly, upload the signing certificate (.csr) you just created in the first step and your certificate has been renewed. Download the renewed certificate. This is a file with the extension of .pem; MDM_ Microsoft Corporation_Certificate.pem

  • Finally, go back to your CM console: Administration > Cloud Services > Microsoft Intune Subscriptions. Click Configure Platforms in the ribbon, and select iOS in the dropdown menu. Browse to the location of your .pem file and open it.

IntuneSubProperties

  • Done. The certificate has been renewed.