Petya Ransomware – The Attack method and Preventing it

Todays News is all about Petya - but the way it gets onto PCs and spreads across the network is actually old news. In short, Petya does 3 things: Encrypt your files, Steal credentials, spread to other machines. It takes advantage of the "Shadow Broker Vulnerability" MS17-010. If you have patched your machine, you will not be hit with the SMB exploit. How ever it also use Mimikatz like capabilities to steal credentials from the local machine and copy it self to other machines $Admin share. A kill-switch has been described as simple as creating a file called C:\Windows\perfc (without [...]

Primary Site Fault Tolerance makes it in TP1706

Not sure if the ConfigMgr team ever sleeps, month after month new features are released in ConfigMgr Technical Preview. June is no exception, and I must confess this is truly the month I have been waiting for. Among many of the new features we now have support for active/passive site servers. A passive primary site server adds fault tolerance to your site by creating a copy of your primary site server and keeping it in sync. If a disaster occurs, you can manually make the passive site server active. There are a couple of things you need to consider before [...]

By |2017-08-22T09:33:56+01:00June 25th, 2017|Configuration Manager (SCCM)|2 Comments

ConfigMgr and Flexera Software CSI (3. Party Patch Management): Install the CSI Plugin

This is a quick and dirty how-to guide as I have a couple of customer who have asked for the same – how to Install the CSI Plugin in order to Connect the Flexera CSI to your ConfigMgr/WSUS/SUP infrastructure where you get the ability to monitor 3rd party vulnerabilities and remediate any threats by patching or removing software. This is a great management tool addon to your WSUS/ConfigMgr infrastructure and is a must for a complete patch management solution. If you are new to Flexera Software CSI I suggest you go to the following links where you can read up [...]

By |2017-05-14T18:56:16+01:00May 14th, 2017|Configuration Manager (SCCM)|0 Comments

Set Desktop and Lock Screen wallpaper with Intune in Windows 10

This is a quick blog post to show you can set this fairly easily using Intune. Intune requires you to point to a URL for the wallpaper which at first seems a bit odd, but it actually makes a lot of sense when you have solutions like OneDrive. What am I talking about? Well, find a suitable wallpaper and place it on your Sharepoint OneDrive or Personal OneDrive. Then share the wallpaper and create a public viewing link like so   Next, test the link by pasting the URL into your browser and take a look at the result. It [...]

How to manage Bitlocker on a Azure AD Joined Windows 10 Device managed by Intune.

When joining a computer to AAD either manually or by using a provisioning package, Bitlocker will be enabled automatically if your device has the necessary prerequisites. However in the case that Bitlocker is disabled this is how you enable Bitlocker, save the Bitlocker Key Protector to ADD (also known as the recovery key) and recover the key in the case you need it. So this blog post is both for the end-user and IT-pro I guess. In this scenario we have configured a Device Compliance Policy in Intune where we require Encryption of data storage on devices and sent the [...]

Disable Onedrive Updates from a Task Sequence

In order to fully control OneDrive updates I was tasked to find a method to disable OneDrive from doing updates on its own. Given that there is no registry setting or GPO that allow you to disable automatic updates from happening I was forced to look for other methods. The update check is performed by a Scheduled Task that runs once every day If you look in the Scheduled Task manager you will find one or two tasks related to OneDrive. So in order to prevent OneDrive from doing any updates I first tried to delete any tasks related to [...]

By |2017-08-22T10:30:37+01:00April 18th, 2017|Configuration Manager (SCCM)|0 Comments

Getting WSUS sync errors in ConfigMgr 1702

Got a lot of these today on my ConfigMgr 1702 site server. STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CTSCCM01.CORETECH.INTRA SITE=CT1 PID=10584 TID=18504 GMTDATE=ti apr 11 20:00:03.729 2017 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0    SMS_WSUS_SYNC_MANAGER    11-04-2017 22:00:03    18504 (0x4848) Synchronizing WSUS server ctsccm01.coretech.intra ...    SMS_WSUS_SYNC_MANAGER    11-04-2017 22:00:04    29196 (0x720C) sync: Starting WSUS synchronization    SMS_WSUS_SYNC_MANAGER    11-04-2017 22:00:04    29196 (0x720C) sync: WSUS synchronizing categories    SMS_WSUS_SYNC_MANAGER    11-04-2017 22:00:12    29196 (0x720C) sync: WSUS synchronizing categories, processed 2 out of 2 items (100%)    SMS_WSUS_SYNC_MANAGER    11-04-2017 22:00:13    29196 (0x720C) Sync failed: UssInternalError: SoapException: Fault occurred~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, [...]

By |2017-04-11T22:23:14+01:00April 11th, 2017|Configuration Manager (SCCM)|4 Comments

Windows 10: Upgrade the edition with Intune in the new Azure Portal

Most professional PC’s delivered today is delivered with Windows 10 Pro (out of the box) which is a really good Operating System, covering most use-cases. However in the world of BYOD and CYOD (Bring your Own / Choose your Own Device) companies, enterprises, goverments, schools etc. often want to upgrade to either Enterprise or Education since these editions of Windows 10 are more feature rich and has a couple of enhancements compared to Pro. Luckly, changeing the SKU does not involve a reinstallation or an major upgrade of the OS. And from Windows 10 1607 (Anniversary Update) you could go [...]

Windows 10 1703 Creators Update: First impressions

Windows 10 creators update is out and I wanted to create a quick blog of the initial experience installing and enrolling it into one of my Azure Active Directory (AAD) test tenants. The initial installation is more or less the same as before, but we know for a while that Microsoft will improve the OoBE (Out of Box Experience) where it now has a new nicer flow and UI. It’s very interesting to see how Microsoft is investing in these types of features and it tells us (in my opinion) how Microsoft looks at the future of Device/Windows deployment and [...]

A couple of nice little OSD tweaks in ConfigMgr 1702

ConfigMgr 1702 have a wealth of new features and client management improvements. This one might not be the reason you upgrade, but it’s still nice and worth a blog post. With 1702 you can customize your task sequence information and control what’s being displayed to the end-user. in this example you should notice a few changed in software center. Looking at my Upgrade task sequence, I now have information about download time/size and restart. when I start the task sequence, I have interesting information from my IT department telling me why the company is upgrading to Windows 10 All of [...]

Android for Work in Configuration Manager 1702

Android for Work support was introduced in Intune standalone in late 2016. With the latest release of Configuration Manager current branch we also have AFW support in hybrid environments. In order to configure AFW a few things to you need to ensure first: Have a couple of Android devices with Android 5.0 or higher Create a Google account to be used as the Android for work admin account Configure Android for Work In the ConfigMgr console navigate to Administration workspace / Overview / Cloud Services / Microsoft Intune Subscriptions and click Configure Platforms / Android For Work. Notice the dialog [...]

By |2017-03-27T08:38:21+01:00March 27th, 2017|Configuration Manager (SCCM)|1 Comment

Cloud Management Gateway with Sub CA

The new Cloud Management Gateway is going to make a big difference in the way we manage endpoints away from home in the future. The feature is a System Center Configuration Manager 1610 pre-release feature. Being a pre-release typically means = a little troubleshooting is required to get the feature working in different environments. In my previous blog post I described an issue with software update scan failing. The troubleshooting steps used in this blog post, are similar what I have described there. In this environment we have a PKI with a Sub CA, and as part of the certificate [...]

By |2017-03-15T10:54:35+01:00March 15th, 2017|Configuration Manager (SCCM), General info|10 Comments

Software Update scan error using Cloud Management Gateway

First, I need to say….the new Cloud Management Gateway feature in Configuration Manager 1610 is awesome. There are a couple of gotchas you need to know about, when creating the service, but once you have overcome those hurdles - you will look like a hero at work, and be known as the person who finally enabled client management on internet based endpoints like road-warriors and colleagues working from home. In the wuahandler.log on the client you might run into Scan failed with error = 0x80240439. If that happens, first step in your troubleshooting should be checking he configuration manager agent [...]

By |2017-03-14T08:13:09+01:00March 14th, 2017|Configuration Manager (SCCM), General info|5 Comments

Q&A from the Flexera & Coretech webinar

Could you please tell me how many days can I use the trial version of Dashboard? Looks very useful for my SCCM infra. Also please let me know how to opt for dashboard after the trial period.First a huge thanks for all attending the webinar, as promised he are a list of the questions that we didn’t have time to answer during the webinar. Q: We already use Flexera for compliance. Is "Patching" included in it OR is it a separate module? A: Patching is integrated in the standard CSI solution. You can either patch using WSUS or integrate with [...]

By |2017-01-26T12:17:24+01:00January 26th, 2017|Configuration Manager (SCCM), General info|0 Comments

Default Site-Boundary-Group and boundaries

The purpose of the Default Site-Boundary-Group is to service clients that are not served by any other boundary group (that being local boundary group or neighbor boundary group). However in ConfigMgr 1610 there has been some confusement around the fact that you can add boundaries to the Default Site-Boundary-Group . I’ve been asked a couple of times if we should add all boundaries to the Default Site-Boundary-Group since the group is automatically configured for Site assignment. My take on that is NO, don’t use the Default Site-Boundary-Group as you don’t really control it. You will also notice that you can’t [...]

By |2017-01-23T13:34:33+01:00January 23rd, 2017|Configuration Manager (SCCM), General info|3 Comments

Error installing WSUS using a remote SQL and non-standard SQL port

Ran into this error earlier today while trying to install WSUS using a remote SQL 2014 SP2 server with non-standard SQL ports. 2016-11-22 20:30:13  Stopping service WSUSService 2016-11-22 20:30:13  Stopping service W3SVC 2016-11-22 20:30:13  Configuring database... 2016-11-22 20:30:13  Configuring the database... 2016-11-22 20:30:13  Establishing DB connection... 2016-11-22 20:31:14  System.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a [...]

By |2017-08-22T10:29:40+01:00November 22nd, 2016|Configuration Manager (SCCM), SQL|0 Comments

Unlock BitLocker Encrypted Drive From WinPE the Secure Way!

I have seen several blog posts on how to unlock a BitLocker encrypted drive from Windows PE, using the recovery password stored in the Microsoft Bitlocker Administration and Monitoring (MBAM) SQL Server database. What's the problem with these solutions? All of these have one thing in common: they query the SQL database directly, requires changing SQL Server configuration and granting access to the database directly. Why is this a problem? Well, in my opinion this is a bad design approach, as the core purpose of implementing BitLocker volume encryption and MBAM is to secure our data from being compromised. By [...]

The Impact of introducing the Microsoft Enterprise Mobility + Security in the organization

The Impact of introducing the Microsoft Enterprise Mobility + Security in the organization In my work as an advisor and consultant I see organizations adapting to the emerging IT landscape, where user behavior is changing and security risks are increasing. In the midst of this change, I encounter frustrated IT professionals trying to keep up with everything and not having enough time to do so. I encourage my customers to be on top of changes and make sure they stay on top. That message goes beyond IT pros and extends to business owners and managers who can no longer afford [...]

Unknown error creating the Intune connector in Configuration Manager CB

Recently ran into an unknown error while trying to create the Intune connector in ConfigMgr 1602 (and 1606). The error occurred in the “Create Microsoft Intune Subscription Wizard” when trying to Sign in using a Global Admin Azure account. For those of you who do not understand Danish (yet), the error message is something like “An Unexpected error occurred”. The GA Azure account is a “service account” and not used to enroll mobile devices. For that reason the account wasn’t assigned an Enterprise Mobility Suite (EMS) license.  The solution: Assign an EMS license in Azure Active Directory to the Global [...]

Error enrolling devices into Intune & Configuration Manager 1602

Enrolling devices into Intune and & ConfigMgr is normally straight forward until you run into issues. Below is an example where I received an enrollment error (picture 1), clicking Continue leads me to picture 2. As you can see in picture two the Enrollment Update turns from Warning to Checkmark, but only for about 5 seconds then it goes back to a warning.     Troubleshooting mobile devices is slightly different than traditional desktop troubleshooting. The troubleshooting options depends on the device (Android, iOS or Windows). In this example my device was an Android. You can email the log files [...]

Create ConfigMgr Servicing Plans with Excel and PowerShell

Last week I posted one example how to create ConfigMgr Servicing Plans with PowerShell. In this post I will show you how to create Servicin Plans using Excel. Step 1 is to create a table like this If you have that table with necessary information or if needed you can add more data, then simply save it as a CSV file and import the data to PowerShell.   Here is one quick and simple example how to create these Servicing Plans based on a CSV file and if needed create the Device Collections as well. This example also assumes that [...]

By |2016-05-31T21:32:16+01:00May 31st, 2016|Configuration Manager (SCCM)|0 Comments

ConfigMgr cmdlets and Lazy properties

If you have worked with Configuration Manager before, then most probably you know that some of the WMI classes contain lazy properties. Microsoft cmdlets for ConfigMgr queries by default these lazy properties, for example If you query the same Device Collection directly through WMI, then you don’t see RefreshSchedule property value. If you need to query lazy properties, then you can use the .GET() method or [WMI] accelerator. Starting from 1604 cmdlets we have a new parameter called -FAST. Parameter FAST allows us to skip Lazy properties and this should make the queries much faster and should also lower the [...]

By |2016-05-26T17:43:26+01:00May 26th, 2016|Configuration Manager (SCCM)|0 Comments

ConfigMgr Move-CMObject issue and one possible workaround

If you have been following me in twitter, then most likely you already know that the Move-CMObject cmdlet is broken in 1604 release. Here is one quick examples that shows the error message. Microsoft already knows this issue and hopefully they can fix it quickly but meanwhile we need to find a workaround or do something else: 1. Uninstall 1604 cmdlets and go back to older version 2. Replace Move-CMObject with your own custom function - http://cm12sdk.net/?p=1006 3. NEW! Use Invoke-CMWmiMethod   In this blog post I will show one example how to use Invoke-CMWmiMethod cmdlet. In this example Im [...]

By |2016-05-24T15:23:08+01:00May 24th, 2016|Configuration Manager (SCCM)|0 Comments