Archive for the “Windows 7” Category

I recently had to come up with a solution that enables administrators to build reports on the BitLocker status of their clients. I found a few articles on the web that pointed me in the right direction, but no complete howto, which is reason enough for me to post one.

To report BitLocker status centrally with SCCM you need a few extra steps, because BitLocker status is not (yet?) inventoried out of the box by the Windows OS or the ConfigMgr client. First, let's look at the status information that BitLocker provides:

  • Volume name, example: C: [OSDisk]
  • Disk size, example: 148,75 GB
  • BitLocker Version, example: Windows 7
  • Conversion Status, example: Fully Encrypted
  • Percentage Encrypted, example: 100%
  • Encryption Method, example: AES 128 with Diffuser
  • Protection Status, example: Protection On
  • Lock Status, example: Unlocked
  • Identification Field, example: None
  • Key Protectors (Note: multivalue), example: TPM, Numerical Password

You can check the above on a client with the command-line tool: manage-bde.exe -status on Windows 7, or cscript manage-bde.wsf -status on Windows Vista. Both need an elevated prompt.

Step 1. Modify and deploy SMS_DEF.MOF

We want the BitLocker status information inventoried by SCCM. The proper way to do that is to add a reporting class for it to the SMS_DEF.MOF file on the site server (found in %SCCMinstallpath%\inboxes\clifiles.src\hinv). Make a backup copy of this file and edit it with your favorite editor. Add the following lines at the end of the file:

#pragma namespace ("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("SCCM_BitLocker",NOFAIL)

[ SMS_Report     (TRUE),
  SMS_Group_Name ("SCCM_BitLocker"),
  SMS_Class_ID   ("CUSTOM|SCCM_BitLocker|1.0") ]
class SCCM_BitLocker : SMS_Class_Template
{
  [SMS_Report (TRUE), key ] string Drive;
  [SMS_Report (TRUE)] string DriveLabel;
  [SMS_Report (TRUE)] string Size;
  [SMS_Report (TRUE)] string BitLocker_Version;
  [SMS_Report (TRUE)] string Conversion_Status;
  [SMS_Report (TRUE)] string Percentage_Encrypted;
  [SMS_Report (TRUE)] string Encryption_Method;
  [SMS_Report (TRUE)] string Protection_Status;
  [SMS_Report (TRUE)] string Lock_Status;
  [SMS_Report (TRUE)] string Identification_Field;
  [SMS_Report (TRUE)] string Key_Protectors;
  [SMS_Report (TRUE)] string Automatic_Unlock;
  [SMS_Report (TRUE)] string ScriptLastRan;
};

Check the file for syntax errors with mofcomp.exe -check SMS_DEF.MOF. To test the new reporting class on a single client, run mofcomp -class:forceupdate %pathtofile%\SMS_DEF.MOF on that client. Copy the edited file back into the hinv folder to enable it site-wide; the site compiles it and clients receive the new inventory class with their next machine policy.

Step 2. Install Bitlocker

Create and link a GPO that applies to the BitLocker clients and contains the following settings (or similar, based on your own requirements):

Machine | Administrative Templates | System | Trusted Platform Module Services
  • Turn on TPM backup to Active Directory Domain Services: Enabled

Machine | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives
  • Choose how BitLocker-protected operating system drives can be recovered: Enabled, with these options:
      - Allow data recovery agent: Disabled
      - Configure user storage of BitLocker recovery information: Require 48-digit recovery password; Allow 256-bit recovery key
      - Omit recovery options from the BitLocker setup wizard: Enabled
      - Save BitLocker recovery information to AD DS for operating system drives: Enabled
      - Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
      - Do not enable BitLocker until recovery information is stored to AD DS for operating system drives: Disabled

A note on that last option: with it Disabled, a client that cannot reach a domain controller while BitLocker is being enabled still finishes encrypting, and its recovery password is then never stored in AD DS. For domain members you intend to report on, consider setting it to Enabled so that escrow is a precondition for encryption.

Enter the BIOS on your client, or use a tool like the Dell Client Configuration Utility, to turn on the TPM, clear it and activate it. After that, enable BitLocker encryption on the machine; any method will do.
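To verify on a client that the GPO above has actually landed, and to catch the escrow weakness just mentioned, here is an added example (not part of the original post) that reads the policy values from the client registry. The registry value names are the ones used by VolumeEncryption.admx and TPM.admx; check them against your own ADMX set, and treat the expected values as the encoding of this post's GPO, not as a general baseline.

```powershell
# Added example: compare the BitLocker/TPM policy values a client received with the GPO in this post.
# Value names come from VolumeEncryption.admx and TPM.admx (verify against your ADMX files).
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$TpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# Expected value per registry entry. For the three-way options: 0 = do not allow, 1 = require, 2 = allow.
$Expected = @{
    "$TpmPolicy\ActiveDirectoryBackup"          = 1   # Turn on TPM backup to AD DS: Enabled
    "$FvePolicy\OSRecovery"                     = 1   # Choose how OS drives can be recovered: Enabled
    "$FvePolicy\OSManageDRA"                    = 0   # Allow data recovery agent: Disabled
    "$FvePolicy\OSRecoveryPassword"             = 1   # Require 48-digit recovery password
    "$FvePolicy\OSRecoveryKey"                  = 2   # Allow 256-bit recovery key
    "$FvePolicy\OSHideRecoveryPage"             = 1   # Omit recovery options from the wizard: Enabled
    "$FvePolicy\OSActiveDirectoryBackup"        = 1   # Save recovery information to AD DS: Enabled
    "$FvePolicy\OSActiveDirectoryInfoToStore"   = 1   # Store recovery passwords and key packages
    "$FvePolicy\OSRequireActiveDirectoryBackup" = 0   # Do not enable until stored: Disabled (the weak setting)
}

function Get-PolicyValue([string]$Path) {
    # Split "HKLM:\...\Key\ValueName" into key and value name; $null when the value does not exist.
    $key  = Split-Path $Path -Parent
    $name = Split-Path $Path -Leaf
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

function Test-BitLockerPolicy {
    $result = @()
    foreach ($entry in ($Expected.GetEnumerator() | Sort-Object Key)) {
        $actual = Get-PolicyValue $entry.Key
        $state  = if ($actual -eq $null) { 'MISSING' } elseif ($actual -eq $entry.Value) { 'OK' } else { 'DIFFERS' }
        $result += New-Object PSObject -Property @{
            Setting = $entry.Key; Expected = $entry.Value; Actual = $actual; State = $state
        }
    }
    # Escrow check: unless this value is 1, a client that cannot reach a DC during enablement
    # ends up encrypted with no recovery password in AD DS.
    if ((Get-PolicyValue "$FvePolicy\OSRequireActiveDirectoryBackup") -ne 1) {
        Write-Warning 'OSRequireActiveDirectoryBackup is not 1: BitLocker can be enabled before the recovery password reaches AD DS.'
    }
    $result
}

Test-BitLockerPolicy | Format-Table Setting, Expected, Actual, State -AutoSize
```

Run it after gpupdate on a test client; a MISSING row usually means the GPO is not linked to the machine's OU, a DIFFERS row means another GPO wins on that setting.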

Step 3. Add BitLocker status to WMI & run hardware inventory

BitLocker exposes its status through the Win32_EncryptableVolume class in the root\cimv2\Security\MicrosoftVolumeEncryption WMI namespace (the BitLocker WMI provider is documented at http://msdn.microsoft.com/en-us/library/aa376409.aspx). Hardware inventory cannot collect that directly, because most of the interesting values (conversion status, encryption method, protection status, key protectors) are only available through methods of that class, not as properties. So you still need a script that calls those methods and writes the results into a plain data class in the WMI repository; that data class is what the reporting class from Step 1 inventories.

The script:

Run the script and after that initiate a hardware inventory on the client. After a while you will find 2 new tables and 1 new view in the SCCM site database:
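The script itself is not reproduced on this page. The following is an added example, not the author's script, that does what Step 3 describes: it calls the Win32_EncryptableVolume methods, resolves the numeric codes to the strings manage-bde prints, and writes one instance per volume into a root\cimv2 data class with the same property names as the SMS_DEF.MOF class above. Assumed: Windows 7 with PowerShell 2.0 or later, an elevated context (the provider refuses non-administrators; a ConfigMgr package running as SYSTEM is fine), and the class name SCCM_BitLocker from Step 1.

```powershell
# Added example (not the original post's script): collect BitLocker status into root\cimv2\SCCM_BitLocker.
$Namespace    = 'root\cimv2'
$ClassName    = 'SCCM_BitLocker'
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Code tables for the numeric values the provider's Get* methods return.
$ConversionStatus = @{ 0='Fully Decrypted'; 1='Fully Encrypted'; 2='Encryption In Progress';
                       3='Decryption In Progress'; 4='Encryption Paused'; 5='Decryption Paused' }
$EncryptionMethod = @{ 0='None'; 1='AES 128 with Diffuser'; 2='AES 256 with Diffuser';
                       3='AES 128'; 4='AES 256'; 5='Hardware Encryption' }
$ProtectionStatus = @{ 0='Protection Off'; 1='Protection On'; 2='Unknown' }
$LockStatus       = @{ 0='Unlocked'; 1='Locked' }
$KeyProtectorType = @{ 0='Unknown'; 1='TPM'; 2='External Key'; 3='Numerical Password'; 4='TPM And PIN';
                       5='TPM And Startup Key'; 6='TPM And PIN And Startup Key'; 7='Public Key';
                       8='Passphrase'; 9='TPM Certificate'; 10='CNG Protector' }

# Same property set as the reporting class in SMS_DEF.MOF; Drive is the key.
$Properties = 'Drive','DriveLabel','Size','BitLocker_Version','Conversion_Status','Percentage_Encrypted',
              'Encryption_Method','Protection_Status','Lock_Status','Identification_Field',
              'Key_Protectors','Automatic_Unlock','ScriptLastRan'

function Invoke-BdeMethod($Volume, [string]$Name, $Argument) {
    # Locked data volumes refuse some Get* calls; return $null rather than abort the whole run.
    try { if ($Argument -ne $null) { $Volume.$Name($Argument) } else { $Volume.$Name() } } catch { $null }
}
function Resolve-Code($Table, $Code) {
    if ($Code -eq $null) { 'Unknown' } elseif ($Table.ContainsKey([int]$Code)) { $Table[[int]$Code] } else { "Unknown ($Code)" }
}

# Recreate the data class on every run so volumes that no longer exist drop out of inventory.
Get-WmiObject -Namespace $Namespace -List | Where-Object { $_.Name -eq $ClassName } | ForEach-Object { $_.Delete() }
$class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
$class['__CLASS'] = $ClassName
foreach ($p in $Properties) { $class.Properties.Add($p, [System.Management.CimType]::String, $false) }
$class.Properties['Drive'].Qualifiers.Add('Key', $true)
$class.Put() | Out-Null

$now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($vol in Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume) {
    $conv = Invoke-BdeMethod $vol 'GetConversionStatus'
    $prot = Invoke-BdeMethod $vol 'GetProtectionStatus'
    $lock = Invoke-BdeMethod $vol 'GetLockStatus'
    $meth = Invoke-BdeMethod $vol 'GetEncryptionMethod'
    $idf  = Invoke-BdeMethod $vol 'GetIdentificationField'
    $auto = Invoke-BdeMethod $vol 'IsAutoUnlockEnabled'

    # Key protectors come back as IDs; resolve each to its type (multi-valued, joined with ', ').
    $protectors = @()
    $ids = Invoke-BdeMethod $vol 'GetKeyProtectors' 0
    foreach ($id in @($ids.VolumeKeyProtectorID)) {
        if ($id) { $protectors += Resolve-Code $KeyProtectorType (Invoke-BdeMethod $vol 'GetKeyProtectorType' $id).KeyProtectorType }
    }

    # Size and label live in Win32_Volume; both classes carry the volume GUID path in DeviceID.
    $w32 = Get-WmiObject -Class Win32_Volume | Where-Object { $_.DeviceID -eq $vol.DeviceID }

    $inst = ([wmiclass]"$Namespace`:$ClassName").CreateInstance()
    $inst.Drive                = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }
    $inst.DriveLabel           = [string]$w32.Label
    $inst.Size                 = '{0:N2} GB' -f ([double]$w32.Capacity / 1GB)
    $inst.BitLocker_Version    = 'Windows 7'   # the Windows 7 provider exposes no version; manage-bde reports this string
    $inst.Conversion_Status    = Resolve-Code $ConversionStatus $conv.ConversionStatus
    $inst.Percentage_Encrypted = if ($conv) { "$($conv.EncryptionPercentage)%" } else { 'Unknown' }
    $inst.Encryption_Method    = Resolve-Code $EncryptionMethod $meth.EncryptionMethod
    $inst.Protection_Status    = Resolve-Code $ProtectionStatus $prot.ProtectionStatus
    $inst.Lock_Status          = Resolve-Code $LockStatus $lock.LockStatus
    $inst.Identification_Field = if ($idf.IdentificationField) { $idf.IdentificationField } else { 'None' }
    $inst.Key_Protectors       = if ($protectors) { $protectors -join ', ' } else { 'None' }
    $inst.Automatic_Unlock     = if ($auto -and $auto.IsAutoUnlockEnabled) { 'Enabled' } else { 'Disabled' }
    $inst.ScriptLastRan        = $now
    $inst.Put() | Out-Null
}

# Ask the ConfigMgr client for a hardware inventory cycle (schedule ID ...0001) so the data is reported.
Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
    -ArgumentList '{00000000-0000-0000-0000-000000000001}' | Out-Null
```

Check the result locally with Get-WmiObject -Namespace root\cimv2 -Class SCCM_BitLocker before looking in the site database. The Key_Protectors column is the one worth watching in reports: "TPM" alone means the drive unlocks without any user secret, which is a weaker configuration than "TPM And PIN".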

 

Step 4. Create the Report

The simplest report is a dump of the table that holds the BitLocker inventory data. By joining other tables and views in the SQL query the possibilities are endless, but I keep that out of scope for this howto :-) . The following tables and views are created for the class:

  • dbo.SCCM_BitLocker_DATA
  • dbo.SCCM_BitLocker_HIST
  • dbo.v_GS_SCCM_BitLocker0

I created a report in SCCM with the following query against the SQL view:

  • select * from v_GS_SCCM_BitLocker0

Note that inventory views suffix every inventoried property with 0 (Drive0, Protection_Status0, and so on), so a report that lists only drives whose protection is off filters on Protection_Status0.

And there it is, the Bitlocker report:

Tested on SCCM 2007 R2 with a Windows 7 Enterprise BitLocker client.

Feel free to comment on this post.


Recently I noticed a change in remote support through Microsoft Windows. This is a feature I use a lot when helping family with their issues. Now I have an issue. I cannot get through anymore. Somehow remote support is blocked. I noticed a change. Before, the receiving party had to enter a session password. Now, a 12-digit security code is presented which the helping party needs to enter flawlessly. I have tried it at least three times with totally different machines and at different times. Every time a connection was not established.

This time, I did not have endless time to troubleshoot. So I decided to make a quick escape through an internet service. I found TeamViewer 5 to be an easy-to-use replacement. For home use it's free. It uses two simple codes to identify the session. For now, I stick with this. Because there is nothing more frustrating for a helpdesk like me than not seeing what happens on the other side, I guess…


Howto deploy a Federated Search Connector in Windows 7

Yesterday we had a kickoff for an Early Adopter Windows 7 Community @ Microsoft in the Netherlands.
One of the presentations was about Federated Search and how this nice option will make our work much easier.

Some people were wondering how to deploy a Federated Search Connector in an enterprise environment, but nobody seemed to know the answer. Reason enough for me to find out.

As for most solutions, it is not the only or the best solution, but because I like Group Policy Preferences (GPP) so much I developed a way to deploy a search connector using GPP.

In this example I will deploy the Youtube connector.
(Look for more connectors on : http://www.sevenforums.com/tutorials/742-windows-7-search-federation-providers.html)

On an admin PC just double-click the downloaded file. This installs the Search Connector on your PC; in fact it installs it in your user profile.

Now we need 2 files from your profile, first look up C:\USERS\<YOUR USERNAME>\LINKS\YOUTUBE.LNK
Before you copy this file right click it, choose properties and change the targetlocation to : C:\Users\%USERNAME%\Searches\Youtube.searchConnector-ms

Now copy this file to for example your NETLOGON share.

After that copy the file C:\USERS\<YOUR USERNAME>\SEARCHES\Youtube.searchConnector-ms to the NETLOGON share.

We’ve got the files that we need to deploy it to our users.

Logon to your domain controller (or the machine that you use to manage Group Policy) and open the Group Policy Management Console.
N.B. To manage Group Policy Preferences you need a Windows Server 2008 (R2), Windows Vista or Windows 7 machine.

Open your User policy and expand the User Configuration node.
Now go to Preferences -> Windows Settings -> Files.

Add these 2 files :

[screenshots: the two File preference items, one for the Links shortcut and one for the Searches connector]

If you close the file screens, the preference screen will look like this (except for my domain name ;) )

[screenshot: the resulting Files preference list]

Now the only thing you have to do is wait until the user policy is refreshed (the user does not have to take any action and will see the search provider automatically).
And if you can't wait, just use the good old GPUPDATE.
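For environments without Group Policy Preferences, here is an added example (not the method of this post) that does the same job from a user logon script: it copies the connector from the share into the user's Searches folder and creates the Links shortcut on the client with the Windows Script Host shell object, so no pre-edited .lnk with a %USERNAME% target is needed. The share path is a placeholder I made up; the file name is the post's Youtube.searchConnector-ms.

```powershell
# Added example: logon-script deployment of a search connector (alternative to the GPP Files items).
$Source    = '\\example.local\NETLOGON\Youtube.searchConnector-ms'   # assumption: your NETLOGON share
$Searches  = Join-Path $env:USERPROFILE 'Searches'
$Links     = Join-Path $env:USERPROFILE 'Links'
$Connector = Join-Path $Searches (Split-Path $Source -Leaf)
$Shortcut  = Join-Path $Links 'Youtube.lnk'

function Install-SearchConnector {
    if (-not (Test-Path $Source)) { throw "Connector not reachable at $Source" }
    foreach ($dir in $Searches, $Links) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }

    # Copy only when the local copy is missing or older than the share copy; logon scripts run often.
    $copy = -not (Test-Path $Connector)
    if (-not $copy) {
        $copy = (Get-Item $Source).LastWriteTimeUtc -gt (Get-Item $Connector).LastWriteTimeUtc
    }
    if ($copy) { Copy-Item -Path $Source -Destination $Connector -Force }

    # The Links entry is an ordinary shortcut whose target is the connector in this user's profile,
    # which is exactly what the manual %USERNAME% edit of the .lnk achieves.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Shortcut)
    $lnk.TargetPath = $Connector
    $lnk.Save()
    Get-Item $Connector, $Shortcut
}

Install-SearchConnector
```

Whichever delivery method you pick, open the .searchConnector-ms file and review the query URL it contains before deploying it: every search a user types into Explorer against that connector is sent to that endpoint, so you are effectively whitelisting an external service for the whole user base.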

That's it for now, please enjoy.

Regards,

Erik



I received this article from a colleague, Roel Janssens, and publish it here with his permission.

The Virtual Hard Disk file format is becoming more and more important for Microsoft (think of Windows Azure, for example), and with Windows 7 Microsoft offers native VHD support for the first time. On Windows XP, Windows Vista and Windows Server 2003 you could mount a VHD with vhdmount, but the possibilities have now expanded and a lot more is going to happen in the future.

At TechEd 2008 Mark Russinovich gave a very interesting presentation called “Inside Windows 2008 R2 Virtualization Improvements and Native VHD Support”. The first hour covers enhancements in Hyper-V 2.0, and in the last quarter Mark demonstrates live what Windows 7 can currently do with VHDs.
http://www.microsoft.com/emea/teched2008/itpro/tv/default.aspx

All steps and findings in the following story are tested and confirmed working under Windows 7 Ultimate build 7000 and Windows Server 2008 R2 build 7000.

Advantages

There is no need to install additional programs to create, attach or detach a VHD; this is built into Disk Management by default. On Windows Server 2008 R2 this is an easy way to transfer data between the parent and a child partition; think of it as a "VHD stick". The child partition needs a SCSI controller, otherwise you can't hot-attach a VHD.

[screenshot: Disk Management with the VHD attach/detach options]

Besides working in Disk Management you now have the option to install Windows 7 inside a VHD and boot from it. After that it is also possible to make differencing VHDs based on that installation and boot from those. Some of the advantages and possibilities this offers:

- Installing a new operating system no longer requires you to rearrange your partitions. All that is added is one big VHD file and one boot entry; if you want to get rid of the installation, those are all you have to delete.

- Differencing VHDs make it easy and safe to test an upgrade to, for example, a new build of Windows 7. If you like the upgrade you can merge the differencing VHD; otherwise throw it away and continue where you left off in the original installation.

Disadvantages

Microsoft originally set a target of at most 10% performance loss for Windows 7 installed inside a VHD compared to a bare-metal installation. They did well on this: tests show the loss is about 1 or 2%. There is always some noise in such tests, so it comes very close to a bare-metal installation. My own experience over the last weeks is the same; you almost never notice you are working inside a VHD.

The Windows Vista boot loader isn't compatible with VHD entries; if you look at those entries from within Vista you will see some 'unknown' parameters. If you also have Vista on your system and for some reason it starts Vista Repair, all boot entries referencing a VHD will be lost! It is therefore wise to regularly back up your Boot Configuration Data (BCD) store with bcdedit /export, so you can always go back.

Another option that disappears when booted from a VHD is hibernation. Power management now only offers Sleep and Shut Down (the same happens when you enable the Hyper-V role on Windows Server 2008). Time will tell whether Microsoft will support hibernation for VHD boot. BitLocker is a further limitation to keep in mind: it cannot encrypt the volumes inside a natively booted VHD, nor the host volume that holds the VHD file.

Installation Windows 7 inside a VHD

To install Windows 7 inside a VHD you need at least 20GB free disk space. For now the installation is only supported on internal disks, so no external USB drives yet. In the following procedure we are going to install Windows 7 inside a 20GB VHD which we create in the directory c:\vhd. If you have an existing fixed size VHD (for example one created with Hyper-V Manager) you can use that one and skip step 05.

01 boot from Windows 7 DVD or USB
02 Shift-F10 for a command prompt
03 dir C: (or D:, E:, etc.) to see where your VHD directory has gone
04 diskpart
05 create vdisk file=c:\vhd\win7.vhd type=fixed maximum=20000
06 select vdisk file=c:\vhd\win7.vhd
07 attach vdisk
08 exit
09 setup
10 install Windows 7 on the new 20GB Unallocated Space (ignore the warning)

After the installation there will be a new boot entry created where the system default will boot from. Start a command prompt with Administrator credentials and type bcdedit /v to see the newly created entry:

[screenshot: bcdedit /v output showing the newly created VHD boot entry]

As you can see, 'device' and 'osdevice' don't reference a partition (as they would for a Windows Vista installation) but a file somewhere on your computer. The funny thing is that when you are booted inside this installation you can browse to that very file with Windows Explorer, which takes some getting used to. Something else that changes is the location of the pagefile: it can't live inside the VHD, so Windows automatically places it elsewhere.

Create differencing VHD

A differencing VHD is a disk that only stores the differences from its parent. This way you can quickly and easily test something without modifying your current installation. Currently Microsoft only supports placing the parent and the differencing disk on the same volume, but this might change in the future. Parent disks see only read operations while differencing disks take the writes, so I can imagine placing them on separate disk subsystems optimized for reads or writes respectively.

You can only create a differencing VHD when its parent is not in use at that moment (so you can't be booted from the parent VHD). The following procedure again uses the boot environment of the Windows 7 DVD, but you can also use a separate Windows Server 2008 installation and create the differencing VHD with Hyper-V Manager there. You don't have to specify a size; it is inherited from the parent.

01 boot from Windows 7 DVD or USB
02 Shift-F10 for a command prompt
03 dir C: (or D: E: etc.) to see where your VHD-directory has gone
04 diskpart
05 create vdisk file=c:\vhd\win7-diff.vhd parent=c:\vhd\win7.vhd
06 exit

99 No need to reboot right now, you can continue the next procedure at step 03

Now a differencing VHD has been created with the earlier Windows 7 installation as its parent. The initial size of the differencing VHD is very small, but it grows with use. Booted from the differencing VHD and looking at it in Windows Explorer you will see the same size as the parent; from another operating system you will see the actual file size again.

Create additional boot entry

To boot from the differencing VHD you have to add an additional boot entry. You can do this from within a working Windows 7 installation or again after booting from the Windows 7 DVD. The following steps can be done immediately after creating the differencing VHD.

01 boot from Windows 7 DVD or USB
02 Shift-F10 for a command prompt
03 bcdedit /v
04 bcdedit /copy {identifier-of-Windows7} /d "Windows 7 diff"
05 bcdedit /v
06 bcdedit /set {identifier-of-Windows7-diff} device vhd=[locate]\VHD\Win7-diff.vhd
07 bcdedit /set {identifier-of-Windows7-diff} osdevice vhd=[locate]\VHD\Win7-diff.vhd
08 bcdedit /v

In step 03 you have to look for the entry of Windows 7, you can Copy and Paste this identifier and use it in step 04. In step 04 the entry “Windows 7” will be copied to a new entry named “Windows 7 diff”. In step 05 you have to look for the new entry “Windows 7 diff” and Copy & Paste the identifier in step 06 and 07. In step 06 and 07 the correct parameters for ‘device’ and ‘osdevice’ will be filled in. Check the newly created “Windows 7 diff” entry with bcdedit /v

[screenshot: bcdedit /v output of the "Windows 7 diff" entry with device and osdevice set to vhd=[locate]\VHD\Win7-diff.vhd]

Take care with the notation above, because it is inconsistent with the entry for a normal VHD. With a normal VHD 'device' uses the notation device file=, while for a differencing VHD we have to use device vhd=. With a normal VHD a drive letter is used; with a differencing VHD the word locate is used. A drive letter should have worked here too, but I did not manage to get that working.

I don't know whether the above inconsistencies are deliberate choices by Microsoft, but I suspect they are a consequence of using beta software. bcdedit /? /formats gives a little more information, but it does not explain the difference between the formats. I tried many other combinations, but the one in the screenshot above is the only one I found to work 100%.

Merge differencing VHD

If you tried something out in a differencing VHD and are satisfied with the result, you can merge the changes into the parent VHD. If you have built a longer chain of differencing VHDs, you can specify how many levels to merge.

01 boot from Windows 7 DVD or USB
02 Shift-F10 for a command prompt
03 dir C: (or D: E: etc.) to see where your VHD-directory has gone
04 diskpart
05 select vdisk file=c:\vhd\win7-diff.vhd depth=2
06 merge vdisk depth=1
07 exit

In step 05 you have to select the differencing VHD with a depth greater than or equal to the depth of step 06. In this example we merge one level back.

Delete above experiments

Ready with testing and want to get rid of the obsolete boot entries? Start a command prompt with Administrator credentials and delete them with bcdedit /delete {identifier-of-entry-to-be-deleted}. Then delete the VHD file(s) from your hard drive. Note that deleting the file only removes the directory entry: the contents of the VHD stay on the disk until those blocks are overwritten, so if the test installation held anything sensitive, wipe the free space rather than assuming nothing is left behind.
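The four procedures above (create the differencing VHD, add its boot entry, merge it back, delete the experiment) can be driven from an elevated PowerShell prompt on an installed Windows 7 instead of the DVD's command prompt, as long as that Windows is not booted from the parent VHD. The following is an added example, not from the original article. It uses the article's paths (c:\vhd\win7.vhd, c:\vhd\win7-diff.vhd) and its [locate] notation; the BCD backup location, the entry descriptions and the function names are my own assumptions, and the bcdedit parsing assumes English-language output.

```powershell
# Added example: automate the differencing-VHD procedures with diskpart /s and bcdedit.
$Parent    = 'c:\vhd\win7.vhd'
$Diff      = 'c:\vhd\win7-diff.vhd'
$BcdBackup = 'c:\vhd\bcd-backup'    # assumption: where the BCD export is kept

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart has no argument mode; feed it a script file (/s) and fail on a non-zero exit code.
    $file = [IO.Path]::GetTempFileName()
    Set-Content -Path $file -Value $Commands -Encoding ASCII
    try     { $out = & diskpart.exe /s $file 2>&1; $code = $LASTEXITCODE }
    finally { Remove-Item $file -ErrorAction SilentlyContinue }
    if ($code -ne 0) { throw "diskpart failed ($code):`n$($out -join "`n")" }
    $out
}

function Get-BcdIdentifier([string]$Description) {
    # Walk 'bcdedit /enum OSLOADER /v' (GUIDs instead of {current}) and return the identifier
    # of the entry whose description matches exactly.
    $id = $null
    foreach ($line in (& bcdedit.exe /enum OSLOADER /v)) {
        if ($line -match '^identifier\s+(\{[^}]+\})') { $id = $matches[1] }
        elseif ($line -match '^description\s+(.+?)\s*$' -and $matches[1] -eq $Description) { return $id }
    }
    throw "No OS loader entry named '$Description'"
}

function New-DifferencingVhd {
    if (Test-Path $Diff) { throw "$Diff already exists" }
    Invoke-DiskPart @("create vdisk file=$Diff parent=$Parent") | Out-Null
}

function Add-DiffBootEntry([string]$Source = 'Windows 7', [string]$Name = 'Windows 7 diff') {
    # Export the BCD store first; a Vista Repair pass can drop VHD entries (see Disadvantages).
    & bcdedit.exe /export $BcdBackup | Out-Null
    $src  = Get-BcdIdentifier $Source
    $copy = & bcdedit.exe /copy $src /d $Name          # prints "... copied to {guid}."
    if (-not ("$copy" -match '(\{[0-9a-fA-F-]+\})')) { throw "bcdedit /copy failed: $copy" }
    $new  = $matches[1]
    # [locate] plus the path relative to the volume root, as in steps 06 and 07 of the article.
    $rel  = $Diff.Substring(2)
    & bcdedit.exe /set $new device   "vhd=[locate]$rel" | Out-Null
    & bcdedit.exe /set $new osdevice "vhd=[locate]$rel" | Out-Null
    $new
}

function Merge-DiffVhd {
    # Fold one level of the chain into its parent; neither disk may be attached or booted.
    Invoke-DiskPart @("select vdisk file=$Diff depth=2", "merge vdisk depth=1") | Out-Null
}

function Remove-DiffExperiment([string]$Name = 'Windows 7 diff') {
    & bcdedit.exe /delete (Get-BcdIdentifier $Name) | Out-Null
    # Deleting the file only unlinks it; the VHD contents stay on disk until overwritten.
    Remove-Item $Diff -Force
}

# Typical run: create the differencing disk and make it bootable.
New-DifferencingVhd
$entry = Add-DiffBootEntry
"Boot entry $entry added; reboot and pick 'Windows 7 diff' from the boot menu."
```

Call Merge-DiffVhd or Remove-DiffExperiment afterwards from the same kind of prompt, never from inside the differencing installation itself. If the export at the start of Add-DiffBootEntry fails, stop there: without that backup a broken entry leaves you with the DVD's command prompt as the only way back.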

Links

Virtual Hard Disk Image Format Specification
http://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc

Inside Windows 2008 R2 Virtualization Improvements and Native VHD Support
http://www.microsoft.com/emea/teched2008/itpro/tv/default.aspx
