Innovative Technology Weblog

I recently had to come up with a solution that will enable administrators to build reports for client’s bitlocker status. To do so i found a few articles on the web that pointed me in the right direction, however i didn’t found a complete howto for it so that’s a good reason for me to post a complete one.

To enable bitlocker status reporting in a centralised management environment with SCCM you need to follow some steps because bitlocker is not integrated that far (yet??) in the Windows OS. First, let’s first take a look at the status information that bitlocker provides:

• Volume name, example: C: [OSDisk]
• Disk size, example: 148,75 GB
• BitLocker Version, example: Windows 7
• Conversion Status, example: Fully Encrypted
• Percentage Encrypted, example: 100%
• Encryption Method, example: AES 128 with Diffuser
• Protection Status, example: Protection On
• Lock Status, example: Unlocked
• Identification Field, example: None
• Key Protectors (Note: multivalue), example: TPM, Numerical Password

You can check the above on clients using the commandline tool manage-bde.exe -status on Windows 7 clients. For Vista clients use cscript manage-bde.wsf -status.

Step 1. Modify and deploy SMS_DEF.MOF

We want bitlocker status information to be inventoried to SCCM. A proper way of doing that would be to add the bitlocker class to the SMS_DEF.MOF file on the management point (found in %SCCMinstallpath%\inboxes\clifiles.src\hinv). Make a copy of this file and edit with your favorite app. Add the following lines at the end of the file:

[edit] Make sure to replace any fancy double quotes with normal quotes after copying because otherwise compiling or parsing will fail. Or download this file: bitlocker_mof.

You should check the file for errors with mofcomp.exe -check SMS_DEF.MOF. To enable the MOF file on a single client run the following command on the client mofcomp -class:forceupdate %pathtofile%\SMS_DEF.MOF. Copy the edited file back to enable it on your ConfigMgr site.

Step 2. Install Bitlocker

Create and link a GPO to apply on the bitlocker clients that contain the following settings (or similair based on your own requirements):

Enter the BIOS on your client or use tools like the Dell client configuration utility to turn on TPM, clear the TPM and activate it. After doing this enable bitlocker encryption on the machine. You can use any method to achive this.

Step 3. Add Bitlocker status to WMI & run hw inventory

Although there are multiple ways of manipulating bitlocker through WMI you still need a script to read, update and store bitlocker status information in the WMI repository (see http://msdn.microsoft.com/en-us/library/aa376409.aspx). This is because Managed Object Format (MOF) files are not installed as part of the Windows SDK and therefore the included classes are not added to the WMI repository automatically by Windows itself.

[update: A handy colleague wrote a powershell version of the script for adding the bitlocker status into WMI with some nice enhancements. All credits go to Daniel Last.]

The scripts (use only one):

• VBS version: UpdateBitlockerStatus.vbs
• Powershell verion: Bitlocker_Status.ps1 Bitlocker_Status_v1.1.ps1 [update]

Run the script and after that initiate a hardware inventory on the client. Note that the powershell version of the script already triggers a hardware inventory. Additionally, the powershell script need to be run with the powershell execution policy to be set to RemoteSigned. Do this using the following cmdlet: Set-ExecutionPolicy RemoteSigned

[edit] You could trigger the inventory in the vbscript by adding this line: WshShell.Run “WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule “&Chr(34) & “{00000000-0000-0000-0000-000000000001}” & Chr(34) & ” /NOINTERACTIVE”,,true

After a while you will find 2 new tables and 1 new view in the SCCM site database:

Step 4. Create the Report

I created a report in SCCM with the following query:

SELECT     v_R_System.Name0 AS Computername, v_GS_SCCM_BitLocker0.Bitlocker_Status0 AS [Bitlocker Status],
v_GS_SCCM_BitLocker0.BitLocker_Version0 AS [Bitlocker Versie], v_GS_SCCM_BitLocker0.Conversion_Status0 AS [Converstion Status],
v_GS_SCCM_BitLocker0.Drive0 AS Drive, v_GS_SCCM_BitLocker0.DriveLabel0 AS DriveLabel, v_GS_SCCM_BitLocker0.Encryption_Method0 AS [Encryption Method],
v_GS_SCCM_BitLocker0.Identification_Field0 AS [Identification Field], v_GS_SCCM_BitLocker0.Key_Protectors0 AS [Key Protectors],
v_GS_SCCM_BitLocker0.Percentage_Encrypted0 AS [Percentage Encrypted], v_GS_SCCM_BitLocker0.Protection_Status0 AS [Protection Status],
v_GS_SCCM_BitLocker0.ScriptLastRun0 AS [Script Last Run]
FROM         v_GS_SCCM_BitLocker0 INNER JOIN
v_R_System ON v_GS_SCCM_BitLocker0.ResourceID = v_R_System.ResourceID

And there it is, the Bitlocker report (note: old screenshot based another query but more or less similar):

Tested on SCCM R2 with a Windows 7 Enterprise bitlocker client.

Feel free to comment on this post.

Regards,
Douwe van de Ruit

Hi i’m Douwe van de Ruit, a new blogger at buit.org and right now i have some nice things to share about the upcoming System Center Configuration Manager.next. Microsoft released Beta 1 last Tuesday so i downloaded it from the Microsoft connect site and kicked it in a virtual testlab to dig through the new features and changes. I will show some new features from which i have great expectations. I will stick to the headlines only because covering all newly or changed features will be to much for a blogpost.

While installing SCCM.next i found out that the procedure was very similar to the way SCCM 2007 is installed. But when i started the Admin console i finally saw the “Outlook-styled” console for SCCM that is inline with consoles used for OpsMgr and VmMgr!

A good example of “do more with less” will be client settings, all settings are simplified by consolidating them in just one, simple and faste editable setting-interface:

So the interfacelifted GUI is a big change included in SCCM.next. But what about functionality and features? Well, Googling on vNext will return 3 main focus areas where Microsoft would deliver changed functionalities:

1. User centric application management  – Empowering Administrators to define intent, and end users flexible access to the right application at the right time
2. Infrastructure simplification – Simplify management infrastructure, processes and administrative overhead
3. Simplify Client Management – Daily tasks, model based configuration management and improvements over existing capabilities

User centric comes with so called user device affinity rules as you like, which can be used to define user’s devices and priorize them in a way that some deployments can depend on these affinity rules. Additionally, it will allow admins to create definitions of the relationship between the users and their applications in a way that the admins don’t have to worry about where that user is and what device it’s using .  They can trust the system that the user will have the right application at the right time in the right place suitable for the device they are on. Just a screenshot that relates to the user centric management functionality:

Just looking at the interface already shows that all administrative tasks just got easier and smarter and will achieve better overall performance in using ConfigMgr for all tasks. Infrastructure and Client Management simplifications will take more investigation to find out significant improvements as opposed to SCCM 2007. However, i do know that distribution points in SCCM.next will support scheduling and throttling. Imagining a branch office with a considerable amount of clients, you normally would create a secondary site if there was a concern about content distribution bandwidth consumption during office hours. With SCCM.next now you’re not bound to secondary sites because you can use distribution points with scheduling and throttling capabilities using the newly added ”Rate Limits” tab in distribution point settings.

By simplified client management Microsoft introduces the “Custom Client Setting”. With this feature you can create custom client agent settings which you can apply to collections containing devices, users or both. On top of the custom client settings you will still be able to configure the top-level client agent settings. The need for an extra Primary site will become unneccesary if the only reason would be driven out of other Client settings. Very nice.

To summarize some more new stuff i (quickly) found:

• added distribution groups for administrative purpose
• SCCM.next is 64 bit only
• SQL 2008 required
• added more than 300 extra SQL tables in the site database
• changed the term “Advertisements” into “Deployments”
• added Global Conditions settings which can be used to divide device types based on various parameters
• SQL Reporting service replaces standard reporting
• the “inboxes” system is still in use (and not transformed into SQL based communication as introduced before as a “wanna have”)
• “Create Report” function crashes in my test lab
• Help function returns white pixels
• SCCM 2007 DCM and Assett Intelligence nodes are integrated into a “Assets and Compliance” tab
• New System roles: Software Catalog Web Service Point, Software Catalog Web Site Point, Mobile device enrollment proxy point, Mobile device enrollment point

Nice stuff so far :-)

Recently I noticed a change in remote support through Microsoft Windows. This is a feature I use a lot when helping family with their issues. Now I have an issue. I cannot get through anymore. Somehow remote support is blocked. I noticed a change. Before, the receiving party had to enter a session password. Now, a 12 digit security code is presented which the helping party needs to enter flawless. I have tried is at least three times with totally different machines and at differert times. Every time a connection was not established.

This time, I did not have endless time to troubleshoot. So I decided to make a quick escape through an internet service. I found TeamViewer 5 to be an easy to use replacable. For home use it’s free. It uses two simple codes to identify the session. For now, I stick with this. Because there is nothing more frustrating for a helpdesk like me than not seeing what happens on the other side, I guess…

Last Tuesday at the Microsoft Tech•Ed Europe 2009 conference in Germany, Microsoft Business Division President Stephen Elop announced that Microsoft Exchange Server 2010 is now available worldwide to help businesses reduce costs, protect communications and delight e-mail users. Along with Windows 7 and Windows Server 2008 R2, Exchange Server 2010 is part of a generation of solutions designed for increased business productivity and cost savings.

 In today’s challenging economic environment, innovative use of new information technologies can result in improved operational efficiency and reduced costs. The combination of cost savings coupled with improved productivity and innovation is defined as “the New Efficiency.”

 Elop also announced the release of Forefront Protection 2010 for Exchange Server, which helps Exchange Server customers further safeguard business information.

 “Exchange Server 2010 customers are already reporting cost savings of up to 70 percent thanks to a simplified high-availability model and support for lower-cost storage. Customers are also seeing productivity gains of more than 20 percent with a universal inbox that delivers e-mail, voice mail, instant messaging and text messaging consistently across virtually any device,” Elop said. “Together with Windows 7 and Windows Server 2008 R2, the combined cost savings and improved productivity helps customers generate long-term business success.”

 According to a commissioned study of technology early adopters conducted by Forrester Consulting on behalf of Microsoft Corp., a customer can see a payback period of less than six months when upgrading to either Exchange Server 2010* or Windows Server 2008 R2.**

 Customers such as Bank of America Corp., Carnival Cruise Line, Global Crossing, Lifetime Products, Morgan Keegan & Co. Inc., NEC Philips, Subaru Canada Inc. and Telekom Austria Group are deploying Exchange Server 2010 and report impressive results with the new server.

 “We have increased storage eightfold at 25 percent of the cost with Exchange Server 2010 and our employees are seeing a reduction of unwanted e-mail by more than 70 percent, freeing us up to focus on more important client issues,” said Steve Derbyshire, operations director, NEC Philips.

 Organizations including Automatic Data Processing Inc., BMW, Baker Tilly, the City of Miami, Energizer, Getronics and Pella Corp. are deploying Windows 7 and report gains in efficiency for both business users and IT. Customers report improved user productivity and easier information access, reduced costs with streamlined management, and reduced risk through better security and increased desktop control. Supporting detail is available in recent total cost of ownership studies and analyst survey reports at http://www.microsoft.com/windows/enterprise/products/windows-7/default.aspx.

 Businesses are seeing equally significant results from Windows Server 2008 R2, with customers including Continental Airlines Inc. (U.S.), Chester Zoo (U.K.), Combell Group NV (Belgium), FinPro (Finland), Wacom Europe GmbH (Germany) and Wortell (Netherlands) noting cost savings through server consolidation, reduced power consumption and improved service levels.

 “With Windows Server 2008 R2, we’ve been able to dramatically reduce costs in our IT infrastructure while simplifying management,” said Phil Morris, IT manager, North England Zoological Society/Chester Zoo. “By virtualizing our environment with Windows Server 2008 R2 Hyper-V, we have reduced the number of servers in our environment by 80 percent while maintaining the high availability our retail staff, researchers and management team need.”

 “Windows Server 2008 R2 brings many efficiencies to our customers, including enabling new virtualization scenarios,” said Bill Laing, corporate vice president for the Windows Server and Solutions Division at Microsoft. “We’ve added the next generation of hypervisor and the new ability to perform Live Migration of virtual machines. Many customers are already seeing tangible results since deploying Windows Server 2008 R2 with Hyper-V.”

 Elop said more than 45,000 partners are trained on Windows Server 2008 R2 and Exchange Server 2010, with several partners announcing new services and solutions today, including Advanced Micro Devices Inc., Avanade, Dell Inc., EMC Corp., Kaspersky Lab, Symantec Corp. and Unisys Corp.

 Exchange Server 2010 and Forefront Protection 2010 for Exchange are available now for trial at http://www.thenewefficiency.com, along with more information about Windows 7, Windows Server 2008 R2 and partner solutions.

Howto deploy a Federated Search Connector in Windows 7

Yesterday we had a kickoff for an Early Adopter Windows 7 Community @ Microsoft in the Netherlands.
One of the presentations was about Federated Search and how this nice option will make our work much easier.

Some people were wondering howto deploy a Federated Search Connector in an Enterprise Environment, but nobody seems to know the answer. Reason for me to find out how to do this.

As for most solutions, it is not the only or the best solution, but because I like Group Policy Preferences (GPP) so much I developed a way to deploy a search connector using GPP.

In this example I will deploy the Youtube connector.
(Look for more connectors on : http://www.sevenforums.com/tutorials/742-windows-7-search-federation-providers.html)

On an admin PC just doubleclick on the downloade file, this will install the Search Connector on your PC, in fact it will install it in your user profile.

Now we need 2 files from your profile, first look up C:\USERS\<YOUR USERNAME>\LINKS\YOUTUBE.LNK
Before you copy this file right click it, choose properties and change the targetlocation to : C:\Users\%USERNAME%\Searches\Youtube.searchConnector-ms

Now copy this file to for example your NETLOGON share.

After that copy the file C:\USERS\<YOUR USERNAME>\SEARCHES\Youtube.searchConnector-ms to the NETLOGON share.

We’ve got the files that we need to deploy it to our users.

Logon to your domain controller (or the machine that you use to manage Group Policy) and open the Group Policy Management Console.
N.B. To manage Group Policy Preferences you need a Windows Server 2008 (R2), Windows Vista or Windows 7 machine.

Open your User policy and expand the User Configuration node.
Now go to Preferences -> Windows Settings -> Files.

Add these 2 files :

If you close the file screens, the preference screen will look like this (except for my domain name )

Now the only thing you have to do is wait until the user policy is refreshed ( a user does not have to take any action and will see the search provider automaticly)
And if you cant wait, just use the good old GPUPDATE.

Thats it for now, please enjoy.

Regards,

Erik