SCCM – Application installation summary report

This post will describe how to create an application installation summary report in SCCM. This is a great tool to have when you’re for example doing a health check of your applications and different versions of them. The report is built in Microsoft SQL Server Report Builder and you can see the final result on the pictures down below (press on the pictures to maximize).

I will now describe the different pieces of the report so you can make it fit in your environment:

Add the following datasets to the report, just make sure it is applicable to your environment:

ApplicationCount

ExpandComputerName

ExpandApplicationName

Next step is to create the layout as shown in the picture below. When the layout is done put in the data from the datasets and the two expressions you can see under the picture.

View of the report in Microsoft SQL Server Report Builder.

In the first expression we get the application name from the list search or the wildcard search:

In the second expression we join the computers within each software version result:

Last step is to save the report and try it out.

The report gives you a choice of choosing an application from a drop-down list (where all the applications in your environment will show up) or through a wildcard search. It will then show the selected application (and/or the specific version of your choice) in a list with parameters such as how many computers the application is installed on and the names of the computers.

List of all the applications in your environment.

Wildcard search that overrides the application list search.

A list with the computers that have the application installed.

The view of the report run in Internet Explorer.



DirectAccess with Teredo Protocol requires ICMP traffic to be allowed

With Microsoft DirectAccess (DA) you have three different protocols that you can utilize, with 6To4 and Teredo being the primary ones and IPHTTPS being the fallback if both primary fail/are not configured correctly (6To4 is attempted before Teredo). One thing that is different with Teredo protocol is that the DirectAccess server will send a one-time Ping (ICMP) to any DA-configured address that the DirectAccess client is trying to connect to (link).

Example of this with Netscaler Load Balancing:
In a real-life case, a customer was load balancing internal websites on a Netscaler and wanted these websites to be accessible through DA, but it was not working for unknown reasons – until we figured out the ICMP requirement and added an exclusion to this on the Netscaler. By default when we configure a Netscaler we set it up to block most ICMP traffic (http://shouldiblockicmp.com/).

Below is an example Access-Control-List (ACL) on Netscaler that will allow ICMP traffic (by default a Netscaler will not have any ACLs configured and allow all traffic, in which case this is not needed). Replace ”192.168.50.55” with the IP of your DA server, and ensure the ACL Priority is a lower value than your Deny ACLs (if you have any).
add ns acl A-DA-ANY_ICMP ALLOW -sourceIP = 192.168.50.55 -protocol ICMP -priority 100
apply ns acls

The ICMP message is of Type 8, Code 0, which you can specify in the ACL if you want to create a more specific ACL rule. Picture taken from Wireshark trace:

In case you are not fronting your internal servers with a load balancer (such as Netscaler) and you are using Windows Firewall on your internal hosts, you might need to allow ICMP traffic in your Windows Firewall for these hosts.

Is Teredo used in my environment/scenario?
One way to check if Teredo is being utilized in your DA setup is to logon to your DA server and run below command. If there is a Teredo Interface showing, then it is at least configured, and then you can check how much, if any, traffic is being passed through it (‘Bytes In’, ‘Bytes Out’). As we see in this picture, Teredo is being utilized.

Disabling 6To4 or Teredo can be done either on the DA server or the DA clients by disabling the relevant Network Interfaces (Teredo, for example), or by disabling the DA Clients to use specific protocols using the DirectAccess GPO Settings (see link further down).

To get a better understanding of the three protocols possible with DirectAccess, and their advantages/disadvantages, I recommend below blog posts:
Richard Hicks: DirectAccess IPv6 Transition Protocols Explained
Richard Hicks: Disable 6to4 IPv6 Transition Protocol for DirectAccess Clients
Microsoft Technet: DirectAccess and Teredo Adapter Behaviour

If you have any questions or feedback on above content, feel free to email me at rasmus.kindberg@xenit.se.



OS deployment using same MAC address for multiple clients

OS deployment using the same staging dock for multiple clients is a bit of an issue, and there are many different solutions to the problem but all have their downsides.

I did a quick search and found two probable candidates to tackle.

  1. UUID staging
    The idea is to exclude staging docks using a registry value (new in 1610) and stage using only UUID. This way the MAC address is totally irrelevant and OSD is handled using only UUID. The downside is that many Prestage tools use MAC and the UUID Guid is longer and therefore more prone to mistakes.
  2. Ethernet MAC release/Wifi renew
    This method prompts the user at the end of the task sequence to disconnect the ethernet adapter and then resumes using Wifi. The downsides here is that the task sequence no longer becomes unattended and therefore can take longer time. This also requires the use of extra filtering in task sequences and therefore extra maintenance.

With that said I came to the following solution.
On the Site create a SQL job that runs every 30/60 minutes and removes the MAC association and clears the PXE flag.

This allows users to stage their clients using the same Ethernet adapter (USB or docking station) without changing the current pxe routine/application or task sequence.
As with all staging dock solution some consideration must be taken of when the job is scheduled to run so that MAC address association is not wiped before PXE is initated.
If staging is done once a day/week the schedule can be configured to a daily job and thus the afforementioned consideration becomes a non-issue.

UUID staging
https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2015/08/27/reusing-the-same-nic-for-multiple-pxe-initiated-deployments-in-system-center-configuration-manger-osd/

Ethernet MAC Release/Wifi renew
https://gallery.technet.microsoft.com/scriptcenter/Enable-multiple-SCCM-OS-861e42bb



XenMobile 10.6 – Mycket nytt i senaste versionen

 

Citrix släppte i dagarna en ny version av XenMobile, 10.6, vilken innehåller flera efterlängtade funktioner och fixar. Bland nyheterna finns bland annat stöd för personliga kalendrar, virtuella smartkort och hantering av systemuppdateringar för iOS. För första gången på länge har det även kommit en uppdatering till Enterpriseversionen av Secure Mail och Secure Web.

Nyheter i klienten:

  • Derived Credentials (iOS) – I samarbete med Intercede kan Citrix nu erbjuda enroll med hjälp av certifikat. Läs mer på: http://docs.citrix.com/en-us/xenmobile/server/authentication/derived-credentials.html
  • Personlig kalender – Din personliga kalender (från Google/Apple) finns nu tillgänglig i Secure Mail, vilket även låter dig se när det blir krockar mellan din personliga och din arbetskalender
  • Per-app VPN för Android – Möjlighet att även för Android definiera vilka appar som skall gå genom VPN och vilka som går direkt mot internet
  • Stöd för Exchange Active Sync 16
  • Stöd för appar utvecklade med Xamarin Android och OkHttp

 

Nyheter på serversidan:

  • Uppdateringspolicy för iOS – Nu finns det (äntligen) stöd för att forcera uppdateringar av iOS
  • Windows 10 Unified Endpoint Management – Stöd för att identifiera och spåra förlorade enheter som kör Windows 10
  • Stöd för Windows Information Protection
  • Bättre stöd för Azure Active Directory – Azure AD kan nu användas som IdP för XenMobile
  • Bättre rapportering – Rapporter över användning har blivit utökade samt fått stöd för att exportera rapporter till pdf
  • Stöd för 2-faktorsautentisering för macOS – Enrollkoder kan nu skapas även för macOS
  • Möjlighet att välja flera plattformar för enroll – Hanteringen av enrollkoder blir lättare då det nu kan skapas en kod som gäller för samtliga plattformar

 

Utöver detta tillkommer ett antal buggfixar och förbättringar, samt några lite mindre synliga funktioner. För en full lista av ändringar, se:

http://docs.citrix.com/en-us/xenmobile/server/whats-new.html

samt

http://docs.citrix.com/en-us/xenmobile/server/fixed-issues.html

 



Hantera macOS-enheter med hjälp av XenMobile

Att hålla koll på macOS-enheter i ett företagslandskap kan vara allt annat än smidigt. Leverans av certifikat, hantering av rättigheter och låsning av förlorade enheter behöver speciallösningar för att kunna fungera i ett landskap som är baserat på Microsoft AD. Många företag väljer idag att exempelvis rulla ut klientcertifikat manuellt på varje dator, då det är knepigt att sköta detta centralt, och släpper ofta ut helt omanagerade mac:ar till användare.

Något som dock ofta missas är att XenMobile sedan i höstas är kapabelt till att managera inte bara mobiltelefoner utan även alla enheter som kör macOS. Om XenMobile redan används i miljön är det inget stort steg att börja managera även mac:ar, och om inget MDM-verktyg används alls i dagsläget så börjar det nog bli dags att fundera på det. Exakt vad som kan kontrolleras kan ni se här, men det innefattar allt från AirPlay Mirroring till Exchange och LDAP.

  • Om XenMobile redan är konfigurerat för iPhones så behöver vi bara sätta upp policies innan klienterna läggs upp i systemet. Här nedan skapar jag en policy för utrullning av certifikat från en Microsoft CA:
     
  • När alla profiler väl är uppsatta är det endast att surfa in mot rätt URL: https://ServerFQDN:8443/zdm/macos/otae och logga in:

    Idag finns tyvärr inget stöd för tvåfaktor (man får en ruta för en kod, men det finns inget sätt att skapa en) men detta ska dock finnas i nästa release av XenMobile som kommer snart.
  • Efter detta kommer ett antal rutor där man behöver godkänna installation av profiler. Ni som någon gång enrollat en iPhone känner kanske igen dessa:

  • Avsluta med ditt lösenord:
  • Och när rutan nedan kommer upp så är enheten registrerad i systemet och redo att ta emot kommandon:
  • En titt i MDM-konsolen visar även att vi har enheten tillgänglig där:

Om XenMobile redan används för manageraing av mobila enheter är det alltså inte svårare än att lägga upp policies och sedan registrera sina datorer, så är de sedan managerade och skyddade precis som mobiltelefonerna.

Denna funktionalitet missas ofta när man väljer EMM-verktyg, och är inte heller helt självklar att ha i tankarna även efteråt, men om ni liksom jhag någon gång suttit och svurit över problemen med att managera mac:ar så är jag övertygad om att detta underlättar åtminstone lite.



Provisioning services – Activate SMB2 for better security and performance

When installing Provision Services 7.x and below on a Windows 2008 R2 or Windows 2012 R2 – The Provisioning installer will disable SMB2 and only allow SMB1 on the server.
NOTE: SMB2 will still be enabled with a new install of PVS 7.13 (Thanks Andrew Wood).

Verify which SMB protocols are enabled on Windows 2012 R2 by running the following powershell command:

View-SMB-Protocols
SMB 1.0 (or SMB1) – Used in Windows 2000, Windows XP and Windows Server 2003 R2 is no longer supported and you should use SMB2 or SMB3 which has many improvements from its predecessor. Another big reason is to prevent the security-hole that the WannaCry/Wcry/WannaCrypt0r-ransomware utilizes to infect and spread if you have not installed the security patch MS from Microsoft released 14th of March 2017.

Here’s a very brief summary of what changed with each version of SMB:

  • From SMB 1.0 to SMB 2.0 – The first major redesign of SMB – Windows Vista (SP1 or later) and Windows Server 2008
    • Increased file sharing scalability
    • Improved performance
      • Request compounding
      • Asynchronous operations
      • Larger reads/writes
    • More secure and robust
      • Small command set
      • Signing now uses HMAC SHA-256 instead of MD5
      • SMB2 durability
  • From SMB 2.0 to SMB 2.1 – The version used in Windows 7 and Windows Server 2008 R2
    • File leasing improvements
    • Large MTU support
    • BranchCache
  • SMB 3.0 – The version used in Windows 8 and Windows Server 2012

SMB2 has a requirement to utilize Oplocks. Enabling Oplocks will not cause any failures so long as the write cache is not stored on the Provisioning Server.
SMB2.1 introduced leasing and is more flexible and results in significant performance improvement in a high latency network.

If the write cache is on the PVS server then this would happen:

  1. You have two PVS servers, PVS1 and PVS2.
  2. The write cache for targets is hosted on \\FileSRV01\store
  3. A target device is connected to PVS1 and PVS1 becomes unavailable.
  4. The target device fails over and connects to PVS2.
  5. PVS2 cannot connect to the write cache file because PVS1 still has the exclusive OPlock to the file. Eventually, the OPlock will timeout and PVS2 will be able to connect to the write cache file, but there will be a delay.
    Cache-on-Server

To activate SMB2 and disable SMB1 on Windows 2008 run the following PowerShell command:

To activate SMB2 and disable SMB1 on Windows 2012 run the following PowerShell command:

A reboot is required to activate the new settings. As always, perform any changes in a test scenario first, before deploying into production. This is important since Windows XP and Windows 2003 utilizes SMB1 and will not be able to communicate with servers over SMB where SMB1 has been disabled.

If you have any questions or feedback about above, feel free to leave a comment below!



Skapa SpamAssassin-signaturer för blockering av ransomeware-kampanjen Torrentlocker/Crypt0l0cker

Just nu pågår en ransomware-kampanj som försöker infektera privatpersoner och företag genom bluff-mail (spam). Myndigheten för samhällsskydd och beredskap har gått ut med signaturer som kan användas för att identifiera och blockera kampanjen på följande länk: Signaturer för pågående ransomware-kampanj.

Signaturerna innehåller tre länkar till ZIP-filer som ligger hos Dropbox, men även ämnesraden för bluff-mailen:

Dropbox URL:er
hxxps://dl.dropboxusercontent.com/s/5h76l6uqdp7vtvk/753941.zip?dl=0
hxxps://dl.dropboxusercontent.com/s/h8jyb5xkh6dqoyf/197067.zip?dl=0
hxxps://dl.dropboxusercontent.com/s/jv3vtf14gxgz6sa/394216.zip?dl=0

Två exempel på phishing-mailen:

”Från: Skickat: den 16 mars 2017 11:06
Till: förnamn.efternamn@domän.se
Ämne: Faktura / Betala din faktura / Se din faktura / Detta är din faktura

Hallå
Info: hxxps://dl.dropboxusercontent[.]com/s/snzrpnvtd1fchxi/862751.zip?dl=0
(+ flertalet andra Dropbox länkar)


Från: ” Datum: 16 mars 2017 11:08:23 GMT
Till: Ämne: Faktura

Betala din faktura: hxxps://dl.dropboxusercontent.com/s/jv3vtf14gxgz6sa/394216.zip?dl=0

Vänliga Hälsningar
Namn

Med hjälp av denna informationen kan man skapa en regel i SpamAssassin:

Man kan göra regeln enklare att läsa genom att skapa en kontroll per ämnesrad och länk:

Den officiella dokumentationen för hur man skriver SpamAssassin-regler återfinns här: https://wiki.apache.org/spamassassin/WritingRules



NetScaler user authentication to backend with cookies

A system one of my co-workers are load balancing and configuring AAA/SSO uses cookies for authentication. The username is inserted using a cookie, for example ”username=simon”. It’s very easy to first of all identify this cookie and modify it to another value, which makes it insecure.

The idea we got was to stop exposing the cookie to the user and only add it so that the backend sees it using a rewrite. The second thing we also want to do is remove this cookie so even though the user has the cookie, it will never be sent to the backend.

The solution is quite simple and looks like this:

From my initial tests, this will remove all cookies named ”username” (case insensitive) and add a new one with values from NetScaler AAA. If the user isn’t sending any Cookie-header at all, we’ll add one as well.

Seems to work very well!

Have you done this in any other way? Feel free to post how you did it.



Windows Login prompt with Single Sign-On XenApp

Lately some customers reported they didn’t get Single Sign-On all the way into the desktop when logging in via the browser to StoreFront. Single Sign-On worked partly with automatic login to the StoreFront desktop/application view, but whenever they tried to start a new session the users faced a Windows login prompt. Citrix have released a relatively new article with a variety of things to test when facing problems with Single Sign-On for XenApp/XenDesktop.

Windows Login Prompt

I usually apply settings for Citrix Receiver using GPO and applying them to user level. The problem was immediately solved by applying Citrix Receiver settings to the computer level instead.

Citrix Receiver Authentication Settings



Convert SCCM schedule to readable format

Reading SCCM Maintenance Windows is not an easy thing to do from WMI as they are stored as 16 char hex values

To get the schedule hex values simply run the below line, but the result might not be easy to understand

A server might return the following values.

Now, how do we read this? The easiest thing is to run Convert-CMSchedule but that unfortunately only works if the configuration manager console is installed.
Another way to do is to invoke a wmi method from a site server using the SMS_ScheduleMethods class.

None of these are portable, so I created my own function to decode these. The below function returns the same data as Convert-CMSchedule but is free from any module as it converts the hex to a readable format.

The function also accepts valuefrompipeline

 

The script is reverse engineered from https://msdn.microsoft.com/en-us/library/cc143505.aspx