Create Pilot Collection Console Extension for ConfigMgr 2012 R2

I recently started working on my first ConfigMgr Console Extension (a.k.a. Right Click Tool).  For my first foray into this territory I decided to tackle something that my colleagues and I deal with on a regular basis: pilots.  No, not pilots who fly airplanes.  Pilot deployments, the thing you do before deploying something to Production.

So today I’m releasing my Create Pilot Collection Console Extension for ConfigMgr 2012 R2.  The purpose behind this tool is to support an internal business process wherein we as packagers are required to deploy to a smaller “pilot” collection before any large-scale deployment goes out.  I would imagine your company has similar requirements.

This tool was built using Sapien PowerShell Studio 2015 and was designed to provide a quick and easy way of generating a random sampling of “Pilot Members” for your pilot deployments.

Create Pilot Collection - Main Screen

CREDIT

I’d like to thank Nickolaj Andersen (http://www.scconfigmgr.com) for writing and providing me with the Invoke-ToolInstallation.ps1 script to handle the installation of the Console Extension.  It’s been modified from his original version so I’ll provide a write-up on leveraging this script in a follow-up blog post.

Download

You can download the Console Extension from the TechNet Gallery.

I’ve included the PowerShell Studio Project Files if you would like to tinker and modify for your own use.

Install

To install the Console Extension, extract the .zip file you downloaded to a directory of your choice.  From an elevated (Administrative) PowerShell console, run the Invoke-ToolInstallation.ps1 script from the extracted directory.  As with any downloaded script you run elevated, read it first; if Windows has tagged the extracted files as coming from the Internet and your execution policy refuses to run them, clear that tag with Unblock-File on the extracted files.

NOTE: If you currently have the ConfigMgr Console open, you’ll need to close and re-open it.

Usage

To launch the tool, open your ConfigMgr console, and find a collection you wish to use as your “Base” collection.  This would typically be the collection you use for your final (Production) deployment.

The tool can be accessed from the Ribbon or the Right-Click Context Menu as shown below.

Right-Click Menu / Ribbon Icon

There are only two items you need to fill in: the Pilot Collection Name and the percentage of the original (base) collection to use as pilot members.  The user interface updates as you type to tell you how many members will be added to your new collection.

Create Pilot Collection - Main Screen

When you are finished, click the button, sit back and relax.  Once your collection is created you can deploy whatever you want to it.

NOTE: Large collections may take several minutes to process and add members.
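The same sampling logic in plain PowerShell against the ConfigurationManager module that ships with the ConfigMgr 2012 R2 console, for anyone who would rather script it than click through the tool. This is an added example, not the Console Extension’s own code; the function names are mine, and it assumes you have imported the module and changed to your site drive (for example cd PS1:).

```powershell
# Added example (not the Create Pilot Collection tool's own code): build a pilot
# collection from a random sample of a base collection using the ConfigMgr 2012 R2
# ConfigurationManager module. Assumes the module is loaded and the current
# location is the site drive.

function Get-PilotSampleSize {
    # Turn a percentage into a member count: round up so small base collections
    # still get at least one pilot member, and never exceed the base count.
    param(
        [Parameter(Mandatory)][int]$BaseCount,
        [Parameter(Mandatory)][ValidateRange(1, 100)][int]$Percent
    )
    if ($BaseCount -le 0) { return 0 }
    [int][math]::Min($BaseCount, [math]::Ceiling($BaseCount * $Percent / 100))
}

function New-PilotCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BaseCollectionName,
        [Parameter(Mandatory)][string]$PilotCollectionName,
        [Parameter(Mandatory)][ValidateRange(1, 100)][int]$Percent
    )

    $base = Get-CMDeviceCollection -Name $BaseCollectionName
    if (-not $base) { throw "Base collection '$BaseCollectionName' not found." }

    # Current members of the base (production) collection.
    $members = @(Get-CMDevice -CollectionName $BaseCollectionName)
    $count   = Get-PilotSampleSize -BaseCount $members.Count -Percent $Percent
    if ($count -eq 0) { throw "Base collection '$BaseCollectionName' has no members." }

    # Random sample without replacement.
    $sample = @(Get-Random -InputObject $members -Count $count)

    $action = "Create pilot collection with $count of $($members.Count) members"
    if ($PSCmdlet.ShouldProcess($PilotCollectionName, $action)) {
        # Limit the pilot to the base collection: even if someone later edits the
        # direct rules, the pilot can never reach devices outside the production scope.
        $pilot = New-CMDeviceCollection -Name $PilotCollectionName `
                                        -LimitingCollectionName $BaseCollectionName
        foreach ($device in $sample) {
            Add-CMDeviceCollectionDirectMembershipRule -CollectionName $PilotCollectionName `
                                                       -ResourceId $device.ResourceID
        }
        $pilot
    }
}

# Usage: preview first with -WhatIf, then run for real.
# New-PilotCollection -BaseCollectionName 'All Workstations' `
#                     -PilotCollectionName 'Pilot - All Workstations (10%)' -Percent 10 -WhatIf
```

Two things worth knowing about the result: the pilot uses direct membership rules, so it is a snapshot and will not track devices that join or leave the base collection later, and the limiting collection is the base collection on purpose, so a deployment to the pilot can never land outside production scope.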


Back to Blogging

I wanted to drop a quick note on here to everyone who continues to visit my blog.  I’ve been absent for the past nine months or so from the blogging scene due to an insanely busy life in and out of work.

In November my wife and I welcomed our second child (little girl) into the world and we recently moved into our 4th home.  On top of that, my company underwent an extremely significant change that required a good majority of my time for the past 7 months.

With that said, things have finally calmed down enough to where I can start investing time into developing new solutions, and sharing my experiences with you all.  With this renewed focus on new technology and solutions, I felt it was also a good time for a new look for the blog.  It’s not a radical change but I think it gets the job done.

I am preparing a blog post for a new ConfigMgr Right Click Tool I recently developed so look out for it and more content in the coming weeks!

Yours Truly,

Dustin

Using a BitLocker Data Recovery Agent to unlock a BitLocker encrypted drive

This blog post is a follow-up to my first post on BitLocker, MBAM and Data Recovery Agents (DRA).

In this post we’ll cover actually USING the BitLocker DRA to recover/unlock a BitLocker Encrypted drive using the BitLocker DRA Certificate.

 

Installing a BitLocker DRA Private Certificate

Before you can unlock a drive using the DRA certificate, you must install the private (.pfx) certificate file on the system you will do the recovery from. Keep in mind what that file is: the private key in it can unlock every drive in your organization that carries the DRA protector, so treat it as a high-value secret. My recommendation is to install it under a local account (not a domain account) to avoid a potential issue with Credential Roaming, which could otherwise copy the private key to every system that user logs on to.

  1. Log into the system using a local (Administrative) account. Again, this is to keep the private certificate from roaming with individual domain users and ending up installed on multiple systems.
  2. Locate the BitLocker DRA (.PFX) private certificate file (obtained from your Certificate Authority) and double-click on it.
  3. Follow the wizard and provide the password for the private key (this should also be provided by your Certificate Authority).
  4. Click Next through the rest of the wizard pages. Leave “Mark this key as exportable” unchecked so the private key cannot simply be exported again from this machine.
  5. Delete the .PFX certificate file from the machine.

One other recommendation: keep track of who has this certificate and where it’s installed. When you have to renew the certificate this will make it much easier to go back through and update the locally installed private certificates, and it tells you exactly which systems to clean up if one of those people leaves.

 

Unlocking a BitLocker Encrypted Drive with a BitLocker Data Recovery Agent

Now that we have the private (PFX) certificate installed, we can proceed with unlocking BitLocker encrypted drives. Unlocking starts at an elevated Command Prompt, where we leverage the manage-bde.exe utility to work with BitLocker Drive Encryption.

  1. At the elevated Command Prompt, type manage-bde -protectors -get <drive letter>: where <drive letter> is the drive you wish to unlock. You should see output similar to below (Image credit: TechNet).

  2. Take special note of the Certificate Thumbprint highlighted above, listed under the Data Recovery Agent (Certificate Based) protector. That long string identifies the certificate you will use to actually unlock the drive.

NOTE: It IS possible to have more than one certificate listed here if your company uses more than one DRA cert for BitLocker. You may have to try each one until you find the one whose private key is installed on the system you are working from.

  3. To unlock the drive, type manage-bde -unlock <Drive Letter>: -Certificate -ct <Certificate Thumbprint>
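The three steps above scripted, with the check the note calls for when more than one DRA certificate is listed: only a thumbprint whose private key is installed for the current user can unlock the drive, so the script matches the drive’s thumbprints against the user’s certificate store before calling manage-bde. This is an added example, not code from the original post; the function names are mine, and the sample manage-bde output at the end is constructed (the thumbprint is not real).

```powershell
# Added example (not from the original post): find the DRA certificate
# thumbprint(s) on a locked BitLocker volume, pick the one whose private key is
# installed for the current user, and unlock with manage-bde. Run elevated.

function Get-BdeDraThumbprint {
    # Parse "Certificate Thumbprint:" entries out of manage-bde -protectors -get output.
    param([Parameter(Mandatory)][string[]]$ProtectorOutput)
    $text = $ProtectorOutput -join "`n"
    [regex]::Matches($text, 'Certificate Thumbprint:\s*([0-9A-Fa-f]{40})') |
        ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }
}

function Unlock-BdeVolumeWithDra {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$MountPoint)

    $protectors  = & manage-bde.exe -protectors -get $MountPoint 2>&1
    $thumbprints = @(Get-BdeDraThumbprint -ProtectorOutput $protectors)
    if (-not $thumbprints) { throw "No certificate-based protector found on $MountPoint." }

    # Only a thumbprint with a matching private key in this user's store can unlock.
    $usable = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($thumbprints -contains $_.Thumbprint.ToUpperInvariant()) })
    if (-not $usable) {
        throw "Drive lists DRA thumbprint(s) $($thumbprints -join ', ') but no private key for any of them is installed for $env:USERNAME."
    }

    foreach ($cert in $usable) {
        & manage-bde.exe -unlock $MountPoint -Certificate -ct $cert.Thumbprint
        if ($LASTEXITCODE -eq 0) { return $cert.Thumbprint }
    }
    throw "manage-bde refused every matching certificate on $MountPoint."
}

# Constructed sample of the relevant part of manage-bde -protectors -get output
# (not a real thumbprint), used only to show what the parser extracts.
$sample = @(
    '    Data Recovery Agent (Certificate Based):',
    '      ID: {11111111-2222-3333-4444-555555555555}',
    '      Certificate Thumbprint:',
    '        0123456789abcdef0123456789abcdef01234567'
)
Get-BdeDraThumbprint -ProtectorOutput $sample

# Usage on a real locked volume:
# Unlock-BdeVolumeWithDra -MountPoint 'E:'
```

If the error says the drive lists a thumbprint but no private key is installed, that is the multi-certificate case from the note: the drive was encrypted under a different DRA certificate than the one on your recovery system, and you need the .pfx for that thumbprint, not a different .pfx.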


 

Conclusion

That’s pretty much all there is to it. Recovering a BitLocker encrypted drive with a BitLocker DRA certificate is pretty simple once it’s all set up. Of course I still would recommend using MBAM or Active Directory recovery methods as your primary recovery method (they are a lot easier); however, this will hopefully give you that ‘warm & fuzzy’ feeling knowing that you can always unlock a BitLocker encrypted drive.

BitLocker, MBAM and Data Recovery Agents (DRA)

I’ve been using the Microsoft BitLocker Administration and Monitoring (MBAM) software from the Microsoft Desktop Optimization Pack (MDOP) for the past couple of years and I love it. It makes enforcement, reporting and key recovery for systems fairly simple once the pre-requisites have been met (i.e. TPM Enabled and Activated). In this post, I’ll be discussing a lesser known method of securing your BitLocker encrypted drives with Data Recovery Agents (DRA).

Data Recovery Agents – What are they?

A Data Recovery Agent, or DRA, is an account, typically backed by a smart card or certificate, whose public key is used to protect an encryption key so that the holder of the matching private key can later decrypt a file or folder (EFS) or an entire drive (BitLocker). In our case we will be discussing a BitLocker DRA.

Why would I use a Data Recovery Agent when I have BitLocker?

Honestly, most people don’t. MBAM already handles key escrow, enforcement, key recovery and reporting for the BitLocker environment and does a very good job at it. However, I’ve seen a few issues during implementation that prompted me to take a closer look at managing our overall BitLocker environment, outside of just what MBAM provides. Here are a couple of scenarios I’ve seen which have caused us issues in recovering drives:

  • MBAM cycles a new key but escrow back to the server fails.
  • Helpdesk or end user manually encrypts drives with BitLocker but MBAM doesn’t get installed.

There may be other instances in which MBAM is unable to escrow keys however the above were the ones I saw most. So, just how do we solve this issue? There are numerous ways we could look at this from a process perspective, but I want to reduce the amount of human error and interaction wherever possible. Some ideas are:

  • Required deployment of MBAM to all systems – This could cause unwanted prompts for compliance on end user systems and doesn’t solve issues where MBAM simply fails to connect back to the server.
  • Store everything in Active Directory – Again, you still need a connection to AD for this and in a large environment this can significantly increase the size of your DB (your AD team may not like this).
  • Implement processes for your Help Desk to validate that keys are being escrowed – This becomes cumbersome and unsustainable.

By implementing a BitLocker Data Recovery Agent, you always have an additional recovery method available just in case MBAM either isn’t there or (gasp!) fails to properly escrow a key. I use this as my failsafe, my life preserver, my backup because telling a user, manager or heaven forbid an executive that their data is lost because something “just went wrong” (and they forgot to make a backup or stopped the backup software) is not the most pleasant part of our job.

How do I create a BitLocker Data Recovery Agent

I’ll be the first to admit this, but I’m not well versed in managing a PKI infrastructure, so instead of diving into the details and (possibly) getting it wrong, I’d suggest you reach out to your PKI team and request a certificate that can be used as a Data Recovery Agent for BitLocker. What they should provide you are two files: a public .CER certificate (public key only), which will be deployed to all your systems through Group Policy, and a private .PFX file containing the private key, which is the only thing that can unlock drives that carry the DRA protector. Guard the .PFX accordingly: keep it off general-purpose systems and keep its password separate from the file.

Setting up the BitLocker Data Recovery Agent

To configure and deploy the BitLocker Data Recovery Agent, we will leverage Group Policy. I use the same GPO that I use for configuring MBAM. The following steps will guide you in setting up your BitLocker DRA Certificate and other required/recommended settings for using a BitLocker DRA.

1. Edit the Group Policy Object that will apply to client machines.
2. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption
3. Enable the setting Provide the unique identifiers for your organization. For BOTH the BitLocker identification field and the Allowed BitLocker identification field use ‘MyCompany’ (substitute your own identifier). This is what ties the DRA to your drives: BitLocker only attaches a certificate-based DRA to a drive whose identification field matches an allowed identification field, so a drive without a matching identifier gets no DRA protector.

NOTE: The value you enter here is CASE SENSITIVE! Make sure it’s typed EXACTLY the same in both locations.

4. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
5. Enable the policy Choose how BitLocker-protected fixed drives can be recovered. The option that matters for the DRA is Allow data recovery agent, which must be checked; configure the remaining options (recovery password, recovery key, and whether recovery information is saved to AD DS) to match your existing recovery policy.

Perform the same steps for Operating System Drives and Removable Data Drives, which have their own Choose how BitLocker-protected operating system drives / removable drives can be recovered policies.

6. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption, right-click it and select Add Data Recovery Agent.
7. On the Welcome screen of the Add Recovery Agent Wizard, click Next.
8. Click on the Browse Folders button and select the exported certificate retrieved from your CA. (Make sure this is the .CER file, which only contains the public key, and NOT the .pfx file, which contains the private key.)
9. Click Next and finish the wizard. You should then see the DRA’s certificate listed.
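A check that the policy actually landed on each encrypted volume, because a GPO that applied cleanly still leaves out drives that were encrypted before the identifier existed. This is an added example, not from the original post: the function names are mine, it assumes ‘MyCompany’ is the identifier set in step 3, and it assumes you know the thumbprint of the DRA .cer added in step 8. With -Remediate it runs manage-bde -SetIdentifier to apply the policy identifier to such drives, then re-reads the protectors rather than assuming the DRA was attached.

```powershell
# Added example (not from the original post): audit which encrypted volumes carry
# the expected DRA protector after the GPO is in place, and optionally apply the
# identification field to drives encrypted before the policy existed. Run elevated.
# Assumptions: 'MyCompany' matches the GPO identifier; $ExpectedThumbprint is the
# thumbprint of the DRA's public (.cer) certificate.

function Get-BdeIdentifier {
    # Read the "Identification Field:" line from manage-bde -status.
    param([Parameter(Mandatory)][string]$MountPoint)
    $status = (& manage-bde.exe -status $MountPoint 2>&1) -join "`n"
    if ($status -match '(?m)^\s*Identification Field:\s*(.+?)\s*$') { $Matches[1] } else { $null }
}

function Get-BdeDraThumbprint {
    # Certificate thumbprints listed by manage-bde -protectors -get.
    param([Parameter(Mandatory)][string]$MountPoint)
    $out = (& manage-bde.exe -protectors -get $MountPoint 2>&1) -join "`n"
    [regex]::Matches($out, 'Certificate Thumbprint:\s*([0-9A-Fa-f]{40})') |
        ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }
}

function Test-BdeDraCompliance {
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$ExpectedIdentifier = 'MyCompany',
        [switch]$Remediate
    )
    $ExpectedThumbprint = $ExpectedThumbprint.ToUpperInvariant()

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $mp     = $vol.MountPoint
        $id     = Get-BdeIdentifier -MountPoint $mp
        $hasDra = @(Get-BdeDraThumbprint -MountPoint $mp) -contains $ExpectedThumbprint

        if (-not $hasDra -and $Remediate -and $id -ne $ExpectedIdentifier) {
            # Drives encrypted before the GPO never received the identifier, so no DRA
            # was attached. -SetIdentifier writes the policy identifier; with a matching
            # identifier and "Allow data recovery agent" enabled, BitLocker attaches the
            # DRA protector. Re-check instead of assuming it worked.
            & manage-bde.exe -SetIdentifier $mp | Out-Null
            $id     = Get-BdeIdentifier -MountPoint $mp
            $hasDra = @(Get-BdeDraThumbprint -MountPoint $mp) -contains $ExpectedThumbprint
        }

        [pscustomobject]@{
            MountPoint     = $mp
            Identifier     = $id
            HasExpectedDra = $hasDra
            Compliant      = ($id -eq $ExpectedIdentifier -and $hasDra)
        }
    }
}

# Usage: report first, then remediate the non-compliant volumes.
# Test-BdeDraCompliance -ExpectedThumbprint '<thumbprint of the DRA .cer>'            | Format-Table
# Test-BdeDraCompliance -ExpectedThumbprint '<thumbprint of the DRA .cer>' -Remediate | Format-Table
```

Run the report mode across a handful of machines before trusting the DRA as your failsafe: a volume that shows Identifier of None or Unknown and HasExpectedDra of False is exactly the drive you would not be able to recover with the .pfx later.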

http://technet.microsoft.com/en-us/library/dd875560(v=WS.10).aspx

Conclusion

This post concludes with you (hopefully) having a BitLocker DRA certificate installed in your environment which should provide you with an additional recovery method for your BitLocker encrypted drives. If you haven’t quite gotten that ‘warm and fuzzy’ feeling yet, stay tuned for my follow-up article on Using a BitLocker Data Recovery Agent to unlock a BitLocker encrypted drive.

WMI Module v1.0 Released!

The PowerShell WMI Module was developed to make it easier to create custom WMI Namespaces and Classes.

This module was inspired by Jason Sandys’ System Center Universe presentation on WMI Manipulations and Manifestations.

The module has been uploaded to TechNet Script Gallery. Get it here!

Module Functions

Get-WMINamespace

This function returns an object containing the Namespace requested.

Example: Get-WMINamespace -Namespace ‘Namespace1’

Get-WMIClass

This function returns an object containing the WMI Class requested.

Example: Get-WMIClass -Namespace ‘Namespace1’ -ClassName ‘Class1’

New-WMINamespace

This function creates a new WMI Namespace and returns the WMI Namespace object using Get-WMINamespace.

Example: New-WMINamespace -Root ‘Root’ -Name ‘Namespace1’

New-WMIClass

This function creates a new WMI Class and returns the WMI Class object using Get-WMIClass.

Example: New-WMIClass -Name ‘Class1’ -Namespace ‘Root\Namespace1’

Add-WMIClassProperty

This function adds a single WMI Class Property to your custom WMI Class. Use this function multiple times to add multiple properties.

Examples:

Add-WMIClassProperty -Namespace $namespace -ClassName $className -PropertyName “Default” -PropertyType ‘String’ -IsKey

Add-WMIClassProperty -Namespace $namespace -ClassName $className -PropertyName “IsEnabled” -PropertyType ‘String’
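What the module’s New-WMINamespace, New-WMIClass and Add-WMIClassProperty calls do underneath, written directly against System.Management, for anyone who wants to see the moving parts. This is an added example, not code from the WMI Module; the function names are mine, and the namespace, class and property names are the ones from the examples above. Creating a namespace under root requires an elevated session.

```powershell
# Added example (not the WMI Module's own code): create a custom WMI namespace, a
# class with a key property, and an instance, using System.Management directly.
# Run elevated. Names follow the module examples above.

function New-CustomWmiNamespace {
    param([string]$Root = 'root', [Parameter(Mandatory)][string]$Name)
    # A namespace is an instance of the system class __Namespace in its parent.
    $existing = Get-WmiObject -Namespace $Root -Class __Namespace -Filter "Name='$Name'"
    if ($existing) { return $existing }
    $ns = ([wmiclass]"${Root}:__Namespace").CreateInstance()
    $ns.Name = $Name
    $ns.Put() | Out-Null
    Get-WmiObject -Namespace $Root -Class __Namespace -Filter "Name='$Name'"
}

function New-CustomWmiClass {
    param(
        [Parameter(Mandatory)][string]$Namespace,
        [Parameter(Mandatory)][string]$ClassName,
        # Property name -> @{ Type = [System.Management.CimType]; Key = [bool] }
        [Parameter(Mandatory)][System.Collections.IDictionary]$Properties
    )
    # An empty path creates a new, unsaved class in the given namespace.
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    foreach ($name in $Properties.Keys) {
        $spec = $Properties[$name]
        $class.Properties.Add($name, $spec.Type, $false)
        if ($spec.Key) { $class.Properties[$name].Qualifiers.Add('Key', $true) }
    }
    $class.Put() | Out-Null
    [wmiclass]"${Namespace}:${ClassName}"
}

# Equivalent of the module examples: Namespace1 under root, Class1 with a key
# property "Default" and a string property "IsEnabled".
New-CustomWmiNamespace -Root 'root' -Name 'Namespace1' | Out-Null
New-CustomWmiClass -Namespace 'root\Namespace1' -ClassName 'Class1' -Properties ([ordered]@{
    Default   = @{ Type = [System.Management.CimType]::String; Key = $true }
    IsEnabled = @{ Type = [System.Management.CimType]::String; Key = $false }
}) | Out-Null

# Populate one instance, then read it back the way a script or inventory would.
Set-WmiInstance -Namespace 'root\Namespace1' -Class 'Class1' `
                -Arguments @{ Default = 'Baseline'; IsEnabled = 'True' } | Out-Null
Get-WmiObject -Namespace 'root\Namespace1' -Class 'Class1' | Select-Object Default, IsEnabled
```

One caveat before you start storing data this way: the new namespace inherits its security descriptor from root, which by default lets Authenticated Users read it, so a custom namespace is fine for configuration flags and inventory markers and the wrong place for anything secret.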

 

Keyboard Stops Working on Windows 8.1 System

This morning I came into my office to find a lovely little surprise. I sat down and logged in as usual; however, once at my Windows 8.1 Update desktop, the keyboard stopped working. Windows key, all individual characters, function keys, etc. Nothing worked. Not exactly what I wanted to deal with on a Monday morning.

Ok, no worries, I have other systems I can use to troubleshoot with. I grabbed my Surface Pro 2 (also running Windows 8.1 Update)… Same issue. Again, not what I wanted to deal with on a Monday morning. So, I grabbed my Windows 8.1 laptop (yes, I have many many devices to test with). Logged in and…. Thank The Lord! The keyboard works!

Ok, on to Bing to search out for possible solutions since all of these systems were working last Friday. I found a number of entries from last year with the initial release of Windows 8.1 however many of them suggested changing a BIOS setting related to UEFI. Considering the fact that my desktop wasn’t running in UEFI mode, I quickly ruled that out as a possible solution.

At last after a few minutes of searching (and countless attempts at reinstalling drivers), I came across this Microsoft Community entry:

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/system-makes-clicking-noise-while-typing/4d3dba7d-9bff-49d5-81d4-498ab5f05496

 

Ok, so I wasn’t running Windows 7, but I decided to check it out anyway. I went to the Charms menu > Change PC Settings > Ease of Access > Keyboard on each of my Windows 8.1 (Update) systems. Sure enough, the Filter Keys setting was enabled on the two systems that weren’t working.

Side note: the systems with this setting enabled were also emitting a “clicking” sound each time I pressed a key.

Disabled that setting and BAM!, keyboard started working again. I was able to reproduce this issue on multiple devices as well so it’s not an isolated incident.

ConfigMgr2012 PowerShell Module v1 Released!!!

Today I’d like to announce the v1 release of my own custom PowerShell Module for use with ConfigMgr 2012 R2.  This module was developed over the course of the last year (as I’ve had time) to address some shortcomings in earlier versions of the ConfigMgr PowerShell cmdlets, namely bugs when creating script-based Deployment Types.  In addition, I recently demo’d the functionality of this module at the Central Texas Systems Management User Group.

Overview

  • Credits
  • Download the Module
  • Module Functions

Credits

I have to give credit to a few people for some of the functions in this module.  Some of the functions were pulled from other existing modules or derived from blog posts and organized into this module to cut down on the references I needed to have.

 

Download Now

I’ve created a new project in CodePlex to host the installer, source code, documentation etc.  Please head on over to https://configmgr2012module.codeplex.com/ to download the module.  If you’d like to contribute, you may contact me at dustinhedges AT outlook DOT com or send me a message on the blog.

 

Module Functions

This release of the module contains 20 functions.  All of these functions have been tested on Configuration Manager 2012 R2.  My testing was limited to specific functionality so there may be bugs.  Please submit any feedback or issues via Codeplex.

  • Add-SCCMDependencyGroup
  • Add-SCCMDeploymentType
  • Add-SCCMEnhancedDetectionMethod
  • Add-SCCMRequirementRule
  • Copy-SCCMDependencyGroup
  • Copy-SCCMRequirementRule
  • Get-SCCMApplication
  • Get-SCCMApplicationObject
  • Get-SCCMAuthoringScopeID
  • Get-SCCMDeployment
  • Get-SCCMGlobalCondition
  • Import-SCCMAssemblies
  • New-SCCMApplication
  • New-SCCMApplicationObject
  • New-SCCMDeploymentType
  • New-SCCMDeploymentTypeReturnCode
  • New-SCCMEnhancedDetectionMethod
  • New-SCCMGlobalConditionsRule
  • Save-SCCMApplication
  • Save-SCCMApplicationObject