#HASMUG16 Automate Securing Windows 10 – It starts with UEFI – Compelling events

Shaun Cassells speaking at HASMUG 2016 about getting to Windows 10 with UEFI and Secure Boot

Today I had a wonderful time speaking at HASMUG.  One of the biggest issues is getting to Windows 10 securely, which starts with UEFI configured and Secure Boot enabled.  I will write a blog post about the need for that security shortly.  This post collects the links to resources about compelling events to go to Windows 10.

Windows 10 Compelling events

I am going to skip all the obvious reasons like W10 is better than previous versions.  Lots of posts on that elsewhere.

Windows 7 goes End of Life (EOL) Jan 14 2020 (less than 38 months)

TL;DR

Like the end of XP support, you will have to migrate soon.  Better get off Windows 7 before it goes EOL on Jan 14 2020.  How long did your W7 project take … 2 years?  Then you need to start in January 2017… in 3 months.

Product                    Lifecycle Start Date   Mainstream Support End Date   Extended Support End Date
Windows 7 Service Pack 1   2/22/2011              1/13/2015                     1/14/2020


Microsoft Modern Lifecycle Policy

TL;DR

Previously you would do a major OS upgrade every 5-7 years (NT > 2000 > XP > W7).  With the Modern Lifecycle you are now doing a full OS upgrade at least once per year.  Microsoft is talking about a cadence of 4 OS updates a year by 2018.  1E can make the change from W7 to W10 an automated process with SCCM, and every current branch afterwards.

Details

Came into effect Aug 25th 2016.  Short version: the official verbiage is that Microsoft only supports currently supported versions (usually a less than 1 year time frame) and you must be paying money to get support.  Much faster than the old 5 + 5 model.  Change is coming fast and furious.  What is this Change Control you speak of?

  1. Customers must stay current as per the servicing and licensing requirements published for the product or service.

    • Nothing surprising here, except almost always less than 1 year now.  Just look at LifeCycle dates.
  2. Customers must have the rights to use the product or service.

    • You have to own / pay for it.  This is usually now a monthly SaaS model versus perpetual licensing.
  3. Microsoft must currently offer support for the product or service.

The FAQ document defines Staying Current:

To stay current, a customer must accept all servicing updates and apply them within a specific timeframe, per the licensing and service requirements for the product or service. The requirements may be found under the Notes column when searching by offering on the Microsoft Product Lifecycle Search page.

What happens if a Roll-up Patch breaks apps… how do I Stay Current?

Generally, customers may contact Microsoft for support for products within their lifecycle if they encounter an issue with an updated product in their environment. If a customer rolls back a patch due to an issue related to it, Microsoft will work to fix the problem so the customer can stay current. If a customer calls about something unrelated, Microsoft will help them install the patch and then will try to resolve the new issue.

Microsoft Applications that are relevant to this post

  • Microsoft System Center Configuration Manager (SCCM) Current Branch
  • Windows 10 servicing model
  • Office 365 (O365) – Online Services support Policy

References

Windows 10 Embracing Silicon Innovation

TL;DR

All new hardware only supports Windows 10 and will not support Windows 7 nor 8.1

Details

At the release of Windows 10 (1507) Microsoft partnered with all the silicon manufacturers to reduce cost and increase innovation.  Okay…so?  Well, they did it by stating that all future silicon will NOT support the Windows 7 or 8.1 operating systems, and that Intel Skylake (6xxx) CPUs would be the last silicon to support Windows 7 or 8.1.  This is a big deal, as in the past year AMD and Intel have released new silicon.

Future silicon platforms including Intel’s upcoming 7th Gen Intel Core (Kaby Lake) processor family and AMD’s 7th generation processors (e.g. Bristol Ridge) will only be supported on Windows 10, and all future silicon releases will require the latest release of Windows 10.
Read more at https://blogs.windows.com/business/2016/08/11/updates-to-silicon-support-policy-for-windows/#yIdxcdjvkSkH55HT.99

Wow, no longer able to downgrade.  You are going to W10 if you buy new hardware.  You’re welcome.

1E

Are you ready to go to Windows 10?  A free assessment tool for hardware, software, and security. – https://www.1e.com/intelligence

1,800 – the average number of applications an enterprise manages

https://www.1e.com/resource-center/software-usage-report/

1E Nomad

How 1E Nomad Works – A Video

1E Nomad reduces the need for servers and network impact

This CoreTech Article is great at showing measured real world network savings by 1E Nomad.

This means we not only use only available bandwidth via ReverseQOS, we also elect a single master to go across the WAN on an SCCM deployment (unlike Peer Cache, which only shares after a client has everything).  Great for Azure hosted or cloud DPs to save tons of money (transfer data once if it is not already locally available – no servers).

Comparing BIOS to UEFI Solutions

https://www.1e.com/blogs/2016/10/18/comparing-bios-uefi-solutions/

Preparing for Windows 10 and UEFI at Microsoft Ignite: Full Presentation

https://www.1e.com/blogs/2016/10/18/preparing-windows-10-uefi-microsoft-ignite-full-presentation

1E Support Policy is 30 days after OS or SCCM CB releases (requires customer login)

https://1eportal.force.com/apex/SupportforMicrosoftRapidReleaseCycle?sfdc.tabName=01r61000000hng0

View from the Stage


Microsoft Oct 26th 2016 announcement rumors

Microsoft has announced an event to take place at Microsoft Stores around the world on Oct 26th 2016.  There are price drops of at least $150 for Surface Pro 4 and Surface Book, and end of life for the Microsoft Band.  I hope we get to see some new and exciting products.

Office Hub rumors with HoloShell, HomeHub, UWP File Explorer, and more.   An Amazon Echo competitor?

The Nintendo NX announcement on Oct 20th means console changes are happening again.  Project Scorpio was teased for 2017 announcement.

Windows 10 Redstone 2 … 14951 is out for Windows Insiders today.  Not likely as the builds have been coming really fast and we haven’t done any bug smashing yet.

Surface Desktop (desktops aren’t dead yet?) – for some reason we need something fixed to a desk again.  Project Cardinal is the code name floating around.

Conflicting news about a delay of Surface Pro 5 and Surface Book 2 until next year.

Surface Phone?   I only hear rumors that they exist but that would be sold more places than Microsoft Stores.

Project Centennial push for older Win32 games and apps… possibly, but that doesn’t sound like something you can buy.

Microsoft Band is dead in 2016.  So no MS band 3.

I will unfortunately miss the 9 am CT Austin Domain store reveal as I will be flying to LAX at that time.  Should be fun.  So many projects going on at MS.  Will be nice to see some transparency.


ConfigManagerErrorCode. A practical use for Missing / Bad Drivers after Windows 10 OSD


While working through a TechNet / Docs page recently I spotted a new (no idea how long it has been there) property in a ton of classes.

ConfigManagerErrorCode

At first I thought it was related to Microsoft System Center Configuration Manager (SCCM) 2012 Current Branch (CB).  Nope, apparently it is an attribute added to tons of WMI CIM and Win32 classes.  Very useful to figure out, with details, why things are not functioning correctly.  An oversimplified version is shown in the Windows GUI…


..but ConfigManagerErrorCode provides details.  Okay great, I found a property I didn’t know about.  How does this help anyone?

Doing Windows 10 Operating System Deployment (OSD) at scale and for Windows Insiders, I frequently find post-migration driver issues.  Too much time is spent guessing what those errors are.  The example below is about finding devices whose drivers are not in a functioning status.

Example of using ConfigManagerErrorCode to find Machines with Device Driver issues

The PNP Entity class is populated with the same information you find in Device Manager (devmgmt.msc) – https://technet.microsoft.com/en-us/library/cc754081(v=ws.11).aspx (See the picture above).  Which is great if you are logged in and have free time.

Win32_PNPEntity class allows you to query a machine remotely either via PowerShell (below) or via SCCM CB Hardware Inventory Classes (HINV) further down.  Good news SCCM gathers this class and property by default.

Win32_PNPEntity https://msdn.microsoft.com/en-us/library/aa394353(v=vs.85).aspx

Any device whose ConfigManagerErrorCode is not 0 has a driver issue.  Look at the link above and search for ConfigManagerErrorCode to translate the non-zero values.  I found a ton with status 28, and then went out to the OEM for the drivers.

PowerShell for PNP devices with issues

Get-WmiObject Win32_PNPEntity | Where-Object{$_.ConfigManagerErrorcode -ne 0}


PowerShell for PNP Devices that are not available

Great but what about machines where the device is not available?

Get-WmiObject Win32_PNPEntity | Where-Object{$_.Availability -eq 11 -or $_.Availability -eq 12 -or $_.Availability -eq 19 -or $_.Availability -eq 20}

Great, now let’s make this readable output.

#For formatting:
$result = @{Expression = {$_.Name}; Label = "Device Name"},
          @{Expression = {$_.ConfigManagerErrorCode} ; Label = "Status Code" },
          @{Expression = {$_.Availability} ; Label = "Availability" }

#Checks for devices whose ConfigManagerErrorCode value is greater than 0 (i.e. a problem device) or whose Availability says the device is not usable.
Get-WmiObject -Class Win32_PnpEntity -ComputerName localhost -Namespace Root\CIMV2 |
    Where-Object {$_.ConfigManagerErrorCode -gt 0 -or $_.Availability -eq 11 -or $_.Availability -eq 12 -or $_.Availability -eq 19 -or $_.Availability -eq 20 } |
    Format-Table $result -AutoSize
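The following is an added example, not code from the original post, that does the same query with Get-CimInstance, works against a list of computers (remote access assumes WinRM is reachable), and translates the numeric code into the text from the Device Manager error-code reference (KB310123) so the report is readable without a lookup. The $DeviceManagerErrorText table only carries the commonly seen codes; anything else falls back to a pointer at the reference.

```powershell
# Added example: PnP devices with a problem code or an unavailable state, with the code translated.
# Code meanings are from the Device Manager error-code reference (KB310123); only common codes are listed.
$DeviceManagerErrorText = @{
    1  = 'Not configured correctly'
    10 = 'Cannot start'
    12 = 'Not enough free resources'
    14 = 'Cannot work properly until the computer is restarted'
    18 = 'Reinstall the drivers'
    19 = 'Registry information is corrupted'
    22 = 'Disabled'
    24 = 'Not present, not working properly, or drivers missing'
    28 = 'Drivers for this device are not installed'
    31 = 'Cannot load the drivers required'
    43 = 'Windows stopped this device because it reported problems'
    45 = 'Not currently connected to the computer'
    52 = 'Cannot verify the digital signature for the drivers'
}
# Availability values from the CIM_LogicalDevice definition; the post filters on these four.
$AvailabilityText = @{ 11 = 'Not Installed'; 12 = 'Install Error'; 19 = 'Not Ready'; 20 = 'Not Configured' }

function Get-PnpDeviceProblem {
    [CmdletBinding()]
    param(
        # One or more computer names; defaults to the local machine (remote queries assume WinRM)
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($computer in $ComputerName) {
        $cim = @{ ClassName = 'Win32_PnPEntity'; Namespace = 'root\cimv2' }
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

        Get-CimInstance @cim |
            Where-Object { $_.ConfigManagerErrorCode -ne 0 -or $_.Availability -in 11,12,19,20 } |
            ForEach-Object {
                # WMI returns UInt32/UInt16; cast to [int] so the hashtable keys (Int32) match
                $code  = [int]$_.ConfigManagerErrorCode
                $avail = [int]$_.Availability
                $codeText = if ($DeviceManagerErrorText.ContainsKey($code)) { $DeviceManagerErrorText[$code] } else { 'See KB310123' }
                $availText = if ($AvailabilityText.ContainsKey($avail)) { $AvailabilityText[$avail] } else { '' }
                [pscustomobject]@{
                    ComputerName     = $computer
                    DeviceName       = $_.Name
                    DeviceID         = $_.DeviceID
                    Manufacturer     = $_.Manufacturer
                    StatusCode       = $code
                    StatusText       = $codeText
                    Availability     = $avail
                    AvailabilityText = $availText
                }
            }
    }
}

# Usage: local report on screen, or a fleet report to CSV for the OEM driver hunt
Get-PnpDeviceProblem | Format-Table DeviceName, StatusCode, StatusText, AvailabilityText -AutoSize
# Get-PnpDeviceProblem -ComputerName 'PC001','PC002' | Export-Csv .\pnp-problems.csv -NoTypeInformation
```

Code 28 (drivers not installed) is the one the post reports seeing in bulk after OSD; code 52 (driver signature cannot be verified) is worth watching separately on UEFI/Secure Boot builds, since an unsigned driver will also be blocked from loading there.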

SCCM CB Collection

Cool. This means I can quickly get a report on nonfunctional or unavailable PNP devices in seconds.  Creating a collection in SCCM CB is just as easy.  Here is the same query in WQL, used as a collection membership query.

Select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_System.Name,
SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainOrWorkgroup,
SMS_R_System.Client

From SMS_R_System inner join SMS_G_System_PNP_DEVICE_DRIVER on 
SMS_G_System_PNP_DEVICE_DRIVER.ResourceID = SMS_R_System.ResourceID

Where SMS_G_System_PNP_DEVICE_DRIVER.ConfigManagerErrorCode != 0 or 
 SMS_G_System_PNP_DEVICE_DRIVER.Availability in (11,12,19,20)

Parting Thought

I wrote a post about SMART hard drive queries a while ago.  The Win32_DiskDrive class also has the ConfigManagerErrorCode property with useful details.

Reference Information

Device Manager Error Codes

https://support.microsoft.com/en-us/kb/310123

SCCM Just for Reference (not what we are talking about today)

About Configuration Manager Errors (SCCM Errors) https://msdn.microsoft.com/library/hh442812.aspx

Classes with ConfigManagerErrorCode

Class Link
CIM_AggregatePExtent
CIM_AggregatePSExtent
CIM_AlarmDevice
CIM_Battery
CIM_BinarySensor
CIM_CacheMemory
CIM_CDROMDrive
CIM_Controller
CIM_CoolingDevice
CIM_CurrentSensor
CIM_DesktopMonitor
CIM_DiscreteSensor
CIM_DiskDrive
CIM_DisketteDrive
CIM_DiskPartition
CIM_Display
CIM_Fan
CIM_FlatPanel
CIM_HeatPipe
CIM_InfraredController
CIM_Keyboard
CIM_LogicalDisk
CIM_MagnetoOpticalDrive
CIM_ManagementController
CIM_MediaAccessDevice
CIM_Memory
CIM_MultiStateSensor
CIM_NetworkAdapter
CIM_NonVolatileStorage
CIM_NumericSensor
CIM_ParallelController
CIM_PCIController
CIM_PCMCIAController
CIM_PCVideoController
CIM_PhysicalExtent
CIM_PointingDevice
CIM_PotsModem
CIM_PowerSupply
CIM_Printer
CIM_Processor
CIM_ProtectedSpaceExtent
CIM_Refrigeration
CIM_Scanner
CIM_SCSIController
CIM_Sensor
CIM_SerialController
CIM_StorageExtent
CIM_StorageVolume
CIM_Tachometer
CIM_TapeDrive
CIM_TemperatureSensor
CIM_UninterruptiblePowerSupply
CIM_USBController
CIM_USBDevice
CIM_USBHub
CIM_UserDevice
CIM_VideoController
CIM_VolatileStorage
CIM_VoltageSensor
CIM_VolumeSet
CIM_WORMDrive
Win32_1394Controller
Win32_Battery
Win32_Bus
Win32_CacheMemory
Win32_CDROMDrive
Win32_CurrentProbe
Win32_DesktopMonitor
Win32_DiskDrive
Win32_DiskPartition https://msdn.microsoft.com/en-us/library/aa394135(v=vs.85).aspx
Win32_Fan
Win32_FloppyController
Win32_FloppyDrive
Win32_HeatPipe
Win32_IDEController
Win32_InfraredDevice
Win32_Keyboard
Win32_LogicalDisk
Win32_MappedLogicalDisk
Win32_MemoryArray
Win32_MemoryDevice
Win32_MotherboardDevice
Win32_NetworkAdapter https://msdn.microsoft.com/en-us/library/aa394216(v=vs.85).aspx
Win32_ParallelPort
Win32_PCMCIAController
Win32_PnPEntity https://msdn.microsoft.com/en-us/library/aa394353(v=vs.85).aspx
Win32_PointingDevice
Win32_PortableBattery
Win32_POTSModem
Win32_Printer
Win32_Processor
Win32_Refrigeration
Win32_SCSIController
Win32_SerialPort
Win32_SMBIOSMemory
Win32_SoundDevice
Win32_TapeDrive
Win32_TemperatureProbe
Win32_USBController
Win32_USBHub
Win32_VideoController
Win32_VoltageProbe
Win32_Volume https://msdn.microsoft.com/en-us/library/aa394515(v=vs.85).aspx

Google Search Terms

Configurationmanagererrorcode Configuration Manager Error Code ConfigManagerError Code WMI Driver Error code

ThanksAgain.com points at Airports

I travel a lot.  A long time ago I realized the rewards programs were great for getting something for doing nothing, given how much I travel.  Most people know the airline, car, hotel, and train travel programs.  ThanksAgain is one more, for airports.

Note: The website encourages you to download the app.  I registered straight from the website.

Once everything is registered you’ll get emails like:

Hi Shaun,
You have earned 25 miles with your transaction listed below.
Amount: $9.65
Date: 10/06/2016
Merchant: Uber

Thanks Again

Earn Points in Over 100 Airports and 1000s of Merchants

Life as a frequent traveler is complicated enough. That’s why we’ve made earning points with Thanks Again® refreshingly simple. All you have to do is download our multi-airport app, enroll your Visa®, MasterCard® or American Express® credit or debit card(s) and use it to shop, park or dine in and around our more than 100 participating airports.

That’s it! It’s EASY, FREE and SECURE and you’ll automatically accumulate points above and beyond what you’ve already been earning from your existing airline and hotel loyalty programs.

Don’t want to download the App? Click “Register” above to get started.

When you’ve accumulated enough points to redeem for that long-awaited getaway, choose from a varying array of reward options including cash back, airline miles, hotel points, TSAPrecheck and other airport perks.

Collect SMART hard drive status in ConfigMgr inventory


Recently, while working through preflight checks for a Windows 10 (W10) Redstone 1607 deployment, we realized there were some spinning platter drive failures.  To help identify potentially failing machines we were looking for the hard drive SMART status field.  Turns out it is not gathered by default in SCCM.  The following walks you through it.

Win32_DiskDrive contains this info under the Status field.  It does not appear to be enabled by default (might just be the environment I am looking at).

I would suggest ensuring that the following are enabled:
• Caption
• Status
• Capabilities (Optional to see if bit 10 is set – SMART enabled)

PowerShell example

$wmi = gwmi -class win32_diskdrive
# Straight quotes: the original used curly quotes, which do not survive copy/paste reliably
foreach($drive in $wmi){$drive.caption + ": " + $drive.status}

WMIC Example

WMIC DiskDrive GET Caption,status
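As an added example (not from the original post), the script below extends the two one-liners above into a function that reports Status, whether the drive advertises SMART (Capabilities value 10, the "SMART Notification" bit the post mentions), and the driver's failure-prediction flag from the MSStorageDriver_FailurePredictStatus class in root\wmi. It assumes local administrator rights (the root\wmi class needs elevation) and that the storage driver exposes the prediction class; the matching of that class's InstanceName to Win32_DiskDrive.PNPDeviceID by stripping a trailing "_n" suffix is an assumption, so drives that cannot be matched show PredictFailure as empty rather than as healthy.

```powershell
# Added example: disk Status plus SMART capability and predict-failure flag.
function Get-DiskSmartStatus {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cim = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # Predict-failure data lives in root\wmi and is keyed by the driver's InstanceName,
    # which is the PnP device ID plus a "_0" style suffix (assumption; unmatched drives get $null)
    $predict = @{}
    try {
        Get-CimInstance @cim -Namespace 'root\wmi' -ClassName 'MSStorageDriver_FailurePredictStatus' -ErrorAction Stop |
            ForEach-Object {
                $key = ($_.InstanceName -replace '_\d+$', '').ToLower()
                $predict[$key] = [bool]$_.PredictFailure
            }
    } catch {
        Write-Warning "Failure-prediction class not available: $($_.Exception.Message)"
    }

    Get-CimInstance @cim -ClassName 'Win32_DiskDrive' | ForEach-Object {
        $key = "$($_.PNPDeviceID)".ToLower()
        $predictFailure = if ($predict.ContainsKey($key)) { $predict[$key] } else { $null }
        [pscustomobject]@{
            Caption        = $_.Caption
            Status         = $_.Status                             # "OK", "Pred Fail", "Degraded", ...
            SmartCapable   = [bool]($_.Capabilities -contains 10)  # 10 = SMART Notification
            PredictFailure = $predictFailure
            InterfaceType  = $_.InterfaceType
            SizeGB         = [math]::Round($_.Size / 1GB, 1)
        }
    }
}

# Usage: list every drive, then only the ones that are not plainly healthy
Get-DiskSmartStatus | Format-Table -AutoSize
Get-DiskSmartStatus |
    Where-Object { $_.Status -ne 'OK' -or $_.PredictFailure -eq $true } |
    Format-Table Caption, Status, PredictFailure -AutoSize
```

Status alone is the field SCCM can inventory (next section); the predict-failure flag is the extra signal you get when running the check directly on the machine during preflight.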

System Center Configuration Manager (SCCM) Current Branch (CB)

This status field is NOT collected by default in SCCM.  To have Hardware Inventory gather this information in your environment you must enable this class in Client Settings:

  1. Open SCCM Console
  2. Select the Administration node (bottom left)
  3. Select Client Settings (middle left)
  4. Select the Client Settings you want to modify.
    1. Best practice is to create a policy and not use the Default Client Settings.  As this is my lab I did use Default Client Settings.
    2. If you create a new one, then you need Hardware Inventory enabled in it.
  5. Select Set Classes
  6. (screenshot in the original post)
  7. Filter on Win32_DiskDrive
  8. Expand out the class, then select the Status field
  9. Ok
  10. Ok

If you changed the Default Client Settings it will automatically be sent out to every client in the environment.  The v_GS_Win32_DiskDrive view will be updated with the Status field.  Use the Reference section below to understand what these values mean.  I also found that the ConfigManagerErrorCode field is not being read either, but I am not sure yet where it ends up.

Reference

Win32_DiskDrive class

http://msdn.microsoft.com/en-us/library/windows/desktop/aa394132(v=vs.85).aspx

Status

Data type: string
Access type: Read-only
Qualifiers: MaxLen (10), DisplayName (“Status”)

Current status of the object. Various operational and nonoperational statuses can be defined. Operational statuses include: “OK”, “Degraded”, and “Pred Fail” (an element, such as a SMART-enabled hard disk drive, may be functioning properly but predicting a failure in the near future). Nonoperational statuses include: “Error”, “Starting”, “Stopping”, and “Service”. The latter, “Service”, could apply during mirror-resilvering of a disk, reload of a user permissions list, or other administrative work. Not all such work is online, yet the managed element is neither “OK” nor in one of the other states.

This property is inherited from CIM_ManagedSystemElement.

Values are:

OK (“OK”)
Error (“Error”)
Degraded (“Degraded”)
Unknown (“Unknown”)
Pred Fail (“Pred Fail”)
Starting (“Starting”)
Stopping (“Stopping”)
Service (“Service”)
Stressed (“Stressed”)
NonRecover (“NonRecover”)
No Contact (“No Contact”)
Lost Comm (“Lost Comm”)


USMT Estimate when really small should be set to a value of 1 during an SCCM OSD TS

Problem: the USMT Estimate tool rounds to a value of zero if the value is less than 1 meg

Background

I have been playing with the User State Migration Tool (USMT) Estimate switch recently.  USMT Estimate has been around since 2008 at least.  I found a scenario where the size returned may be less than 1 meg but above zero.  However, the USMT estimate result apparently rounds down to zero, and that may cause issues.

SCCM TS

During an OSD TS in SCCM you run a variation of the following command line:

ZTIUserStateEstimate.wsf /USMTMigFiles001:MigApp.xml /USMTMigFile002:MigUser.xml

This populates an SCCM TS variable:

%USMTEstimate%

Check out the free 1E.com tool called TSEnv2.exe to read and modify variables on the fly (even hidden or protected ones)

Solution

Add a Set Task Sequence Variable step to the TS just after the USMT Estimate step.


  1. Task Sequence Variable = USMTEstimate
  2. Value = 1


On the Options Tab create a quick logic test.

  1. Add Condition
  2. Task Sequence Variable
  3. Variable = USMTEstimate
  4. Less than
  5. Value = 1


This will sort the issue of very small USMT data being dropped.  True, it does force every machine to have at least one bit of backed-up data, but that is a minor concern if you have 1E Nomad Peer Backup Assistant or SCCM State Migration Points everywhere.
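The same floor can be applied from a Run PowerShell Script step placed right after the USMT Estimate step instead of the Set Task Sequence Variable step with a condition. This is an added example, not from the original post; it assumes it runs inside an SCCM task sequence, where the Microsoft.SMS.TSEnvironment COM object is available, and it also handles the case where the estimate variable is empty or non-numeric, which the Options-tab condition does not cover.

```powershell
# Added example: force USMTEstimate to at least 1 from inside the task sequence.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$raw = $tsenv.Value('USMTEstimate')

# An empty or non-numeric value is treated as 0 so the floor below still applies
$estimate = 0.0
if (-not [double]::TryParse($raw, [ref]$estimate)) {
    $estimate = 0.0
}

if ($estimate -lt 1) {
    # The estimate was rounded down (or missing); set the floor so the state store is not skipped
    $tsenv.Value('USMTEstimate') = '1'
    Write-Output "USMTEstimate was '$raw'; set to 1"
} else {
    Write-Output "USMTEstimate is $estimate; left unchanged"
}
```

The Write-Output lines land in smsts.log, which is the easiest place to confirm the step fired on the machines that had a sub-1 estimate.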


Great Reference

Great script from Jason Sandys to add it to your HINV – http://blog.configmgrftw.com/collecting-usmt-estimates-using-configmgr/