Tag Archives: microsoft

SCEP 2012 R2 – Updated ADMX Template for the February Update – KB3041687

The revised February update for Microsoft Endpoint Protection products is out (KB3041687) and brings with it a couple of changes to registry keys introduced in the first February update.

This update deprecates the DisableGenericReports subkey and adds a new DWORD called SubmitSamplesConsent to the following place:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

This new key will allow configuration of sample submissions to Microsoft for analysis.

I have added these updates to my ADMX template for SCEP 2012 R2, which can be downloaded from GitHub.

Notes from KB3036437

Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.

Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:

MAPS Configuration

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SpyNetReporting
DWORD values:

  • 0 – Off
  • 1 – Basic Membership
  • 2 – Advanced Membership

Sample Submission

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SubmitSamplesConsent
DWORD values:

  • 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
  • 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
  • 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
  • 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.

Microsoft Dynamics AX 2012 – Importing and exporting users with PowerShell

Over the past couple of months I’ve occasionally been working with Microsoft Dynamics AX 2012 and moving model and data sets between different environments.

Once of the downsides to this is overwriting the user and role memberships at the destination. To combat this, I had two options, the AX Data Import/eXport Framework (DIXF), or the AX PowerShell module. I think you can guess which one I went for!

Unfortunately the AX module need to be loaded in a wonderfully manual way and there are a lot of features not provided. The cmdlets even have a horrible lack of support for the very things that make PowerShell so great, like pipelining!

Even lacking these things, it’s still PowerShell, so I soldiered on. It took a little while and some features still have to be implemented, but the two scripts allow users to be imported and exported to/from a CSV, which is good enough to release for a first version.

The two scripts can be downloaded from GitHub.

There are also some features I’ll implement if I get the time, such as complete overwrite on import and support for importing/exporting user data from remote servers.

SCCM 2012 R2 – Problems with SCEP 2012 R2 and Group Policy Results

We ran into an issue yesterday with Group Policy Results when using SCEP 2012 R2, the problem exactly follows this particular issue on the TechNet Forums, but appears to affect a couple of extra registry keys.

It’s really unfortunate that this still isn’t fixed in SCCM 2012 R2, having also been an issue in 2012, as the post describes.

To resolve the problem, I used my existing SCEP Group Policy ADMX template in creating a GPO to replicate the default settings pushed out to clients with SCCM, which solves the problem, as the exceptions and settings we push out to standard clients aren’t any different from the Microsoft recommended settings.

In the GPO I had to specify the exclusion settings and also the default threat actions, which are specified in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction

Previously these settings were defined as REG_DWORD, but need to be REG_SZ, as shown below:

ThreatSeverityDefaultAction

SCCM 2012 R2 – Updating and configuring HP ProBook 650 G1 BIOS in a task sequence

This post is mostly a follow up to my guide on updating other HP ProBook BIOS in a task sequence. If you haven’t read that, this might not be of too much use to you!

The Problem

When updating a HP ProBook 650 G1 BIOS, I ran into a couple of small issues. This mostly related to an undocumented switch being required for the HPBIOSUPDREC tool. The BIOS update would always cause the computer to perform an unexpected reboot, which would break the task sequence.

The command line I was using was:

HPBIOSUPDREC.exe -s -pBIOSPW.bin -fL77_0120.bin

This would cause the BIOS to update, but then the computer would reboot without returning an exit code to SCCM, causing the task sequence to fail. Searching around, I found this post on the HP support forums, which pointed me in the right direction. Thanks

The Solution

The correct command line to update the HP BIOS for the ProBook 650 G1 is as follows:

HPBIOSUPDREC.exe -s -r -pBIOSPW.bin -fL77_0120.bin

This -r switch appears to be undocumented, which is a shame really, but this prevents the reboot without exit code. The command now returns a correct exit code and lets SCCM reboot the computer gracefully.

Putting it into Practice

In the SCCM package, I’ve placed both the HPBIOSUPDREC tool and the BIOS binary file. The task sequence runs it as shown below:

650G1-1

650G1-2

The WMI query makes sure it only runs on the selected/supported HP ProBook 640 G1 and 650 G1’s we have in our environment. There’s no danger in making this query less specific, as the update tool will only flash machines that the update is applicable to. I have also added the exit codes 273 and 282, which are exit codes for “BIOS is already same version” (273) and BIOS installed is newer than the one set to install (272).

SCEP 2012 R2 – Group Policy ADMX Template: Updated

A quick followup to my earlier post on the SCEP 2012 ADMX template, I was working today with our Citrix environment and needed to remove visibility of the SCEP client interface.

Fortunately, there is an option in the SCCM Endpoint Protection policies, so I know the functionality to do this is there. This doesn’t seem to have been an option in Forefront Endpoint Protection (FEP) 2010, otherwise it would have been in the original policy template.

The value for this is “UILockdown” and is found next to the other UX configuration settings for SCEP:

HKLM\Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\UILockdown
(1 for disabled, 0 for enabled)

I’ve updated the ADMX template to make this new setting visible, the changes I’ve made to the template are here for the ADMX and here for the ADML.

The files can be downloaded here. I’ll also continue to update the template as I find other settings that weren’t present in FEP 2010.

SCCM 2012 R2 – Updating and configuring HP ProBook 6470b/6570b BIOS in a task sequence – Part 3

If you’ve come to this post directly, it’s probably useful for you to read through both part 1 and part 2! If however you’ve already got that under your belt, read on…

As a recap, you’ll remember that I decided to set up two packages for the configuring and updating of the BIOS. Just in case you want a reference for the BIOS update portaion of the structure, here it is again.

SCCMSources\OSD\Packages
    BIOSUpdate\HP Probook
        BIOSPW.bin              (Encrypted BIOS password)
        HPBIOSUPDREC.exe        (New BIOS update utility)
        hpqFlash.exe            (Old BIOS update utility)
        ProBook6x70bBIOS.cab    (HP Probook 6x70b BIOS file)

Updating the BIOS

This time, most of the hard work is actually done in the Operating System Deployment (OSD) task. The task needs to be set up to call the BIOS flash tool (Either HPBIOSUPDREC.exe or hpqFlash.exe (depending on the BIOS you need to flash). For the 6x70b’s, hpqFlash.exe is the one to use! The call to the BIOS flash tool follows the following syntaxes.

hpqFlash

hpqFlashhelp

As you can guess, the most interesting command line switches to me are -s -p and -f. Please note, I have not tested and am not 100% sure of the other switches. I can imagine -a could be especially dangerous, so please take care!

HPBIOSUPDREC

HPBIOSUPDREChelp

You can see that the switches are exactly the same here, minus the microcode update switch. This is good, as it will make things easier if we automate the selection of flashing tool to use in the future.

biosupdateprops

This is run in the SCCM task sequence, just after the reboot for configuring the BIOS, but again before provisioning or enabling Bitlocker. Again, there should be a “Restart Computer” task directly after this to finalise the update procedure. As you can see, hpqFlash is called directly with the BIOS password and the cab file to install, as well as the silent switch.

biosupdateopts

As per the BIOS configuration task, it is based on the computer model name, so that we dont try to flash an incompatible BIOS. If inconsistencies were found that required a different BIOS for the same model, a seperate task could be created with an additional WMI query to obtain another identifying value. You may also see that an additional success code is added (273) this is the code returned by hpqFlash if the BIOS is already up to date and no action is taken. This allows the task sequence to continue as normal if the BIOS is already up to date.

Again, I hope this has been a helpful guide on your path to automating some of the more annoying parts of the imaging process, usually left as manual tasks. As I’ve said before, please let me know if you’ve got a better way of doing things, or have found some innacuracies with my posts and I’ll sort it out.

SCCM 2012 R2 – Updating and configuring HP ProBook 6470b/6570b BIOS in a task sequence – Part 2

If you’ve come to this post directly, you may want to read through part 1! If not, read on…

In this part, we’ll cover putting the files we’ve got together in a couple of packages and putting them into a task sequence. We’ll also be using WMI to query the computer model, so we don’t try updating the BIOS on a machine it certainly won’t work on.

I’ve set up the files I need in the following hierarchy, and spread the BIOS configuration and update over two packages. You may decide to do it differently.

SCCMSources\OSD\Packages
    BIOSConfig\HP ProBook
        BiosConfigUtility.exe   (BIOS configuration utility - x86)
        BiosConfigUtility64.exe (BIOS configuration utility - x64)
        BIOSPW.bin              (Encrypted BIOS password)
        ProBook6x70bConfig.cfg  (BIOS configuration settings)
        ProBook6x70bConfig.cmd  (BIOS configuration command file)

SCCMSources\OSD\Packages
    BIOSUpdate\HP Probook
        BIOSPW.bin              (Encrypted BIOS password)
        HPBIOSUPDREC.exe        (New BIOS update utility)
        hpqFlash.exe            (Old BIOS update utility)
        ProBook6x70bBIOS.cab    (HP Probook 6x70b BIOS file)
NOTE: “SCCMSources” is my network share I store the SCCM source files to use as the content location for applications and packages. I then have “OSD\Packages” to differentiate these packages as being primarily for OSD task sequences. Hopefully the “BIOSUpdate” and “BIOSConfig” folders will eventually house many folders for different types of laptop, but at the moment it’s a bit bare.

Configuring the BIOS

Most of the magic for configuring the BIOS is done in the file “ProBook6x70bConfig.cmd” (shown below).

This batch file picks the correct version of BiosConfigUtility to run (x86 or x64), then runs it with the configuration file. It runs it first, attempting to get access to the BIOS using a blank password, then set the password along with the configuration. If this completes successfully (exit code 0), that’s it!

However if it fails for some reason (i.e. there’s a BIOS password set) It then runs the second command, which attempts to set the configuration, using the current password. I’ve yet to properly test a parameterized version of this, to allow the configuration to be specified outside of the batch file.

biosconfigprops

This is run in the SCCM task sequence, at the beginning, before provisioning or enabling Bitlocker, but after formatting the drive, so that on the reboot that occurs directly afterward, using an “Restart Computer” task, the boot image can be successfully staged to the hard disk.

biosconfigopts

The options base the running of this task on the computer model name, so that we dont try to configure an incompatible BIOS or some other crazy situation. It’s not too clear in the image, but I’m using the single character wildcard “_” in the model – “SELECT * FROM Win32_ComputerSystem WHERE Model LIKE “HP ProBook 6_70b””

Hopefully this has covered everything that’s needed for yourself to go forth and configure the HP ProBook BIOS in an unattended way! As with most of my posts, please let me know if you’ve discovered improvements or inaccuracies and I’ll attempt to right them!

Read on, where I cover the flashing of the BIOS in part three.