Migrating User Data Using USMT: MECM OSD Deployment

We have been doing migration’s from some old Windows 8.1 devices to Windows 10, We couldn’t do a direct upgrade as the devices where going from 32 to 64bit and needed to reformat the disk to UEFI.

We needed to migrate the users data as to limit the manual work for each device so decided to use User State Migration Tool (USMT).

It’s been a few years since I had to use USMT so thought it would be good to do a post on using USMT.

First I went through the Microsoft USMT documentation.

https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/refresh-an-existing-computer-with-a-new-version-of-windows

https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-technical-reference

https://docs.microsoft.com/en-us/windows/deployment/usmt/understanding-migration-xml-files

We are using MECM 2002 and have installed ADK 1903 which has USMT version 10.

Since the disk is going to be wiped and reformatted we wont be able to save the state to a local partition so we will need to use the state migration point to save content too.

First step is to install and configure state migration point in MECM.

Open the MECM console and go to Administration > site configuration > server and site system roles and select or add the server that will be used as the state migration point

Set the max free space in MB, GB or percentage. we also need to set the boundary group that this state migration point will be associated with.

This slideshow requires JavaScript.

Once the role has been installed we can start to create the task sequence to wipe and reload the device.

We won’t go through creating the TS from scratch in this post.

First step is to check is the capture state task. USMT6By default USMT will use the MigApp.xml and MigDocs.xml to set what will be copied.

To view the xml files you can go to the Windows ADK install location the default location is:

C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64

USMT8

USMT16We will be using the default xml but you can create custom xml’s to customize what files and setting need to be copied and restored.

To set the custom xml select customize how user profiles are captured and click on the files button to add in the xml files. USMT7Once the TS is setup we just need to deploy to a collection so that devices can be added and pick up the wipe and reload TS. USMT9Once deployed either wait for the TS to be picked up or run the client action machine policy and app deployment evaluation. USMT10USMT11We can check the smsts.log file to view what is happening we can see below that the files are being downloaded for the USMT package. USMT12Once the scanstate kicks off you can see the xml files that are used in the log. USMT13USMT14We can check the USMT folder on the state migration point to see if data is being copied. USMT15Once the image is applied, we can check the restore state task in the smsts log. The command will call the loadstate and cause use the default or custom xml files. USMT19USMT20USMT18When the TS has fully finished we can logon to Windows we should see that the devices is running Windows 10 and also has the file and settings migrated.USMT17

 

 

 

 

Export GPO assignments using PowerShell

Recently we wanted to do a review of all our Active Directory Group policy objects (GPO’s), we wanted to see what GPO’s where not assigned or what OU they where assigned, so that we could try to consolidate or remove unused GPO’s.

There was a couple of hundred in each domain, so I didn’t want to have to check each one manually.

There is a PowerShell command that you can run to list all GPO’s but it doesn’t show assignments

GPO1

To get more information on the GPO we can run the command Get-GPOReport which let’s you create either a HTML or XML report.

In this case I want to use an XML as I want to pull information from the xml report, the only issue is getting data directly from a XML report is a bit difficult.

GPO2To read an XML report in PowerShell you can use the typecast to XML by using [xml] in front of the variable which should make querying the content easier. GPO3The only part of the XML that I really want currently is the LinksTo, as this shows where the GPO is assigned. GPO4Once I had all this information I was then able to create the full script. I will put the script up on GitHub since it easier for people to copy the script file.

https://github.com/TheSleepyAdmin/Scripts/tree/master/ActiveDirectory/GPO

Below is the script running GPO5This is what the export will look like.GPO6

 

 

 

 

 

MECM 2002 Cloud Management Gateway Configuration

I have been looking at setting up MECM cloud management gateway (CMG) for a while but haven’t been able to, due to the need for PKI or Azure AD joined.

With the recent release of MECM 2002 this has added a new feature,  that allows token based authentication. I decided to do a test deployment in my lab to see how this would work before deploying to our production environment.

With a CMG we can manage clients that don’t regularly connect back to the cooperate network which has become more of a priority recently.

There is a cost for running the VM’s in Azure that will be used as the CMG and for outbound data transfers. Johan Arwidmark has done a good real world cost estimates for a CMG.

https://deploymentresearch.com/real-world-costs-for-using-a-cloud-management-gateway-cmg-with-configmgr/

First step should be to have a read of the docs for planning a CMG

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway

To use token base authentication require MECM 2002, so that is a pre-requisites for deploying a CMG in this way.

https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token

There will be some required permission in Azure also for deploying the CMG.

  • Account that has Global Admin and Subscription Owner roles.
  • Content filter rules to allow outbound access (If there is a proxy or Firewall filtering traffic)

There will also be a requirement for a cert to be applied to the CMG, it is  recommend to have a third party cert as it should automatically trusted by clients.

From looking through the documents below are the required URL https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/internet-endpoints#cmg-connection-point

*.cloudapp.net

*.blob.core.windows.net

login.microsoftonline.com

Once all pre-requisites have been confirmed we can start to configure the CMG. We will need to pick a unique cloud service name as this will be required later, easiest way to check if the name you have select is unique is to logon to Azure go to cloud services (classic)

CloudService

Once the cloud service has been checked,  then we need to configure the Azure services.

Logon to the MECM console and go to Administration > Cloud services > Azure services.

Click configure Azure servicesCMG1

Give the service a name and select cloud management CMG2

We need to configure a server and client applications CMG5Give the applications a name and sign in to Azure using a account with the required permission CMG3CMG4I just left user discovery enabled. CMG6Click next to finish configuring the Azure services. CMG7Once finished the Azure service should now be showing CMG8The Azure AD tenant should also show with both application we just created. CMG9

 

Once this has all been configured we can now start to setup the CMG.

To start the configuration go to Administration > Cloud services > Cloud Management Gateway

Click Create Cloud Management GatewayCMG10

Select AzurePublicCloud and sign in. (If the subscription ID doesn’t show it might be the account you are using is not an owner of the subscription.)CMG11

Now we need to configure the cloud services, this is where we will use the name we checked earlier.

  • Select the cert file, this needs to be a PFX with the private key (I am using one created on my internal CA but in production I will be using a third party CA like digicert or godaddy)
  • The cert name will be automatically set the deployment services name so this is why we should confirm the name before hand so we can generate the cert with the same name.
  • Select the region the CMG will be configured in
  • Either select a existing or create a new resource group (I chose new one to keep the CMG separate from my other Azure resources)
  • Select the required amount of VM’s this can go up to 16 (for high availability it recommend to configure 2 VM’s at least)
  • Tick the required security authentication I just ticked Enforce TLS 1.2
  • I also ticked using CMG and cloud distribution point

CMG12I left the alerting as default CMG13Just follow the wizard to complete. CMG15

Once completed the CMG should show as provisioning started 

This slideshow requires JavaScript.

We can also logon to Azure to verify the cloud service has been created. CMG18

After the CMG has been configured we then need to install the Cloud management connection point to connect MECM to the CMG.

Go to Administration > site configuration > servers and site system roles, Add the Cloud management gateway connection point to the primary site server in MECM

This slideshow requires JavaScript.

After the role has been configured we need to configure a few steps on the site server, management point and software update point (if installed and configured)

Open the management point properties and tick the allow configuration manager cloud management gateway traffic. (If the tick box for is greyed out there is an additional step required.) 

Go to Administration > site configuration > sites, then configure the primary site to use configuration manager generated certificate in communication security. Once this is done go back to the management point and the tick box should now be available.

CMG27

CMG23CMG24To allow the software update point to communicate with the CMG, tick the allow configuration manager cloud management gateway traffic. CMG26After this has been configured the clients should now pick up a the CMG as a internet based management point in the network tab of client agent properties. CMG25

Once the client moves off the internal network and does a location lookup we should see that the connection type will change to internet from internal. CMG29

We can also check the location services log to see if the CMG is being picked up. CMG28

Connect Windows Admin Center to Azure

In this post we will be going through connecting Windows Admin Center to Azure to allow management of Azure VM’s. To install WAC see previous post.

The Azure integration allows the management of Azure and on-prem servers from a single console.

First step is to register WAC with Azure, Open the WAC admin console and go to settings tab. AZ1

Go to the Azure in the  gateway settingsAZ2Copy the code and click on the enter code hyperlink and enter the codeAZ3AZ4

Sign-in using an admin account on the Azure tenant. AZ5AZ6

Now go back to WAC and click connect to finish the registration AZ7

Once WAC is registered it require admin application permission to be granted to the application registration in Azure AZ8

Now that the registration is completed we can now add Azure VM’s to WAC go to add and select Azure VMAZ9

Select the subscription (if there are multiple subscription in your tenant),  resource group  and VM that will be added. AZ10

Once the Azure VM is added, to allow management there will need to be management ports opened to allow a connection between WAC and the Azure VM. If you are using a site to site VPN you can just allow the ports over the VPN connection.

I have a public IP associated with my VM and I will be modifying my network security group to allow the ports from my public IP.

I wont be going through configuring an NSG as this was covered in a previous post. AZ15

On the VM itself you need to enable winrm and allow port 5985 through the windows firewall if enabled. This can be done by running the two command below from an admin PowerShell session.

winrm quickconfig
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

Once the NSG is configured we should then be able to connect to the VM. AZ12

Below shows the overview of the VMAZ14We can also now connect to the VM using integrated RDP console in WACAZ13

WAC also allows us to manage services, scheduled tasks, backups, check event logs and other admin task, along with connecting using remote PowerShell directly from WAC.AZ16

 

 

Export folder permission using PowerShell

Recently we where moving folder and shares from one server to another. We need to confirm that the folder and permissions were the same on both the old and new share.

To do this I used PowerShell to export the pre and post move permissions and compare the results.

The two commands to get most of the information will be Get-ChildItem and Get-Acl.  The only part of the scripts that will need to be changed is the the export file name to give it a custom name.

Below is the link to full script I will be using.

https://github.com/TheSleepyAdmin/Scripts/tree/master/General/Folder%20Permission

To run the script there will be two mandatory parameters and the command should look like the below. (If you want to look up all subfolders also then just change line 14 and add -Recurse to Get-ChildItem command)

.\Get-FolderPermissions.ps1 -FolderPath \\lab-host01\sources -ExportPath D:\Scripts\Folder_Permissions\Export

I ran the script and changed the exported csv name to pre and post to be used to compare.
Per1
Below is what the export should look like.
Per2
Per3
Once the pre and post export are done we can use compare-object to find any differences.
Just need to update the import-csv paths, I was moving to a share that would have the same FQDN so if that is not the case you can removed the FolderPath from the compare-Object property otherwise all result will not match.
Below is the link to the script I used.
Per4Per5
Below is the export results showing the difference between the pre and post move Per6

MECM check for all updates that are required but not deploy SQL Query

Recently we had an issues where some software updates where missed during regular patching cycle, I wanted to have an automated report to list all updates that where required on more than one system but no deployed.

First I checked the Microsoft SQL views for software updates

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager

The three tables I used where,

V_UpdateComplianceStatus: This table is used to the get status code for updates. Status of 2 means the update is required.

v_UpdateInfo: This table is used to get information on each update

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_updateinfo

v_Update_ComplianceSummary: This table is used to get compliance of each update to see how many devices are missing the updates.

https://docs.microsoft.com/en-us/configmgr/develop/core/understand/sqlviews/software-updates-views-configuration-manager#v_update_compliancesummary

select distinct
UI.DatePosted as ‘Release Date’,
UI.articleid as ‘ArticalID’,
UI.Title,
Update_Required=(case when UCS.Status=2 then ‘Yes’ end),
CS.NumMissing,
Updates_Deployed=(case when UI.IsDeployed=0 then ‘NotDeployed’ end),
UI.InfoURL as InformationURL

from V_UpdateComplianceStatus UCS
join v_UpdateInfo UI on UI.CI_ID=UCS.CI_ID
join v_Update_ComplianceSummary CS on CS.CI_ID=UCS.CI_ID
WHERE UCS.Status=2 and UI.IsDeployed=0
order by NumMissing desc

Below is what the query return looks like in SQL Management Studio.missing1To confirm the query is working we can create a  search filter for all software updates to make sure they match.missing2Last step was to create a weekly email report using SQL Server Reporting Services (SSRS).

To create a new report (MECM reporting point role will need to be installed for this) go to Monitoring > Reporting > Reports.missing3I created a custom Reports folder to keep any report I created.

Right click on reports and click create reportmissing4

Give the report a name and a folder path the report will be stored. missing5Follow the report wizard to finish the report creation. missing6missing7Once the report wizard completed the report builder should load. missing8First create a new dataset. Right click on Datasets > Add Datasetsmissing9

Give the Dataset a name, Use a dataset embedded in my report, Data source and select the MECM data source and query type as text. Last part is to copy the query to the query field.missing10Once that click ok and the dataset should show under datasets. missing11

Next we create a table for the report view. missing12Select the dataset we create.missing13I just wanted to use all values so drag all row to the value box.missing14Next just go through the rest of the wizard. Once completed you should see something similar to the below. I  added a text box at the top for a tile and added in some grey filling on the table. missing16Now save the report and we can run from the MECM console to see what the report will look like. missing17Last step is to create subscription to send a the weekly report missing18Select report delivered by Email and put in the required detail and report to be included.(Email settings need to be configured in SSRS before you can select email as a deliver option)missing19Set the schedule that is required and complete the wizard. missing20The report should now be sent out weekly as a csv file.

 

 

Windows Admin Centre 1910

I have previously looked at Window Admin centre (WAC) tech preview and wanted to configure the latest full release, to see what changes have been made and do a proof of concept to see if this will be useful if it is deployed to our production environment.

PowerShell version 5.1 is required on servers that will be added to WAC and will need Window Management Framework (WMF) 5.1 installed, some will require additional steps also. See list below for required pre-req before they can be managed in WAC.

https://www.microsoft.com/en-us/download/details.aspx?id=54616

Windows Admin Centre uses SMB for some file copying tasks, such as when importing a certificate on a remote servers.

Once all pre-req are confirmed, we can go ahead and download Windows Admin centre.

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-admin-centerhttps://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/overview#download-now

Once the MSI is downloaded run and following the installation Admin1Accept the terms.Admin2Admin3

I used the default settings but you can enable WinRM over https if you have certificates that have server authentication set. If you want to look at configuring WinRM over https see following link: https://support.microsoft.com/en-us/help/2019527/how-to-configure-winrm-for-httpsAdmin4

I will use default port 443 and generate a self signed cert, if you have a certificate authority you can generate a cert that can be used for gateway. Admin5Admin6Admin7

Once the install is completed you can access the Windows Admin Centre URL using https://servername.

Admin8To add a server click Add. Admin9Admin10Click search active directory and put in the server name. Admin11

Once the server is added it will show in the admin console. To connect click on the server and connect. Admin12When connecting to servers, to allow single sign on there is an additional command that need’s to be run. If this is not done you will see the below warning when connecting.

Admin13

I updated the command to run on all servers in AD, as I didn’t want to have to run on each individually.

$Servers = Get-ADComputer -Filter “OperatingSystem -like ‘Windows Server*'”
$WAC = “LAB-WAC”
Foreach ($Server in $Servers){
Set-ADComputer -Identity $Server -PrincipalsAllowedToDelegateToAccount (Get-ADComputer $WAC)
}

Admin16The above command adds the admin server to the below attribute. Admin14Once this has been done when you click connect it should now use SSO. Admin15

We can now manage the servers from a central console without having to logon individually to each server. In the next post we will go through the different options and settings in Windows Admin Centre.

Configure Azure ATP

In this post we are going to go through configuring Azure Advanced Threat Protection (Azure ATP), ATP  is a cloud tool that can be used to detect security issue with on-premises active directory.

https://azure.microsoft.com/en-us/features/azure-advanced-threat-protection/#security

Azure ATP is available as part of Enterprise Mobility + Security 5 suite (EMS E5), and as a standalone license. You can acquire a license directly from the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model.

Azure ATP uses agent sensor installed on domain controllers or as standalone deployment that used port mirroring to monitor and analyzes user activities and information across your network.

We will be using the agents in this post since I can installing software on my DC if you have a policy that restrict agents installed on DC then you can use standalone deployment.

To configure Azure ATP first step it to setup an ATP workspace.

Go to https://portal.atp.azure.com/ and use your Azure AD logonATP0Once the workspace has been created we need to configure the on-premises connection account. ATP1Put in details for the domain account, I used a service account that has read access to AD so that I could restricted the logon to the account to only be used for ATP ATP2Once AD details are added next step is to download and install the sensor agent. Go to sensors and download the setup exe and copy the access key as this will be required during the install. ATP3Copy the installer to the DC and run. ATP4Select required language. ATP5Deployment type will be sensor I am running on VMware and this will generate the below warning which will redirect to a guide to disable IPv4 TSO Offload. ATP6This is where we need to put in the access key so that the sensor is associated to the correct workspace. ATP7The agent should now start to install. ATP8ATP9Once the agent has install it can take some time for it to respond in Azure ATP.ATP10Now the agent should start to notify of any suspicious activity that run’s like reconnaissance on SMB,  DNS and other malicious reconnaissance.

We can also create HoneyToken account that will be dummy account that can be used to attracted attackers and will automatically generated an alert as they should never be used.

Go to Entity tags >Honeytoken and select the account that will be used as the HoneytokenATP13We can also add sensitive account and group, there are default groups/ accounts that are considered sensitive by default like Administrators, Domain admins, Enterprise admins…, a full list of these can be found in the below link.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/sensitive-accountsATP14If we now logon with the HoneyToken account it will then alert the activity by this account. ATP15We can also run reports or schedule reports for schedule reports. To run a report go to the reporting blade and change the date to the range you want and click download. ATP16Below is an example of the modification to sensitive groups. ATP17To scheduled reports go to configuration and scheduled reports. ATP18ATP19

 

 

Check Scheduled task for run as account PowerShell

Recently I needed to check for all scheduled task running on servers using a certain account as the password needed to be updated.  To search for these scheduled task I used schtask.exe

https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks

I wanted to integrate this with PowerShell so that I could do some connection tests, loop through a list of devices and output the results to CSV.  Below is the script I created it has three mandatory parameters for the computer list, run as account and export path.

## Set script parameter
param(
[parameter(Mandatory = $true)]
[String]$CompList,
[parameter(Mandatory = $true)]
[String]$RunAsAccount,
[parameter(Mandatory = $true)]
[String]$ExportLocation
)
## Get list of device to check
$comps = Get-Content $CompList

## Loop through each device
foreach ($comp in $Comps){
Write-Host “Testing connection to $($comp)” -ForegroundColor DarkGreen
$TC = Test-Connection $comp -Count 1 -ErrorAction SilentlyContinue

if ($TC){
Write-Host “Checkig $($comp)” -ForegroundColor Green

## Check scheduled task for specified run as account
$schtask = schtasks.exe /query /V /S $comp /FO CSV | ConvertFrom-Csv | Select-Object HostName,TaskName,Status,”Next Run Time”,”Run As User” |
Where-Object {$_.”Run As User” -contains $RunAsAccount}
if ($schtask){

## Export results
Write-Host “Task found exporting to results to $($ExportLocation)”
$schtask | Export-Csv “$ExportLocation\ScheduledTaskExport.csv” -NoTypeInformation -Append
}
else {
Write-Host “No task found with run as account”
}

}
else {
Write-Host “$($comp) not responding Exporting failures to log file located in $($ExportLocation)” -ForegroundColor Yellow
$comp | Out-File “$ExportLocation\FailureReport.log” -NoTypeInformation -Append
}
}

To run the script supple the three parameter like below. I used Check_RunAsAccount as the scrip name.

.\Check_RunAsAccount.ps1 -CompList D:\Scripts\Task_Scheduler\Complist.txt -RunAsAccount test1 -ExportLocation D:\Scripts\Task_Scheduler\

SCk1SCk4Once the script has completed there will be a result csv and if there are any non responding devices there will be a second csv.SCk5The export result will look like the below. SCk2

 

Configure Azure Arc for servers

Azure Arc for servers is a tool that can be used to add on-prem physical / virtual servers or servers running in other cloud providers to Azure, this allow these servers to be centrally organised and to be connected to Azure services like Azure policy or log analytics.

Azure Arc for servers is in public preview, so this should not be used on production system until there is a full release version. Currently the only support OS version’s are below.

  • Windows Server 2012 R2 and newer
  • Ubuntu 16.04 and 18.04

If there is a content filter or proxy, the URL’s in the below link will  need to be white-listed all traffic will go over HTTPS (Port 443)

https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview#networking-configuration

To add a server to Azure Arc, logon to the Azure portal.

Go to All services > Machines – Azure ArcArc13

Click on create machine – Azure ArcArc1There are two options add machines using interactive script or add machines at scale. In this post we will be using the scripted method. Arc2

Select the subscription, resource group and region. When selecting  the operating system we can chose between Windows or Linux. Windows will create a PowerShell script and Linux will create a Linux .sh script.Arc3

As this feature is currently preview it will ask you to register before completing the download. Arc4Arc5Once the registration is completed, we can either copy the command or click download to get a copy of the PowerShell script. Below is how the script should look the only difference would be the Azure specific setting like resource group, tenantid…Arc6Once the script has run and the connect command has completed it will request that we connect to the device login site https://Microsoft.com/devicelogin and put in the authentication code. Arc7Arc8

Once completed go back to the PowerShell windows that the script was run from and we should see successfully onboarded to Azure resource.Arc9After a few minutes the device should show in Azure Arc. Arc10We can now apply Azure policies .Arc11

There are some additional steps required to configure the servers to integrate with Azure log analytics.

First step is to install the MMA (Microsoft Monitoring Agent) agent, to download the agent go to Log Analytics workspace and select the require workspace > Advanced settings

Arc14

Select the required connection source, then OS version. We will also need to take note of the workspace ID and Primary Key which will be used during the agent install to connect to the log workspace.Arc15

Go through the agent install.Arc16

Select Azure connect the agent to Azure Log Analytics (OMS).Arc22

To connect to Azure log analytics put in the workspace id and key.Arc18

Once the install has finished we can check the agent in control panel > All Control Panel Items > Microsoft monitoring agent.Arc20

We should now be able to query log from the server in Azure Arc for servers. Arc21