Archives for March 2014

The msi peeping tom tool ORCA

So I guess that most people working with any kind of deployment have needed to look into an MSI file at some time. Microsoft has released a really basic and wonderful tool called ORCA. It will allow you to look into and edit MSI files at a really low level. So how do I download it? Well, Microsoft has made it available in the Windows Software Development Kit (SDK) for Windows 8. [Read more…]

Getting the computername in PowerShell

Update 2015-07-03:

So I got two comments from Paul Wiegmans. These were mainly that the functions delivered different results (hostname vs. NetBIOS version), and that I had missed a good function. I'm so used to Windows limiting the NetBIOS computername to 16 characters, where the last one is a reserved character, that I forgot to test for longer versions.

Updated blogpost with all the glory:

Last weekend my company and a couple of customers had an event in the Swedish village of Åre. To cut to the chase, we had speakers from Knowledge Factory, TrueSec and Microsoft at the event. During Bruce Payette's presentation I noticed that he used hostname instead of $env:computername as I and others use. So I talked a little with him about it, and decided to write a blog entry about it. We discussed a couple of options, mostly using $env, the .NET method and hostname.exe. I also decided to test the speed of a couple of ways. Let's start with the speeds and go from there.

[Read more…]

PowerShelling the Kernel32 function GetComputerName

I was writing a blog post on different ways of accessing the computer name running the script. So I thought, well, the old way of accessing it through Kernel32.dll should be possible. After looking into how to do it I created a function that returns the computername or $Null. According to P/Invoke, one of the definitions of GetComputerName is as follows.

[Read more…]

USB booting Specops Deploy / OS (x86)

This is a basic x86 boot stick that should be able to boot both UEFI and BIOS computers. I also have a version of the blog for those that really don't like to be one version behind, USB booting Specops Deploy / OS (x64 UEFI).
[Read more…]

USB booting Specops Deploy / OS (x64 UEFI)

Since I'm moving all my systems at home away from x86, simply creating an x86 USB stick was a bit too easy. I therefore thought it would be more fun to create an x64 UEFI boot. I'm not really sure if this is required, but it will allow computers that can't read NTFS (from UEFI boot) to still boot the installation. I have also written a simple x86 instruction.
[Read more…]

How can I link a GPO to the Computers Container

Well, the easy and correct answer is you can't. The Computers container is a container and not an organizational unit. Why not, you may wonder. [Read more…]

Deploying Bitlocker protected Workstation using Specops Deploy / OS

For one of my customers I was looking up the correct way of activating BitLocker while using Specops Deploy / OS. After a little searching on Google I understood that I would be in uncharted territory. After looking at how my customer currently implemented BitLocker I was able to solve it. This solution is not dependent on any manual changes to the MDT, so it's a clean Deploy / OS solution.

Changes to installation group policy

So let's open up our installation GPO, and go straight down to the Specops Deploy / OS parts. Now edit the installation policy, go to the Custom MDT Properties and add the following variables:

Variable Name              Value  Description
DoNotCreateExtraPartition  NO     Allows the installer to create the required partitions on the drive.
BdeInstallSuppress         NO     Setting this to anything but YES will start the BDE installation.

After doing that, all required changes to the installation policy are done.

Save the numerical recovery password to Active Directory

Most customers want to be able to access the drive if/when the computer or TPM chip dies. So we need to store the numerical recovery password in another location. The regular choices are:

  • Manual, risking forgetting it and getting into trouble.
  • Store on a share, better but still more complex than required.
  • Store in AD, safe, secure and redundant.

So how do we make sure the clients store the recovery password in AD? First off, if you are running an Active Directory schema of 2008 or later you are practically done. Otherwise you could extend the schema to include the BitLocker parts, or, as I would suggest, extend the schema with Windows 2012 R2. See the link below for more information if you don't want to extend the schema to Windows 2008 or later. Windows will store the recovery password in an object of class msFVE-RecoveryInformation that is located below the computer object. This helps with cleanup: when the computer is deleted, so are all the keys.

So now we have extended the schema. We still need to instruct our workstations to save the password to AD. Here I would suggest going the Group Policy route, mostly because I really like GPOs.

So let's fire up our Group Policy Management Console (gpmc.msc).
Create a new GPO for the Bitlocker settings or select another GPO.
Edit the selected GPO

You now have two different places to edit, depending on whether you are deploying Windows Vista or Windows 7 and later.

Windows Vista

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption
  • Setting: Store BitLocker recovery information in Active Directory Domain Services
  • Value: Enabled

Windows 7 or later

  • Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives
  • Setting: Choose how BitLocker-protected operating system drives can be recovered
  • Value: Enabled

Don't forget to check the box that says "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".

Start the installation

So after being bored for a while looking at a screen doing nothing, the install is complete. We log in to the client and open a cmd window as administrator so we can check the progress. And what do you know, it is encrypting the drive as I am writing this.

Command line windows showing that encryption has started.
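Once the machine is up, the thing worth verifying is not only that encryption has started but that the numerical recovery password actually landed under the computer object, since a protector that was never backed up is exactly the key you will be missing when the TPM dies. The following is an added PowerShell check, not code from the original post. It assumes the BitLocker module (Windows 8 / Server 2012 or later) and the RSAT ActiveDirectory module are installed and the shell is elevated; on Vista and 7 the equivalent status check is manage-bde -status from the cmd window shown above.

```powershell
# Added example (not from the post): confirm the OS drive is encrypting, that a
# numerical recovery password protector exists, that it has been backed up to AD DS,
# and that the msFVE-RecoveryInformation child object is visible in the directory.
# Assumes the BitLocker and ActiveDirectory PowerShell modules and an elevated shell.

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Same information as "manage-bde -status", as objects instead of text.
$osVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

$recoveryProtectors = $osVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recoveryProtectors) {
    Write-Warning "No numerical recovery password protector on $($osVolume.MountPoint); nothing to back up."
}

foreach ($kp in $recoveryProtectors) {
    # Writes the protector to a msFVE-RecoveryInformation object below the computer
    # account. Safe to re-run: an already backed-up protector is simply written again.
    Backup-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# Cross-check from the directory side. Only the object name and creation time are
# listed; the recovery password itself is not pulled down to the console.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated |
    Select-Object Name, whenCreated
```

If the last query returns nothing while the protector exists locally, the usual causes are the GPO setting above not having applied yet (run gpupdate and check with gpresult) or the schema lacking the msFVE classes, which is the case the "extend the schema" paragraph covers.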

Sources:

Backing Up BitLocker and TPM Recovery Information to AD DS

Is your execution policy Unrestricted for the entire machine?

Sometimes I see customers that, for simplicity, set the PowerShell Execution Policy to Unrestricted. I often wonder why; the usual reply is "because it just doesn't work otherwise". Well, I say it's time to reconsider. PowerShell allows for a much more granular solution using scopes. Did you know that there are 5 different scopes for the Execution Policy?

Scopes:

  • Process
  • CurrentUser
  • LocalMachine
  • UserPolicy
  • MachinePolicy

So armed with this knowledge we can allow the current process to run as Unrestricted while maintaining a rather secure machine around it. Now that we know the scope has options, what different execution policies are there? Well, there are 7, kind of… [Read more…]
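The point about scopes is easier to see when you ask PowerShell which scope is actually supplying the policy in effect. Below is an added example that is not from the post: Get-EffectiveExecutionPolicySource is a helper name I made up, and the code assumes a Windows client where all scopes are Undefined by default (which resolves to Restricted).

```powershell
# Added example (not from the post): report which of the five scopes is supplying
# the effective execution policy, flag a machine-wide Unrestricted setting, and
# show the process-scoped alternative. Function name is made up for this example.

function Get-EffectiveExecutionPolicySource {
    # Precedence as PowerShell evaluates it: Group Policy scopes first, then the
    # running process, then the current user, then the machine.
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    $policies = Get-ExecutionPolicy -List
    foreach ($scope in $order) {
        $entry = $policies | Where-Object { $_.Scope -eq $scope }
        if ($entry.ExecutionPolicy -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; ExecutionPolicy = $entry.ExecutionPolicy }
        }
    }
    # Every scope Undefined: a Windows client falls back to Restricted.
    [pscustomobject]@{ Scope = 'Default'; ExecutionPolicy = 'Restricted' }
}

Get-EffectiveExecutionPolicySource

# The configuration the post argues against: every user and every scheduled task
# on the box inherits it, and it survives reboots because it lives in the registry.
if ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted') {
    Write-Warning 'LocalMachine scope is Unrestricted for the entire machine.'
}

# Loosen only this powershell.exe instance. Nothing is written to the registry and
# the setting disappears when the process exits. Note that a MachinePolicy or
# UserPolicy value set by Group Policy still wins over the Process scope.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force

Get-EffectiveExecutionPolicySource   # Scope is now Process unless Group Policy overrides it
```

For a deployment script that needs the relaxed policy only while it runs, the Process scope is the one to reach for; the LocalMachine and CurrentUser scopes are the ones an audit should be looking at.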

Voice dialing setting lost in iOS 7.1 (iPhone 5)

*UPDATE*

As Jordi pointed out in the comments, if you enable Siri, the Voice Dial option will be available. For more information see the link that Jordi sent: https://discussions.apple.com/message/25141341#25141341

*OLDER UPDATE*

The iPhone 5s seems to be unaffected. Also, according to a comment I received, the problem may go both ways: he can't turn it on. But still, it's a nuisance.

*Old article*

So I have always liked being on the cutting edge in software. It helps, as when my customers ask me things I have already hit them myself. But this time it hit me harder than usual.

One thing I have hated with iOS is voice dialing and that it gets turned back on after each update. But I do the regular thing and disable it. This time things had changed: I could no longer find it, nor the menu where it was. Well, Apple had made it more accessible; Passcode Lock is now placed directly under General instead of General\Settings. But instead they have removed the option to disable Voice Dial.

Screen by screen of iOS 7 and 7.1. Passcode Lock screen missing Voice Dial in 7.1.

This might be the final thing that forces me to leave the iPhone. I have had problems with pocket calling, but disabling Voice Dial solves it. Without it I feel forced to switch.

I have verified with an iPhone 5S that they can disable Voice Dial.

Useful WMI(C) commands

Sometimes you need to run WMI queries on older Windows machines or in Windows Preinstallation Environment (WinPE) environments. With PowerShell it's really easy: Get-WmiObject -Class Win32_WhatYouWant. But now you are stuck without PowerShell, so let's use the old WMIC command instead. WMIC has been available since Windows 2003. [Read more…]