Update CustomSettings.ini file remotely!

Got on a discussion this week with someone how to use PowerShell to update an MDT CustomSettings.ini file over the network. Well a *lot* of CS.ini files.. 🙂

My manager is the Global Ops Manager and now he is asking me to find a way to run [update of customsettings.ini] on about 50 servers worldwide so the other MDT admins don’t have to log onto each server just to add one line.

The example given was to update the AdminPassword in CS.ini. I hope this company is following best practices, and disabling the local Administrator account and/or changing the Password once joined to the domain or connected to SCCM.

Anywho, INI files are a tad bit difficult to modify in Powershell because there are no native PowerShell or .NET functions to perform the action. So instead we need to do some ugly Pinvoke calls to the appropriate Win32 API.

-k

Advertisements

New script – Import Machine Objects from Hyper-V into ConfigMgr

Quick Post, been doing a lot of ConfigMgr OSD Deployments lately, with a lot of Hyper-V test hosts.

For my test hosts, I’ve been creating Machine Objects in ConfigMgr by manually entering them in one at a time (yuck). So I was wondering what the process is for entering in Machine Objects via PowerShell.

Additionally, I was curious how to inject variables into the Machine Object that could be used later on in the deployment Process, in this case a Role.

Up next, how to extract this information from VMWare <meh>.

Dell Latitude XX80 drivers won’t import into MDT Litetouch

TL;DR; Don’t import the Dell ControlVault driver into MDT Litetouch 8443 or older. It will crash the driver import.

Case of the mysterious…

David Landry posted a good question on the MDTOSD forum on http://myITForum.com&#8221;

Just curious what everyone / anyone has done with the Dell driver problem they have with the new Latitude XX80 series laptops. I imported their CAB files into MDT and got error.

It took me a while to narrow down the problem, but I was able to get a stack trace of the error:

System.Management.Automation.CmdletInvocationException: Length cannot be less than zero.
Parameter name: length ---> System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length
 at System.String.Substring(Int32 startIndex, Int32 length)
 at Microsoft.BDD.PSSnapIn.InfInfo.CheckDriverFile(String filePath)
 at Microsoft.BDD.PSSnapIn.InfInfo..ctor(String infPath)
...

Looks like CheckDriverFile() function was trying to get a Substring() but the 2nd argument for Length was zero. Not much of a substring…

I opened my trusty Ilspy.exe and revealed:

ilspy

Some further analysis reveals that the Dell ControlVault driver was the culprit, and I was able to dig down and find the file “Current_Version”. Current_Version has no File Extension, so it would cause the CheckDriverFIle() function to fail.

[cv_fw_copy]
bcmLynx_1.otp ;CV Firmware binaries
bcmLynx_7.otp
clearscd.bin
current_version
sbiLynxA0_1.otp
[...]

There is nothing technically wrong with the Dell Driver here, this is valid file. Additionally, this is the first time I have come across this bug in MDT, in the past 4 or so years this code has been active. It’s just an interoperability bug.

I have sent e-mail to both Microsoft and Dell. I’m hoping to qualify for the new Microsoft Bug Bounty program, but I’m not holding my breath. ;^)

 

New Sample for MDT (Custom Actions)

MDTLTIPSSampleAction

MDT Litetouch Action Property Page Sample

Fancy Example

Background

MDT has several pre-defined pages for common task sequence editing tasks. You’ve seen them in the MDT Litetouch Task Sequence Editor, under General, Disks, Images, Settings, and Roles.

They help abstract the ugly command line and scripting code behind the scenes for the user.

Recently I had an idea for a super-wiz-bang property page type for MDT Litetouch, and asked “are there any MDT LTI samples out there?”. I knew Config Mgr had a SDK Sample and I’ve been using it for a while now to create SCCM Task Sequence Actions pages.

The answer came back “There was an MDT Litetouch SDK, but not anymore.” (Long story for another day)

“Someone should create a sample!” I said!

“Cool Keith, when you figure it out, can you share the results? :)” For those of you who wonder, how does one become a Microsoft MVP? This, so here we go.

The Basics

C#

MDT Task Sequence Action Pages are simply C# Windows Form Control Library, with some standard API interfaces so it can be called from the Litetouch Wizard Host. The MDT team designed the API to closely resemble the System Center Configuration Manager Action Page API.

  • There are entry points for when the control is initialized.
    • Use this opportunity to load the UI elements with the saved data from the PropertyManager (aka TS.xml)
  • There are entry points for when the “OK” and “Apply” buttons are pressed.
    • Use this opportunity to save the UI elements with to the PropertyManager

There are several dependent classes required by the sample, they are contained in the ‘c:\program files\Microsoft Deployment Toolkit\bin\Microsoft.BDD.Workbench.dll’ assembly, so you will need add this reference to your project.

Anything else you want to add in the control, can be done if you know the correct C# code to get the job done.

Registration

Once you have created the DLL Library, we will need to add it so MDT Litetouch console knows about it.

First off, copy the DLL to the ‘c:\program files\Microsoft Deployment Toolkit\bin’ folder.

Secondly, we’ll need to add an element to the actions.xml file.

<action>
	<Category>General</Category>
	<Name>Install PowerShellGet Action</Name>
	<Type>BDD_MDTLTIPSSampleControl</Type>
	<Assembly>MDTLTIPSSampleAction</Assembly>
	<Class>MDTLTIPSSampleAction.MDTLTIPSSampleControl</Class>
	<Action>powershell.exe -Command  Install-Package -Force -ForceBootStrap -Name (New-Object -COMObject Microsoft.SMS.TSEnvironment).Value('Package')</Action>
	<Property type="string" name="Package" />
</action>

For this sample, I included a PowerShell libary module with two functions, one to register the new control, the other to remove the control. Easy!

The Sample

The sample in this case is pretty small.

There is one TextBox (as shown above), that prompts the user for the name of a PowerShell Package.

The package name get’s added to the TS.XML, along with the command, in this case it calls PowerShell.exe with the cmdlet Install-Package. We use COM to connect to the SMS environment space to get the package name and go.

You can use the build.ps1 script to compile the sample, and create PowerShell library to install the control within MDT Litetouch.

Future

Well I created this sample, because I have some ideas for some MDT LiteTouch (and SCCM) Action controls.

  • Fancy UI for installation of applications through Chocolatey
  • Run scripts and modules from PowerShellGallery.com
  • Other ideas, let me know (comments or e-mail)

Keith

New Tool: Get the Latest Windows 10 Cumulative Updates!

TL;DR – Programmatically get the latest Windows 10 Cumulative Updates!

Got a request from someone on an internal e-mail Distribution list recently, asking how to find out the latest Windows 10 (or Windows Server 2016) Cumulative Update.

Normally you can find these updates by going to this Microsoft KB article, then finding the right Operating System Version. Then you use the KB article number to go to Windows Update, and find the correct download link, then download the file.

I wanted to update this for another project, so I took it as a challenge to code in PowerShell.

New Tool

For this tool, I placed the source code up on GitHub.com, in a new gist. A gist is just a file that can be edited, version controlled, and shared out publicly on the GitHub.com site.

Given a Windows Version (build number), and a couple other search strings, will programmatically determine what the correct download links are for this Windows 10 (or Windows Server 2016).Â

The output can also be piped into BITS so you can just download locally.

Example

Get the links for the latest Windows 10 Version 1703 Updates:

getupdates1.PNG

 

Additionally we can also download the files using the BITS command Start-BITSTransfer

downloadupates1.PNG

 

Source

 

 

 

Decrypting the HP BIOSConfigUtility64.exe password

First off, for those of you who asked, I did leave 1E last week, off to try new things. Thought I’d take some time off during May, and then look for new opportunities. The future is wide open :^)

In the mean time, I did come across this post today about decrypting passwords with the BIOSConfigUtility64.exe utility.

https://www.serializing.me/2016/10/15/hpqpswd-encrypted-passwords-decryption/

And reminded me of some work I did recently at 1E on their BIOS 2 UEFI toolset. The HP tool did set off some red flags for me, the tool was able to take a plaintext password and put the encrypted value in a *.bin file without asking for an encryption key!?!? How did it do that? I figured it was because the tool stored the encryption key for the password within the executable itself. That’s not optimal (it’s unsecure), but not uncommon.

So I spent some time trying to reverse engineer the process, “link -dump /imports” revealed several cryptographic calls like CryptImportKey(), and with some time using trusty WinDBG.exe, I was able to locate the key. I wondered if HP would try to hide the key, but it was there in plain sight. I wrote a test program, but in my case I didn’t write a tool to decrypt the password, I wrote a tool to perform the encryption.  My thoughts were to provide a centralized password storage mechanism for HP, Dell and Lenovo, and I wondered if the HP toolset was a good starting point. 1E didn’t go down that route but the reverse engineering the HP tool was interesting.

It does bring up an interesting ethical dilemma for Engineers like myself. Something that you see on the news whenever someone discovers a new vulnerability in an OS, or Web Browser: Do you keep the vulnerability secret, or do you tell the public, knowing that some Black Hat could use the vulnerability to write an exploit and expose sensitive data?  In my case, I decided not to reveal the exploit, but Duarte chose to reveal it. Who is right?

I guess the only thing I can say is this is a good learning opportunity to discuss security/encryption of secrets like passwords. If you are an IT administrator, be weary of tools that can encrypt data magically without an encryption key, it’s not magic, they are encrypting the data with *something* and it’s possible the key is stored locally in an unsecure fashion. Better to store the passwords in a more secure location, with a more secure encryption, and then convert to the HP Password at the “Last-Minute” when preforming the actual task sequence.

This is a similar problem with other tools that “appear” to encrypt data, but store the data in a manner that *can* be easily extracted. Like the AdministratorPassword field in the unattend.xml file, and the Password in the SysInternals AutoLogon.exe tool. Both tools store passwords in an easily recoverable fashion. I’ve seen too many administrators fall for the illusion that these are secure, they are not.

-k

Hope to see many of you at MMS MOA in May 2017!!! I’ll be there.

Supermicro vs No_Drv

TL;DR – A NO_DRV driver is a driver package that doesn’t contain a driver binary. It uses the driver from another package (typically an in-box Microsoft driver).

Server Woes

One of my servers, a SuperMicro 5038A-IL has been locking up on me. I’ve been able to use the machine for the most part for the past year, but the upshot is that I can’t upgrade the machine from one Windows version to another. 22% of the way through WinRE (or sometimes WinPE), the machine has a hard Freeze, and won’t respond to mouse movement or keyboard. I’ve tried kernel debugging, hardware swaps, nothing works. My experience tells me this is a hardware problem. Time to escalate to SuperMicro support.

Upgrade your drivers

OK I should have seen this one coming, I call up support, and the first thing they ask me to do is make sure I have the latest Network and System Drivers.

  1. WinRE doesn’t use Network, so this isn’t a problem.
  2. System Drivers sure! Let’s download and check to see I have the latest stuff.

ftp://ftp.supermicro.com/driver/Intel_INF/Skylake_Series_Chipset/Chipset_v10.1.2.80.zip

No_Drv

I open the driver package, and take a look. Wait a minute, I don’t see any *.sys files, only *.inf and *.cat files.

sys – These are the compiled drivers, usually written in c/c++.
inf – These are the install files, typically there is at least one of these.
cat – This is the digial signature, signed by Microsoft to verify the source of the driver.

How can there be no driver in the driver package? Let’s look

[Version]
...
CatalogFile=Skylake.cat
...
[INTEL.NTamd64]
...
%PCI\VEN_8086&DEV_191FDesc%=Needs_NO_DRV,PCI\VEN_8086&DEV_191F

[Needs_NO_DRV]
Include=machine.inf
Needs=NO_DRV
Oh, NO_DRV, now I recall, this is an old trick. The device above DEV_191F doesn’t actually require a device driver, it’s transparently handled by Windows. But Windows doesn’t give it a descriptive name, just a generic name. So companies like Intel can provide this pack so you can give some devices more descriptive names in the Device Manager. The intel driver above points to an entry in the machine.inf driver already on the machine.
From:   “PCI Standard ISA bridge”
To:   “Intel(R) C226 Series Server Advanced SKU LPC Controller – 8C56”
That’s all it does, It doesn’t affect the operation of the OS or the hardware. Just the name! Sometimes this is helpful if you need to quickly identify a device, but, yes it’s mostly used for vanity, so I never load them on my machines.
So… I responded to SuperMicro, and confirmed I was using the latest drivers from intel. :^)