SCCM 2012 Report Builder Certificate chain error

So you have just installed SCCM 2012 R2 and found the awesome power of SQL Server Reporting Services, and you have given your managers access to the web site to allow them to access the information that they keep asking you about.

After a while you get complaints that not all of the information they need is available via the website, and they want to be able to create their own reports there. So you delegate them access to create reports from the console, you go to their desk to explain how Report Builder works, and then you get the following error: "The certificate chain was issued by an authority that is not trusted", which looks like this.

You probably hit the same error on your own computer and lived with it, because you could just make the change on the server, where it works.

The cause of this issue is this little option inside the saved data source connection, TrustServerCertificate:

OK, we have identified the why. Can't we just set TrustServerCertificate to True? That does work, for about 5-10 minutes, until the SCCM site component checks run and revert the setting. That revert is doing you a favour: TrustServerCertificate=True turns certificate validation off entirely, so the connection would still be encrypted but the client would no longer know it is talking to the real SQL Server, and anyone able to sit between the workstation and SQL could impersonate it.

So to resolve this properly we make the client trust the certificate SQL Server is presenting: export the "ConfigMgr SQL Server Identification Certificate" (the self-signed certificate ConfigMgr creates for SQL Server's TLS) from the SCCM server and import it on each of the computers that will update or modify reports.

To do this, first export the certificate from the SCCM server: run the MMC console on the site server, add the Certificates snap-in for the local computer account, browse to the Personal certificate store, and export the ConfigMgr SQL Server Identification Certificate as DER encoded. Export the public certificate only; the private key stays on the server.

Now, on the report builder machine, import the .cer file into the Current User store, under Trusted Root Certification Authorities. Windows shows a Security Warning because you are about to trust a new root: compare the thumbprint in that dialog with the thumbprint of the certificate on the SCCM server and click Yes only if they match, since from then on anything signed with that key is trusted for this user.

Go back to Report Builder and the connection will now validate without the error.

Now you can create reports to your heart's content.
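The same export, import and verification done from PowerShell, as an added example that is not part of the original post. It assumes (hypothetically) that the certificate sits in LocalMachine\My on the site server with the friendly name shown above, that C:\Temp\ConfigMgrSql.cer is the transfer path, and that SCCMSQL.example.local is the SQL Server's FQDN; adjust all three to your environment.

```powershell
# Added example, not from the original post: export the ConfigMgr SQL certificate on the site
# server, import it into the user's Trusted Root store on the workstation, and prove the fix.
# Assumptions (hypothetical): friendly name as shown in the post, C:\Temp\ConfigMgrSql.cer as
# the transfer path, SCCMSQL.example.local as the SQL Server FQDN. Export-Certificate needs the
# PKI module (Windows 8 / Server 2012 or later); certutil -addstore is the equivalent elsewhere.

# --- Step 1, on the SCCM site server (elevated): export the public certificate only, as DER ---
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'ConfigMgr SQL Server Identification Certificate' }
if (-not $cert) { throw 'ConfigMgr SQL Server Identification Certificate not found in LocalMachine\My' }
# -Type CERT writes DER with no private key, which is all a client needs to validate the chain
Export-Certificate -Cert $cert -FilePath 'C:\Temp\ConfigMgrSql.cer' -Type CERT | Out-Null
"Server thumbprint: $($cert.Thumbprint)"   # copy this value into the client step

# --- Step 2, on the report builder workstation, as the user who runs Report Builder ---
$ExpectedThumbprint = 'PASTE-THE-SERVER-THUMBPRINT-HERE'
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\ConfigMgrSql.cer'
if ($clientCert.HasPrivateKey) { throw 'Refusing to import: the file carries a private key' }
if ($clientCert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: got $($clientCert.Thumbprint); do not trust this file"
}
# Trusted Root for the current user only. Anything signed with this key is trusted from now on,
# which is why the thumbprint check above is not optional.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($clientCert)
$store.Close()

# --- Step 3: prove the fix with validation ON (TrustServerCertificate=False) ---
# Connect by the name in the certificate subject (the server FQDN); an IP or short name fails
# name validation even though the root is now trusted.
$cs = 'Server=SCCMSQL.example.local;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False'
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try   { $conn.Open(); 'TLS handshake validated against the imported certificate' }
finally { $conn.Close() }
```

Step 3 is the check the GUI procedure never gives you: if it opens with Encrypt=True and TrustServerCertificate=False, Report Builder's data source will work without anyone touching the TrustServerCertificate option again.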

Good luck

Steve

Firefox Non-Admin install clean up

So when we were rolling out our managed Windows 7 platform, which we had spent a considerable amount of time planning, and had diligently removed local admin rights from all staff other than IT staff (you know, the guys who cause the most issues with local admin, but I digress), I noticed one of our more IT-savvy staff members installing the latest version of Firefox onto his computer. On prompting him that he was breaching our policy on installing software, he laughed me off and said don't worry about it, because if you hit No when the UAC prompt comes up you can still install it. To say I was a bit miffed would be an understatement, so I went and did some digging. It appears that when Mozilla created the installation package they set it so that if the user account being used to install doesn't have access to Program Files, it will install into the user's profile (c:\users\%username%\appdata\local\mozilla firefox\ to be precise), so short of blacklisting the installer every time there is a release there was little we could do.

Fast forward 18 months, two building relocations and two-thirds of the fleet replaced with shiny new laptops to match the activity-based working layout. We are finally getting time to sit down and do all of the feature adds that had been deemed nice to have but not must-haves, like the upgrade to SCCM 2012, along with a plan to deal with the browser sprawl that has occurred since we rolled out Windows 7. Let's face it, the easiest way to combat this would be to set up a baseline in SCCM to detect when a browser other than the supported version of IE has been installed and remediate. But it being almost 2014, and embracing the whole empowerment of the users and all of that fun stuff, how can we set this up for self-service while cleaning up the legacy installs? The update process doesn't handle the admin rights the way the installer does, so we still have installs all the way back to version 9.

So I saw Sherry Kissinger's post here, which details how to disable the update process for admin installs of Firefox; it is great and works really well, but it doesn't handle our use case of per-user installs of Firefox. So I had a quick look at the scripts Sherry was using, added a looping function to step through the sub-folders in c:\users looking for the Mozilla Firefox folder, and created the files that disable the update process, so users don't get prompted for updates they can't complete.

Disable updates of Per User install of Firefox Compliance Baseline

This got me thinking: can we use compliance settings to remediate the per-user installs of Firefox? The short answer is yes, but it is a little more involved than using the remediation task in the compliance settings, because we also need to install the latest version of Firefox. We can handle this by creating a device collection using the following query:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
 SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
 inner join SMS_G_System_CI_ComplianceState
 on SMS_G_System_CI_ComplianceState.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "FireFox Per User install"
 and SMS_G_System_CI_ComplianceState.ComplianceStateName = "Non-Compliant"

Of course this is after you have deployed the "FireFox Per User Install" configuration baseline to all of your computers. The remediation is then as simple as creating an application, deployed to that collection, that runs the attached script: it cycles through all of the user profiles, runs the per-user uninstall string "c:\users\%username%\appdata\local\mozilla firefox\uninstall\helper.exe /s" and then cleans up the Firefox shortcut for each user profile. Once that is complete we can execute an admin install of Firefox for the computer and disable the auto-update process.

One caveat worth building into that script: the application runs as SYSTEM, but helper.exe lives in a folder the user can write to, so you are executing user-controlled code with SYSTEM rights. Check that the file carries a valid Mozilla Authenticode signature before running it, or skip the uninstaller and delete the folder instead.

Identify Per user installs of Firefox Configuration Baseline
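An added PowerShell version of the detection and remediation described above (example code, not the post's own VBScript). It assumes, hypothetically, the per-user install path and uninstall string quoted in the post, Mozilla's NSIS uninstaller accepting the silent switch as /S (NSIS treats that switch as case-sensitive), per-user shortcut locations as named in the code, and a policies.json file, which only Firefox 60 and later honours, as the way to disable updates on the admin install.

```powershell
# Added example, not from the original post: find per-user Firefox installs, remove them without
# running unsigned code as SYSTEM, then disable updates on the admin install.
# Assumptions (hypothetical): install path under each profile as in the post, NSIS silent switch /S,
# shortcut paths below, policies.json for Firefox 60+. Run elevated (SCCM runs it as SYSTEM).

function Get-PerUserFirefox {
    # One object per profile that holds a per-user install; also usable as the baseline's discovery script
    Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
        $dir = Join-Path $_.FullName 'AppData\Local\Mozilla Firefox'
        $exe = Join-Path $dir 'firefox.exe'
        if (Test-Path -LiteralPath $exe) {
            [pscustomobject]@{
                Profile = $_.FullName
                Dir     = $dir
                Helper  = Join-Path $dir 'uninstall\helper.exe'
                Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            }
        }
    }
}

function Test-MozillaSigned([string]$Path) {
    # helper.exe sits in a user-writable folder, so it is user-controlled code. Running it as SYSTEM
    # without this check hands any user a SYSTEM shell: they just replace helper.exe and wait.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Mozilla')
}

function Remove-PerUserFirefox {
    foreach ($inst in Get-PerUserFirefox) {
        if ((Test-Path -LiteralPath $inst.Helper) -and (Test-MozillaSigned $inst.Helper)) {
            $p = Start-Process -FilePath $inst.Helper -ArgumentList '/S' -Wait -PassThru
            Write-Output "$($inst.Profile): Firefox $($inst.Version) uninstaller exit code $($p.ExitCode)"
        } else {
            Write-Warning "$($inst.Profile): uninstaller missing or not Mozilla-signed; deleting the folder instead"
        }
        if (Test-Path -LiteralPath $inst.Dir) { Remove-Item -LiteralPath $inst.Dir -Recurse -Force }
        # Per-user shortcuts the installer created (locations assumed)
        $links = @(
            (Join-Path $inst.Profile 'Desktop\Mozilla Firefox.lnk'),
            (Join-Path $inst.Profile 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk')
        )
        foreach ($lnk in $links) {
            if (Test-Path -LiteralPath $lnk) { Remove-Item -LiteralPath $lnk -Force }
        }
    }
}

function Disable-FirefoxUpdate([string]$InstallDir = "$env:ProgramFiles\Mozilla Firefox") {
    # Enterprise policy file for the admin install; honoured by Firefox 60 and later.
    $dist = Join-Path $InstallDir 'distribution'
    New-Item -ItemType Directory -Path $dist -Force | Out-Null
    '{ "policies": { "DisableAppUpdate": true } }' |
        Set-Content -Path (Join-Path $dist 'policies.json') -Encoding ASCII
}

# Order of operations for the remediation application:
#   Remove-PerUserFirefox        # clean every profile
#   <run your admin installer>   # e.g. the Firefox setup with -ms, deployed by SCCM
#   Disable-FirefoxUpdate        # stop the prompts users cannot complete
```

Get-PerUserFirefox on its own, returning whether any object came back, is the discovery half of the "FireFox Per User install" baseline; Remove-PerUserFirefox is what the application deployed to the Non-Compliant collection runs.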

Good Luck

Steve

How to update BIOS on laptops that have Bitlocker Encrypted drives.

Download the script from here (updateBios)

Completing an unattended update of a computer's BIOS was something I never thought I would be championing, but with hardware vendors now releasing updates every other month, including performance and stability fixes, we have been forced to investigate how to do it.

My initial plan was to finally get SCUP up and running and then use the BIOS updates included in the HP catalog. That worked well for the desktops and laptops that a) didn't have a BIOS password and b) didn't have BitLocker enabled.

So we needed a different route that could handle both the BIOS password and BitLocker. It also had to check that the laptop has AC power connected, as most vendors have safeguards in place to stop the BIOS update from installing if it is not, and to re-enable BitLocker after the BIOS has been updated. The reason BitLocker has to be suspended first is that the new firmware changes the TPM measurements the volume key was sealed to, so without suspending the protectors the next boot asks for the recovery key.

So let's get into the code. For simplicity it is all written in VBScript and has been tested on Windows 7 and 8. Below is a breakdown of the sub routines and functions.

Application Execution

sn = WScript.ScriptName                       ' script file name
fn = WScript.ScriptFullName                   ' full path of the script
fp = Replace(fn, "\" & sn, "")                ' folder holding the script and the flash files
Set objShell = WScript.CreateObject("WScript.Shell")

If WScript.Arguments.Count = 0 Then           ' no argument given: show usage instead of erroring
 opt = "/?"
Else
 opt = LCase(WScript.Arguments.Item(0))       ' argument passed when the script was called
End If

If opt = "flash" Then                         ' flash the BIOS
 If power Then                                ' only when AC power is attached
  manageBDE "disable"                         ' suspend BitLocker key protectors
  install fp & "\hpqflash.exe -s -p" & fp & "\pwfile.bin"   ' HP flash tool; change to match your vendor
  ' RunOnce entry that resumes BitLocker after the post-flash restart (path quoted in case it has spaces)
  writekey "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", _
   "ReenableBDE", "wscript.exe " & Chr(34) & fn & Chr(34) & " encrypt"
  ' restart; change the timeout (seconds) to suit
  install "c:\windows\system32\shutdown.exe -r -f -t 600"
 Else
  WScript.Echo "AC power not detected, BIOS not flashed"
  WScript.Quit 1                              ' non-zero so SCCM records the failure
 End If
ElseIf opt = "encrypt" Then
 manageBDE "enable"                           ' resume BitLocker key protectors
Else
 WScript.Echo "Usage: to start flashing, call the script with the argument " & Chr(34) & "flash" & Chr(34)
End If

This is the code that is used to call the Sub-Routines & Functions detailed below.

Checking the AC:

'#################################################
' Function Name: power
' Outputs:
' power (boolean) = TRUE means AC power is plugged in,
'                   FALSE means running on battery
'#################################################
Function power
 Dim objWMIService, colItems, objItem
 power = True                                 ' no battery present (desktop) counts as AC power
 Set objWMIService = GetObject("winmgmts:\\.\root\wmi")
 Set colItems = objWMIService.ExecQuery("Select * From BatteryStatus Where Voltage > 0")
 For Each objItem In colItems
  If objItem.Discharging = False Then
   power = True                               ' AC plugged in
  Else
   power = False                              ' AC not plugged in
  End If
 Next
End Function

The reason we use Discharging rather than Charging is that we found a fully charged laptop reports that it isn't charging, but as long as the AC adapter is plugged in it isn't discharging either (think about it and it makes sense).

Manage BDE (BitLocker Drive Encryption)

'#################################################
' Routine Name: manageBDE
' Inputs:
' switch (String) = "enable" or "disable"
' Checks the conversion state of C: and suspends or resumes
' the BitLocker key protectors as required. States that make
' flashing unsafe are reported through the exit codes below.
'#################################################
Sub manageBDE(switch)
 Dim strConnectionStr2, objWMIBDE, colEnVol, objEnVol
 Dim nConvStatus, nPercent, intRC
 strConnectionStr2 = "winmgmts:{impersonationLevel=impersonate," & _
    "authenticationLevel=pktPrivacy}!root\cimv2\Security\MicrosoftVolumeEncryption"
 Set objWMIBDE = GetObject(strConnectionStr2)
 Set colEnVol = objWMIBDE.ExecQuery("Select * from Win32_EncryptableVolume")
 For Each objEnVol In colEnVol
  If objEnVol.DriveLetter = "C:" Then
   ' ConversionStatus: 0 fully decrypted, 1 fully encrypted, 2 encryption in progress,
   ' 3 decryption in progress, 4 encryption paused, 5 decryption paused
   intRC = objEnVol.GetConversionStatus(nConvStatus, nPercent)
   If LCase(switch) = "disable" Then
    Select Case nConvStatus
    Case 0 'fully decrypted
     WScript.Quit 663
    Case 1, 4 'fully encrypted or encryption paused: suspend the protectors
     ' the third argument makes Run wait, so the flash cannot start before the suspend has completed
     objShell.Run "c:\windows\system32\manage-bde.exe -protectors -disable C:", 0, True
    Case 2 'encryption in progress
     WScript.Quit 665
    Case 3 'decryption in progress
     WScript.Quit 666
    Case 5 'decryption paused
     WScript.Quit 664
    End Select
   ElseIf LCase(switch) = "enable" Then
    Select Case nConvStatus
    Case 0 'fully decrypted
     WScript.Quit 663
    Case 1, 4 'fully encrypted or encryption paused: resume the protectors
     objShell.Run "c:\windows\system32\manage-bde.exe -protectors -enable C:", 0, True
    Case 2 'encryption in progress
     WScript.Quit 665
    Case 3 'decryption in progress
     WScript.Quit 666
    Case 5 'decryption paused
     WScript.Quit 664
    End Select
   End If
  End If
 Next
End Sub

We ended up using GetConversionStatus rather than GetProtectionStatus so that the script can tell when the drive is still in the process of being encrypted, for example on a recently built system. GetProtectionStatus correctly reported that BitLocker was on; it just didn't report that the volume was still being encrypted.

Install Sub Routine

'#################################################
' Routine Name: install
' Inputs:
' exestring (string) = command you want to call.
' Starts the command and waits until the process has
' exited before moving on to the next task in the
' script. Useful for applications that return exit
' code 0 immediately after launching.
'#################################################
Sub install(exestring)
 Dim objWMIService, objProcess, errReturn, intProcessID, colProc
 Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
 Set objProcess = objWMIService.Get("Win32_Process")
 errReturn = objProcess.Create(exestring, Null, Null, intProcessID)
 If errReturn = 0 Then
  ' poll once a second until the process id is no longer in the process list
  Do
   WScript.Sleep 1000
   Set colProc = objWMIService.ExecQuery("Select * from Win32_Process where ProcessId = " & intProcessID)
  Loop While colProc.Count > 0
 Else
  WScript.Echo "Failed to start " & exestring & " (Win32_Process.Create returned " & errReturn & ")"
 End If
End Sub

This routine is something I wrote a few years back to deal with those awesome applications that return exit code 0 immediately on execution. (Contact me if you need a routine to handle an executable inside an executable.)

Write RegKey

'#################################################
' Routine Name: writekey
' Inputs:
' key (string) = path of the key to update (under HKLM)
' vn (string) = the value name
' v (string) = the value data
' Creates a REG_SZ (string) value at the key path.
'#################################################
Sub writekey(key, vn, v)
 Const HKEY_LOCAL_MACHINE = &H80000002
 Dim oReg
 Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
 oReg.SetStringValue HKEY_LOCAL_MACHINE, key, vn, v
End Sub

This writes a REG_SZ string value into the registry (RunOnce expects a command line, not a DWORD); in this script we use it to re-enable BDE after the restart. Two things to keep in mind: HKLM\RunOnce entries run when the next user logs on, in that user's context, so on a fleet where users are not local admins the manage-bde call will fail and the drive stays suspended until someone fixes it. On Windows 8 and later the cleaner option is "manage-bde -protectors -disable C: -RebootCount 1", which resumes protection automatically after one restart and needs no RunOnce entry at all.

One thing to note: to complete the HP BIOS update from the command line you must create the pwfile.bin password file with the HP BIOS password utility from http://ftp.hp.com/pub/caps-softpaq/cmit/softpaq/sp62065.exe (when installed it displays as HP ElitePad 900, but in my experience the file it produces works for all HP laptops that use HPQFlash). Treat pwfile.bin as the BIOS credential it is: anyone who can read the package content can use it to flash or reconfigure the BIOS on those models, so restrict who can read the package source and remember that every client that receives the package holds a copy.

I think that pretty much covers it; we have successfully run this on multiple HP laptop models.
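The same AC check, suspend, flash and restart flow in PowerShell, as an added example rather than the post's own script. It uses the BitLocker WMI class directly and the reboot-counted suspend that Windows 8 and later offer, so no RunOnce entry and no logged-on admin are needed to resume protection. The flash tool name, its password-file argument and the script location are assumptions carried over from the post; adjust them to your vendor.

```powershell
# Added example (not from the original post): BIOS flash with BitLocker suspended for exactly
# one reboot. Assumptions, all hypothetical: hpqflash.exe and pwfile.bin sit beside the script,
# the vendor command line matches the post, the script runs elevated (SYSTEM under SCCM), and
# the OS is Windows 8 / Server 2012 or later (DisableKeyProtectors with a reboot count).

function Test-AcPower {
    # Same test as the VBScript: a battery that reports Discharging = False means AC is attached.
    # A machine with no battery (desktop) returns no rows and is treated as on AC.
    $batteries = @(Get-WmiObject -Namespace 'root\wmi' -Class BatteryStatus | Where-Object { $_.Voltage -gt 0 })
    if ($batteries.Count -eq 0) { return $true }
    foreach ($b in $batteries) { if ($b.Discharging) { return $false } }
    return $true
}

function Get-SystemVolume {
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
}

function Suspend-BitLockerForFlash {
    param([int]$RebootCount = 1)
    $vol = Get-SystemVolume
    if (-not $vol) { return 'NoBitLocker' }
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4 encryption paused, 5 decryption paused
    $status = $vol.GetConversionStatus().ConversionStatus
    switch ($status) {
        0 { return 'FullyDecrypted' }
        2 { return 'EncryptionInProgress' }
        3 { return 'DecryptionInProgress' }
        5 { return 'DecryptionPaused' }
    }
    # 1 or 4: suspend the key protectors. The new firmware changes the PCR 0 measurement the TPM
    # sealed the key to, so without this the next boot demands the recovery password.
    # DisableCount re-enables the protectors automatically after that many reboots.
    $result = $vol.DisableKeyProtectors($RebootCount)
    if ($result.ReturnValue -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $result.ReturnValue) }
    return 'Suspended'
}

function Invoke-BiosFlash {
    param(
        [string]$FlashExe  = (Join-Path $PSScriptRoot 'hpqflash.exe'),              # vendor tool, assumed
        [string]$FlashArgs = ('-s -p' + (Join-Path $PSScriptRoot 'pwfile.bin')),    # HPQFlash syntax from the post
        [int]$RestartDelaySeconds = 600
    )
    if (-not (Test-AcPower)) { Write-Warning 'Running on battery; BIOS not flashed'; return 1 }
    $state = Suspend-BitLockerForFlash -RebootCount 1
    if (@('Suspended', 'FullyDecrypted', 'NoBitLocker') -notcontains $state) {
        Write-Warning "BitLocker is $state; BIOS not flashed"
        return 2
    }
    # -Wait also waits for child processes, which covers flash tools that exit 0 right after spawning the real worker
    $proc = Start-Process -FilePath $FlashExe -ArgumentList $FlashArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        # The flash did not happen, so resume protection now instead of leaving the drive suspended
        if ($state -eq 'Suspended') { [void](Get-SystemVolume).EnableKeyProtectors() }
        return $proc.ExitCode
    }
    & "$env:SystemRoot\System32\shutdown.exe" /r /f /t $RestartDelaySeconds /c 'BIOS updated, restarting'
    return 0
}

# Usage from the SCCM program:  powershell.exe -ExecutionPolicy Bypass -File .\Update-Bios.ps1
# with a final line in that file of:  exit (Invoke-BiosFlash)
```

The exit codes mirror the idea in the VBScript (non-zero means SCCM should record a failure and, for a drive mid-conversion, try again later), and the only state in which the flash runs is one where the protectors are either suspended with an automatic resume or were never on.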

Good Luck

Steve