Microsoft App-V 4.x versions

On a quest for App-V versions I came across a nice overview which could come in handy.

The original overview is found HERE (and an updated version by Aaron Parker is HERE).

Here is the full list:

Release | Type | Release Date (d-m-yyyy) | Desktop Client | Remote Desktop Services (RDS) Client | Sequencer | Management Server | Streaming Server | Link
4.5 RTM | Full | 10-1-2008 | 4.5.0.1485 | 4.5.0.1485 | 4.5.0.1485 | 4.5.0.1485 | 4.5.0.1485 | http://technet.microsoft.com/en-us/library/ee958108.aspx
4.5 Hotfix 2 | Patch | 12-4-2008 | 4.5.0.15131 | 4.5.0.15131 | N/A | N/A | N/A | http://support.microsoft.com/kb/959834
4.5 Hotfix 1 | Patch | 31-10-2008 | 4.5.0.15051 | 4.5.0.15051 | N/A | N/A | N/A | http://support.microsoft.com/kb/959083
4.5 CU1 Hotfix 1 | Patch | 1-3-2009 | 4.5.1.15631 | 4.5.1.15631 | N/A | N/A | N/A | http://support.microsoft.com/kb/969564
4.5 CU1 Hotfix 2 | Patch | 1-5-2009 | 4.5.1.15681 | 4.5.1.15681 | N/A | N/A | N/A | http://support.microsoft.com/kb/969774
4.5 CU1 Hotfix 3 | Patch | 1-6-2009 | 4.5.1.15981 | 4.5.1.15981 | N/A | N/A | N/A | http://support.microsoft.com/kb/971917
4.5 CU1 Hotfix 4 | Patch | 1-7-2009 | 4.5.1.16371 | 4.5.1.16371 | N/A | N/A | N/A | http://support.microsoft.com/kb/973205
4.5 CU1 Hotfix 5 | Patch | 1-8-2009 | 4.5.1.16791 | 4.5.1.16791 | N/A | 4.5.1.16791 | N/A | http://support.microsoft.com/kb/973873
4.5 CU1 Hotfix 6 | Patch | 1-9-2009 | 4.5.1.16811 | 4.5.1.16811 | N/A | N/A | N/A | http://support.microsoft.com/kb/974278
4.5 Hotfix 3 | Patch | 1-9-2009 | 4.5.0.15341 | 4.5.0.15341 | N/A | N/A | N/A | http://support.microsoft.com/kb/961473
4.5 SP1 | Full | 1-11-2009 | 4.5.2.17140 | 4.5.2.17140 | 4.5.2.17140 | 4.5.2.17140 | 4.5.2.17140 | http://support.microsoft.com/kb/976338
4.5 SP1 Hotfix 1 | Patch | 1-1-2010 | 4.5.2.18131 | 4.5.2.18131 | N/A | N/A | N/A | http://support.microsoft.com/kb/978480
4.6 RTM English | Full | 1-2-2010 | 4.6.0.1523 | 4.6.0.1523 | 4.6.0.1523 | N/A | N/A | http://technet.microsoft.com/en-us/library/ee958101.aspx
4.6 RTM All Languages | Full | 1-3-2010 | 4.6.0.20200 | 4.6.0.20200 | 4.6.0.20200 | N/A | N/A | http://technet.microsoft.com/en-us/library/ee958101.aspx
4.5 CU1 | Full | 4-3-2010 | 4.5.1.15580 | 4.5.1.15580 | 4.5.1.15580 | 4.5.1.15580 | 4.5.1.15580 | http://support.microsoft.com/kb/963693
4.5 SP1 Hotfix 2 | Patch | 1-4-2010 | N/A | N/A | N/A | 4.5.2.18541 | N/A | http://support.microsoft.com/kb/980850
4.5 SP2 | Patch | 1-5-2010 | 4.5.3.19480 | 4.5.3.19480 | 4.5.3.19480 | 4.5.3.19480 | 4.5.3.19480 | http://support.microsoft.com/kb/980847
4.6 RTM Hotfix 1 | Patch | 1-5-2010 | 4.6.0.10181 | 4.6.0.10181 | N/A | N/A | N/A | http://support.microsoft.com/kb/981787
4.6 RTM Hotfix 2 | Patch | 1-5-2010 | 4.6.0.10241 | 4.6.0.10241 | N/A | N/A | N/A | http://support.microsoft.com/kb/983173
4.5 SP1 Hotfix 4 | Patch | 30-6-2010 | 4.5.2.19631 | 4.5.2.19631 | N/A | N/A | N/A | http://support.microsoft.com/kb/2267046
4.6 RTM All Lang HF 1 | Patch | 9-8-2010 | 4.6.0.30051 | 4.6.0.30051 | 4.6.0.30051 | N/A | N/A | http://support.microsoft.com/kb/2252568
4.6 RTM Hotfix 3 | Patch | 27-8-2010 | 4.6.0.10271 | 4.6.0.10271 | N/A | N/A | N/A | http://support.microsoft.com/kb/2307495
4.6 RTM Hotfix 4 | Patch | 5-10-2010 | 4.6.0.10291 | 4.6.0.10291 | N/A | N/A | N/A | http://support.microsoft.com/kb/2432513
4.6 RTM Hotfix 5 | Patch | 22-11-2010 | 4.6.0.10311 | 4.6.0.10311 | N/A | N/A | N/A | http://support.microsoft.com/kb/2471081
4.5 SP2 Hotfix 1 | Patch | 30-11-2010 | 4.5.3.19901 | 4.5.3.19901 | N/A | N/A | N/A | http://support.microsoft.com/kb/2432506
4.5 SP1 Hotfix 5 | Patch | 16-12-2010 | 4.5.2.19911 | 4.5.2.19911 | N/A | N/A | N/A | http://support.microsoft.com/kb/2471145
4.6 RTM All Lang HF 2 | Patch | 2-2-2011 | 4.6.0.30091 | 4.6.0.30091 | N/A | N/A | N/A | http://support.microsoft.com/kb/2497486
4.6 RTM SP1 | Full | 10-3-2011 | 4.6.1.20870 | 4.6.1.20870 | 4.6.1.20870 | N/A | N/A | http://support.microsoft.com/kb/2445990
4.5 SP2 Hotfix 2 | Patch | 28-3-2011 | 4.5.3.20031 | 4.5.3.20031 | N/A | 4.5.3.20031 | N/A | http://support.microsoft.com/kb/2507096
4.6 RTM All Lang HF 6 | Patch | 13-4-2011 | 4.6.0.30101 | 4.6.0.30101 | N/A | N/A | N/A | http://support.microsoft.com/kb/2517188
4.6 RTM Hotfix 6 | Patch | 13-4-2011 | 4.6.0.10331 | 4.6.0.10331 | N/A | N/A | N/A | http://support.microsoft.com/kb/2517187
4.6 SP1 Hotfix 1 | Patch | 29-4-2011 | 4.6.1.30051 | 4.6.1.30051 | N/A | N/A | N/A | http://support.microsoft.com/kb/2532192
4.6 SP1 Hotfix 2 | Patch | 23-6-2011 | 4.6.1.30081 | 4.6.1.30081 | N/A | N/A | N/A | http://support.microsoft.com/kb/2549352
4.6 RTM Hotfix 7 | Patch | 28-6-2011 | 4.6.0.10351 | 4.6.0.10351 | N/A | N/A | N/A | http://support.microsoft.com/kb/2555574
4.6 RTM All Lang HF 7 | Patch | 28-6-2011 | 4.6.0.30121 | 4.6.0.30121 | N/A | N/A | N/A | http://support.microsoft.com/kb/2555575
4.6 SP1 Hotfix 3 | Patch | 26-7-2011 | 4.6.1.30091 | 4.6.1.30091 | 4.6.1.30091 | N/A | N/A | http://support.microsoft.com/kb/2571168
4.6 SP1 Hotfix 4 | Patch | 14-9-2011 | 4.6.1.30101 | 4.6.1.30101 | N/A | N/A | N/A | http://support.microsoft.com/kb/2586968
4.6 SP1 Hotfix 5 | Patch | 2-2-2012 | 4.6.1.30111 | 4.6.1.30111 | N/A | N/A | N/A | http://support.microsoft.com/kb/2645225
4.6 SP1 Hotfix 6 | Patch | 16-5-2012 | 4.6.1.30121 | 4.6.1.30121 | N/A | N/A | N/A | http://support.microsoft.com/kb/2693779
4.6 SP1 Hotfix 7 | Patch | 28-9-2012 | 4.6.1.30131 | 4.6.1.30131 | N/A | N/A | N/A | http://support.microsoft.com/kb/2744141
4.6 SP1 Hotfix 8 | Patch | 4-10-2012 | 4.6.1.30151 | 4.6.1.30151 | 4.6.1.30151 | N/A | N/A | http://support.microsoft.com/kb/2761558
4.6 SP2 | Patch | 1-11-2012 | 4.6.2.24020 | 4.6.2.24020 | 4.6.2.24020 | N/A | N/A | http://support.microsoft.com/kb/2738315


Security Compliance Manager 3.0

The Microsoft Security Compliance Manager (SCM) helps you create and maintain security baselines using Group Policy Objects or System Center Configuration Manager 2012.

With SCM you can obtain baseline policies based on security best practices, customize them to the particular needs of your organization, and export them to a number of formats for use in different scenarios.

From the Microsoft site:

New! Version 3.0 of the Security Compliance Manager (SCM) tool is now available for download! In addition to key features from the previous version, SCM 3.0 offers new baselines for Internet Explorer 10, Windows 8, and Windows Server 2012! SCM enables you to quickly configure and manage computers and your private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM 3.0 provides ready-to-deploy policies and DCM configuration packs based on Microsoft Security Guide recommendations and industry best practices, allowing you to easily manage configuration drift, and address compliance requirements for Windows operating systems and Microsoft applications.

And

Overview

The Microsoft Security Compliance Manager takes our extensive guidance and documentation—including the previously stand-alone product-specific security guides—and incorporates it into one tool, enabling you to access and automate all of your organization’s security baselines in a centralized location.

To access the security guidance for Windows client and server operating systems and Microsoft applications, simply download the tool, and select the “Attachments \ Guides” node within each product baseline tree.

Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats—including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP)—to export the baselines to your environment to automate the security baseline deployment and compliance verification process. Use the Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

Key Features & Benefits

  • Integration with the System Center 2012 Process Pack for IT GRC: Product configurations are integrated into the Process Pack for IT GRC to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Centralized Management of Your Baseline Portfolio: The centralized management console of the Security Compliance Manager provides you with a unified, end-to-end user experience to plan, customize, and export security baselines. The tool gives you full access to a complete portfolio of recommended baselines for Windows client and server operating systems, and Microsoft applications. The Security Compliance Manager also enables you to quickly update the latest Microsoft baseline releases and take advantage of baseline version control.
  • Security Baseline Customization: Customizing, comparing, merging, and reviewing your baselines policy configurations just got easier. Use the customization capabilities of the Security Compliance Manager to duplicate any of the recommended baselines from Microsoft and quickly modify security settings to meet the standards of your organization’s environment.
  • Multiple Export Capabilities: Export baselines in formats like XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP) to enable automation of deployment and monitoring baseline compliance.
  • Available policy configuration baselines include Windows Server 2012, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2003 SP2, Hyper-V, Windows 8, Windows 7 SP1, Windows Vista SP2, Windows XP SP3, BitLocker Drive Encryption, Windows Internet Explorer 10, Windows Internet Explorer 9, Windows Internet Explorer 8, Microsoft Office 2010 SP1, Microsoft Office 2007 SP2, Exchange Server 2010 SP2 and Exchange Server 2007 SP3.

So how does this work?

First you have to download SCM. This can be done HERE.

Installation

Kick off the Security_Compliance_Manager_Setup.exe

Prerequisite installation

SQL Express 2008 is required. If there is no instance found you can install a version here.

And off we go!

After you select ‘Finish’, SCM will start automatically and import the first baselines.

And then the console opens.

One of the features I like is the export to an ‘SCCM DCM 2007 (.cab)’ file, which you can import into ConfigMgr. Yes, this is the old name, but the files are also usable in ConfigMgr 2012 SP1!

So fire up your SCCM 2012 SP1 console, go to Assets and Compliance – Overview – Compliance Settings – Configuration Baselines and choose ‘Import’. Click ‘Add’.

You will get a warning that the publisher could not be verified (too bad, because it is from Microsoft…).

But it will succeed.

Browse through the settings and find out which best practices Microsoft has in mind 🙂

Now all you have to do is ‘Deploy’ the baseline to a Collection and see if your environment is healthy according to Microsoft’s best practices!

System Center 2012 Configuration Manager Configuration Pack

Compliance Settings for ConfigMgr 2012. Microsoft has provided us with a Configuration Pack for ConfigMgr 2012. This Configuration Pack contains Configuration Items and a Configuration Baseline for our ConfigMgr 2012 environment.

This Configuration Pack monitors the following:

  • Management Point(s);
  • Site Server(s);
  • Software Update Point(s).

You can download the Configuration Pack HERE.

From the Microsoft site:

Overview

Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center 2012 Configuration Manager Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2012 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2012 site system roles using the desired configuration management component in Configuration Manager 2012. This configuration pack monitors the following site system roles: management points, site server, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center 2012 Configuration Manager Server Roles configuration baseline to a collection which contains your Configuration Manager 2012 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the management point role, it will not be evaluated for software update point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration item in the context of the Configuration Manager 2012 Server Role being addressed.

Installation

After download (HERE) install the MSI package.

That was easy!

In the installation directory you will find several files. Note that ConfigMgr2012ConfigPackReview.doc contains all the info about the Configuration Pack. Nice info!

I will put the content of the doc at the end of this post (HERE).

Import the Configuration Pack

Now you have to import the Configuration Pack.

Go to: Assets and Compliance – Overview – Compliance Settings, right-click ‘Configuration Baselines’ and choose ‘Import Configuration Data’.

Click Add, browse to your installation directory and select CM2012ServerRolesConfigpack.cab.

Click Next twice.

And there you are, you have 1 Configuration Baseline and 4 Configuration Items.

You can browse through the configuration items by selecting ‘Properties’. One thing you will notice is that all the ‘Remediate’ options are set to ‘No’ by default. This is actually a good thing: you don’t want anything automatically remediated in your ConfigMgr environment without you knowing about it. But it is possible 🙂


Deploy the Configuration Baseline

Make a collection with your SCCM 2012 site server(s) and deploy the Configuration Baseline.

Pick a collection and select OK.


And now you have to wait until the Baseline has run on the SCCM 2012 server(s).

Here you can choose ‘View Report’. This is the report from my SQL server:

Not much to do here, but at least it is nice and Green 😉

And this is the one from my ConfigMgr site server.

Hm, Non-Compliant, let’s check this out.

And the details:

Under Non-Compliant rules we see that the BGB firewall port for the Management Point should be open. As per the script, a warning is generated if the BGB port is found closed on the MP. The rest of the configuration items report that our server is Compliant.

OK, let’s check this script. It is found under Configuration Items – Microsoft System Center 2012 Configuration Manager Management Point, Properties, BGB firewall port.

Edit – Compliance Rules – Edit

So what this tells us is that the script generates a Warning when it finds that the port used for BGB is closed. But my firewall is disabled, so it should not generate this error, should it?

Check the underlying script:

Edit Script:

Option Explicit

' Reads the BGB (notification server) TCP listener port from the registry.
Function GetBGBPort()
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim strComputer,strKeyPath,oReg,arrSubKeys,dwValue,strValueName,WshShell
    strComputer = "."
    strKeyPath = "Software\Microsoft\SMS\NotificationServer"
    strValueName="TCP Listener Port"
    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set WshShell = WScript.CreateObject("WScript.Shell")
    If oReg.EnumKey(HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys) = 0 Then
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    End If
    If not IsNull(dwValue) Then
        If not IsEmpty(dwValue) Then
            GetBGBPort = dwValue
        End If
    End If
End Function

' Walks the globally open ports of the current firewall profile looking for the BGB port.
Function FirewallPortIsOpen(iBGBPort)
    FirewallPortIsOpen = false
    Dim objFirewall, objPolicy, colPorts, objPort
    Set objFirewall = CreateObject("HNetCfg.FwMgr")
    Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
    Set colPorts = objPolicy.GloballyOpenPorts
    For Each objPort in colPorts
        If objPort.Port = iBGBPort Then
            FirewallPortIsOpen = true
        End If
    Next
End Function

Dim iBGBPort
iBGBPort = GetBGBPort()
If FirewallPortIsOpen(iBGBPort) Then
    WScript.echo "Port Open"
Else
    WScript.echo "Port Closed"
End If


And here you have the culprit. Although my firewall is disabled the script enumerates the current firewall profile to see if the used port is open!

So I opened up the port (standard 10123 TCP) in the firewall policy (Inbound Rule) et voilà, all green!
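As an added example (my own code, not the Configuration Pack's script), here is a PowerShell discovery script for the same setting that first looks at whether the firewall is enabled for each active profile and only then searches the inbound allow rules, so a disabled firewall no longer produces a false ‘Port Closed’. It assumes the Windows Firewall with Advanced Security COM API (HNetCfg.FwPolicy2, Windows Server 2008 and later) and reuses the registry value and the ‘Port Open’/‘Port Closed’ output strings of the script above.

```powershell
# Added example, not the Configuration Pack's script: a discovery script for the
# 'BGB firewall port is opened' setting that also looks at the firewall state.
# Assumes the HNetCfg.FwPolicy2 COM API (Windows Server 2008 and later).
$ErrorActionPreference = 'Stop'

function Get-BgbPort {
    # Same registry value the original script reads on a Management Point.
    $key  = 'HKLM:\SOFTWARE\Microsoft\SMS\NotificationServer'
    $item = Get-ItemProperty -Path $key -Name 'TCP Listener Port' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'TCP Listener Port'
}

function Test-PortInList {
    param([string]$LocalPorts, [int]$Port)
    # A rule's LocalPorts is a string such as '10123', '80,443', '1024-65535' or '*'.
    if ($LocalPorts -eq '*') { return $true }
    foreach ($part in ($LocalPorts -split ',')) {
        $p = $part.Trim()
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
    }
    return $false
}

function Test-BgbPortReachable {
    param([int]$Port)
    $NET_FW_IP_PROTOCOL_TCP = 6
    $NET_FW_IP_PROTOCOL_ANY = 256
    $NET_FW_RULE_DIR_IN     = 1
    $NET_FW_ACTION_ALLOW    = 1

    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # CurrentProfileTypes is a bitmask: 1 = domain, 2 = private, 4 = public.
    # More than one profile can be active on a server with several NICs.
    $active = @(1, 2, 4) | Where-Object { ($policy.CurrentProfileTypes -band $_) -ne 0 }

    foreach ($profileType in $active) {
        # A disabled firewall blocks nothing, so the port is open for this profile.
        # This is exactly the case the original script reports as 'Port Closed'.
        if (-not $policy.FirewallEnabled($profileType)) { continue }

        # Look for an enabled inbound allow rule for TCP on this port. Block rules
        # that would override such an allow rule are not considered here.
        $allowed = $false
        foreach ($rule in $policy.Rules) {
            if (-not $rule.Enabled)                         { continue }
            if ($rule.Direction -ne $NET_FW_RULE_DIR_IN)    { continue }
            if ($rule.Action    -ne $NET_FW_ACTION_ALLOW)   { continue }
            if (($rule.Profiles -band $profileType) -eq 0)  { continue }   # rule not in this profile
            if ($rule.Protocol  -eq $NET_FW_IP_PROTOCOL_ANY) { $allowed = $true; break }
            if ($rule.Protocol  -ne $NET_FW_IP_PROTOCOL_TCP) { continue }
            if (Test-PortInList -LocalPorts $rule.LocalPorts -Port $Port) { $allowed = $true; break }
        }
        # Every active profile has to let the port through.
        if (-not $allowed) { return $false }
    }
    return $true
}

$port = Get-BgbPort
if ($null -eq $port) {
    # No NotificationServer key: this server is not a BGB-enabled Management Point.
    Write-Output 'No BGB port configured'
} elseif (Test-BgbPortReachable -Port $port) {
    Write-Output 'Port Open'
} else {
    Write-Output 'Port Closed'
}
```

The compliance rule on the configuration item would then need a third case for the ‘No BGB port configured’ string, or that line can be dropped if the item is only ever evaluated on Management Points.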


System Center 2012 Configuration Manager Configuration Pack

Detailed Summary

Configuration Manager 2012 Configuration Pack

Configuration Baseline: Microsoft System Center 2012 Configuration Manager Server Roles

  • Included Configuration Items (If these optional application configuration items are detected, they must be properly configured)
    • Microsoft System Center 2012 Configuration Manager Site Server
    • Microsoft System Center 2012 Configuration Manager Management Point
    • Microsoft System Center 2012 Configuration Manager Software Update Point
    • Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Configuration Item: Microsoft System Center 2012 Configuration Manager Site Server

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • ConfigMgr Distribution Manager Startup Type
    • Title – ConfigMgr Distribution Manager Startup Type
    • Description – Verifies the Distribution Manager component startup type is configured correctly. This setting applies to all primary sites, secondary sites, and Central Administration Server.
    • Type of provider – Registry value.
  • ConfigMgr Offer Manager Startup Type
    • Title – ConfigMgr Offer Manager Startup Type
    • Description – Verifies the Offer Manager component startup type is configured correctly. This setting applies only to primary site servers.
    • Type of provider – Registry value.
  • SMS_EXECUTIVE
    • Title – SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE registry key should be present on site server.
    • Type of provider – Registry key.
  • Sync Done
    • Title – Sync Done
    • Description – Script checks status message system for presence of sync done message.
    • Type of provider – Script.
  • Sync in Progress: WSUS Server
    • Title – Sync in Progress: WSUS Server
    • Description – Script checks status message system for presence of sync in progress: WSUS server message.
    • Type of provider – Script.
  • Sync Started
    • Title – Sync Started
    • Description – Script checks status message system for presence of sync started message.
    • Type of provider – Script.
  • WSUS Configuration Manager Startup Type
    • Title – WSUS Configuration Manager Startup Type
    • Description – Verifies the WSUS Configuration Manager Component startup type is configured correctly.
    • Type of provider – Registry value.
  • WSUS Sync Manager Startup Type
    • Title – WSUS Sync Manager Startup Type
    • Description – Verifies the WSUS Sync Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Microsoft System Center 2012 Configuration Manager Management Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • Background Intelligent Transfer Service (BITS) Server Extensions
    • Title – Background Intelligent Transfer Service (BITS) Server Extensions
    • Description – Verify that BITS is installed on this IIS server.
    • Type of provider – Script.
  • BGB firewall port is opened
    • Title – BGB firewall port is opened
    • Description – Verifies that the ‘Big Green Button’ (BGB) firewall port for this Management Point is open.
    • Type of provider – Script.
  • BITS Upload Enabled
    • Title – BITS Upload Enabled
    • Description – Verify that BITS Upload is enabled in IIS.
    • Type of provider – WQL query.
  • IIS Admin Service Start Mode
    • Title – IIS Admin Service Start Mode
    • Description – Verifies the IIS Admin Service is properly configured to auto start.
    • Type of provider – WQL query.
  • IIS Admin Service State
    • Title – IIS Admin Service State
    • Description – Verifies the IIS Admin Service is running.
    • Type of provider – WQL query.
  • IIS Windows Authentication
    • Title – IIS Windows Authentication
    • Description – Verifies that IIS has Windows Authentication enabled.
    • Type of provider – Script.
  • Microsoft Distributed Transaction Coordinator Service State
    • Title – Microsoft Distributed Transaction Coordinator Service State
    • Description – Distributed Transaction Coordinator Service should be running on Management Point.
    • Type of provider – WQL query.
  • Microsoft Distributed Transaction Coordinator Start Mode
    • Title – Microsoft Distributed Transaction Coordinator Start Mode
    • Description – Verifies the MSDTC service is properly configured to auto start.
    • Type of provider – WQL query.
  • Minimum Physical Memory Requirement
    • Title – Minimum Physical Memory Requirement
    • Description – Management Point meets minimum physical memory (RAM) requirements.
    • Type of provider – WQL query.
  • Windows Task Scheduler Service State
    • Title – Windows Task Scheduler Service State
    • Description – Task Scheduler Service should be running on Management Point.
    • Type of provider – WQL query.
  • Windows Task Scheduler Start Mode
    • Title – Windows Task Scheduler Start Mode
    • Description – Verifies the Windows Task Scheduler is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service Start Mode
    • Title – World Wide Web Publishing Service Start Mode
    • Description – Verifies the World Wide Web Publishing Service is properly configured to auto start.
    • Type of provider – WQL query.
  • World Wide Web Publishing Service State
    • Title – World Wide Web Publishing Service State
    • Description – World Wide Web Publishing Service should be running on Management Point.
    • Type of provider – WQL query.

Configuration Item: Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • WSUS Control Manager Current State
    • Title – WSUS Control Manager Current State
    • Description – Verifies the WSUS Control Manager Component is running.
    • Type of provider – Registry value.
  • WSUS Control Manager Startup Type
    • Title – WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

Configuration Item: Windows Server Update Services configuration for Microsoft System Center 2012 Configuration Manager Software Update Point

Type – Application

Detection Method – ScriptDiscovery (VBScript)

Settings:

  • microsoft.updateservices.admindataaccessproxy.dll
    • Title – microsoft.updateservices.admindataaccessproxy.dll
    • Description – Verify all instances of microsoft.updateservices.admindataaccessproxy.dll.
    • Type of provider – File system.
  • microsoft.updateservices.administration.dll
    • Title – microsoft.updateservices.administration.dll
    • Description – Check for the existence of microsoft.updateservices.administration.dll.
    • Type of provider – File system.
  • microsoft.updateservices.baseapi.dll
    • Title – microsoft.updateservices.baseapi.dll
    • Description – Verify all instances of microsoft.updateservices.baseapi.dll.
    • Type of provider – File system.
  • Setup
    • Title – Setup
    • Description – Setup Registry key should be present.
    • Type of provider – Registry key.
  • SMS_EXECUTIVE
    • Title – SMS_EXECUTIVE
    • Description – SMS_EXECUTIVE Registry key should be present.
    • Type of provider – Registry key.
  • Windows Server Update Services Start Mode
    • Title – Windows Server Update Services Start Mode
    • Description – Verifies the WSUS Service start mode is configured correctly.
    • Type of provider – WQL query.
  • WSUS
    • Title – WSUS
    • Description – WSUS Registry key should be present.
    • Type of provider – Registry key.
  • WSUS Control Manager Startup Type
    • Title – WSUS Control Manager Startup Type
    • Description – Verifies the WSUS Control Manager Component startup type is configured correctly.
    • Type of provider – Registry value.

ConfigMgr 2012 Compliance Settings


Compliance Settings in SCCM 2012 SP1 were called ‘Desired Configuration Management’ in SCCM 2007. Compliance Settings consist of ‘Configuration Items’ and ‘Configuration Baselines’. There is another node here: ‘User Data and Profiles’. This one is not a Compliance Setting but Folder Redirection from within the ConfigMgr console… (hmm, well, that’s what GPOs are for, aren’t they?)

The Compliance Settings help you assess the compliance of users and/or devices for all kinds of configurations in your organization. For instance: the right OS version, updates, hotfixes, applications, application settings, prohibited applications, etc.

The Configuration Items do all the magic. They can be of various kinds:

  • Windows;
  • Mobile Device;
  • Mac OS X.

They can query in various ways, and Configuration Items can also remediate non-compliant settings if you like!

Compliance is evaluated by defining a configuration baseline that contains the configuration items you want to evaluate, plus the settings and rules that describe the level of compliance you must have or would like to have. You can import this configuration data into ConfigMgr from Microsoft System Center Configuration Manager Configuration Packs, which can contain best practices defined by Microsoft and other vendors. You can also create new configuration items and configuration baselines yourself for your own applications.

After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them.

Configuration items: A collection of settings, values, and criteria that defines what is compared, checked, or evaluated on a target system.

Configuration baselines: Contains one or multiple configuration items. Configuration items must be part of a configuration baseline to be assigned for evaluation on a collection of systems.


To use Compliance Settings in your environment there are a few steps you have to take:

  • Enable Compliance Settings on your clients;
  • Reporting Services must be installed as a site role.


Enable Compliance Settings on your clients.

Go to: Administration, Client Settings.

Edit or create ‘Client Device Settings’.

Select ‘Compliance Settings’.

Set ‘Enable compliance evaluation on clients’ to Yes.

Then deploy the Client Device Settings to a collection.


Reporting Services must be installed as a site role.

The Reporting services point is installed.


Now you can Add Configuration Items and Define Configuration Baselines!

That’s next time!

WSUS and ConfigMgr 2012 HTTPS communication

When you have your ConfigMgr 2012 site fully communicating over HTTPS you may also want your Software Updates delivered over a secure channel.

Well, that’s possible!

More info: http://technet.microsoft.com/en-us/library/bb633246.aspx

When you have the WSUS component installed on the SCCM 2012 SP1 server, the same certificate that was used to secure the ‘Default Web Site’ can be used to secure the WSUS Administration site from within IIS.

TIP

Not all the virtual directories within the WSUS Administration site need to be enabled for SSL.
Only enable SSL for:

  • APIRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

Web Server Configuration


To configure WSUS for SSL communication:

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Sites, and select the WSUS administration site (which is often the ‘Default Web Site’).
  3. Click the Bindings action.
  4. Click Add, select HTTPS, and click Edit.
  5. Choose the certificate from the list.
    (Click View to verify the correct certificate was selected, click OK, and then click Close).
  6. Select the APIRemoting30 virtual directory.
  7. Double-click the SSL Settings option.
  8. Enable the Require SSL option and click Apply.
  9. Repeat for the ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories.

With the WSUS virtual directories correctly configured, run the following command on the WSUS server to finalize the configuration needed to support SSL:

WSUSUtil.exe configuressl {FQDN.siteservername}

This utility is located in the Tools folder within the WSUS installation folder.
(By default, this folder is C:\Program Files\Update Services\Tools).
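The IIS part of the procedure above and the final WSUSUtil.exe call, automated in PowerShell as an added example (my own code, not from the original post or from Microsoft). It assumes the WebAdministration module (Windows Server 2008 R2 and later), a WSUS site named ‘WSUS Administration’ on port 8531 (use ‘Default Web Site’ and 443 if WSUS lives there), and a web server certificate with a private key for this host's FQDN already in the machine's Personal store.

```powershell
# Added example (not the post's or Microsoft's code): configure the WSUS site for
# SSL the same way the manual IIS steps above do, then run WSUSUtil.exe.
# Assumed defaults: site 'WSUS Administration' on 8531; certificate in LocalMachine\My.
param(
    [string]$SiteName  = 'WSUS Administration',
    [int]   $HttpsPort = 8531,
    [string]$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Only these virtual directories get 'Require SSL' (the TIP above). The others,
# including the one clients download update content from, stay on HTTP.
$sslDirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
           'ServerSyncWebService', 'SimpleAuthWebService'

# 1. Pick the web server certificate issued to this host (newest one wins).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }

# 2. Add the HTTPS binding if the site does not already have one on this port.
$binding = Get-WebBinding -Name $SiteName -Protocol https |
           Where-Object { $_.bindingInformation -like "*:${HttpsPort}:*" }
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
}

# 3. Attach the certificate to the binding (the 'Edit' step on the binding in IIS Manager).
$sslPath = "IIS:\SslBindings\0.0.0.0!$HttpsPort"
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# 4. Require SSL on the five virtual directories only.
foreach ($dir in $sslDirs) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$dir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 5. Read the flags back so the change is verified rather than assumed.
foreach ($dir in $sslDirs) {
    $flags = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/$dir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $value = if ($null -ne $flags.Value) { [string]$flags.Value } else { [string]$flags }
    if ($value -notmatch 'Ssl') { throw "Require SSL is not set on $SiteName/$dir" }
}

# 6. Tell WSUS itself to use SSL, exactly as the post does with WSUSUtil.exe.
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\WSUSUtil.exe'
& $wsusUtil configuressl $Fqdn
```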


ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles choose your Software Update Point and select Properties.

Now select the Require SSL communication to the WSUS server.


And as visible in the WCM.log we have SSL communication:

HTTPS Communication SCCM 2012 SP1 (Part 3)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this three-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (HERE) and third one (this one) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen:

  • Have HTTPS traffic from and to the Distribution Point


So I have got my clients communicating over HTTPS, with my PKI Infrastructure, to the Management Point. Nice!
But now I want the traffic from and to the Distribution Point also over HTTPS.


ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles select the server with the Distribution Point Role. Select Properties.

Import Certificate.
You need the ConfigMgr Client Distribution Point certificate (the .PFX); supply the password and click OK.


And now the data is flowing securely from and to your DP.


Part 1 Here.

Part 2 Here.

HTTPS Communication SCCM 2012 SP1 (Part 2)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this three-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (this one) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen in this post:

  • Have the Clients talk over HTTPS to the site server (Management Point)


With all the certificates in place let’s see if I can change the Client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.


Site Server Communication

Export the Root CA Certificate as a DER encoded binary X.509 (.CER) certificate.

In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.

Right-click and select Properties.

Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients that use HTTP, select HTTP or HTTPS instead.

Under Trusted Root Certification Authorities select your Root CA Certificate.


For a client that has already been deployed, just wait; the client certificate will change to PKI.

And I am communicating over HTTPS with my PKI:

As I can also see in my ClientLocation.log

The ccmsetup.log also shows that all communication is secure.


Part 1 Here.

Part 3 Here.

HTTPS Communication SCCM 2012 SP1 (Part 1)

If you do a default installation of ConfigMgr 2012, the clients will communicate over HTTP with the Management Point. All traffic from the Distribution Point will also be over HTTP. And if you use the Application Catalog, well, that’s HTTP also.

In this 3 post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (this one) I explain the certificates needed; the second (HERE) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

As you could read in a previous post, my PKI infrastructure is already in place.
Time to put it to its full use!

For full background details look here: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012


ConfigMgr 2012 SP1 needs 3 certificates to fully function:

  1. Client Certificate
  2. Web Server Certificate
  3. Client certificate for Distribution Points


The Client Certificate will be deployed through Active Directory with an auto-enrollment GPO. The other 2 will be imported on the SCCM 2012 SP1 server.

The Web Server Certificate will be configured in Internet Information Services (IIS), and the Client certificate for Distribution Points will be used to authenticate the Distribution Point for HTTPS and for PXE support to clients. This will be configured in SCCM 2012 SP1.


Client Certificate

On the Certificate Authority (CA) server, open up your CA and choose Duplicate Template.
The template you need for this is the Workstation Authentication template.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Autoenroll’ for Domain Computers, do not clear ‘Enroll’.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your Client Certificate.



Auto-enrollment of the Client Certificate

For auto-enrollment use a Group Policy Object (GPO).

Best practice is to use a separate GPO for the auto-enrollment.
In the Group Policy Management console, Create a GPO in this domain, and Link it here.
(be sure to point to the right Organizational Unit (OU)).

Now go to Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies.


Right-click and Enable auto-enrollment:



Web Server Certificate

On the Certificate Authority (CA) server, open up your CA and choose Duplicate Template.
The template you need for this is the Web Server template.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site (IIS) Server(s), and clear ‘Enroll’ for Enterprise Admins.

On the Subject Name tab, make sure Supply in the request is selected.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Web Server Certificate.


Enrollment of the ConfigMgr Web Server Certificate

Open an MMC and add the Certificates snap-in for Local Computer.

Right-click Certificates and Request New Certificate. Select the ConfigMgr Web Server Certificate you created.

Select More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

Examples:

  • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is sccm2012.lab.local: Type sccm2012.lab.local, and then click Add.
  • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is sccm2012.lab.local and the Internet FQDN of the site system server is sccm2012.wibier.me:
    • Type sccm2012.lab.local, and then click Add.
    • Type sccm2012.wibier.me, and then click Add.


Configure IIS to use the ConfigMgr Web Server Certificate

On the SCCM Web Server open Internet Information Services (IIS) Manager.

Expand Sites, right-click your site (usually ‘Default Web Site’) and select Edit Bindings.

Select the HTTPS entry and click Edit; here you pick the ConfigMgr Web Server Certificate.

OK and Close.

(You can check the site by opening Internet Explorer and browsing to your site with https://. There should not be a warning about a certificate.)

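As an added example (not code from the original post), the enrollment and IIS steps above done from PowerShell on the site server: it requests the ConfigMgr Web Server Certificate with both FQDNs as DNS alternative names and an empty subject, checks the SAN before use, and binds the certificate to HTTPS on the Default Web Site. It assumes Windows Server 2012 or later (PKI and WebAdministration modules) and that the duplicated template's name is ConfigMgrWebServerCertificate; the FQDNs are the ones used in the post.

```powershell
# Added example, not from the original post. Assumes the PKI and WebAdministration
# modules (Windows Server 2012 or later) and a template named ConfigMgrWebServerCertificate.
Import-Module PKI
Import-Module WebAdministration

$templateName = 'ConfigMgrWebServerCertificate'     # assumed template (common) name
$fqdns        = @('sccm2012.lab.local', 'sccm2012.wibier.me')  # intranet and Internet FQDN

# Enroll from the enterprise CA. The subject stays empty (template: Supply in the request);
# only DNS alternative names are supplied, as the post describes.
$result = Get-Certificate -Template $templateName -DnsName $fqdns `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($result.Status)"
}
$cert = $result.Certificate

# Check that every FQDN is present in the SAN extension (OID 2.5.29.17) before touching IIS.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $san.Format($true)
foreach ($name in $fqdns) {
    if ($sanText -notmatch [regex]::Escape("DNS Name=$name")) {
        throw "SAN is missing $name"
    }
}

# Bind the certificate to port 443 on the Default Web Site (create the binding if absent).
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 | Out-Null
}
# SSL bindings are keyed by IP!port; 0.0.0.0 means all addresses.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Confirm the binding now uses the freshly issued certificate.
$bound = (Get-Item $sslPath).Thumbprint
if ($bound -ne $cert.Thumbprint) { throw 'HTTPS binding does not use the new certificate' }
"HTTPS binding on '$site' uses thumbprint $bound"
```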

Client certificate for Distribution Points

On the Certificate Authority (CA) server, open up your CA and choose Duplicate Template.
The template you need for this is the Workstation Authentication template.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site Server(s), and clear ‘Enroll’ for Enterprise Admins.

On the Request Handling tab, select Allow private key to be exported.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Client Certificate for Distribution Points.


Enrollment of the Client certificate for Distribution Points

Open an MMC and add the Certificates snap-in for Local Computer.

Right-click Certificates and Request New Certificate. Select the Client certificate for Distribution Points you created.

After that, export the certificate WITH the private key (as a .PFX file).

Part 2 HERE!

Part 3 HERE!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 2)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉


In Part 1 I took care of the setup of the necessary PKI infrastructure and the certificate part.
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.

So we took care of the certificate; now we have to upload it to Windows Azure.


Upload Certificate

Log on to the Windows Azure Management Portal.
Under Settings you can upload your certificate (this will be the .CER one).

And the result is visible:

Create the Windows Azure Cloud Distribution Point:

Now it’s time to create the Distribution Point in the Cloud!

Launch your ConfigMgr Console and let’s start.

Under Administration – Overview – Hierarchy Configuration – Cloud you find Create Cloud Distribution Point.


And here you need your Subscription ID and certificate (the .PFX one).


Select your Region, and Certificate:


Specify the alerts:


And off we go.

Looks good:


You can follow the process by looking in the CloudMgr.log.


This can take a while! So be patient, it will come eventually.

Still working:


And there we are!


And also in the Windows Azure Management Portal:


Distribute content to the Windows Azure Cloud Distribution Point:

There are no extra steps needed to distribute content to a Windows Azure DP.
You take an application and distribute it to the Cloud.

The logging is found in DistrMgr.log.


And in the console:


Cloud rules!


Read Part 1 Here!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 1)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉


The subscription isn’t much of a hassle. Takes about 10 min!

In Part 1 I will set up the necessary PKI infrastructure and take care of the certificate part.
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.


PKI Infrastructure

Nothing fancy here as this is a lab environment. Just set up the PKI infrastructure.

Add Server Role – Active Directory Certificate Services


Certificate Authority:


Enterprise:


Root CA:


New private key:


Select 2048 for Key character length:


CA Name:


Validity period (I don’t think my lab will last this long ;-)):


Now Install the CA.


Deploy the Certificate


So that’s up and running, now for the fun part.

Microsoft has some good info on what certificates you need.


Source:

  • Deployment of the PKI Certificates for Configuration Manager:

http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_clouddpcreating2008

  • PKI Certificate Requirements for Configuration Manager:

http://technet.microsoft.com/en-us/library/gg699362.aspx

We will go from there.

  • Create a Security Group that contains the member servers on which the System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points are installed.
  • On your Certificate Authority (CA) server go to the console and right-click Certificate Templates, choose Manage.
  • Right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
  • Select Windows Server 2003, Enterprise Edition
  • On the General tab enter a name (ConfigMgr Cloud-Based Distribution Point Certificate)
  • On the Request Handling tab – Allow private key to be exported.
  • Security tab – Remove Enroll for Enterprise Admins and Add your Security Group.
  • Click OK and close the Template console.
  • Right-click Certificate Templates, New and Certificate Template to Issue.
  • Select your Template and select OK.

Request the Certificate

Now we have to request the certificate.

  • Go to your site server.
  • Open up an MMC and add the Certificates snap-in for Local computer.
  • Go to Personal and, under All Tasks, select Request New Certificate.

Now you have to enter some information:

The info you need for Windows Azure is:
– the name of your Windows Azure Cloud Distribution Point


  • Select and Enroll.


  • Enrollment successful.


  • The Certificate will be visible in the CA console under Issued Certificates.


Export the Certificate

You will have to export the Certificate twice, once with and once without the private key!

  • Without the Private Key:


  • And with the Private Key:


The certificate is now ready to be imported when you create a cloud-based distribution point.
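As an added example (not code from the original post), the request and the two exports above done from PowerShell on the site server; the .PFX part is the same "export WITH the private key" step as in HTTPS Communication Part 1. It enrolls from the duplicated template, writes the DER .cer without the private key for Windows Azure and the password-protected .pfx with the key for the ConfigMgr console, and checks both files. It assumes Windows Server 2012 or later (PKI module); the template name ConfigMgrCloudDPCertificate, the cloud DP name and the output folder are placeholders.

```powershell
# Added example, not from the original post. Assumes the PKI module (Windows Server 2012
# or later); template name, cloud DP name and output folder are placeholders.
Import-Module PKI

$templateName = 'ConfigMgrCloudDPCertificate'   # assumed template (common) name
$cloudDpName  = 'clouddp.example.invalid'         # placeholder cloud DP name
$outDir       = 'C:\Certs'                        # placeholder export location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Request with the cloud DP name as the subject; the template must allow key export.
$result = Get-Certificate -Template $templateName -SubjectName "CN=$cloudDpName" `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# Stop early if no private key came back: the .pfx export below would fail anyway.
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key' }

# 1) Public certificate only (DER encoded binary X.509) -> upload to Windows Azure.
$cerPath = Join-Path $outDir "$cloudDpName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2) Certificate with private key, protected by a password -> import in the console.
$pfxPath     = Join-Path $outDir "$cloudDpName.pfx"
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity check: the .cer must not carry a key, and the .pfx must match the issued cert.
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pfxCheck = Get-PfxCertificate -FilePath $pfxPath   # prompts for the password again
if ($cerCheck.HasPrivateKey) { throw '.cer unexpectedly contains a private key' }
if ($pfxCheck.Thumbprint -ne $cert.Thumbprint) { throw '.pfx does not match the issued certificate' }
"Exported $cerPath (public only) and $pfxPath (with key); thumbprint $($cert.Thumbprint)"
```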

In Part 2 I will continue!