Running LAPS Around Desktop Security (Part 3 – GPOs and Testing)

Now we reach the final stretch: the domain configuration is complete and we've installed the client-side extensions on our workstations or servers, so now they just need a policy that tells the CSE what to do!


If you missed the first part of this series you can find it HERE, and the second part is HERE; otherwise, read on for the Group Policy configuration and testing of the console.


Lenovo BIOS to UEFI Conversion During Task Sequence (SecureBoot and Virtualization Technology Too)

As we plan our migration from Windows 7 to Windows 10 as an organization, we know that we want to take advantage of Credential Guard and Device Guard in our new OS. However, we also know that this requires a few configuration changes to our workstation "BIOS" settings, namely converting from BIOS to UEFI, enabling SecureBoot, and enabling the virtualization technologies. Our organization has about 2300 workstations, and at least 1800 of them are physical devices spread over 50 sites including international offices, so this is definitely not something that we want to handle manually.

Luckily, our gracious manufacturers have kept up with the times and offer options to manage these settings from the command line! This is great, but since switching from BIOS to UEFI and enabling SecureBoot effectively breaks booting into the existing OS (UEFI doesn't like non-GPT partitioned disks, etc.), automating this process requires us to do it during the refresh task sequence. This is also not an issue, and there are a couple of ways to accomplish it.

Since we are almost exclusively a Lenovo shop, we wrote a script to handle the conversion. To save you some time, I'm sharing that script with you because:

sharing is caring


SCCM and “Failed” Drives

First a little disclaimer… you should be backing up your data. If you’re not, stop reading and go work out a backup strategy.

We recently had an issue where our primary SCCM site server failed to boot after updates were applied to it. As it turned out, for whatever reason one of the secondary drives for the VM had been corrupted, and we had to detach it from the VM to run a repair on the VHD. This drive happened to contain not only the entirety of our packaging efforts (source files, scripts, etc.) but was also the default and only content storage location for our primary site's DP role.

What we didn't know, and what I'm sharing with you today, is now painfully obvious to me but slipped by me at the time. When we detached the drive from the VM and booted SCCM to reattach it and run repairs, the SCCM core components had already started up and didn't see their content storage location. So after we repaired the drive, when we expected everything to start working again (namely distributions from the DP), we were surprised when it refused to deliver anything that we didn't refresh.
