
Blogs

Candidates requested for KACE SMA 9.0 Beta Testing

We are excited to announce that version 9.0 of the KACE Systems Management Appliance (SMA) is almost ready for the Beta/Release Candidate program. The Beta program is invaluable in making sure that we are shipping the highest quality product we possibly can. If you are interested in participating in the Beta/Release Candidate, check out this article: https://support.quest.com/kb/258074


Requirements when scanning user states - USMT

The KSDA or K2000 has the USMT tool from Microsoft embedded right out of the box. Capturing User States is a "pretty easy" job most of the time, but it does require some settings to be changed on your machine so that it works properly.

I will list (with some screenshots) what is needed to get User State to run.

NOTE: USMT IS A TOOL FROM MICROSOFT. IF YOU CAN'T RUN IT DIRECTLY ON YOUR TEST MACHINE, YOU ARE NOT GOING TO BE ABLE TO RUN IT FROM THE K2000/KSDA EITHER.

* Be sure that you can access the K2/SDA Samba share
    * If you can't open the Samba share, check whether SMBv1 is enabled; if it isn't, enable it and follow this other ITNinja article: enablesmb1
* Turn off your firewall (for both Win7 and Win10)
* Allow netlogon in your firewall
* Disable UAC, or set it to never notify
* In your Local GPOs, set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Disabled" (see image for detailed location)
* ALWAYS use a local admin account
* Disable any antivirus on your machine; if you are using Defender in Windows 10, disable Real-Time protection every time you reboot the machine
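
The checklist above as a read-only audit, added here as an example and not part of the original post: the first run saves the state of every setting the list touches, and each later run prints whatever differs from that saved state. It assumes Windows 10 and an elevated PowerShell session; the function name `Get-UsmtPrereqState` and the baseline file path are hypothetical.

```powershell
# Added example, not from the original post. Read-only; run elevated on Windows 10.
function Get-UsmtPrereqState {   # hypothetical helper name
    $state = [ordered]@{}

    # "Use a local admin account": who is running, and is the session elevated?
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $state['Account'] = $id.Name
    $state['LocalAccount'] = $id.Name -like "$env:COMPUTERNAME\*"
    $state['Elevated'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # SMBv1 optional feature (Enabled / Disabled)
    $state['SMB1Feature'] = [string](Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State

    # Firewall state per profile, and how many Netlogon rules are enabled
    foreach ($p in Get-NetFirewallProfile) { $state["Firewall_$($p.Name)"] = [string]$p.Enabled }
    $rules = Get-NetFirewallRule -DisplayGroup 'Netlogon Service' -ErrorAction SilentlyContinue
    $state['NetlogonRulesEnabled'] = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count

    # UAC values; FilterAdministratorToken backs the "Admin Approval Mode for the
    # Built-in Administrator account" policy
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'FilterAdministratorToken') {
        $state["UAC_$name"] = $uac.$name    # $null when the value is not set
    }

    # Defender real-time protection (n/a when Defender is not the active antivirus)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $state['DefenderRealTime'] = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'n/a' }

    [pscustomobject]$state
}

# First run: save the state. Later runs: print every setting that differs from it.
$baseline = Join-Path $env:TEMP 'usmt-prereq-baseline.json'   # hypothetical path
$now = Get-UsmtPrereqState
if (-not (Test-Path $baseline)) {
    $now | ConvertTo-Json | Set-Content $baseline
    $now | Format-List
} else {
    $before = Get-Content $baseline -Raw | ConvertFrom-Json
    foreach ($prop in $now.PSObject.Properties) {
        if ("$($before.($prop.Name))" -ne "$($prop.Value)") {
            '{0}: baseline={1} current={2}' -f $prop.Name, $before.($prop.Name), $prop.Value
        }
    }
}
```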


The satisfaction survey you deserve! K1000 + MS Forms

Prerequisites: You have K1000 SMA, you have Office 365 E1 or higher. https://forms.office.com/

Business case: IT department requires active feedback from clients on recent experiences (resolved issues/escalated issues) to gauge various metrics regarding the department. 

Problem: The internal satisfaction survey for the K1K is pretty limited, so it is generally disabled in the ticket workflow within a relatively short amount of time.

Solution: A lot of people probably don't know this, but built into MS 365 is a neat, misleadingly labeled product called Microsoft Forms, which is in essence a basic survey tool similar to popular products offered through subscription services. It supports the very basic requirements of a survey (multiple choice, true/false, text collection, rating, date, and anonymous or authenticated responses) but lacks more advanced functions such as if/then/else branching based on user interaction/response. This makes it a perfect use case for a product like KACE, where you can build a generic, short-question survey to engage your clients regarding recent experiences.

If you are utilizing 365 in your environment, log in to www.office.com and navigate to explore all your apps > forms, or simply use the direct URL forms.office.com to launch the app in your browser. Build a test form and configure your settings. I use 'only people from your org can respond' with 'record name' disabled. This means that only people in my org can authenticate/submit responses, but the user names remain anonymous to the author. Click the Share button and be sure to copy the URL under 'Only people in my org can respond'.

Now you can insert this URL as a hyperlink in your ticket notifications. In my case, I disabled the resolution ticket notification for submitters and kept the ticket-closed notification configured. I created a basic HTML table that shows the status, last comment, resolution, the technician's name, and a survey field at the bottom that contains the URL/link to our survey. See below for what a table could look like.

This is a great alternative for anyone who wants better feedback than the default satisfaction survey provides: it supports basic survey functionality and flexible customization for orgs that may support multiple clients.

**BONUS** 
If you're in a hybrid 365 environment and all your clients (employees of your org) are within your local network, you can enable SSO for the Azure AD Connect (restricted to conditions) client, which should work for both IE and Chrome. This means that users should not have to authenticate when they click the link, provided they're on a domain-joined PC and have the latest group policy updates. Documentation on that here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso

**EXAMPLE** Feel free to copy/paste the info for testing, it's just a very basic table that makes it easy for most people using a mail client that supports HTML markup to quickly see a summary of their recent ticket information.

<p> Hi $ticket_submitter_name, </p>

<p> The status of your ticket $ticket_id has been recently changed to $ticket_status by $ticket_owner_name. The most recent updates of your ticket can be found below. </p>

<style>
table, th, td {
border: 1px solid black;
padding: 5px;
border-collapse: collapse;
}
</style>
<table style="width:50%">
<caption><b> Ticket Details </b></caption>
<tr>
<td style="text-align:center">ticket</td>
<td>$ticket_id</td>
</tr>
<tr>
<td style="text-align:center">subject</td>
<td>$ticket_title</td>
</tr>
<tr>
<td style="text-align:center">status</td>
<td>$ticket_status</td>
</tr>
<tr>
<td style="text-align:center">resolution</td>
<td>$ticket_resolution</td>
</tr>
</table>

<p> Please tell us how we did by taking our <a href="SHARED URL OF YOUR FORM HERE">60 second survey</a>  </p>

Adopt a New Mindset to Fully Leverage Windows 10

With a host of new and upgraded security features, Microsoft’s new OS is designed to make the effort of Windows 10 migration worthwhile. But in addition to the time and resources required for deployment, it also demands a new mindset—one focused more on control than flexibility. Given the current climate in which cyberattacks and malware are increasingly pervasive, this shift is absolutely necessary. Windows 10 was developed around a protect, detect, and respond framework that carefully considers and addresses the multitude and complexity of security threats.

 

That said, you don’t deploy the new OS and then it just works, making your network instantly more secure. There is a bit more to it. To fully leverage all that Windows 10 offers, consider the following:

 

No Single Configuration Works for All

 

In the enterprise, there are a seemingly endless number of endpoints to secure, particularly considering the whole bring-your-own-device (BYOD) movement. There is no way to set a single configuration that will work for everyone on staff on every device. You therefore have to pick and choose a bit. Think about how the device will be used, and by whom, in order to protect it according to its potential risk and value. For example, you want to assert more control over information workers than someone who works in marketing, and given the recent trend of supply chain attacks (think CCleaner or NotPetya) where developers were targeted in order to get bad things published, you should probably consider tightening controls for developers as well.

 

You not only need separate credentials for team members based on their role, you also need them based on what device or machine they are using. Why? Do you really want your employee’s mobile phone that’s used to surf the internet and exposed to multiple risk factors to be the same device that handles domain administration? You need some type of separation, but you don’t want to have thousands of unique configurations either. Talk about a nightmare to manage! In reality, you’re probably looking at the neighborhood of three to seven configurations, depending on the size or complexity of your organization.

 

The best place to start is by removing more admin rights. In determining configurations per employee per device, again consider the user, mechanism, and intent. This may be an iterative process, and that’s ok. The key is to be thoughtful about it—and perhaps err on the conservative side.

 

Software Is Bad Until Proven Otherwise

 

Then comes the issue of which software and apps can run on which machines and devices. Here is where a major shift in approach is required. Instead of extending the trust that all software is good until proven otherwise, as we have since about 2006, IT administrators now must operate as though all software is bad until determined to be good. Microsoft understands this and baked it into Windows 10 accordingly.

 

Windows 10 allows you to establish layers of defenses for whitelisting, that is, the list of items that are granted access to a certain system. The first layer is cloud control. This means that if your software exists in the reputation service as well known, is used frequently enough, and has not been discovered to behave badly, it will be automatically added to your whitelist. As such, you don't have to add an entry at all. Just plug into the cloud and let the reputation in the cloud drive it.

 

The next layer is AppLocker. According to Microsoft: “AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps.” Basically, if the admin puts it there, it’s considered safe. Not so if it’s the user, email client, or browser. You can create those rules, which will make your life much easier in the long run. Then comes managed installer. This essentially says that if you deploy software with Configuration Manager and that drops it down, it will be marked as good and added to the whitelist. Admins can also manually install and maintain explicit control.
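
One way to check the "if the admin puts it there" rule in practice, as an added example that is not from the original article: list the executables under user-writable folders that the effective AppLocker policy would still allow. The function name `Test-UserWritableAllowed` and the folder list are assumptions; the AppLocker cmdlets ship with Windows.

```powershell
# Added example, not from the original article.
# Which executables in user-writable locations would the effective
# AppLocker policy still let a user run?
function Test-UserWritableAllowed {   # hypothetical helper name
    param(
        # Folders a standard user can write to (assumed list; adjust to your image)
        [string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:LOCALAPPDATA"),
        [string]$User = 'Everyone'
    )

    $files = Get-ChildItem -Path $Roots -Recurse -Include *.exe -File -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName
    if (-not $files) { return }

    # Evaluate every file against the policy actually in effect on this machine
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $files -User $User |
        Where-Object { $_.PolicyDecision -like 'Allowed*' } |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Show each rule collection and whether it is enforced or audit-only
([xml](Get-AppLockerPolicy -Effective -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode

# Anything listed here runs from a location the user, mail client or browser can write to
Test-UserWritableAllowed | Format-Table -AutoSize
```

An empty result from the function means no executable in those folders matched an allow rule; the `MatchingRule` column names the rule to tighten for any file that is listed.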

 

There are a lot of layers here, but as such, they provide protection, and each is relatively easy to set up. Again, this can be an iterative process.

 

It Doesn’t Stop With Deployment and Configuration

 

You’ve gone through the time, expense, and trouble of configuring and deploying the new OS and establishing new rules for software. It’s now essential for you to maintain your systems. Microsoft consistently issues updates, as do software providers and app developers. To take advantage, you have to make sure new security features get turned on and fixes occur throughout your network. This is where you will see the most value and return on your investment.

 

Develop a plan for deploying those updates to every machine and device. This could mean devoting staff to the issue or opting for an automated solution that takes care of all of it for you. The updates simply have to happen in a timely manner or else you put your network at risk and everything to this point is for naught. No one wants that.

 

In the grand scheme, the move to Windows 10—and the broader shift in mindset—is a big deal, so don’t expect to get everything 100% right from the start. But as you learn, take advantage of the Windows 10 framework to make adjustments. Consider what you can fix right now, in three months, and on down the road. You don’t need to make such drastic changes that your end users can’t do their jobs at the end of the day. Just keep moving forward and leverage the security baselines Microsoft has established as you go.


WinPE 10 Automated Image Creation

<#
Setup_w10.ps1

Build WinPE 10

http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment#winpe
http://technet.microsoft.com/en-us/library/hh825144.aspx
http://technet.microsoft.com/en-us/library/hh824926.aspx

ISO: makewinpemedia /iso c:\winpe_amd64 c:\winpe_amd64\winpe.iso
USB: makewinpemedia /ufd /f c:\winpe_amd64 <drive letter>:

Sailer, Adam
2017.11.28
#>


$invoke = split-path -path $myInvocation.myCommand.Path -parent
$os = gcim win32_OperatingSystem
$proc = gcim win32_Processor


$arch = if ($proc.AddressWidth -eq 64) { 'amd64' } else { 'x86' }


$dest = "$env:SystemDrive\winpe_$arch"
$mount = "$dest\mount"
$image = "$dest\media\sources\boot.wim"
$label = "WinPE 10 $arch"


$unattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<component name="Microsoft-Windows-Setup" processorArchitecture="$arch" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Display>
<ColorDepth>32</ColorDepth>
<HorizontalResolution>1440</HorizontalResolution>
<RefreshRate>60</RefreshRate>
<VerticalResolution>900</VerticalResolution>
</Display>
</component>
</settings>
</unattend>
"@


Function Prep
{
write-host "`n`n@@ Called Prep" -fore magenta


$path = if ($proc.AddressWidth -eq 64) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }

$map = @{
'KitsRoot' = "$path\Windows Kits\10\";
'OSCDImgRoot' = "$path\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\$arch\Oscdimg";
'WinPERoot' = "$path\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment";
}

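# Append the ADK directories to the end of the process PATH and keep the existing
# search order: sorting PATH changes which executable a bare command name resolves to.
$array = $env:path.Split(';')

$map.keys | sort-object | % { $key = $_
if ($array -notcontains $map.$key) { $array += $map.$key }
[System.Environment]::SetEnvironmentVariable($key, $map.$key, "process")
}

$array
$path = [string]::join(';', $array)
[System.Environment]::SetEnvironmentVariable('path', $path, 'process')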
}


Function CopySource
{
write-host "`n`n@@ Called CopySource" -fore magenta

remove-item $dest -recurse -force -ea silentlyContinue
copype $arch $dest
}


Function MountCurrent
{
write-host "`n`n@@ Called MountCurrent" -fore magenta

mount-windowsImage -imagePath $image -index 1 -path $mount -verbose
}


Function DismountCurrent
{
write-host "`n`n@@ Called DismountCurrent" -fore magenta

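# Only dismount when this script's mount directory is actually in use;
# an image mounted elsewhere would otherwise make the dismount fail.
if (get-windowsImage -mounted | where-object { $_.Path -eq $mount })
{ dismount-windowsImage -path $mount -save }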
}


Function Packages
{
write-host "`n`n@@ called Packages" -fore magenta

$lang = 'en-us'

## order matters! http://technet.microsoft.com/en-us/library/hh824926.aspx

$order = @(
'winpe-wmi'
,'winpe-netfx'
,'winpe-scripting'
,'winpe-powershell'
,'winpe-dismcmdlets'
,'winpe-securebootcmdlets'
,'winpe-storagewmi'
,'winpe-securestartup'
,'winpe-hta'
,'winpe-fmapi'
)

$order | % { $item = $_

dir $env:WinPeRoot\$arch -recurse -include "$($_).cab", "$($_)_$($lang).cab" | sort-object -descending | % {

write-host "`n$($_.Name)" -fore cyan; add-windowsPackage -path $mount -packagePath "$($_.FullName)"
}
}
}


Function Drivers
{
write-host "`n`n@@ called Drivers" -fore magenta

dism /image:$mount /add-driver /driver:$invoke\drivers\shared /recurse
dism /image:$mount /add-driver /driver:$invoke\drivers\$arch /recurse
}


Function Apps
{
write-host "`n`n@@ Called Apps" -fore magenta

copy-item $invoke\winpe_.jpg $mount\windows\system32\winpe_.jpg -force -ea silentlyContinue

reg load hklm\winpe "$dest\mount\windows\system32\config\default"

new-itemProperty -path 'HKLM:\winpe\Control Panel\Desktop' -name Wallpaper -value "%systemroot%\system32\winpe_.jpg" -propertyType String -force
new-itemProperty -path 'HKLM:\winpe\Control Panel\Desktop' -name MaxMonitorDimension -value 1920 -propertyType DWORD -force
new-itemProperty -path 'HKLM:\winpe\Control Panel\Desktop' -name MaxVirtualDesktopDimension -value 1920 -propertyType DWORD -force

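# Release registry handles PowerShell may still hold on the loaded hive,
# otherwise the unload can fail with "Access is denied".
[gc]::Collect()
reg unload hklm\winpe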

copy-item $invoke\apps\$arch $mount\apps -recurse -ea silentlyContinue
$unattend | out-file -encoding ascii $mount\unattend.xml
}


Function Media
{
write-host "`n`n@@ Called Media" -fore magenta

makewinpemedia /iso $dest $dest\winpe_$arch.iso
}


#
#


Clear
Prep
DismountCurrent
CopySource
MountCurrent
Packages
Drivers
Apps
DismountCurrent
Media
