
Blog Posts tagged with Systems Management


KACE SMA | Bitlocker

03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me create this.


Hi all,

 

It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article you can download several individual KACE-packages. You can download all of them here:  DOWNLOAD

If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look to this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources

 

First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have a TPM module in your devices, which needs to be activated, and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:

bitlocker_00.png

 

My scenario is that Win10 devices should use Bitlocker with AES 256-bit to secure the hard disk. The disk should be automatically unlocked by the TPM during boot (no password needed). If something goes wrong or the hardware has changed, there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.

 

The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:

bitlocker_01.png

 

To start we should first create a smart label which groups all devices where a TPM module is ready for the use with Bitlocker and no encryption technology is used. You can download the ready to use KACE-package here: DOWNLOAD

 

TPM Based Bitlocker Ready

bitlocker_02.png


Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.

 

KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above. You can download a ready to use KACE-Script here: DOWNLOAD

 

[TW] Bitlocker enable TPM  & Password

Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
sleep -Seconds 15
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.

bitlocker_03.png

 

You can also check the actual state in your KACE SMA device inventory:


 

If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during bootup by the TPM module. Next we need a custom inventory to store all the key protector information in our SMA device inventory. This can be done with a simple custom inventory rule. You can download the ready to use KACE-package here: DOWNLOAD

 

Inventory: Bitlocker Recovery

(Get-BitLockerVolume).KeyProtector


Good to know is that devices which need the recovery key will display a screen where users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is they can give you the ID and you can search for it in your KACE SMA device inventory or build a report for that.


 bitlocker_08.png

 

If you want to be sure that clients will always have a recovery password as a key protector, you can additionally create a smart label. This will check for the right key protectors after every inventory of the device. This could be used for running a script which will then add a recovery password as a key protector. This could be useful if admins change configurations locally on the endpoints. The smart label can be downloaded here: DOWNLOAD


Bitlocker missing Protector


All clients which fall into this label can then run the following KACE script on a daily schedule. You can download the script here: DOWNLOAD


[TW] Bitlocker add protector

Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
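The two scripts above ("enable TPM & Password" and "add protector") can be combined into one rerunnable script that checks the result instead of assuming it. This is an added example, not part of the downloadable KACE packages; it assumes it runs elevated (for example as local system), and the exit codes 1 and 2 are a convention chosen here.

```powershell
# Added example, not the blog's KACE package. Exit codes 1/2 are a local convention.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive

function Get-ProtectorTypes([string]$MountPoint) {
    # Names of the key protector types currently on the volume, e.g. Tpm, RecoveryPassword
    @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
}

# 1. Same precondition as the "TPM Based Bitlocker Ready" label: a usable TPM
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output 'SKIP: TPM not present or not ready'
    exit 1
}

# 2. Start encryption only on a fully decrypted volume, so reruns are harmless
if ((Get-BitLockerVolume -MountPoint $mount).VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $mount -EncryptionMethod Aes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
    Start-Sleep -Seconds 15   # same pause as the blog's script
}

# 3. Add the recovery password only when it is missing (the "missing Protector" case).
#    The cmdlet's warning text echoes the new password, so keep it out of the script log.
if ((Get-ProtectorTypes $mount) -notcontains 'RecoveryPassword') {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector `
        -WarningAction SilentlyContinue | Out-Null
}

# 4. Verify both protectors instead of assuming the commands worked
$types   = Get-ProtectorTypes $mount
$missing = @('Tpm', 'RecoveryPassword') | Where-Object { $types -notcontains $_ }
if ($missing) {
    Write-Output "FAIL: missing protector(s): $($missing -join ', ')"
    exit 2
}

# 5. Report the protector ID only; the password itself is collected by the inventory rule
$vol = Get-BitLockerVolume -MountPoint $mount
$ids = ($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId
Write-Output "OK: $($vol.VolumeStatus), $($vol.EncryptionMethod), recovery ID(s): $($ids -join ', ')"
exit 0
```

The reported ID is the same numerical password ID that the recovery screen shows to the user, so the script log can be matched against the inventory without containing the secret.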


This is the basic setup you can use to manage hard disk encryption for your endpoints. You can think about creating a notification which will alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you create your own KITLOCKER strategy. If anything is unclear, feel free to use the comment section.

 

Kind Regards

Timo

 


ScriptLogic and Realtimepublishers Launch Windows Desktop Administration eBook

http://scriptlogic.com/eng/pressroom/PressReleases/PR-2003-01-28.asp

Definitive Guide is a Must Read for Every Network Administrator

Pompano Beach, FL – January 28, 2003 – ScriptLogic Corporation (www.scriptlogic.com), the leader in desktop administration software for Windows-based networks, and Realtimepublishers.com, Inc., the worldwide leader in corporate sponsored e-publishing, today announced the release of The Definitive Guide to Windows Desktop Administration. This new eBook, sponsored by ScriptLogic and authored by Bob Kelly, one of the industry’s top Windows management experts, provides valuable guidance and real-world examples for creating an efficient desktop administration plan.

“We are very excited to sponsor The Definitive Guide to Windows Desktop Administration,” said Jason Judge, CEO of ScriptLogic Corporation. “This eBook provides its readers with great, practical information about how to lower the total cost of ownership of their Windows-based networks-- something we know a lot about. The eBook complements our goal of helping customers reduce the time and money spent maintaining their networks.”

The Definitive Guide to Windows Desktop Administration examines the life cycle of Windows desktop administration from the initial OS deployment to change management through best practices. Topics included in this eBook will help readers learn how to do the following:

Reduce Help desk and administration costs and increase user productivity

Define and automate administration tasks using the latest tools and technologies

Manage security with Group Policy and desktop lockdown

Manage user profiles and map network resources

Embrace ‘best practices’ and script custom solutions

Exclusive to ScriptLogic, The Definitive Guide to Windows Desktop Administration will be published on a chapter-by-chapter basis, as it is written, providing an in-depth look at how to manage the Windows desktop. Registered readers will receive email notification when each chapter of the eBook is made available for download. Readers can register now for the eBook at www.scriptlogic.com/ebook.

“ScriptLogic is a well established leader in the Windows desktop administration arena and we are very excited to be partnering with them to make The Definitive Guide to Windows Desktop Administration available to our readers,” said Sean Daily, CEO of Realtimepublishers. “In these challenging economic times, it is even more important for enterprises to reduce TCO through efficient desktop administration and we know our readers will appreciate this free resource.”

The Definitive Guide Series

The Definitive Guide eBook series provides timely IT content written for technical professionals, including system administrators, senior IT personnel, advanced users, and consultants. The titles in this series provide a wealth of information that goes beyond what’s found in product manuals and white papers, and are written by expert authors who are veterans in their respective fields. The Definitive Guide series, like all Realtimepublishers’ series, are high-quality eBooks that are free to readers on the Web sites of industry-leading, high-tech companies around the world.

About The Author

Bob Kelly is the founder of AppDeploy.com and author of an upcoming book about the KiXtart scripting language. Bob is recognized as an industry expert in the area of application and OS deployment—writing, speaking and consulting on these and other related topics. With 13 years of experience in engineering and support, he currently works as the principal consultant in the support of several enterprise networks providing scripting, repackaging, migration, and implementation services at Integrated Data Systems in Chantilly, VA

About ScriptLogic

ScriptLogic Corporation is the leader in desktop administration software for Microsoft Windows-based networks. ScriptLogic, its award-winning, patent-pending, flagship product is the first commercial software to combine logon scripting, group policies and user profile management – into an intuitive graphical management console supporting all 32-bit Windows platforms (95, 98, Me, NT, 2000 and XP). An innovative, multi-functional solution, ScriptLogic eliminates redundant tasks, repeated trips to each desktop, maintaining multiple batch files and many other time consuming, labor-intensive activities – leaving IT staff free to concentrate on more critical issues. With deployments ranging from 10 to over 40,000 seats, ScriptLogic offers significant benefits to any size network. ScriptLogic, a privately held company, is headquartered in Pompano Beach, Florida and can be reached at (954) 861-2300 and on the web at www.scriptlogic.com.

About Realtimepublishers.com

Realtimepublishers.com is the worldwide leader in corporate-sponsored e-publishing. The company is revolutionizing the publishing industry through its unique approach of creating high-quality titles and publishing them at no charge to readers on the Web sites of industry-leading companies around the world. Current Realtimepublishers eBook sponsors include Citrix Systems, Microsoft, NetIQ, New Moon Systems, Quest Software, Aelita, and more. For information about Realtimepublishers and available eBooks, please visit www.realtimepublishers.com.


Copying files from SMS Distribution points using command line

When using a command line with SMS (.cmd) it will default to using the current windows path.

Using this command will insert the current path, which is handy when rolling out from multiple distribution points, as it is updated depending on what server share it's in.

For example you would use this line:

xcopy.exe "%~dp0*.*" c:\temp /E /I /Q /H /Y

The %~dp0 is replaced with the current server path.


How TO: Track Windows and Office Product Keys

I’ve been getting a lot of requests for this in my trainings, so here it is.
At the end of this post, you will have all the tools you need to track your Windows product keys and Microsoft Office product keys.
The way this works is we find the keys using NirSoft's keyfinder program.
Next a VBS writes the keys to the registry.
Finally we tie it all together with custom inventory rules.

Requirements: Product Finder (now from NirSoft)
Here is the link to the portable version
http://www.nirsoft.net/utils/produkey.zip 

First thing we need to do is copy this VBS code into notepad and save it as keys.vbs 

Option Explicit

Dim objFSO			
Dim objTextFile
Dim winKey 
Dim officeKey
Dim strFile
Dim arrKeys
Dim i

Const ForReading = 1
Const winCDLine = "Windows"
Const officeCDLine = "Microsoft Office"
Const noViso = "Visio"
Const officeKeyReg = "offKey"
Const winKeyReg = "winKey"


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
    ("keys.csv", ForReading)

'Read the file into the array
strFile = objTextFile.ReadAll
arrKeys = Split(strFile, vbCrLf)

For i = LBound(arrKeys) To UBound(arrKeys)
	'try to find the windows product key
	If(instr(arrkeys(i),winCDLine))Then
		winKey = getKey(arrKeys(i))
		writeReg winKey,winKeyReg	
	End If
	'try to find the office product key
	If(InStr(arrKeys(i),noViso)) Then
	
	ElseIf(InStr(arrKeys(i),officeCDLine)) Then
		officeKey = getKey(arrKeys(i))
		writeReg officeKey,officeKeyReg
	End If
Next

Function getKey(strKeyLine)
Dim temper
Const KeyLoc = 2
Const ProdLoc = 0

temper = Split(strkeyLine,",")
getKey = temper(prodloc) & "_" & temper(KeyLoc)

End function


Sub writeReg(strValue,StrValueName)

Dim strComputer
Dim oReg
Dim wshShell

Const HKEY_LOCAL_MACHINE = &H80000002
Const strKeyPath = "SOFTWARE\TVG"
Const strKeyPath64 = "SOFTWARE\Wow6432Node\TVG"
Const is64Key = "SOFTWARE\Wow6432Node"

strComputer = "."

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _ 
    strComputer & "\root\default:StdRegProv")
Set WshShell = WScript.CreateObject("WScript.Shell")

'check for 64 bit
If(OS64()) Then
	oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath64
	oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath64,strValueName,strValue
Else
	oReg.CreateKey HKEY_LOCAL_MACHINE,strKeyPath
	oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
End If

End Sub

Function OS64()
Dim objOS
Dim colItems
Dim objItem
Dim strComputer

strComputer = "."
Set objOS = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objOS.ExecQuery("SELECT OSArchitecture FROM Win32_OperatingSystem")

'this should fail on 32 bit XP
On Error Resume Next
For Each objItem In colItems
	If(IsNull(objItem.OSArchitecture)) Then 
		OS64 = False
	ElseIf(InStr(objItem.OSArchitecture,"64") > 0) Then
		OS64 = True
	Else 
		OS64 = False
	End If
Next

'check Err before "On Error Goto 0", which clears it
If(Err.Number <> 0) Then 
	OS64 = False
End If
On Error Goto 0
End Function
 
Next thing we need to do is go to the scripting module and add a new script.
For script type select Online Shell Script. 
Choose a label, select windows as the operating system and set the script to run as local system. 
Next upload produkey.cfg, produkey.exe (both found in the nirsoft folder, make sure you unzip) and keys.vbs as dependencies. 
For the script text enter the following 2 lines. 
ProduKey.exe /windowskeys 1 /officekeys 1 /iekeys 0 /sqlkeys 0 /exchangekeys 0 /extractedition 1 /scomma keys.csv
cscript.exe keys.vbs


Last thing we need to do is change the script name from script.sh to script.bat (just below the script text). 

Now that we have the keys in the registry we can start creating the custom inventory rules. 
Go to the software module and add a new item. 
Call the first one “Windows Product Key” 
Select all your windows operating systems for supported OSs. 
Finally here is the syntax for the custom inventory rule: 
RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\TVG,winKey,TEXT)

Go ahead and save the software. 
Next add another item but this time call it "Microsoft Office Key" 
Highlight all the windows OSs again. 
Here is the syntax for the second piece of software. 
RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\TVG,offKey,TEXT)


At this point you could also create additional software records, for example one for each office key. 
That way, depending on the key, you would have a unique software title. This way you could use the KBOX's built-in asset management module and do licence compliance.

Below are two reports that you can use to see what machines have what keys installed. 
Office report: 
SELECT M.NAME,
       SUBSTRING_INDEX(MCI.STR_FIELD_VALUE,'_',1) AS OFFICE_VERSION,
       SUBSTRING_INDEX(MCI.STR_FIELD_VALUE,'_',-1) AS PRODUCT_KEY
FROM   SOFTWARE S,
       MACHINE_CUSTOM_INVENTORY MCI,
       MACHINE M
WHERE  MCI.SOFTWARE_ID = S.ID 
       AND M.ID = MCI.ID
       AND S.DISPLAY_NAME = 'Microsoft Office Key'
ORDER  BY OFFICE_VERSION,
          PRODUCT_KEY


Windows report: 
SELECT M.NAME,
       SUBSTRING_INDEX(MCI.STR_FIELD_VALUE,'_',1) AS WINDOWS_VERSION,
       SUBSTRING_INDEX(MCI.STR_FIELD_VALUE,'_',-1) AS PRODUCT_KEY
FROM   SOFTWARE S,
       MACHINE_CUSTOM_INVENTORY MCI,
       MACHINE M 
WHERE  MCI.SOFTWARE_ID = S.ID 
       AND M.ID = MCI.ID 
       AND S.DISPLAY_NAME = 'Windows Product Key'
ORDER  BY WINDOWS_VERSION,
          PRODUCT_KEY


I hope this is useful. 
Thanks to vacuna for helping me put this together. 

Dell KACE Koncept Series: K1000 Inventory Fundamentals

Welcome

Welcome to the Dell KACE Koncept Series!  This series of blogs and videos will help provide some basic information on the K1000 and K2000 product lines.

Click here to view the video, it will open in a separate window.

 

Description

This video provides information on the Inventory component of the K1000 appliance.  This information is designed to provide a brief overview of:

  • Computer Inventory
  • non-Computer Inventory
  • MIA Inventory

If you would like to provide feedback, we'd love to hear it!  You can provide comments below, rate this post, or just email elearning@kace.com and tell us what you think.

Happy KBOXing!

Credits

Technical Advisor: Chris Blake

Multimedia Producer: Melinda Richards
