MBAM Beta 2.0 Self Service Portal – This site requires JavaScript to be enabled

It is quite commonplace to be testing BitLocker solutions outside of the corporate environment, and I would also imagine that there are numerous institutions likely to implement BitLocker that either disallow outright or have stringent control over internet access for client systems.  So it came as a surprise to find that the MBAM 2.0 Self Service Portal (SSP) refuses to work unless the system has internet connectivity.

“This site requires JavaScript to be enabled. How to enable scripting in your browser”

The problem here is that the script includes within the page code specify sources hosted on a remote Content Delivery Network (CDN), and there is no fallback to locally hosted versions of these files.

  <head>
  <!--
  -- Third party scripts or code, linked to or referenced from this web site, are licensed to you by the third
  -- parties that own such code, not by Microsoft, see ASP.NET Ajax CDN Terms of Use
  -- http://www.asp.net/ajaxlibrary/CDN.ashx.
  -->
  <title>
    MBAM SSP Notice
  </title>

  <link rel="stylesheet" href="/SelfService/Content/site.css" type="text/css"/>
  <script src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcAjax.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcValidation.js" type="text/javascript"></script>
  <script src="/SelfService/Scripts/SelfServiceWebsite.js" type="text/javascript"></script>

  <link rel="stylesheet" href="/SelfService/Content/Home/custom.css" type="text/css"/>

  </head>

I’m no web developer, so I made a quick attempt to remedy this by downloading the referenced .js files and dropping them into the local Scripts directory alongside SelfServiceWebsite.js – alas, I couldn’t find where to modify the includes to alter the script src paths.  If anyone finds out how to do this, please do let me know.

In the meantime, I can only hope that Microsoft improves the code before the final release so that it falls back to locally hosted copies of these files.
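The practical consequence of the <head> quoted above is that four of the five script includes resolve to a third-party origin, so the portal depends on that origin being both reachable and trustworthy from every client. The following is an added example (not MBAM's own code and not from the original post) that audits the script includes of a page and produces a copy in which every remote include is pointed at a locally hosted file. It assumes the .js files have already been downloaded into /SelfService/Scripts/, the directory mentioned above; that path is an assumption.

```javascript
// Added example, not code from MBAM or from the original post: audit the <script src>
// includes in a page's <head> and produce a copy in which every remote include points
// at a locally hosted file. Assumes the .js files have already been downloaded into
// /SelfService/Scripts/ (the directory the post mentions); that path is an assumption.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Protocol-relative (//host/...) and absolute http(s) URLs resolve to another origin,
// which a client without internet access (or behind a strict proxy) cannot reach.
function isRemote(src) {
  return /^(?:https?:)?\/\//i.test(src);
}

// Lists the script src values found in the HTML, split into remote and local.
function auditScriptSources(html) {
  const remote = [];
  const local = [];
  for (const match of html.matchAll(SCRIPT_SRC_RE)) {
    (isRemote(match[1]) ? remote : local).push(match[1]);
  }
  return { remote, local };
}

// Rewrites each remote src to localDir + basename; local includes are left untouched.
function rewriteToLocal(html, localDir) {
  return html.replace(SCRIPT_SRC_RE, (tag, src) => {
    if (!isRemote(src)) return tag;
    const basename = src.slice(src.lastIndexOf('/') + 1);
    return tag.replace(src, `${localDir}/${basename}`);
  });
}

// Constructed sample: the script tags from the <head> quoted above.
const SAMPLE_HEAD = `
  <script src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcAjax.js" type="text/javascript"></script>
  <script src="//ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcValidation.js" type="text/javascript"></script>
  <script src="/SelfService/Scripts/SelfServiceWebsite.js" type="text/javascript"></script>
`;

if (typeof require !== 'undefined' && require.main === module) {
  const audit = auditScriptSources(SAMPLE_HEAD);
  console.log('remote includes:', audit.remote);
  console.log(rewriteToLocal(SAMPLE_HEAD, '/SelfService/Scripts'));
}
```

Running the audit against a saved copy of the portal page lists exactly which files have to be hosted locally; the rewrite shows what the corrected <head> would look like once those files are in place, whichever view or layout file turns out to generate it.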

Andy

MBAM Beta 2.0 & ConfigMgr 2012 SP1: Empty MBAM Supported Computers Collection

I deployed MBAM Beta 2.0 into my lab environment tonight but was struggling to see any compliance information for my MBAM-encrypted systems.  The collection targeted by the Compliance Baseline was empty – despite the changes made to configuration.mof, the import of the sms_def.mof classes, and the subsequently fully populated hardware inventory classes with data showing in Resource Explorer.  So what gives?

Well, it looks to me like the default collection logic and parentheses might be a little mixed up – resulting in no clients meeting the criteria.  Here’s the default membership rule:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
  inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_OPERATING_SYSTEM_EXT on SMS_G_System_OPERATING_SYSTEM_EXT.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
where
  (
    (SMS_G_System_OPERATING_SYSTEM.Version like "6.1.%"
     and SMS_G_System_OPERATING_SYSTEM_EXT.SKU in (1,4,27,28,70,71)
     and SMS_G_System_TPM.SpecVersion >= "1.2")
    or SMS_G_System_OPERATING_SYSTEM.Version like "6.2.%"
  )
  and SMS_G_System_COMPUTER_SYSTEM.DomainRole = 1
  and SMS_G_System_COMPUTER_SYSTEM.Model not in ("Virtual Machine")

Here’s my modified membership rule that now includes my MBAM clients and non-MBAM clients that have returned HW inventory:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
  inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_OPERATING_SYSTEM_EXT on SMS_G_System_OPERATING_SYSTEM_EXT.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
  inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId
where
  (SMS_G_System_OPERATING_SYSTEM.Version like "6.1.%" or SMS_G_System_OPERATING_SYSTEM.Version like "6.2.%")
  and SMS_G_System_OPERATING_SYSTEM_EXT.SKU in (1,4,27,28,70,71)
  and SMS_G_System_COMPUTER_SYSTEM.DomainRole = 1
  and SMS_G_System_COMPUTER_SYSTEM.Model not in ("Virtual Machine")
  and SMS_G_System_TPM.SpecVersion >= "1.2"

It’s late, maybe I don’t fully understand the default membership rule, but all I know is that my collection now contains the systems it should, and only the systems it should.
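To see exactly where the two membership rules part company, here is an added example (not from the original post and not MBAM's own logic) that expresses both WHERE clauses as JavaScript predicates and evaluates them over a handful of constructed inventory records. Each record stands for a client that survived all four inner joins, i.e. one that has reported the OPERATING_SYSTEM, OPERATING_SYSTEM_EXT, COMPUTER_SYSTEM and TPM inventory classes; every field value is invented for illustration. Read straight from the clauses, the rules only disagree on Windows 8 (6.2) records, which the default rule admits regardless of SKU or TPM version and the modified rule does not.

```javascript
// Added example, not from the original post or from MBAM: the two WHERE clauses above
// expressed as JavaScript predicates and evaluated against constructed inventory records,
// so the membership difference between the default and modified rules can be seen directly.
// Each record represents a client that survived all four inner joins; all values are invented.

const MBAM_SKUS = new Set([1, 4, 27, 28, 70, 71]);

// WQL  like "6.1.%"  is a prefix match on the version string.
const isWin7 = (r) => r.osVersion.startsWith('6.1.');
const isWin8 = (r) => r.osVersion.startsWith('6.2.');
// SpecVersion is a string in the TPM class, so the >= comparison is lexical; mirror that.
const tpmOk = (r) => r.tpmSpecVersion >= '1.2';
// DomainRole = 1 is a domain member workstation; the Model test excludes Hyper-V guests.
const commonFilter = (r) => r.domainRole === 1 && r.model !== 'Virtual Machine';

// Default rule: ((Win7 AND SKU AND TPM) OR Win8) AND DomainRole AND not a VM.
function defaultRule(r) {
  return ((isWin7(r) && MBAM_SKUS.has(r.sku) && tpmOk(r)) || isWin8(r)) && commonFilter(r);
}

// Modified rule: (Win7 OR Win8) AND SKU AND DomainRole AND not a VM AND TPM.
function modifiedRule(r) {
  return (isWin7(r) || isWin8(r)) && MBAM_SKUS.has(r.sku) && commonFilter(r) && tpmOk(r);
}

// Records on which the two rules disagree, with each rule's verdict.
function diffRules(records) {
  return records
    .filter((r) => defaultRule(r) !== modifiedRule(r))
    .map((r) => ({ name: r.name, byDefault: defaultRule(r), byModified: modifiedRule(r) }));
}

// Constructed sample inventory (names, versions, SKUs and models all invented).
const SAMPLE = [
  { name: 'WIN7-ENT',   osVersion: '6.1.7601', sku: 4,  tpmSpecVersion: '1.2', domainRole: 1, model: 'Example Laptop' },
  { name: 'WIN8-TPM11', osVersion: '6.2.9200', sku: 4,  tpmSpecVersion: '1.1', domainRole: 1, model: 'Example Laptop' },
  { name: 'WIN8-SKU48', osVersion: '6.2.9200', sku: 48, tpmSpecVersion: '1.2', domainRole: 1, model: 'Example Laptop' },
  { name: 'WIN7-VM',    osVersion: '6.1.7601', sku: 4,  tpmSpecVersion: '1.2', domainRole: 1, model: 'Virtual Machine' },
  { name: 'WIN7-WKGRP', osVersion: '6.1.7601', sku: 4,  tpmSpecVersion: '1.2', domainRole: 0, model: 'Example Laptop' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(SAMPLE.map((r) => ({ name: r.name, byDefault: defaultRule(r), byModified: modifiedRule(r) })));
  console.log('disagreements:', diffRules(SAMPLE));
}
```

The same pattern works for checking any collection query before deploying it: encode the clause once, feed it records you know should and should not be members, and confirm the verdicts before waiting on a collection evaluation cycle.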

Andy

ConfigMgr 2012 SP1 with MDT 2012 Update 1, UDI Task Sequence and Bitlocker Error 6767

Redmond, we have a problem.  The “Client Task Sequence” template, when used with Configuration Manager 2012 SP1, does not work too well when UDI is enabled and we want to BitLocker our devices.

When we are performing a User Driven Installation, the MDT 2012 Update 1 template makes use of the ConfigMgr “Pre-provision BitLocker” step, which adequately pre-provisions BitLocker on the operating system drive on a ‘used space only’ basis.  This is a good thing.   Later on in the Task Sequence we have an MDT-specific step that uses the ZTIBde.wsf script, which SHOULD configure and enable the protectors – but you may find that this fails, resulting in an exit code of 6767.  Tracing this error in the ZTIBde.wsf script leads to a failure in the function that enables the BitLocker protectors.  So what is going wrong?

Let us first understand that ZTIBde.wsf was designed primarily for MDT deployments – with ConfigMgr integration added as an afterthought.  The ZTIBde.wsf script ON ITS OWN is capable of pre-provisioning BitLocker in Windows PE AND ALSO, later (in the OS phase), configuring and enabling the protectors.  It’s a great little script.  In the MDT Client Task Sequence template, however, the ZTIBde.wsf script is not used within the Windows PE phase to pre-provision BitLocker; instead the built-in ConfigMgr function is used.  The ConfigMgr function will pre-provision BitLocker, but it does not then set the variable that the ZTIBde.wsf pre-provisioning function would, and that variable is needed and consumed later by ZTIBde.wsf when it comes to enabling the BitLocker protectors in the OS phase.

The ZTIBde.wsf script has a section which checks whether BitLocker is enabled on the drive (IsBDE = TRUE) and also whether the drive has NOT been pre-provisioned earlier (IsBDEPreProvisioned <> TRUE).  This test is there to accommodate the refresh scenario, where the existing suspended protectors of a BitLocker drive can simply be turned back on without having to configure any.  In the absence of the IsBDEPreProvisioned variable (or if it doesn’t equal TRUE), this section of code causes the script to skip the configuration of any required protectors (specified in the UDI wizard) and simply try to enable any existing protectors, of which there are none – resulting in error 6767 spat out by the EnableProtectors function.

So what do we need to do about this?  Well, you could amend the script – but that wouldn’t be supported by Microsoft, and your modifications could well be wiped out by any future revision (which may or may not address its shortcomings).  There are a few (non-exhaustive) alternatives that I could propose:

  1. If you are using the UDI Wizard AND you want the BitLocker options to come through from it, then you should replace the “Pre-provision BitLocker” step in the task sequence that uses the ConfigMgr function with the ZTIBde.wsf script – the very same script used later on to “Enable BitLocker”.  This keeps the pre-provisioning process and the Enable BitLocker process solely in the MDT camp.  However, if you want the Recovery Key to be backed up to Active Directory then you will need to use a script afterwards to do that, or implement MBAM.
  2. If you are using the UDI Wizard AND are removing the BitLocker configuration page but still want BitLocker enabled, then replace the “Enable BitLocker” step in the task sequence with the ConfigMgr function – as you can specify the protectors used and also escrow the Recovery Key to Active Directory automatically.
  3. If you are NOT using the UDI Wizard but want to implement BitLocker in your Task Sequence, then stick with the ConfigMgr step for pre-provisioning BitLocker and replace the ZTIBde.wsf method for enabling BitLocker with the ConfigMgr function – for the same reasons as above.  In this scenario, you would need to ensure that your partitioning layout is suitable for BitLocker.

Have fun with that!

Andy

ConfigMgr 2012 SP1: KB2801987 to fix MicrosoftPolicyPlatformSetup.msi Authenticode Signature

You should apply this hotfix as soon as possible to your Configuration Manager 2012 SP1 environments:

http://support.microsoft.com/kb/2801987

This is a server-side install only and you do not need to push anything out to the clients. The patch will update the existing MicrosoftPolicyPlatformSetup.msi in the client installation files folder.

Related to an earlier post of mine about having patience, you should VERY MUCH be patient after installing this hotfix, as it will trigger the re-installation of most, if not all, of the server site components in the background after the hotfix install has completed.  Use CMTrace to monitor your sitecomp.log and give it plenty of time to settle down before firing up the ConfigMgr console to do ‘stuff’.  My server took about 30 minutes to complete all of the background tasks.  You should also check that your MP has been re-installed correctly by monitoring MPSetup.log and mpMSI.log.  My MPSetup.log indicated a 3010 exit code after re-installation, which means a reboot is required, and you would be wise to do this immediately after the sitecomp.log has settled.

Andy

ConfigMgr 2007: The Self Signed Certificate Can Not Be Created Successfully

I’ve been scratching my head for the last hour or so at a customer site, having issues with installing the PXE Service Point role onto some new Secondary Site Servers – getting the error “The Self Signed Certificate Can Not Be Created Successfully”.  This problem also affected the ability to extend the expiration time of the self-signed certificate on existing PXE-enabled site systems.

I spent considerable time tracing logs and file/object access, and repeatedly uninstalling and re-installing the PXE service point role.  Google searches for this error only returned results for people experiencing problems when re-installing the PXE service point role where it had once existed.

When I was down to my last few strands of hair, in a moment of inspired clarity, I remembered a little popup balloon when I logged into the server stating that I was being logged on with a temporary profile (this organisation does not allow roaming profiles on their servers).  I quickly created a local administrative user, gave it some permissions within ConfigMgr, ran a new Console window under those credentials and was able to add the PXE service point role with no problem.

So I can only assume that during the generation of the self-signed certificate it is a requirement that a locally cached profile/folder exists for the user, perhaps only for temporary storage.

ZTIMoveStateStore.wsf does not move the StateStore folder during Refresh

When ConfigMgr 2012 is integrated with MDT 2012, the Client Task Sequence template includes a step that uses ZTIMoveStateStore.wsf to move the StateStore folder to WINDOWS\TEMP in the event of success or failure.  However, this script has not been updated to cater for the new location of the StateStore, so when it runs it simply does not find the StateStore in the expected location and exits without any error.  This isn’t too much of a problem until you attempt a second refresh of a system – which will result in the Task Sequence failing to store the user state.

To rectify this, create a backup copy of the ZTIMoveStateStore.wsf script within the MDT Toolkit Files package and then open the original for editing.  You will be looking for any references to “oUtility.LocalRootPath” and replacing these with “oUtility.StatePath”, removing the additional “\StateStore” path component.  There are 6 (SIX) lines to which this amendment needs to be made:

– 1 –

If oFSO.FolderExists(oUtility.LocalRootPath & "\StateStore") Then

becomes

If oFSO.FolderExists(oUtility.StatePath) Then

– 2 –

oLogging.CreateEntry "Moving " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore", LogTypeInfo

becomes

oLogging.CreateEntry "Moving " & oUtility.StatePath & " to " & sArchiveDir & "\StateStore", LogTypeInfo

– 3 –

oFSO.MoveFolder oUtility.LocalRootPath & "\StateStore", sArchiveDir & "\StateStore"

becomes

oFSO.MoveFolder oUtility.StatePath, sArchiveDir & "\StateStore"

– 4 –

oLogging.CreateEntry "Error moving " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning

becomes

oLogging.CreateEntry "Error moving " & oUtility.StatePath & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning

– 5 –

oFSO.CopyFolder oUtility.LocalRootPath & "\StateStore", sArchiveDir & "\StateStore"

becomes

oFSO.CopyFolder oUtility.StatePath, sArchiveDir & "\StateStore"

– 6 –

oLogging.CreateEntry "Error Copying " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning

becomes

oLogging.CreateEntry "Error Copying " & oUtility.StatePath & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning


This has worked great for me.
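All six edits above are the same substitution, so they can be applied mechanically and counted. The following is an added example (not part of the original post and not MDT's own code) that performs the replacement over the script text, refuses to write anything if the number of altered lines is not the six described, and keeps a .bak copy beside the original. The sample lines are transcribed from the post; the file path handed to patchFile() is whatever the caller supplies.

```javascript
// Added example, not part of the original post or of MDT: apply the six substitutions
// above to the text of ZTIMoveStateStore.wsf programmatically and count the changed lines,
// so the edit can be checked before the Toolkit Files package is updated. The sample lines
// are transcribed from the post; the file path passed to patchFile() is the caller's choice.

// Every one of the six edits collapses  oUtility.LocalRootPath & "\StateStore"  into
// oUtility.StatePath; the rest of each line (" to " & sArchiveDir & "\StateStore" ...) is kept.
const STATESTORE_RE = /oUtility\.LocalRootPath\s*&\s*"\\StateStore"/g;

// Returns the patched text and how many lines were altered. Splitting on "\n" alone keeps
// any trailing "\r" on each line, so a CRLF file stays CRLF.
function patchStateStoreScript(text) {
  let changedLines = 0;
  const patched = text.split('\n').map((line) => {
    const out = line.replace(STATESTORE_RE, 'oUtility.StatePath');
    if (out !== line) changedLines += 1;
    return out;
  });
  return { text: patched.join('\n'), changedLines };
}

// Writes a .bak copy beside the original, then the patched script. Refuses to write if the
// count differs from the six lines the post describes (a different MDT build, say).
function patchFile(path) {
  const fs = require('fs');
  const original = fs.readFileSync(path, 'utf8');
  const { text, changedLines } = patchStateStoreScript(original);
  if (changedLines !== 6) {
    throw new Error(`expected 6 lines to change but ${changedLines} matched; not writing`);
  }
  fs.copyFileSync(path, `${path}.bak`);
  fs.writeFileSync(path, text, 'utf8');
  return changedLines;
}

// Constructed sample: the six lines quoted above plus two lines that must not change.
const SAMPLE_SCRIPT = String.raw`Dim sArchiveDir
If oFSO.FolderExists(oUtility.LocalRootPath & "\StateStore") Then
oLogging.CreateEntry "Moving " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore", LogTypeInfo
oFSO.MoveFolder oUtility.LocalRootPath & "\StateStore", sArchiveDir & "\StateStore"
oLogging.CreateEntry "Error moving " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning
oFSO.CopyFolder oUtility.LocalRootPath & "\StateStore", sArchiveDir & "\StateStore"
oLogging.CreateEntry "Error Copying " & oUtility.LocalRootPath & "\StateStore" & " to " & sArchiveDir & "\StateStore: " & Err.Description & " (" & Err.Number & ").  Trying to copy", LogTypeWarning
oLogging.CreateEntry "Done", LogTypeInfo`;

if (typeof require !== 'undefined' && require.main === module) {
  if (process.argv[2]) {
    console.log(`patched ${patchFile(process.argv[2])} lines in ${process.argv[2]}`);
  } else {
    console.log(patchStateStoreScript(SAMPLE_SCRIPT).text);
  }
}
```

Because the destination half of each MoveFolder/CopyFolder call (sArchiveDir & "\StateStore") never mentions LocalRootPath, the regex leaves it alone, which is exactly the shape of the six "becomes" lines above.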

ConfigMgr 101: Patience dear boy… SMS_SERVER_BOOTSTRAP

In the ConfigMgr world, one must learn patience – in particular when installing hotfixes, service packs and cumulative updates.  It is quite common for the installer GUI to complete and leave you under the false impression that your environment is ready to go again, but what you will find is that the installer has triggered additional tasks which the SMS/ConfigMgr component manager needs to handle.

I would certainly recommend using Trace32/CMTrace to watch sitecomp.log when you are performing updates to your environment, as this will give you an idea as to whether the component manager is initiating a re-installation of certain site components following an update.   You may see a flurry of activity which mentions the re-installation of components and the SMS_SERVER_BOOTSTRAP service.  When this log has settled back down to normal, then you can think about returning your environment to normal usage.
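Watching sitecomp.log in CMTrace is a manual judgement call, both here and after the KB2801987 hotfix described above. As an added example (not from either post and not a Microsoft tool), the following reads the CMTrace entry format that sitecomp.log is written in, picks out lines mentioning component re-installation or the SMS_SERVER_BOOTSTRAP service, and reports when the last such line was logged and whether the log has been quiet for a chosen interval. The sample lines are constructed for illustration and do not reproduce real sitecomp.log wording; the ten-minute quiet threshold is an arbitrary default.

```javascript
// Added example, not from the original posts: a small reader for the CMTrace log format
// that sitecomp.log uses. It reports the last time the component manager logged
// re-installation or SMS_SERVER_BOOTSTRAP activity and whether the log has been quiet
// long enough to call it settled. Sample lines are constructed (wording invented) and
// the quiet interval is an arbitrary default.

// CMTrace entries: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+ZZZ" date="MM-DD-YYYY" component="..." ... type="N" ...>
const CMTRACE_RE = /^<!\[LOG\[([\s\S]*?)\]LOG\]!><time="(\d{2}):(\d{2}):(\d{2})\.(\d{3})[^"]*" date="(\d{2})-(\d{2})-(\d{4})" component="([^"]*)"[^>]*\btype="(\d)"/;

// Parses one line into { message, timestamp, component, type } or returns null for
// lines that are not CMTrace entries (blank lines, wrapped continuation text).
// The UTC offset in the time field is ignored; timestamps are compared relative to each other.
function parseCmtraceLine(line) {
  const m = CMTRACE_RE.exec(line);
  if (!m) return null;
  const [, message, hh, mi, ss, ms, mo, dd, yyyy, component, type] = m;
  const timestamp = new Date(`${yyyy}-${mo}-${dd}T${hh}:${mi}:${ss}.${ms}Z`);
  return { message, timestamp, component, type: Number(type) };
}

// The activity the posts say to watch for: component re-installation and the bootstrap service.
const ACTIVITY_RE = /SMS_SERVER_BOOTSTRAP|re-?install/i;

// Scans the log and decides whether it has settled: no activity line within quietMinutes of `now`.
// CMTrace type 2 is a warning and type 3 an error; errors are counted so they are not missed.
function assessSettled(lines, now, quietMinutes = 10) {
  let activityCount = 0;
  let errorCount = 0;
  let lastActivity = null;
  for (const line of lines) {
    const entry = parseCmtraceLine(line);
    if (!entry) continue;
    if (entry.type === 3) errorCount += 1;
    if (ACTIVITY_RE.test(entry.message)) {
      activityCount += 1;
      if (!lastActivity || entry.timestamp > lastActivity) lastActivity = entry.timestamp;
    }
  }
  const quietMs = lastActivity ? now - lastActivity : Infinity;
  return { activityCount, errorCount, lastActivity, settled: quietMs >= quietMinutes * 60 * 1000 };
}

// Constructed sample log (message wording invented, not real sitecomp.log text).
const SAMPLE_LOG = [
  '<![LOG[Starting reinstallation of component SMS_MP_CONTROL_MANAGER]LOG]!><time="22:10:05.120+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:100">',
  '<![LOG[Installing service SMS_SERVER_BOOTSTRAP_CM01]LOG]!><time="22:10:07.000+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:101">',
  '<![LOG[Component SMS_MP_CONTROL_MANAGER reported a warning during reinstallation]LOG]!><time="22:20:30.000+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="2" thread="4120" file="sitecomp.cpp:102">',
  '<![LOG[Reinstallation of component SMS_MP_CONTROL_MANAGER completed]LOG]!><time="22:31:40.500+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:103">',
  '<![LOG[Deinstalling service SMS_SERVER_BOOTSTRAP_CM01]LOG]!><time="22:32:01.000+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:104">',
  '<![LOG[Waiting for site control file changes]LOG]!><time="22:33:00.000+000" date="01-29-2013" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:105">',
];

if (typeof require !== 'undefined' && require.main === module) {
  const lines = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8').split(/\r?\n/) : SAMPLE_LOG;
  console.log(assessSettled(lines, process.argv[2] ? new Date() : new Date('2013-01-29T22:45:00Z')));
}
```

Pointed at a real sitecomp.log, the script is a cheap way to confirm what the CMTrace window shows: a non-zero activity count tells you a re-installation was triggered, and `settled` only turns true once the last such entry is older than the quiet interval.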