SCAPaoT

System Center, Automation, Powershell and other Thoughts

SCAPaoT – what the hell is that?

Dear reader,

welcome to SCAPaoT. Ok, this is yet another blog on technical topics, like so many others out there. But what is it for?

The goal is to deliver information on many topics regarding System Center, Automation, Powershell and other themes that come to my mind and that I face in my daily practice.

As the title suggests, these are questions about Microsoft's System Center products and process automation in enterprise environments.

Powershell will also take a big part, as I'm a real fan of it and it is the most powerful scripting language ever developed for Microsoft systems. Nearly everything can be done with just a few lines of code.

So if you are interested, please stay tuned.

Kind regards,

Benedikt

Change Bitlocker PIN without administrative rights using SCCM

While everyone is talking about Bitlocker, there are still some tasks to be done if you're going to deploy it in an enterprise.
One of these tasks is that non-administrative users are not allowed to change the Bitlocker PIN (if you decide to use TPM and PIN as the protector for the system drive).

At our own environment we decided to use the SCCM to accomplish this task.

  1. We built a nice little app (VB.net) that uses the Bitlocker WMI interface to get the new PIN from the user.
  2. We built a little program that executes an advertisement from the command line. This is done using the UIResource.UIResourceMgr class.
  3. We made a package in SCCM with a program called "Set-Pin". This package has "Persist content in client cache" enabled, so execution also works on notebooks without access to the SCCM server. It was also set to execute "Only when a user is logged on", "Run with administrative rights" and "Allow users to interact with this program".
    This package is advertised to each client without a mandatory assignment, so it can be executed on each client as often as it is started.

Now every client has a link in the start menu that executes the SCCM package (PackageID) and the program "SetPin" with administrative rights (as the SCCM agent has administrative rights on the client).
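The PIN change itself, as an added PowerShell example that is not the VB.net tool from the post, done through the Bitlocker WMI interface the post mentions (Win32_EncryptableVolume); $MinPinLength and the digits-only check are assumptions about the local Bitlocker PIN policy.

```powershell
# Added example, not the VB.net app from the post: change the TPM+PIN
# protector of the system drive through the BitLocker WMI interface.
# Needs administrative rights, which is why the post wraps this step in an
# SCCM program that runs with administrative rights for a non-admin user.
param(
    [string]$DriveLetter = $env:SystemDrive,  # e.g. "C:"
    [int]$MinPinLength   = 6                  # assumption: align with the BitLocker PIN policy
)

$ns  = "root\cimv2\Security\MicrosoftVolumeEncryption"
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$DriveLetter'"
if ($null -eq $vol) { Write-Error "No encryptable volume found for $DriveLetter"; exit 1 }

# KeyProtectorType 4 = "TPM And PIN", the protector the post assumes for the system drive
$kp = $vol.GetKeyProtectors(4)
if ($kp.ReturnValue -ne 0 -or -not $kp.VolumeKeyProtectorID) {
    Write-Error ("No TPM+PIN protector on {0} (GetKeyProtectors 0x{1:X8})" -f $DriveLetter, $kp.ReturnValue)
    exit 1
}

# Read the PIN twice as SecureString so it does not end up on the command line
# or in the console history; WMI needs it in clear text for the call itself.
function ConvertTo-Plain([Security.SecureString]$s) {
    $b = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b) }
}
$pin1 = ConvertTo-Plain (Read-Host -AsSecureString "New PIN")
$pin2 = ConvertTo-Plain (Read-Host -AsSecureString "Repeat PIN")

if ($pin1 -ne $pin2) { Write-Error "PINs do not match"; exit 1 }
if ($pin1 -notmatch "^\d{$MinPinLength,20}$") {   # assumption: numeric PIN, at most 20 digits
    Write-Error "PIN must be $MinPinLength to 20 digits"; exit 1
}

# ChangePIN replaces the PIN of that TPM+PIN protector; ReturnValue 0 means success
$res = $vol.ChangePIN($kp.VolumeKeyProtectorID[0], $pin1)
if ($res.ReturnValue -eq 0) {
    "PIN changed on $DriveLetter"
} else {
    Write-Error ("ChangePIN failed: 0x{0:X8}" -f $res.ReturnValue)
    exit 1
}
```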

Bitlocker PIN tool

As a nice little addition, our little tool was built with a "force" mode, so we can force people to set the PIN (for example, on every new system or when a system changes its owner).

I have to say a big thanks to “the god of programming” for his support on building the little apps!

Add a computer variable using Powershell

Servers mostly run with fixed IP addresses, so the question was how to automate the server deployment with SCCM so that it also assigns a fixed IP address to the server.

While SCCM has the ability to set a fixed IP address, the way to do this automatically during deployment was to add the OSD variables to the computer object in SCCM.

This can be done using a simple Powershell script and the WMI classes that ship with SCCM.

# Powershell V2 only (V1 has errors in WMI)
# Adds an OSD machine variable to a computer object in SCCM using the
# SMS_MachineSettings and SMS_MachineVariable WMI classes of the site server.
param([string]$computer = ".",[string]$smssite = "MND",[int]$ResourceID=-9999,[string]$variable,[string]$value)

if(($ResourceID -ne -9999) -and ($variable -ne "") -and ($value -ne ""))
{
  $ns = "\\$computer\ROOT\SMS\SITE_$smssite"

  # New SMS_MachineSettings instance with the key properties of the computer object
  $pc_class = [WmiClass]"$($ns):SMS_MachineSettings"
  $pc = $pc_class.CreateInstance()
  $pc.ResourceID = $ResourceID
  $pc.SourceSite = $smssite

  # Load the existing settings so variables that are already there are kept.
  # Get() throws if the computer has no settings yet; then we start with an empty list.
  try { $pc.psbase.Get() } catch { }

  # Append a new SMS_MachineVariable instance (CreateInstance, not the class object itself)
  $newvar = ([WmiClass]"$($ns):SMS_MachineVariable").CreateInstance()
  $newvar.Name = $variable
  $newvar.Value = $value

  # @() makes sure we have an array even if there is only one (or no) existing variable
  $machinevariables = $pc.MachineVariables
  if($null -eq $machinevariables) { $machinevariables = @() }
  $pc.MachineVariables = @($machinevariables) + $newvar

  $pc.psbase.Put()

  if($?)
  {
    "Variable set"
  }
  else
  {
    "Error in setting variable"
  }
}
else
{
  "Not enough arguments given."
}

Adding variables this way is very easy, and the correct variable names can be found in the SCCM documentation (http://technet.microsoft.com/en-us/library/dd252744.aspx).