
MNSCUG April 2016 Meeting Notes

Sponsor - 1e renewed their Gold sponsorship again this year.  We thank them for their great support.

Speakers:


NOTES

Mike Terrill


Secure Boot is important to try to steer clear of rootkits/bootkits/ransomware.  Win10 isn’t just a skin over Win8.  Secure Boot is key.  Credential Guard and Device Guard run on Hypervisor – you need a couple more GB RAM for that so really plan on 8GB RAM for Win10.

Have to consider getting off BIOS and onto UEFI for Secure Boot.

The SQL queries shown are up on miketerrill.net

Mike brought in 3 laptops.  Dell, HP, Lenovo.

Lenovo A+ for vision but F on execution for managing hardware.  All build info is in WMI, but it’s a mess.

Dell leads the pack in listening to customers and helping us manage their boxes.  Dell OMCI is needed to expose all the hardware info (now renamed Dell Command Monitor).

Dell - Dell Command and Configure is the tool to expose out the bios via WMI.  Lots and lots of things will become available. 

CCTK - use this to modify the bios.

Settings of Interest -

Secure boot - determine the vendor settings for secure boot first.

If you have a device that isn't Secure Boot capable, refresh it.  (toss it)

UEFI PXE - It uses a different network stack.  You need to enable UEFI PXE booting. (Each vendor calls this something different).  This is a setting made on the device itself. ConfigMgr will detect if you do this correctly and you may get an unexpected Disk Format step run.  Legacy PXE boot is what you don’t want to do.  

You can inventory this with ConfigMgr beforehand to be able to proactively approach which devices need these settings.

TPM and Virtualization settings should be inventoried.  This is useful for device guard.

WOL - use this.  Why aren't you using it?

Is there a risk of DDOS from WOL?  Kind of.  The network team needs to set this up correctly.  Whitelist your broadcast packet senders.  Limit to the broadcast domain as well.

Device Boot Order -

You can have a different boot order depending on whether it wakes up via network or not.  Be aware of this.

Document all your BIOS settings, have a certification process for all things set in your BIOS.  Version and specific settings.  Once this information is inventoried in ConfigMgr, a custom report can do this for you.

When inventorying information in ConfigMgr - don’t select everything!  Your database will bloat to big sizes and Brian will yell at you.  Look at the slide deck for additional and specific recommendations per vendor. (link needed)

Just in general, it might be a bad idea to reduce the amount of things being inventoried.  By default too much stuff is being inventoried.  (free disk space is not enabled by default)

HP has a "Possible Values" property in their WMI Classes.  Thank you.

Lenovo is lacking when it comes to the WMI classes.

If you inventory a class that doesn’t exist, that’s ok.  No damage to database.  (this is also very normal)

DELL - If option ROMs are enabled, you cannot enable Secure Boot.  Enable the UEFI Network Stack to be able to UEFI PXE boot.

Other things to inventory that are useful -

Win32_OperatingSystem
    DataExecutionPrevention_Available
    OSArchitecture

SMS_LogicalDisk
    FreeSpace

Win32_TPM
    IsActivated_InitialValue
    IsEnabled_

Others… see the slides
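The Secure Boot / UEFI PXE / TPM / virtualization settings above are inventoried through ConfigMgr hardware inventory, but it helps to read the same properties directly on a device to confirm what the inventory classes will report. The script below is an added example written for these notes (it is not from the talk, the slides, or miketerrill.net); it assumes Windows 8.1 or Windows 10, PowerShell 5.1 and an elevated prompt, since Confirm-SecureBootUEFI and Win32_Tpm both need admin. The "blockers" list is my own summary of the Device Guard / Credential Guard prerequisites as stated above (UEFI, Secure Boot, TPM, virtualization, plan on 8 GB RAM).

```powershell
# Added example, not from the meeting or the presenter: reads the WMI/CIM
# properties the notes recommend inventorying and reports Device Guard /
# Credential Guard blockers. Assumes Win 8.1+/Win10, PS 5.1, elevated prompt.

function Get-FirmwareReadiness {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot; that failure is the
    # answer we want (no UEFI means no Secure Boot is possible either).
    $firmware = 'UEFI'
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $firmware   = 'Legacy BIOS'
        $secureBoot = $false
    }

    # TPM state from Win32_Tpm (same properties as the inventory list above).
    $tpmEnabled   = $false
    $tpmActivated = $false
    if ($tpm) {
        $tpmEnabled   = [bool]$tpm.IsEnabled_InitialValue
        $tpmActivated = [bool]$tpm.IsActivated_InitialValue
    }

    # VirtualizationFirmwareEnabled reads false once a hypervisor is already
    # running, so either signal counts as "virtualization is on".
    $virtOn = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # System-drive free space; the notes point out FreeSpace is not
    # inventoried by default in ConfigMgr.
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk `
                               -Filter "DeviceID='$($env:SystemDrive)'"

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OSArchitecture    = $os.OSArchitecture
        DEPAvailable      = [bool]$os.DataExecutionPrevention_Available
        Firmware          = $firmware
        SecureBootEnabled = [bool]$secureBoot
        TpmPresent        = ($null -ne $tpm)
        TpmEnabled        = $tpmEnabled
        TpmActivated      = $tpmActivated
        VirtualizationOn  = $virtOn
        MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        SystemDriveFreeGB = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
    }
}

function Get-ReadinessBlockers {
    # Returns the reasons a device is not ready for Device Guard / Credential
    # Guard per the talk: UEFI, Secure Boot, TPM, virtualization, ~8 GB RAM.
    # An empty list means ready.
    param([Parameter(Mandatory)] [PSCustomObject] $Readiness)

    $blockers = @()
    if ($Readiness.Firmware -ne 'UEFI')    { $blockers += 'Booted in legacy BIOS mode; convert to UEFI' }
    if (-not $Readiness.SecureBootEnabled) { $blockers += 'Secure Boot is off' }
    if (-not $Readiness.TpmPresent) {
        $blockers += 'No TPM reported by Win32_Tpm'
    } elseif (-not ($Readiness.TpmEnabled -and $Readiness.TpmActivated)) {
        $blockers += 'TPM present but not enabled/activated in firmware'
    }
    if (-not $Readiness.VirtualizationOn)  { $blockers += 'CPU virtualization disabled in firmware' }
    if ($Readiness.MemoryGB -lt 8)         { $blockers += "Only $($Readiness.MemoryGB) GB RAM; plan on 8 GB" }
    return ,$blockers
}

$r = Get-FirmwareReadiness
$r | Format-List
$blockers = Get-ReadinessBlockers -Readiness $r
if ($blockers.Count -eq 0) { 'Ready for Device Guard / Credential Guard' } else { $blockers }
```

The same property reads drop straight into a ConfigMgr Compliance Setting or a Run Script item if you want the result as a collection rather than a console listing; the point is that every value here comes from a class you can also add to hardware inventory, so the report and the on-box check agree.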


Why upgrade the Bios / UEFI?  They make it better with future releases, use them.  They are not finished software.

Because it works doesn’t mean it is supported. 

Software deployment from a task sequence is not supported.

BIOS update -

Suspend Bitlocker before doing a bios upgrade

Dell - you can't upgrade the BIOS from 64-bit WinPE; you need a 32-bit WinPE.  It can also be done in the OS (after it installs).  You need a like architecture when UEFI booting, i.e. you can boot a Surface with a 32-bit boot stick.

Get a Twitter account for the latest news.  Get on Twitter.

HPQ Flash needs WinPE-HTA support.  This is not on by default.

USB drives have a removable bit set that prevents partitioning the disk.  This can be changed by using some dodgy software.  This can only be done on certain drives.  It may make your disk inoperable as well.

There are lots of hidden variables that you can access with CM.  (it's like a mini-MDT)  Dynamic Variables are your friend.  You can add conditional logic to Dynamic Variables as well.  (Cool) SMSTSMacAdresses -> notice the typo

Tsenv2.exe was free, and then was not free but is now free again.  This is an awesome tool available from 1E.

Randomize your local admin password already!!!  Use LAPS for local admin passwords.  This is a good tool.

DeviceGuard requires UEFI and SecureBoot.

If you are deploying win7 x64 today, do it in UEFI mode it will make the win10 migration so much easier and you will thank yourself.

The Win7 ISO is missing some folders that are essential for UEFI.  ConfigMgr helps take care of this for you, but booting direct from a USB stick does not.  CSM (legacy) may be needed for Windows 7 deployments; it can be disabled come Windows 10 time.

Legacy to UEFI - how?  Use Nomad, it can store user data. It's all USMT Under the hood.


Steve Rachui -

MDM native in windows 10 is the future, start preparing for it.

Subnet ranges are really hard on SQL in terms of performance.  Too many can be cumbersome. 

"schedule application to be available at" - this tells the client to download the content. If this is set the content will not download until it is available.

Configure your SQL DB correctly.  One tempdb data file per CPU core, up to 8.  The files must all be exactly the same size.

Use 64k blocks for your partition that hosts SQL
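A quick way to audit a site database server against the two rules just given (tempdb file count and equal sizes, and 64K allocation units), as an added example that is not from the talk: it assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a login with VIEW SERVER STATE on the instance; 'SQL01\CM' and drive D are placeholder names.

```powershell
# Added example, not from the meeting notes or the speaker: checks tempdb
# against "one data file per CPU core, up to 8, all the same size" and checks
# a local volume for 64 KB allocation units. Assumes the SqlServer module
# (Invoke-Sqlcmd); 'SQL01\CM' and 'D' below are placeholders.

function Test-TempdbLayout {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [int] $MaxFiles = 8
    )

    # Data files only (type_desc = 'ROWS'); sys.master_files stores size in 8 KB pages.
    $files = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @"
SELECT name, physical_name, size * 8 / 1024 AS SizeMB
FROM sys.master_files
WHERE database_id = DB_ID('tempdb') AND type_desc = 'ROWS';
"@
    $cpu = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query `
        'SELECT cpu_count FROM sys.dm_os_sys_info;'

    $expected = [math]::Min([int]$cpu.cpu_count, $MaxFiles)
    $sizes    = @($files | Select-Object -ExpandProperty SizeMB -Unique)

    $findings = @()
    if (@($files).Count -ne $expected) {
        $findings += "tempdb has $(@($files).Count) data file(s); expected $expected for $($cpu.cpu_count) cores"
    }
    if ($sizes.Count -gt 1) {
        $findings += "tempdb data files differ in size: $($sizes -join ', ') MB"
    }
    return ,$findings
}

function Test-SqlVolumeAllocation {
    # Run on the SQL host itself: true when the volume holding the SQL files
    # was formatted with a 64 KB allocation unit.
    param([Parameter(Mandatory)] [string] $DriveLetter)
    $vol = Get-Volume -DriveLetter $DriveLetter
    return ($vol.AllocationUnitSize -eq 64KB)
}

$findings = Test-TempdbLayout -ServerInstance 'SQL01\CM'
if ($findings.Count -eq 0) { 'tempdb layout matches the guidance' } else { $findings }
"Drive D uses 64K allocation units: $(Test-SqlVolumeAllocation -DriveLetter 'D')"
```

Test-TempdbLayout can be pointed at a remote instance; Test-SqlVolumeAllocation reads the local volume, so run it on the SQL host (or wrap it in Invoke-Command).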

Implement Management Point replica databases

Why

Fault tolerance

Why not

To solve a performance issue - [Brian Mason: this is only partially true.  You can let your primary site work on things it needs to do like parsing inventory rather than be saddled with lookups.]

Content lookup works much better in current branch for some pretty cool technical reasons that you should have been in attendance to see.
