Tuesday, May 19, 2015

Making a 1E Nomad client exempt from pulls

For those not familiar with Nomad from 1E: it is a peer-to-peer technology that helps eliminate Distribution Points with SCCM. The client will ask if any machine in the local subnet has the files. If not, it will then ask the ActiveEfficiency Server, assuming Single Site Download is set up, for the files. 1E utilizes a Reverse QoS process along with many other cool features.

My environment has many types of machines that we want to consume data utilizing Nomad but not allow other machines to pull from them. For this 1E has a registry key. We have several instances where you don't want to interrupt a machine. Maybe it is a machine cluster crunching data, a video editing machine, a special server, or maybe you have some political reason to exclude a machine.

The end result will be a machine with the Nomad key P2PElectionWeight set to 0. You must restart the service for the machine to notice the change.

For this we create a Compliance check. There are several ways to create this:

Find the MSI of the application you are detecting.
At Settings, click Next.
At Compliance Rules, click Next.
Select the appropriate Platform.

This is a quick detection method; you can use any one that works for you.

Here is a method I used to detect if a machine has SQL installed and running:
(Note this example doesn't include excluding SCCM secondary site servers.)

First I wanted to find the machines that had SQL. This could also include SQL Express, and some machines with BitLocker may be seen as having SQL, which I found odd.

Let's set the rule to "Must Exist" if we are really seeing SQL on the box.
Now that we have a machine that has SQL detected, we need to check to see if it is running.

With both of these rules, and variations of them, you can create detections for whether a machine has software installed. Remember, if you have applications in the App Model then you have some of the work already done for you.
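The two rules above (SQL present, then SQL running) are shown in the original post as console screenshots. As an added example that is not part of the original post, here is the same check expressed as a script-based CI setting in PowerShell. It assumes SQL Server setup registers engine instances under the "Instance Names\SQL" key and names their services MSSQLSERVER (default instance) or MSSQL$InstanceName (named instance); keying on the instance list rather than on an installed-product name is my choice, not the author's method.

```powershell
# Added example (not from the original post): script-based CI setting that reports
# whether a SQL Server engine is installed and whether any instance is running.
# Assumption: engine instances are registered as value names under
# HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL and their
# services are MSSQLSERVER (default) or MSSQL$<InstanceName> (named).

function Get-SqlInstanceNames {
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path -Path $key)) { return @() }
    # Each value name under this key is an installed engine instance (e.g. SQLEXPRESS)
    return @((Get-Item -Path $key).GetValueNames())
}

function Get-SqlServiceName {
    param([Parameter(Mandatory)][string]$Instance)
    if ($Instance -eq 'MSSQLSERVER') { return 'MSSQLSERVER' }
    return "MSSQL`$$Instance"
}

function Get-SqlState {
    $instances = Get-SqlInstanceNames
    if ($instances.Count -eq 0) { return 'NoSql' }
    foreach ($instance in $instances) {
        $svc = Get-Service -Name (Get-SqlServiceName -Instance $instance) -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return 'SqlRunning' }
    }
    # Engine bits are present (SQL Express included) but no instance is up
    return 'SqlInstalledNotRunning'
}

# A script setting must write its discovered value to standard output; the
# compliance rule then compares it.
Get-SqlState
```

With a compliance rule of "value must not equal SqlRunning", a machine that is hosting a live SQL engine reports as non-compliant, which is the population the collection later in this post is built from. Machines that merely have SQL Express bits installed but stopped are left alone.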

Now create your Baseline:
Software names have been removed from this list. Notice the purpose of these is "Prohibited"; the reason is that we don't want these applications running.

The deployment is only run once a month, before the patches, as this is a heavy load on the environment, and we don't expect it to change much. This

To make this work we need a collection that has all the non-compliant machines.

Create a package and push this batch script (a .cmd that writes the registry with reg.exe, not a .reg file) to the machine to make it exempt from pulls:

@echo off
:: Set P2PElectionWeight to 0 so this machine never wins a Nomad election and other peers stop pulling from it.
:: PROCESSOR_ARCHITEW6432 is only set when a 32-bit cmd.exe runs on 64-bit Windows (WOW64);
:: in that case write to the 64-bit registry view explicitly.
IF '%PROCESSOR_ARCHITEW6432%'=='' goto x86
reg.exe add HKLM\Software\1E\NomadBranch /v P2PElectionWeight /t REG_DWORD /d 0 /f /reg:64
goto restart

:x86
:: Native process: 32-bit Windows, or a 64-bit cmd.exe on 64-bit Windows
reg.exe add HKLM\Software\1E\NomadBranch /v P2PElectionWeight /t REG_DWORD /d 0 /f

:restart
:: Restart the NomadBranch Service so it picks up the new election weight
NET STOP NomadBranch && NET START NomadBranch

Saturday, May 16, 2015

Extend Reboot of SCCM temporarily

To follow up on this post: http://sms-hints-tricks.blogspot.com/2015/05/override-sccm-reboot-time.html

Say you just wanted to simply extend the reboot of a machine by a few hours, and not permanently?

Simply edit the registry value InitiatedTimeStamp under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData

Add the number of seconds you wish to have, then kill the SCNotification.exe process and restart the SMS Agent Host (the CcmExec service).

After that, the SCNotification application should kick back in after a few seconds. It will read the changed registry value and use the new time for the reboot.
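The three steps above (bump the timestamp, kill SCNotification, restart the agent) as one PowerShell function. This is an added example and not the post's own script; it assumes InitiatedTimeStamp holds a whole number of seconds, rewrites the value with whatever registry type it already has rather than forcing one, and must be run from an elevated 64-bit PowerShell so the native SOFTWARE\Microsoft\SMS view is the one edited.

```powershell
# Added example (not from the original post): push the pending SCCM reboot out by
# N seconds by adjusting InitiatedTimeStamp, then bounce SCNotification and the
# SMS Agent Host (CcmExec) so the new value is read.
# Assumption: InitiatedTimeStamp is a whole number of seconds; its existing
# registry type (DWORD/QWORD/String) is preserved on write.

$RebootDataKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData'

function Get-RebootInitiatedTimeStamp {
    if (-not (Test-Path -Path $RebootDataKey)) {
        throw "No pending reboot: $RebootDataKey does not exist"
    }
    (Get-ItemProperty -Path $RebootDataKey -Name InitiatedTimeStamp).InitiatedTimeStamp
}

function Add-RebootDelay {
    param([Parameter(Mandatory)][int]$Seconds)
    $kind = (Get-Item -Path $RebootDataKey).GetValueKind('InitiatedTimeStamp')
    $old  = [int64](Get-RebootInitiatedTimeStamp)
    $new  = $old + $Seconds
    # -Type keeps the value's original kind so the client still parses it
    Set-ItemProperty -Path $RebootDataKey -Name InitiatedTimeStamp -Value $new -Type $kind
    return $new
}

function Restart-ClientNotification {
    # SCNotification only re-reads RebootData when it starts, so kill it and
    # restart the agent host that launches it again
    Get-Process -Name SCNotification -ErrorAction SilentlyContinue | Stop-Process -Force
    Restart-Service -Name CcmExec
}

# Usage: extend the countdown by three hours
$stamp = Add-RebootDelay -Seconds (3 * 3600)
Restart-ClientNotification
"InitiatedTimeStamp is now $stamp"
```

Because the function returns the new timestamp, it can be logged from the deployment that runs it; compare it against the countdown dialog that reappears to confirm the client picked up the change.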

Wednesday, May 13, 2015

Skype for Business, forced install

Be aware this month, May 2015, any machines that are running Lync 2013 and didn't upgrade last month to Skype for Business will now be forced over to Skype for Business.

In the SCCM console you will see this update:

Security Update for Skype for Business 2015 (KB3039779)

Bulletin ID: MS15-044
Article ID: 3039779
Date revised: Tuesday, May 12, 2015
Maximum severity rating: Critical
A security vulnerability exists in Skype for Business 2015 64-Bit Edition that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability.
Applicable languages:

Affected products:
Office 2013

This security update is a part of MS15-044:

Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

From there you can drill down to the Lync / Skype Security update

Microsoft Lync Basic 2013 Service Pack 1 (32-bit) (Skype for Business Basic) | Not applicable | Critical | Remote Code Execution

Once you open this update you will find this:

MS15-044: Description of the security update for Lync 2013 (Skype for Business): May 12, 2015
This security update resolves a vulnerability in Microsoft Lync that could allow information disclosure if a user opens a specially crafted Lync meeting request.

This security update for Microsoft Lync 2013 includes the new Skype for Business client.

  • The download page will still display this update as being for Lync 2013.
  • After you apply this May 12, 2015, security update, Lync 2013 will be upgraded to Skype for Business. Get the general information about the new experience in Skype for Business.
  • You can still use the Lync client user interface after you apply this update for Lync 2013 (Skype for Business). Get the general information about how to switch between the Skype for Business and the Lync client user interfaces for Office 365 users and Lync Server 2013 users.

Tuesday, May 5, 2015

Override SCCM Reboot Time

The SCCM reboot counter is controlled via the SCNotification application and policy. Below is a basic policy as seen from WbemTest and Policy Spy.

To modify this we create a local policy. Local policy will override the machine policy.

WMIC /namespace:\\root\ccm\policy\machine\requestedconfig /NOINTERACTIVE path CCM_RebootSettings Create PolicySource="local",PolicyVersion="1.0",SiteSettingsKey="1",RebootCountdown=259200,RebootCountDownFinalWindow=4400

When you run this command the policy looks like the one below (RebootCountdown and RebootCountDownFinalWindow are in seconds, so this gives a 72-hour countdown with a final window of about 73 minutes).

When the restart happens, you have something like this:

Once the machine is set to reboot, the registry will change here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData

OverrideRebootWindowTime is the Epoch time at which the forced box that cannot be closed appears.
RebootBy is the Epoch time that will cause the machine to restart.

I am still experimenting to see if the time can be modified to cheat the reboot time and keep extending, or to force it to be shorter. I will detail those findings later.

I did find the Epoch time had to be adjusted. I found I had to subtract 5 hours to adjust for my time zone. While it says it is in UTC, I think it is UTC but offset from my time zone. Odd. I might find the real solution once I delve deeper into this.
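To check the local policy and read back the two RebootData timestamps without doing the epoch arithmetic by hand, here is an added PowerShell example (not part of the original post). It assumes OverrideRebootWindowTime and RebootBy are whole seconds since 1970-01-01 UTC, as the post describes, and shows each one as UTC, as local clock time, and as time remaining, so the time zone question raised above can be settled against the countdown dialog on the machine.

```powershell
# Added example (not from the original post): show the local CCM_RebootSettings
# policy and decode the RebootData epoch values.
# Assumption: OverrideRebootWindowTime and RebootBy are seconds since 1970-01-01 UTC.

$RebootDataKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client\Reboot Management\RebootData'

function ConvertFrom-EpochSeconds {
    param([Parameter(Mandatory)][int64]$Seconds)
    # Build the epoch with Kind=Utc so ToLocalTime() applies the machine's offset once
    $epoch = New-Object -TypeName DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $epoch.AddSeconds($Seconds)
}

function Get-LocalRebootPolicy {
    # Same view Policy Spy / WbemTest show, filtered to the instance created with PolicySource="local"
    Get-WmiObject -Namespace 'root\ccm\policy\machine\requestedconfig' -Class CCM_RebootSettings |
        Where-Object { $_.PolicySource -eq 'local' } |
        Select-Object PolicySource, PolicyVersion, SiteSettingsKey, RebootCountdown, RebootCountDownFinalWindow
}

function Get-RebootSchedule {
    if (-not (Test-Path -Path $RebootDataKey)) { return }   # nothing pending
    $data = Get-ItemProperty -Path $RebootDataKey
    foreach ($name in 'OverrideRebootWindowTime', 'RebootBy') {
        $raw = $data.$name
        if ($null -eq $raw) { continue }
        $utc = ConvertFrom-EpochSeconds -Seconds ([int64]$raw)
        [pscustomobject]@{
            Name      = $name
            Epoch     = [int64]$raw
            Utc       = $utc
            Local     = $utc.ToLocalTime()
            Remaining = $utc - [DateTime]::UtcNow
        }
    }
}

Get-LocalRebootPolicy
Get-RebootSchedule | Format-Table -AutoSize
```

If the Local column lands exactly one UTC offset away from what the countdown dialog shows, the stored value was written from local wall-clock time rather than true UTC, which would match the 5-hour discrepancy noted above; if the two agree, the value really is UTC and no correction is needed.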