Tuesday, September 4, 2018

Eliminate rogue KMS with ConfigMgr


A friend of mine came to me because he noticed several KMS servers in his environment, yet he should only have one, since he also has ADBA set up for the newer operating systems. Digging in, it turned out the others were Windows 7 laptops. We are guessing the users did something to try to change editions; whatever it was, it was definitely intentional. Instead of putting in tickets with his support team, we chose to fix it via ConfigMgr ourselves. Note this was a focused case, so I did not spend much time making it more automatic and some assumptions were made. If this issue resurfaces I'll do something with compliance settings to handle it truly automatically.

First off, you can find out who is advertising as a KMS host by doing an SRV record lookup in DNS for _vlmcs._tcp.mydomain.com. nslookup is easiest, though you can also use the DNS tool in RSAT and drill down via Forward Lookup Zones | mydomain.com | _tcp, where you'll see all the _vlmcs.* records.

 C:\Users\kevinfason>nslookup  
 Default Server: UnKnown  
 Address: 10.1.1.10  
 > set type=srv  
 > _vlmcs._tcp.mydomain.com  
 Server: MYDNSSERVER  
 Address: 10.1.1.10  
 _vlmcs._tcp.tuffshed.com    SRV service location:  
      priority    = 0  
      weight     = 0  
      port      = 1688  
      svr hostname  = realkmsserver.mydomain.com  
 _vlmcs._tcp.tuffshed.com    SRV service location:  
      priority    = 0  
      weight     = 0  
      port      = 1688  
      svr hostname  = badkmsserver.mydomain.com  
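The same check as a repeatable script, added here as an example and not part of the original post: it lists every _vlmcs._tcp SRV record and flags any target that is not on an approved KMS host list. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later); the domain and approved host names are placeholders taken from the nslookup output above.

```powershell
# Added example, not the post's own script: enumerate _vlmcs._tcp SRV records
# and flag any KMS host that is not on the approved list.
param(
    [string]$Domain = 'mydomain.com',                              # assumption
    [string[]]$ApprovedKmsHosts = @('realkmsserver.mydomain.com')  # assumption
)

function Get-RogueKmsRecords {
    param([string]$Domain, [string[]]$Approved)
    # Only keep SRV answers; Resolve-DnsName may also return CNAME/A glue records
    $records = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $records) {
        # NameTarget may carry a trailing dot, so normalise before comparing
        $rogue = $Approved -notcontains $r.NameTarget.TrimEnd('.')
        [pscustomobject]@{ Host = $r.NameTarget; Port = $r.Port; Rogue = $rogue }
    }
}

$result = Get-RogueKmsRecords -Domain $Domain -Approved $ApprovedKmsHosts
$result | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring job raise an alert
if ($result | Where-Object { $_.Rogue }) { exit 1 }
```

Run it from a scheduled task after cleaning up DNS and it will tell you the moment a client re-registers itself.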


The first thing we did was remove the bad records from DNS, leaving only the one good one. Since only a few systems were acting up, we created a collection and added these hosts as direct members. We then created a package with the following script to run on them, set to rerun weekly. Eventually they went away. We kept an eye on the DNS records and removed them as needed, which turned out to be only once.

The script consists of several steps, all run via slmgr.vbs. The first step uninstalls whatever product key the system currently has:

 ECHO Uninstalling KMS Key  
 cscript %windir%\system32\slmgr.vbs /upk  
 ECHO.  

Next it installs the Windows 7 Pro KMS client setup key that Microsoft provides:

 ECHO Installing KMS Setup Key for Windows 7 Pro  
 cscript %windir%\system32\slmgr.vbs /IPK FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4  
 ECHO.  

We were lucky in that it was only some Windows 7 Pro systems doing it; had other versions been involved, we would have had to detect the OS so we install the correct KMS key. Since we were just using a batch script, I was originally thinking of using ver to pull the version and then an if-then statement around the /IPK step, something similar to this:

 REM ver prints e.g. "Microsoft Windows [Version 6.1.7601]"; tokens 4-5 split on "." and " " give 6.1  
 for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j  

Since the system is now unlicensed, we have it activate against the valid KMS server:

 ECHO Activating the computer to KMS Server  
 cscript %windir%\system32\slmgr.vbs /ato  
 ECHO.  

Finally, we set the system not to publish itself in DNS, in case the user decides to do something like this again:

 ECHO Disable this machine from publishing itself as a KMS server in DNS  
 cscript %windir%\system32\slmgr.vbs /cdns  
 reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v DisableDnsPublishing /t REG_DWORD /d 1 /f  
 ECHO.  
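The whole package as one PowerShell script, added here as an example and not the post's own batch file: it first confirms the machine is actually acting as a KMS host, picks the client setup key from the OS edition instead of hard-coding Windows 7 Pro, and then runs the same four slmgr.vbs steps plus the registry change. Only the Windows 7 Professional key comes from the post; the other table entries are placeholders to fill from Microsoft's published client setup key list.

```powershell
# Added example, not the original package script. Rogue-KMS cleanup with the
# client setup key chosen from the OS caption. Only the Windows 7 Professional
# key is from the post; the other entries are placeholders (assumption).
$ClientSetupKeys = @{
    'Windows 7 Professional' = 'FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4'  # from the post
    'Windows 7 Enterprise'   = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'  # placeholder
    'Windows 10 Pro'         = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'  # placeholder
}
$Slmgr  = Join-Path $env:windir 'System32\slmgr.vbs'
$SppKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

function Invoke-Slmgr {
    param([string[]]$Arguments)
    # //nologo keeps the package execution log readable in ConfigMgr
    & cscript.exe //nologo $Slmgr $Arguments
}

function Test-IsKmsHost {
    # IsKeyManagementServiceMachine is 1 when this machine is serving KMS requests
    $spp = Get-WmiObject -Class SoftwareLicensingService
    return ($spp.IsKeyManagementServiceMachine -eq 1)
}

function Get-KmsClientSetupKey {
    # Caption looks like "Microsoft Windows 7 Professional "; strip vendor and whitespace
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption.Trim() -replace '^Microsoft ', ''
    $match = $ClientSetupKeys.Keys | Where-Object { $caption -like "$_*" } | Select-Object -First 1
    if (-not $match) { throw "No KMS client setup key mapped for '$caption'" }
    return $ClientSetupKeys[$match]
}

if (-not (Test-IsKmsHost)) { Write-Output 'OK: not acting as a KMS host'; exit 0 }

# Resolve the key first so we never strip a key we cannot replace
$key = Get-KmsClientSetupKey
Write-Output 'Uninstalling current product key';            Invoke-Slmgr '/upk'
Write-Output 'Installing KMS client setup key for this edition'; Invoke-Slmgr @('/ipk', $key)
Write-Output 'Activating against the KMS server found in DNS';   Invoke-Slmgr '/ato'
Write-Output 'Disabling KMS DNS publishing';                  Invoke-Slmgr '/cdns'
New-ItemProperty -Path $SppKey -Name DisableDnsPublishing -PropertyType DWord -Value 1 -Force | Out-Null
```

Because it exits early on machines that are not KMS hosts, it can be deployed to a broad collection rather than a hand-built direct-membership one.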

Should this happen again I'll do something more intelligent to handle it. He also had a policy drawn up for HR to invoke on the users.

-Kevin

Monday, July 9, 2018

FreeNAS smartd service refuses to start

I logged into my FreeNAS-11.1-U5 console after updating it and had a system alert that smartd was unable to start.


The GUI log was complaining as well:


I didn't recall which disks these were, so I went over to Storage | View Disks in the GUI; they were the USB sticks used for the mirrored boot device. I knew this because I had labeled each drive slot in the server.


Since the event log was mentioning "removable", this was another clue. S.M.A.R.T. really is not designed for USB flash drives; it is meant for hard drives and solid-state drives. Click Edit on each of these disks and turn off S.M.A.R.T.:

I did not try it, but you could instead pass '-d removable' in the S.M.A.R.T. extra options, based on the syslog complaining about that switch. Either change generates a fresh smartctl.conf in /usr/local/etc. Once completed, just head back over to Services and smartd should be running happily. If not, just start it and you should be good.


-Kevin


Tuesday, July 3, 2018

Flash IEClickToPlay ConfigMgr Compliance Setting (manipulate mms.cfg)

Recently we updated Flash to version 30.0.0.113 on Windows 7 systems and discovered that they were no longer able to view Skype Broadcast events in Internet Explorer, as discussed in greater detail here on the Adobe Forum. We use them quite heavily at my firm, and basically the video never starts: you see the spinning wheel when the Skype Broadcast loads. It only impacted IE, whereas Chrome and Firefox worked fine. We obviously did not want to revert to an older version, so we chose to correct the issue.

A compliance setting to the rescue; however, I won't cover how to create one from scratch. We are using one to set the line below in mms.cfg so that Skype Broadcast will work in IE on Windows 7.

 EnableInsecureByteArrayShareableDomain=*.broadcast.skype.com  

The mms.cfg file is located in %WINDIR%\System32\Macromed\Flash or %WINDIR%\SysWOW64\Macromed\Flash depending on the architecture. We have a PowerShell Discovery Script that looks for this line in mms.cfg and reports back, and then a Remediation Script that sets it if needed.

For the Configuration Item we set the Supported Platforms to workstation OSes of Windows 7 and higher, as the issue may also impact Windows 10.

The Compliance Rules are pretty straightforward. We have two rules, one for the System32 location and the other for SysWOW64. This screenshot is for System32; the rule expects the discovery script to return 'OK' and, if it does not, runs the remediation script.


The remediation script keeps any existing lines and just modifies the one in question; it also writes the file in ANSI encoding so Flash processes it correctly.

The Compliance Baseline is deployed to our 'All Workstations' collection to evaluate every 14 days. This will eventually get incorporated into our main Adobe Flash compliance setting, which manipulates autoupdate etc. We actually just took our Flash autoupdate PS1 code and changed the top lines, so it's easy to manage multiple settings in mms.cfg via one compliance setting.

 $SettingsToRemove = @(  
 )  
 $SettingsToAdd = @(  
     "AutoUpdateDisable=1"  
     "SilentAutoUpdateEnable=0"  
     "EnableIEClickToPlay=1"  
 )  
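An added example of what the discovery and remediation halves look like, written here to illustrate the post and not the author's downloadable scripts: it keeps unrelated lines, replaces the managed keys, drops the ones listed for removal, and writes mms.cfg back as ANSI. In ConfigMgr the two branches of the $Mode switch would be pasted into the separate Discovery and Remediation script boxes; $Mode and the sample setting lists are assumptions, while the key names come from the post.

```powershell
# Added example, not the post's own compliance scripts. $Mode selects which half
# runs; in a real Configuration Item each half is its own script (assumption).
param([ValidateSet('Discover','Remediate')][string]$Mode = 'Discover')

$SettingsToRemove = @()                                   # keys to strip, by name
$SettingsToAdd = @(                                       # full key=value lines to enforce
    'EnableInsecureByteArrayShareableDomain=*.broadcast.skype.com'
    'EnableIEClickToPlay=1'
)
# One rule per location in the post; only this path changes for the SysWOW64 rule
$MmsCfg = Join-Path $env:windir 'System32\Macromed\Flash\mms.cfg'

function Get-DesiredLines {
    param([string[]]$Existing)
    $managed = @{}
    foreach ($s in $SettingsToAdd)    { $managed[($s -split '=', 2)[0].Trim()] = $true }
    foreach ($k in $SettingsToRemove) { $managed[$k.Trim()] = $true }
    $kept = foreach ($line in $Existing) {
        $name = ($line -split '=', 2)[0].Trim()
        # Keep comments, blank lines and any key we do not manage
        if ($line -notmatch '=' -or -not $managed[$name]) { $line }
    }
    return @($kept) + $SettingsToAdd
}

function Test-Compliant {
    if (-not (Test-Path $MmsCfg)) { return $false }
    $current = @(Get-Content $MmsCfg)
    foreach ($s in $SettingsToAdd) { if ($current -notcontains $s) { return $false } }
    foreach ($k in $SettingsToRemove) {
        if ($current -match "^\s*$([regex]::Escape($k))\s*=") { return $false }
    }
    return $true
}

if ($Mode -eq 'Discover') {
    if (Test-Compliant) { 'OK' } else { 'NotCompliant' }
} else {
    $existing = if (Test-Path $MmsCfg) { @(Get-Content $MmsCfg) } else { @() }
    # -Encoding Default is the system ANSI code page in Windows PowerShell, which is
    # the encoding the post says Flash needs for mms.cfg
    Set-Content -Path $MmsCfg -Value (Get-DesiredLines -Existing $existing) -Encoding Default
}
```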

On the client side, the baseline's compliance report is pretty straightforward.




Download



These scripts are provided as-is, no warranty is provided or implied. The author is NOT responsible for any damages or data loss that may occur through the use of this Script.  Always test, test, test before rolling anything into a production environment.

You can find the report here


-Kevin