Crankdesk on CMCE 1602

Today I had the pleasure to join the CMCE user group in Zürich, Switzerland. Mirko was able to bring very interesting people together in the training rooms of Digicomp. I can absolutely recommend making the trip to join these guys.

Today I will give you a first hint that you can get a similar event in Germany, too.

Below I have written down minutes of all sessions I attended (with some personal comments). Hopefully you enjoy them, and Mirko will allow me to host the presentations here as well.

Update 2016-02-03: A summary in German and the PowerPoint slides are available here

What's new in Windows 10 (Sami Laiho)

We learned that no passwords are needed in Finland. The user account for the local Administrator in Finland is named Järjestelmänvalvoja.


  • Sami explained some amazing marketing sentences of Microsoft about Windows 10:
    • Start menu (now with 2048 things)
    • Virtual desktops (was integrated before, but only available with Sysinternals)
    • Running applications in windows (sounds funny; they meant Universal Apps)
    • Transparent command prompt. The reason for that is that the console host (not the command prompt) was updated
  • Question: how many desktops does a normal Windows box have? Correct answer: 3. One for the secure session, one for the UI, one for the screensaver.
  • „If your customer says they are not going to Windows 10, they are lying…“
  • Windows 8.0 is out of support. But new features like the OneDrive for Business sync client are not released for Windows 8.1
  • Windows RT is dead. A last update was released to get the new start menu on it.
  • Microsoft recommends the upgrade instead of a clean installation.
  • Windows Update for Business
    • Means the checkbox -> Defer upgrades
    • Means the GPO: Defer Upgrades and Updates
    • Is mainly used to get telemetry data from enterprise customers. With WSUS it is not possible to get this telemetry data.
  • Provisioning packages
    • Used to transform Windows into an enterprise edition
    • During setup, press the Windows key 5 times to integrate them (read on for how to create provisioning packages)
    • Can be used to transform a Windows Phone into Windows Phone Enterprise? We don't know. No one wanted to sacrifice his Lumia 950 to test that.
  • Fixed ConHost
    • Same properties in PowerShell and cmd
    • Copy / paste …
  • Biometrics
    • Two factor, biometrics, Windows Hello
    • We learned that Sami has a limited-user finger and an admin finger
    • Problem: it's not possible to make an admin face
      • He established the Homer Simpson dope
  • New store and Universal Apps
    • Two phases to improve the Windows Store
      • Emulation for iOS and Android, and App-V support
      • Make the store „more sexy“, whatever this means
    • Xbox is a key point in the strategy
    • The Xbox is cool and people use it. If an Xbox app is supported, it can raise sales for Windows Phone and Windows desktops
  • Azure AD
    • Centralized licensing
    • Directly connected to Azure
  • MDM
    • Intune, SCCM and 3rd party supported better than before
    • Not only for BYOD anymore
    • Three scenarios
      • Allow e-mail
      • BYOD-style management
      • Fully managed corporate service
  • Hardware features
    • Windows Hello, RealSense 3D cameras
    • Wireless charging
    • Software Guard Extensions
    • USB Type-C and USB 3.1
    • Thunderbolt 3.0
    • Skylake
      • WiGig (wireless docking station)
      • DDR4
    • Continuum
    • Virtual memory size and ASLR
    • I/O Memory Management Unit
      • External devices cannot access internal memory anymore
      • Known as Intel VT-d / AMD-Vi

Security in Windows 10 (Sami Laiho)

Isolated User Mode

  • Example: PC A has a local admin with password „One“ and PC B has the same credentials. You can log in to the other one. This is called Pass-the-Hash (PC A is sending the password hash to PC B)
  • Windows 10 will block that now (it is part of all Microsoft security guides to use another username on every PC, so it should not be a critical change. Or is it? 😉 )
    • And never let Domain Admins log into any workstation
  • You need Hyper-V and SLAT (Second Level Address Translation)
    • Hyper-V will isolate a small part in a virtual environment (not in a virtual machine)
    • Level 0 = kernel mode
    • Level 1 = user mode
    • Example: Administrator
      • Procdump lsass -> takes care of hashes and so on
      • Use some tools to extract info from this dump
    • The solution with Isolated User Mode:
      • A secure mode is added next to the normal mode (also with user and kernel mode)
      • There is a little hole (shared buffer / marshalling) to communicate between the traditional kernel and the secure kernel.
      • The secure kernel cannot be extended; only Microsoft has access to that.
      • Why is it not possible to access the memory of the secure kernel from the normal kernel?
        • Because of virtualization
          • With that virtualization it is possible to give full access to a memory address to the secure kernel and just read (or no) access to the normal kernel
      • Is shown as „Secure System“ in Task Manager
  • Can be enabled with bcdedit /set vsmlaunchtype auto
    • Features -> Hyper-V -> Hyper-V Platform -> Hyper-V Hypervisor
    • Features -> Isolated User Mode
    • GPO: Turn On Virtualization Based Security
    • After that you get LsaIso.exe in Task Manager
  • What about the SID
    • SIDs are unique
    • SIDs have a computer- or domain-specific part and a RID
    • RIDs start from 1000, so you can count the number of users created on a computer (count = RID - 1000 + 1)
    • Get the SID with whoami /all or PsGetSid
    • Is the SID needed? Again and again: yes it is. If you read Mark's blog about the SID, you have to read it carefully and to the end. There you will find: „The final case where SID duplication would be an issue is if a distributed application used machine SIDs to uniquely identify computers. No Microsoft software does so and using the machine SID“ and „if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep“. In my point of view strange, but wohoo…
  • What is a security principal
    • Someone who has a SID
    • Object for permissions
    • Users, groups, services, AD objects
      • Contacts aren't SPs
  • A power user will have two different tokens
    • One for normal mode
    • One for elevated mode
    • You can check that with whoami /all
  • Privileges always beat permissions
    • Domain Admins have no privileges
    • You can use privileges in the following way: use robocopy with /b (backup API) to replace files in system32. This is normally nearly impossible (system files are protected), but if you have the backup privilege you can do that.
  • UAC
    • Why it is important: UAC blocks 75% of all attacks without asking
    • Sami gave a demonstration: calling a command prompt with Win+B (presentation mode) after injecting registry keys with a PowerPoint in elevated mode. This cmd can now be accessed from the logon screen
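As an added example (not part of the session and not the author's code), the following PowerShell script checks on the local machine the three things this section walks through: whether virtualization based security and LsaIso.exe are running, what the current user's SID, authority part and RID are (with the RID - 1000 + 1 count from above), and whether the current token is elevated and carries SeBackupPrivilege, the privilege behind the robocopy /b point. The function names are mine; the script assumes Windows 10 (1511 or later, where the Win32_DeviceGuard WMI class exists) and Windows PowerShell 5.

```powershell
# Added example, not from the session or this post. Function names are my own.
# Assumes Windows 10 (1511 or later, where the Win32_DeviceGuard WMI class
# exists) and Windows PowerShell 5. Run it once from a normal console and once
# from an elevated one to see the two tokens of the same user.

function Get-VbsStatus {
    # Win32_DeviceGuard reports the state of virtualization based security.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    # SecurityServicesRunning contains 1 when Credential Guard (the LsaIso.exe
    # isolated user mode protection for LSA secrets) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    # LsaIso.exe is the process the session says shows up once IUM is enabled.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus
        CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaIsoRunning   = [bool]$lsaIso
    }
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # A SID reads S-1-5-21-<machine or domain part>-<RID>. Everything before the
    # last hyphen identifies the issuing computer or domain; the last number is
    # the RID. Created accounts get RIDs from 1000 upwards, so RID - 1000 + 1 is
    # the account's ordinal on that computer (the rule from the session).
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: $Sid" }
    $idx = $Sid.LastIndexOf('-')
    $rid = [int]$Sid.Substring($idx + 1)
    # Well-known RIDs (500 = Administrator, 501 = Guest, ...) are not counted.
    $ordinal = $null
    if ($rid -ge 1000) { $ordinal = $rid - 1000 + 1 }
    [pscustomobject]@{
        Sid         = $Sid
        Authority   = $Sid.Substring(0, $idx)
        Rid         = $rid
        UserOrdinal = $ordinal
    }
}

function Get-TokenSummary {
    # The same user has a filtered token in a normal console and a full one in
    # an elevated console; the session uses "whoami /all" to show the
    # difference. SeBackupPrivilege is what lets "robocopy /b" replace
    # protected files, so knowing which tokens carry it matters.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    # whoami /priv lists every privilege of the current token, including the
    # disabled ones that a program may enable on demand.
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv
    $backup = $privileges | Where-Object { $_.'Privilege Name' -eq 'SeBackupPrivilege' }
    $backupState = 'absent'
    if ($backup) { $backupState = $backup.State }
    [pscustomobject]@{
        User               = $identity.Name
        Sid                = Split-Sid -Sid $identity.User.Value
        Elevated           = $principal.IsInRole($adminRole)
        HasBackupPrivilege = [bool]$backup
        BackupPrivState    = $backupState
    }
}

# Usage
Get-VbsStatus | Format-List
$token = Get-TokenSummary
$token | Format-List
$token.Sid | Format-List
```

A non-elevated console of an administrator account reports Elevated = False and no SeBackupPrivilege at all; the elevated console of the same user reports Elevated = True and the privilege in state Disabled, which is exactly the "two tokens" the session describes. The bcdedit and feature steps listed above are what make VbsStatus move from 0 to 2 and LsaIsoRunning to True after a reboot.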

Windows Store for Business and other Apps (Mirko)

  • Windows Store for Business
    • Uses AAD in the background
    • Just for Windows 10
  • There is currently no license management implemented
  • Assign from Business Store -> deploy via Intune – deploy via CM 16xx
  • Can also be used to deploy your own applications
  • The Business Store caches apps from the official Windows Store in its own database
  • If I put an app into my business store (private store), I have to wait for a nightly job
  • You can view the apps from the Business Store in the normal Windows Store in a new Company tab
    • Currently it's not possible to hide the normal store apps
    • If you try to install one of these apps, the store asks you to log in with your Live ID
  • How to deploy via Intune
    • You can add „Tools“ as management tool in option „Settings“ -> Management Tool
    • In Azure you have to add your Intune application in Azure AD (tab Applications)
  • I think that goes in the right direction, but I also think it's currently not usable in an enterprise environment. Let's give Microsoft a challenge and see if Enterprise Manager can do it better at the end of the year 😉

ICD (Roger Zander)

ICD builds a provisioning package that can be used to integrate a BYOD device into your environment. Cooooool, Baby.

  • Is part of the ADK
  • Features
    • Integrate updates, drivers and applications
    • Customize settings
    • Doesn't need network connectivity
    • Applications
    • Certificates
    • Connection profiles
    • Several Windows settings
    • Can configure the Unified Write Filter (UWF)
      • Moves every write operation to dedicated storage
        • UWFMGR.exe overlay set-type disk
        • UWFMGR.exe overlay set-size 4096
        • UWFMGR.exe volume protect c:
        • UWFMGR.exe filter enable
        • UWFMGR.exe filter restart
    • Much more
  • Creates a .ppkg which you can inject during setup and afterwards
  • The user has to click on the .ppkg to apply the settings on his current machine
  • A configuration can be removed in the Windows 10 Settings dialog
  • Edition upgrade (changepk.exe /ProductKey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx)
  • Can also be created with the command line tool icd.exe
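As an added example (not from the session, not the author's code and not part of ICD), this PowerShell script applies the five UWFMGR steps listed above only where the current state still needs them, and reads the result back through the UWF WMI provider so you can verify that the next boot will actually redirect writes. The function names are mine; the script assumes Windows 10 Enterprise (or IoT Enterprise), an elevated console, the UWF WMI classes in root\standardcimv2\embedded, and the values from the session: a 4096 MB disk overlay and C: as the protected volume.

```powershell
# Added example, not from the session or this post; function names are my own.
# Assumes Windows 10 Enterprise (or IoT Enterprise), an elevated console, and
# the values from the session: a 4096 MB disk overlay and C: as the protected
# volume. The UWF WMI classes live in root\standardcimv2\embedded.

$UwfNamespace = 'root\standardcimv2\embedded'

function Invoke-Uwf {
    # Runs one uwfmgr command and stops on a non-zero exit code, so a typo or a
    # rejected setting does not silently leave the device half configured.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & uwfmgr.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "uwfmgr $Arguments failed: $output" }
    $output
}

function Get-UwfState {
    # Returns $null when the filter is not installed. UWF keeps "current
    # session" and "next session" copies of its settings; uwfmgr changes the
    # next-session copy, which becomes live after a restart.
    $filter = Get-CimInstance -Namespace $UwfNamespace -ClassName UWF_Filter -ErrorAction SilentlyContinue
    if (-not $filter) { return $null }
    $overlay = Get-CimInstance -Namespace $UwfNamespace -ClassName UWF_OverlayConfig |
               Where-Object { -not $_.CurrentSession }
    $volumes = Get-CimInstance -Namespace $UwfNamespace -ClassName UWF_Volume |
               Where-Object { -not $_.CurrentSession -and $_.Protected }
    $overlayType = 'RAM'
    if ($overlay.Type -eq 1) { $overlayType = 'Disk' }
    [pscustomobject]@{
        FilterEnabledNow  = $filter.CurrentEnabled
        FilterEnabledNext = $filter.NextEnabled
        OverlayType       = $overlayType
        OverlayMaxMB      = $overlay.MaximumSize
        ProtectedVolumes  = @($volumes | ForEach-Object DriveLetter)
    }
}

function Enable-UwfProtection {
    param(
        [string]$Volume = 'C:',
        [int]$OverlaySizeMB = 4096,
        [switch]$Restart
    )
    # Step 0: the filter is an optional feature and needs one reboot after
    # installation before uwfmgr can talk to it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter
    if ($feature.State -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter -NoRestart | Out-Null
        Write-Warning 'Client-UnifiedWriteFilter installed; restart and run this function again.'
        return
    }
    $before = Get-UwfState
    if ($before.FilterEnabledNext -and $before.ProtectedVolumes -contains $Volume) {
        Write-Warning "UWF is already configured for $Volume; nothing to do."
        return $before
    }
    # Steps 1-4 from the session, in the same order: overlay first, then the
    # volume to protect, then the filter itself.
    Invoke-Uwf @('overlay', 'set-type', 'disk')            | Out-Null
    Invoke-Uwf @('overlay', 'set-size', "$OverlaySizeMB")  | Out-Null
    Invoke-Uwf @('volume', 'protect', $Volume)             | Out-Null
    Invoke-Uwf @('filter', 'enable')                       | Out-Null
    $after = Get-UwfState
    if (-not $after.FilterEnabledNext) { throw 'uwfmgr filter enable did not take effect' }
    # Step 5: nothing is protected until the next boot.
    if ($Restart) {
        Invoke-Uwf @('filter', 'restart') | Out-Null
    } else {
        Write-Warning 'Restart required before writes are redirected to the overlay.'
    }
    $after
}

# Usage (elevated): show the current state, then apply the session's configuration.
Get-UwfState | Format-List
Enable-UwfProtection -Volume 'C:' -OverlaySizeMB 4096 | Format-List
```

Reading FilterEnabledNow and FilterEnabledNext side by side is the useful part: after the four commands and before the reboot, Now is still False while Next is True, which is the state a device is in when someone forgets the final restart and assumes it is already protected.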

Keeping SCCM up-to-date (Wally Mead)

SCCM will be updated every 3-4 months. To get this done much faster, Microsoft implemented some new features.

Comment: To test new features in a technical preview, you have to build a dedicated environment, because the tech preview is another code base and cannot be updated to a release build.

  • Online
    • Requires access to the cloud from the site infrastructure
    • Will send telemetry data to the cloud every week
      • The Service Connection Point (integrated) site system role is used for upload and download
      • Previously: Windows Intune connection point
    • Done by the Updates and Servicing feature
      • Administration -> Overview -> Cloud Services -> Updates and Servicing
    • A special collection can be used to test the rollout of the new clients
    • On every server there is a new service called cmupdate
  • Offline
    • Set the Service Connection Point to offline mode (in the properties of the Service Connection Point)
    • Requires access to the cloud from any computer
    • Needs 3 actions
      • Prepare your upload
      • Upload and download
      • Import into Configuration Manager
    • Run SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe on a computer that is connected to the internet
      • -export (create a CSV file to check the data)
      • -prepare (get telemetry data out of SCCM)
      • -connect (get installation data for SCCM)
      • -import (import the installation data into SCCM)
  • The update process is tracked with the monitoring in the SCCM console
  • Piloting clients
    • You can create a designated collection you use for new client versions
    • New clients are automatically deployed to this collection
    • With an approval process you can approve this version for production
    • In console monitoring you can control the status of your deployment
      • Monitoring\Client Status\Preproduction Clients
      • Monitoring\Client Status\Production Clients
    • You get automatically notified that your console should be updated
    • New clients are downloaded to Program Files\Configuration Manager\Client Staging
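As an added example (not from the session and not Microsoft's code), this PowerShell function wraps the offline three-step procedure above so that each step runs on the right machine, checks that the files it depends on exist, and fails loudly on a non-zero exit code instead of leaving a half-finished transfer. The four switches (-prepare, -connect, -import, -export) are the ones the session lists; the path parameters next to them (-usagedatadest, -usagedatasrc, -updatepackdest, -updatepacksrc, -dest) are taken from my recollection of the tool's documentation and are an assumption to verify against the tool's own usage output. The site root and the transfer folder D:\cmtransfer are constructed values, and the function name is mine.

```powershell
# Added example, not from the session or this post; the function name is mine.
# The four ServiceConnectionTool switches (-prepare, -connect, -import,
# -export) are the ones listed above; the path parameters next to them
# (-usagedatadest, -usagedatasrc, -updatepackdest, -updatepacksrc, -dest) are
# from my recollection of the tool's documentation and should be checked
# against the tool's own usage output before relying on them.
# $SiteRoot and $Transfer are constructed paths: the site installation folder
# and a removable drive used to carry files between the site server and the
# internet connected computer.

function Invoke-ServiceConnectionStep {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Prepare', 'Export', 'Connect', 'Import')]
        [string]$Step,
        [string]$SiteRoot = 'C:\Program Files\Microsoft Configuration Manager',
        [string]$Transfer = 'D:\cmtransfer'
    )
    # Tool location from the session: SMSSETUP\TOOLS\ServiceConnectionTool
    $tool     = Join-Path $SiteRoot 'SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe'
    $usageCab = Join-Path $Transfer 'usagedata.cab'
    $packDir  = Join-Path $Transfer 'updatepack'
    if ($Step -ne 'Connect' -and -not (Test-Path $tool)) { throw "tool not found: $tool" }
    New-Item -ItemType Directory -Path $Transfer, $packDir -Force | Out-Null

    switch ($Step) {
        'Prepare' {
            # Site server: collect the telemetry the service needs. Offline mode
            # sends the same usage data as online mode; it just travels by hand.
            & $tool -prepare -usagedatadest $usageCab
            if ($LASTEXITCODE -ne 0 -or -not (Test-Path $usageCab)) { throw 'prepare failed' }
            Write-Host "Prepared $usageCab; carry $Transfer to the internet connected machine."
        }
        'Export' {
            # Optional: look at what is in the usage data before it leaves the site.
            $csv = Join-Path $Transfer 'usagedata.csv'
            & $tool -export -dest $csv   # -dest is an assumed parameter name, see above
            if ($LASTEXITCODE -ne 0 -or -not (Test-Path $csv)) { throw 'export failed' }
            Import-Csv $csv | Select-Object -First 20
        }
        'Connect' {
            # Internet connected computer: upload usage data, download update packs.
            if (-not (Test-Path $usageCab)) { throw "missing $usageCab; run Prepare on the site server first" }
            & $tool -connect -usagedatasrc $usageCab -updatepackdest $packDir
            if ($LASTEXITCODE -ne 0) { throw 'connect failed' }
            $packs = @(Get-ChildItem $packDir -Filter *.cab)
            Write-Host "Downloaded $($packs.Count) update pack(s) to $packDir; carry $Transfer back."
        }
        'Import' {
            # Site server again: import, then watch Administration -> Overview ->
            # Cloud Services -> Updates and Servicing in the console.
            if (-not (Get-ChildItem $packDir -Filter *.cab)) { throw "no update packs in $packDir" }
            & $tool -import -updatepacksrc $packDir
            if ($LASTEXITCODE -ne 0) { throw 'import failed' }
            Write-Host 'Imported; check Updates and Servicing in the console.'
        }
    }
}

# Usage, in order: on the site server, then on the internet connected computer,
# then on the site server again.
# Invoke-ServiceConnectionStep -Step Prepare
# Invoke-ServiceConnectionStep -Step Connect
# Invoke-ServiceConnectionStep -Step Import
```

The point of the Export step is governance rather than plumbing: with the service connection point in offline mode, the usage data still leaves the organisation, only by hand, and this is the one place where you can read the CSV and decide what you are sending before the Connect step uploads it.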
