Attack Computer Wiz

A Security & Technology Weblog

While building my first Domain Joined Windows 10 RTM system I discovered that the System Center Configuration Manager 2012 R2 client would not install. After reviewing the installation log, I discovered that the error code was "0x80070307". After a little research I discovered that this is due to SCCM trying to install the Windows Update Agent on the Windows 10 machine that is either already there or is older than the one on Windows 10 out of the box. The work around was simple, but it did not address Group Policy Deployments which, in the past, were not Operating System specific, rather they were just a blanket policy that covered everything.

The answer, copy my existing SCCM deployment GPO, modify the installation command, create WMI filters for the Operating Systems and apply the WMI filters to the GPO's.

Here is the step by step:

  1. In GPMC, navigate to "Group Policy Objects" and locate your SCCM deployment GPO.
  2. Right click your existing SCCM deployment GPO and choose "Copy".
  3. Move back up to the "Group Policy Objects" folder object and right click it, then chose "Paste".
  4. Find your "Copy of..." and rename it appropriately.
  5. Right click the new GPO and choose "Edit".
  6. Navigate to: "Computer Configuration > Policies > Administrative Templates ... > Classic Administrative Templates (ADM) > Configuration Manger 2012 > Configuration Manger 2012 Client > Configure Configuration Manger 2012 Client Deployment Settings.
  7. Under "Options", copy your existing string to notepad. It may look something like this: 

    1. CCMSetup.exe SMSSITECODE=**** FSP=****.net MP=****.net

  8. Modify your string so that is now looks like the below:

    1. CCMSetup.exe /skipprereq:windowsupdateagent30-x64.exe SMSSITECODE=**** FSP=****.net MP=****.net

  9. Close the editor.
  10. In GPMC, navigate to "WMI Filters".
  11. In the right pane, right click and choose "New".
  12. Name your WMI Filter "Windows 10 OS" and click the "Add" button.
  13. Leave the "Namespace" as it is (root\CIMv2).
  14. In the Query box type: 

    1. select * from Win32_OperatingSystem where Version like "10.%"

  15. Click "OK".
  16. In the right pane, right click and choose "New".
  17. Name your WMI Filter "Windows OS pre 10" and click the "Add" button.
  18. Leave the "Namespace" as it is (root\CIMv2).
  19. In the Query box type: 

    1. select * from Win32_OperatingSystem where Version like "6.%" or Version like "5.%" 

      *note: this will get Vista-8.1 and 2003-2012R2

  20. Click "OK", you should now see your two new WMI filters.
  21. Go back to "Group Policy Objects" and locate both your old and your new SCCM GPO's.
  22. Left click each GPO and on the very bottom of the "Scope" tab, choose your WMI filter for the appropriate Operating System, repeat for both GPO's.
  23. Lastly, assign your new Windows 10 GPO to the appropriate OU(s).
Next you can confirm that your WMI settings are working on each OS type:

  1. Shift+Right click CMD and chose "Run and Administrator"
  2. Type "gpupdate / force"
  3. Type "gpresult /z >> c:\temp\log.log
  4. Review the logs on each to make sure, they should look something like the below:

Now that you have confirmed that your new GPO with WMI filter is applied, simply reboot your Windows 10 computer and re-check your ccmsetup status.You should see "Configuration Manger" in control panel within a few second of your reboot. If not, review logs.


user Posted by Mike Wright

| More

Without IIS it is not as straight forward as one would like, but it is still pretty simple with this walk through.

  1. Launch "MMC" and add the Certificates Snap-in specifying "Local Computer".
  2. Open the "Personal > Certificates" and right click your existing certificate, choose "Delete from the options.
  3. Right click any open space where your old certificate was and choose "Import".
  4. Navigate to your new certificate, specify the certificate password and continue through the prompts.
  5. Once you see the new certificate in the MMC, double click it and choose the "Details" tab. Scroll down to "Thumb Print" and click it one time. You will see a series of letters and numbers in the bottom window. Copy those numbers and paste them into a blank Notepad document. Move Notepad aside but do not close it.
  6. Close the Certificates MMC.
  7. Open AD FS Management and navigate to AD FS > Service > Certificates.
  8. On the right side, click "Set Service Communications Certificate" and chose your new certificate.
  9. Close AD FS Management.
  10. Back to NotePad, Delete all the spaces from your pasted text. 
  11. Copy the thumb print (CTRL+C).
  12. Launch PowerShell as Administrator.
  13. In Powershell, type: Set-AdfsSslCertificate
  14. When prompted for the Thumb Print, press CTRL+V to paste your certificate thumb print into PowerShell and press enter.
  15. Close PowerShell.
  16. Open Services and restart the ADFS Service.
  17. Launch your ADFS portal and confirm your new certificate is being used.

Thanks for reading, I hope this helped!

user Posted by Mike Wright

| More

From their website:

"The EC-Council CCISO Body of Knowledge covers all five the CCISO Information Security Management Domains in depth and was written by seasoned CISOs for current and aspiring CISOs. Domain 1 covers the Policy, Legal, and Compliance aspects of Governance. Domain 2 delves into the all-important topic of audit management from the CISO’s perspective and also covers IS controls. Domain 3 covers the Role of the CISO from a Project and Operations Management perspective. Domain 4 summarizes the technical aspects that CISOs manage in their day-to-day jobs, but from an executive standpoint. Domain 5 is all about Strategic Planning and Finance – crucial areas for C-Level executives to understand in order to succeed and drive information security throughout their organizations."

A discounted training voucher can be found at the below link, limited time only:

user Posted by Mike Wright

| More

In some cases users in an Active Directory environment may see repeated lockouts after a recent password change. This is commonly associated with forgetting their new password, forgetting that they are logged onto another machine or server somewhere, or their old credentials are cached.

If after you have rebooted the machine, checked domain logs to try to figure out where accounts may be logged in, deleted Temporary Internet Files and you are at your whits end, cached credentials may likely be your culprit.

On your affected machine, run the blow command and delete any cached credentials that appear. This would especially be relevant if you are using a Proxy server.

rundll32.exe keymgr.dll, KRShowKeyMgr

user Posted by Mike Wright

| More

System Center Endpoint Protection (SPEC) may not install via SCCM policy if a conflicting application exists and cannot be uninstalled. This is commonly associated with an existing Antivirus application.

In order to find what the conflict is;

  1. Open regedit 
  2. Navigate to \HKLM\SOFTWARE\Microsoft\CCM\EPAgent 
  3. Look at “StateEventMessage” where you will find a message similar to the below:
System Center Endpoint Protection installation error. The System Center Endpoint Protection Setup wizard was unable to remove one or more programs that conflict with System Center Endpoint Protection. To install System Center Endpoint Protection you must manually uninstall the following programs and then run the wizard again. Error code:0x80041108. Programs: Trend Micro OfficeScan Client

In this example, the Trend Micro OfficeScan Client was installed and for whatever reason, SCEP could not remove it. At this point you will need to manually remove the conflicting application and re-initiate a policy refresh to the SCCM server.

Navigate to Control Panel, open the Configuration Manager client, clicked on the Actions tab, and force each action to run.

After a while the new SCEP icon will appears as expected.

user Posted by Mike Wright

| More