PowerShell Twitter
By Fredrik Wall
I will start to tweet PowerShell stuff from a new Twitter account today, @SteriaPosh. This will separate my personal tweets from my PowerShell tweets.
Welcome to The Power Admin, The Power Administrator.
This is the blog of two Power Administrators. Not only PowerShell administrators.
We have both been in the IT business for a long time and are therefore administrators with power.
This is the home of Fredrik "Dalle" Wall and Fredrik "DXter" Jonsson. Read more about us in the About section.
I wrote an article for Microsoft TechNet Sweden about making graphical programs with PowerShell some time ago.
Now I have made a translation to English and it is available here.
Today, I discovered something that kind of bothered me.
I enrolled a number of certificates in my test environment, and the BitLocker Drive Encryption EKU (1.3.6.1.4.1.311.67.1.1) was one of the EKUs present in the certificates. I looked at one of the certificates on one of my Windows 7 machines and it looked just fine.
No problems here. A regular certificate with the EKUs presented as their respective applications.
However! When I looked at the exact same certificate on a 2008 R2 machine, it didn’t say the same thing:
The Windows Server 2008 R2 machine was not able to translate the EKU to the correct application.
EKUs are normally just OIDs in a certificate that the UI presents as their intended purpose. Because of this, the certificate itself is language independent: it is the UI that translates the content of the certificate (such as EKUs) into the current user's display language.
To try to solve this, I installed Desktop Experience on the server, tried to unlock the drive manually with cscript manage-bde.wsf, and so on, but nothing worked. Whenever I tried to open the BitLocker flash drive that was encrypted with the certificate on my smart card, it just prompted me for the recovery key for the device; it never asked me for my smart card.
Eventually, I remembered a “quite important” thing to do on Windows Server 2008 R2.
I installed the BitLocker Drive Encryption feature in Windows, and then it happened. The “Unknown Key Usage” became known and I could finally unlock my drive with the certificate on my smart card.
Sometimes you feel very stupid when the strangest problems have very simple solutions (especially when you have done it before). Even though I agree with the concept that BitLocker should be installed as a feature on a server, I still think that the EKU for BitLocker should be registered as an application OID in Windows by default, regardless of whether BitLocker is installed or used, for display purposes. This is the case for other applications that use certificates. For instance, I can see the “Secure Email” EKU of an S/MIME certificate regardless of whether I have an e-mail client installed or not.
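To see the mechanism described above from PowerShell, here is an added example (not code from the original post) that lists the EKU OIDs in each certificate of a store together with the friendly name this machine resolves for them, and checks whether the BitLocker EKU OID from the post is resolvable at all. An OID whose FriendlyName comes back empty is what the certificate UI renders as “Unknown Key Usage”. The store path, the function names and the output format are assumptions for the example.

```powershell
# Added example (not from the original post): show how each EKU OID in a
# certificate is resolved to a display name on the local machine. An OID that
# resolves to an empty FriendlyName is what the certificate UI shows as
# "Unknown Key Usage"; on the post's 2008 R2 server that was the BitLocker EKU
# until the BitLocker Drive Encryption feature was installed.
$BitLockerEkuOid = "1.3.6.1.4.1.311.67.1.1"   # BitLocker Drive Encryption EKU, from the post

function Test-KnownEkuOid {
    param([string] $Oid)
    # The Oid class consults the local OID registration, so this answers
    # "does this machine know a name for this EKU?" without reading any certificate.
    $name = (New-Object System.Security.Cryptography.Oid $Oid).FriendlyName
    return [bool] $name
}

function Get-CertificateEku {
    # Assumed store path for the example; adjust to the store you want to inspect.
    param([string] $StorePath = "Cert:\CurrentUser\My")
    foreach ($cert in Get-ChildItem $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $ekuExt) { continue }   # certificate carries no EKU extension
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            $name = $oid.FriendlyName
            if (-not $name) { $name = "<Unknown Key Usage on this machine>" }
            New-Object PSObject -Property @{
                Subject      = $cert.Subject
                Oid          = $oid.Value
                FriendlyName = $name
                IsBitLocker  = ($oid.Value -eq $BitLockerEkuOid)
            }
        }
    }
}

Write-Host ("BitLocker EKU resolvable on this machine: " + (Test-KnownEkuOid $BitLockerEkuOid))
Get-CertificateEku | Format-Table Subject, Oid, FriendlyName, IsBitLocker -AutoSize
```

Run it on the Windows 7 client and on the server: the certificates are identical, so only the FriendlyName column and the Test-KnownEkuOid result differ, which is exactly the symptom from the post.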
// Fredrik “DXter” Jonsson
P.S. I want to give many thanks to my dear friends who helped me with many clever troubleshooting ideas. But I want to give special thanks to my dear friend Mattias Åslund at GraFu who lent me the physical server to use for this test this evening, and even drove it to my place for me! You are a real pal, man! Thanks a lot!
D.S
One of my favorite features in MDT 2010 is that everything you do in the GUI executes a PowerShell command that uses the cmdlets that come with the MDT 2010 PowerShell snap-in.
This gives excellent opportunities for scripting geeks such as Dalle and myself, since we can automate and do exactly everything the GUI does, because the GUI itself is using PowerShell behind the scenes.
This weekend I upgraded my private MDT environment to MDT 2010 Update 1 which was a very smooth operation. I have a very simple MDT environment at home with a single WDS/MDT server. Since I wanted to have the new and cool background picture in Windows PE that comes with Update 1, I had to update the boot images and import them to the WDS server, which in my case was on the same machine.
Therefore I created this little PowerShell script that does that for me automatically. The script uses the PowerShell cmdlet Update-MDTDeploymentShare and the PSDrive provider that come with the MDT 2010 snap-in. It also uses wdsutil, a command-line tool for managing WDS.
The script does the following tasks:
1. Generates completely new and updated boot images for your deployment share.
2. Removes your previous LiteTouch boot images from your WDS server.
3. Imports the newly created LiteTouch boot images into your WDS server.
4. Sets each boot image as the default boot image for its architecture.
I must say, it works really nice.
“Do more with less…” – the PowerShell way.
The script defaults to the MDT default names, descriptions and file locations. If you have changed any of these, please update the script according to your environment. Some people may ask why I chose to use Remove-Image and Add-Image and not Replace-Image. Well, the answer is quite simple. If I have deleted the boot image in WDS, the script would not be able to execute since there is no image to replace. If we split it up into two commands, we will always be able to recreate our boot image in WDS regardless of whether the boot image is present or not, since only the Remove-Image command will fail and not the Add-Image.
So right now I have scheduled this script to run on my WDS/MDT server each midnight. If I add any new storage or NIC drivers into MDT, they will be injected automatically into the boot images during the next scheduled generation of boot images during the night and I “never” have to open the WDS console manually again!
Here is the script (don’t forget to modify it according to your installation):
# Load the MDT 2010 snap-in and map the deployment share as a PSDrive
Add-PSSnapIn Microsoft.BDD.PSSnapIn
New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "C:\DeploymentShare"
# 1. Regenerate the LiteTouch boot images (forced full rebuild)
Update-MDTDeploymentShare -path "DS001:" -Force -Verbose
# 2. Remove the previous LiteTouch boot images from WDS (fails harmlessly if they are already gone)
wdsutil /Remove-Image /Image:"Lite Touch Windows PE (x86)" /ImageType:Boot /Architecture:x86
wdsutil /Remove-Image /Image:"Lite Touch Windows PE (x64)" /ImageType:Boot /Architecture:x64
# 3. Import the freshly generated boot images into WDS
wdsutil /Verbose /Progress /Add-Image /ImageFile:C:\DeploymentShare\Boot\LiteTouchPE_x86.wim /ImageType:Boot
wdsutil /Verbose /Progress /Add-Image /ImageFile:C:\DeploymentShare\Boot\LiteTouchPE_x64.wim /ImageType:Boot
# 4. Make each image the default boot image for its architecture
wdsutil /Verbose /Set-Server /BootImage:Boot\x86\images\LiteTouchPE_x86.wim /Architecture:x86
wdsutil /Verbose /Set-Server /BootImage:Boot\x64\images\LiteTouchPE_x64.wim /Architecture:x64
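When a script like this runs unattended every night, the step that deserves a guard is the Remove-Image before Add-Image: if Update-MDTDeploymentShare fails or produces no new WIM, an unguarded run deletes the working boot image and imports nothing. The following is an added example (not the post's script) that wraps the same steps in a function, only removes a WDS image once a freshly written WIM exists for that architecture, and stops on a failing wdsutil call by checking $LASTEXITCODE. The function name, the parameters and the "WIM newer than the start of the run" test are assumptions for the example; paths and image names are the MDT defaults used in the post.

```powershell
# Added example (not the post's script): the nightly refresh as a function with guards,
# so a failed boot-image generation never leaves WDS without a usable LiteTouch image.
function Update-LiteTouchBootImages {
    param(
        [string]   $DeploymentShare = "C:\DeploymentShare",   # MDT default from the post
        [string[]] $Architectures   = @("x86", "x64")
    )
    Add-PSSnapIn Microsoft.BDD.PSSnapIn -ErrorAction SilentlyContinue
    if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root $DeploymentShare | Out-Null
    }

    $started = Get-Date
    Update-MDTDeploymentShare -Path "DS001:" -Force -Verbose

    foreach ($arch in $Architectures) {
        $wim = Join-Path $DeploymentShare "Boot\LiteTouchPE_$arch.wim"
        # Guard (assumption: a rebuilt WIM has a LastWriteTime after $started):
        # only touch WDS when MDT actually produced a fresh image for this architecture.
        if (-not (Test-Path $wim) -or (Get-Item $wim).LastWriteTime -lt $started) {
            Write-Warning "No freshly generated $wim; leaving the existing WDS image for $arch in place."
            continue
        }
        # Remove-Image may fail on the first run or if the image was deleted by hand;
        # that is expected, as the post explains, so its exit code is not checked.
        wdsutil /Remove-Image /Image:"Lite Touch Windows PE ($arch)" /ImageType:Boot /Architecture:$arch
        wdsutil /Verbose /Progress /Add-Image /ImageFile:$wim /ImageType:Boot
        if ($LASTEXITCODE -ne 0) { throw "wdsutil /Add-Image failed for $arch (exit code $LASTEXITCODE)" }
        wdsutil /Verbose /Set-Server /BootImage:"Boot\$arch\images\LiteTouchPE_$arch.wim" /Architecture:$arch
        if ($LASTEXITCODE -ne 0) { throw "wdsutil /Set-Server failed for $arch (exit code $LASTEXITCODE)" }
    }
}

Update-LiteTouchBootImages
```

Because the function throws on a failed Add-Image or Set-Server, a scheduled task running it will report a non-zero result instead of silently finishing with an empty boot menu.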
I must say, thank god for PowerShell!
// Fredrik “DXter” Jonsson
Yesterday I created this little script and I wanted to share it with you guys.
Now that PKI View is removed from KB889250, some people have asked me how to remove all references to old PKI structures in Active Directory in an easier way than plain LDAP. Even though AD cleanup is a standard procedure in CA decommissioning, many people are not aware of that, and some seem to just remove the ADCS role and think “that’s it!”.
So yesterday I created a little script to do this AD cleanup automatically. It uses the Active Directory PSDrive and the Remove-ADObject cmdlet provided by the Active Directory PowerShell module that comes with Windows Server 2008 R2. Since the Active Directory PowerShell module uses the Active Directory Management Gateway Service, make sure that at least one of your DCs has it installed or is running Windows Server 2008 R2. The idea of the script is to use it after decommissioning a single Enterprise Root CA, or when you want to make sure that no old PKI objects exist in Active Directory before you install a new PKI structure. This script removes ALL existing references to internal PKIs and CAs, so use it very carefully! I think people should use it only after they have decommissioned their last CA or before they install their first.
The first screen is presenting what the script will do.
A final warning before continuing to delete stuff.
The script prompts for credentials using the Get-Credential cmdlet.
The script searches the Public Key Services container in the Configuration partition (for the current domain) for specific PKI-related objects with object classes such as “certificationAuthority”, “pKIEnrollmentService”, “msPKI-PrivateKeyRecoveryAgent”, etc.
All objects that are found are presented, and the person executing the script has the option to remove the objects being presented. The Remove-ADObject cmdlet does the deletion of the objects with the credentials that were provided at the credential prompt in the beginning of the script.
A simple way to verify that everything was deleted correctly is simply to run the script again. If all PKI-related objects are gone, the script will say so.
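The search step described above can be reproduced with the Active Directory module alone. Below is an added example (not the downloadable script from the post) that builds the LDAP filter for the object classes named in the post, searches the Public Key Services container of the Configuration partition, and lists what it finds. It is read-only unless the assumed -Remove switch is given, in which case each object goes through Remove-ADObject with a confirmation prompt and the supplied credentials. The function name, the -Remove switch and the use of -Recursive are assumptions for the example; running it a second time with no output is the same verification the post suggests.

```powershell
# Added example (not the post's script): inventory, and optionally remove, the
# PKI-related objects in the Public Key Services container of the Configuration
# partition, using the Active Directory module from Windows Server 2008 R2.
Import-Module ActiveDirectory

function Get-PkiContainerObject {
    param(
        [System.Management.Automation.PSCredential] $Credential,
        [switch] $Remove   # assumed switch: without it the function only reports
    )
    # Object classes named in the post; assumed to be the set worth auditing here.
    $classes = @("certificationAuthority", "pKIEnrollmentService", "msPKI-PrivateKeyRecoveryAgent")
    $filter  = "(|" + (($classes | ForEach-Object { "(objectClass=$_)" }) -join "") + ")"

    $adArgs = @{}
    if ($Credential) { $adArgs["Credential"] = $Credential }

    # The container lives in the Configuration partition, so derive its DN from the RootDSE.
    $configNC   = (Get-ADRootDSE @adArgs).configurationNamingContext
    $searchBase = "CN=Public Key Services,CN=Services,$configNC"

    $found = Get-ADObject @adArgs -LDAPFilter $filter -SearchBase $searchBase -SearchScope Subtree -Properties objectClass
    if (-not $found) {
        Write-Host "No PKI-related objects found under $searchBase"
        return
    }
    $found | Select-Object DistinguishedName, ObjectClass | Format-Table -AutoSize | Out-Host

    if ($Remove) {
        # -Confirm prompts for every object; -Recursive also removes child objects
        # (a CA object can carry CRL distribution children underneath it).
        $found | Remove-ADObject @adArgs -Recursive -Confirm
    }
    return $found
}

$cred = Get-Credential
Get-PkiContainerObject -Credential $cred            # report only
# Get-PkiContainerObject -Credential $cred -Remove # delete, with a prompt per object
```

Run the report-only form first and compare the list against the CAs you intended to decommission; the LDAP filter matches every object of those classes, so a still-active CA would be listed (and, with -Remove, offered for deletion) too.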
If you think this sounds cool and want to test this in your test environment, the script is available from the download section on http://poweradmin.se/blog/download/?did=4
// Fredrik “DXter” Jonsson
One of my favorite Microsoft documents is “Demonstrate NAP 802.1X Enforcement in a Test Lab”. Many people usually ask me how NAP works and it is always nice to be able to give a document as a reference when you are done with spreading the propaganda.
The guide has even been updated for Windows 7 and Windows Server 2008 R2. It is a very nice step by step guide (for test environments) so if you haven’t already checked it out, do it!
// Fredrik “DXter” Jonsson
Last night, my dear friend Jonas Ländin and I gave a talk at Second Wednesday at LabCenter, Stockholm.
The topic for the evening was “Homebrew software in embedded devices” and I really had a blast during the show! We showed and explained how third-party firmwares such as DD-WRT, OpenWRT and Tomato work and what you can do with them. We also went through topics such as software hacking, hardware hacking, firmware exploitation, debricking (through software and hardware), etc. If anyone wants any of my homemade scripts that I used yesterday for boot loader root shell access or debricking, please send me an e-mail and I will be happy to share them with you.
First of all I really want to thank Jonas who did the session together with me. You did a great job pal!
I want to thank everybody that came to see us! I hope you enjoyed the evening just as much as we did.
I also want to give big thanks to my dear friend and mentor Hasain who was kind enough to give me a ride with him back home to Västerås after the show was over. Thank you a lot my friend! You saved me a lot of time and effort!
And thank you everybody who watched the live stream at http://www.labcenter.se/live. That includes my beautiful girlfriend Eva, my partner in crime Dalle and my future colleague Claudia.
Once again, thanks a lot everybody!
// Fredrik “DXter” Jonsson
Hi,
it has been a while since I wrote something here.
However, I have not been completely unproductive when it comes to scripts and
PowerShell.
My latest article about PowerShell and creating graphical programs
with PowerShell is now available on Microsoft TechNet Sweden.
Feel free to comment on what you think of the article!
Thanks to my post http://poweradmin.se/blog/2010/05/08/pkiview-msc-doesnt-say-the-entire-truth and the great, open and quick communication between myself and Microsoft, PKI View is no longer a part of KB889250, which is the step-by-step guide for CA decommissioning. I really salute Microsoft for listening to the communities (such as blogs) and removing references in KBs that have unexpected behaviors and may cause confusion for people! Kudos to you guys!
I guess it is back to hardcore, old school stuff again with ldifde.exe, dssite.msc and adsiedit.msc when it comes to CA decommissions, which is just fine with me!
Who knows? Maybe two guys will make a very nice PowerShell-based GUI for managing the Public Key Services container using the cmdlets for Active Directory in Windows Server 2008 R2? Time will tell…
// Fredrik “DXter” Jonsson
Today is the 25th of May, which is the day of the geeks, Geek Pride Day. This day celebrates the right that every person has, the right to be a nerd or a geek.
In keeping with being a geek, the following rights and responsibilities are associated with being a geek:
Rights:
1. The right to be even geekier.
2. The right to not leave your house.
3. The right to not like football or any other sport.
4. The right to associate with other nerds.
5. The right to have few friends (or none at all).
6. The right to have as many geeky friends as you want.
7. The right to be out of style.
8. The right to be overweight and short-sighted.
9. The right to show off your geekiness.
10. The right to take over the world.
Responsibilities:
1. Be a geek, no matter what.
2. Try to be nerdier than anyone else.
3. If there is a discussion about something geeky, you must give your opinion.
4. To save and protect all geeky material.
5. Do everything you can to show off geeky stuff as a "museum of geekiness."
6. Don’t be a generalized geek. You must specialize in something.
7. Attend every nerdy movie on opening night and buy every geeky book before anyone else.
8. Wait in line on every opening night. If you can go in costume or at least with a related T-shirt, all the better.
9. Never throw away anything related to geekdom.
10. Try to take over the world!
The text above is stolen from the following Wikipedia article: http://en.wikipedia.org/wiki/Geek_Pride_Day
To all my fellow geeks and nerds:
Happy Geek Pride Day!
// Fredrik “DXter” Jonsson