This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.
Hello All, my name is Deepika and I’m a Premier Field Engineer with Microsoft India. I would like to share one of the methods to identify devices that were built via SCCM.
Imagine a scenario where machines are re-imaged or built at different geographical locations using multiple task sequences, each with different steps and each referencing a different operating system image. Finding out which machines were built with which OS image is a tough task unless some unique value or setting is available in these images to differentiate them.
Here is one instance I encountered where an organization had many methods of imaging a machine. A standard OS image is used in all these methods; it has a hash associated with it and, per their corporate security standards, is not allowed to be modified. The SCCM team had a specific ask: to keep track of, or be able to find, the machines that are built via SCCM going forward.
The plan is to generate unique GUIDs, apply them while running the task sequences [one unique GUID per task sequence] and track them using compliance baselines. The steps below can be followed to do the same.
- Generate one or more unique GUIDs on the SCCM server [can be any server; in this case it is generated on the SCCM server]
Use this method to generate GUIDs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-6
- Create a cmd file named cmd which, when run, creates the entries below in the registry. [Test this cmd file on a machine first]
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v UniqueID /t REG_SZ /d "b982f798-20b6-4419-a4fb-779ceab58c66" /f
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v date /d "%DATE%" /t REG_EXPAND_SZ /f
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v time /d "%TIME%" /t REG_EXPAND_SZ /f
- Create a package named 'UniqueSCCMBuildInfo' using the cmd file
- Edit the task sequence used to build the machines (example: XYZTaskSequence CON0020E)
Process to edit task sequence: https://docs.microsoft.com/en-us/sccm/osd/deploy-use/manage-task-sequences-to-automate-tasks#process-to-edit-a-task-sequence
- Add an 'Install Package' task sequence step as the last step, name it 'ContosobuildInfo' and add the package 'UniqueSCCMBuildInfo'
- Enter cmd in the Command line field of this step and save the task sequence.
- Create a Configuration Item with the registry values. The CI is attached [if using the attached CI, please modify the GUID]
Configuration Item: ContosoUniquebuild-CI
- Add this CI to the Baseline
Configuration Baseline: ContosoUniquebuild-Baseline
How to Create configuration baselines in System Center Configuration Manager https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines
- Deploy the baseline to the appropriate collection.
- Monitor the compliance of this baseline. The machines that are compliant with this baseline were built via the specific SCCM task sequence.
Monitor compliance settings in System Center Configuration Manager:
- If this SCCM package or cmd file is deployed outside of the task sequence, it will also make those machines report as compliant. So we need a process and role-based access control that prevents this package, GUID or cmd file from being deployed outside of the task sequence.
- All existing machines will be non-compliant and will only become compliant once they are re-imaged.
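As an added example that is not part of the original post, the following PowerShell automates the first two steps above (one New-Guid per task sequence, written into the cmd file the 'Install Package' step runs, with the GUID-to-task-sequence mapping saved) and adds the discovery logic a script-based Configuration Item could use to read the UniqueID back. The registry key and value names are those from the post; the output folder, mapping file and function names are assumptions.

```powershell
# Added example (not from the original post): one GUID per task sequence,
# written into a cmd file that stamps the same registry key the post uses.
# $OutFolder and $MapFile are assumed locations for the package source.
$RegKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1'
$OutFolder = 'C:\PackageSource\UniqueSCCMBuildInfo'
$MapFile   = Join-Path $OutFolder 'TaskSequenceGuidMap.csv'

function New-BuildInfoCmd {
    # Generates a fresh GUID for one task sequence, writes the cmd file for the
    # 'Install Package' step, and records the GUID-to-task-sequence mapping.
    param([Parameter(Mandatory)][string]$TaskSequenceName)
    New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
    $guid    = (New-Guid).Guid
    $cmdName = ($TaskSequenceName -replace '[\\/:*?"<>| ]', '_') + '.cmd'
    $cmdPath = Join-Path $OutFolder $cmdName
    @"
@echo off
REM Marks this build as produced by task sequence '$TaskSequenceName'
REG ADD HKLM\$RegKey /v UniqueID /t REG_SZ /d "$guid" /f
REG ADD HKLM\$RegKey /v date /d "%DATE%" /t REG_EXPAND_SZ /f
REG ADD HKLM\$RegKey /v time /d "%TIME%" /t REG_EXPAND_SZ /f
"@ | Set-Content -Path $cmdPath -Encoding Ascii
    [pscustomobject]@{ TaskSequence = $TaskSequenceName; UniqueID = $guid; CmdFile = $cmdName } |
        Export-Csv -Path $MapFile -Append -NoTypeInformation
    return $guid
}

function Get-BuildInfoUniqueID {
    # Discovery logic for a script-based Configuration Item: returns the stamped
    # UniqueID, or 'NotFound' when the key or value is absent (machine not built
    # by a tracked task sequence, or imaged before the step was added).
    $item = Get-ItemProperty -Path "HKLM:\$RegKey" -Name UniqueID -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotFound' }
    return $item.UniqueID
}

function Resolve-BuildTaskSequence {
    # Maps a discovered UniqueID back to its task sequence name via the CSV,
    # so a report can name the task sequence rather than show a bare GUID.
    param([Parameter(Mandatory)][string]$UniqueID)
    $match = Import-Csv -Path $MapFile | Where-Object { $_.UniqueID -eq $UniqueID } | Select-Object -First 1
    if ($match) { return $match.TaskSequence } else { return 'Unknown (not stamped by a tracked task sequence)' }
}

# Usage: create one cmd/GUID per task sequence on the site server; the last
# line shows what a client reports (Unknown until it is imaged with the step).
New-BuildInfoCmd -TaskSequenceName 'XYZTaskSequence CON0020E'
Resolve-BuildTaskSequence -UniqueID (Get-BuildInfoUniqueID)
```

In the Configuration Item, the compliance rule compares the value returned by Get-BuildInfoUniqueID with the GUID recorded for that task sequence, which keeps the one-GUID-per-task-sequence plan verifiable from the mapping file.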
The default report 'List of Assets by compliance state for a configuration baseline' can be run against the specific baseline to list all the machines that are compliant, meaning these machines were imaged using the image (example: ContosoUniquebuild).
Now we have a list of machines built via SCCM with a specific image.