Tuesday, 12 December 2023

SCCM - SQL Query to find Configuration Item Compliance Status for Specific Collection

 select distinct VRS.Netbios_Name0, CI.ComplianceStateName from v_R_System VRS

right join v_FullCollectionMembership_Valid FM on VRS.ResourceID=FM.ResourceID

right join fn_ListCI_ComplianceState(1033) CI on VRS.ResourceID=CI.ResourceID

where CI.CI_ID= '456414' --Specify CI ID

and FM.CollectionID='CM100011' --Specify Collection ID

SCCM - SQL Query to get Scan Failed Device Details

 

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],

sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys

inner join v_gs_operating_system os on os.resourceid=sys.resourceid

inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid

inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID

where uss.lasterrorcode!='0'

order by uss.lasterrorcode

Intune & Bitlocker

Intune will only escrow the key if it is the one enabling BitLocker in the first place (i.e. after the user sign-in). If the BitLocker profile is already deployed to an encrypted system, Intune will not add its own key. To make this work you will need to use this PowerShell command:  BackupToAAD-BitLockerKeyProtector. This involves passing the “keyprotectorID” as a parameter so using a few lines of code can get the job done. I am using index 0 of the array just in case there are multiple recovery keys on the drive (more on that in the next section).


$BLV = Get-BitLockerVolume -MountPoint "C:" | select *

[array]$ID = ($BLV.KeyProtector | Where-Object {{ $_.KeyProtectorType -eq 'RecoveryPassword' }).KeyProtectorId

BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $ID[0]


Simply deploy this script via Intune and it will backup the key that was put in place from your initial pre-encryption process. The recovery key will then be accessible via Intune.

Proactive Remediation scripts

Detection script:

Try {

$Result = get-winevent -FilterHashTable @{LogName="Microsoft-Windows-BitLocker/BitLocker Management";StartTime=(get-date).Addseconds(-86400)}|Where-Object{($_.id -eq 846)} | ft message

$ID = $Result | measure-Object

If ($ID.Count -lt 5)

{

    Write-Output "Bitlocker backup to azure add succeeded"

    Exit 0

}

Else

{

    Write-Output $result

   Exit 1

}

}

catch

{

Write-Warning "Value Missing"

Exit 1

}

Remediation script

$BLV = Get-BitLockerVolume -MountPoint "C:" | select *

BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId

Escrow key failed to upload the on AAD

If the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so.


try{

$BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive

        $KPID=""

        foreach($KP in $BitlockerVol.KeyProtector){

            if($KP.KeyProtectorType -eq "RecoveryPassword"){

                $KPID=$KP.KeyProtectorId

                break;

            }

        }

       $output = BackupToAAD-BitLockerKeyProtector -MountPoint "$($env:SystemDrive)" -KeyProtectorId $KPID

return $true

}

catch{

     return $false

}


SCCM SQL Query Online device by Management Point

 SCCM SQL Query Online device by Management Point select srl.SiteCode, srl.ServerName, srl.InternetEnabled, srl.Shared, srl.SslState, SUM(br...