Security Compliance Manager 4.0 – Download Resources

Back in July 2016 Microsoft released Security Compliance Manager 4.0 with support for Windows 10 and Server 2016. For some reason (at the moment) it seems to be hard to find so here are all the bits one might need to get started.

Solution Accelerator Article about SCM4:
Security Compliance Manager (SCM)

A TechNet blog announcing SCM4 availability:
Security Compliance Manager 4.0 now available for download!

An article about the security baselines available and links to download them:
Windows Security Baselines

Download: Windows 10, version 1607 and Windows Server 2016 security baseline
Download: Microsoft Security Compliance Manager 4.0

SQL is needed to install it (yay) and it comes with SQL Express 2008, but here’s a link to SQL 2016 Developer with SP1, which is free now:
MSDN article: Developer Guides for SQL Server
Download: SQL Server Management Studio 16.5.3
Download: SQL 2016 Developer with SP1 (2,590MB ISO)

 

Reporting Web Service for Office 365

There’s an interesting web service that could be used to pull reporting data from Office 365, assuming you can authenticate using your tenancy’s service admin. Here the URL for the service:

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/

Microsoft provide a plug-in to Excel that uses this service and it can be used to pull mail protection statistics from your Office 365 tenancy: https://www.microsoft.com/en-us/download/details.aspx?id=30716

Get the latest* SCEP 2012 R2 client easily without updating SCCM

[Updated 2015-03-03]

If you need to get hold of the latest System Center Endpoint Protection 2012 R2 client installer, normally you’d have to download the original installer from the Volume Licensing Center and install from that, then update using the latest cumulative update for SCCM – on your SCCM server – which is really annoying. However there’s a cheeky back-door method that I’ve found. It’s publicly available and I’ve read nothing that says you shouldn’t do it this way.

If you have SCEP installed already, then as of 3rd Feb 2015 when you do a Microsoft Update it will be updated to version 4.7.209.0 – and luckily the installer will be left behind in your SoftwareDistribution folder. Just go here on your updated PC as soon as it finishes installing: C:\Windows\SoftwareDistribution\Download\Install and there you should find the scepinstall.exe installer waiting for you.
If for some reason it’s not there all you need to do is look in your C:\Windows\WindowsUpdate.log file for scepinstall and you’ll find a line in the log where the update system downloaded the install from. It should look like this:

http://au.v4.download.windowsupdate.com/c/msdownload/update/software/crup/2015/02/scepinstall_230274d8b20bbe30fb94a287fd82670af0309ea4.exe

Much easier than it used to be, but still not as easy as it should be.


Here’s the old and much harder way if you’re a bit of a masochist and don’t want the newest version(!):

Basically the answer was to get the March 2014 anti-malware platform update from its KB article and keep extracting its nested contents until you get to the scepinstall.exe file.

Here’s a list of the steps we’ll go through:

  1. Download the ConfigMgrV5 component of KB2952678
  2. Extract the hotfix by double-clicking
  3. Extract the hotfix contents using /extract
  4. Extract the msi using msiexec /a cm12-sp1cu4-qfe-kb2952678-x64-enu.msi TARGETDIR=<path>
  5. Copy and use the scepinstall.exe file

And here’s the detail:

First the latest version of the client as of this post is 4.5.216.0 – and Microsoft are providing an updater for that on Microsoft Update. Unfortunately the updater is purely that, an updater, and does not include all the installation bits we need. However if you go to the KB article for this updater (KB2952678) then we can find a “Hotfix Download Available” button.

Click to get the Hotfix and choose only the item named ConfigMgrV5 with a fix name of ConfigMgr_2012_SP1_CU4_KB2952678_ENU. Do the usual and give it your email address and fill in the captcha. You’ll then get a link to get the update from. To save visitors time the url you’ll get follows:

http://hotfixv4.microsoft.com/ConfigMgrV5/sp1/ConfigMgr_2012_SP1_CU4_KB2952678_ENU/05.00.7804.1508/free/474251_ENU_x64_zip.exe

We now need to extract this 3 times to get to what we want!

Run the .exe file to extract its contents somewhere. You’ll end up with a 26MB file called CM12-SP1CU4-QFE-KB2952678-X64-ENU.exe – we now need to extract this too. Run this in an admin command-prompt using the /extract switch, eg.:

CM12-SP1CU4-QFE-KB2952678-X64-ENU.exe /extract

You’ll be prompted for a place to put it, give the extracter an empty folder somewhere. Now you have a folder with the contents of this supposed ‘hotfix’. The magic we are looking for is buried inside the .msi file that’ll be in the root of the folder… cm12-sp1cu4-qfe-kb2952678-x64-enu.msi

Finally, we have to extract this msi. You might be able to use a universal extract to explode it, but it’s easier to just turn it into an administrative installation point, thusly, from an admin command-prompt:

msiexec /a cm12-sp1cu4-qfe-kb2952678-x64-enu.msi TARGETDIR="<full path to an existing empty folder>"

So, now you have an administrative installation point for the hotfix… and if we have a look inside we see the final target, scepinstall.exe

It’ll have the version we want (4.5.216.0) and can be used on 32-bit and 64-bit machine types. Copy that somewhere then tidy up all the bits we had to extract to get to it and you’re done.

Hope that helps.

* Of course this was the latest version available as of the date of this post, so there might be a newer update out there when you read this – it’s up to you to find it and apply this method.

Quickest Way to Shut Down / Restart in Server 2012 or Windows 8

I really don’t know why they did it but in Server 2012 and Windows 8 Microsoft have decided to make it really difficult to shut down and restart. And if you are in a remote desktop session it’s even harder than when you’re on the console.

Fortunately there’s a handy key-press they haven’t gotten rid of yet, namely good old Alt+F4. Just click on an empty space on the desktop, give that particular two-fingered salute and you get the following dialog:

Shut Down Windows dialog

So there we go. To be honest I was surprised it worked in an RDP session – I fully expected my session to get killed instead, but no it does indeed work as it needs to.

Orca 5 for Windows 8

Now that Windows 8 has hit RTM there is a slightly newer version of Orca the MSI editing tool available. This one is version 5.0.9200.0, but when it’s installed, in the Programs and Features dialog it’ll show up as 8.59.25584.

To grab yourself a copy get the Windows SDK for Windows 8, install using the option to ‘download for installation on a separate computer‘, and make sure only ‘Windows Software Development Kit‘ is selected in the features list. You won’t be able to de-select the .NET 4 download.

After your download is complete you can either install Orca from the download directory, or collect up the files you need to keep a copy for use later on. The files you’ll need are listed here and are linked directly to Microsoft download location for ease of collection:

a35cd6c9233b6ba3da66eecaa9190436.cab
fe38b2fd0d440e3c6740b626f51a22fc.cab
Orca-x86_en-us.msi

To install Orca just double-click on Orca-x86_en-us.msi and allow it to install. Job done!

PowerShell 3 for Windows 7, Server 2008 R2, Server 2008 and Vista

Following up on my post of a few years ago on PowerShell 2 being available, Microsoft have now released the bits needed to give you PowerShell 3 on Windows 7, Server 2008 R2, Vista and Server 2008. Sadly no PowerShell 3 lovelyness for XP, but then who really cares. I can barely remember how to use XP now I’m using Windows 8…

So without further a-do here is the download link for PowerShell 3:
http://www.microsoft.com/en-us/download/details.aspx?id=34595

Orca 5 – msi editing tool for Windows 7

I finally realised where to get hold of version 5 of Orca – the one most suitable for Windows 7 able to validate .msi files for Windows Installer 5. It was of course in the Windows SDK for Windows 7 and .NET Framework 4. Unfortunately there’s no mini-download for the msi sdk like with version 4.5, so for simplicity I’ve acquired the .msi for orca and put it online for download…

Orca 5.0.7693.0 (2.1MB)

If you would rather download the official version from Microsoft you need to install the debugging tools from the Windows SDK, then go in to Program Files\Windows SDK\7.1\Bin and orca.msi will be in there.

[Update 2012-09-08: there’s now a slightly newer version available here]

PowerShell 2 for XP, Server 2003, Vista and Server 2008 is available!

Microsoft are calling it the “Windows Management Framework” but in reality this is PowerShell 2.0 and it’s now available for download: http://support.microsoft.com/kb/968929

If you install over the top of PowerShell 1.0 on XP the startmenu link will go but you’ll be left with the documentation links. So it might be better to uninstall 1 then install 2. Not sure yet.
Part of this is the new ISE (Integrated Scripting Environment) too and it’s wonderfully good. Just go start, run, then type: powershell_ise

Note: it supports only XP SP3, Server 2003 SP2, Vista SP1+, and Server 2008 SP2.
Windows 7 and Server 2008 R2 have PowerShell 2 built-in of course.

Update on 7th Sep 2012: If you want PowerShell 3 click here

Decide for yourself if Bing is any good

Microsoft recently re-made and rebranded their internet search engine. Launched not long ago Bing.com seems to me to be pretty good. I always hated Live search; in fact I used to prove to my peers how crap it was simply by searching for something that had recently been made live by Microsoft themselves, such as a new Microsoft download I might need, like SQL 2008 SP1. Low and behold 9 times out of 10 Live search would find almost nothing of use, but google would give me exactly what I needed in the first result.
I never bothered to try Yahoo – I mean who the hell cares about Yahoo now anyway. To me they are like the AOL of ISPs – you only use them if you don’t know better.

Well now that Bing is here there’s a nice little tool some Microsoft guy has setup to help you decide if it’s any good. It’s a blind-search test and lets you run a query against Google, Yahoo and Bing at the same time, but doesn’t tell you where the results are from until you vote for the column of results which best fits what you were searching for. I think it’s a very clever idea. Try it out here: http://blindsearch.fejus.com/