Friday, 24 October 2025

HP ThinPro - BareMetal with HP ThinUpdate

Introduction

Do you want to reimage your ThinPro Thin Client device?  Perhaps you would like to update it to the latest ThinPro release without using an HP Device Manager template.  A great way to achieve this is to create a bootable USB key using the free HP ThinUpdate tool.  Using the ThinUpdate tool you select a ThinPro image for your Thin Client model.  The tool wipes an inserted USB key, formats it and downloads the selected ThinPro image onto it.

Install the HP ThinUpdate tool.

The ThinUpdate tool can be downloaded from the Software and Drivers section of support.hp.com.  The tool itself is not Thin Client model specific, but if you do enter your model you will be directed to a location where you can download it.  One such location, for the T655, is:

https://support.hp.com/gb-en/drivers/hp-elite-t655-thin-client/2101137492

Download the tool and double click on the downloaded executable (in this case sp156567.exe).


Click Next on the wizard start page.  Accept the licence agreement and click on Next.

On the Location to Save files page, click on Change if you would like the .msi file saved to a different location.  Click on Next.  After the installer file is extracted, double click on it to start the installation wizard.  Click Install on the Ready to install HP ThinUpdate page.  Click Finish on the HP ThinUpdate setup wizard page.









Create a USB BareMetal install USB key

Insert your USB key into the device on which you installed the HP ThinUpdate tool - ensure you have first copied any important files on it to a safe location.  Open the HP ThinUpdate tool from the Windows menu.  If prompted, agree to download any updates.  Select Download a thin client recovery image to a local storage USB flash drive.


The Image Downloads window appears.  In the Platform pull down menu select your thin client model.  In this case I select the T630.  In the Operating system pull down menu select the version of ThinPro that you would like to install.  In my case I select ThinPro 8.1.0.  In the Images pull down menu select the ThinPro image you would like to install.  In my case I select the ThinPro 8.1.0 SP6.2 4096MB x64 Image.  Ensure that the USB flash drive appears in the Target area and then select Create.

A warning message appears advising that all data from the USB flash drive will be erased.  Click on Yes.

The USB flash drive is formatted and the download begins.



A completed successfully window appears when the USB key creation process finishes.


Perform a ThinPro BareMetal build on the HP Thin Client

The next sequence of instructions may be different, depending on your Thin Client model.

Insert your ThinUpdate USB key into the thin client.


Power on your device and press ESC to enter the Startup Menu.  Click on Continue Startup.


The Loading UKit window appears.


The Imaging Tool main selection menu appears.  Select option 1 - Image Write Mode and press Enter.


The Image selection window appears.  Type in the number corresponding to the image you want to apply to the Thin Client device.  In my case I select Image 1 which is the ThinPro 8.1 SP 6.2 image.  Press Enter.


You will be presented with a warning message and asked if you wish to continue.  Type Y for yes and press Enter.  The image writing process takes about 2-3 minutes to complete.



When the image operation has completed, press Enter to return to the main menu.

Press 3 and then Enter to exit.



Remove the USB key and press Enter again.

After a few moments you will be at the hp ThinPro Continue Setup page.  Complete the wizard as required.


Conclusion

The HP ThinUpdate tool is very easy to use.  It only takes minutes to update or revert a Thin Client ThinPro OS to a factory reset state.  It is free to download as well.  Indeed there is a lot that is very pleasing about this useful little tool from HP.  I hope you have enjoyed reading this little blog and I wish you the same success in your Thin Client BareMetal reimaging tasks.


Friday, 10 October 2025

HP ThinPro - Deploy a Wallpaper Image

Introduction

HP Device Manager (HPDM) is used to manage HP Thin Clients running the ThinPro Operating System.  The ThinPro OS (Linux based) is a very secure environment.  I have been working with HPDM and HP ThinPro extensively for the past couple of years.  In the next series of blogs I will be discussing how to use HPDM to implement common OS tasks.  In this blog I show you how to deploy a new wallpaper picture to your ThinPro estate.  The process has four steps:

1) Deploy the new wallpaper image to a test device.

2) Set the new image as the desktop wallpaper on the test device.

3) Send a capture profile task to the test device.

4) Deploy the new profile to your pool of HP ThinPro devices.

Deploy the new wallpaper image to a test device.

You can start this by creating a local directory and copying the desired wallpaper image into this directory.  Do this on the HPDM server.  In my case I create a directory called FilesToSend, and I copy a picture of an Airbus aircraft into this directory.  



I then open the HPDM console, navigate to Manage Devices and right click on the test thin client to which we are going to send the image.  We then select Send Task.



The Template Chooser window appears.  Select File and Registry in the Category column, select _File and Registry in the Template column and click on Next.

The Task Editor window appears.  In the Content tab click on Add.  The sub-task chooser window appears.  Click on Deploy Files and click on OK.  The Deploy Files window appears.  Click on Add from Local and select the wallpaper file.  In the Path On Device section enter in /tmp/.  



Click on OK and then OK.  Provide a name for the template, such as SendWallpaper and click on Generate on the Package Description Editor - Files to Deploy window.   


Click on OK to send the file to the test device.

Set the new image as the desktop wallpaper on the test device.

On the test ThinPro device click on the lower left hamburger, select Switch to Administrator and enter the credentials when prompted.  Click again on the hamburger and select Control Panel.  Click on Appearance and then click on Desktop.  You will see a Theme drop down box - select Image and then click on Choose a file.  In the Find a background image window navigate to /tmp/ and select the sent image.  Click on Open and then Apply.




Send a capture profile task to the test device.

Now that we have sent the new wallpaper file to the test ThinPro device, and set this as the background wallpaper - we can capture this new configuration into a profile template.

In HPDM, right click on the test device and select Send Task....  The Template Chooser window appears.  In the left hand Category column select Settings.  In the right hand Template column select _Capture Profile.  


Click on Next.  The Task Editor window appears.  Enter in a name for the template such as Airbus Wallpaper and click on OK.

Deploy the new profile to your pool of HP ThinPro devices.

Having captured a new profile with a new wallpaper image, we can then deploy it at will to other ThinPro devices.  In the HPDM console navigate to Manage Devices.  In the right hand pane, select one or more ThinPro devices and click on Send Task.  The Template Chooser window appears.  In the left hand column under Category select Settings.  In the right hand column under Template select the profile captured in the above section.  Click on Next and then OK to send the profile, with the new wallpaper image, to the selected ThinPro devices.

Conclusion

The HPDM console can seem a bit confusing at first - however, as you perform more tasks you will become very comfortable very quickly.  It won't be long before you realise that indeed it is just as easy to manage these Linux based ThinPro devices as it is to manage your Windows devices.  I hope you have enjoyed this little blog and wish you much success in your own administrative tasks.




Friday, 20 June 2025

MECM with EHTTP and HSTS enabled on a DP

Introduction

Recently a penetration scan was done on a client's Microsoft Endpoint Configuration Manager (MECM) environment.  The MECM security settings stipulated EHTTP rather than PKI security.  EHTTP (Enhanced HTTP) secures client communication by using self-signed certificates.  Sometimes the overhead of using PKI certificates is not practical - for instance if automatic enrolment and renewal cannot be established.  EHTTP does secure communications when this situation exists.  Without a client PKI certificate, a network access account or Windows authentication, clients can still securely download application content from distribution points.

And this was all good until the penetration scan revealed that the MECM Distribution Point was not in compliance with RFC 6797 - a vulnerability we needed to address.  This finding states that HSTS (HTTP Strict Transport Security) is missing from the HTTP server - that is, the MECM Distribution Point.  HSTS is a response header policy that instructs a browser to communicate with the host only via HTTPS.  When HSTS is not activated the following attacks can occur:

1) Downgrade attacks: This is a cryptographic attack that can downgrade an encrypted connection to a lower-quality connection, such as a cleartext connection.

2) Man in the Middle Attacks: This is a cyberattack in which direct communication between two entities is secretly compromised and a third entity is filtering and capturing the communication data.

3) Cookie hijacking: This is when the attacker steals HTTP cookies by listening on the communication between the two systems, thus gaining access to web browser data.

And so the question was this: could we enable HSTS on an MECM distribution point configured to use EHTTP?  I found no definitive documentation answering this question.  The documentation I did find suggested HSTS could only be enabled on a site using PKI certificate authentication.  Further investigation was required.

Application download with EHTTP and without HSTS.

Without enabling HSTS I cleared the Configuration Manager client cache and started a test install of a PSAppDeployToolkit package.  I then examined the DataTransfer.log file on the client to determine the transport the download used in the transaction.

The site communication was configured as per the following screen grabs.



As can be seen in the DataTransfer.log file below, the deployment download is initiated using HTTP, with redirection to port 80.


Application download with EHTTP and HSTS.

I then enabled HSTS on IIS on the MECM Distribution Point.



This was done by opening the IIS admin console and navigating to the Default Web Site.  It was then a matter of clicking on HSTS in the Actions column and enabling the feature, ensuring all options were selected.

I then opened a command prompt as administrator and ran the following command: iisreset.exe

On the test server I then cleared the MECM client cache by running control smscfgrc, clicking on the Cache tab and then clicking on Clear Cache.


I then reinstalled the application from Software Center.  As can be seen from the DataTransfer.log file, the download now takes place using HTTPS on port 443.
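The same three actions as an added, scripted example (this is not the blog's own code, nor Microsoft's): the IIS 10 native HSTS setting is enabled on the Default Web Site with the same options as the IIS Manager dialog (preload left off), the header is then confirmed from a test client, and the client's DataTransfer.log is classified by URL scheme so the HTTP-to-HTTPS change is checked mechanically rather than by eye.  Assumptions: IIS 10 version 1709 or later with the IISAdministration module on the DP, PowerShell 7 on the test client for -SkipCertificateCheck (needed because EHTTP's self-signed certificate is not trusted), a one-year max-age, and the sample log lines, which are constructed for the example.

```powershell
# Run on the Distribution Point in an elevated session: enable HSTS on the site the blog used.
Import-Module IISAdministration

function Enable-SiteHsts {
    param(
        [string]$SiteName = 'Default Web Site',
        [int]$MaxAgeSeconds = 31536000   # one year; an assumed value, the blog does not state one
    )
    Reset-IISServerManager -Confirm:$false
    Start-IISCommitDelay
    $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
    $site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $SiteName }
    $hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
    # These correspond to the check boxes in the IIS Manager HSTS dialog (preload deliberately omitted).
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'             -AttributeValue $true
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'             -AttributeValue $MaxAgeSeconds
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains'   -AttributeValue $true
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $true
    Stop-IISCommitDelay
    & iisreset.exe   # same restart the blog performed after enabling HSTS
}

# Run from a test client (PowerShell 7): confirm the DP now sends Strict-Transport-Security.
function Test-HstsHeader {
    param([string]$DpHost)   # hostname of the Distribution Point, e.g. 'dp01.example.local' (placeholder)
    # Certificate validation is skipped for this header check only, because EHTTP uses a self-signed certificate.
    $resp   = Invoke-WebRequest -Uri "https://$DpHost/" -Method Head -SkipCertificateCheck -SkipHttpErrorCheck
    $header = $resp.Headers['Strict-Transport-Security']
    return [pscustomobject]@{ Host = $DpHost; Status = $resp.StatusCode; Hsts = [string]$header; Present = [bool]$header }
}

# Count the URLs in DataTransfer.log by scheme; after the cache clear and reinstall, http should be 0.
function Get-TransportSummary {
    param([string[]]$LogLines)
    $summary = @{ http = 0; https = 0 }
    foreach ($line in $LogLines) {
        foreach ($m in [regex]::Matches($line, '(?i)\b(https?)://[^\s\]"]+')) {
            $summary[$m.Groups[1].Value.ToLower()]++
        }
    }
    return $summary
}

# Constructed sample lines in CMTrace layout; they are not entries from the blog's real log.
$sampleLog = @(
    '<![LOG[UpdateURLWithTransportSettings(): NEW URL - https://dp01.example.local:443/SMS_DP_SMSPKG$/Content_00000001]LOG]!><time="10:00:00.000+000" date="06-20-2025" component="DataTransferService" type="1">',
    '<![LOG[DTSJob created to download from https://dp01.example.local:443/SMS_DP_SMSPKG$/Content_00000001]LOG]!><time="10:00:01.000+000" date="06-20-2025" component="DataTransferService" type="1">'
)
Get-TransportSummary -LogLines $sampleLog   # for the constructed sample: http = 0, https = 2
```

On a real client, pass the log with Get-Content on your DataTransfer.log path instead of $sampleLog; a non-zero http count after the cache clear means some content is still being fetched over port 80 and the DP configuration deserves a second look.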



Conclusion

The tests here demonstrate that oftentimes what is expected in a given configuration is not what is observed.  Enabling HSTS in this scenario should not have been possible when MECM is configured for EHTTP communications.  Astonishingly, forcing HSTS on the IIS installation on the Distribution Points forces the MECM client to download application content using HTTPS on port 443 with self-signed certificates, almost as if the site is configured to use PKI certificates.

A further dividend for us here is that the Penetration scan no longer detects the RFC 6797 vulnerability.

I hope you enjoyed this blog and I wish you much success in your own testing of HSTS with MECM using EHTTP.


Friday, 23 May 2025

Integrate the Splunk Forwarder Agent with an Omnissa Horizon VDI Image

Introduction

Splunk is a great tool and very useful for identifying security issues in your environment.  It allows you to search, analyse and visualise data in real time.  It is a good fit for security sensitive environments, and this includes your VDI infrastructure.  In this blog I show you how to integrate the Splunk forwarder into your Omnissa Horizon gold image (sometimes called the reference image) in such a way that your cloned instances each have their own unique data inputs into the Splunk repository.  The process consists of the following steps.

1) Install the Splunk Forwarder application.

2) Generalize the Splunk Agent.

3) Create the Synchronisation scripts.

4) Run the Optimization Tool and create the snapshot.

5) Create the Horizon Desktop Pool with a Post-Synchronization Script.

The implementation steps in this blog have been tested on Splunk version 9.4.1 and Omnissa Horizon version 8.12.x.

Install the Splunk Forwarder application.

Follow your standard OS installation process for creating a gold image, which should include installing the Horizon Agent.  When you are satisfied with your gold image, install the Splunk Universal Forwarding agent - again the wizard details will be specific to your environment.




When completed, wait for the Splunk application definitions to download - these will appear in <installation folder>\SplunkUniversalForwarder\etc\apps - by default this will be C:\Program Files\SplunkUniversalForwarder\etc\apps.  

For the purposes of this blog we are assuming you have installed the Splunk forwarding agent to the default directory.

There should be more than 8 subfolders, indicating that the app download has completed.

When the app download has completed, delete the following file: "C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf"

Generalize the Splunk Agent

In this step we remove the properties specific to the gold reference installation that are in the Splunk forwarder configuration files - for instance the host name.

1) Open a command prompt as administrator and navigate to the bin directory - for instance C:\Program Files\SplunkUniversalForwarder\bin

2) Run the following command: splunk.exe clone-prep-clear-config

3) Verify that the cloneprep file appears in the SplunkUniversalForwarder directory.

Create the Synchronization scripts

The synchronization scripts execute a command to repopulate the configuration files with the cloned VM's details so that duplicated entries are not passed into the Splunk repository.  Manually this is achieved by running splunk.exe restart; however, we need scripts to achieve this during the Horizon pool creation process.

1) Create a local directory on the VDI gold image - for instance c:\Scripts.

2) Create a batch file in this directory - in this example we call it begin.bat.  Enter the following command in this file:

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -file c:\scripts\modify.ps1


3) In the Scripts directory create another script file called modify.ps1.  Populate this file with the following PowerShell command: 

start-process -NoNewWindow -Filepath "c:\program files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList 'restart' -Wait


Note: you can test this by running begin.bat, but you will have to once more run the splunk.exe clone-prep-clear-config command to recreate the cloneprep file and generalize the Splunk installation.
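An added, more defensive version of modify.ps1 (this is my example, not the blog's script): it restarts the forwarder only when the cloneprep marker left by clone-prep-clear-config is present, confirms the marker was consumed afterwards, and writes a small log so a clone that came up still carrying the gold image's identity can be spotted from the pool rather than from the Splunk repository.  Paths are the blog's defaults; the log file location and the service name SplunkForwarder are assumptions.

```powershell
# Post-synchronization script for the Horizon pool (called from begin.bat as in the blog).
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # default install path from the blog
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$Marker     = Join-Path $SplunkHome 'cloneprep'             # created by: splunk.exe clone-prep-clear-config
$LogFile    = 'C:\Scripts\splunk-postsync.log'              # assumed location, next to begin.bat

function Write-Log {
    param([string]$Message)
    '{0:s} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message | Add-Content -Path $LogFile
}

function Invoke-SplunkPostSync {
    if (-not (Test-Path $SplunkExe)) {
        Write-Log "splunk.exe not found at $SplunkExe"
        return 1
    }
    if (-not (Test-Path $Marker)) {
        # No marker means the image was not generalized, or this clone has already been processed.
        Write-Log 'cloneprep marker absent; forwarder not restarted'
        return 0
    }
    Write-Log 'cloneprep marker present; restarting forwarder to regenerate instance identity'
    $proc = Start-Process -FilePath $SplunkExe -ArgumentList 'restart' -NoNewWindow -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Log "splunk.exe restart exited with code $($proc.ExitCode)"
        return $proc.ExitCode
    }
    # A successful restart consumes the marker; if it is still there the clone keeps the gold image's identity.
    if (Test-Path $Marker) {
        Write-Log 'cloneprep marker still present after restart; identity not regenerated'
        return 2
    }
    $svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue   # assumed service name
    $state = if ($svc) { $svc.Status } else { 'service not found' }
    Write-Log "restart complete; forwarder service state: $state"
    return 0
}

exit (Invoke-SplunkPostSync)
```

Because the script exits non-zero when the marker survives the restart, the outcome is visible in the log on the clone itself; a quick Get-Content of the log across a few clones is a cheaper check than waiting to see whether duplicate host entries appear in Splunk.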


Run the Optimization Tool and create the snapshot

As you would normally do, run the Optimization tool.  My process includes running the following in order: Analyze, Optimize, Generalize and then Finalize.  


Ensure the VM Gold build is switched off and then create a snapshot.  The snapshot is used, of course, when running the Desktop Pool Creation wizard.

Create the Horizon Desktop Pool with a Post-Synchronization Script

In your Horizon Admin portal create an Instant Clone pool (ClonePrep) using the new gold image and snapshot.  When you reach part 10 of the wizard, the Guest Customization window, enter c:\Scripts\begin.bat in the Post-Synchronization Script name box.


After your pool is created, open a VDI instance with the Horizon client.  Ensure that the cloneprep file does not exist in C:\Program Files\SplunkUniversalForwarder.  Once confirmed you can also check entries exist in the Splunk repository for your cloned instance.

Conclusion

I hope you have enjoyed reading this little blog.  The VDI Horizon platform is great for spinning up multiple VM clones.  The Splunk Enterprise reporting solution is a great way of maintaining the integrity of your physical infrastructure, and using the above procedure - it is also a great way of observing any issues arising in your VDI Horizon platform.


Friday, 4 April 2025

HP Device Manager - updating components without internet access

Introduction

A good reason for using a VDI solution with HP ThinPro thin client devices is security.  The devices are highly secure - the ThinPro OS provides layers of security with signed OS components and a read only, encrypted file system.  And oftentimes, for this reason, they will be located in air-gapped, highly secure environments.  HP Device Manager (HPDM) is used to manage these systems, and HPDM does not require internet connectivity.  Thus the solution is a very good fit for environments that are sealed off from external threats.  HPDM does require updating from time to time.  When a new version of HPDM is released, all vulnerabilities addressed by the new release are resolved when the upgrader/installer file is executed on the offline installation of HPDM.

In between full releases there are patches and updates to individual HPDM components, such as OpenSSL.  These are normally installed through the HPDM Configuration Center: the administrator clicks on the HPDM HTTPS Repository, clicks on Check for Updates, and then clicks on Download if updates are available.

The Problem

This updating solution is only suitable for HPDM installations on servers that have internet access.  Where there is no internet access, the Check for Updates action will fail and the status will be Update Check Failed.


The Workaround

Such fixes and updates can be downloaded from an internet facing device and imported into the offline instance of HPDM.  Here is the process:

1) On the internet facing device, open a browser and go to https://ftp.hp.com/pub/hpdm/dmcatalog.xml.  Save this page locally as dmcatalog.xml.

2) Search the dmcatalog.xml file for .zip entries and download each of them by navigating to https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/<name of zip file>.  For example:

https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/OpenSSL.zip

At the time of writing the dmcatalog.xml file contains the following .zip entries:

Apache.zip

OpenSSL.zip

PHP.zip

These three files can be downloaded from the following URLs.

https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/OpenSSL.zip

https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/PHP.zip

https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/Apache.zip

Note: The name of the .zip file is case sensitive.  

3) Copy your downloaded files and the dmcatalog.xml file to a USB key and copy them into the Configuration Center directory on your air-gapped HPDM server.  In this case I copy the files into c:\Program Files\HP\HP Device Manager\Configuration Center



4) Open a command prompt as Administrator and navigate to the Configuration Center directory containing the updates and the dmcatalog.xml file.

5) Run the following command:  HTTPSUpgrade.exe -l  (the switch is a lower-case L, as in lima)
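The five steps as one added script (mine, not HP's tooling or the blog's): the internet-facing side downloads the catalog, pulls every .zip it names from the HTTPS_Updates path and writes a SHA256 manifest; the air-gapped side verifies each file against that manifest before copying into the Configuration Center and running HTTPSUpgrade.exe -l, so a file corrupted or altered in transit on the USB key is refused rather than imported.  The catalog URL, update URL prefix and Configuration Center path are the blog's; the staging folder is an assumption, and because the blog does not describe the catalog's XML layout, the .zip names are taken with a regular expression over the raw text (case preserved, since the names are case sensitive on the HP server).

```powershell
$CatalogUrl   = 'https://ftp.hp.com/pub/hpdm/dmcatalog.xml'
$UpdateBase   = 'https://ftp.hp.com/pub/hpdm/Patches/HTTPS_Updates/'
$ConfigCenter = 'C:\Program Files\HP\HP Device Manager\Configuration Center'

function Get-CatalogZipNames {
    param([string]$CatalogText)
    # Catalog structure is not documented in the blog, so match any .zip token and keep its exact case.
    [regex]::Matches($CatalogText, '[A-Za-z0-9_.-]+\.zip') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Internet-facing machine: steps 1 and 2, plus a hash manifest for the transfer.
function Save-HpdmUpdates {
    param([string]$StagingDir = 'C:\HPDM-Staging')   # assumed path
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    $catalogPath = Join-Path $StagingDir 'dmcatalog.xml'
    Invoke-WebRequest -Uri $CatalogUrl -OutFile $catalogPath -UseBasicParsing
    $names = Get-CatalogZipNames -CatalogText (Get-Content -Path $catalogPath -Raw)
    foreach ($name in $names) {
        Invoke-WebRequest -Uri ($UpdateBase + $name) -OutFile (Join-Path $StagingDir $name) -UseBasicParsing
    }
    # The manifest travels with the files so the offline side can detect a corrupt or altered copy.
    Get-ChildItem -Path $StagingDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $StagingDir 'manifest.csv') -NoTypeInformation
    return $names
}

# Air-gapped HPDM server, elevated session: steps 3 to 5 with verification first.
function Install-HpdmUpdatesOffline {
    param([string]$SourceDir)   # folder on the USB key holding the staged files and manifest.csv
    $manifest = Import-Csv -Path (Join-Path $SourceDir 'manifest.csv')
    foreach ($entry in $manifest) {
        $actual = (Get-FileHash -Path (Join-Path $SourceDir $entry.Name) -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) { throw "Hash mismatch for $($entry.Name); nothing imported" }
    }
    Copy-Item -Path (Join-Path $SourceDir '*') -Destination $ConfigCenter -Include 'dmcatalog.xml', '*.zip' -Force
    Push-Location $ConfigCenter
    try {
        & (Join-Path $ConfigCenter 'HTTPSUpgrade.exe') -l   # lower-case L, as in the blog
        return $LASTEXITCODE
    }
    finally { Pop-Location }
}
```

Run Save-HpdmUpdates on the connected machine, copy the staging folder to the USB key, then run Install-HpdmUpdatesOffline -SourceDir 'E:\HPDM-Staging' (drive letter as on your server) on the air-gapped HPDM host and check the exit code it returns.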


Conclusion

As can be seen from the screen grab, all three components have been upgraded on an HPDM installation.  Further, this installation of HPDM does not have internet connectivity - thus the above process is ideal for highly secure, air-gapped environments.

I hope you have enjoyed this little blog, and I wish you much success in your own updating requirements.


Tuesday, 4 March 2025

WSUS - Reset Server Node issue

Introduction

My existing client relies heavily on WSUS for their patching purposes.  WSUS is indeed a mature and tested solution, but it does contain its own peculiar issues.  One of these is the Reset Server Node error message that appears when using the Update Services administration console.  Oftentimes we want to know if the last synchronization completed successfully - and it is here where I see the issue appear most often.  The administrator opens the console and navigates to Update Services\<Server>\Synchronizations.  The Loading synchronization history percentage number increases and then sticks at a random number.  After a couple of minutes an Error: Connection Error message appears with the options Reset Server Node or Copy Error to Clipboard.  Getting beyond this stopper can be tricky, and so in this blog I list the fixes that have worked for me.

Note:  I have seen this error in installations of WSUS using the Windows Internal Database (WID).  The following fixes have been tested on installations using WID.




Fix 1: Run the clean-up Wizard.

This fix is straightforward.  Open the Update Services admin console and navigate to Options in the left hand pane.  Select the Server Cleanup Wizard in the right hand pane.  Ensure all options in the Server Cleanup Wizard are selected and click on Next and Finish to complete the wizard.


Fix 2: Increase Memory and CPU

This fix is convenient to implement on virtual machines.  If it is a VMware VM you can power down the VM and select Edit Settings in vSphere.  In our environments we have found that a configuration of 8 CPUs and 16 GB of memory can resolve the issue.



Fix 3:  Reindex the WSUS database


On your WSUS server create a directory such as d:\WSUSMaintenance.  Copy the SQL script into this directory, naming it appropriately.  In this example I name it WSUSDBMaintenance.sql.  The script can be found at:

https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/reindex-the-wsus-database  

The next step is to install the sqlcmd.exe utility.  This can be downloaded from:

the microsoft/go-sqlcmd releases page on GitHub (Release v1.8.2 at the time of writing).

After downloading and installing the appropriate sqlcmd msi file, open a command prompt as an administrator and run the following command from the sqlcmd.exe location (usually c:\program files\sqlcmd\)

sqlcmd -I -S \\.\pipe\MICROSOFT##WID\tsql\query -i <path to sql file>\wsusdbmaintenance.sql


For example: sqlcmd -I -S \\.\pipe\MICROSOFT##WID\tsql\query -i d:\wsusmaintenance\wsusdbmaintenance.sql  

There may be some error messages and these can be ignored.



Fix 4: Modify the WSUSPool Application Pool

In IIS admin navigate to Application Pools.  Right click on the WsusPool application pool and select Advanced Settings.

Modify the following values accordingly:


Queue Length - 2000

Idle Time Out - 0

Ping Enabled - False

Private Memory Limit - 0

Regular Time Interval - 0


Fix 5: Clean up WSUS using PowerShell.

Open a command prompt with administrator permissions and run powershell.exe -executionpolicy unrestricted

Enter in the following command:

Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
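Fixes 3, 4 and 5 as one repeatable maintenance script, plus a way to read the last synchronization result through the WSUS API instead of the console page that triggers the Reset Server Node error.  This is an added example, not the blog's own commands: the sqlcmd path, script path and WID pipe are the blog's examples and may differ on your server, and the property names in Set-WsusPoolSettings are the IIS configuration names behind the Advanced Settings labels listed under Fix 4.

```powershell
# Run in an elevated session on the WSUS server.
Import-Module UpdateServices
Import-Module WebAdministration

$SqlCmd     = 'C:\Program Files\sqlcmd\sqlcmd.exe'          # install location from the blog
$ReindexSql = 'D:\WSUSMaintenance\WSUSDBMaintenance.sql'     # reindex script saved as in Fix 3
$WidPipe    = '\\.\pipe\MICROSOFT##WID\tsql\query'            # Windows Internal Database named pipe
$PoolPath   = 'IIS:\AppPools\WsusPool'

function Invoke-WsusCleanup {
    # Fix 5: the same switches the blog runs interactively.
    Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates `
        -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
}

function Invoke-WsusReindex {
    # Fix 3: -I sets QUOTED_IDENTIFIER on, which the Microsoft reindex script requires.
    if (-not (Test-Path $SqlCmd)) { throw "sqlcmd not found at $SqlCmd" }
    if (-not (Test-Path $ReindexSql)) { throw "reindex script not found at $ReindexSql" }
    & $SqlCmd -I -S $WidPipe -i $ReindexSql
    return $LASTEXITCODE
}

function Set-WsusPoolSettings {
    # Fix 4: Queue Length, Idle Time-out, Ping Enabled, Private Memory Limit, Regular Time Interval.
    Set-ItemProperty -Path $PoolPath -Name queueLength -Value 2000
    Set-ItemProperty -Path $PoolPath -Name processModel.idleTimeout -Value ([TimeSpan]::Zero)
    Set-ItemProperty -Path $PoolPath -Name processModel.pingingEnabled -Value $false
    Set-ItemProperty -Path $PoolPath -Name recycling.periodicRestart.privateMemory -Value 0
    Set-ItemProperty -Path $PoolPath -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)
    Restart-WebAppPool -Name 'WsusPool'
    $pool = Get-Item -Path $PoolPath
    # Read the values back so the change is verified, not assumed.
    return [pscustomobject]@{
        QueueLength        = $pool.queueLength
        IdleTimeout        = $pool.processModel.idleTimeout
        PingEnabled        = $pool.processModel.pingingEnabled
        PrivateMemoryLimit = $pool.recycling.periodicRestart.privateMemory
        RegularInterval    = $pool.recycling.periodicRestart.time
    }
}

function Get-WsusLastSyncResult {
    # Answers the question the Synchronizations page is usually opened for, without the console.
    $info = (Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()
    return [pscustomobject]@{ Result = $info.Result; Started = $info.StartTime; Ended = $info.EndTime; Error = $info.Error }
}

Invoke-WsusCleanup
Invoke-WsusReindex
Set-WsusPoolSettings
Get-WsusLastSyncResult
```

Cleanup runs before the reindex so the index rebuild works on the already-trimmed tables; the pool settings are applied last because Restart-WebAppPool briefly interrupts the WSUS web services.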


Fix 6: Reinstall WSUS after removing the WID database.

CAUTION: The following steps assume you have a procedure/document to install WSUS from scratch.  This fix shows you how to remove WSUS and the Windows Internal Database cleanly to address the Reset Server Node issue.

If none of the above is successful you may have to resort to a WSUS reinstall.  Keep in mind that simply removing the WSUS role and reinstalling the role may not, by itself, resolve the issue.  To be sure you should also remove the Windows Internal Database (WID) as well.  This is how I managed this task.

1) Open Server Manager and click on Local Server on the left hand side.

2) In the right hand pane navigate down to Roles and Features.  

3) Select Remove Roles and Features from the Tasks option.

4) The Before you Begin window appears.  Click on Next.

5) The Server Selection window appears.  Click on Next.

6) The Server Roles window appears.  Deselect the Windows Server Update Services feature.

7) The Remove features that require Windows Server Update Services window appears.  Click on Remove Features.  Continue clicking on Next to complete the wizard.

8) Restart the server if required.

Having removed the WSUS role you can now remove the WSUS WID database.

1) In Explorer navigate to c:\windows\WID\Data.

2) Delete the SUSDB.mdf and the SUSDB_log.ldf files.


3) Open Server Manager and click on Local Server on the left hand side.

4) In the right hand pane navigate down to Roles and Features.  

5) Select Remove Roles and Features from the Tasks option.

6) The Before you Begin window appears.  Click on Next.

7) The Server Selection window appears.  Click on Next.

8) The Server Roles Window appears. Click on Next.

9) The Remove Features window appears.  Deselect Windows Internal Database.

10) The Remove features that require Windows Internal Database window appears.  Click on Remove Features.  Continue clicking on Next to complete the wizard.

11) Restart the server if required.




The next step would be to delete the WSUS content.  If you specified c:\WSUS as your content folder, that is, the directory where updates are downloaded when synchronizing - delete the files in this directory.  You can then reinstall WSUS following your installation procedures.
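The same removal sequence as an added PowerShell runbook (my example, not the blog's procedure text), with the checks I would want before a database file is deleted: the WSUS role must have uninstalled successfully before SUSDB is touched, the WID service is stopped so the files are not open, and the whole thing supports -WhatIf so it can be rehearsed first.  Paths are the blog's (c:\windows\WID\Data, SUSDB.mdf, SUSDB_log.ldf, c:\WSUS); the WID service name MSSQL$MICROSOFT##WID is the instance behind the named pipe used in Fix 3 and is an assumption for your server.

```powershell
$WidDataDir    = 'C:\Windows\WID\Data'
$ContentFolder = 'C:\WSUS'                 # content folder as specified when WSUS was installed
$WidService    = 'MSSQL$MICROSOFT##WID'    # assumed service name of the Windows Internal Database

function Remove-WsusCompletely {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Steps 1-8: remove the WSUS role and its sub-features.
    if ($PSCmdlet.ShouldProcess('UpdateServices role', 'Uninstall')) {
        $role = Uninstall-WindowsFeature -Name UpdateServices -IncludeManagementTools
        if (-not $role.Success) { throw 'WSUS role removal failed; stopping before touching SUSDB' }
    }

    # Steps 1-2 of the database removal: delete SUSDB only once WID no longer holds the files open.
    Stop-Service -Name $WidService -Force -ErrorAction SilentlyContinue
    foreach ($file in 'SUSDB.mdf', 'SUSDB_log.ldf') {
        $path = Join-Path $WidDataDir $file
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Delete')) {
            Remove-Item -Path $path -Force
        }
    }

    # Steps 3-11: remove the Windows Internal Database feature.
    $restart = $false
    if ($PSCmdlet.ShouldProcess('Windows-Internal-Database feature', 'Uninstall')) {
        $wid = Uninstall-WindowsFeature -Name Windows-Internal-Database
        if (-not $wid.Success) { throw 'Windows Internal Database removal failed' }
        $restart = $wid.RestartNeeded -ne 'No'
    }

    # Final step: clear the downloaded update content so the reinstall starts from an empty store.
    if ((Test-Path $ContentFolder) -and $PSCmdlet.ShouldProcess($ContentFolder, 'Delete contents')) {
        Get-ChildItem -Path $ContentFolder -Force | Remove-Item -Recurse -Force
    }

    return [pscustomobject]@{
        Features      = Get-WindowsFeature -Name UpdateServices, Windows-Internal-Database | Select-Object Name, InstallState
        RestartNeeded = $restart
    }
}

# Rehearse first, then run for real and restart the server before reinstalling WSUS.
Remove-WsusCompletely -WhatIf
```

Because ConfirmImpact is High, running the function without -WhatIf prompts for each destructive step; pass -Confirm:$false only once the dry run output matches what you expect, and restart the server if RestartNeeded comes back true before following your WSUS installation procedure.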

Conclusion

The Reset Server Node error prompt is annoying and quite common as well.  I do hope one of the fixes in this blog has resolved your issue.  I thank you for reading this little blog and wish you successful patching in your environment.





