Define WinHttp proxy for 32 & 64 bits applications

In order to define the “system” proxy on Windows, you can now use Netsh (instead of proxycfg, which was used in the past).


To set the proxy, you can use the following process:

1. Define the proxy within Internet Explorer.

2. Run the command:

Netsh winhttp import proxy source=ie


Alternatively, you can set the proxy directly with:

Netsh winhttp set proxy myproxy:portnumber <exceptions>


One thing to take into consideration is that there are two versions of Netsh:

a 64-bit one under C:\Windows\System32 (the native and default one from the command prompt),

as well as a 32-bit one under the C:\Windows\SysWOW64 folder.

The 64-bit version should normally be the one to use.
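As an added example (not from the original post), the following PowerShell applies the same WinHTTP proxy with both Netsh builds and then compares what each one reports, since the 32-bit and 64-bit WinHTTP stacks keep separate copies of the setting and a 32-bit service can otherwise end up without a proxy. The proxy host, port and bypass list are placeholders; run it from a 64-bit elevated shell.

```powershell
# Added example: set the WinHTTP proxy with the 64-bit and the 32-bit netsh, then verify.
# Assumed placeholder values:
$ProxyServer = 'myproxy.example.internal:8080'
$BypassList  = '<local>;*.example.internal'

# Run from a 64-bit shell: from a 32-bit process System32 would be redirected to SysWOW64.
$Netsh64 = Join-Path $env:windir 'System32\netsh.exe'
$Netsh32 = Join-Path $env:windir 'SysWOW64\netsh.exe'

function Set-WinHttpProxy {
    param([string]$NetshPath, [string]$Server, [string]$Bypass)
    # Equivalent to: netsh winhttp set proxy proxy-server="host:port" bypass-list="<local>;..."
    & $NetshPath winhttp set proxy proxy-server="$Server" bypass-list="$Bypass" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh at $NetshPath failed with exit code $LASTEXITCODE" }
}

function Get-WinHttpProxy {
    param([string]$NetshPath)
    # Return only the "Proxy Server(s)" value reported by 'netsh winhttp show proxy'
    $out = & $NetshPath winhttp show proxy
    ($out | Where-Object { $_ -match 'Proxy Server' }) -replace '^\s*Proxy Server\(s\)\s*:\s*', ''
}

Set-WinHttpProxy -NetshPath $Netsh64 -Server $ProxyServer -Bypass $BypassList
if (Test-Path $Netsh32) {
    # 32-bit WinHTTP clients (32-bit services, agents) read the setting written by this build
    Set-WinHttpProxy -NetshPath $Netsh32 -Server $ProxyServer -Bypass $BypassList
}

$view64 = Get-WinHttpProxy -NetshPath $Netsh64
$view32 = if (Test-Path $Netsh32) { Get-WinHttpProxy -NetshPath $Netsh32 } else { $view64 }
"64-bit view: $view64"
"32-bit view: $view32"
if ($view64 -ne $view32) { Write-Warning 'WinHTTP proxy differs between the 32-bit and 64-bit views' }
```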


How to use Firefox to connect to ServiceNow with NTLM (SSO)

In the previous post, I talked about how to use Firefox as default browser for Sccm Catalog access.

As I have encountered the same issue with an internal implementation of ServiceNow, I first thought that the workaround would be the same.

However, in our environment NTLM authentication is used instead of Kerberos, so the entry is different:

Open about:config and confirm that you want to make changes


Enter the FQDN of your server (without protocol), i.e.

You should now be able to connect directly to your ServiceNow instance without being prompted for a password.

How to use Firefox as default browser with SCCM Software Catalog

By default, if Firefox is your default browser and you open the Software Center and then click on
“Find Additional applications from the Software Catalog”, you will get an authentication prompt.

This is simply because Firefox does not transmit the logged-on user’s credentials by default, whereas Internet Explorer does.


In order to get the same functionality, add the following entry to your mozilla.cfg file:

lockPref("network.negotiate-auth.trusted-uris", "")

Of course, replace the value with your Sccm server FQDN.

Next time you launch the software catalog, you won’t be prompted for credentials.

The only thing you have to do is enable Silverlight, and the functionality will be the same as with Internet Explorer.
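The two posts above set different prefs for the same goal (Negotiate/Kerberos for the SCCM catalog, NTLM for ServiceNow). As an added example, not from either post, this PowerShell writes both entries to mozilla.cfg from one validated host list; the host names and the install path are placeholders. Because every host on these lists receives the logged-on user's credentials without a prompt, the list is locked and limited to your own servers.

```powershell
# Added example: generate the SSO trusted-uris prefs for mozilla.cfg.
# Assumed placeholders: the host list and the Firefox install path.
$SsoHosts   = @('sccm01.corp.example', 'servicenow.corp.example')
$MozillaCfg = 'C:\Program Files\Mozilla Firefox\mozilla.cfg'

function Test-TrustedUriEntry {
    param([string]$Entry)
    # Firefox expects a host name or domain suffix, optionally prefixed by a scheme and
    # followed by a port. A URL with a path is not a valid entry and would never match.
    return $Entry -match '^(https?://)?[A-Za-z0-9.-]+(:\d+)?$'
}

function New-SsoPrefLines {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        if (-not (Test-TrustedUriEntry $h)) { throw "Invalid trusted-uris entry: $h" }
    }
    $list = $Hosts -join ','   # both prefs take a comma-separated list
    # Negotiate (Kerberos) is what the SCCM catalog post needs, NTLM what the ServiceNow post needs.
    # lockPref keeps the user from widening the list of hosts that get automatic credentials.
    @(
        'lockPref("network.negotiate-auth.trusted-uris", "' + $list + '");'
        'lockPref("network.automatic-ntlm-auth.trusted-uris", "' + $list + '");'
    )
}

$lines = New-SsoPrefLines -Hosts $SsoHosts
# The first line of mozilla.cfg is ignored by Firefox, so a new file starts with a comment line.
$existing = if (Test-Path $MozillaCfg) { Get-Content $MozillaCfg } else { @('//') }
Set-Content -Path $MozillaCfg -Value ($existing + $lines) -Encoding Ascii
$lines
```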


Add Certificates to Firefox installation with Certutil

The Firefox certificates are stored in the user profile in the cert8.db database.

[Addendum: The latest versions of Firefox allow the use of system certificates (managed by GPO, for instance) by setting security.enterprise_roots.enabled to true.]

The file is copied to the user profile only at first launch of Firefox.
You can import certificates into the file then deploy it as default for new users by putting it in the folder core\browser\defaults\profile of the installation

For more customization details, see this post: Customize Firefox ESR 31

What happens then when you want to add a new certificate to the user database?
You could add the certificate to cert8.db and redeploy it, but this would overwrite potential changes made by the user.
The other way to proceed is to use Mozilla’s Certutil tool to add the certificate.
BTW, do not try to use the Certutil that comes with Windows; it is a different tool and won’t work.

First step, download the tool(s) needed by certutil

Download NSS 3.11 for windows

Download Nspr 4.6 for windows

Note that those are not the latest versions of the binaries, as the download folders for later versions do not contain Windows binaries.
You could try to build a later version of the tool, but this is not the purpose of this post.

Second Step, mix it all together

Unzip NSS to a folder
You should get the following folder structure

/bin (this is where you can find the certutil.exe utility, but it won’t work straight out of the box)

copy the contents of the /lib folder to the /bin folder

Unzip NSPR

You should get the following folder structure (same as for NSS)


copy the contents of the NSPR /lib folder to the NSS /bin folder

copy the certificate you want to deploy at the same level
you should get this structure

/bin (now also contains libs from nss and nspr)

In order to import the certificate into the user’s cert8.db, the command is the following:

Certutil.exe -A -d <folder where cert8.db can be found> -i <certificate file> -n <name of cert> -t <level of trust>

The directory is different for each user. In order to find it, you need to look into the following file:
C:\Users\ *UserName* \AppData\Roaming\Mozilla\Firefox\profiles.ini

Here is an example of a profiles.ini



For the user testuser cert8.db file will be found in the folder C:\Users\testuser\AppData\Roaming\Mozilla\Firefox\Profiles\hicgn0ja.default

Here is the vbscript I use for deploying the cert: (no support will be provided, test before using it).
CONST ForReading = 1
Set objNetwork = WScript.CreateObject("WScript.Network")
strUserName = objNetwork.UserName
Set fso = CreateObject("Scripting.FileSystemObject")
Set ObjShell = CreateObject("WScript.Shell")
Set FileSystem = CreateObject("Scripting.FileSystemObject")
strDBFileLocation = "cert8.db"

' Folder the script runs from: certutil.exe and its libs are expected in its Bin subfolder
mydir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
strProfileLocation = "C:\Users\" & strUserName & "\AppData\Roaming\Mozilla\Firefox\profiles.ini"

If (fso.FileExists(strProfileLocation)) Then
    'wscript.echo "file exists"
    strData = FileSystem.OpenTextFile(strProfileLocation, ForReading).ReadAll
    arrLines = Split(strData, vbCrLf)

    ' Keep the last Path=Profiles/... entry of profiles.ini as the profile folder name
    For Each strLine In arrLines
        If Left(strLine, 14) = "Path=Profiles/" Then
            strProfileName = Right(strLine, (Len(strLine) - 14))
        End If
    Next

    strProfileFolder = "C:\Users\" & strUserName & "\AppData\Roaming\Mozilla\Firefox\Profiles\" & strProfileName

    If (fso.FolderExists(strProfileFolder)) Then
        ' Back up the current database before certutil modifies it
        myfile = strProfileFolder & "\cert8.db"
        oldfile = strProfileFolder & "\cert8.old"
        FileSystem.CopyFile myfile, oldfile, True
        'wscript.echo "folder exists"
    End If

    ' Import certname.cer with trust "CT,c,c": trusted CA for SSL servers (C) and client auth (T)
    Certcmd = mydir & "Bin\Certutil.exe" & " " & "-A -d " & """" & strProfileFolder & """" & " " & "-i" & " " & mydir & "certname.cer" & " -n" & " certname -t" & " " & """CT,c,c"""
    ObjShell.Run Certcmd, 0, True

End If

I did not yet try the other features of the Certutil tool or of the other tools that come with the downloads.
More information can be found on Mozilla’s website.
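As an added example (not the post's own script), this PowerShell generalizes the VbScript above: it parses every [ProfileN] section of profiles.ini instead of keeping only the last Path= line, honours IsRelative, backs up cert8.db, imports the certificate and then checks with certutil -L that the nickname is present with the requested trust. The certificate file name, nickname and Bin folder are assumptions; the trust "C,," matches the "identify websites" setting mentioned in the ESR 31 post.

```powershell
# Added example: import a CA certificate into every Firefox profile of the current user.
# Assumed: certutil.exe plus the NSS/NSPR DLLs are in .\Bin, the certificate is .\proxyca.cer.
$CertFile = Join-Path $PSScriptRoot 'proxyca.cer'
$CertUtil = Join-Path $PSScriptRoot 'Bin\certutil.exe'
$Nickname = 'Internal Proxy CA'
$Trust    = 'C,,'   # trusted CA for SSL servers only ("This certificate can identify websites")

function Get-FirefoxProfileDirs {
    param([string]$FirefoxRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox'))
    $ini = Join-Path $FirefoxRoot 'profiles.ini'
    if (-not (Test-Path $ini)) { return @() }
    $section = @{}; $sections = @()
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\[(.+)\]$') { if ($section.Count) { $sections += $section }; $section = @{} }
        elseif ($line -match '^(\w+)=(.*)$') { $section[$Matches[1]] = $Matches[2] }
    }
    if ($section.Count) { $sections += $section }
    # Only [ProfileN] sections carry a Path; IsRelative=1 means relative to the Firefox folder
    foreach ($s in $sections | Where-Object { $_.ContainsKey('Path') }) {
        if ($s['IsRelative'] -eq '1') { Join-Path $FirefoxRoot ($s['Path'] -replace '/', '\') }
        else { $s['Path'] }
    }
}

function Import-CertIntoProfile {
    param([string]$ProfileDir)
    $db = Join-Path $ProfileDir 'cert8.db'
    if (-not (Test-Path $db)) {
        # The profile was never launched, or it is a newer profile that uses cert9.db instead
        Write-Warning "No cert8.db in $ProfileDir, skipping"; return
    }
    Copy-Item $db (Join-Path $ProfileDir 'cert8.old') -Force
    & $CertUtil -A -d $ProfileDir -i $CertFile -n $Nickname -t $Trust
    if ($LASTEXITCODE -ne 0) { throw "certutil failed ($LASTEXITCODE) for $ProfileDir" }
    # Verify: the nickname must now be listed together with its trust attributes
    (& $CertUtil -L -d $ProfileDir) | Where-Object { $_ -like "$Nickname*" }
}

foreach ($dir in Get-FirefoxProfileDirs) { Import-CertIntoProfile -ProfileDir $dir }
```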

Sccm Reporting: list updates that are part of a Software Update Group

While Sccm provides a lot of standard reports, sometimes they do not give you the information you want.

Let’s take a simple example.

If I go to Software Library / Software Updates / Software Update Groups, I can select one of the groups and show its members to display the list of updates that are part of the group. Now let’s try to provide this list to another person… it should be simple, right ?

But wait, I can’t export this view, cannot print it… and there does not seem to be a report for this in the default report list.. ?

Let’s build one by ourselves… !


Step 1: Find what tables / views are being used by the console

If you are proficient in SQL, you could use SQL Server Management Studio to query the tables and views until you find the information you are looking for.

An easier alternative is to look at the queries the Sccm console runs to provide you with the results you are looking for. This can be done by looking at the Smsprov.log file: for each operation in the console, some SQL queries are run in the background, and those appear in this log. (Note that this log is found on the site server itself; you will not find it on a computer where only the console is installed.)


Now open Sql Server Management Studio and validate that the information returned is what you are looking for.

For my part, I chose to reduce the number of columns returned so that I can use them to create a report.

My SQL query looks like this:

select all upd.ArticleID, upd.BulletinID, upd.DatePosted, upd.DateRevised, upd.IsExpired,
    upd.IsSuperseded, upd.Description, upd.DisplayName, upd.CIInformativeURL
from vSMS_CIRelation as cr, fn_ListUpdateCIs(1033) as upd
where ((cr.FromCIID = 16832645 AND cr.RelationType = 1) AND upd.CI_ID = cr.ToCIID)
order by upd.DatePosted


Step 2: Let’s Create a Report based on our Query



Create a new Sccm SQL-Based Report, define the name and path and the Report Builder will automatically open.


Select to Create a new Table or Matrix, and for the Query Design window, click simply on Edit as Text and copy your query.


Select all fields and add them to the Values group.


There you are; resize the columns to get a report that looks a bit nicer.


Step 3: Make the report more user friendly

While the report provides us with the updates present in a software update group, this software update group is fixed by our query. Let’s make it work for all Software Update Groups…

In order to do this we need to get a list of Software update groups and their corresponding ID.

Here is a query that does just this:

select SMS_AuthorizationList.CI_ID,SMS_AuthorizationList.DisplayName from fn_ListAuthListCIs(1033) AS SMS_AuthorizationList

In order to be able to use this query we need to create a second dataset based on this query


We then define a new parameter


whose values are based on the second dataset.


We can now change the query of our first dataset to use the parameter:

select all upd.ArticleID, upd.BulletinID, upd.DatePosted, upd.DateRevised, upd.IsExpired,
    upd.IsSuperseded, upd.Description, upd.DisplayName, upd.CIInformativeURL
from vSMS_CIRelation as cr, fn_ListUpdateCIs(1033) as upd
where ((cr.FromCIID = @ReportParameter1 AND cr.RelationType = 1) AND upd.CI_ID = cr.ToCIID)
Order By upd.ArticleID

We replace our fixed CI_ID with the parameter.

Now when we launch the report, we can choose which Software Update Group the report should target.

You can automatically update the report title by using a TextBox using the expression


Finally I made the url clickable via the following change


Now we have a report that we can export, print and provide as needed.
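As an added example (not from the post), this PowerShell runs the two datasets of the report directly against the site database, the way you would validate them in Management Studio before building the report. The group name is resolved to its CI_ID with the second query, and the first query receives that value as a bound @ReportParameter1 rather than as text pasted into the statement. Server, database and group names are placeholders.

```powershell
# Added example: validate the report's two datasets against the site database.
# Assumed placeholders: SQL server, site database and Software Update Group name.
$Server    = 'sccmsql.corp.example'
$Database  = 'CM_P01'
$GroupName = 'Windows 7 - 2015-03'

function Invoke-CmQuery {
    param([string]$Sql, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=$Database;Integrated Security=True"
    $cmd  = $conn.CreateCommand(); $cmd.CommandText = $Sql
    # Values are bound as SqlParameters, never concatenated into the statement text
    foreach ($k in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Parameters[$k]) }
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null }
    finally { $conn.Close() }
    return $table
}

# Dataset 2 of the post: Software Update Groups and their CI_ID
$groups = Invoke-CmQuery 'select CI_ID, DisplayName from fn_ListAuthListCIs(1033)'
$ciId = ($groups | Where-Object { $_.DisplayName -eq $GroupName }).CI_ID
if (-not $ciId) { throw "Software Update Group '$GroupName' not found" }

# Dataset 1 of the post, with @ReportParameter1 bound to the selected group's CI_ID
$sql = @'
select upd.ArticleID, upd.BulletinID, upd.DatePosted, upd.DateRevised, upd.IsExpired,
       upd.IsSuperseded, upd.Description, upd.DisplayName, upd.CIInformativeURL
from vSMS_CIRelation as cr, fn_ListUpdateCIs(1033) as upd
where cr.FromCIID = @ReportParameter1 and cr.RelationType = 1 and upd.CI_ID = cr.ToCIID
order by upd.ArticleID
'@
Invoke-CmQuery $sql @{ ReportParameter1 = $ciId } |
    Format-Table ArticleID, DisplayName, IsSuperseded, IsExpired -AutoSize
```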


Firefox ESR 31 customized Install with Sccm

Deploying Firefox has never been very difficult


"Firefox Setup 31.0esr.exe" -ms would do the trick.


However, when you want to install a customized version of Firefox, things can get a little bit more difficult.

It just takes a couple of minutes browsing the internet in order to find various sources explaining which files to edit in order to change this or that setting.

As new versions get released, the information you find might be obsolete for the version you are trying to deploy.


A major change was introduced in Firefox 21, which now uses different paths for the configuration files:

defaults/preferences -> browser/defaults/preferences

defaults/profile -> browser/defaults/profile

extensions -> browser/extensions

searchplugins -> browser/searchplugins

plugins -> browser/plugins

(see Link for source)


This basically means that guidelines written before May 2013 are now potentially wrong if they have not been updated.


So, how do I customize Firefox ?

One side note here. There are basically two ESR packages available: one from Mozilla, and one repackaged as an MSI by FrontMotion (they also created an add-on that allows GPOs to be used for management).

I use the default Mozilla package here, but I used FrontMotion’s MSI and AdminStudio in the past for different customers, and the principle is the same in the end…


1. Extract the files from the installer. (I used 7zip to do so)



2. Configuration.ini

This file contains settings linked to the installation itself.

Create the file and put it at the root, at the same level as setup.exe and the Core folder:

[Install]
InstallDirectoryName=Mozilla Firefox

The settings are self explanatory, this is where you can disable installation of the Maintenance Service.


3. Local-settings.js

This file forces Firefox to look for configuration settings in the mozilla.cfg file.

Create the file and put it under core\browser\defaults\preferences (create missing folders if they do not exist)

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");


4. Mozilla.cfg

This is the main config file.

Here you define your proxy settings, autoupdate options, etc.

Basically the settings that you can define here are a little bit like Policies and Preferences in Group Policies.

lockPref("toolkit.telemetry.enabled", false); will disable telemetry without letting the user change it back.

pref("browser.startup.homepage", "<your homepage URL>"); will set the default homepage, while allowing the user to change it.

All settings are visible if you type about:config in the browser URL bar (this is also how you can check which settings have been set by your custom file).

Create the file and put it directly in the core folder


5. Override.ini

[Crash Reporter]

This is where you can disable crash reporter and Profile Migrator (at first launch)

Create the file and put it under Core/Browser folder

* Note that version 31.4 does not seem to support the Crash Reporter Override file anymore, but this can be set via the registry.


6. Certificates

One last thing I did was customize the default Certificate Trust Authorities list to add our Proxy Certificate.

In order to do this, create a new Firefox profile (by connecting with a new user or cleaning your appdata firefox files).

Import the certificates that you need. Do not forget to set the Trust level (see below, for an internal proxy, only check “This certificate can Identify websites.”)


The changes will be stored in the cert8.db file under the user profile (C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\mozillaprofileID.default).

Copy the file in the Core/browser/defaults/profile folder and it will be used as default for all subsequent profile creations.


7. Deploy the application with the path to the INI file

The path to the configuration.ini file must be a full path, not relative.

In order to do so, I chose to create a batch file that uses the %~dp0 variable.

setup.exe /INI=%~dp0configuration.ini


One advantage of this way of working is that you don’t need to install Firefox, then copy files to different directories: customized files are used directly. Also, you don’t have to uninstall the Maintenance Service, as it’s simply not installed at all.
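As an added example (not from the post), this PowerShell writes the files from steps 2, 3 and 5 into an extracted installer tree with the paths the post gives for Firefox 21+, checks that the mozilla.cfg and the seeded cert8.db from steps 4 and 6 are in place, and launches setup.exe with an absolute /INI path as step 7 requires. The extraction folder is assumed to be the script folder; the extra [Install] keys are documented Firefox installer options, and the override.ini only carries the profile-migrator setting since the post notes that 31.4 no longer honours the crash reporter override.

```powershell
# Added example: lay out the customization files and run the silent install.
# Assumed: $Source is the folder 7zip extracted setup.exe into (defaults to the script folder).
param([string]$Source = $PSScriptRoot)

$core = Join-Path $Source 'core'
$files = @{
    # Step 2: installer options (root of the tree, next to setup.exe)
    (Join-Path $Source 'configuration.ini') = @(
        '[Install]'
        'InstallDirectoryName=Mozilla Firefox'
        'MaintenanceService=false'
        'QuickLaunchShortcut=false'
    )
    # Step 3: point Firefox at mozilla.cfg (obscure_value 0 = plain text, no ROT13)
    (Join-Path $core 'browser\defaults\preferences\local-settings.js') = @(
        'pref("general.config.obscure_value", 0);'
        'pref("general.config.filename", "mozilla.cfg");'
    )
    # Step 5: skip the profile migrator on first launch
    (Join-Path $core 'browser\override.ini') = @(
        '[XRE]'
        'EnableProfileMigrator=false'
    )
}

foreach ($path in $files.Keys) {
    New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null
    Set-Content -Path $path -Value $files[$path] -Encoding Ascii
}

# Steps 4 and 6 are prepared by hand: warn if they are missing before deploying
foreach ($required in @('mozilla.cfg', 'browser\defaults\profile\cert8.db')) {
    if (-not (Test-Path (Join-Path $core $required))) { Write-Warning "Missing $required under $core" }
}

# Step 7: /INI= needs a full path; Resolve-Path plays the role of %~dp0 in the batch file
$ini  = (Resolve-Path (Join-Path $Source 'configuration.ini')).Path
$proc = Start-Process -FilePath (Join-Path $Source 'setup.exe') -ArgumentList "/INI=`"$ini`"" -Wait -PassThru
"setup.exe exited with $($proc.ExitCode)"
```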

Nothing more ? CCK2 to the rescue

For configuring those settings and more, you can also use the tool from Mike Kaply, CCK2.

The site is also a very good source of information about the new features of Firefox.

The tool is an Add-On to Firefox that allows you to fully configure Firefox and deploy the resulting config as an extension or an Autoconfig file.


The simple feature to be able to import and integrate certificates into your deployment is worth the download. If you need to go beyond basic config, this is the tool that you need. The tool itself is free, and you can buy support if your company does not like unsupported free tools.


Windows 7 Bitlocker Encryption with Pre-provisioning, Used Space only and Mbam 2.5

A few months ago I was requested to implement Bitlocker Encryption for Windows 7 Clients.

At the time, Mbam 2.5 had been available for only a few weeks, and the documentation and implementation details were mostly linked to Windows 8 / 8.1 scenarios. Furthermore, most Bitlocker implementation details that I found on the internet implied the use of Bitlocker GPOs and Active Directory as the storage location, not Mbam.

However, after reading  the documentation, blog posts and support forums, I ended up being pretty confident that most new features made available for Windows 8 could also be used for Windows 7, so I ended up with the following goals:

1. Pre-provision Bitlocker: this allows you to enable bitlocker encryption before the OS is deployed. The resulting encryption targets used space only and is thus very quick. This task sequence step is part of SCCM 2012 and requires WinPe 4.

2. Allow MBAM to take ownership of the TPM so that both TPM and drive recovery information are stored and accessible through Mbam web console.

Basically this ensures that all the computers are encrypted during the Task Sequence, not after.

Here are the first steps I use in my Task Sequence:


Bitlocker must find the TPM in a specific state in order to be able to use it, i.e. enabled in the BIOS, activated but not owned.

A VbScript takes care of this through WMI with the function SetPhysicalPresenceRequest(6) in order to enable and activate the TPM. (see

As you can see this runs within WinPE

A reboot is needed if the state of the TPM has changed; then the standard preparation steps are used. I define the OS partition as %System% so that I can use it in the Pre-provision Bitlocker step like this:

manage-bde -on %system% -Used

If you enable command support for your TS and press F8 during the Task Sequence, you can use manage-bde -status to check the state of the encryption. You will see that the drive is encrypted before data is written to it, so it takes only a few seconds.

Further in the TS, we install the Mbam client on all clients, TPM or not, which gives effective reporting for the enterprise.
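As an added example (not one of the post's scripts), this PowerShell does the TPM check and the pre-provisioning step described above in one place: it reads the enabled/activated/owned state through the same Win32_Tpm WMI class the VbScript uses, issues physical presence request 6 when the TPM is not yet enabled and activated, and otherwise runs the used-space-only encryption and shows the status lines to verify it. It assumes it runs in WinPE with WMI and TPM support, and $OsDrive stands in for the %System% variable.

```powershell
# Added example: TPM state check plus BitLocker pre-provisioning for the task sequence.
# Assumed: runs in WinPE; $OsDrive is the OS volume the TS calls %System%.
param([string]$OsDrive = 'C:')

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }   # no TPM, or the WinPE image lacks the WMI/TPM components
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
        Object    = $tpm
    }
}

function Request-TpmEnableActivate {
    param($State)
    # Physical presence request 6 = enable + activate (the call the post's VbScript uses);
    # the firmware applies it at the next boot, so the TS has to reboot after this step.
    $r = $State.Object.SetPhysicalPresenceRequest(6)
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest(6) returned $($r.ReturnValue)" }
    exit 3010   # constructed convention: exit code the TS step maps to "reboot required"
}

$state = Get-TpmState
if (-not $state) { throw 'No TPM found; cannot pre-provision BitLocker' }
if ($state.Owned) { throw 'TPM is already owned; the pre-provisioning flow expects an unowned TPM' }
if (-not ($state.Enabled -and $state.Activated)) { Request-TpmEnableActivate -State $state }

# Pre-provision: used space only and no protector yet. The volume stays protected by a
# clear key until the OS is installed and the MBAM step adds the TPM protector.
& manage-bde -on $OsDrive -UsedSpaceOnly
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# What the post checks with F8: WinPE reports "Used Space Only Encrypted" within seconds
(& manage-bde -status $OsDrive) |
    Where-Object { $_ -match 'Conversion Status|Percentage Encrypted|Encryption Method' }
```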


The encryption itself uses Alex Semi’s Script slightly modified as well as the reg entries from Mbam 2.5 documentation.


Since he uses AD to store the TPM information, the script would work, but this is not what we want. We need Mbam to take care of storing the information for both disks and TPM, so I simply commented out the lines as seen below.

Function SetTpmOwner (sTpmOwnerPassword)
    Dim iRetVal, oExec, sOwnerAuthDigest, sErrCode
    ' iRetVal = Failure

    On Error Resume Next
    '// Convert password to Digest

    '  iRetVal = oTpm.ConvertToOwnerAuth(sTpmOwnerPassword, sOwnerAuthDigest)
    '  TestAndFail iRetVal, 6749, "Convert owner p@ssword to owner authorization"

    '// Set owner

    '  If not bEndorsementKeyPairPresent then
    '   iRetVal = oTpm.CreateEndorsementKeyPair
    '   TestAndFail iRetVal, 6750, "Create endorsement key pair"
    '  End if

    '  iRetVal = oTpm.TakeOwnership(sOwnerAuthDigest)
    '  oLogging.CreateEntry "Starting owner authorization process on the TPM", LogTypeInfo
    '  TestAndFail iRetVal, 6751, "Change owner authorization"

    ' Ownership is left to the Mbam agent, so the function now always reports success
    SetTpmOwner = Success

End Function

We run Net stop mbamagent, then add the registry keys created for our environment

see for details.

Then we restart the agent, Net start mbamagent

We then run the script :

Cscript.exe StartMbamencryption.wsf /MbamServiceEndpoint:http://yourmbamserverfqdn/MbamRecoveryandHardwareService/CoreService.svc

That’s it.

Some remarks:

First of course, use this in a test environment. Make sure you don’t lose/delete the TPM key, as you might lose data.

Hardware differences might force you to check for missing endorsement keys (I did not have this problem).

Use manage-bde to get the different states of the encryption.

Do not forget the ztiutility.vbs script. it is being used by StartMbamencryption.wsf

Make sure the correct SPN for Mbam is published to AD. There was a mistake in the Setspn command in the documentation.

Update: Note that Windows 7’s manage-bde command does not support Used Space Encryption, so the Manage-bde -status command when run in Windows 7 OS will report “Fully Encrypted” while it would report “Used Space Only Encrypted” when in Windows 8 or Winpe 5.

Hope it helps.

Here are the scripts: