Archive

Archive for the ‘Deployment’ Category

Microsoft Deployment Toolkit (MDT) 2010 Update 1 released

July 9th, 2010 Ben De Vriese No comments

Microsoft released an update for the company’s free operating system deployment solution.  If you’re planning to migrate to Windows 7, Server 2008 R2 or Office 2010, MDT is the tool you need.  Here at the D Spot we have blogged a lot about MDT already.  Keep yourself up to date and read our MDT related posts.

What has changed in MDT 2010 Update 1

 

For native MDT users (Lite Touch Installation)

  • Support for Office 2010. Easily configure Office 2010 installation and deployment settings through the Deployment Workbench and integration with the Office Customization Tool.
  • Improved driver importing. All drivers are inspected during the import process to accurately determine what platforms they really support, avoiding common inaccuracies that can cause deployment issues.

     

    For ConfigMgr 2007 users (Zero Touch)

  • New User Driven Installation deployment method. An easy-to-use UDI Wizard allows users to initiate and customize an OS deployment on their PCs that’s tailored to their individual needs.
  • Support for Configuration Manager R3 Prestaged Media. For those deploying Windows 7 and Office 2010 along with new PCs, a custom OS image can easily be loaded in the factory and then customized once deployed.

     

    For all users

  • A smooth and simple upgrade process. Installing MDT 2010 Update 1 will preserve your existing MDT configuration, with simple wizards to upgrade existing deployment shares and Configuration Manager installations.

  • Many small enhancements and bug fixes. Made in direct response to feedback received from customers and partners all around the world, MDT 2010 Update 1 is an indispensable upgrade for those currently using MDT (as well as a great starting point for those just starting).
  • Continued support for older products. MDT 2010 Update 1 still supports deployment of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Office 2007.

     

    Download binaries and documentation at Microsoft.


    Adobe Reader 9.3.3 Deployment

    July 7th, 2010 Ben De Vriese 8 comments

    The popular PDF reader and writer from Adobe are often plagued by critical vulnerabilities, so updating and patching Adobe Reader and Adobe Acrobat is necessary.

    Here is how to slipstream the Reader 9.3.3 patch into the 9.3 source and suppress automatic updates and the acrobat.com online services.

    First step: get the sources.

    Download sources

    Adobe Reader 9.3: AdbeRdr930_en_US.msi

    Adobe Reader 9.3.2 Patch: AdbeRdrUpd932_all_incr.msp

    Adobe Reader 9.3.3 Patch: AdbeRdrUpd933_all_incr.msp

    Adobe Customization Wizard 9: CustWiz90_en_US.exe

    Because the upgrade path is 9.3 > 9.3.2 > 9.3.3, we also need the 9.3.2 patch file.

    In the second step we need to create a network installation point (administrative installation point). I use C:\temp\reader933\adminpoint, you can choose your own.

    Perform an administrative installation

    1. Copy the sources to a directory of your choice, for example:

      C:\temp\reader933\sources

    2. Create a distribution point folder (a folder where the installer can install the uncompressed program files)

      C:\temp\reader933\adminpoint

    3. Open a command prompt and execute this command:

      Msiexec /a <path of AdbeRdr930_en_US.msi>

      With the /a parameter, you’re extracting the MSI to the administrative installation point (folder).


      When asked, point to the administrative installation point created in step 2 and hit Install.


      The admin point has been created.

      The 9.3 source files are extracted, now we will slipstream the 9.3.2 and 9.3.3 patches.

    4. Apply the 9.3.2 patch:

      msiexec /a <path of msi at distribution point> /p <path of Reader 9.3.2.msp>

      for example in my situation:

      msiexec /a "C:\Temp\reader933\adminpoint933\AdbeRdr930_en_US.msi" /p "C:\Temp\adobereader\sources\AdbeRdrUpd932_all_incr.msp"


    5. Then apply the 9.3.3 patch:

      msiexec /a "C:\Temp\reader933\adminpoint933\AdbeRdr930_en_US.msi" /p "C:\Temp\adobereader\sources\AdbeRdrUpd933_all_incr.msp"


      Last step is to create a transform file. Here you can disable automatic updates and apply custom settings.

    Create a transform file (.mst) using the Adobe Customization Wizard:

    Run Adobe’s Customization Wizard and open the extracted MSI (leave other files in place). Then change the settings to suit your needs; use the screenshots as an example (these are our adaptations).

    Adobe Customization Wizard - Installation Options

    Adobe Customization Wizard - Shortcuts

    Create new key: AVGeneral (in HKCU\Software\Adobe\Acrobat Reader\9.0)

    DWORD: bCheckForUpdatesAtStartup

    Value: 0

    Adobe Customization Wizard - Registry Summary

    Create new DWORD: OptIn (in HKCU\Software\Adobe\CommonFiles\Usage\Reader 9)

    Value: 0

    Adobe Customization Wizard - EULA

    Adobe Customization Wizard - Online options

    Adobe Customization Wizard - Comments and Forms

    Before saving the package, create an empty setup.ini file in the root of your admin point. If you don’t create this file the Customization Wizard will throw the error: “Setup.ini not found”. (thanks Terry for letting me know)

    Save the package, and you’re done.

    Add sites to the Trust Manager

    We needed to add some sites to the Trust Manager; this step isn’t necessary in the deployment process. We added these IP ranges to the Trust Manager:

    172.33.*

    172.75.*

    Use this .reg file to deploy via scripting:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\TrustManager]

    [HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\9.0\TrustManager\cDefaultLaunchURLPerms]

    "tHostPerms"="version:2|172.33.*:2|172.75.*:2"

    Import via the Customization Wizard should also work, although I haven’t tested the import feature. If someone has experience with importing these settings, please share and leave a comment!

    Deployment:

    I use this command line to deploy my slipstreamed Adobe Reader via ConfigManager 2007:

    msiexec /i "path\AdbeRdr930_en_US.msi" TRANSFORMS="path\AdbeRdr930_en_US.mst" /qb REBOOT=ReallySuppress /log "path\reader933.txt"

     

    Update Sept 2010:

    Patch to reader 9.3.4

    Here is how to patch the Reader 9.3.3 administrative distribution point with the updated Reader 9.3.4 version.

    First get the Adobe Reader 9.3.4 sources file from Adobe’s website. Then apply the 9.3.4 (.msp) patch to the previously created distribution point:

    msiexec /a <path of msi at the distribution point> /p <path of downloaded patch>

    for example in my situation:

    msiexec /a "C:\Temp\reader933\adminpoint933\AdbeRdr930_en_US.msi" /p "C:\Temp\adobereader\sources\AdbeRdrUpd934_all_incr.msp"

    It can be confusing, because I named the distribution point “reader933”.


    Copy the files from distribution point to your desired location and you’re done!
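The slipstream sequence from this post (administrative install, then the 9.3.2, 9.3.3 and 9.3.4 patches in order), scripted in PowerShell as an added example that is not the author's own code. It assumes the downloads sit in the sources folder from step 1 and that Adobe's files carry an Authenticode signature; `Invoke-Msi` and `Get-MsiProperty` are helper names introduced here, and the "Adobe" signer match is an assumption to replace with the exact subject you expect.

```powershell
# Added example: build the administrative installation point, then apply the
# incremental patches in upgrade order. Folder names are the ones from steps 1-2.
$ErrorActionPreference = 'Stop'

$Sources    = 'C:\temp\reader933\sources'
$AdminPoint = 'C:\temp\reader933\adminpoint'
$BaseMsi    = 'AdbeRdr930_en_US.msi'
$Patches    = 'AdbeRdrUpd932_all_incr.msp',   # 9.3   -> 9.3.2
              'AdbeRdrUpd933_all_incr.msp',   # 9.3.2 -> 9.3.3
              'AdbeRdrUpd934_all_incr.msp'    # 9.3.3 -> 9.3.4 (Sept 2010 update)

function Invoke-Msi {
    # Hypothetical helper: runs msiexec silently with a verbose log, stops on failure.
    param([string[]]$Arguments, [string]$Log)
    $argList = $Arguments + @('/qn', '/l*v', "`"$Log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    if (@(0, 3010) -notcontains $proc.ExitCode) {      # 3010 = success, reboot required
        throw "msiexec exited with code $($proc.ExitCode); see $Log"
    }
}

function Get-MsiProperty {
    # Hypothetical helper: reads one value from the MSI Property table (read-only open).
    param([string]$Path, [string]$Name)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                @("SELECT Value FROM Property WHERE Property = '$Name'"))
    [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}

# Refuse to build from a download whose Authenticode signature does not verify.
# Matching "Adobe" in the signer subject is an assumption; pin the subject you expect.
foreach ($file in (@($BaseMsi) + $Patches)) {
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $Sources $file)
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Adobe*') {
        throw "${file}: signature status is '$($sig.Status)', not using it"
    }
}

# Administrative install; TARGETDIR replaces the folder prompt of the interactive wizard.
New-Item -ItemType Directory -Path $AdminPoint -Force | Out-Null
$sourceMsi = Join-Path $Sources $BaseMsi
Invoke-Msi -Arguments '/a', "`"$sourceMsi`"", "TARGETDIR=`"$AdminPoint`"" -Log "$env:TEMP\reader-admin.log"

# Patch the MSI at the admin point, one .msp at a time.
$adminMsi = Join-Path $AdminPoint $BaseMsi
foreach ($patch in $Patches) {
    $patchPath = Join-Path $Sources $patch
    Invoke-Msi -Arguments '/a', "`"$adminMsi`"", '/p', "`"$patchPath`"" -Log "$env:TEMP\$patch.log"
}

# Confirm the admin point carries the last patch level before deploying it.
"Admin point ProductVersion: $(Get-MsiProperty -Path $adminMsi -Name 'ProductVersion')"
```

Drop the last entry of `$Patches` to stop at 9.3.3; the transform (.mst) is still created afterwards with the Customization Wizard as described above.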

    Categories: Deployment

    Proof of Concept Jumpstart Kit v1.1

    June 17th, 2010 Ben De Vriese No comments

    This kit will help you complete a Proof of Concept (PoC) at your organization or at a customer, or get familiar with some Microsoft products in a lab environment.

    It allows you to quickly evaluate the new Microsoft desktop technologies, including Windows 7, Office 2010, Internet Explorer 8, and Application Virtualization (App-V) with Microsoft Desktop Optimization Pack technology.

    It will also familiarize you with some of the important deployment tools provided by Microsoft to assist with your broader deployment efforts. This PoC isn’t meant to be a comprehensive training mechanism but rather an introductory set of modules to familiarize you with tools and technologies.

    Included in the package:

    • Microsoft Assessment and Planning Toolkit (MAP)
    • Microsoft Application Compatibility Toolkit (ACT)
    • Microsoft Office Migration and Planning Manager (OMPM) (A tool to assess and upgrade Office versions and files, like macro compatibility for example)
    • Microsoft Deployment Toolkit (MDT)
    • Windows 7 Enterprise 90-day Trial image
    • Microsoft Office Professional Plus 2010
    • Office 2010 with Application Virtualization (App-V)

    In short, a package that any consultant arriving on a mission around Windows 7 should have.

    Download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=26301cd1-cc72-4dd8-819e-12ef48322743


    Windows 7 clients not activating

    June 7th, 2010 Steve De Peet No comments

    Recently I had a problem with my Windows 7 clients (built with my new and freshly created image) where they would not get activated by the KMS server. After some research I noticed that the KMS counter was not updated with new clients and so my KMS server would never reach the point where it would actually start activating my clients (25 clients).

    The reason for the KMS server not updating its counter was the fact that all my clients were reporting to the KMS server with the same Client Machine ID (CMID), which I noticed through the events it reported in the Key Management Service event log of my KMS server.

    If you ‘Bing’ on this one you will get lots of posts where this is due to the sysprep command not being run with the /generalize parameter. This parameter removes all hardware dependencies and, when building a new client, it will create a new CMID.

    However, I did use the /generalize parameter, so why do I get the same behavior? The solution is simple but it did take me some time to notice that I seemed to have missed the <skiprearm> setting in my xml answer file. This setting should be removed before using the image in a production environment! If not you’ll end up rebuilding your image like me…

    More info: http://support.microsoft.com/kb/929829

    Grtz,
    Steve.
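A check for both symptoms described in this post, as an added PowerShell example (not the author's code): it lists any SkipRearm element left in an answer file and reports deployed clients that share a CMID. The answer-file path and computer names are placeholders, `Find-SkipRearm` is a helper name introduced here, and the CMID is read from the `ClientMachineID` property of the `SoftwareLicensingService` WMI class.

```powershell
# Added example. $AnswerFile and $Clients are placeholders for your own values.
$AnswerFile = 'C:\DeploymentShare\Control\WIN7\Unattend.xml'
$Clients    = 'PC001', 'PC002', 'PC003'

function Find-SkipRearm {
    # Hypothetical helper: lists every SkipRearm element found in an answer file.
    param([Parameter(Mandatory = $true)][string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    # local-name() avoids having to register the unattend XML namespace.
    foreach ($node in $xml.SelectNodes("//*[local-name()='SkipRearm']")) {
        $component = $node.ParentNode
        [pscustomobject]@{
            Pass      = $component.ParentNode.GetAttribute('pass')
            Component = $component.GetAttribute('name')
            Value     = $node.InnerText.Trim()
        }
    }
}

# 1. Before building the production image: the setting must not be left in.
$left = @(Find-SkipRearm -Path $AnswerFile)
if ($left.Count -gt 0) {
    $left | Format-Table -AutoSize | Out-Host
    Write-Warning "SkipRearm is still present in $AnswerFile; remove it before building a production image."
}

# 2. On clients that are already deployed: find machines that report the same CMID.
Get-CimInstance -ClassName SoftwareLicensingService -ComputerName $Clients |
    Group-Object -Property ClientMachineID |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            CMID      = $_.Name
            Computers = ($_.Group | ForEach-Object { $_.PSComputerName }) -join ', '
        }
    }
```

Any row in the second output is a group of machines the KMS host counts as one client.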

    Categories: Deployment, KMS/MAK, Windows 7

    HP Insight Control server deployment 6.1.0

    HP has released a new version of their rapid deployment pack. It consists of Altiris DS 6.9 SP4, HP Firmware 9.00, Drivers  and a lot of preconfigured jobs to install your servers with various OS’s. Their SmartStart scripting toolkit is included as well to automate iLO and SmartArray config.
    http://h18013.www1.hp.com/products/servers/management/rdp/knowledgebase/20000060.html

    For Dell servers there’s a similar package.
    http://www.symantec.com/business/theme.jsp?themeid=deployment_solution_dell

    HP also launched a version for Microsoft SCCM.
    https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPICE-SC

    Categories: Deployment

    Device Drivers Pre-Installation (DPINST)

    April 21st, 2010 Stijn Verelst No comments

    1. Purpose:

    Instead of using the ‘Devicepath’ method, the Microsoft utility DPINST.EXE makes it possible to pre-install different device drivers. A major advantage is that the device can be attached later (even in a user context) without any intervention needed.
    When installing with DPINST, the drivers are installed in
    C:\Windows\System32\DRVSTORE
    Important: this method has nothing to do with the ‘Local Cache’.

    2.     Prerequisites:
    DPInst.exe
    DPInst.xml

    Both are part of “Driver Installation Tools 2.01”, downloaded from Microsoft.

    3.     Procedure:

     Download and/or extract the device drivers.

    Normally the drivers are in the drivers folder of the extracted files, possibly under a sub-folder for the operating system (WinXP_32).

    A set of drivers should contain one or more:

    *.cat files (Security Catalog)

    *.inf files (Setup Information)

    *.sys files (System File)

    other files

     Add DPINST.exe and DPInst.xml in that folder.

    The provided DPInst.xml file contains following parameters:

    <?xml version="1.0"?>
    <dpInst>
       <quietInstall/>
       <forceIfDriverIsNotBetter/>
       <suppressAddRemovePrograms/>
       <legacyMode/>  
    </dpInst>

    Manual pre-installation (stand-alone):
    Launch DPINST.EXE from the folder created above and follow the instructions on screen.

    Manual pre-installation (stand-alone, with command-line switches on DPINST.exe):
    Launch DPINST.EXE from the folder created above with the command-line switches: /lm /q /sw

    IMPORTANT:

    The command-line switches take precedence over the settings in the DPInst.xml file.

     Command-switches explanation for above command-line:

    /lm

    The /lm command-line switch sets the legacyMode flag to ON, which configures DPInst to accept unsigned driver packages and driver packages that have missing files. For more information, see “Setting the legacyMode Flag” earlier in this paper.

    /q or /s

    The /q or /s command-line switch sets the quietInstall flag to ON, which suppresses the display of wizard pages, user dialog boxes, and other user messages that DPInst and Windows generate. The quietInstall flag works in combination with the presence of a EULA page and the suppressEulaPage flag, as described earlier in this paper in “Setting the quietInstall Flag” and “Setting the suppressEulaPage Flag”.

    /sw

    The /sw command-line switch sets the suppressWizard flag to ON, which suppresses the display of wizard pages and other user messages that DPInst generates. The suppressWizard flag works in combination with the presence of a EULA page and the suppressEulaPage flag, as described earlier in this paper in “Setting the suppressWizard Flag” and “Setting the suppressEulaPage Flag”.
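Because legacyMode (the `<legacyMode/>` element or `/lm`) makes DPInst accept unsigned packages and packages with missing files, it is worth knowing which packages actually need it before a quiet install. The following pre-flight check is an added PowerShell example, not part of the original post or of the Microsoft tools; the driver folder is a placeholder and `Test-DriverPackage` is a helper name introduced here.

```powershell
# Added example. $DriverFolder is a placeholder for the folder that holds
# DPInst.exe, DPInst.xml and the extracted driver files.
$DriverFolder = 'C:\Drivers\ExampleDevice'

function Test-DriverPackage {
    # Hypothetical helper: checks that an INF names a catalog, that the catalog
    # exists, and that the catalog's own Authenticode signature verifies.
    param([Parameter(Mandatory = $true)][string]$InfPath)
    $dir = Split-Path -Parent $InfPath
    # CatalogFile, CatalogFile.NTx86, CatalogFile.NTamd64 ... name the package catalog.
    $cats = @(Get-Content -LiteralPath $InfPath | ForEach-Object {
        if ($_ -match '^\s*CatalogFile(\.\w+)?\s*=\s*([^;]+)') {
            $name = $Matches[2].Trim().Trim('"')
            if ($name) { $name }
        }
    } | Sort-Object -Unique)

    $problems = @()
    if ($cats.Count -eq 0) { $problems += 'no CatalogFile entry (unsigned package)' }
    foreach ($cat in $cats) {
        $catPath = Join-Path $dir $cat
        if (-not (Test-Path -LiteralPath $catPath)) { $problems += "$cat is missing"; continue }
        # Covers the catalog signature only; Windows checks the file hashes at install time.
        $sig = Get-AuthenticodeSignature -FilePath $catPath
        if ($sig.Status -ne 'Valid') { $problems += "${cat}: signature $($sig.Status)" }
    }
    [pscustomobject]@{
        Inf      = Split-Path -Leaf $InfPath
        Signed   = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

$results = @(Get-ChildItem -LiteralPath $DriverFolder -Filter *.inf -Recurse |
             ForEach-Object { Test-DriverPackage -InfPath $_.FullName })
$results | Format-Table -AutoSize | Out-Host

# Compare the findings with what DPInst.xml asks for.
[xml]$cfg = Get-Content -LiteralPath (Join-Path $DriverFolder 'DPInst.xml')
$legacy   = $null -ne $cfg.SelectSingleNode('/dpInst/legacyMode')
$unsigned = @($results | Where-Object { -not $_.Signed })

if ($unsigned.Count -eq 0 -and $legacy) {
    'Every package is signed: <legacyMode/> and /lm are not needed and can be removed.'
} elseif ($unsigned.Count -gt 0 -and $legacy) {
    "legacyMode is on: DPInst will install $($unsigned.Count) package(s) listed above without a valid signature. Review them first."
} elseif ($unsigned.Count -gt 0) {
    "legacyMode is off in DPInst.xml: $($unsigned.Count) package(s) listed above need it (or /lm) to install."
} else {
    'Every package is signed and legacyMode is off.'
}
```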

    Categories: Deployment

    Importing pfx certificates

    April 21st, 2010 Stijn Verelst 2 comments

    I always struggle to import certificates. But with this commandline-tool (importpfx.exe) it is easy to install them.

    ———–

    Go to http://home.fnal.gov/~jklemenc/dl/importpfx.zip and download importpfx.
    Unzip it.
    Usage: importpfx.exe -f -p -t USER|MACHINE -s [-r "Subject OU to remove" | -all]

    This utility will import a PKCS12 certificate file (with a .p12 or .pfx extension) into the certificate store specified by the -s parameter.

    The default behavior is to overwrite like certificates (if available). The -r “Subject OU” will remove all certificates matching the Subject CN
    in from the CN in the PKCS12 file and the Subject OU set to the -r parameter.

    PARAMETERS:
    -f = PKCS12 filename
    -p = Password to secure the private key with
    -t = Store type (USER or MACHINE)
    -s = The certificate store to import into (MY is a common param)

    -r “Subject OU Text” = Delete all user certificates in which the Subject OU matches the -r “Subject OU Text” and the Subject CN matches the PKCS12 Subject CN
    -r -all = Delete ALL user certificates in the

    Import a PKCS12 file into the local machine Testing store and delete any stored certificates with a Subject containing OU=”Self-Signed CA”:
    importpfx.exe -f x509.p12 -p "" -t MACHINE -s Testing -r "Self-Signed CA"

    Delete ALL certificates in the USER MY store:
    importpfx.exe -t USER -s MY -r -all

    Examples:
    Import a PKCS12 file into the MY store, overwriting if allowed:

    importpfx.exe -f clientcert.p12 -p "testpwd" -t USER -s MY

    Advantages : Silent install & You don’t have to know the username that is logged in.

    Source: http://www.symantec.com/connect/forums/install-p12-certificate-silently

    Categories: Deployment

    cleaning up Forefront definition updates

    March 10th, 2010 Steve De Peet No comments

    Anyone using SCCM and Forefront Client Security? If so, then you probably have an auto-approve rule in WSUS for your definition files and therefore have these files automatically downloaded to your server. Given the number of definition files that are released, you could notice that these files begin to consume a significant amount of disk space and, as in my case, could run into disk space problems if not adequately monitored. Therefore I needed to get these files cleaned up to free up some disk space.

    Cleaning up these definition files and freeing up disk space can be done through the ‘Cleanup Wizard’ in your WSUS console. Normally you would manage your updates through the SCCM console but the difference is that, by creating this auto-approve rule for definition files, these ‘updates’ are managed by your underlying WSUS infrastructure and not your SCCM infrastructure which you would use for other updates (Windows updates, etc.)

    The first time I ran the Cleanup Wizard, it would appear to go into a state of not responding and finally freeze up.  This was because it was the first time I ran the wizard and had selected all the different tasks…


    It is better to perform these tasks individually and in certain order, the first time you run the cleanup wizard. I performed them in the following order:

    1. I first selected the two bottom options where you decline certain updates
    2. Then the first option, deleting unused updates and update revisions
    3. To end with the third option where unneeded updates are deleted

    If, like me, you want to schedule this cleanup to run every month or so, you can do this by using the following tool: http://wsus.codeplex.com/releases/view/17612. The tool provides you with an executable, help file and an sql file. Depending on the arguments you pass in your command, you can perform the several cleanup tasks as you find in the cleanup wizard of WSUS and perform a database maintenance. All arguments and command line options can be found in the help file; I found it very useful.

    Grtz,

    Steve.
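The same staged cleanup, one task group per run and in the order listed in this post, as an added PowerShell example (not the author's script and not the CodePlex tool linked above). It calls the WSUS administration API (`Microsoft.UpdateServices.Administration`) and assumes it runs elevated on the WSUS server itself; the mapping of wizard options to `CleanupScope` flags is noted in the comments.

```powershell
# Added example; run elevated on the WSUS server (the API ships with the WSUS console).
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$cleanup = $wsus.GetCleanupManager()

# Same order as the post: decline first, then delete updates, then delete files.
$steps = @(
    @{ Name  = 'Decline expired and superseded updates'          # two bottom wizard options
       Flags = 'DeclineExpiredUpdates', 'DeclineSupersededUpdates' },
    @{ Name  = 'Delete unused updates and update revisions'      # first wizard option
       Flags = 'CleanupObsoleteUpdates', 'CompressUpdates' },
    @{ Name  = 'Delete unneeded update files'                    # third wizard option
       Flags = 'CleanupUnneededContentFiles' }
)

foreach ($step in $steps) {
    # A new scope has every task switched off; enable only this step's tasks.
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    foreach ($flag in $step.Flags) { $scope.$flag = $true }

    $timer  = [Diagnostics.Stopwatch]::StartNew()
    $result = $cleanup.PerformCleanup($scope)
    $timer.Stop()

    [pscustomobject]@{
        Step               = $step.Name
        ExpiredDeclined    = $result.ExpiredUpdatesDeclined
        SupersededDeclined = $result.SupersededUpdatesDeclined
        UpdatesDeleted     = $result.ObsoleteUpdatesDeleted
        RevisionsDeleted   = $result.UpdatesCompressed
        FreedMB            = [math]::Round($result.DiskSpaceFreed / 1MB, 1)
        Minutes            = [math]::Round($timer.Elapsed.TotalMinutes, 1)
    }
}
```

Saved as a script, this can be run from a monthly scheduled task; the per-step timings show which task is the slow one on a server that has never been cleaned.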

    Categories: Deployment, SCCM

    TechNet Live Meeting – How can you automate Windows 7 and Windows 2008 R2 installations?

    January 26th, 2010 Ben De Vriese No comments

    On February 4 you can follow a Microsoft TechNet Live Meeting about automating Windows 7 and Windows 2008 R2 installations.

    During this live meeting we will show you how to install Windows 7 and Windows Server 2008 R2 very quickly using our existing tools such as the “Microsoft Deployment Toolkit” and the “Windows Deployment Services”. We will also take a closer look at the “boot from VHD” functionality.
    You will also notice that Windows 7 and Windows Server 2008 R2 offer new possibilities to simplify and automate the installation.

    Language(s): Dutch.

    Product(s): Windows 7, Windows Server 2008 R2.

    Audience(s): Infrastructure specialists, IT decision maker, IT generalist, IT implementer, IT manager, Desktop/end-user specialist, Technical person with influence on BDM.

    Duration: 120 minutes

    Start date: Thursday, February 4, 2010 14:00

    Register for this event.

    Categories: Deployment, Server 2008 R2, Windows 7

    MDT 2010: SQL server does not exist or access denied

    January 18th, 2010 Ben De Vriese No comments

    While setting up some MDT lab environments, this SQL error crossed my path a couple of times.

    ZTI error opening SQL Connection. SQL server does not exist or access denied.

    Unable to establish database connection using [CSETTINGS] properties. SQL Server does not exist or access denied.

    Unable to establish database connection using [CROLES] properties. SQL Server does not exist or access denied.

    MDT 2010 cannot contact SQL Server

    I’m using a hidden share on the SQL Server box that MDT will use for authentication to the SQL Server. The same credentials are used to connect to the MDT database. So I had granted sufficient share and NTFS permissions to the hidden share and granted this user the db_datareader role on the MDT database.

    If we read the error again it is clear that MDT cannot contact the SQL Server, it even cannot find the server.

    Troubleshooting-time!

    I hit F8 during deployment to get into a command prompt. Once in the command prompt I could contact the SQL Server box with the ping command.

    A ping to the server gave a response from a wrong IP address. It turned out that the DNS server was holding an old IP address from the previous MDT and SQL Server installation. Deleting this A record and registering the SQL machine again (ipconfig /registerdns) was the solution for this issue.

    In another lab environment I could ping and map a share on the SQL Server box.

    net use * \\Servername\Hiddenshare$

    It turned out that we forgot to open the Windows Firewall for SQL Server. Adding an exception for sqlservr.exe and sqlbrowser.exe is enough. You don’t have to turn the firewall off completely.

    With the firewall configured as it should and all DNS records registered, no error occurred and deployment went successfully.

    Categories: Deployment, MDT 2010