
Blog Posts tagged with Software

Unsigned Driver Packaging

Assumption: You have the .inf file and the .sys file. Sometimes you don’t even have the .sys file.

Packaging Tool: Wise Packaging Studio 8.0 (You can also do it using ORCA or InstallShield). Need the DIFx Merge Module. Copy the Merge Module into the …\Wise Share Point\Merge Modules folder.

Driver Tools: Download MS Platform 2003 SP1 SDK and MS Windows Driver SDK v7 (Need dpinst.exe and Inf2Cat.exe). Need the following files.

Steps to create the certificate and catalog file

Step 1

Run the following command

Makecert.exe -r -sv XYZGGC.pvk -n "CN=XYZGGC" XYZGGC.cer

Provide a password twice; make sure it’s not a strong password. I have used password as the password

XYZGGC.cer and XYZGGC.pvk will be created.

Step 2

Run the following command

Cert2spc.exe XYZGGC.cer XYZGGC.spc

It creates XYZGGC.spc

Step 3

Run the following command (the password needs to be same as the above)

Pvk2pfx.exe -pvk XYZGGC.pvk -pi password -spc XYZGGC.spc -pfx XYZGGC.pfx -po password

Creates an XYZGGC.pfx file.

Step 4: Creating catalog file for the driver

Run the following command

Inf2cat /driver:"C:\UnsignedDriver\Drivers" /os:7_x86,XP_X86 /verbose

You might get some errors

 

Some common errors and fixes:

For Win7, the date (DriverVer) should be after 4/21/2009.

Add the entry CatalogFile.ntx86=DhrunAK128.cat after the DriverVer. DhrunAK128 is the same name as the inf file.

If the driver comes with additional files, then they have to be added under [SourceDisksFiles] in the inf file.

So you have a catalog file dhrunak128.cat

Step 5: Signing the catalog file

Run the following command

Signtool sign /f XYZGGC.pfx /p password /t http://timestamp.verisign.com/scripts/timestamp.dll /v C:\UnsignedDriver\Drivers\dhrunak128.cat

Needs the same password as used earlier on.

Now we have a signed catalog file.

 

Making the Driver Package using Wise Packaging Studio

 

Open Wise Packaging Studio

Select Windows Installer Editor

Select Device Driver

Rename the Default Feature (Complete) as Driver

Go to Merge Module and add the DIFxApp Merge Module in the feature Driver. Next > Finish

Create a folder with a name of your choice under Program Files for the driver files and make it the INSTALLDIR.

In case of multiple drivers create separate folders for each one inside the INSTALLDIR. Make sure that the files are not in the same folder.

Now add the .inf, .sys, .cat and other files (following the same folder order as supplied by the vendor) in the respective driver folders.

Now go to the components of the .inf files and make sure that the .inf files are the key files for the components.

Now click on the .inf file of one driver and select details.

Now go to Drivers and tick the Use DIFApp to install this driver file box.

 

Do the same for the other drivers. You can see the Driver Installation Order as you keep on adding driver installation.

Now for Unsigned Drivers you need to import the certificates before installing the drivers.

For this you need to write a custom action and also add the certificate manager and the certificate (created above) in the installation.

Create a folder under the INSTALLDIR named Cert and put the CertMgr.exe and the XYZGGC.cer in the folder.

Now go to MSI Script and you need to add two custom actions.

The CA should be after the BindImage Action. Add an End Statement.

Now Select Execute Program from Installed Files.

Give a Name, Call the CertMgr.exe by browsing to the required target folder inside installation.

Add the command line

-add "C:\Program Files\******\Cert\XYZGGC.cer" -s -r LocalMachine TRUSTEDPUBLISHER

For properties, select Deferred Execution in System Context and Synchronous, Ignore Exit Code.

 

Just after this Custom action add another similar Custom Action with a different Command Line Argument

-add "C:\Program Files\*****\Cert\XYZGGC.cer" -s -r LocalMachine ROOT

Add an End Statement.

Now compile the WPS Project file to get a msi.

Now open the msi with WPS.

Go to the InstallExecuteSequence Table.

Make sure that the sequence number for MsiProcessDrivers is higher than the Custom action you have created to import the certificates.

Recompile the MSI.
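
A post-install check for the procedure above, as an added example that is not part of the original post: it confirms that XYZGGC.cer is present in both LocalMachine stores and that the signed catalog validates against that same certificate. The default file locations and the function name Test-DriverCertTrust are assumptions made for the example.

```powershell
# Added example: verify the outcome of the signing and import steps on a test machine.
# Both default paths are assumptions; point them at your own files.
param(
    [string]$CerPath = '.\XYZGGC.cer',
    [string]$CatPath = 'C:\UnsignedDriver\Drivers\dhrunak128.cat'
)

function Test-DriverCertTrust {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$CatPath
    )

    # Load the certificate created in Step 1. Resolve the path first because
    # .NET resolves relative paths against the process directory, not the PS location.
    $full  = (Resolve-Path -LiteralPath $CerPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $thumb = $cert.Thumbprint

    # The two custom actions add the certificate to these LocalMachine stores.
    $inRoot      = Test-Path -Path "Cert:\LocalMachine\Root\$thumb"
    $inPublisher = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$thumb"

    # The catalog signed in Step 5 must validate and carry the same signer.
    $sig = Get-AuthenticodeSignature -FilePath $CatPath
    $signerMatches = ($null -ne $sig.SignerCertificate) -and
                     ($sig.SignerCertificate.Thumbprint -eq $thumb)

    [pscustomobject]@{
        Thumbprint         = $thumb
        Subject            = $cert.Subject
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        NotAfter           = $cert.NotAfter
        InRoot             = $inRoot
        InTrustedPublisher = $inPublisher
        CatalogStatus      = $sig.Status          # 'Valid' once the certificate is trusted
        CatalogSignerMatch = $signerMatches
        Timestamped        = ($null -ne $sig.TimeStamperCertificate)
    }
}

Test-DriverCertTrust -CerPath $CerPath -CatPath $CatPath | Format-List
```

A certificate in ROOT is trusted machine-wide and not only for this driver, so the thumbprint printed here is the value to record in the package documentation and to remove from both stores when the driver is retired.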


KACE SMA | Bitlocker

04/25/2019 added a compatibility matrix.

03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me creating this.



OS Common Name       | Build Version | Compatible
1507 (RTM) Pro & Ent | 10240         | No
1511 Pro & Ent       | 10586         | No
1607 Pro & Ent       | 14393         | No
1703 Pro & Ent       | 15063         | No
1709 Pro & Ent       | 16299         | Yes
1803 Pro & Ent       | 17134         | Yes
1809 Pro & Ent       | 17763         | Yes

Feel free to check your support status of Windows 10 with this report: https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report


Hi all,

 

It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article you can download several individual KACE-packages. You can download all of them here:  DOWNLOAD

If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look at this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources

 

First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have a TPM module in your devices which needs to be activated and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:

bitlocker_00.png

 

My scenario is that Win10 devices should use Bitlocker with Aes256 bit to secure the hard disk. The disk should be automatically unlocked by TPM during boot (no password needed). If something went wrong or the hardware has changed there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.

 

The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:

bitlocker_01.png

 

To start we should first create a smart label which groups all devices where a TPM module is ready for the use with Bitlocker and no encryption technology is used. You can download the ready to use KACE-package here: DOWNLOAD

 

TPM Based Bitlocker Ready

bitlocker_02.png


Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.

 

KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above. You can download a ready to use KACE-Script here: DOWNLOAD

 

[TW] Bitlocker enable TPM  & Password

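# Enable BitLocker on the system drive with AES-256 and a TPM protector
Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
Start-Sleep -Seconds 15
# Add a recovery password protector, needed in case of hardware changes
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector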

This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.

bitlocker_03.png

 

You can also check the actual state in your KACE SMA device inventory:


 

If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during the bootup by the TPM module. Now we need a custom inventory to store all the key protector information in our SMA device inventory. This can be done with a simple custom inventory rule. You can download the ready to use KACE-package here: DOWNLOAD

 

Inventory: Bitlocker Recovery

(Get-BitLockerVolume).KeyProtector


Good to know is that devices which need the recovery key will display a screen where users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is they can give you the ID and you can search for it in your KACE SMA device inventory or build a report for that.


 bitlocker_08.png

 

If you want to be sure that clients will always have a recovery password as a key protector you can additionally create a smart label. This will check the right key protectors after every inventory of the device. This could be used for running a script which will then add a recovery password as a key protector. This could be useful if admins change configurations locally on the endpoints. The smart label can be downloaded here: DOWNLOAD


Bitlocker missing Protector


All clients which fall into this label can then run the following KACE script on a daily schedule. You can download the script here: DOWNLOAD


[TW] Bitlocker add protector

Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
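
The checks that the two smart labels express (encryption with Aes256, a TPM protector, a recovery password protector) can also be evaluated on the endpoint itself. The following is an added example, not one of the downloadable KACE scripts; the function name Get-BitLockerCompliance and the wording of the findings are made up for it.

```powershell
# Added example: evaluate the system drive against the scenario of this article.
# Must run elevated (Get-BitLockerVolume requires administrator rights).
function Get-BitLockerCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object { $_ })
    $types      = @($protectors | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Report protector IDs only: the ID is what the recovery screen shows the user.
    $recoveryIds = @($protectors |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    $problems = @()
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $problems += 'volume is not encrypted'
    }
    else {
        if ($vol.EncryptionMethod -ne 'Aes256') {
            $problems += "encryption method is $($vol.EncryptionMethod), expected Aes256"
        }
        # Protection can read Off while the first encryption pass is still running.
        if ($vol.ProtectionStatus -ne 'On' -and $vol.VolumeStatus -ne 'EncryptionInProgress') {
            $problems += 'protection is off or suspended'
        }
    }
    if ($types -notcontains 'Tpm') {
        $problems += 'no TPM protector'
    }
    if ($recoveryIds.Count -eq 0) {
        $problems += 'no recovery password protector'
    }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        ProtectorTypes      = ($types -join ', ')
        RecoveryPasswordIds = ($recoveryIds -join ', ')
        Compliant           = ($problems.Count -eq 0)
        Problems            = ($problems -join '; ')
    }
}

Get-BitLockerCompliance | Format-List
```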


This is the basic setup you can use to manage your hard disk encryption for your endpoints. You can think about creating a notification which will alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you create your own KITLOCKER strategy. If there is anything unclear feel free to use the comment section.

 

Kind Regards

Timo

 


K1000 :: Inventory :: Software :: Custom ticket rule for RegistryValueReturn REG_DWORD value for 5.3

If you are unable to get a RegistryValueReturn to work with a REG_DWORD key, try the following steps as a workaround:

 

ShellCommandTextReturn(reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AA1000000001} /v language) 

I did this rule in my test environment and it worked like a champ. 

1. Open up regedit.exe 
2. Find the key that you want 
3. Right-click it and say "copy key name" 
4. In your custom inventory rule, type: 

ShellCommandTextReturn(reg query <insert_clipboard_contents_here_minus_brackets> /v <insert_value_name_here_minus_brackets>) 

5. Make sure to select the OSes that you want the rule to apply to. 
6. Force an inventory on a machine to test. 


When mine worked, I got this under Custom Inventory Rules in my computer inventory: 

1) CUSTOM - Registry Value Return:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AA1000000001} 
language REG_DWORD 0x409 

[string] 


Profiling Firefox in Citrix XenApp 6.5

Hello,

In the next few steps I will share with you how to profile Firefox (ver. 13) in Citrix XenApp 6.5

Intro:

Firefox, as you all know, is a web browser by Mozilla. Most of us have often struggled with the first few screens that come up when you launch Firefox for the first time after installation. It's really painful to repeat all those steps if you are planning to deploy this application over a network.

Solution:

Firefox creates a profile under %Appdata% (Roaming in the case of Windows 7). If you open this folder you will find a folder named Mozilla. Under it you will find the folder Firefox, and under that you will find folders named Crash Reports and Profiles and a profiles.ini file. If you open profiles.ini, you will find the following content in it

[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/n9i7r825.default

The most important thing in this ini file is its last line (Path=Profiles/n9i7r825.default). Open the Profiles folder in the directory where profiles.ini is present and you will find a folder with exactly the same name as in the ini file. If you delete this folder, Firefox will again ask you to configure it, in the same manner as when you launched the application for the first time. So to avoid this, make sure you never delete this folder.

Now coming to the suppression of updates in Firefox. All the options related to the pop-ups that surface after configuring Firefox (updates, sending crash reports, etc.) are stored in the prefs.js file, and this is the file that we are looking for. It is located at %AppData%\Mozilla\Firefox\Profiles\n9i7r825.default\prefs.js. Always keep a backup of this file in case you don't wish to configure Firefox over and over again after installation. Just copy this file to the above-mentioned location as soon as the installation is over, and Firefox will never bother you for the configuration.

How to Profile:

Now what I am about to cover here is pertaining to XenApp 6.5.

1. Open the profiler in the profiling machine

2. Select New profile in the above step

3. Click next

4. Name the profile as per your requirement.

5. Click next

6. Click next

7. Select the platform for which you wish to deploy the application and its language

8. If your installation has just a single installer, select the default option; otherwise select the advanced option, continue with the default option already present on the next screen and click next

9. Pass the exe and command line arguments, if any, on this screen and click next

10. Click launch installer. At this stage the installation of Firefox will start. Proceed as if you were installing Firefox on your machine. Once the installation is done, the next button will become enabled by itself; click next and it will take you to the next screen

Click next if you don't wish to install other applications alongside Firefox. If you wish to profile other applications along with Firefox, select the second option. The rest, I presume, should be easy for all those reading this.

On the next screen the profiler will detect the installed applications by default. If it doesn't, it means something went wrong and you need to start profiling again.

Click next once you have run the application.

Click next on this screen

Follow the default settings on the next screen until you reach the final screen, where the profiler asks you to build the profile

Click finish and the profiler will build your profile. Exclusions related to files and folders can be done by opening the .profile file for upgrade. I will cover that later on; right now I don't wish to confuse the audience.

Finishing the application
If you remember, I discussed the prefs.js file in the beginning. Now that file comes into play. What I didn't tell you was that XenApp 6.5 doesn't capture user-related files, so how do we handle it? At this stage we need to write a prelaunch VBScript which will copy this file every time the application is launched.

But first let me share with you the contents of the prefs.js file

# Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */

user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("app.update.mode", 0);
user_pref("app.update.service.enabled", false);
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.disk.capacity", 1048576);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.migration.version", 6);
user_pref("browser.places.smartBookmarksVersion", 3);
user_pref("browser.preferences.advanced.selectedTabIndex", 2);
user_pref("browser.rights.3.shown", true);
user_pref("browser.search.update", false);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.startup.homepage_override.buildID", "20120614114901");
user_pref("browser.startup.homepage_override.mstone", "13.0.1");
user_pref("browser.taskbar.lastgroupid", "E7CF176E110C211B");
user_pref("extensions.blocklist.pingCountVersion", 0);
user_pref("extensions.bootstrappedAddons", "{}");
user_pref("extensions.databaseSchema", 12);
user_pref("extensions.enabledAddons", "{972ce4c6-7e08-4474-a285-3208198ce6fd}:13.0.1");
user_pref("extensions.installCache", "[{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\extensions\\\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\",\"mtime\":1341981846073}}}]");
user_pref("extensions.lastAppVersion", "13.0.1");
user_pref("extensions.lastPlatformVersion", "13.0.1");
user_pref("extensions.pendingOperations", false);
user_pref("extensions.shownSelectionUI", true);
user_pref("intl.charsetmenu.browser.cache", "UTF-8");
user_pref("network.cookie.prefsMigrated", true);
user_pref("places.history.expiration.transient_current_max_pages", 104858);
user_pref("privacy.sanitize.migrateFx3Prefs", true);
user_pref("services.sync.clients.lastSync", "0");
user_pref("services.sync.clients.lastSyncLocal", "0");
user_pref("services.sync.globalScore", 0);
user_pref("services.sync.migrated", true);
user_pref("services.sync.nextSync", 0);
user_pref("services.sync.tabs.lastSync", "0");
user_pref("services.sync.tabs.lastSyncLocal", "0");
user_pref("toolkit.startup.last_success", 1341982165);
user_pref("toolkit.telemetry.prompted", 2);
user_pref("toolkit.telemetry.rejected", true);
user_pref("urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey", 1344569870);
user_pref("xpinstall.whitelist.add", "");
user_pref("xpinstall.whitelist.add.36", "");
 

The highlighted sections matter the most. If you observe closely, the highlighted lines are self-explanatory; if not, let me tell you that those lines will suppress automatic updates and automatic search engine updates.
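
Because the profile pins these settings for every user, it helps to be able to list which profiles actually carry them. The following is an added example, not part of the original post: it parses each prefs.js of the current user and reports the update-related preferences from the listing above. The function name Get-FirefoxPref is made up, and treating these five preferences as the update-related ones is an assumption based on their names.

```powershell
# Added example: report the update-related preferences of every Firefox
# profile of the current user. Preference names are taken from the listing above.
$UpdatePrefs = 'app.update.auto', 'app.update.enabled', 'app.update.mode',
               'app.update.service.enabled', 'browser.search.update'

function Get-FirefoxPref {
    param([Parameter(Mandatory)][string]$PrefsPath)

    $prefs = @{}
    foreach ($line in Get-Content -LiteralPath $PrefsPath) {
        # One preference per line: user_pref("name", value);
        if ($line -match '^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$') {
            $prefs[$Matches[1]] = $Matches[2]
        }
    }
    $prefs
}

$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = Join-Path $_.FullName 'prefs.js'
        if (-not (Test-Path -LiteralPath $file)) { return }   # profile without prefs.js

        $prefs = Get-FirefoxPref -PrefsPath $file
        foreach ($name in $UpdatePrefs) {
            [pscustomobject]@{
                Profile = $_.Name
                Pref    = $name
                Value   = if ($prefs.ContainsKey($name)) { $prefs[$name] } else { '(not set)' }
            }
        }
    } | Format-Table -AutoSize
```

With automatic updates switched off this way, new Firefox versions reach users only when the profiled package itself is rebuilt and republished.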

Now comes the prelaunch VBScript file. But before that, did I tell you where you should keep this file so that prelaunch.vbs copies it every time it runs for the user? For that, open the .profile file generated in the above profiling steps.

Refer to the image below

Click update/install application so that we can add the file. Click next on the screen that appears.

On the next screen, select advanced install and click next. On the next screen, select the "select files and folders" radio button and click next. It will take you to the following screen

The left-hand section shows the files on the machine and the right-hand section shows the files in the profiled application. In the left-hand section, navigate to the desktop folder (I presume that should not be difficult). Once in the desktop folder, add that folder to the captured installation directory of Firefox (you can keep the file anywhere in the captured directories, but I prefer INSTALLDIR). Once the file is added, click next. On the next screen, select finish application and click next. Again you will be presented with the screen asking you to run the application. Run the application and follow the on-screen instructions. When done, follow the default options on the screen until you get the screen which asks you to build the profile and voila, you are done adding the file.

Now let's write our VBScript file. Use the following content. I don't own any of the following content. Nor am I a very good scripter, but I can write everyday scripts that get the work done.

======================================================================

Option Explicit

' Continue past runtime errors instead of aborting the script
On Error Resume Next
Const OVERWRITE_EXISTING = True

Dim objShell, objFso, strCD, strAppdata, strSource1, strSource2
Dim strDest1, strDest2, strDest3, strMicro, strFile

Set objShell = WScript.CreateObject("WScript.Shell")
Set objFso = CreateObject("Scripting.FileSystemObject")

strAppdata = objShell.ExpandEnvironmentStrings("%appdata%")
strCD = objShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%")

' Source files that were added to the Firefox installation directory of the profile
strSource1 = strCD & "\Mozilla Firefox\profiles.ini"
strSource2 = strCD & "\Mozilla Firefox\prefs.js"

' Destination folders in the user's roaming profile
strMicro = strAppdata & "\Mozilla\"
strDest1 = strAppdata & "\Mozilla\Firefox\"
strDest2 = strAppdata & "\Mozilla\Firefox\Profiles\"
strDest3 = strAppdata & "\Mozilla\Firefox\Profiles\382pmpjp.default\"
strFile = strAppdata & "\Mozilla\Firefox\Profiles\382pmpjp.default\prefs.js"

' Create the folder chain one level at a time (CreateFolder does not create parents)
If Not objFso.FolderExists(strMicro) Then
    objFso.CreateFolder strMicro
End If

If Not objFso.FolderExists(strDest1) Then
    objFso.CreateFolder strDest1
End If

If Not objFso.FolderExists(strDest2) Then
    objFso.CreateFolder strDest2
End If

If Not objFso.FolderExists(strDest3) Then
    objFso.CreateFolder strDest3
End If

' Copy the files only if this user does not have a prefs.js yet
If Not objFso.FileExists(strFile) Then
    objFso.CopyFile strSource1, strDest1
    objFso.CopyFile strSource2, strDest3, OVERWRITE_EXISTING
End If

Set objShell = Nothing
Set objFso = Nothing

======================================================================

Save this file as anyname.vbs
Now how do we add this script to our profile?

Again refer to the following options

This time click properties and you will get the following screen

Select the highlighted section. Uncheck "use profile settings". This will open up the prelaunch & post-exit scripts section.

Click Add. Browse to the directory where you have kept your vbs file. Do not change any other option on the window unless you are sure about it. Once done adding the file, click apply and ok and save the profile on the desktop, and you are done. Now when you publish this application you will no longer get the same configuration windows and auto update will also be disabled.

Do let me know in case someone finds any difficulty in the above-mentioned steps

 

 


Custom Inventory Rule and Accessing Registry on 64 Bit OS

The Dell KACE agent is a 32-bit application. Hence on a 64-bit OS, the registry path HKLM\Software in the Dell KACE agent will point to HKLM\Software\Wow6432Node.

Hence, in a Custom Inventory Rule, to access HKLM\Software of the 64-bit hive, use HKLM64\Software.

Ex:

On a 64-bit OS, to check the existence of a registry key under HKLM\Software\Intel, construct the Custom Inventory Rule as

RegistryKeyExists(HKLM64\Software\Intel)
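
The redirection described above can be observed from PowerShell by opening the same key through both registry views. This is an added example, not KACE functionality or code from the original post; the function name Test-RegistryKeyInView is made up for it.

```powershell
# Added example: compare what a 32-bit process (such as the agent) and a
# 64-bit process see for the same HKLM subkey.
function Test-RegistryKeyInView {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View
    )

    # OpenBaseKey selects the view explicitly, independent of the bitness
    # of the PowerShell process that runs this script.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -ne $key) {
            $key.Dispose()
            return $true
        }
        return $false
    }
    finally {
        $base.Dispose()
    }
}

# Software\Intel is the key used in the rule above.
foreach ($sub in 'Software\Intel') {
    [pscustomobject]@{
        SubKey              = "HKLM\$sub"
        'Seen32bit(HKLM)'   = Test-RegistryKeyInView -SubKey $sub -View Registry32
        'Seen64bit(HKLM64)' = Test-RegistryKeyInView -SubKey $sub -View Registry64
    }
}
```

On a 32-bit OS both columns report the same result, because a request for the 64-bit view falls back to the only view that exists.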