
Blog Posts tagged with Supporting Windows


Unsigned Driver Packaging

Assumption: You have the .inf file and the .sys file. Sometimes you don’t even have the .sys file.

Packaging Tool: Wise Packaging Studio 8.0 (you can also do it with ORCA or InstallShield). You need the DIFx Merge Module; copy it into the …\Wise Share Point\Merge Modules folder.

Driver Tools: Download the MS Platform 2003 SP1 SDK and the MS Windows Driver SDK v7 (you need dpinst.exe and Inf2Cat.exe from them). Need the following files.

Steps to create the certificate and catalog file

Step 1

Run the following command

makecert.exe -r -sv XYZGGC.pvk -n "CN=XYZGGC" XYZGGC.cer

Provide a password twice; make sure it’s not a strong password. I have used "password" as the password.

XYZGGC.cer and XYZGGC.pvk will be created.

Step 2

Run the following command

Cert2spc.exe XYZGGC.cer XYZGGC.spc

It creates XYZGGC.spc

Step 3

Run the following command (the password needs to be the same as above):

pvk2pfx.exe -pvk XYZGGC.pvk -pi password -spc XYZGGC.spc -pfx XYZGGC.pfx -po password

Creates an XYZGGC.pfx file.

Step 4: Creating catalog file for the driver

Run the following command

inf2cat /driver:"C:\UnsignedDriver\Drivers" /os:7_X86,XP_X86 /verbose

You might get some errors.

 

Some common errors and fixes:

For Win7 the DriverVer date in the .inf must be later than 4/21/2009.

Add the entry CatalogFile.ntx86=DhrunAK128.cat after the DriverVer line. DhrunAK128 is the same name as the .inf file.

If the driver comes with additional files, they have to be listed under [SourceDisksFiles] in the .inf file.

You now have the catalog file dhrunak128.cat.

Step 5: Signing the catalog file

Run the following command

signtool sign /f XYZGGC.pfx /p password /t http://timestamp.verisign.com/scripts/timestamp.dll /v C:\UnsignedDriver\Drivers\dhrunak128.cat

Needs the same password as used earlier on.

Now the catalog file carries a signature made with our certificate.
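The five steps above, collected into one script. This is an added example, not part of the original post: the certificate name, driver folder, inf2cat switches and timestamp URL are the post's own values, while $ToolDir (where the SDK/WDK binaries live) and the Invoke-Tool helper are assumptions. makecert still pops up its password dialog; enter the same password the script passes to pvk2pfx.

```powershell
# Added example (not from the original post): steps 1-5 as one script.
$ErrorActionPreference = 'Stop'

$CertName  = 'XYZGGC'                            # subject and file base name used in the post
$DriverDir = 'C:\UnsignedDriver\Drivers'         # folder holding the .inf and .sys
$ToolDir   = 'C:\WinDDK\7600.16385.1\bin\x86'    # assumption: where makecert/inf2cat/signtool live
$Password  = 'password'                          # the post's example password

function Invoke-Tool($Exe, [string[]]$ToolArgs) {
    # Run one of the SDK tools and stop the script if it reports an error.
    & (Join-Path $ToolDir $Exe) @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: self-signed certificate plus private key (.cer / .pvk); makecert asks for the password.
Invoke-Tool 'makecert.exe' @('-r', '-sv', "$CertName.pvk", '-n', "CN=$CertName", "$CertName.cer")

# Step 2: wrap the certificate in a Software Publisher Certificate (.spc).
Invoke-Tool 'cert2spc.exe' @("$CertName.cer", "$CertName.spc")

# Step 3: combine key and certificate into a PFX that signtool can use.
Invoke-Tool 'pvk2pfx.exe' @('-pvk', "$CertName.pvk", '-pi', $Password,
                            '-spc', "$CertName.spc", '-pfx', "$CertName.pfx", '-po', $Password)

# Step 4: build the catalog from the .inf (one .cat per CatalogFile entry in the .inf).
Invoke-Tool 'inf2cat.exe' @("/driver:$DriverDir", '/os:7_X86,XP_X86', '/verbose')

# Step 5: sign every catalog inf2cat produced, with a timestamp.
Get-ChildItem -Path $DriverDir -Filter '*.cat' | ForEach-Object {
    Invoke-Tool 'signtool.exe' @('sign', '/f', "$CertName.pfx", '/p', $Password,
                                 '/t', 'http://timestamp.verisign.com/scripts/timestamp.dll',
                                 '/v', $_.FullName)

    # Check: the catalog must now be signed by the certificate we just created.
    # The self-signed root is not trusted on the build machine yet, so only the
    # signer is checked here; full chain validation happens once XYZGGC.cer is
    # imported on the target machine.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.SignerCertificate.Subject -ne "CN=$CertName") {
        throw "Unexpected signer on $($_.Name): $($sig.SignerCertificate.Subject)"
    }
}
```

The .pvk and .pfx produced in steps 1 and 3 are the only things that make the signature meaningful; anything signed with them will be trusted by every machine that later imports XYZGGC.cer, so keep them out of the driver package and off shared build folders.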

 

Making the Driver Package using Wise Packaging Studio

 

Open Wise Packaging Studio

Select Windows Installer Editor

Select Device Driver

Rename the Default Feature (Complete) as Driver.

Go to Merge Module and add the DIFxApp Merge Module in the feature Driver. Next > Finish

 
Create a folder with a name of your choice under Program Files for the driver files and make it the INSTALLDIR.

In case of multiple drivers create separate folders for each one inside the INSTALLDIR. Make sure that the files are not in the same folder.

Now add the .inf, .sys, .cat and other files(following the same folder order as supplied by the vendor) in the respective driver folders.

Now go to the components of the .inf files and make sure that the .inf files are the key files for the components.

Now click on the .inf file of one driver and select details.

Now go to Drivers and tick the "Use DIFxApp to install this driver file" box.

 

Do the same for the other drivers. You can see the Driver Installation Order as you keep on adding driver installation.

Now for Unsigned Drivers you need to import the certificates before installing the drivers.

For this you need to write a custom action and also add the certificate manager and the certificate (created above) in the installation.

Create a folder under the INSTALLDIR named Cert and put the CertMgr.exe and the XYZGGC.cer in the folder.

Now go to MSI Script and you need to add two custom actions.

The CA should be after the BindImage Action. Add an End Statement.

Now Select Execute Program from Installed Files.

Give it a name and call CertMgr.exe by browsing to the required target folder inside the installation.

Add the command line

-add "C:\Program Files\******\Cert\XYZGGC.cer" -s -r localMachine TRUSTEDPUBLISHER

For properties select, Deferred Execution in System Context and Synchronous , Ignore Exit code.

 

Just after this Custom action add another similar Custom Action with a different Command Line Argument

-add "C:\Program Files\*****\Cert\XYZGGC.cer" -s -r localMachine ROOT

Add an End Statement.

Now compile the WPS Project file to get a msi.

Now open the msi with WPS.

Go to the InstallExecuteSequence Table.

Make sure that the sequence number for MsiProcessDrivers is higher than the Custom action you have created to import the certificates.

Recompile the MSI.
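What the two custom actions do at install time, with a check afterwards that the certificate really landed in both stores. This is an added example, not from the original post: the certmgr.exe arguments are the post's, while $InstallDir stands in for the INSTALLDIR the post shows as "******".

```powershell
# Added example (not from the original post): the two certmgr.exe custom
# actions, followed by a verification of both machine stores.
$ErrorActionPreference = 'Stop'
$InstallDir = 'C:\Program Files\ExampleDriverPackage'   # assumption: the INSTALLDIR chosen in WPS
$CertFile   = Join-Path $InstallDir 'Cert\XYZGGC.cer'
$CertMgr    = Join-Path $InstallDir 'Cert\CertMgr.exe'

# Load the certificate so the check below can match on thumbprint, not on name.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# Custom action 1 (TRUSTEDPUBLISHER) and custom action 2 (ROOT): same command, different store.
foreach ($store in 'TRUSTEDPUBLISHER', 'ROOT') {
    & $CertMgr -add $CertFile -s -r localMachine $store
    if ($LASTEXITCODE -ne 0) { throw "certmgr.exe failed for store $store (exit code $LASTEXITCODE)" }
}

# Check: both stores must hold the certificate before MsiProcessDrivers runs,
# otherwise the driver install shows the publisher warning the import is meant to avoid.
foreach ($path in 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\LocalMachine\Root') {
    $found = Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $found) { throw "Certificate $($cert.Subject) is missing from $path" }
}
"Certificate $($cert.Thumbprint) is trusted as publisher and root on this machine."
```

Because the second action puts a self-signed certificate into the machine Root store, every binary signed with that key chains to a trusted root on each installed machine; the check above is also a convenient way to find which machines carry the certificate when the key is later retired.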


KACE SMA | Bitlocker

04/25/2019 added a compatibility matrix.

03/29/2019 added some modifications. Thanks to Andrew Lubchansky for helping me creating this.



OS Common Name          Build Version   Compatible
1507 (RTM) Pro & Ent    10240           No
1511 Pro & Ent          10586           No
1607 Pro & Ent          14393           No
1703 Pro & Ent          15063           No
1709 Pro & Ent          16299           Yes
1803 Pro & Ent          17134           Yes
1809 Pro & Ent          17763           Yes

Feel free to check your support status of Windows 10 with this report: https://www.itninja.com/blog/view/kace-sma-windows-10-end-of-life-report


Hi all,

 

It’s a long time since I have posted a blog here. Today I want to share with you my KITLOCKER (KACE & Bitlocker ;) ) stuff. In this article you can download several individual KACE-packages. You can download all of them here:  DOWNLOAD

If you need assistance in importing these files to your KACE SMA feel free to contact your local partner, your local sales rep or have a look to this KB article: https://support.quest.com/kace-systems-management-appliance/kb/116949/how-to-import-and-export-resources

 

First: These scripts are Win10 only and tested with x64 1809 Pro and Ent. Also, you need to have a TPM module in your devices, which needs to be activated, and the OS needs to be the owner (default in Win10)! You can double check this in your KACE SMA device inventory:

[image: bitlocker_00.png]

 

My scenario is that Win10 devices should use Bitlocker with Aes256 bit to secure the hard disk. The disk should be automatically unlocked by TPM during boot (no password needed). If something went wrong or the hardware has changed there should be a recovery key which can be entered. This key should be stored in KACE SMA and not in AD. Also, there should be no GPO involved.

 

The Bitlocker information in your device inventory should look like this if there is currently nothing set up on your device:

[image: bitlocker_01.png]

 

To start we should first create a smart label which groups all devices where a TPM module is ready for the use with Bitlocker and no encryption technology is used. You can download the ready to use KACE-package here: DOWNLOAD

 

TPM Based Bitlocker Ready

[image: bitlocker_02.png]


Of course, you could add a filter like “OS Name” contains “Windows 10” (or any other filter which matches your environment) to make sure that only your clients will get Bitlocker enabled.

 

KACE SMA will now put all the devices where we can enable Bitlocker into this Label. There is a simple PowerShell command which will enable Bitlocker and start the encryption. Also it will add a recovery password as a key protector which will be needed in case of hardware changes. You can run this by a daily schedule and all devices which already have Bitlocker enabled will not be affected if you use the “TPM Based Bitlocker Ready” smart label which I have shown above. You can download a ready to use KACE-Script here: DOWNLOAD

 

[TW] Bitlocker enable TPM  & Password

Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
sleep -Seconds 15
Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector

This will start the encryption process of the C: drive. The user can’t abort it and it will also survive reboots.

[image: bitlocker_03.png]

 

You can also check the actual state in your KACE SMA device inventory:


 

If the encryption has been completed by the device, it will automatically fall out of the “TPM Based Bitlocker Ready” smart label. Now we have a secured hard disk which will be automatically unlocked during boot by the TPM module. Next we need a custom inventory to store all the key protector information in our SMA device inventory. This can be done with a simple custom inventory rule. You can download the ready to use KACE-package here: DOWNLOAD

 

Inventory: Bitlocker Recovery

(Get-BitLockerVolume).KeyProtector


Good to know is that devices which need the recovery key will display a screen where users can see the ID of the numerical password. If they call your helpdesk team and don’t know which computer it is they can give you the ID and you can search for it in your KACE SMA device inventory or build a report for that.


[image: bitlocker_08.png]

 

If you want to be sure that clients will always have a recovery password as a key protector, you can additionally create a smart label. This will check for the right key protectors after every inventory of the device. It can be used to run a script which then adds a recovery password as a key protector. This is useful if admins change configurations locally on the endpoints. The smart label can be downloaded here: DOWNLOAD


Bitlocker missing Protector


All clients which fall into this label can then run the following KACE script on a daily schedule. You can download the script here: DOWNLOAD


[TW] Bitlocker add protector

Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
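The three scripts above (enable, add protector, inventory) as one idempotent PowerShell script that can run on a daily schedule without the smart labels doing the gating for it. This is an added example, not one of the KACE scripts from the post: the cmdlets are the standard BitLocker and TrustedPlatformModule ones, and the function names and $OsDrive are assumptions.

```powershell
# Added example (not from the original post): enable BitLocker with a TPM
# protector, make sure exactly one recovery password exists, and emit the
# protector list the custom inventory rule collects.
$ErrorActionPreference = 'Stop'
$OsDrive = $env:SystemDrive

function Test-TpmReady {
    # Same condition the "TPM Based Bitlocker Ready" smart label encodes:
    # a TPM that is present, enabled, activated and owned by the OS.
    $tpm = Get-Tpm
    return ($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-RecoveryProtector([string]$MountPoint) {
    # Only the numerical-password protectors, i.e. what the helpdesk looks up by ID.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

if (-not (Test-TpmReady)) {
    throw 'TPM is not ready; Bitlocker with a TPM protector cannot be enabled on this device.'
}

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # [TW] Bitlocker enable TPM & Password: only on a drive that is not yet encrypted,
    # because Enable-BitLocker fails on a volume that already has protectors.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
    Start-Sleep -Seconds 15
}

if (-not (Get-RecoveryProtector $OsDrive)) {
    # [TW] Bitlocker add protector: only when none exists, so daily runs do not
    # pile up extra recovery passwords on the volume.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# Inventory: Bitlocker Recovery. KeyProtectorId is what the user reads from the
# recovery screen; RecoveryPassword is what the helpdesk hands back.
Get-RecoveryProtector $OsDrive | Select-Object KeyProtectorId, RecoveryPassword
```

The VolumeStatus guard is what makes the script safe to repeat: a device in the middle of encryption (EncryptionInProgress) or already done (FullyEncrypted) skips straight to the protector check, which is the same job the “Bitlocker missing Protector” label does server-side.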


This is the basic setup you can use to manage hard disk encryption for your endpoints. You can think about creating notifications which alert you if a device has Bitlocker missing or a wrong configuration. I hope that this article helps you create your own KITLOCKER strategy. If there is anything unclear, feel free to use the comment section.

 

Kind Regards

Timo

 


Step-by-step: How to create a network bootable floppy


A Step-by-Step: Creating a Network Boot Disk 

Using Windows NT's Network Client Administrator

Creating a network boot disk can be a real headache. The subject is documented fairly poorly, and tools to help you do the job are equally hard to come by. Because imaging software needs network startup disks, this has become a regularly revisited subject at AppDeploy. Though most imaging software packages come with their own network boot disk generation utility, even with these you may still want to create your own to make the most of the limited space on that floppy disk. Step-by-step instructions covering how to do it yourself seem to be very difficult to find, so here goes:


Network Client Administrator Installation

If you have an NT workstation you may skip to "Network Client Administrator Execution". Windows 2000 does not include an equivalent tool, however you may use the Windows NT version of the tool on a Windows 2000 system by performing the following steps: 

Create a folder called C:\Ncadmin.

Create a subfolder called C:\Ncadmin\Clients

Copy the following files from the I386 folder on the Windows NT Server 4.0 CD-ROM to the folder you created:

  • Ncadmin.cn_

  • Ncadmin.ex_

  • Ncadmin.hl_

At a command prompt, change to the C:\Ncadmin folder, and then type the following command:

expand -r ncadmin.*

Double-click Ncadmin.exe to launch the utility.


Network Client Administrator Execution

Note: If you know that your network card is not listed, you will need to implement the steps below to add it to those available before proceeding.

Once launched, select the “Make Network Installation Startup Disk” from the menu and press the “Continue” button to begin.

You are requested to provide a path to the client installation files. Enter “C:\Ncadmin\Clients” as the path if you followed the steps above (or the appropriate directory if running from an existing NT Server installation), select the “Share Files” radio button and press “OK”. This will share the "C:\Ncadmin\Clients" folder as “clients”, which you may feel free to remove after your network boot disk has been created.

The next dialog prompts you to choose what type of floppy, network client, and network card driver you wish to create the boot disk for. Choose “Network Client v3.0 for MS-DOS and Windows” as your network client.  Select your network card from the list and press “OK” to continue. If your network card is not listed, see “Adding new entries to the Network Client Administrator” below.

The next dialog will prompt you for startup disk configuration information including Computer Name, User Name (must be unique on the network), Domain, Protocol and (if necessary) IP information. Select “TCP/IP Protocol” from the protocol dropdown list. It may appear that there is only one item to select; look closely and you should see a very small scroll bar in the dropdown list (push the down arrow to see “TCP/IP Protocol”). If available, it is recommended that you use DHCP for simplicity's sake; otherwise fill in the proper IP information here.

Next the boot disk itself will actually be created. You will need to provide a blank, formatted system disk (bootable) for the files to be placed on. Windows NT/2000 cannot do this for you, as there is no DOS equivalent operating system present to place on the floppy. Go to a DOS or Windows 9x machine and format the disk with the “/s” option to create the blank, formatted system disk. This should NOT be a Windows NT formatted diskette.

As the floppy is populated with the necessary files a progress dialog is presented. When complete, you have your network boot floppy. If you should run into problems see some tips at the end of this document, our network boot disk creation FAQ or visit our network boot disk user forum.


Adding New Entries to the Network Client Administrator

1. Copy the “Clients” subdirectory from the Windows NT Server compact disc to “c:\Ncadmin\clients”. Note that this requires nearly 70 megabytes (MB) of disk space.

2. Copy the network card’s entry in the [netcard] section of your NDIS2 driver's Oemsetup.inf and paste it into the [netcard] section of the file Wcnet.inf, found in the "\Clients\Msclient\Netsetup" folder.

For example, the following is the [netcard] section of the 3com 3C90x driver's Oemsetup.inf file:

[netcard]

tcm$el90x="3Com EtherLink PCI NICs (3C90X)",0,ndis,ethernet,0x07,tcm$el90x,tcm$el90x_nif

3. Append the NDIS2 driver's header and NIF section from the Oemsetup.inf file to the bottom of the same Wcnet.inf file.

For example, the following are the header and NIF sections of the 3com 3C90x driver's Oemsetup.inf file:

[tcm$el90x]

ndis3=1:el90x.386
ndis2=1:el90x.dos
mlid=1:3c90x.com

[tcm$el90x_nif]

param=DriverName,"",static,"el90x$"
slot=SLOT,"Adapter Slot Number",int,"1,64,1",1,0x32
param=earlyrelease,"Early Release Option",keyonly,,,0x02
param=maxrequests,"Maximum number of general requests",int,"3,10,1",3,0x02
param=maxmulticasts,"Maximum number of multicast addresses",int,"1,50,1",16,0x02
param=maxtransmits,"Maximum number of queued transmits",int,"3,50,1",10,0x02
param=maxreceives,"Maximum Receive Buffers",int,"3,30,1",3,0x02
param=maxframesize,"Maximum frame size",int,"256,17952,8",4096,0x02

4. If in step three the data you appended contained DEVDIR= and/or DEVICE= entries, delete those lines from the file (Wcnet.inf).

5. If not already present, add the line, "ndis2=1:<drivername>" to the header (first part) of the data appended and save the Wcnet.inf file.  The driver name should have the .DOS extension. The 3com example above already contains this entry.

6. Copy the NDIS2 driver to the "\Clients\Msclient\Netsetup" folder.

In the 3com 3c90x example you would copy the file el90x.dos to the "\Clients\Msclient\Netsetup" folder.
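Steps 2 to 6 above as a script that merges a vendor Oemsetup.inf into Wcnet.inf. This is an added example, not part of the original article: the folder names and the 3C90x section names are the article's, while the function names, the location of the .DOS file (assumed to sit next to Oemsetup.inf) and the D:\3c90x source path are assumptions.

```powershell
# Added example (not from the original article): copy the [netcard] entry, the
# header section and the NIF section of an NDIS2 driver's Oemsetup.inf into
# Wcnet.inf, drop DEVDIR=/DEVICE= lines, ensure an ndis2= line, copy the driver.
$ErrorActionPreference = 'Stop'

function Find-LineIndex([string[]]$Lines, [string]$Text) {
    # Index of the first line equal to $Text (case-insensitive, whitespace trimmed), or -1.
    for ($i = 0; $i -lt $Lines.Count; $i++) { if ($Lines[$i].Trim() -ieq $Text) { return $i } }
    return -1
}

function Get-IniSection([string[]]$Lines, [string]$Name) {
    # Body lines of [Name], up to the next [section] header or end of file.
    $start = Find-LineIndex $Lines "[$Name]"
    if ($start -lt 0) { throw "Section [$Name] not found" }
    $body = @()
    for ($i = $start + 1; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Trim() -match '^\[.+\]$') { break }
        $body += $Lines[$i]
    }
    return $body
}

function Merge-NdisDriver {
    param(
        [string]$OemSetup,     # vendor Oemsetup.inf
        [string]$NetSetupDir,  # ...\Clients\Msclient\Netsetup
        [string]$CardKey,      # e.g. tcm$el90x
        [string]$DosDriver     # e.g. el90x.dos
    )
    $oem   = Get-Content $OemSetup
    $wcnet = Join-Path $NetSetupDir 'Wcnet.inf'
    $wc    = Get-Content $wcnet

    # Step 2: the card's line from [netcard] goes into Wcnet.inf's [netcard] section.
    $entry = @(Get-IniSection $oem 'netcard' | Where-Object { $_ -like "$CardKey=*" })
    if ($entry.Count -eq 0) { throw "No [netcard] entry for $CardKey in $OemSetup" }
    $ncIdx = Find-LineIndex $wc '[netcard]'
    if ($ncIdx -lt 0) { throw "Wcnet.inf has no [netcard] section" }
    $wc = $wc[0..$ncIdx] + $entry + $wc[($ncIdx + 1)..($wc.Count - 1)]

    # Steps 3 and 4: append header and NIF sections, minus any DEVDIR=/DEVICE= lines.
    $header = @(Get-IniSection $oem $CardKey | Where-Object { $_ -notmatch '^\s*(DEVDIR|DEVICE)\s*=' })
    $nif    = @(Get-IniSection $oem "${CardKey}_nif")

    # Step 5: the header must name the NDIS2 .DOS driver.
    if (-not ($header | Where-Object { $_ -match '^\s*ndis2\s*=' })) { $header += "ndis2=1:$DosDriver" }

    $wc += @('', "[$CardKey]") + $header + @('', "[${CardKey}_nif]") + $nif
    Set-Content -Path $wcnet -Value $wc

    # Step 6: the driver file itself goes next to Wcnet.inf (assumed to sit beside Oemsetup.inf).
    Copy-Item -Path (Join-Path (Split-Path $OemSetup) $DosDriver) -Destination $NetSetupDir
}

Merge-NdisDriver -OemSetup 'D:\3c90x\Oemsetup.inf' -NetSetupDir 'C:\Ncadmin\Clients\Msclient\Netsetup' `
                 -CardKey 'tcm$el90x' -DosDriver 'el90x.dos'
```

Keep a copy of the untouched Wcnet.inf before running this: the script appends blindly, so running it twice for the same card leaves two [tcm$el90x] sections, and Network Client Administrator will read whichever comes first.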


Troubleshooting Your New Network Boot Disk

Error 33: Unable to Bind

Some cards require the Drivername value to be set under the header section in the Protocol.ini file. For example the 3c905 example described above exhibited this error until the protocol.ini file was edited to include the entry “drivername=el90x$” as follows:

[network.setup]

version=0x3110
netcard=tcm$el90x,1,TCM$EL90X,1
transport=tcpip,TCPIP
lana0=tcm$el90x,1,tcpip

[tcm$el90x]

DriverName=el90x$   <---- Note DriverName entry was added manually

[protman]

drivername=PROTMAN$
PRIORITY=MS$NDISHLP

[tcpip]

NBSessions=6
DefaultGateway0=
SubNetMask0=
IPAddress0=
DisableDHCP=0
DriverName=TCPIP$
BINDINGS=tcm$el90x
LANABASE=0  
 

One visitor reports that the DriverName entry was case sensitive, so be careful. (and thanks to Brian Fort for sharing!)

If the problem persists, this error can also sometimes be attributed to a problem with the internal name used in the protocol.ini. The internal driver name of the NIC driver is not what is expected. The driver name is normally the same as the filename of the driver with a $ appended to the end (i.e. FEM556N2.DOS would be FEM556N2$), but this isn't true for all drivers, check with your NIC vendor. 

Need some space? You can delete the file "a:\net\neth.msg" as it is not needed (121 kb)

Need a packet driver? Check out this resource: ftp://ftp.crynwr.com/drivers/00index.html 

 

 

[Konf 2011] 100% Windows 7 Deployment Automation

For those of you who were at the Konference, you may have seen my presentation on Windows 7 automation that uses several methods to achieve total automation for the end user experience. For those of you who missed it or who didn't attend the Konference, here is the presentation:

100% Windows 7 Deployment Automation

I will be adding code examples to this post soon, but I at least wanted to make the presentation available. I will also post a link to the video of my presentation if and when it becomes available on the DellKACE website.

For the following examples, much of the code is written in AutoIt. If you are unfamiliar with AutoIt, head over to www.autoitscript.com and download the free IDE and compiler. Also, I wrote an O'Reilly book back in 2007 that is available on Amazon for $7.99 that gives you a basic start with the language. Now, here is the example list. This will be growing.


Installing Windows 7 admin tools as a post install task

A few people have asked if there was a scripted way to deploy the Windows 7 deployment tools, so I thought I would share it.

This link has all the info that you need.


http://technet.microsoft.com/en-us/library/ee449483(v=ws.10).aspx

Basically, install Windows6.1-KB958830-x86-RefreshPkg.MSU using /quiet /norestart

(as a post install)

Then have a batch file that runs to install the components that you want.

Run dism /online /get-features to display the features you need installed (on a machine that is already set up).

An example that enables the Group Policy Management Console is:
dism /online /enable-feature /featurename:RemoteServerAdministrationTools /featurename:RemoteServerAdministrationTools-Features /featurename:RemoteServerAdministrationTools-Features-GP

Refer to the URL for additional options.
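The MSU install and the dism step as one post-install script that also confirms each feature ended up enabled. This is an added example, not the post's batch file: the package name and the three feature names are the post's, wusa.exe is the standard installer for .msu files, and the C:\Deploy folder is an assumption.

```powershell
# Added example (not from the original post): install the RSAT package quietly,
# enable the GPMC features, then verify their state with dism.
$ErrorActionPreference = 'Stop'
$Msu = 'C:\Deploy\Windows6.1-KB958830-x86-RefreshPkg.MSU'   # assumption: where the post-install task stages the file
$Features = 'RemoteServerAdministrationTools',
            'RemoteServerAdministrationTools-Features',
            'RemoteServerAdministrationTools-Features-GP'

# Step 1: wusa.exe installs the .msu; 3010 means "done, reboot pending",
# 2359302 (0x240006) means the update was already installed.
$p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Msu`" /quiet /norestart" -Wait -PassThru
if ((0, 3010, 2359302) -notcontains $p.ExitCode) {
    throw "wusa.exe failed with exit code $($p.ExitCode)"
}

# Step 2: one dism call can take several /featurename switches, as in the post.
$switches = $Features | ForEach-Object { "/featurename:$_" }
& dism.exe /online /enable-feature @switches /norestart
if ($LASTEXITCODE -ne 0) { throw "dism enable-feature failed with exit code $LASTEXITCODE" }

# Check: ask dism for each feature and require "State : Enabled".
foreach ($f in $Features) {
    $info  = & dism.exe /online /get-featureinfo "/featurename:$f"
    $state = ($info | Where-Object { $_ -match '^State\s*:' }) -replace '^State\s*:\s*', ''
    if ($state -ne 'Enabled') { throw "$f is '$state', expected Enabled" }
}
'RSAT features enabled.'
```

If the first step returned 3010, the features can still be enabled in the same run, but the consoles may not appear in Administrative Tools until the pending reboot has happened.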
