


June 30, 2011
Newsletter July 2011


TrueSec

News and Geek Stuff

July 2011

All good things come in three! (or…..)

1.      I am happy to announce the new class “The Deployment Foundation Class”, a 4 day class that covers the basics of the tools Microsoft offers for deploying Windows 7. The class is developed and presented by none other than Microsoft MVP (Setup and Deployment) Rhonda Layfield, a known and recognized speaker and instructor at TechEd and other major events. This is the perfect prerequisite for the Lite Touch and Zero Touch Deployment master classes.
The first session is planned and scheduled for Washington DC in September.

2.      Deployment Geek Week travels overseas. Together with CEO Training, we will take the popular Deployment Geek Week to Sydney, Australia. Johan and Mike will run this unique 5 day class directly after TechEd Australia and TechEd New Zealand finish. If you can’t make it to TechEd, don’t miss this opportunity to learn from the masters.

3.      And if you can’t go down under, and did not get a seat at the Seattle session, there is still an opportunity to meet with Johan and Kent in the “Ultimate ConfigMgr 2012 and MDT training”. This is another unique 5 day class that focuses on the new and long-awaited Configuration Manager 2012 as well as the next version of MDT.

4.      …..and summer is finally coming to the Pacific Northwest……

Kent Agerlund:

Author updates using SCUP 2011

Johan Arwidmark:

Leftover junk prevents new installation in MDT 2010

Michael Petersen:
Finding and adding only the correct device drivers to the Boot image

Mikael Nystrom:
The story behind driver ranking (or why did Windows pick THAT driver)

Author updates using SCUP 2011

With the new version of System Center Updates Publisher, authoring updates is easier than ever before. In this example I will deploy Java 6 update 25 x86. I have already downloaded the update to a local file share: \\sccm4\sccm_sources$\Software\JavaUpd25\jre-6u25-windows-i586.exe

Before you start authoring any update you will need to do some detective work. You need to figure out:

·        A way to download the patch, either from the vendor site or from a local file server.

·        A method to detect whether a given update is required or not.

·        A method to detect that you successfully deployed the update.

·        The command line for a silent installation.

·        The vendor website that contains information about the update.

 

To detect if a previous version of Java is installed I will query these registry keys:

·        Must exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6

·        Must not exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6.0_25

To verify that the installation was successful I will query this registry key:

·        Must exist: HKLM\Software\Javasoft\Java Runtime Environment\1.6.0_25

 

Open the SCUP 2011 console and navigate to the Updates workspace. Create a folder using the Ribbon. In this example my folder is called Oracle.

Click Create, Software Update on the Ribbon.

In Package Source click Browse and navigate to:

jre-6u25-windows-i586.exe

 

In download URL (or UNC) type the UNC path to the file:

\\sccm4\sccm_sources$\Software\JavaUpd25\jre-6u25-windows-i586.exe

 

Binary language (English in my example):

English

 

Command line:

/s "IEXPLORER=1 MOZILLA=1" /quiet

 

Click Next.

In Language select:

English

 

In Title type:

SUN Java 6 Update 25

 

In Description type something meaningful, such as what is being fixed by this update.

 

In Classification select:

Security

 

In Vendor type:

Oracle

 

In Product type:

SUN Java

 

More Info URL type:

http://www.oracle.com/technetwork/java/javase/6u25releasenotes-356444.html

 

Click Next.

On the Optional information page you can type the official update information; if none is provided I suggest you invent a naming standard for the different vendors.

 

Bulletin ID:

SUNJAVA6UPD25

 

Article ID

QSUNJAVA6UPD25

 

Support URL:

http://www.oracle.com/technetwork/java/javase/overview/index.html

 

Severity:

None Specified

 

Impact:

Normal

 

Restart Behavior:

Can request reboot

 

Click Next

On the prerequisites page click Next.

On the Supersedence page you can select any older version that is being superseded by this update. It requires that the older update is also present in the catalog. In my example this is the first Java update in the catalog, so click Next.

On the Installable rules page you will type in whatever information you have to detect a previously installed version. Click the yellow star icon.

Rule Type select:

Registry

 

Subkey type:

Software\Javasoft\Java Runtime Environment\1.6

 

This registry key is for a 32-bit application on a 64-bit system:

Enabled

 

Click OK

Click the Yellow icon and create a new rule

 

Rule Type select:

Registry

 

Subkey type:

Software\Javasoft\Java Runtime Environment\1.6.0_25

 

This registry key is for a 32-bit application on a 64-bit system:

Enabled

 

 

Click OK

Highlight the last rule and press Alt+G or click the Not icon.

 

Click Next.

On the Installed rules page you will type in whatever information you have to detect that this new update is successfully installed.

 

Click the Yellow icon to create a new rule.

 

Rule Type select:

Registry

 

Subkey type:

Software\Javasoft\Java Runtime Environment\1.6.0_25

 

This registry key is for a 32-bit application on a 64-bit system:

Enabled

 

 

Click OK

Click Next.

Click Next.

Click Close

Click Publish on the Ribbon, select Full Content and click Next.

Click Next.

Click Close.

 

The update will now become available in Configuration Manager after the next software update synchronization process.
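As an added example (not part of Kent's article), the following PowerShell script evaluates the same registry rules the update above uses, so the Installable and Installed logic can be sanity-checked on a test client before the update is published. The key paths are the article's; the WOW6432Node mapping is what the "32-bit application on a 64-bit system" option amounts to on x64 Windows, and the function names are my own.

```powershell
# Added example, not from the article: evaluates the Installable/Installed rules
# of the "SUN Java 6 Update 25" SCUP update against the local registry.
# Key names come from the article; function names are this example's own.

function Get-WowAwareKey {
    param([string]$Subkey)
    # "This registry key is for a 32-bit application on a 64-bit system" means
    # SCUP reads the 32-bit (WOW6432Node) view of HKLM\SOFTWARE on x64 Windows.
    # On x86 Windows there is no redirection, so the plain path is used.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    if ($is64) { return "HKLM:\SOFTWARE\WOW6432Node\$Subkey" }
    return "HKLM:\SOFTWARE\$Subkey"
}

function Test-JavaUpdateRules {
    param(
        [string]$ProductSubkey = 'Javasoft\Java Runtime Environment\1.6',
        [string]$UpdateSubkey  = 'Javasoft\Java Runtime Environment\1.6.0_25'
    )
    $productKey = Get-WowAwareKey -Subkey $ProductSubkey
    $updateKey  = Get-WowAwareKey -Subkey $UpdateSubkey

    $productPresent = Test-Path -Path $productKey
    $updatePresent  = Test-Path -Path $updateKey

    # Installable rules page: "1.6" must exist AND NOT "1.6.0_25" (the Not icon)
    $installable = $productPresent -and (-not $updatePresent)
    # Installed rules page: "1.6.0_25" must exist
    $installed = $updatePresent

    $verdict = 'Not applicable'
    if ($installable) { $verdict = 'Required' }
    if ($installed)   { $verdict = 'Installed' }

    New-Object PSObject -Property @{
        ProductKey  = $productKey
        UpdateKey   = $updateKey
        Installable = $installable
        Installed   = $installed
        Verdict     = $verdict
    }
}

Test-JavaUpdateRules | Format-List
```

Run it once before and once after the client installs the update: the verdict should go from Required to Installed. Note that because the Installable rule requires the 1.6 key, a client with no Java 6 at all (or only a newer major version) reports Not applicable, which is the intended scope of an update as opposed to a fresh install, and is worth confirming on a test client so the update is not offered where the silent install would behave differently.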

My Configuration Manager 2012 client shows the installation progress: preparing – installing – installed.

 

Java 6 update 25 is installed.

/Kent

The story behind driver ranking (or why did Windows pick THAT driver)

I like things that are automated but I don’t always like the “automagic”. What I’m trying to say is that I like to know “why”, so I can make it work the way I want it to. A while back a customer asked me a very simple question:

-        Why does Windows 7 pick THAT driver? It is the wrong one!

Before we continue we need to define “wrong” here. Wrong could be a working driver that is just not the exact driver wanted: wrong version, wrong vendor, wrong architecture, or whatever makes it wrong in the eye of the beholder.

The process is called Driver Ranking and it occurs when you add drivers to Windows: during Plug and Play it scans the driver repository for matching PnP IDs. If Windows finds multiple drivers that have the same PnP ID, a ranking process begins. I told my customer and he simply said:

-        Please, can you do a blog post on that subject

So, I did

http://deploymentbunny.com/2011/06/06/nice-to-know-why-did-windows-7-pick-that-driver/

If you do have an interest in this, read it through. It will most likely give you some more background information and maybe an “aha, that’s why…” moment.

/Mike aka The Deployment Bunny

(btw, both Johan and I have a bunch of sessions at TechEd Australia, hope to see some of you there)


Leftover junk prevents new installation in MDT 2010

One of the most common issues with MDT 2010 Lite Touch deployments is leftover junk from a previous installation preventing a second installation from continuing. The solution: get rid of the junk. Here is a sample script...

WARNING!: Per the instructions you will modify the unattend.xml inside the boot image you use for bare metal deployments only, meaning the boot image(s) on your WDS server. Please don't go outside the instructions and modify the boot images in the MDT deployment share - That will kill your entire Refresh and Replace deployments.

Download the sample files

Instructions for Manually updating your x64 boot image

(Just change x64 with x86 for updating your x86 image)

1.    Extract the article sample files to a folder

2.    Create the D:\Mount folder (My Data drive is D:)

3.    Start a Deployment Tools Command Prompt

4.    Use ImageX to mount your boot image

ImageX /mountrw D:\RemoteInstall\Boot\x64\Images\LiteTouchPE_x64.wim 1 D:\Mount

5.    From the article download folder, copy the ZTICleanSetupInProgress.vbs script to D:\Mount\Deploy\Scripts

6.    From the article download folder, copy the x64\Unattend.xml file to D:\Mount (overwrite the existing file)

7.    Unmount the wim file (close all Explorer windows first)

ImageX /unmount /commit D:\Mount

8.    Done
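The following PowerShell script is an added example (not one of Johan's sample files) that performs steps 2 through 7 above for either architecture, keeps a backup of the boot image, and unmounts without committing if a copy fails so a half-edited WIM is never written back to WDS. It assumes imagex.exe is on the path (as it is in a Deployment Tools Command Prompt), that the article's sample files were extracted to the folder passed in $SampleRoot (an assumed location), and the D: drive and paths from the article.

```powershell
# Added example (not part of the article's downloads): automates steps 2-7 of
# the manual procedure. Assumes imagex.exe is on the PATH (Deployment Tools
# Command Prompt) and that the sample files were extracted to $SampleRoot.
param(
    [ValidateSet('x64','x86')]
    [string]$Arch       = 'x64',
    [string]$SampleRoot = 'C:\MDTSamples',     # assumed extraction folder for the sample files
    [string]$WdsRoot    = 'D:\RemoteInstall',  # WDS RemoteInstall folder from the article
    [string]$MountDir   = 'D:\Mount'
)
$ErrorActionPreference = 'Stop'

$wim           = Join-Path $WdsRoot    "Boot\$Arch\Images\LiteTouchPE_$Arch.wim"
$cleanupScript = Join-Path $SampleRoot 'ZTICleanSetupInProgress.vbs'
$unattend      = Join-Path $SampleRoot "$Arch\Unattend.xml"

foreach ($f in @($wim, $cleanupScript, $unattend)) {
    if (-not (Test-Path -Path $f)) { throw "Missing file: $f" }
}

# Step 2: the mount folder must exist and be empty (a stale mount will break ImageX)
if (-not (Test-Path -Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if (Get-ChildItem -Path $MountDir -Force) { throw "$MountDir is not empty; unmount any stale image first" }

# Keep a copy of the boot image so the change can be rolled back
Copy-Item -Path $wim -Destination "$wim.bak" -Force

# Step 4: mount image index 1 read/write
& imagex /mountrw $wim 1 $MountDir
if ($LASTEXITCODE -ne 0) { throw "ImageX mount failed with exit code $LASTEXITCODE" }

$committed = $false
try {
    # Step 5: the cleanup script goes next to the other MDT scripts in the boot image
    Copy-Item -Path $cleanupScript -Destination (Join-Path $MountDir 'Deploy\Scripts') -Force
    # Step 6: overwrite the boot image's Unattend.xml with the article's version
    Copy-Item -Path $unattend -Destination $MountDir -Force
    $committed = $true
}
finally {
    # Step 7: commit only if both copies succeeded; otherwise discard the changes
    if ($committed) { & imagex /unmount /commit $MountDir }
    else            { & imagex /unmount $MountDir }
}
if ($committed) { "Updated $wim (backup at $wim.bak)" }
```

Run it from an elevated Deployment Tools Command Prompt as `powershell -File Update-BootImage.ps1 -Arch x86` for the x86 image. Because the script only ever touches the WIM under the WDS RemoteInstall folder, it respects the warning above about leaving the boot images in the MDT deployment share alone.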

Note: If you want to automate the above updates of the WDS boot image, you can do this via an Exit function to the Deployment Share Update process. In the C:\Program Files\Microsoft Deployment Toolkit\Samples folder you will find a sample named UpdateExit.vbs that you can customize.

See the Automatically update MDT 2010 boot images in WDS article by Michael Niehaus for more info on the Deployment Share Exit.

 

/Johan

 

Finding and adding only the correct device drivers to the Boot image

 

It seems to me that people tend to add way too many drivers to their boot images, which in some cases makes WinPE unstable and subsequently makes the deployment fail. It also makes it near impossible to figure out which driver versions/types are actually included, as that info is kind of limited from within the Boot Image node itself …

What I do is find the exact drivers needed for my WinPE environment to work on the specific model(s), and add only those drivers. If I can boot WinPE and gain access to the network (IPCONFIG) and hard disk (DISKPART – list disk), I do not update my boot image, even if I choose to add a new NIC driver to the deployed OS itself!

In this example I will use a Dell Latitude E6320, because this particular machine has a network driver not already included in WinPE.

The first thing to do is go into Device Manager and check which driver the network card is using. I usually do this from the Windows 7 preloaded OS that comes with the machine (you know, before reinstalling). If this is not an option, you can do something similar from within WinPE using DrvLoad.exe and wmic, but more about that in a later post!

As you can see from the picture, the network adapter is using an Intel® 82579LM Gigabit Network Connection driver.

The problem you then run into is that this is not the name of the driver in the Intel driver package. The driver is defined by an INF, and the actual name of the driver is found within that particular INF. To find the name of the INF you can check Driver Details in the properties of the driver. It will show you the SYS file, which is always named the same as the INF.

As you can see, the driver in question should be e1c6232.inf, and if you download the newest NIC driver package from Intel (or get it from your vendor), and open that driver in notepad, you will find the driver you need inside the INF.
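As an added example (not from the article), this PowerShell script does the same lookup without clicking through Device Manager: it lists each network adapter's driver, the INF it was installed from and its hardware ID, then searches an extracted driver package for the INF that lists that hardware ID. Win32_PnPSignedDriver is the WMI class wmic exposes for this; the package folder is an assumption you pass in.

```powershell
# Added example, not from the article: find the INF behind each network
# adapter's driver and locate the matching INF in a downloaded driver package.
# $DriverPackage is an assumed path; adjust it to where the vendor package
# was extracted. Run this in the preloaded OS, as the article does.
param([string]$DriverPackage = 'C:\Drivers\IntelNIC')

# Win32_PnPSignedDriver is what "wmic path win32_pnpsigneddriver" queries;
# DeviceClass NET plus a PCI hardware ID restricts it to physical NICs.
$nics = Get-WmiObject -Class Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'NET' -and $_.HardWareID -like 'PCI\*' }

foreach ($nic in $nics) {
    "{0}" -f $nic.DeviceName
    "  provider: {0}  version: {1}" -f $nic.DriverProviderName, $nic.DriverVersion
    # For vendor drivers InfName is the driver-store copy (oemNN.inf), not the
    # vendor's file name, which is why the article goes via the SYS file name.
    "  INF: {0}  HWID: {1}" -f $nic.InfName, $nic.HardWareID

    # The vendor/device part of the hardware ID (PCI\VEN_xxxx&DEV_xxxx) is the
    # string the vendor INF lists in its model sections, so match on that.
    $venDev = ($nic.HardWareID -split '&')[0..1] -join '&'
    if (Test-Path -Path $DriverPackage) {
        Get-ChildItem -Path $DriverPackage -Filter *.inf -Recurse |
            Where-Object { Select-String -Path $_.FullName -Pattern ([regex]::Escape($venDev)) -Quiet } |
            ForEach-Object { "  matching INF in package: $($_.FullName)" }
    }
}
```

Matching on the hardware ID rather than the INF name avoids the oemNN.inf renaming in the driver store, and it tells you which single INF (and its companion SYS) to import for the boot image; if a package reports several matching INFs, they are normally the same driver for different Windows versions, and the ConfigMgr import view described next shows which platform each applies to.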

Now the driver must be imported into ConfigMgr. Normally I would import all the NIC drivers and then look for the same info from within ConfigMgr. Do an import only; there is no need to add to a category, package or Boot Image at this point. Once imported, your NIC drivers will look something like this.

By highlighting the driver you can even see which other drivers are included, and which platforms it is applicable to:

You can see that this particular driver works on Windows 7 x86 SP1, and that it also supports the Intel® 82579V Gigabit Network Connection.

The info corresponds to that found in the running OS, so it’s clearly the driver needed in the Boot image. Finally, all that is left to do is inject the driver and update the distribution point (DP), and the boot image should work like a charm.


/Michael P

 

 

 

 

Where to find us......

Deployment Foundations Class with Rhonda Layfield: Washington DC, September 12-15

Understand how hackers attack the Windows Platform with Marcus Murray: Amsterdam, September 12-14

Mastering PKI & Certificate Services 2008 R2 with Hasain Alshakarti: Online live, August 15-17; London, October 31

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom: Redmond, WA, July 18-22 (SOLD OUT)

The Ultimate ConfigMgr 2012 and MDT 2012 training with both Kent Agerlund and Johan Arwidmark: New York City, August 15-19

 

Full schedule at http://www.truesec.com                                                            

 

 

 

 


TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052


 




TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement