Fortigate Forticlient silent INSTALLLEVEL 1 does not work on 6.X version: how to solve

 

Problem: The Forticlient silent option to select which modules to install does not work as before with Forticlient 6.X up to 6.0.5 (FortiClientSetup_6.0.5.0209_x64)

Problem: You see an empty Forticlient window when you open it

 

 

Explanation:

Until now the following existed for the Forticlient:

  • Forti Configurator (a tool in which you could choose the options and supply a CONFIG file at the same time, and which produced an MSI at the end)
  • A Windows Installer OPTION INSTALLLEVEL (with this you could specify, up to Forticlient 5.9.X, what you want (SSLVPN/VPN/Antivirus etc.))

 

The Configurator is now only available on the Fortinet Developer Network. To get the file there you MUST name two Fortinet employees as references.

To get the Configurator you have to open a developer account with Fortinet, and to do that you need the approval of TWO Fortinet employees (Fortinet e-mail addresses). That's simply because they don't want customers to modify the default install; they want them to use the ONLINE installer so everybody tries their Antivirus and Patch module. Before, you could download the Forticlient Configurator for free under the Support Forticlient download section.

There are also other nice things there, like the VPN automation scripts and SSLVPN command-line tools. I am sure a lot of Fortinet customers would like to use those, don't even know they exist, and swap to VPN technology from Microsoft: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-technology-overview

 

 

This thread shows what happens when you use INSTALLLEVEL=1 (as worked before with Forticlient 5.X):

https://forum.fortinet.com/tm.aspx?m=165279

https://docs.fortinet.com/document/forticlient/6.0.2/configurator-tool/823336/use-forticlient-configurator-tool-tool-for-windows

 

Forticonfigurator:

 

Nice ;-.)

 

Solution:

Use INSTALLLEVEL 3 instead of 1

 

msiexec.exe /i FortiClientSetup_6.0.5.0209_x64\forticlient.msi /quiet INSTALLLEVEL=3

The MSI package:

VPN, SSLVPN, SSO is fine for most enterprise users.

We don't see the NAC option in the GUI even if we choose it with option 3. We don't want that, so INSTALLLEVEL 1 would be the choice, but that DOES not work as mentioned.

 

 

Here is the reason Fortigate makes this so complex: they want to sell EMS, which can be used to deploy Forticlient.

 

 

MCAFEE Removal Tools Enduser Line and Corporate Endpoint (GUI or EPO)

Sometimes we have client machines where we can't roll out ENS or VSE even when everything else is fine. This happens because some people left behind an OEM-supplied version of Mcafee enduser products (the user tried to uninstall or update without local admin), because a migration went bad when a user closed the laptop lid or lost power during migration, or because the user forced the desktop client off. We have very rarely had such cases in 10 years, and the EPO is a great solution in how it handles MSI packages and migration on clients, servers and terminal servers. If only regular deployment solutions would work like this?

So here are the two solutions for removing:

  1. Mcafee ENDUSER Products
  2. Mcafee ENS Corporate Version

 

 

MCPR (Removes all Enduser products or OEM Supplied version like on HP or DELL)

DOWNLOAD: http://us.mcafee.com/apps/supporttools/mcpr/mcpr.asp

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS101331&_afrLoop=710472012957521&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D710472012957521%26articleId%3DTS101331%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3D4xkm1wh6e_9

 

Sample leftover Enduser products:

 

 

MCAFEE Endpoint Product Removal Tool (ENS Corporate)

You can only download that tool if you have VALID NAI Mcafee support running.

Here is HOW to find it under downloads. Yes, you need a manual to download a file ;-(

www.mcafee.com

Choose Enterprise

There is a standalone version for remote support and a version which you PUSH out to problem clients with the EPO with a task sequence. You can set OPTIONS in the deployment JOB if you let it run with EPO.

Some sample command lines we use with the EPO push version to remove stalled single-endpoint ENS 10.X > 10.X migrations:

--accepteula --ENS --=600

--accepteula --ENS --noreboot

Server 2016, MDT 2013, W10 1809 6.3.8456.1000 SQL Compact Database

If you don't connect MDT on Server 2016 to an SQL database, it will use SQL Server Compact to store the information you see in MONITOR. You can ONLY access the info from the Compact Edition with SQL Management Studio 2008R2 and NOT the newer version, I have read somewhere. With SQL Management Studio 2008R2 we can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

 

You can also access it through the web API:

http://localhost:9801/MDTMonitorData

http://localhost:9801/MDTMonitorData/Computers

http://localhost:9801/MDTMonitorData/ComputerIdentities

 

It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.

 

C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

 

To see or view data itself you could use:

https://www.linqpad.net/

 

 

GPO, Group Policy, Extra Registry Settings, Display names for some settings cannot be found

 

GPO error you see in Group Policy Console after you migrated/imported GPO from another domain or location:

Extra Registry Settings:

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Cause:

  1. This is a leftover of some old GPO you migrated over the years and want to get rid of (our solution with Powershell)

OR

  2. (Not so good) You are missing certain ADM* files in your Central Policy Store but have the GPO already there (copied from somewhere). Check this link to understand what we talk about: http://www.butsch.ch/post/GPO-W10-CSE_NOBACKGROUND-and-CSE_Drives-GPO-English-German-mix-how-to-fix-RIGHT-way.aspx. This is what the original error says (Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.)

     

 

How to solve this for problem 1 above:

Let's assume all is fine with the GPO and the Central Policy Store, and the GPO you migrated or imported has some old things you would like to get rid of, which maybe someone merged into newer GPOs over the years XP > W7 > W8 > W10 15** > W10 17** > W19 18** etc. (just some things that dropped out in a new version of W10, as an example).

Simply an option that maybe dropped out (does not exist) in W10 1809 but did exist before, and you want to use the same GPO as you did in 1709 for another customer.

 

Error in GPO-console:

Back up the GPO to DISK and briefly check gpreport.xml: search for the string, just to make sure it's in the POLICY you think it is and that all is fine before you correct it.

Here you see the error again in the GPO console:

Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

 

Setting                                                                     State

Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed                0
Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupLauncher     1
Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupToDisk       1
Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupToNetwork    1
Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupToOptical    1
Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupUI           1
Software\Policies\Microsoft\Windows\Backup\Client\DisableRestoreUI          1
Software\Policies\Microsoft\Windows\Backup\Client\DisableSystemBackupUI     1
Software\Policies\Microsoft\Windows\PreviewBuilds\EnableConfigFlighting     1
Software\Policies\Microsoft\Windows\PreviewBuilds\EnableExperimentation     1
Software\Policies\Microsoft\Windows\SideShow\Disabled                       1
Software\Policies\Microsoft\WindowsMediaCenter\MediaCenter                  1

 

 

SOLUTION:

 

Here is how to remove exactly those settings from the existing GPO with Powershell, running on your admin W10 with the GPO console (RSAT).

Let's start with a sample we want to get rid of:

Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

Step 1

Check if the error is under the USER or COMPUTER (SYSTEM) part of the GPO.

HKLM\

HKCU\

Add one of these in front of the registry string, depending on where it is:

Sample: Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

After: HKCU\Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed (if it's a USER policy)

After: HKLM\Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed (if it's a COMPUTER policy)

Step 2

Cut off the last part (the value name) and separate it from the key:

HKLM\Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

"HKLM\Software\Policies\Microsoft\Windows Mail"        ManualLaunchAllowed

 

Sample Powershell would be:

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows Mail" -ValueName ManualLaunchAllowed

 

After we have all the info and the correct string, let's do it for real:

 

In Powershell, run Import-Module -Name grouppolicy to load the API for GPO:

Import-Module -Name grouppolicy

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows Mail" -ValueName ManualLaunchAllowed

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupLauncher

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToDisk

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToNetwork

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupToOptical

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableBackupUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableRestoreUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\Backup\Client" -ValueName DisableSystemBackupUI

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableConfigFlighting

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds" -ValueName EnableExperimentation

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\Windows\SideShow" -ValueName Disabled

Remove-GPRegistryValue -Name "W10_C_Computer" -key "HKLM\Software\Policies\Microsoft\WindowsMediaCenter" -ValueName MediaCenter
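The same Step 1 / Step 2 procedure as a loop, as an added example (not the original author's script): it backs up the GPO first, builds key and value name from each "Extra Registry Settings" line, checks that the value is really stored in the GPO, and only then removes it. The backup folder C:\GPOBackup and the variable names are assumptions; the GPO name and the paths are the ones used above.

```powershell
# Added example, not from the original post. Requires the RSAT GroupPolicy module.
Import-Module -Name GroupPolicy

$GpoName   = 'W10_C_Computer'   # GPO name used in the post
$Hive      = 'HKLM'             # Step 1: HKLM = COMPUTER part, HKCU = USER part
$BackupDir = 'C:\GPOBackup'     # assumption: existing folder for the safety backup

# Lines exactly as the GPO console lists them under "Extra Registry Settings"
# (three of the entries from the table above)
$ExtraSettings = @(
    'Software\Policies\Microsoft\Windows Mail\ManualLaunchAllowed'
    'Software\Policies\Microsoft\Windows\Backup\Client\DisableBackupLauncher'
    'Software\Policies\Microsoft\Windows\SideShow\Disabled'
)

# Back up before changing anything, so the GPO can be restored with Restore-GPO
Backup-GPO -Name $GpoName -Path $BackupDir | Out-Null

foreach ($path in $ExtraSettings) {
    # Step 2: everything before the last backslash is the key, the rest is the value name
    $cut       = $path.LastIndexOf('\')
    $key       = '{0}\{1}' -f $Hive, $path.Substring(0, $cut)
    $valueName = $path.Substring($cut + 1)

    # Only touch values that are really stored in this GPO (wrong hive or typo is caught here)
    try {
        $null = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -ErrorAction Stop
    }
    catch {
        Write-Warning ('Not found in {0}: "{1}" {2}' -f $GpoName, $key, $valueName)
        continue
    }

    # -WhatIf only shows what would be removed; delete -WhatIf to really remove it
    Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName -WhatIf
}
```

Run it once with -WhatIf, compare the output with the list in the GPO console, then run it again without -WhatIf and refresh the report.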

 

 

 

KB 4489881 Breaks WDS MDT on Server 2016 PXE boot

To date there are two Social MSDN threads where people are very unhappy, and Microsoft DOES not think it's important to mention the problem in their KB article under Problems. This has just come into our timeline, where we roll out an MDT/WDS server for a medium-sized customer who has no Enterprise Agreement and thus no SCCM.

We manage over 15 WSUS servers, from SBS to Enterprise, but have no info in that direction. (Not mentioned on MS/TechNet or Ask Woody, which we mostly consult for good info.)

 

Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"

support.microsoft.com/de-ch/help/4489881/windows-8-1-update-kb4489881

 

Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.