Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

Alle Binaries sowie ein Export des Projektes von Enteo V6.2 sind unter dieser URL zu finden:

http://www.ntfaq.ch/home.aspx?seite=enteo62_Referenz_Paket_Butsch_Informatik

http://www.butsch.ch

Was macht das Paket?

Dieses universelle Referenz Paket soll zeigen wie man in einer reellen Deployment Umgebung auf das Environment und die User eingehen kann.

Bei vielen Software Deployment fehlen diese Optionen obwohl Sie an sich Grundbausteine einer Software Verteilung sind. Dieses Beispiel soll einen

Anstoss in die richtige Richtung und als Ersatz für eine ein fehlendes Beispiel von Enteo dienen. Zielpublikum:

Desktop Engineer mit mehreren Jahren Deployment Erfahrung und Basis Kenntnissen in Enteo. Enteo Quer‐Einsteiger z.B. von SMS, SCCM,

Altiris oder z.B. Highsystem. Nicht geeignet für Supporter, welchen man aus Unwissenheit die Software Verteilung mal Testweise übergibt.

Finger weg und zurück an den IT‐Chef geben und bitten, dass er das Kapitel ITIL‐Risk Management und Recovery besser durchliest;‐)

Pflichtenheft an das Master Paket: Das Paket soll folgendes erfüllen….

‐     Abfragen ob der Screensaver aktiv ist > Denn dann wollen wir nicht installieren

‐     Ermitteln ob der Client gelockt ist > Denn dann wollen wir nicht installieren

‐     Es soll Abfragen ob ein User gerade arbeitet und angemeldet ist (Ev. Geht es nur dann?)

‐     Soll wissen wie es Enteo seitig kommt (Serviceinstaller oder Autoinstaller)

‐     Soll den User Fragen ob Sie das Update wollen oder man möchte diese nur laufen lassen, wenn jemand angemeldet ist (z.B. Green‐IT‐Oeko Shop ohne WOL und mit Stromleisten!)

 Das Master Paket wird anhand eines Beispiels erklärt. In diesem Falls das Deployment von Adobe Flash 10.1.85.3 vom September 2010.

Das Paket macht eine Migration des Flash Players auf die aktuelle Version. Desktop Deployment und IT ist Migration und Wandel.

Frisch installieren kann jeder und ist einfach! Darum wird in einer Präsentation nie eine Migration von Flash Player sonder immer nur eine frische Installation gezeigt.

Im Package Folder haben wir folgende Binary Files. Alle kann man bei uns downloaden.

Dies wird z.B. hier verwendet:

Einzelne Teile des Enteo Skriptes erklärt:

Hier kontrolliere ich mit "locked.exe" ob der Client gelockt/gesperrt ist. Da wir z.B. für eine Flash/Adobe Reader Upgrade offene Apps (Internet Explorer)

zumachen müssen soll dies NICHT passieren wenn der User Weg von seinem PC ist (CTRL‐ALT‐DEL gemacht).

Mit dem Enteo Befehl ExitPROCEX; "UNDONE" verlassen wir das Script. Das "UNDONE" sieht man dann z.B. bei den Policies in der Enteo Konsole.

Der Vorgang wiederholt sich einfach beim nächsten Enteo Intervall oder Start der Maschine spätestens wieder.

Microsoft W10 Update to 1909 failed because the pre Check found the certain DLL somewhere under the c:\drivers or C:\SWSETUP olders. (APP/Software or driver was not installed, Update block by JUST finding the Certain DLL somewhere on certain paths used by certain Producer/OEM.

Often used paths for drivers and where W10 Update tried to find add. Info about a system and what was installed (Beside Software, Registry and Windows-Installer Cache/DB).

• HP > C:\SWSETUP\
• DELL > c:\DRIVERS\
• Our deployment solution > c:\DRIVERS\

We just had a case where we update W10 1709 to 1909 through a Deployment solution. Updates of HP Laptop failed.

If we installed the Update manual we did see that the "Infineon TPM Professional Package" was blocking. But the software was not installed.

Reason for W10 Update failing:

At that customer we use c:\drivers\ for our deployment structure on HP (Like Dell does > By the way don't use c:\drivers for your own packages/batch on DELL systems it will break some DELL batches).

Under that structure we have a library of certain most used HP Service Packs. There was one which included an Infineon TPM driver. Just by searching through those files

Microsoft thinks the drivers IS installed a Blocks the update. The driver was not installed on the system.

Solution:

Just delete those Directory and files if you don't reference them and they are not used MSI-Source files on the system you handle the update. On HP systems you can even rename the folder like from C:\SWSETUP\ to C:\_SWSETUP\ and it will work.

Where we found that info:

We silent deploy the 1909 there will following command line which gives us detailed Debug Log Info:

c:\drivers\setup\CUSTOMER_W10_1909\setup.exe /auto upgrade /copylogs \\SERVER\w10_1909$\CLIENTS_DEBUG\%computername% /DiagnosticPrompt enable /Priority Normal /postoobe c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ENDE_OK.cmd /postrollback c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ROLLBACK.cmd /Quiet /ShowOOBE none /telemetry disable /compat IgnoreWarning /DynamicUpdate disable /migratedrivers all

In these Logfiles then you will find the reason why he did not upgrade. You will also see why if you skip the OPTIONS: /Quiet /ShowOOBE none

search over all log files for "StatusDetail="UpgradeBlock"

It will be found in the logfile Compatdata*.xml

Here is the info regarding the Block within the XML File:

<Program IconId="ifxspmgt.exe_f069054697b0a0ae" Id="0006c5c9b5d907dd9c81f4d74bb61beb7e3900000904" Name="Infineon TPM Professional Package">

<CompatibilityInfo BlockingType="Hard" StatusDetail="UpgradeBlock"/>

<Action Name="ManualUninstall" ResolveState="NotRun" DisplayStyle="Text"/>

</Program></Programs>

The where the files that Windows 10 Update found BUT where not installed on the system.

Just delete the files if unused and the update will do it what it should.

TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern Browser switch to TLS 1.3 automatic if the Web server on the other side supports this. Like Version 72 of Chrome.exe or even your OS is like Windows 10 Buildnummer 20170 upwards (That means the OS itself). So it's all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some Next Generation Web Filter (Firewall) can't look into the SSL-encryption anymore and find malware/Ransomware. With Browser self updating mechanism like in Chrome or Edge Chromium you suddenly have a constellation that you did not want. While you approved IE11/EDGE Updates in WSUS and mostly checked each new Release of the Browser before releasing it this has changed.

The interesting point is that also some Load Balancer are only able to break (Deep Inspect) traffic with really new Firmware releases. Customers demanded that feature since 2017 we see in diverse blogs and feature request portals of producers. So if you want to sniff into SSL (Break SSL Stream) and you're Firewall can't handle TLS 1.3 special you currently have a problem.

Check if your browser has TLS 1.3 active is easy

CHROME:

chrome://flags/#tls13-variant (Since Version 72 TLS 1.3 default)

MICROSOFT EDGE CHROMIUM:

edge://flags/

As example Type edge://flags/ in the Browser URL window.

Or jump direct to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open following URL / Test Website to see what's supported:

https://browserleaks.com/ssl

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

Unable to deploy W10 > W10 19XX (Feature Updates) to Windows 10 Clients via WSUS on Server 2012 R2.

That is a patch you need to Update your W10 client from W10 19XX to 19XX/20XX via WSUS.

This should have been fixed by Update KB 2919355 and Windows8.1-KB3095113-v2-x64. However on some WSUS Server 2012 R2 we could not install the patch (Depending on the order you installed Patches and installed the WSUS role timely). The patch does open the handling of ESD files in the Web server IIS (So the IIS know what to do with the Extension and how to Deliver it). You can manually add that entry in IIS.

Here is how to solve manual

Right side "ADD"

File name extension:

.esd (With the dot infront)

MIME type:

application/octet-stream

OK

Close and maybe restart IIS or best WSUS Server.

After reboot of the WSUS you that the clients download the update.

You can read here further info:

https://support.microsoft.com/de-de/help/3095113/update-to-enable-wsus-support-for-windows-10-feature-upgrades

This pre-needs KB 2919355

01.09.2020, this is solved in 10.7.0.1607 JULY 2020 Release

Produktversion (Endpoint Security Platform)

10.7.0.1961 JUL 2020 Release

Produktversion (Endpoint Security Threat Prevention)

10.7.0.2021 JUL 2020 Release

Web Control

10.7.0.1607 JUL 2020 Release

On several W10 machines we have seen Outlook.exe crash with Mcafee ENS Endpoint Security 10.7 Web Control active.

This behavior is seen up to Release 10.7.0.1675 and HOTFIX 10.7.0.1733 on 19.05.2020 and is because of the function "E-Mail annotations" in Mcafee Web Control Module from ENS (Endpoint security).

This function will check existing URL in existing E-Mail and if the URL is Malicious Block or warn the user WITHIN the E-Mail.

For Mcafee to draw that warning it needs chart.dll. On some systems there is know old story with mix of chart.dll (We are unsure of 32/64 or language MIX like German and English lead finally MS side to this error but Google is full of it). Mainly it's because Windows itself has a chart.dll and there is a version from Office. Those are different.

Error your see:

"Required file chart.dll not found in your path. Install Microsoft Outlook again"

"Die erfoderliche Datei chart.dll wurde"

Anwendungs-ID, die relativ zum fehlerhaften Paket ist:

Version 16.0.4924.1000 +"chart.dll"

For Mcafee to draw that warning it needs chart.dll. On some systems there is know old story with mix of chart.dll (We are unsure of 32/64 or language MIX like German and English lead finally MS side to this error but Google is full of it). Mainly it's because Windows itself has a chart.dll and there is a version from Office. Those are different.

You can see what happens here. The YELLOW is when it does not find the chart.dll at that certain path.

SOLUTION:

McAfee ENS > Web Control > Optionen > Advanced Options > TURN off the FIRST OPTION (Uncheck)

View German Mcafee ENS

View EPO Policy English

This is what the function does. It highlights malicious URL. Here a sample from a Mcafee SECURITY FOR Exchange

Alert warning which had a malicious URL link. (This is a double alert but just to show what we talk about)

You don't have to reinstall Outlook.exe, Office, or ENS Modules. Just turn off the option.

Some Links with chart.dll (Not related to McAfee)

https://answers.microsoft.com/en-us/office/forum/office_2016-outlook/2016-outlook-has-error-message-required-file/772b47c6-ead1-4d6f-9ad1-41da627cb9c7

Links with Mcafee at askwoody.com

https://www.askwoody.com/forums/topic/outlook-2016-and-chart-dll-error-multiple-pcs/

https://community.mcafee.com/t5/Endpoint-Security-ENS/Outlook-2016-and-chart-dll-error/m-p/651239

ERROR: Install a driver failed because Bluetooth is off or unavailable.

Product: HP Phonewise Driver Install Error

Finally found a solution to a HP W10 Setup brand Problem. Had that under 1803/1809/1903. We are unsure If this was related to a CLEANUP tool we use to remove/Uninstall certain

HP bloat ware from Github. Install a driver failed because Bluetooth is off or unavailable.

This seems a rather complex installation because HP has to make sure that the BLUETOOTH drive is ON in BIOS, is active in W10 itself

And only then can install or uninstall the driver. If you look at the twi batch they are rather complex and handle reboot persistence etc.

We finally found a way to get rid of the error. There is a schedule Task running which handles the reboot persistence.

Remove that entry and you get of the warning. The RED Error we could not explain since the correct file was there AND the used

Mcafee ENS 10.7 virus protection DID not block the file.

HP PhoneWise Device Maintenance

We have a Server 2016 fully patched until 05/2019. We run a KMS-Server which does not have a SRV KMS 2016 channel activated.

PROBLEM: Strangely we can't change to Product key with the GUI. There is simply no reaction when you click "Change product key" button.

We have seen things like this under Control Panel (Unable to scroll) in W10 1903 where Dameware did not work and only possible with RDP.

Use the Activation Wizards to do it. In a cmd type.

slui 3

The wizard appears

Enter the MAK key (NOT any KMS please ;-)

You can also change the key with Commandline direct:

slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr.vbs /ato

To date there are two Social MSDN Threads where people and very und-happy and Microsoft DOES not think it's important

to mention the Problem on their KB Article under Problems. This has just come into our timeline range where

we rollout and MDT/WDS Server for medium sized customer who has no Enterprise Agreement and thus no SCCM.

Manage over 15 WSUS servers for SBS to Enterprise but has no info in that direction. (Not mentioned on MS/TechNet or Ask Woody which we mostly consult for good info)

Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"

support.microsoft.com/de-ch/help/4489881/windows-8-1-update-kb4489881

Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.

Fortigate Application Filter Certificate wrong/missing Entry sample for an important laptop driver (W10 Deployment fails because of signed Driver Revocation Lookup)

OR HOW a missing small ENTRY I a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS-Deployment work.

Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" source of failing deployment

Windows 10 Deployment with commercial Deployment Products (This includes HP client hardware, Microsoft SCCM, Landesk or Ivanti Frontrange).

During the Unattend phase the driver for MASS storage or NIC does a Certificate Revocation Lookup. However the as sample mentioned

URL pki.infineon.com (Hardware Driver URL, CRL FQDN) is missing in Fortiguard definitions. Thus the Fortigate does block the access to WAN. Since this is an early setup phase of W10, group Policy or special GPO do not pull at that moment.

Fortigate has already missed several PKI URL the last few months confirmed by ticket resulting in large trouble and delay on client and Server OS of customers who route their Client or Server traffic through Web proxy and because of security do not want to route computer account proxy traffic standard to the proxy.

Why this is so important. Why this is generating a lot of work and trouble for OS-Deployment teams.

The normal way in larger companies is that all outgoing traffic from client VLAN goes to Firewall which it blocks. All Web/Application/Socks traffic that should go outside goes to a Proxy, Web filter.

Because in early phase of Deployment those options are not set already and normally not needed. However if the driver is older than the Expiration of the Code Signing Certificate W7/W10 will check

The Certificate Revocation list from WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or early Windows Setup phase. If example this is a driver which

handels NIC (network) or mass Storage driver (Disk) they deployment can't run through this early process.

Workaround:

URL we need open in our sample: pki.infineon.com which prevents a complete Enterprise Deployment system to fail

Sample from Fortigate for other Certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.ne t|\.geotrust\.com|\.entrust\.net|\.public- trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thaw te\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; -- flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which persists over all firewall producers:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

TEND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

Security related this is turned OFF on W10 all release. You still may need this for Remote Management or testing

Certain things you can't do on the LOCAL client (Like checking process for LOGON Credentials provider with WMI).

Here is how to turn on Windows Remote Management Silent via Commandline on WINDOWS 10.

Screen shows Paessler WMI Tester we use do test certain WMI query.

winrm.cmd quickconfig –q

https://technet.microsoft.com/en-us/library/hh921475%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396