Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

Alle Binaries sowie ein Export des Projektes von Enteo V6.2 sind unter dieser URL zu finden:

http://www.ntfaq.ch/home.aspx?seite=enteo62_Referenz_Paket_Butsch_Informatik

http://www.butsch.ch

Was macht das Paket?

Dieses universelle Referenz Paket soll zeigen wie man in einer reellen Deployment Umgebung auf das Environment und die User eingehen kann.

Bei vielen Software Deployment fehlen diese Optionen obwohl Sie an sich Grundbausteine einer Software Verteilung sind. Dieses Beispiel soll einen

Anstoss in die richtige Richtung und als Ersatz für eine ein fehlendes Beispiel von Enteo dienen. Zielpublikum:

Desktop Engineer mit mehreren Jahren Deployment Erfahrung und Basis Kenntnissen in Enteo. Enteo Quer‐Einsteiger z.B. von SMS, SCCM,

Altiris oder z.B. Highsystem. Nicht geeignet für Supporter, welchen man aus Unwissenheit die Software Verteilung mal Testweise übergibt.

Finger weg und zurück an den IT‐Chef geben und bitten, dass er das Kapitel ITIL‐Risk Management und Recovery besser durchliest;‐)

Pflichtenheft an das Master Paket: Das Paket soll folgendes erfüllen….

‐     Abfragen ob der Screensaver aktiv ist > Denn dann wollen wir nicht installieren

‐     Ermitteln ob der Client gelockt ist > Denn dann wollen wir nicht installieren

‐     Es soll Abfragen ob ein User gerade arbeitet und angemeldet ist (Ev. Geht es nur dann?)

‐     Soll wissen wie es Enteo seitig kommt (Serviceinstaller oder Autoinstaller)

‐     Soll den User Fragen ob Sie das Update wollen oder man möchte diese nur laufen lassen, wenn jemand angemeldet ist (z.B. Green‐IT‐Oeko Shop ohne WOL und mit Stromleisten!)

 Das Master Paket wird anhand eines Beispiels erklärt. In diesem Falls das Deployment von Adobe Flash 10.1.85.3 vom September 2010.

Das Paket macht eine Migration des Flash Players auf die aktuelle Version. Desktop Deployment und IT ist Migration und Wandel.

Frisch installieren kann jeder und ist einfach! Darum wird in einer Präsentation nie eine Migration von Flash Player sonder immer nur eine frische Installation gezeigt.

Im Package Folder haben wir folgende Binary Files. Alle kann man bei uns downloaden.

Dies wird z.B. hier verwendet:

Einzelne Teile des Enteo Skriptes erklärt:

Hier kontrolliere ich mit "locked.exe" ob der Client gelockt/gesperrt ist. Da wir z.B. für eine Flash/Adobe Reader Upgrade offene Apps (Internet Explorer)

zumachen müssen soll dies NICHT passieren wenn der User Weg von seinem PC ist (CTRL‐ALT‐DEL gemacht).

Mit dem Enteo Befehl ExitPROCEX; "UNDONE" verlassen wir das Script. Das "UNDONE" sieht man dann z.B. bei den Policies in der Enteo Konsole.

Der Vorgang wiederholt sich einfach beim nächsten Enteo Intervall oder Start der Maschine spätestens wieder.

Here is how to catch different Windows 10 OS release within WMI.

We used this the first time during a 1709 > 1909 Migration where we wanted to push customer startlayout.xml (Different new syntax and command for W10 1909)

with GPO ONLY to the 1909 clients. SBS/KMU seamless upgrades but often forget to handle GPO Policy side during the upgrade process. If you wan to modify

The startlayout/startmenu tiles this is often the first place you will need the WMI filters.

W10 Version Info:

Major   Minor   Version Build      Info       Released

10           0             1607       14393    2016 RTM LTSC 09/26/2016

10           0             1709       16299    2016 SAC            10/17/2017

10           0             1803       17134    2016 SAC            04/30/2018

10           0             1809       17763    2019 LTSC           11/13/2018

10           0             1903       18362    2019 SAC            5/21/2019

10           0             1909       18363    2019 SAC            11/12/2019

WMI Query to check which version you run of Windows 10.

NAMEPSPACE: Root\CIMv2

W10 1607:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "14393"

W10 1709:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "16299"

W10 1803:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17134"

W10 1809:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17763"

W10 1903:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18362"

W10 1909:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18363"

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wql-sql-for-wmi

GPO WMI FILTER

Based on above info from us you can build the GPO filter for each W10 version.

Example: Use the Paessler WMI tester to check

If the query was successful then you get FEEDBACK from the Query (if not it would be empty)

Please also check these WMI related links from us:

http://www.butsch.ch/post/W10-Enable-Remote-Management-for-WMI-from-Commandline-silent.aspx

http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

http://www.butsch.ch/post/Script-WMI-Fetch-modell-BIOS-Version-with-VB-like-SM_info-from-Dell.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-GPO-Settings-PROXY-Explained-F5-F8.aspx

Security related this is turned OFF on W10 all release. You still may need this for Remote Management or testing

Certain things you can't do on the LOCAL client (Like checking process for LOGON Credentials provider with WMI).

Here is how to turn on Windows Remote Management Silent via Commandline on WINDOWS 10.

Screen shows Paessler WMI Tester we use do test certain WMI query.

winrm.cmd quickconfig –q

https://technet.microsoft.com/en-us/library/hh921475%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

Internet Explorer, Group Policy, Gruppenrichtlinien, IE11 GPO Settings, PROXY Explained F5-F8

1. IE11 has to be installed so you see the IE10 Option
2. There is not IE11 Option > That's ok > Choose IE10 it will work fir IE11
3. You are on a SRV 2012 R2 or W8 to see this option or W7 with installed updated
4. You did try it always fails or you get too MUCH Gpo settings from the GUI Mode.

    

This is what we talk about and seems to make confusions. People set if with it and at the end did with HKCU keys.

You can configure the options with F5, F6, F7 and F8 keys from the GUI. Only choose the options you want to change.

ALL RED > Will not be touched (Like GPO Settings DEFAULT)

ALL GREEN > Will be touched or changed (Like GPO setting ENABLE/DISABLE) depending on the GUI if you have a checkbox selected or not.

GREEN = Stuff you want to change

RED = LEAVE IT at it is

Some sample settings

If you go back one step on the GPO Console and do an F5 / Refresh

You should only see the option which you marked GREEN with F7 or F8

Lets make a sample (That i don't want touched)

See forgot two things and not clear how to select under security

Back in GPO Console one step, Update F5, Refresh

The above mentioned is RED THUS Gone / Not touched

We recommend to enable a check if you DO Registry KEYS or such Settings with GPO and not deployment.

Make sure you have a WMI Filter to also capture IE11

Check out I11 LINKS:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-Umsetzen-Unternehmensmodus-Enterprise-Mode.aspx

WMI Hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider

who offers that info hangs or is out of date. Even with some command to refresh it0s stuck. This is a list of Hotfixes we found in that direction

For Existing Windows 7 64BIT Deployments with SP1.

IE11patch Infos:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

YES = Installs on W7 SP1 64BIT with all Updates from WSUS do date 29.07.2015

NO = Does not install on same system

001 (YES)

https://support.microsoft.com/en-us/kb/2705357

2705357

Windows6.1-KB2705357-v2-x64.msu

002 (YES)

http://support.microsoft.com/kb/2692929

2692929

Windows6.1-KB2692929-x64.msu

003 (YES but choose 2617858)

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2465990

2465990 > SUPERSEEDED > Replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)

2465990 > Windows6.1-KB2465990-v3-x64.msu (Older)

2617858 > Windows6.1-KB2617858-x64.msu (Newer, Superseeds the old one)

004 (YES)

https://support.microsoft.com/en-us/kb/2492536

2492536

Windows6.1-KB2492536-x64.msu

005 (NO)

https://support.microsoft.com/en-us/kb/982293

982293

Windows6.1-KB982293-x64.msu

Internet Explorer 11 Setup with IEAK11 for Deployment

We have seen several posting on Social MSDN but also deployment blogs with people struggling with the IEAK Setup of IE11 or better the 9 PRE patches the IE setup 10/11 needs.

Technet http://support.microsoft.com/kb/2847882 describes the Updates that have to be installed before you can Install IE11 silent.

Error Source 1, Setup tries to fetch updates in the back and fails because of Proxy

If these are not on the machine the Setup will try to fetch them from internet. Because the "Computer account" (Not the user) mostly has no PROXY information this will fail. I will not show you how you change that here; Target would be to have all files ready from deployment.

Error Source 2, Reboot OR WMI Update for Patches after installing PRE Patches

If you install the 9 patches with a batch or script you should:

a) Reboot the client which makes it a Reboot and advance package which some deployment can't handle

b) Solution > Rebuild the Patch Inventory by "c:\windows\system32\wbem\wmic.exe qfe" (Does not work on 19.03.2015)

The IEAK 11 Version from March 2015 does actualy check the Version of the files AS they are in place. So no Patches are checked to decide if add. Updates are downloaded. Thus the Reboot may be needed IF in use FIles are present.

> THUS only working solution would be on march 2015 to do a 3 STEP package

1) Install PRE Deployment Patches (Reboot)

2) Install IEAK (Reboot)

3) Install Post Deployment Patches (may need Reboot)

00:01.841: INFO:    Version Check for (KB2834140) of C:\Windows\System32\d3d11.dll: 6.1.7601.17514 >= 6.2.9200.16570 (False)
00:01.841: WARNING: Checking version for C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll.  The file does not exist.
00:01.841: INFO:    Version Check for (KB2639308) of C:\Windows\System32\Ntoskrnl.exe: 6.1.7601.17803 >= 6.1.7601.17727 (True)
00:01.841: INFO:    Version Check for (KB2533623) of C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll: 6.1.7600.16385 >= 6.1.7601.17617 (False)
00:01.841: INFO:    Version Check for (KB2731771) of C:\Windows\System32\conhost.exe: 6.1.7601.17514 >= 6.1.7601.17888 (False)
00:01.841: INFO:    Checking for correct version of C:\Windows\Fonts\segoeui.ttf.
00:01.856: INFO:    Version Check for (KB2786081) of C:\Windows\System32\taskhost.exe: 6.1.7601.17514 >= 6.1.7601.18010 (False)
00:01.856: INFO:    Version Check for (KB2888049) of C:\Windows\System32\drivers\tcpip.sys: 6.1.7601.17514 >= 6.1.7601.18254 (False)
00:01.856: INFO:    Version Check for (KB2882822) of C:\Windows\System32\tdh.dll: 6.1.7600.16385 >= 6.1.7601.18247 (False)
00:02.621: INFO:    Download for KB2834140 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=303935 -> KB2834140_amd64.MSU.
00:02.636: INFO:    Download for KB2533623 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=254722 -> KB2533623_amd64.MSU.
00:02.636: INFO:    Download for KB2731771 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258387 -> KB2731771_amd64.CAB.
00:02.636: INFO:    Download for KB2786081 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=273751 -> KB2786081_amd64.CAB.
00:02.652: INFO:    Download for KB2888049 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324542 -> KB2888049_amd64.MSU.
00:02.668: INFO:    Download for KB2882822 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=324541 -> KB2882822_amd64.MSU.

Error Source 3

KB2670838, Blurry Fonts Patch

KB2898202, Hotfix for Blurry Fonts Patch

If you take a closer look at the patches in KB2847882 you will see that thy want to install the "blurry Fonts patch / KB2670838" which caused a lot of trouble a few months ago. On most WSUS this is denied. However the IE11 needs that Patch. Even worse if you UNINSTALL the Blurry Fonts patch IE will get uninstalled fully.

Solution is to install KB2670838 and then KB2898202 the HOTFIX.

• FIX: Font smoothing and antialiasing for some fonts do not occur after hotfix 2670838 is installed in Windows 7 Service Pack 1 or Windows Server 2008 R2

  http://support.microsoft.com/kb/2898202

Thanks to Karen HU from Pactera/china for pointing us in that direction.

https://social.technet.microsoft.com/Forums/de-DE/0bb37a16-f8a3-4648-897e-6a1a5986a437/not-wanted-fonts-patch-kb2670838-and-ieak11-silent-last-status?forum=ieitprocurrentver

Here is how a Failed Logfile will look for the IE11 Setup c:\windows\IE11_main.log

01:52.679: ERROR:   WMI query for Hotfixes timed out. Query string: 'Select HotFixID from Win32_QuickFixEngineering WHERE HotFixID="KB2729094"'  Error: 0x00040004 (262148).
01:52.711: INFO:    Download for KB2729094 initiated. Downloading http://go.microsoft.com/fwlink/?LinkID=258385 -> KB2729094_amd64.MSU.
01:52.726: INFO:    Waiting for 1 prerequisite downloads.
02:23.880: INFO:    Prerequisite download processes have completed. Starting Installation of 1 prerequisites.
02:23.880: ERROR:   Error downloading prerequisite file (KB2729094): 0x800b0109 (2148204809)
02:24.098: INFO:    PauseOrResumeAUThread: Successfully resumed Automatic Updates.
02:24.114: INFO:    Setup exit code: 0x00009C47 (40007) - Required updates failed to download.

Here is a list of Binaries:

Uninstall described with IE10 but also valid for IE11

----------

WMI Hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider

who offers that info hangs or is out of date. Even with some command to refresh it0s stuck. This is a list of Hotfixes we found in that direction

For Existing Windows 7 64BIT Deployments with SP1.

YES = Installs on W7 SP1 64BIT with all Updates from WSUS do date 29.07.2015

NO  = Does not install on same system

001 (YES)

https://support.microsoft.com/en-us/kb/2705357

2705357

Windows6.1-KB2705357-v2-x64.msu

002 (YES)

http://support.microsoft.com/kb/2692929

2692929

Windows6.1-KB2692929-x64.msu

003 (YES but choose 2617858)

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2465990

2465990 > SUPERSEEDED > Replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)

2465990 > Windows6.1-KB2465990-v3-x64.msu (Older)

2617858 > Windows6.1-KB2617858-x64.msu (Newer, Superseeds the old one)

004 (YES)

https://support.microsoft.com/en-us/kb/2492536

2492536

Windows6.1-KB2492536-x64.msu

005 (NO)

https://support.microsoft.com/en-us/kb/982293

982293

Windows6.1-KB982293-x64.msu

Check this LINK:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

The "sm_info" from Dell does not work on most new machines and under Windows PE 2.X/3.0 so you will have to use VB/WMI to get the machine type:

Save above as bios.vbs

Then in a batch File you check the machine AND based on that you do certain things or install software which you can't install silent.

cscript.exe //NOLOGO c:\windows\system32\bios.vbs | find "8510"
if %errorlevel%==0 goto 8510

cscript.exe //NOLOGO c:\windows\system32\bios.vbs | find "6710"
if %errorlevel%==0 goto 6710

cscript.exe //NOLOGO c:\windows\system32\bios.vbs | find "6120"
if %errorlevel%==0 goto 6120

:8510
echo "This is HP 8550"
goto ende

:ende