Deployment

Apple iTunes 12.7 and Software License Agreement registry key

Posted by nickekallen on in Deployment 1 Comment

Image result for itunesiTunes is the ugly step-child (or the Meg, or the bastard) of the Apple family. As iPhone still remains the phone of choice within my family and quite a few corporations there is still a need from time to time to deal with this excuse of a software.

As a revisit to the previous post where I did track down howto eliminate the end-user requirement to accept the Software License Agreement on corporate installations – there has been some changes in the years past. As the software has decided the progress updates are evil and show no indication of pretty much anything moving this will be how time is spent to track the latest version.

Previously to identify the necessary parts to avoid presenting the SLA for the end-user we required two parts. The first is an identifier for the SLA, and the second was where to put this identifier in the registry.

Registry

Second things first. The registry key still remains the same. The below is the registry key necessary for a Windows 10 x64 installation of Apple iTunes 12.7.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes]
"SLA"="EA1511"

 

SLA value

To retrieve the value (EA1511) we need a slightly different process than previously used. The value was stored in iTunesPrefs.xml in the earlier versions of iTunes, however that file doesn’t exist anymore and instead we can see the following files

image

Opening all of them will reveal binary or hexadecimal-files and neither will allow us to decipher anything we need. As the SLA is most likely located within the installation folder we can poke around and see if the actual SLA will provide us with anything.

Locating the RTF-file License within en.lproj (for english users) could potentially contain something useful.

image

Opening the document and scrolling around it will reveal the two last lines at the bottom of the document

image

And there it is!

End result

image

VMware Horizon View Client–silent install

Posted by nickekallen on in Deployment 0 Comment

A few short notes on howto silently deploy the VMware Horizon View Client 4.0.1.

The latest release can be downloaded from VMware

 

File: ‘VMware-Horizon-Client-x86_64-4.0.1-3698521.exe’

Intent is to have no desktop-shortcut, enable all features, set a default server and have the user automatically login.

Parameters:

'/s /v"/qn 
REBOOT=ReallySuppress 
ADDLOCAL=ALL 
DESKTOP_SHORTCUT=0 
STARTMENU_SHORTCUT=1 
VDM_SERVER=vdi.site.com 
LOGINASCURRENTUSER_DEFAULT=1 
LOGINASCURRENTUSER_DISPLAY=1"'

Registry update:

'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\VMware, Inc.\VMware VDM\Client\Security'
Name: 'LogInAsCurrentUser' Value: 1 Type: DWORD

Symantec Endpoint Protection 12.X on OSX

Posted by nickekallen on in ConfigMgr, Deployment 0 Comment

If you are using ConfigMgr 2012 (or one of the plugins hi-jacking the infrastructure – such as Parallels) to manage the Mac OSX devices there are some caveats to the ordinary guide of both from Symantec on howto install the Symantec Endpoint Protection aswell as the Microsoft guide “How to Create and Deploy Applications for Mac Computers in Configuration Manager”.

First of all you need access to the Symantec Endpoint Protection media and to actually start the installation. Once its started you can immediately headover to Symantecs guide on howto Deploy (keyword deploy) SEP with Apple Remote Desktop or Casper.

The guide states that once the installation is fired up (and you acknowledge that its OK if this requires you to restart the computer) you can access the Tools-menu

image

Clicking the “Create remote deployment package” will immediately fire off a new menu that will allow you to choose a file-name and a place where the new package can be saved.

image

Once the deployment package is created you you will receive a helpful note about only deploying this with a deployment system, and remembering to restart afterwards.

image

As per the ConfigMgr article on howto deploy applications for Mac there is a need to convert the generic PKG-format to the ConfigMgr compatible (and unique) CMMAC format.

This specific package does unfortunately not provide any detection mechanism, so the command-line to convert this package is.

./CMApputil –c SEPRemote.pkg –o /volumes/usbstick/ -s

-c points the utility to our original package

-o points to the where we want to place our final package (named SEPRemote.cmmac)

-s will omit the creation of the detection rules

Visual Studio 2013 silent install

Posted by nickekallen on in Deployment 4 Comments

Visual Studio 2013 is now available through Microsoft Volume Licensing Website, and can also be downloaded through Developer Network.

Directly from the Visual Studio-website you can find all editions with the latest Update 3 slipstreamed into a single media, however if you visit the Microsoft Volume Licensing Website there is only the RTM version of Visual Studio 2013 available. The major difference between the Visual Studio-website and the MVLS-website is that the license is embedded within the downloaded media you retrieve from MVLS. The files available from Visual Studio-website is a 90-day trial version. If you press the Key-option at MVLS no product key is presented to you.

So, if you want to deploy Visual Studio 2013 with the latest (or any) update? Do the following!

Downloaded Visual Studio 2013. Technically we are not interested in the bits, but when the download is started a product key is generated with the download link

Downloaded the latest ISO-file from the edition of Visual Studio 2013 (Professional perhaps?)

image

Once the ISO-files is downloaded (weighs in at about 6gb), extract the file.

Do not read the guide from Developer Network on howto deploy Visual Studio in an unattended manner (well, ok – if you really want to). Instead start the vs_<edition>.exe file with a question mark. Like this

vs_professional.exe /?

The following output is generated;

Setup - Usage

This setup supports the following switches:

/Help              Display this usage text.
/H
/?

/Quiet             Quiet mode with no display and no user interaction.
/Q
/Silent
/S

/Passive           Display progress but do not wait for user input.

/PromptRestart     Prompt the user before restarting the system.

/NoRestart         Do not restart during or after installation.

/ForceRestart      Always restart the system after installation.

/Log               <filename> Specifies a location for the log file.
/L

/Uninstall         Uninstall the product.
/U

/Uninstall /Force  Uninstall the product and features shared with other
products.
/U /Force          Warning: using this switch may cause other products i
nstalled on this machine to stop functioning properly.

/Repair            Repair the product.

/Layout            Create a copy of the media in specified folder.

/NoRefresh         Prevent setup checking for updates from the internet.

/NoWeb             Prevent setup downloading from the internet.

/Full              Install all product features.

/AdminFile         <filename> Specifies the installation control file.

/AddRemoveFeatures Choose which features to add or remove from the insta
lled product.

/CustomInstallPath <path>
Set Custom install location

/ProductKey        <25-character product key>
Set custom product key (no dashes)

For more information see <a href="http://go.microsoft.com/fwlink/?linkid=376912&c">http://go.microsoft.com/fwlink/?linkid=376912&c</a>
lcid=0x409

A sample command-line for silent install would be;

vs_professional.exe /Q /S /LOG %SYSTEMROOT%\TEMP\VS_2013_U3.log /NoWeb /NoRefresh /Full /ProductKey XXXX-XXXX-XXXX-XXX

Office 365 / 2013 and App-V – Exclude apps

Posted by nickekallen on in App-V, Deployment, Office 4 Comments

With the latest release (June 5) of Office Deployment Tool there is the ability to exclude applications when creating a package. For example, if you don’t want to deploy – say Lync? – even though you are technically licensed for it.

How does it work?

Create your XML-file

The XML defines what product you want to deploy / create an App-V package for.

A reference can be found on Technet, with the entire list of all applications that can be excluded. Do note that each application you want to exclude is a new line within the XML-file

image

<Configuration>

<Add SourcePath="c:\media\" OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
<ExcludeApp ID="Access" />
<ExcludeApp ID="InfoPath" />
<ExcludeApp ID="Lync" />
</Product>
</Add>
<Display Level="None" AcceptEULA="TRUE" />
<Property Name="AUTOACTIVATE" Value="1" />
</Configuration>

Run the command-line

Download source media;

 setup.exe /download c:\media\configuration.xml

Create the App-V package;

setup.exe /packager c:\media\configuration.xml c:\media\package

Now you have a package!

Just to deploy!

Remember, Office is only supported to be deployed as a global package when using App-V

 

Read more about this on Technet!

Adobe PDF Addon download

Posted by nickekallen on in App-V, Deployment 5 Comments

Previously I discussed the deployment of Adobe PDF Addon with a virtualized instance of Adobe Acrobat. The Adobe PDF Addon is also known as the Adobe PDF Printer or the Adobe Distiller. In the end – its a piece of software that contains a driver and therefore can not be virtualized.

Extracting this from a generic piece of Adobe Acrobat media is rather painful, if at all possible, however the Adobe Distiller (aka Adobe PDF Addon) is available as a standalone installer.

How would one retrieve this standalone installer?

Well, by an odd-chance I bypassed the Creative Cloud Packager and downloaded the Adobe FrameMaker 12 from the Adobe Licensing Website. Hidden within these source-files there is a folder named;

AdobePDFCreationAddOn11_x86_x64

image

There are a few things needed to silently install this msi (distillr.msi).

Visual C++ 2010 SP1 (x64) is a prerequisite for the application.

There is a check by the installer to ensure that it is not installed standalone. Within the InstallExecuteSequence table the following CustomAction-reference needs to be removed;

image

With the above in place – you are all set togo!

Apple itunes 11.1.4 and Software License agreement (and Process Monitor)

Posted by nickekallen on in Deployment 3 Comments

After discussing the an upgrade of iTunes throughout the organization and the implications of suppressing the forced Software License Agreement within iTunes on the initial launch I decided to go on a discovery with the iTunes application.

Previously all packagers have surpressed the Software License Agreement by providing the iTunesPrefs.xml file within the package and placed a copy within both %APPDATA% and %LOCALAPPDATA%. During an upgrade the fact that such a file would be replaced of course overwrites any user preferences. Potentially we could provide some additional scripting to crack open the files and replace any particular value that would tell iTunes that the Software License Agreement is accepted. The value (for 11.1.4) looks like this in %APPDATA%;


<key>license-agreements</key>

<dict> <key>EA1068</key> <true/>

</dict>

Thats a lot of work. And I am lazy.

Let’s review the start-up process of iTunes, without having accepted the Software License Agreement in Process Monitor

The actual license-agreement is obtained from a file called License.rtf, so we can easily search for this file within Process Monitor to see just about where iTunes is deciding to show the Software License Agreement.

image

If we review the activity above we can spot that pre-reading the License.rtf file (sv.lproj is for Swedish – so I am getting a Swedish license agreement) it checks a few registry keys and the file iTunesPrefs.xml. Obviously the checking of the iTunesPrefs.xml-file is to check wether or not this particular user had accepted the license agreement. However, the check for the registry key within HKEY_LOCAL_MACHINE was a bit unexpected. Actually it is looking for the registry value SLA – Software License Agreement. Unfortunately there is no documentation of this value anywhere. Obvious one is just to create a DWORD with a value of either 1 or 0. Neither changes the behavior of iTunes, however it can be confirmed that iTunes does read the value. Creating a string (REG_SZ) with a 1,0,Yes,No,Accepted, iTunes or any other value doesn’t change anything.

It seems to be a perfect fit though? The name SLA seems to fit the scenario, however what value can actually change the behavior of iTunes? Within %APPDATA%\Apple Computer\iTunes and the file iTunesPrefs.xml there actually is an answer to the question. It seems that setting the same value as located within iTunesPrefs.xml gets iTunes to suppress the presentation of SLA for all users on machine.

image

The value seems to change for every new version of iTunes– so with a new version of iTunes one would have to accept it once manually and extract the necessary value from the iTunesPrefs.xml-file

Final registry key from a Windows 7 x64;


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes]
"SLA"="EA1068"

Let’s wrap up a MST-file for easy deployment!

Desktop shortcut

Stops the desktop shortcut from beeing created

Goto the InstallExecuteSequence-table and set the following;

image

Language / Software Update / Suppress reboot / SLA

Forces the language to English, disable the Software Update and suppress any reboot – aswell as allow the installation to complete by accepting SLA

Goto the Property-table and set the following;

image

iTunes lockdown and SLA

Lockdowns any feature you want of iTunes and suppresses the SLA prompt. For a full explanation of the Parental Control feature within iTunes you can read the Apple-published article; How to manage iTunes Control features. The suggested value below will do some basic lockdown such as disabling checks for new versions

Goto the Registry-table;

image

Finally a nice clean installation for iTunes!

Adobe Reader Security – Trusted certificates

Posted by nickekallen on in Deployment 2 Comments

When Adobe Reader XI 11.0.0.6 was released there was suddenly a new pop-up once you open Adobe Reader for the first time, and had settings in the profile from an older Adobe Reader X installation.

image

The message reads;

Trusted certificates from your previous version of Adobe Reader were found. Would you like to import them?

Any certificates that are not imported in this step will not be available in this version of Adobe Reader.

Adobe calls this the Addressbook and apparently this specific feature is the Addressbook Import.

There is a setting within the Windows Registry reference (under Security –> Addressbook Import) that documents three options an administrator can make to avoid having this nagging users.

The setting is “iImportAddressBook” and has three options;

  • 0: Do not copy the old address book. The user is NOT prompted and the address book should NOT be installed.
  • 1 or null: Default: The user is asked whether the address book should either be installed or not.
  • 2: Import the address book silently.

To suppress this message, and silently import the address book you can set it the suggested DWORD-value to 2. It would look something like this;

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Security\cDigSig]
 "iImportAddressBook"=dword:00000002

If you need this to be part of the deployment the suggestion is to add this value as part of the Registry. Recommended approach is to use Adobe Customization Wizard XI – if using the Adobe supported editor the registry key will be part of their custom MSI table EnterpriseRegistries.

Oracle Java JRE 7 Update 51 MST

Posted by nickekallen on in Deployment 4 Comments

imageI created an MST-file for the Oracle JRE 7 Update 51 MSI and thought it would be a good idea to make it available for download.

Do note that in JRE 7 U45 there is a new exception-list which can be configured – another potential way to customize your package. See the exceptionlist documentation

How do you retrieve the Java 7 MSI-files?

See this FAQ answer for Oracle;

https://java.com/en/download/faq/msi.xml

Very detailed guide;

http://www.74k.org/extracting-java-msi-from-java-exe

How do you pre-configure settings for the deployment?

See this very detailed explanation from Oracle about deployment.properties;

http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html#overview

What does the MST file contain?

Registry-key to disable updates

[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000

Properties set to set security level for web-browsers to medium

WEB_JAVA_SECURITY_LEVEL set to M

(options are V for Very High and H for High (default)

Custom action to remove start menu shortcuts

Will remove the following directory;

%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Java

Download the MST-file here

There is a very detailed post on Itninja about the possibilites for deployment if more tweaking is necessary.

Identify CustomActions using Process Monitor

Posted by nickekallen on in Deployment 0 Comment

SysInternals has for a long time provided us with the valuable tool Process Monitor, which everyday presents new use cases.

While troubleshooting an installation that seemed to be running a specific CustomAction once a self-heal was initiated and in error set a few registry keys to an odd-value.

The registry-keys could not be located within the Registry-table and there was a ridiculus amount of CustomActions.

Registry key that was wrongfully set looked like this (when it was not correct);

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Taylor\Workbench\Installed Products]
"Proficy Machine Edition (TM)"="v5.50 Build 3655"
"View"="v5.50 Build 3655"
"Logic Developer - PLC "="v5.50 Build 3655"

Unfortunately, none of the CustomActions had very descriptive names as to which one would touch this key and there were a lot of them. A lot. Infact they started at 5750 and stopped at 6720 in the InstallExecuteSequence table.

How do you identify a CustomAction which sets a registry key ? Using timestamps in Process Monitor of course!

A fare warning before you start the steps; A lot of memory will be required due to the capture of Process Monitor

1. Fire up Process Monitor and let it monitor. No filter needs to be applied immediately.

2. Initiate the installation using verbose-logging. A sample command-line could look like this;

msiexec /i install.msi /qb TRANSFORMS=install.mst /l*v install.log

3. Once the installation is completed, stop the monitoring within Process Monitor.

4. Search for the registry key (or file if that is your case). As we are looking for when the registry key is updated, certain operations aren’t applicable. For example, RegOpenKey isn’t something that corresponds to the operation we are looking for. Therefore you can exclude this and avoid a lot of traversing through unnecessary finds.

As you can see, searching can take a bit of time;

image

The 3 million rows are quite heavy;

image

5. Once the applicable registry key is found and the RegSetValue is located the timestamp is located.

(click the image to see all of it)

image

6. Review the log-file generated during the installation and find the corresponding timestamp (12:04:11,972791 is the time in the screenshot).

The accuracy of Process Monitor has given us a very precise timestamp (972791 are the last digits) and we can easily see that during the time-slot of 12:04:11 there are 7 different CustomActions occuring, however only two occur within the reach of 12:04:11:97~.

image

As the FindfxViewVersion1 is actually executed after the timestamp, we can safely assume that it is the FindFrameWorXVersion that is setting the registry key in question.

7. Looking at the InstallExecuteSequence table the CustomAction is set to run at sequence # 6260, however no conditions are set for it.

The CustomAction will in error execute during any repair (and self-heal) and reset the registry keys due to the lack of conditions.

The following modification was done using InstEd to add a condition;

image

You could play around with different conditions that might suite your case and Symantec has provided a great overview of some commonly used scenarios!