Tuesday, October 20, 2015

Easy PowerShell Code Signing



The other day I started working with custom application detection method scripts in SCCM 2012 and wanted to use PowerShell as my scripting method.  Generally I will pass a temporary Set-ExecutionPolicy bypass, run the script, then reset the execution policy.  This works in SCCM 2012 application, package, and task sequence command lines, but it does not work for detection method scripts.  These require signed PowerShell scripts.

I figure, if I am going to go down the route of signing scripts I may as well start doing it for all of my scripts.  In order to make my life easier, I created a PowerShell script to automate this process.  This script also gives others who may not be familiar with script signing an easy way to sign their own scripts.

For this to work you will need a Class III Authenticode Code-Signing Certificate.  After you have the code signing certificate installed you are ready to run this PowerShell script to sign any script you have with your code signing certificate.

The script performs the following actions:
  1. Prompt user for the location of the script to be signed
  2. The script will then convert your .ps1 file encoding to UTF-8.  The Set-AuthenticodeSignature cmdlet will throw an error if files are not converted to UTF-8 encoding.  By default PowerShell scripts created with the ISE are saved with a "Unicode big endian" encoding.
  3. The script will then sign your .ps1 file with the code signing certificate from your system.
Script Code:
<# 
# NAME: PSCodeSigning.ps1 
# AUTHOR: Michael Wolf / http://thecomputermanagersden.blogspot.com/
# DATE:19.10.2015
.Synopsis 
  Signs Powershell Scripts with your Code Signing Certificate
.DESCRIPTION 
  This script will prompt you for the path to a script you wish to sign.
  It will then ensure the script is converted to UTF-8 encoding.  This is to resolve an issue with scripts created in ISE with a default encoding of "Unicode big endian"
  Finally your script will be signed with the code signing certificate available on your system.
.EXAMPLE 
   PSCodeSigning.ps1
.INPUTS 
   -
.OUTPUTS 
   - 
.NOTES 
   Be aware that you will need to have a valid code signing certificate in your User Certificate Store.
   Run the gci command below to confirm you have a code signing cert.
   gci cert:\CurrentUser\My -CodeSigningCert
   
   Function Get-FileName sourced from Scripting Guy
   http://blogs.technet.com/b/heyscriptingguy/archive/2009/09/01/hey-scripting-guy-september-1.aspx
#> 

Function Get-FileName($initialDirectory)
{
 #Load Windows Forms so the file picker dialog is available
 Add-Type -AssemblyName System.Windows.Forms

 $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
 $OpenFileDialog.initialDirectory = $initialDirectory
 $OpenFileDialog.filter = "All files (*.*)| *.*"
 $OpenFileDialog.ShowDialog() | Out-Null
 $OpenFileDialog.filename
} #end function Get-FileName

#Powershell script you wish to sign.
$ScriptPath = Get-FileName
#Stop if the dialog was cancelled and no file was selected
if ([string]::IsNullOrEmpty($ScriptPath)) { throw "No script selected." }
#Timestamp Server
$Timestamp = "http://timestamp.globalsign.com/scripts/timestamp.dll"

#Open and convert Powershell Script to UTF-8 encoding so it will work with Set-AuthenticodeSignature Commandlet
(Get-Content $ScriptPath) | Set-Content -Encoding "utf8" $ScriptPath -Force -Confirm:$false

#Retrieve the first installed code signing certificate
#If the certificate you wish to use is not the first certificate in the list adjust the [0] to the appropriate value.
$Cert = @(gci cert:\CurrentUser\My -CodeSigningCert)[0]
#Stop if no code signing certificate is installed
if (-not $Cert) { throw "No code signing certificate found in cert:\CurrentUser\My." }

#Sign
Set-AuthenticodeSignature $ScriptPath $Cert -TimestampServer $Timestamp
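
An added example, not part of the original script: a variant that selects the signing certificate by thumbprint instead of by position [0], rejects a certificate that is expired or has no private key, and reads the signature back with Get-AuthenticodeSignature to confirm it is valid. The function name Invoke-ScriptSigning and its parameters are hypothetical; the timestamp URL is the one used in the script above.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Invoke-ScriptSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,        # .ps1 file to sign
        [Parameter(Mandatory = $true)][string]$Thumbprint,  # thumbprint of the certificate to use
        [string]$TimestampServer = "http://timestamp.globalsign.com/scripts/timestamp.dll"
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Script not found: $Path"
    }

    # Pick the certificate explicitly so that a second code signing certificate
    # in the store can never be used by accident.
    $clean = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) { throw "No code signing certificate with thumbprint $clean in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this system." }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) - $($cert.NotAfter))."
    }

    # Re-save as UTF-8, as the original script does, then sign with a timestamp
    (Get-Content -LiteralPath $Path) | Set-Content -LiteralPath $Path -Encoding UTF8 -Force
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -TimestampServer $TimestampServer | Out-Null

    # Read the signature back from disk instead of trusting the signing call
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $clean) {
        throw "File is signed by an unexpected certificate: $($sig.SignerCertificate.Thumbprint)"
    }
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "No timestamp on the signature; it stops validating when the certificate expires."
    }
    $sig
}

# Usage (placeholder values):
# Invoke-ScriptSigning -Path 'C:\Scripts\Detect-App.ps1' -Thumbprint '<THUMBPRINT>'
```

A status of Valid also requires that the machine trusts the certificate chain, so running the same Get-AuthenticodeSignature check on a client shows whether the script will be accepted there.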

Tuesday, March 3, 2015

Microsoft SCCM 2012: How to create a SAS 9.4 Package

How to install SAS 9.4 silently using Microsoft SCCM 2012

Please reference the SAS Deployment Wizard and SAS Deployment Manager 9.4 User's Guide for tips on deploying SAS.  The sections relevant to SCCM deployment are the Quiet Installation section and the Record and Playback section.

The following assumes you already have a copy of the SAS 9.4 Software Depot.

Creating the SAS response file
Perform the following to create a record file on a test system without SAS installed.
  1. Copy the SAS 9.4 Software Depot to c:\ on the test workstation.
  2. Open a command prompt and type the following command to start creating a response file
    1. "c:\SAS Software Depot\setup.exe" -record -responsefile "c:\SAS Software Depot\sdwresponse.properties"
  3. Following are the SAS installation options I selected, but this will vary depending on your environment
    1. Select Deployment Task
      1. Select Install SAS Software, Next.
    2. Specify SAS Home
      1. Keep Default (C:\Program Files\SASHome), Next.
    3. Select Deployment Type
      1. Select Install SAS Foundation and Related Software, Next.
    4. Select Products to Install (* Default Selection)
      1. SAS Deployment Tester – Client*
      2. SAS Enterprise Guide*
      3. SAS Enterprise Miner Workstation Configuration*
      4. SAS Foundation*
      5. SAS Integration Technologies Client*
      6. SAS Providers for OLE DB*
      7. SAS/GRAPH ActiveX Control*
      8. SAS/IML Studio*
      9. SAS PC Files Server
      10. Select Next.
    5. Select SAS Enterprise Guide Mode
      1. Select 64-bit Native, Next.
    6. Select SAS Foundation Products
      1. Check all products (checked by default), Next.
    7. Specify SAS Installation Data File
      1. Select your sid file.  This should be found under the sid_files directory in your Software Depot.  If there is one in the sid_files directory the SAS deployment wizard should see it there by default.  Next.
    8. Select Language Support
      1. Select Clear All (only English is selected), Next.
    9. Select Regional Settings
      1. Select English (United States) en_US, Next.
    10. Default Product for SAS File Types
      1. Select Use existing default product for SAS file types, Next.
    11. Select SAS PC Files Server System Service Option
      1. Check Start Service Now and Automatically when Windows Starts, Next.
    12. Specify SAS PC Files Server Port
      1. Port Number 9621, Next. (This can be changed if you have security concerns)
    13. Deployment Summary, Next.
    14. Select Support Option
      1. Select Do Not Send, Next.
    15. Additional Resources, Finish.
  4. Copy the sdwresponse.properties file in the root of your Software Depot to the root of the Software Depot that will be the source for your package.
Creating the SCCM 2012 Silent Install Package
Note that due to the large deployment size of SAS it is not being installed from cache and instead run directly from the distribution point.
  1. Go to Software Library, Packages, and select Create Package
  2. Package
    1. Name = SAS 9.4 64Bit
    2. Description = EXPIRE=28FEB2015 (put whatever you want here, I put expiration for reference)
    3. Manufacturer = SAS
    4. Language = English
    5. Version = 9.4
    6. Check this package contains source file.  Then select the path to your SAS Software Depot.
    7. Next.
  3. Program Type
    1. Select Standard Program, Next.
  4. Standard Program
    1. Name = SAS 9.4 64Bit
    2. Command line = setup.exe -quiet -responsefile "\\sccmdp.fqdn\SMSPKGG$\packageID\sdwresponse.properties"
      1. Note that you need a full path to the response file, which is why I place the full path to the file on the distribution point.  Another method would be to precopy the response file to a known location on the endpoint and then reference that location.  The important thing is that the full path to the file is needed.
    3. Startup folder = (blank)
    4. Run = Normal
    5. Program can run = Whether or not a user is logged on
    6. Drive mode = Runs with UNC name
    7. Next
  5. Requirements
    1. Platform Requirements.  Select this program can run only on specified platforms
      1. All Windows 8 (64-bit)
      2. All Windows 8.1 (64-bit)
      3. All Windows Server 2012 R2 (64-bit)
      4. All Windows Server 2012 (64-bit)
      5. Windows 7 SP1 (64-bit)
      6. Windows Server 2008 R2 SP1 (64-bit)
      7. Windows Server 2008 SP2 (64-bit)
    2. Estimated disk space = Unknown
    3. Maximum allowed run time = Unknown
    4. Next.
  6. Summary, Next.
  7. Close
Now you need to Distribute the SAS 9.4 64Bit package to your distribution points and then Deploy the package to collections.

Creating an Uninstall Package
If you have the need to silently uninstall SAS 9.4 you can create a program with the following command line to silently uninstall SAS 9.4

"C:\Program Files\SASHome\SASDeploymentManager\9.4\sasdm.exe" -quiet -uninstallall

Updating SAS with a new license file
The following command can be used to update your SAS instance:

  1. 32Bit Version Renewals
    1. "C:\Program Files\SASHome\x86\SASRenewalUtility\9.4\sasrenew.exe" -s "datafile:%cd%\SAS94_9B7QDC_70007566_Win_Wrkstn.txt"
  2. 64Bit Version Renewals
    1. "C:\Program Files\SASHome\SASRenewalUtility\9.4\sasrenew.exe" -s "datafile:%cd%\SAS94_9B7QDC_70083910_Win_X64_Wrkstn.txt"

One thing to note is that the above command doesn't seem to play well when called directly from the program command line.  For this reason, I actually put this command into a .cmd or .bat file and then set up my program to call the .cmd or .bat file.

Also, if you have an environment where users may not have a consistent SASHome directory (Ex: SASHome2), you may want to copy the contents of the SASRenewalUtility directory to a source location and run the sasrenew.exe from there.

Other comments and considerations
In some scenarios you may not want to do a silent install and instead allow the user to select the options they want to install.  If this is the case there are some issues I ran into in my deployment testing.

  1. If the program calls setup.exe and the environment is set to Administrative Rights with the option Allow users to interact with this program some functions may not work correctly.  Specifically if users do a full installation it will prompt at some point for the location of the browser and will not allow the user to select or manually enter the location.
  2. To work around the issue noted above the program needed to be set to run with user rights.  This means the user will need to be a member of the administrators group on the system.  The user will also need read/execute rights to the content location on your distribution point.


Tuesday, August 12, 2014

SCCM 2012 R2 CU2: OSD fails with error 0x80004005

While applying an SCCM OSD image on systems with SSDs you may receive an error stating that the Task Sequence failed with error code 0x80004005.


This error will occur shortly after the partitioning sequence in OSD when it attempts to apply a wim.

One thing to note is that this issue has occurred for me in the following scenario.

  • SSD installed in the system.
  • Network card listed after SSD in the BIOS boot order.
  • A Format and Partition sequence similar to the following:


This issue did not occur if there was one primary partition set to 100%.  This issue may also appear if you have an SSD and a HDD with the HDD higher in the boot order in the BIOS or with the SSD on a SATA channel other than SATA0.  In my case the issue was caused by the NIC listed after the SSD hard drive in the BIOS boot order.

Following are my recommendations to resolve the issue:

  • Ensure SSD is on SATA0
  • If you have an SSD and a HDD in the system make sure the SSD is higher in the boot order.
  • Ensure that the NIC is listed before the SSD device in the BIOS boot order, similar to the boot order shown below.

Hopefully this helps.  Please leave a comment or provide feedback if you have any other suggestions that may be helpful to others that run across this issue.

Monday, June 9, 2014

Microsoft SCCM 2012: Office Professional Plus 2013 SP1 (32-bit) Application

This post will focus on creating a package in SCCM for Microsoft Office Professional Plus 2013 SP1 (32-bit).  This package will uninstall previous 32bit Office instances.

Please note that the 32bit Office version will not uninstall previous 64bit instances.  If you have a mixed 32bit/64bit Office environment you will need to set up other programs or packages to handle the uninstall of 64bit Office.

Visio and Project can be packaged in a similar manner.  If you have a Visio/Project source media that is 32 & 64 bit make sure you choose the setup.exe located inside of the x86 or x64 folder depending on which version of the application you are publishing.

Note:  After installing Office 2013 with Service Pack 1 from the Volume Licensing Service Center (VLSC) with a customized MSP file using the Office Customization Tool (OCT), Lync and OneDrive for Business are not installed.

Please reference the following post if you run into this issue:
http://blogs.technet.com/b/odsupport/archive/2014/03/21/lync-2013-and-onedrive-for-business-are-not-installed-when-installing-office-2013-with-service-pack-1.aspx

To resolve the issue download the updated OCT from here (choose the version that matches your office installation):
http://www.microsoft.com/en-us/download/details.aspx?id=35554

Run the .exe to extract the files to a temporary location.  Once extracted grab the admin folder and copy it over your existing Office 2013 SP1 source admin folder.

Creating an Office Customization .msp file


In order to deploy Office silently we will need to create an Office customization file.  This will include our product key as well as many other customizations.

First we need to go to the source where your Office install files are located and launch setup with the following command in order to start the Microsoft Office Customization Tool:

setup.exe /admin

Select Create a new Setup customization file for the following product.

Next we make any Office customizations that we would like to be applied to your Office install.  Following are the customizations I generally make to create a .msp that when applied will perform an install that requires no user interaction (progress bar only) as well as remove some of the initial popups users are prompted with.  In this case the .msp is for a MAK product key.

  • Setup
    • Installation and organization name
      • Organization name: = your organization
    • Licensing and user interface
      • Select Enter another product key
        • Product key: = xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
      • Check I accept the terms in the License Agreement
      • Display level: = Basic
        • Check Suppress modal
        • Check No cancel
    • Modify Setup properties (Add these properties in)
      • AUTO_ACTIVATE = 1 (Activates Office)
      • SETUP_REBOOT = Never (Suppresses Reboot)
  • Features
    • Modify user settings
      • Microsoft Office 2013
        • Privacy
          • Trust Center
            • Disable Opt-in Wizard on first run = Enabled
        • FirstRun
          • Disable First Run Movie = Enabled
    • Set feature installation states (Run from My Computer for all components)
Once you have made all of the changes that you would like to customize your Office installation select File, Save As.  Save the file in the Office\updates folder as customizations.msp.

Creating a SCCM Office 2013 Professional Plus 2013 (32-bit) Application


When creating an application for Office you will first point the application to the proplusww.msi, but Office doesn't allow you to install an application directly from that MSI.  You are required to install Office by launching setup.exe.  You will see in the following steps that we will initially point it to the proplusww.msi, then go back in and e

  • In the SCCM Console go to Software Library, Application Management, Applications, Create Application.
  • General section. Select Manually specify the application information.  Next.
    • General Information
      • Name = Microsoft Office 2013 Professional Plus 2013 SP1 (32-bit)
      • Administrator comments = Enter your admin comments here
      • Publisher = Microsoft
      • Software version = 2013 SP1
      • Check Allow this application to be installed from the Install Application task sequence action without being deployed
      • Next
    • Application Catalog
      • Icon.  Browse to the Office Setup.exe and select the Office icon from the list.
      • Check Display as a featured app and highlight in the company portal
      • Next
    • Deployment Types
      • Add
      • General section. Select Manually specify the deployment type information. Next.
        • General Information
          • Name = Microsoft Office 2013 Professional Plus 2013 SP1 (32-bit)
          • Administrator comment = Enter your admin comments here
          • Languages = English
          • Next
        • Content
          • Content location = location of your source Office file
          • Installation program = setup.exe
          • Uninstall program = setup.exe /uninstall
          • Next
        • Detection Method
          • Add Clause
            • Setting Type = Windows Installer
            • Product code = Browse to the proplusww.msi located in the proplus.ww folder of your Office source media
            • Ok
          • Next
        • User Experience
          • Installation behavior = Install for system
          • Logon requirement = Whether or not a user is logged on
          • Installation program visibility = Normal
          • Next
        • Requirements
          • Free Disk Space of any local drive >=  3072 MB
          • Operating System = Windows 7 / Windows 8 / Windows 8.1 / Windows Server 2008 R2 (64-bit) / Windows Server 2012 (64-bit)
          • Total physical memory >= 1024 MB
          • CPU >= 1000 MHz
          • Next
        • Dependencies
          • Next
        • Summary, Next.
        • Completion, Close.
      • Next
    • Summary, Next.
    • Completion, Close.
Now right click on your application and distribute content.  Once the content has been distributed you can now deploy the application to collections.