Thursday, May 24, 2012

Windows 7 Trusted Sites for all users - Active Setup

On a recent deployment of laptops I needed to add a certain domain to Trusted Sites for all user accounts (local and domain) on a number of domain-attached computers.  Ideally I would use GPO to do this, but I also had to hit the local user accounts (in fact, local accounts would be used almost exclusively for these laptops).

With Windows XP we could do this by adding the proper keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\.  This applied the domain to the trusted sites for all users on the computer (the site was not visible in Internet Options, but it still applied), but in Windows 7 the HKLM option doesn't work anymore.  Adding the value to HKCU still works the same as before, but I can't do that for every local account on all of these computers, not to mention redo it should I ever need to change the value.

Note: There is a GPO to add trusted sites, but when it's enabled it removes the ability for the end user to then add to the list (greyed out).


After poking around I found several mentions of using Active Setup, which sounded very promising.  The only problem was that no one (that I read) really pointed out how to use it.


To start, here's a great writeup of what Active Setup is: http://www.sepago.de/helge/2010/04/22/active-setup-explained/
And this wiki site briefly hits on it: http://wpkg.org/Adding_Registry_Settings

But again, neither of these really says how to use it.  From the sites above, though, we get a brief rundown of how it works: at user logon it compares the component values under HKCU with those under HKLM; that tells it whether the component has already been applied for that user, and it runs the component if it hasn't.

Cool, so if we add a value to HKLM and it hasn't been added to HKCU then it applies, yeah!  Even better, we CAN manage HKLM from GPO.  So, using Active Setup we can apply settings to the local users using Computer Configuration GPOs.


To add an Active Setup key:
  1. Open regedit
  2. Navigate to HKLM\Software\Microsoft\Active Setup\Installed Components
  3. Here you see the list of GUIDs from other software / setups
  4. Add a new key; in my example I'm going to call it {newtrustedsite}.  It can be called anything, but it has to be unique (duh)
  5. Within this key add a new string value named "Version"
  6. Give Version a value, but don't use periods.  Use commas instead, for instance "1,0,1"
  7. Add a new string named "StubPath". This is what you want it to run: it could be an application to execute, a script, or some other command line.
  8. We're going to add a trusted site, so my StubPath is: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com" /v https /d 2 /t REG_DWORD /f

All done.

The user logs in, Active Setup detects that the component hasn't been "installed" for that user and runs the command, adding the key.  Now the user checks his trusted sites via the GUI, sees the site and can even modify it (including deleting the key you just added).  When you want to update the key you just make your changes to the StubPath and increment the Version value.

Now to push this via GPO you just use either an .adm template or Registry preferences under Computer Configuration.
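The same registration done from PowerShell instead of regedit, plus a per-user check that mirrors what Active Setup does at logon. This is an added example, not code from the post; the component name, Version and domain are the post's, the description text and the function name are assumptions.

```powershell
# Added example (not from the post): register the {newtrustedsite} Active Setup
# component from PowerShell, then check from a user session whether it has run.
# Component name, Version and domain come from the post; the description text is
# an assumption. Run the registration part elevated (HKLM is admin-writable only,
# which is what keeps StubPath from being changed by a regular user).
$component = '{newtrustedsite}'
$version   = '1,0,1'        # commas, not periods
$domain    = 'contoso.com'
$hklmKey   = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$component"

# StubPath is one command line that Active Setup launches in the logging-on user's
# context. Keep the inner double quotes: the key path contains spaces. Zone 2 is
# Trusted sites.
$stubPath = 'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
            $domain + '" /v https /d 2 /t REG_DWORD /f'

New-Item -Path $hklmKey -Force | Out-Null
Set-ItemProperty -Path $hklmKey -Name '(Default)' -Value "Trusted site: $domain"
Set-ItemProperty -Path $hklmKey -Name 'Version'   -Value $version
Set-ItemProperty -Path $hklmKey -Name 'StubPath'  -Value $stubPath

# Active Setup records the same Version under HKCU once StubPath has run for a
# user, so this mirrors the logon check: missing or lower in HKCU means "pending".
function Test-ActiveSetupApplied {
    param([Parameter(Mandatory)][string]$Component)
    $base    = "SOFTWARE\Microsoft\Active Setup\Installed Components\$Component"
    $machine = Get-ItemProperty -Path "HKLM:\$base" -ErrorAction Stop
    $user    = Get-ItemProperty -Path "HKCU:\$base" -ErrorAction SilentlyContinue
    if (-not $user -or -not $user.Version) { return $false }
    # "1,0,1" is compared field by field, so cast to [version] (needs at least two
    # fields) rather than comparing the strings as text.
    $mVer = [version]($machine.Version -replace ',', '.')
    $uVer = [version]($user.Version    -replace ',', '.')
    return $uVer -ge $mVer
}

Test-ActiveSetupApplied -Component $component   # $false until the user's next logon
```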

Friday, May 18, 2012

Windows could not parse or process unattend answer file

Had a lot of issues with cloning a Windows 7 system when using an unattend.xml

Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].

After much searching I found this which was spot on:
http://jamiebaldanza.org/2010/03/31/copyprofile-does-not-process-and-causes-windows-could-not-parse-or-process-the-unattend-answer-file-for-the-pass-specialize/

Thank you Jamie!

I had set the CopyProfile parameter and had ensured that only the Administrator account was present by removing the other profiles through the User Accounts control panel.

It seems that when I removed the users through the control panel it did not delete their entries under the ProfileList registry key.

To fix this, rather than making a new sysprep image, I did the following:
  • Exported the wim from WDS
  • Mounted my image from the WDS server
    • imagex /mountrw d:\ 2 c:\mountedimage
  • Modified the system registry values
    • Open regedit
    • Highlight HKEY_LOCAL_MACHINE
    • File - Load Hive
    • Navigate into your mounted image to Windows\System32\Config
    • Select the SOFTWARE file (it has no extension)
    • Give the hive a temporary name
    • Navigate into the temporary hive and remove the obsolete keys
    • Select the temporary hive name
    • File - Unload Hive
  • Commit changes
    • imagex /commit c:\mountedimage  (I found that running commit and unmount as separate commands limited the number of times I got the error that it couldn't fully unmount)
  • Unmount
    • imagex /unmount c:\mountedimage
  • Imported the wim back into WDS as a new build
    • Right click my install images group and "Add Install Image"
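The "load hive / remove the obsolete keys / unload hive" step as a script, added here as an example (not from the post). It loads the offline SOFTWARE hive from the image mounted at c:\mountedimage (the mount path from the post), reports ProfileList entries whose profile folder no longer exists inside the image, and removes them only when asked. The temporary hive name, the function name and the "profile folder is gone" test for obsoleteness are assumptions.

```powershell
# Added example (not from the post): find ProfileList entries left behind by
# deleting users through the control panel. The hive name and the "folder is
# gone" test are assumptions. Dry run by default; pass -Remove to delete.
# Run elevated, with the image already mounted read/write.
function Get-StaleProfileListEntry {
    param(
        [string]$MountPath = 'C:\mountedimage',
        [string]$HiveName  = 'TempSoftware',
        [switch]$Remove
    )
    $hiveFile = Join-Path $MountPath 'Windows\System32\Config\SOFTWARE'
    # reg.exe load is the command-line form of regedit's File > Load Hive
    & reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hiveFile" }
    try {
        $profileList = "HKLM:\$HiveName\Microsoft\Windows NT\CurrentVersion\ProfileList"
        foreach ($key in Get-ChildItem -Path $profileList) {
            $sid = $key.PSChildName
            # S-1-5-18/19/20 are the system and service profiles, never obsolete
            if ($sid -match '^S-1-5-(18|19|20)$') { continue }
            $imagePath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
            if (-not $imagePath) { continue }
            # C:\Users\bob inside the image lives at <MountPath>\Users\bob on this box
            $offline = Join-Path $MountPath ($imagePath -replace '^[A-Za-z]:\\', '')
            if (-not (Test-Path -LiteralPath $offline)) {
                [pscustomobject]@{ SID = $sid; ProfileImagePath = $imagePath; Removed = [bool]$Remove }
                if ($Remove) { Remove-Item -LiteralPath $key.PSPath -Recurse -Force }
            }
        }
        $key = $null
    }
    finally {
        # Release the registry provider's handles before unloading, or the hive
        # stays in use and imagex /commit later complains it cannot fully unmount
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

Get-StaleProfileListEntry             # dry run: list what would be removed
# Get-StaleProfileListEntry -Remove   # delete the stale entries
```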

Wednesday, May 16, 2012

Add Driver Package to Capture Image - Windows Deployment Services 2008 R2

Using Windows Deployment Services 2008 R2 with a Capture Image of Version 6.1.7600 I have now had two instances where the network doesn't load.  In both cases I've found that this is due to the network driver missing from the capture image.

I've found a lot of posts and blogs on how to add the drivers to the image and some do it the easy way, but a good number of them don't.


After booting from the capture image you attempt to enter the servername / ip address for the WDS and hit connect. This results in:

Error: The network location cannot be reached. For information about network troubleshooting, see Windows Help.

At this point if you press Shift+F10 to open a command prompt and type wpeutil InitializeNetwork followed by ipconfig, you get a blank response.  Running ipconfig /renew results in "The operation failed as no adapter is in the state permissible for this operation".


Add the driver to WDS:
  1. Download the NIC driver from the manufacturer and extract the .inf / other files.
  2. Place the driver files on the WDS server. In my case I put them in C:\Drivers\Lenovo\E520 in x64 and x86 subfolders.
  3. Open your WDS console
  4. Right click on Drivers
  5. Add Driver Package
  6. Select driver from a folder
  7. Navigate to the Drivers folder
  8. Next
  9. You should see it list all the drivers it finds
  10. Check the ones you want and press next
  11. Next
  12. It will copy the drivers
  13. Next
  14. Select or create a new driver group
  15. Finish
Add the driver to the Capture Image:
  1. Ensure your capture image isn't in use
  2. Go to Boot Images
  3. Select your Capture Image
  4. Right click and "Add Driver Packages to Image"
  5. Next
  6. "Search for Packages"
  7. In the results pane select the drivers you want to add
  8. Next
  9. Image will be mounted, drivers added and dismounted
  10. Finish
PXE Boot your machine to your capture image and connect.

Note: you can test the NIC driver prior to adding it to the image by putting the driver files on a floppy or USB drive, PXE booting to the capture image, pressing Shift+F10 to open a command prompt, running drvload "path to .inf" and then issuing wpeutil InitializeNetwork.

Thursday, May 3, 2012

Windows 2008 R2 View Print Server Properties

In Windows 2003 / 2008, to view the installed print drivers you could open your print server properties by simply right clicking white space in the Printers window.

With Windows 2008 R2 the process is just as easy, but since it's now different, it can be very difficult to find...
  1. Open Devices and Printers
  2. Highlight any object under the Printers and Faxes section
  3. At the top of the window three new options appear next to the usual "Add a device" and "Add a printer"
    1. See What's printing
    2. *Print Server Properties
    3. Remove Device