The malware apocalypse for Windows XP begins in just 1 day! Or does it?

XPGravestone

It doesn’t seem like 12 years since Windows XP and Office 2003 first arrived but now their time will draw closer to the end in less than 2 days. At this point Microsoft will drop Enterprise support for the products potentially making the products legacy and an increasing security risk?

What does this really mean for security? Well if I was a ‘bad guy’ I’d be waiting until the 8th April 2014 before unleashing any exploits I discovered for Windows XP and Office 2003. The reason is Microsoft will no longer engineer security patches for the products. Experts are describing this time as the malware apocalypse for Windows XP.

MemorableMomentsinZombieZinema38-1

The fact that most UK cashpoints, Self service retail tills and NHS hospitals are still on XP is really surprising. There is a wealth of free information on the internet to help organisations make the move from XP. This kinda makes me think of my mum’s old Jamaican saying:

“Those who wont hear, must feel!”

As with Y2K, the apocalypse came and went without so much as a flutter and I was looking forward this time to observe this foretold carnage however, this time the government has stepped in to try to stay the execution. This gives the public sector security patches for a further 12 months while they migrate from XP. After then perhaps the darkness will really begin.

BlackLanterns

Posted in Uncategorized | 4 Comments

LTI/ZTI Scripting: Add computer to an AD Group

I’m currently doing some intense SCCM 2012 training so I’ve not been posting or in the forums recently. I’ve still been responding to emails though.

I received an email from a reader earlier this week. He wanted to add the current computer to an AD security group during his deployment.

It turns out that I wrote such a script a few weeks earlier. It’s in the repository here.

The script will add the current computer to an AD Group that is set in the customsettings.ini

The script is then run in a task sequence with the command line:

cscript.exe “%SCRIPTROOT%\ZTIAddMember.wsf

The code below is a sample of the customsettings.ini changes.

[Settings]
Priority=Default
Properties=CustomProperty, ADGroup 

[Default]
OSInstall=Y
ADGroup = LDAP://CN=IT Computers,OU=Groups,DC=corp,DC=continuum,DC=com

The code is “As is”. No refunds!

Posted in MDT 2010, MDT 2012, SCCM, Scripting | Tagged , , , , | 24 Comments

Hotfix rollup released for Windows 7 SP1 and Windows Server 2008 R2 SP1.

MicrosoftUpdateCatalog

Big news in deployment right now. Microsoft has release a hotfix rollup is for Windows 7 SP1 and Windows Server 2008 R2 SP1. So it’s kinda like Service Pack 1 and a half. There are 4 flavours 2008R2 Itanium/x64 and Windows 7 x86/x64.

You can get it from Microsoft Update Catalog by clicking the link here.

MU_Updates

You can then add the updates to your basket and download them.

There’s a Microsoft KB article here. Article KB2775511

The updates are in a format suitable for importing into the Packages folder of your MDT deployment share.

MU_MDT_Packages

Posted in Deployment, Windows 7 | Tagged , , , , | 9 Comments

Deployment Terminology

There are a many terms used to describe the deployment of operating systems and its associated practices. Here are some of the most popular ones and an explanation of when to use them.

Deployment.
The process of applying operating system images to a computer(sometimes called build). This may also include it’s associated framework inc. drivers, patches, service packs, applications etc. The term is a general phrase that describes the process as a whole.

Windows Image Deployment (WIM Imaging).
This term describes any of the methods used to apply images based on the Windows Imaging file format.  

Operating System Deployment(OSD).
This term can be used literally but usually refers to the deployment of images using the OSD feature of System Center Configuration Manager.

Lite-Touch Deployment (LTI).
This describes the use of Microsoft Deployment Toolkit to apply images. This includes any such  methods including PXE boot with Windows Deployment Services

Zero-Touch Deployment (ZTI).
This describes applying images with System Center Configuration Manager with Microsoft Deployment Toolkit integrated.

User-Driven Installation (UDI).
This is Zero-Touch deployment that is initiatedby a user using the User Driven Installation feature of MDT. It could also refer to any other method of deployment where the user user initiates the build.

Imaging.
The term ‘imaging’ when appending a noun can refer to where the image is being deployed from but it’s not totally accurate terminology. eg WDS Imaging, File Share Imaging, 

Below are a few useful links to various articles on this topic.

Operating System Deployment Terminology This is a glossary of most of the popular imaging process technical terms.

Choosing a Deployment Strategy This post will demystify the terms High Touch, Lite-Touch and Zero-Touch.

Deployment Dilemmas This post will explain the following terms – In-Place Upgrade, New Installation, Refresh and Replace.

Posted in Uncategorized | 1 Comment

MDT: Refreshing computers with Static IP Addresses

No DHCP? No Problem

In this scenario, you have a computer with static IP Address assignments that you wish to maintain during a REFRESH.

There’s a Task Sequence step called Capture Network Settings. This runs the script ZTINICConfig.wsf that can capture network settings and store them in the Variables.dat file.

CaptureNIC

There are 2 switches of use here in the ZTINICConfig.wsf script. (From the manual)

/ForceCapture –  If there are any local networking adapters with static IP addresses saved, this script captures those settings and saves them to the local environment—for example, C:\MININT\SMSOSD\OSDLogs\Variables.dat. This script can be useful in capturing static IP settings for a large number of computers for automation.

/RestoreWithinWinPE – When specified, applies any saved static IP network settings to the local computer, when appropriate; used for internal processing only.

CaptureNIC-Params

Use both switches to capture adapter settings in a refresh.

Posted in Deployment, MDT 2010, MDT 2012 | Tagged , , , , | 14 Comments

MDT: Automating Static IP during Bare metal boot

No DHCP? No Problem

In this scenario, the requirement is to boot a lite touch boot image with a static IP address, where is no DHCP available. You can use a custom answer file (unattend.xml) to configure your static IP settings at boot. Below are 2 methods

Method 1 – Netshell

Use the answer file in your extra files folder to run a command line like netsh  during boot. I’ve previously explained how to use the extra files for BGInfo and the process is pretty much the same.

  1. Create a folder called ‘ExtraFiles’ (or Extrafiles64) in your deployment share.
  2. Next, create a folder called Windows with a subfolder called System32 beneath it.
  3. In the Deployment Workbench, Right-Click on the Deployment Share and select properties. Then click on the Windows PE x86 Settings (or Windows PE x86 Settings )Tab
  4. In the Windows PE Customizations section browse to the ExtraFiles (or Extrafiles64) folder

Unattend.XML

  1. Open Windows System Image Manager and select a DeploymentShare
  2. Then select a Windows Image
  3. Then create a New AnswerFile
  4. Add the following settings to the Answer File in the WindowsPE configuration Pass

Microsoft-Windows-Setup | RunSynchronous | RunSynchronousCommand

5. Add the following settings:

Description=Set Static IP Address
Order=1
Path=netsh interface ip set address Ethernet static 10.0.0.9 255.255.255.0 127.0.0.1

Description=Set Background
Order=2
Path=Bginfo.exe Win_PE.bgi /silent /timer:0 /NOLICPROMPT

Description=Lite Touch PE
Order=3
Path=wscript.exe X:\Deploy\Scripts\LiteTouch.wsf

WSIM-SetIP

In this example I am placing the command before BGInfo and Lite Touch PE. Ommit the BGInfo section if you’ve not configured it.

6.  Save the file in your deployment share as \ExtraFiles\Unattend.XML then update the deployment share to recreate the LiteTouchPE_x86.wim (or ISO or x64)

Method 2 – Set a Unicast IP Address

In this method, we use the native settings of the WindowsPE answer file configuration pass.

1. Navigate to Microsoft-Windows-TCPIP | Interfaces | Interface | Ipv4Settings and select Add Setting to Pass 1 windowsPE.

WSIM-Add-IPv4Settings

2. Add the following settings:

Ipv4Settings
    DhcpEnabled=false
Metric=10
RouterDiscoveryEnabled=false

WSIM-Set-IPv4Settings

3. Under Microsoft-Windows-TCPIP | Interfaces | Interface | UnicastIpAddresses

and select Add Setting to Pass 1 windowsPE.

WSIM-Add-IPAddress

4. Add an IP Address with the following settings:

Key=1
Value=10.0.0.9/24WSIM-Set-IPAddress

5. Navigate to Microsoft-Windows-TCPIP | Interfaces | Interface

and change the Identifier to “Ethernet”.

WSIM-Set-Identifier

6. Again, save the file in your deployment share as \ExtraFiles\Unattend.XML then update the deployment share to recreate the LiteTouchPE_x86.wim (or ISO or x64)

Be aware that this method only has very basic IP settings.

Posted in Deployment, MDT 2010, MDT 2012 | Tagged , , , | Leave a comment

MDT: Manually configure a Static IP Address during LTI Deployments

No DHCP? No Problem.

Part 1.

I’ve been working on the various methods of setting Static IP addresses during Lite Touch deployments and decided to space the articles out over the week. Today we’ll cover the easy ones.

If you boot into WinPE and find you don’t have an IP Address there are 2 quick ways to configure one. The first is to use the Welcome wizard pane. If you don’t see this pane then remove the line SkipBDDWelcome=YES from your bootstrap.ini file.

WelcomePane
Simply click the Configure with Static IP Address button then a new pane will appear where you can enter the IP details.

IPPane

You can also use netsh to set a static IP via a command prompt.

Netsh-SetStaticIP

In this scenario, WINPE uses “Ethernet” as the adapter name. The command is

netsh interface ip set address Ethernet static 10.0.0.9 255.0.0.0 127.0.0.1

In the next post, I’ll explain how to automate a Static IP Address during a bare metal boot.

Posted in MDT 2010, MDT 2012 | Tagged , , , , | 4 Comments