Posted by: Andreas Hammarskjöld | March 10, 2011

New homepage & Exhibiting at MMS 2011

After years(?!) of being in the dark ages we have now launched a new website for Atea Spintop (all of Atea Services have new pages). Please have a look at our new site at: http://www.ateaspintop.com/

I personally think it looks great, but hey ho, that's just me. Vegas is just a week away and Atea Spintop will be there as an exhibitor, so it's busy times.

//Andreas

Posted by: Mattias Fors | February 17, 2011

Windows AIK for Service Pack 1

You may have noticed that a new AIK has been released; more information can be found on Niehaus' blog:

http://blogs.technet.com/b/mniehaus/archive/2011/02/17/windows-aik-for-windows-7-sp1-released.aspx

Note that the CM team is still testing Windows 7 SP1 and WinPE 3.1, and until that testing is completed they are unsupported.

Posted by: Andreas Hammarskjöld | February 14, 2011

Utimaco SafeGuard Easy and the OSD Process

This post covers the settings and changes needed to deploy Windows XP from a single image to both encrypted and unencrypted computers.

Prerequisites

To follow this document you need a good understanding of BDD 2007 or Microsoft Deployment, as well as of how the Windows boot process works.

Changes to Customsettings.ini

At this customer a section was added to the BDD 2007 workflow that stopped the computer refresh process when the hardware was detected to be a laptop. This was done to prevent End User Support staff from accidentally destroying computers, since the process at the time did not handle the Utimaco SafeGuard Easy product. To allow refresh builds of laptops this line has to be removed from CustomSettings.ini. The line that disables builds on laptops sits in the Laptop-%True% section (or subsection) and sets the value OSINSTALL to zero (false), which makes the process halt and the OSD process return an error. To allow installation it has to be set to 1 (true), as it is in the Default section.

WinPE Filter Drivers

In order for WinPE to actually read an encrypted hard drive, special Utimaco drivers will have to be added to the WinPE boot image.

Reading an encrypted drive is only possible if there is a valid installation of the BootSector code, i.e. the Utimaco F2 prompt is displayed during boot. Booting into WinPE must happen after the manual or automatic PBA logon has completed.

If no active Utimaco BootSector code is found the filter drivers will not engage and all reading and writing to the disk is unencrypted. This is the case in a bare metal build: everything the deployment writes sits on the disk in clear text until SafeGuard has finished its initial encryption. It is possible to boot to PXE after the PBA logon, which would allow the process to be modified so that even bare metal builds are encrypted from the start and would shorten the time to full encryption after a bare metal build, but that is out of scope for this document.

Utimaco SafeGuard Version 4.2

The installation of the Utimaco 4.2 drivers is documented by Utimaco. Even though that document covers installing the drivers into BartPE, the process for WinPE is exactly the same.

Please note that the drivers for SafeGuard 4.2 CANNOT read a hard drive encrypted by 4.3; this is likely caused by a version mismatch in the BootSector code. The WinPE image must therefore carry the drivers of the SafeGuard version installed on the machines it will touch.

Utimaco SafeGuard Version 4.3

Adding the filter drivers for version 4.3 is exactly the same as for 4.2; if needed, the drivers can be lifted from an existing 4.3 installation by copying all SafeGuard 4.3 drivers from its System32\Drivers folder to the System32\Drivers folder of the WinPE image.

Update Reference Image

The reference image has to be updated with the appropriate version of Utimaco SafeGuard; both version 4.2 and 4.3 can be installed in the reference image. Make sure the virtual machine running the reference image has been completely encrypted before capturing the image.

Filter Driver for WinPE Capture ISO

The WinPE .iso file that is used for capturing the reference image has to be updated with the correct version of Utimaco drivers. If a reference image is created with Utimaco Safeguard 4.3 then the 4.3 filter drivers must be added to the capture .iso file.

Configuring Utimaco Safeguard Easy

Utimaco provides several methods of configuring the software. In this document we cover two of them: one based on configuration files, the other on scripting with the Utimaco automation object.

Other ways of configuring these settings could potentially be used, please refer to the Utimaco documentation for a thorough description of these methods.

Creation of configuration files

Utimaco provides a tool for creating configuration files; these can then be applied from the command line to change any of the settings. The exact process for creating them is documented in the Utimaco SafeGuard help files.

Automation Object

The automation object could also be used to configure Utimaco SafeGuard, as it provides a more flexible way of changing and querying settings. Currently there is no need for it, since the objectives can be met with configuration files; however, in a multi-setting environment where several machines are to be configured independently it is likely the better solution. The automation object is documented in Automation.chm in the "Tools" folder of the Utimaco SafeGuard Easy 4.2 CD.

Handling PBA

The PBA does not have to be disabled during an OS refresh; however, since the OSD process contains several reboots, it is necessary to do so in order to automate the entire process. Since this customer does not use PBA, testing has only been done with PBA turned on and without single user logon. Additional testing would be needed wherever PBA with single sign-on is encountered.

Utimaco Secure Wake on Lan

Even though this feature could potentially be used to bypass the PBA at boot time, it might not be practical: the WOL state is detected by the Microsoft and Utimaco SafeGuard Graphical Identification and Authentication (GINA) and interactive logon to the computer is disabled. Depending on the process chosen for PBA-enabled machines it could still be useful, as it avoids the Single Logon issues.

Disable PBA

The PBA is temporarily disabled during the migration by running the Utimaco SafeGuard Easy executable Execcfg.exe, located in the SafeGuard installation directory, with a configuration file that disables the PBA so that the computer boots straight into the OS without a pre-boot logon. This is done either before the deployment process starts or as part of the imaging process. The benefit of doing it outside the process is that imaging can be pushed from SMS outside working hours using WOL, limiting the impact on the end user; if the PBA has not been disabled before the machine is powered up, the computer halts at the PBA screen. Note that while the PBA is disabled the encrypted disk is unlocked at boot without any user authentication, so keep that window as short as possible and make re-enabling the PBA the last step of the deployment.

Depending on the PBA and Single Logon features configured, and on other requirements not yet known, the appropriate actions have to be chosen.

Re-Enabling PBA

After the computer installation has succeeded the PBA can be enabled again using the same process as above. When this happens depends on the post-deployment process; the most likely option is to enable the PBA when the OSD process has completed.

Enabling OS refresh with Utimaco

An OS refresh of a computer that has Utimaco SafeGuard Easy installed from the start needs no additional steps: the BootSector code is already installed and active, so the computer stays encrypted from beginning to end.

Re-Adding Utimaco Boot Sector Code for Bare Metal Laptops

To complete the Utimaco SafeGuard Easy installation on a computer built in the bare metal scenario, the preboot code must be installed. This is done by running the "execcfg.exe" executable and pointing it at the configuration file used for a full install.

Disabling Utimaco

Several steps are required to disable Utimaco after the image has been applied, but there is no requirement to do so: the computer works fine even if none of these steps are taken. An error message appears at boot time, but it does not stop or hinder the boot process, so removing the drivers is purely cosmetic. The steps do belong together, however: disabling the SGEFLT service while leaving its entry in the UpperFilters lists will bluescreen the machine, because the class filter it references can no longer be loaded.

Enabling a dormant Utimaco Install

The Utimaco SafeGuard Easy installation can be re-enabled later with the following commands, run as an administrator (for example from a small batch file; %~dp0 in the last line is the folder the batch file is run from). The Production.cfg file mentioned below is the same one used for a new install.

Please note that each command is a single line.

REM Service Start values: 0 = boot start, 2 = automatic start, 4 = disabled
REG.EXE ADD HKLM\System\CurrentControlSet\Services\AES-256 /v Start /t REG_DWORD /d 0 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGEFLT /v Start /t REG_DWORD /d 0 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGECTL /v Start /t REG_DWORD /d 2 /f
REG.EXE ADD HKLM\System\CurrentControlSet\Services\SGLogPlayer /v Start /t REG_DWORD /d 2 /f
REM Put the SafeGuard filter (SgeFlt) back in front of the stock upper filter of each device class.
REM REG.EXE separates REG_MULTI_SZ entries with \0. These lines overwrite the whole list, so any
REM other upper filter the machine uses (AV products etc.) must be added to the /d value as well.
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d "SgeFlt\0PartMgr" /f
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d "SgeFlt" /f
REG.EXE ADD HKLM\System\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F} /v UpperFilters /t REG_MULTI_SZ /d "SgeFlt\0VolSnap" /f
REM Reinstall the boot sector code with the production configuration, then reboot.
"%PROGRAMFILES%\SafeGuard\Safeguard Easy\execcfg.exe" /f:"%~dp0Production.cfg"

 

OSD Task Sequence Steps

The following steps have been added to the deployment sequence to achieve zero-touch deployments in the customer's environment. They are likely to change in the production environment, but they provide all the commands needed to automate the process.

Please note that each command line is a single line. Each task is listed as Phase / Group / Task name, followed by its description and command line.

Validation / Non Replace/Disable Computer / Disable PBA
Description: Disables the PBA using a configuration file. This could also be done by scripting directly against the Utimaco automation object.
Command line: "%programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe" /f:"%SCRIPTROOT%\DISABLEPBA.CFG"

PostInstall / Utimaco Configuration / Load System Hive
Description: Loads the system hive of the applied image so that it can be modified offline.
Command line: %SCRIPTROOT%\REG.EXE load HKLM\UtimacoSave %OSDTARGETDRIVE%Windows\System32\Config\system

PostInstall / Utimaco Configuration / Copy Volume Information
Description: Copies the volume information that WinPE has automatically populated into the mounted system hive. This ensures that Utimaco will not bluescreen with the new image.
Command line: %SCRIPTROOT%\REG.EXE COPY HKLM\System\CurrentControlSet\Enum\STORAGE\Volume HKLM\UtimacoSave\ControlSet001\Enum\STORAGE\Volume /s /f

PostInstall / Utimaco Configuration / Set Sysprep Bootdisk Signature
Description: Runs the ListDisk.vbs script (below), which sets the key Sysprep needs in order to run while Utimaco is enabled.
Command line: cscript.exe "%SCRIPTROOT%\ListDisk.vbs"

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Disable AES Driver
Description: Disables the AES encryption driver.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\AES-256 /v Start /t REG_DWORD /d 4 /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Disable SGE Filter Driver
Description: Prevents the filter driver from loading; without this the computer will bluescreen.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGEFLT /v Start /t REG_DWORD /d 4 /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Disable SGE Control Driver
Description: Disables the SGE Control driver.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGECTL /v Start /t REG_DWORD /d 4 /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Disable SGE Log Player
Description: Disables the SGE Log Player driver.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Services\SGLogPlayer /v Start /t REG_DWORD /d 4 /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Delete Disk Drive Upper Filter
Description: Removes the Utimaco filter driver from the disk class's list of upper filters; if this is not done the machine will bluescreen. Normally the only other upper filter on this class is PartMgr, but this could change with AV products etc. REG ADD overwrites the whole list, so any other filter present in the image has to be included in the /d value.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d PartMgr /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Delete Floppy Disk Upper Filter
Description: Same as above, but floppy drives normally have no upper filters by default.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318} /v UpperFilters /t REG_MULTI_SZ /d "" /f

PostInstall / Utimaco Configuration/Disable Utimaco on Desktops / Delete Storage Volume Upper Filter
Description: Same as above, but instead of PartMgr the default upper filter for volumes is VolSnap. The class GUIDs used in these commands are Microsoft defaults, so they should not change.
Command line: %SCRIPTROOT%\REG.EXE ADD HKLM\UtimacoSave\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F} /v UpperFilters /t REG_MULTI_SZ /d VolSnap /f

PostInstall / Utimaco Configuration / Apply Utimaco Production Settings
Description: Adds a line to Cmdlines.txt so that the Utimaco configuration is applied to the OS disk after Sysprep.
Command line: cmd.exe /c echo ""%programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe" /f:"%SCRIPTROOT%\Production.CFG"">>%OSDTARGETDRIVE%Windows\Source\i386\$OEM$\Cmdlines.txt

PostInstall / Utimaco Configuration / Unload System Hive
Description: Saves and unloads the modified system hive.
Command line: %SCRIPTROOT%\REG.EXE unload HKLM\UtimacoSave

StateRestore / N/A / Hide Utimaco Shortcuts
Description: Hides the Utimaco shortcuts when Utimaco is not used.
Command line: attrib.exe +H "%ALLUSERSPROFILE%\Start Menu\Utimaco\*" /S /D

StateRestore / N/A / Enable PBA
Description: Re-enables the PBA at the end of the deployment, where PBA is used.
Command line: "%programfiles%\SafeGuard\SafeGuard Easy\execcfg.exe" /f:"%SCRIPTROOT%\ENABLEPBA.CFG"
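The "Delete ... Upper Filter" steps above, like the commands for re-enabling a dormant install, write a fixed UpperFilters list (PartMgr, "", VolSnap, or SgeFlt in front of those) and therefore drop any other upper filter the image carries, for example one registered by an AV product. The script below is an added example, not part of the original post or of the Utimaco product: it takes the current value as printed by `reg query <key> /v UpperFilters` (REG.EXE shows REG_MULTI_SZ entries joined with \0), removes or re-inserts only the SafeGuard entry, and emits the matching `reg add` line for the loaded hive. It only builds command lines, so it runs on any machine; the sample `reg query` output and the "AvDiskFlt" filter name are constructed for the example.

```python
r"""
Generate REG.EXE command lines that remove or re-insert the SafeGuard upper
filter (SgeFlt) for a device class while keeping every other filter in place.

Input is the text that `reg query <key> /v UpperFilters` prints for the class
key in the loaded hive (REG.EXE shows REG_MULTI_SZ entries joined with \0).
Output is the matching `reg add` line.  The script only builds command lines,
so it runs anywhere; the sample `reg query` output below is constructed.
"""
import re
from typing import Dict, List, Optional

OFFLINE_HIVE = r"HKLM\UtimacoSave\ControlSet001"  # hive root as loaded by the task sequence
REG_EXE = r"%SCRIPTROOT%\REG.EXE"
SAFEGUARD_FILTER = "SgeFlt"  # upper-filter entry belonging to the SGEFLT service

# Microsoft device-class GUIDs from the post and the stock upper filter of each.
CLASS_DEFAULTS = {
    "{4D36E967-E325-11CE-BFC1-08002BE10318}": ["PartMgr"],  # disk drives
    "{4D36E980-E325-11CE-BFC1-08002BE10318}": [],           # floppy disk drives
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}": ["VolSnap"],  # storage volumes
}

_VALUE_LINE = re.compile(r"^[ \t]*UpperFilters[ \t]+REG_MULTI_SZ[ \t]*(.*?)[ \t]*$",
                         re.MULTILINE)


def parse_upper_filters(reg_query_output: str) -> Optional[List[str]]:
    """Entries of the UpperFilters value as printed by `reg query`.

    Returns [] when the value exists but is empty and None when no
    UpperFilters value was printed at all (the class has no upper filter).
    """
    match = _VALUE_LINE.search(reg_query_output)
    if match is None:
        return None
    raw = match.group(1)
    return [entry for entry in raw.split(r"\0") if entry] if raw else []


def without_filter(filters: List[str], name: str) -> List[str]:
    """Drop `name`; driver names are compared case-insensitively like the registry."""
    return [f for f in filters if f.lower() != name.lower()]


def with_filter_first(filters: List[str], name: str) -> List[str]:
    """Put `name` at the head of the list, the position the post's commands use."""
    return [name] + without_filter(filters, name)


def reg_add_upper_filters(class_guid: str, filters: List[str],
                          hive: str = OFFLINE_HIVE, reg_exe: str = REG_EXE) -> str:
    """`reg add` line writing `filters` back as a backslash-zero separated REG_MULTI_SZ."""
    key = f"{hive}\\Control\\Class\\{class_guid}"
    data = r"\0".join(filters)
    return f'{reg_exe} ADD {key} /v UpperFilters /t REG_MULTI_SZ /d "{data}" /f'


def plan(current: Dict[str, str], enable: bool) -> Dict[str, str]:
    """Map class GUID -> `reg query` text to class GUID -> `reg add` line.

    enable=False strips the SafeGuard filter (the "Disable Utimaco on Desktops"
    group); enable=True inserts it in front of whatever is there (the dormant-
    install commands).  A class without an UpperFilters value starts from its
    stock default so the result never references a missing filter driver.
    """
    commands = {}
    for guid, query_text in current.items():
        filters = parse_upper_filters(query_text)
        if filters is None:
            filters = list(CLASS_DEFAULTS.get(guid, []))
        if enable:
            new_filters = with_filter_first(filters, SAFEGUARD_FILTER)
        else:
            new_filters = without_filter(filters, SAFEGUARD_FILTER)
        commands[guid] = reg_add_upper_filters(guid, new_filters)
    return commands


# Constructed `reg query` output for a reference image with SafeGuard installed.
# "AvDiskFlt" is a hypothetical AV upper filter on the disk class that a fixed
# `/d PartMgr` would silently drop.
SAMPLE_QUERY_OUTPUT = {
    "{4D36E967-E325-11CE-BFC1-08002BE10318}":
        "HKEY_LOCAL_MACHINE\\UtimacoSave\\ControlSet001\\Control\\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318}\n"
        "    UpperFilters    REG_MULTI_SZ    SgeFlt\\0AvDiskFlt\\0PartMgr\n",
    "{4D36E980-E325-11CE-BFC1-08002BE10318}":
        "HKEY_LOCAL_MACHINE\\UtimacoSave\\ControlSet001\\Control\\Class\\{4D36E980-E325-11CE-BFC1-08002BE10318}\n"
        "    UpperFilters    REG_MULTI_SZ    SgeFlt\n",
    "{71A27CDD-812A-11D0-BEC7-08002BE2092F}":
        "HKEY_LOCAL_MACHINE\\UtimacoSave\\ControlSet001\\Control\\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\n"
        "    UpperFilters    REG_MULTI_SZ    SgeFlt\\0VolSnap\n",
}

if __name__ == "__main__":
    for title, enable in (("Disable SafeGuard filters", False),
                          ("Re-enable SafeGuard filters", True)):
        print(f"REM {title}")
        for line in plan(SAMPLE_QUERY_OUTPUT, enable).values():
            print(line)
```

In a task sequence the `reg query` text would come from running REG.EXE against the loaded HKLM\UtimacoSave hive before the "Delete ... Upper Filter" steps; the point of the example is the logic, which edits one entry and leaves the rest of the list untouched.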

 

ListDisk.vbs

This script runs from the task sequence while the target system hive is loaded as HKLM\UtimacoSave and records the boot disk signature that Sysprep needs.

' ListDisk.vbs - runs in WinPE while the target system hive is loaded as HKLM\UtimacoSave.
' Records the MBR signature of the disk that holds the active (boot) partition.
Option Explicit
Dim strComputer, oShell, strRegExe, objWMIService, colPartitions, objPartition, colDrives, objDrive
strComputer = "."
Set oShell = CreateObject("WScript.Shell")
strRegExe = oShell.ExpandEnvironmentStrings("%SCRIPTROOT%") & "\REG.EXE"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Start from the boot partition instead of looping over every disk, so a USB key or
' second disk cannot overwrite the value with its own signature.
Set colPartitions = objWMIService.ExecQuery("Select * from Win32_DiskPartition Where BootPartition = True")
For Each objPartition In colPartitions
    Set colDrives = objWMIService.ExecQuery("Associators of {Win32_DiskPartition.DeviceID='" & objPartition.DeviceID & "'} Where AssocClass = Win32_DiskDriveToDiskPartition")
    For Each objDrive In colDrives
        WScript.Echo "Index: " & objDrive.Index
        WScript.Echo "Partitions: " & objDrive.Partitions
        WScript.Echo "Signature: " & Hex(objDrive.Signature)
        ' Signature is unsigned 32-bit; WshShell.RegWrite only takes a signed Long for
        ' REG_DWORD, so write it through REG.EXE, which accepts the full range.
        If Not IsNull(objDrive.Signature) Then oShell.Run """" & strRegExe & """ ADD HKLM\UtimacoSave\Setup /v BootDiskSig /t REG_DWORD /d " & objDrive.Signature & " /f", 0, True
    Next
Next

Posted by: Mattias Fors | February 14, 2011

Adobe Acrobat and Reader X SCUP catalogs

Just read that Adobe will release SCUP catalogs for their new products, Acrobat and Reader X! Very happy to see that software vendors are starting to use this feature of SCCM.

Posted by: Mattias Fors | February 10, 2011

Windows 7 and 2008 R2 Service Pack 1 RTM!

Microsoft just announced that on 16 February they will release SP1 to VL customers and MSDN/TechNet subscribers, and on 22 February to the public and Windows Update.

Source:
http://windowsteamblog.com/windows/b/bloggingwindows/archive/2011/02/09/announcing-availability-of-windows-7-and-windows-server-2008-r2-sp1.aspx
http://blogs.technet.com/b/windowsserver/archive/2011/02/08/windows-server-2008-r2-and-windows-7-sp1-releases-to-manufacturing-today.aspx

Posted by: Andreas Hammarskjöld | January 17, 2011

Andreas and Johan selected to present at MMS 2011

Following the success of MMS 2009 (our session ended up as one of the top 10!) and the ash failure of 2010, Andreas and Johan Arwidmark have been selected to present at this year's MMS conference.

Link to the session on the MMS website: http://www.mms-2011.com/topic/details/BA32

//Andreas

Posted by: Andreas Hammarskjöld | January 14, 2011

Andreas has a new Job!

I am now working with Atea Spintop as a product area manager for their infrastructure software. Hopefully I will have more time to blog about interesting bits here.

Also check out http://www.ateaspintop.com and http://www.facebook.com/ateaspintop

//Andreas

Posted by: Mattias Fors | December 7, 2010

Slow startups?

Have you ever wondered why your startup is slow? I assume you have noticed the new Event Viewer, but have you noticed the Applications and Services Logs? Also try turning on View > Show Analytic and Debug Logs.

Back to our goal, slow startups. Have a look at this log: Applications and Services Logs\Microsoft\Windows\Diagnostics-Performance\Operational.

Look at event ID 100 for startup, 200 for shutdown and 300 for standby.

Open an event with event ID 100 and it could look something like this:

[Screenshot of an event ID 100 entry]

You can clearly see that this startup took 321482 ms, just over 5 minutes. Open the Details tab for more detailed information about every step in the startup sequence. To see what took longer than usual, have a look at the events with event ID 101.

You could also try my PowerShell script, which gathers the information and summarizes it for you:

BootTime (ms)
Count   : 65
Average : 228819,692307692
Maximum : 549529
Minimum : 177727

Main Path Boot Time (ms)
Count   : 65
Average : 142792,153846154
Maximum : 466829
Minimum : 92587

Boot Post Boot Time (ms)
Count   : 65
Average : 86027,5384615385
Maximum : 91480
Minimum : 71100

BootNumStartupApps
Count   : 65
Average : 23,7384615384615
Maximum : 41
Minimum : 21

OSLoaderDuration (ms)
Count   : 65
Average : 3990,6
Maximum : 4400
Minimum : 3606

Top 10 start up applications
svchost.exe 26215 ms
Rainmeter.exe 21783 ms
MpSigStub.exe 19632 ms
OUTLOOK.EXE 19463 ms
explorer.exe 18913 ms
SearchIndexer.exe 13772 ms
explorer.exe 10954 ms
explorer.exe 9693 ms
LogonUI.exe 7958 ms
MsMpEng.exe 7303 ms

Top 5 start up drivers
RDPCDD 1701 ms
RDPENCDD 1699 ms
RDPREFMP 1679 ms
cdrom 443 ms

Top 5 start up services
windefend 4210 ms
audiosrv 992 ms
plugplay 636 ms
audioendpointbuilder 619 ms
audiosrv 478 ms

Download it here

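The summary above is produced by the author's PowerShell script, which is not reproduced on the page. As an added example (not the author's script), the Python below does the same job offline on events exported with `wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /f:xml`: it reads the event 100 summary fields named in the output above and ranks the event 101/102/103 reports by their TotalTime. The field names follow the Diagnostics-Performance event schema; the sample export and its numbers are constructed for the example.

```python
"""
Summarise Windows Diagnostics-Performance boot events from an XML export, e.g.
    wevtutil qe Microsoft-Windows-Diagnostics-Performance/Operational /f:xml > boot.xml
Event 100 carries the per-boot summary (BootTime, MainPathBootTime,
BootPostBootTime, BootNumStartupApps, OSLoaderDuration, all in ms); events
101, 102 and 103 each name an application, driver or service that took longer
than usual (Name, TotalTime).  The sample export below is constructed.
"""
import xml.etree.ElementTree as ET
from statistics import mean
from typing import Dict, List, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BOOT_SUMMARY = 100
SLOW_EVENT_IDS = {"applications": 101, "drivers": 102, "services": 103}
SUMMARY_FIELDS = ("BootTime", "MainPathBootTime", "BootPostBootTime",
                  "BootNumStartupApps", "OSLoaderDuration")

Event = Tuple[int, Dict[str, str]]  # (EventID, {Data Name: value})


def _event(event_id: int, **data) -> str:
    """Build one <Event> in the wevtutil export format (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Diagnostics-Performance"/>'
            f'<EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed export: two boots (MainPathBootTime + BootPostBootTime = BootTime),
# three slow-application reports and one slow-service report.
SAMPLE_XML = "\n".join([
    _event(100, BootTime=321482, MainPathBootTime=230000, BootPostBootTime=91482,
           BootNumStartupApps=41, OSLoaderDuration=4400),
    _event(100, BootTime=177727, MainPathBootTime=92587, BootPostBootTime=85140,
           BootNumStartupApps=21, OSLoaderDuration=3606),
    _event(101, Name="OUTLOOK.EXE", TotalTime=19463),
    _event(101, Name="explorer.exe", TotalTime=18913),
    _event(101, Name="explorer.exe", TotalTime=10954),
    _event(103, Name="windefend", TotalTime=4210),
])


def load_events(xml_text: str) -> List[Event]:
    """Parse a wevtutil export: a bare sequence of <Event> elements with no root."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    events: List[Event] = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((event_id, data))
    return events


def boot_stats(events: List[Event], field: str) -> Optional[Dict[str, float]]:
    """Count/Average/Maximum/Minimum of one event-100 field, or None if absent."""
    values = [int(data[field]) for eid, data in events
              if eid == BOOT_SUMMARY and field in data]
    if not values:
        return None
    return {"Count": len(values), "Average": mean(values),
            "Maximum": max(values), "Minimum": min(values)}


def slowest(events: List[Event], kind: str, n: int = 10) -> List[Tuple[str, int]]:
    """Top-n (Name, TotalTime ms) for kind in {'applications','drivers','services'}.

    One row per event, so a program that was slow on several boots appears
    several times, just as explorer.exe does in the post's output."""
    rows = [(data["Name"], int(data["TotalTime"])) for eid, data in events
            if eid == SLOW_EVENT_IDS[kind] and "TotalTime" in data]
    return sorted(rows, key=lambda row: row[1], reverse=True)[:n]


def report(events: List[Event]) -> str:
    """Text report in the same shape as the post's script output."""
    lines = []
    for field in SUMMARY_FIELDS:
        stats = boot_stats(events, field)
        if stats:
            lines.append(field)
            lines.extend(f"{k:<8}: {v}" for k, v in stats.items())
            lines.append("")
    for kind, n in (("applications", 10), ("drivers", 5), ("services", 5)):
        lines.append(f"Top {n} start up {kind}")
        lines.extend(f"{name} {total} ms" for name, total in slowest(events, kind, n))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_events(SAMPLE_XML)))
```

Replace SAMPLE_XML with the contents of the wevtutil export to run it against a real machine; the 101 rows are also a quick way to review which startup programs are actually running at logon.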

Posted by: Andreas Hammarskjöld | December 4, 2010

Wikileaks

Wikileaks is still under fire from people trying to shut it down. Found this funny text on one of the mirrors at: http://213.251.145.96/cable/2007/05/07STOCKHOLM506.html

"The good cooperation on counterterrorism, both domestically and internationally, has helped Swedish authorities carry out their mandate to protect Swedish citizens and national interests. Due to domestic political considerations, the extent of this cooperation is not widely known within the Swedish government and it would be useful to acknowledge this cooperation privately, as public mention of the cooperation would open up the government to domestic criticism."

What happened to our sovereignty and neutrality?

//Andreas

Posted by: Andreas Hammarskjöld | December 3, 2010

Gaga and MMS 2011

Hey,

Just realized that Lady Gaga plays at the MGM on the 25th of March. This means that any MMS-goers have the chance to see her perform in the city of sin.

//Andreas
