Adding Console Users to PDQ Deploy

Posted in PDQ Deploy

We made some pretty big changes in PDQ Deploy 10. One change that may have caught a few PDQ Deploy users off guard is the need to add console users for access to the PDQ console instead of simply having local admin privileges. Adding console users is especially important for those who use PDQ Deploy through the command line interface.

Adding Console Users to PDQ Deploy

If you go to File > Preferences > Background Service, you will see which user processes all background tasks for PDQ Deploy. It is also in this window that you can add console users. Console users are Windows users that have access to the PDQ Deploy console.


After adding the computer name, you’ll need to type the password for the background service user (not the user you are adding).

Alternatively, admins are added by logging in after starting PDQ Deploy. If the user opening PDQ Deploy is not a registered console user then they’ll see this message:

[Screenshot: logging in as console user]

At this point, you have two options:

  1. You need to add this user to the list of console users (using the method shown above).
  2. In this window you (or the user) may enter the password for the Background Service (Quintana in our example). Once they’ve logged in at this screen, their machine is added to the list of console users.



 


How to Manage Java Settings

Posted in Deployment Examples, PDQ Deploy

Java’s quarterly release for July 19, 2016 (Java 8 update 101) contains fixes for security vulnerabilities. Admins are advised to apply this critical patch to systems as soon as possible to protect against potential attacks. Here’s a quick guide to silently install Java 8 and then manage Java settings for added security and control. Below is a video tutorial on these steps.

Silently Install Java 8

In PDQ Deploy you have a couple options to silently install Java 8. You can use the Package Library which has a Java 8 deployment package that is ready to import and silently install across your network. (PDQ Deploy trial users have access to up to three free package imports from the Package Library during their trial.) Alternatively, you can build your own package using the free version of PDQ Deploy.

Using the Package Library

We’re a lot biased and do recommend using the Java 8 package available in the Package Library. This deployment package contains additional steps that ensure your deployment will be successful, such as uninstalling past versions of Java and exiting programs that can cause deployments to fail.

Bonus, the work building the package is already done…so why not use what’s already there?

  1. Import your package. Navigate to the Package Library and select Java 8 Update 101 64 or 32-bit (depending on what machines you are deploying to). Click “Import” to begin downloading your package.
  2. Send your deployment to target computers. Your import can be found (by default) in the left tree under the Packages folder. Highlight the Java Package and click “Deploy”. From there you’ll be able to select target computers from AD, Spiceworks, or PDQ Inventory. Click deploy and you’re done!


Building Your Own Deployment Package

    1. Download the offline version of Java. Online versions are smaller in size and will not silently install successfully.
    2. Extract the Java MSI. You will want the Java MSI over the EXE because MSIs have already defined silent parameters, which you must have for a successful deployment. If you don’t have silent parameters you could see error messages, have failed deployments or worse.
    3. Now you’re ready to build your deployment package. Add the Java MSI to the Install File line, and be sure to select Include Entire Directory. Then you’ll want to add the following parameters on the parameters line to disable auto updates and machine reboots:
     JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No

Manage Java Settings

Now that you have that deployed…it’s time to manage Java settings.

  1. Create a new GPO for managing Java settings in your Group Policy editor.
  2. In your Group Policy Management Editor, right click and select the Oracle Java pak. (Refer to this video to learn how to set up PolicyPak and add your Java “pak”.)
  3. Double-click on your newly added Java pak to start managing. You’ll see several tabs of options for settings in Java. Here are a few suggested settings to look at:
  • Update: Uncheck “Check for Updates Automatically”. Having this unchecked means you can decide when Java gets updated and can deploy patches on your terms, rather than leaving it to Oracle (or your user) to decide.
  • Security: Select “Very High” from the Security Level dropdown.
  • Exception Site List: You can set MODE=REPLACE to override any site list settings, or you can set MODE=MERGE to add sites to any existing site lists.

 

With your settings you can (and probably should for utmost protection against users tampering with your settings) right click and select “Perform ACL Lockdown”.


What’s New in PDQ Deploy 10

Posted in PDQ Deploy

The PDQ Deploy release has new features that make it even easier to get deployments out to the correct computers and with more precision. Depending on your environment, some users may find this means faster deployments.

Additionally, there are improvements to repository clean up and added integration with PDQ Inventory. PDQ Deploy can be upgraded to version 10 by clicking the “A new version is available” notice in the right corner of your console.

New Features in PDQ Deploy 10

Additional Deployment Conditions

PDQ Deploy 10 boasts new conditions in deployment steps to allow you to run (or not run) steps on certain deployment targets. Deployment step conditions are a Pro and Enterprise level feature.


File and Registry Conditions

Set steps within your deployments to only go to target computers with particular registry keys or values. With file conditions you also have some wildcards you can use, which you can add by clicking the green plus symbol.

PowerShell Condition

This allows you to limit steps in deployments to computers with particular versions of PowerShell. Use the drop down to check versions of PowerShell you want target computers to have for a particular environment. If a computer does not have a PowerShell version you have selected, then the package will not deploy.

Repository Exclusions

In PDQ Deploy 9, repository clean up was introduced (see File > Preferences > Repository). Now you have the option to choose which individual files or directories to exclude from clean up. Check multiple files to exclude or select one and click Exclude Directory to add items to your exclusion list.


Open in PDQ Inventory Option

Need to see more information on a computer you see in PDQ Deploy? Easy. Right click on any computer name and select Open in PDQ Inventory. This will open the computer window in PDQ Inventory. You can also select multiple computers before right-clicking to see information for those computers.


Delete Deployment History

Clear the deployment history in your scheduled deployments for any computer. This feature is handy if you have imaged a new computer using the same name as a previous computer. Clearing the history will allow PDQ Deploy to send deployments to the new computer that otherwise might have been marked as already successfully deployed to.

In your schedule under the Computer History tab, when a computer is highlighted you have the option to delete the history for that computer. Next time a schedule is run, the deployment will be sent to the computer as no record of that deployment being run exists. You can also click Delete from All Schedules to remove all history of that computer from any and all schedules it may have been a part of.






How to Silently Install WinZip (and then Globally Manage it)

Posted in Deployment Examples

Let’s get WinZip deployed to your computers. After you silently install WinZip, you’ll then define the settings you want on all devices in your network. Below is a video that will walk you through all the steps.

Silently Install WinZip

Because WinZip is a paid product (you’ll need your own license handy), it’s not available in the Package Library. However, it is a very simple application to create a deployment package for (and the free download of PDQ Deploy is all you’ll need to get the job done).

In PDQ Deploy, create a new package and for the install field add your extracted MSI file for WinZip. You’ll need the following parameters to silently install WinZip. Without parameters your deployment could time out and fail.

INSTALLCD="/noqp /noc4u /noip /nopredefinedjobs /autoinstall"

Before you exit out, make sure you have “Include Entire Directory” checked so that you have all the needed files for installation. You’re ready to deploy.




Managing WinZip

Watch this video to learn how to set up PolicyPak. The video will also show you where to find and how to add the “Paks” you’ll need to help quickly manage hundreds of applications.

  1. First things first…in your Group Policy editor, add a new GPO. Right click and select edit.
  2. In the Group Policy Management Editor, right click and select WinZip. (Refer to the video on setting up PolicyPak to see how to set up these paks.)
  3. Double-click on the WinZip application listed to open the panel you’ll use to adjust settings for WinZip in Group Policy. Make your changes and adjustments, then right click within the panel to select “Disable corresponding control in target application”, or if you have particularly clever end users, you may also want to select “Perform ACL Lockdown” to make sure your settings are not tampered with. You can also make certain none of your users adjust the settings you select in any tab by right clicking on the tab you want to lock and selecting “Disable whole tab in target application”.

After applying GPUpdate your settings will take effect. It’s that easy!


Remotely Install Printer Drivers

Posted in Deployment Examples, PDQ Deploy

There are a few ways to remotely install printer drivers. This post will cover two methods, using a print server and setting up an IP port. Both of these methods are also covered in a tutorial done at a webcast. A recording of this webcast is available below. Let’s dive in!

Remotely Install Printer Drivers

Using Print Server

This method is the easiest and adds the printer for all users on the target machine. To add a printer using a print server you’ll need to run a couple of commands. Using PDQ Deploy, create a new package and add two command steps.

The first command step will delete the printer if it already exists. Doing this prevents errors that can occur from adding an already existing printer.

%WINDIR%\system32\Printui.exe /gd /q /n"\\TOKEN\Lexmark MS310dn North"

In the second command step, you’ll add the printer. The difference between these commands is the /gd (for global delete) is now a /ga (for global add).

%WINDIR%\system32\Printui.exe /ga /q /n"\\TOKEN\Lexmark MS310dn North"

In both commands /q is critical for a silent deployment. Without that parameter your deployment will hang. You can see other parameters by entering the following into a command prompt:

printui /?

For your changes to take effect you may need to stop and start the print spooler. If after deploying the printer does not appear, add the following commands to your deployment:

NET STOP SPOOLER 
NET START SPOOLER

IP Port

In this method, you will create a TCP/IP port and then install your printer.

First, spare yourself possible errors and clear out the printer and port. For this deployment package you’ll start off with a command step with the following command (of course, substitute your own printer name and IP address in your commands):

cscript %WINDIR%\system32\Printing_Admin_Scripts\en-US\prnmngr.vbs -d -p "Lexmark MS310"
cscript %WINDIR%\system32\Printing_Admin_Scripts\en-US\prnport.vbs -d -r "IP_10.0.0.246"

In the next command step, you’ll add the port. Again, substitute the appropriate IP address in quotes.

cscript %WINDIR%\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r "IP_10.0.0.246" -h 10.0.0.246

 

Your next two steps (one for each architecture type, 32-bit vs. 64-bit) will install your printer using an install step. You’ll want to get your install files from the printer vendor and research what parameters you may need to silently install your printer driver.

For our example (which you can watch in the video below starting at 21:53), we got a batch file from the vendor, which is listed in the install step as the install file. The “Include Entire Directory” box is also checked. This is important if your installation requires multiple files.

 




How to Prevent a Disconnect During GP Update

Posted in Uncategorized

If you’ve used RDP and run gpupdate /force, you may have seen the “Remote Desktop Services session has ended” error, which forces your RDP session to disconnect. Here’s how to prevent a disconnect during GP Update. It just requires a simple registry edit.


 

Prevent a Disconnect During GP Update

Reconnect to the machine and go to your registry editor.

Then go to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet. Once under CurrentControlSet, do a search for fDenyTSConnections. Odds are you’ll see a “1”. Double-click to edit and change the Value data field to 0.


That’s it! When you go to run gpupdate /force again, the policy will successfully update.
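The same registry edit as a scripted check, added here as an example that is not part of the original post: it reads fDenyTSConnections (1 denies inbound RDP, 0 allows it), reports whether a Group Policy copy of the value exists that will be enforced at the next refresh, and shows whether Network Level Authentication is required before the value is changed. The function names are hypothetical; the registry paths are the standard Terminal Server locations.

```powershell
# Added example, not from the original post. Function names are illustrative.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RdpDenyState {
    $local  = Get-RegDword -Path $TsKey     -Name 'fDenyTSConnections'
    $policy = Get-RegDword -Path $PolicyKey -Name 'fDenyTSConnections'
    $nla    = Get-RegDword -Path $RdpTcpKey -Name 'UserAuthentication'

    # When the policy value exists, it is the one Group Policy enforces.
    $effectiveDeny = if ($null -ne $policy) { $policy -eq 1 } else { $local -eq 1 }

    [pscustomobject]@{
        LocalValue    = $local
        PolicyValue   = $policy
        PolicyManaged = ($null -ne $policy)
        EffectiveDeny = $effectiveDeny
        NlaRequired   = ($nla -eq 1)
    }
}

function Set-RdpDenyState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    $before = Get-RdpDenyState
    if ($before.PolicyManaged) {
        Write-Warning "A policy value ($($before.PolicyValue)) is set; fix the GPO, or the local edit will not hold."
    }
    if ($Value -eq 0 -and -not $before.NlaRequired) {
        Write-Warning 'Enabling inbound RDP while Network Level Authentication is not required.'
    }
    if ($PSCmdlet.ShouldProcess("$TsKey\fDenyTSConnections", "Set to $Value")) {
        Set-ItemProperty -LiteralPath $TsKey -Name 'fDenyTSConnections' -Value $Value -Type DWord
    }
    Get-RdpDenyState
}

# Read-only report; changing the value needs an elevated session:
#   Set-RdpDenyState -Value 0 -WhatIf
Get-RdpDenyState | Format-List
```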


Automating Software Installs for Imaged Computers

Posted in PowerShell

Today we’ll look at automating software installs for imaged computers, all while saving yourself some storage space and more importantly…time.

Before you get started here, you’ll want to have an Active Directory security group and OU for imaged machines set.

Automating Software Installs for Imaged Computers

PowerShell Code

The PowerShell code is really pretty straightforward. It looks to the OU you created where machines will be dropped after they are added to Active Directory by the imaging process. You can set the frequency to whatever fits best with your environment.

New additions to this OU will be assigned to the security group you create, and once they are deployed and moved out of the Imaging OU and into the OU where they will serve their life sentence, the script removes them from the security group. This all syncs up with the dynamic collection you will create in PDQ Inventory!

It’s pretty slick in that once you have an image created, and machines in the OU, the PowerShell script works with PDQ Deploy and PDQ Inventory to deploy your baseline applications to the machines. The script will also generate email notifications, alerting you to any changes that it has made to the security group.

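#The user-defined variables section that precedes this banner ($search, $members, $securitygroup and the mail settings used at the end) is not shown on this page.
#Get-ADGroupMember and the *-ADPrincipalGroupMembership cmdlets come from the ActiveDirectory module.
Import-Module ActiveDirectory

#######################################################
# END USER DEFINED VARS #
#######################################################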

#Array for computers that will be removed
$removed = @()
#Array of hostnames stripped from $search
$sanitized = @()
#Array of hostnames stripped from $members
$memsanitized = @()


#########################################################
# CONTAINERS FOR CHANGED HOSTS #
#########################################################

#table for hosts added to the Baseline group
$addedtable = New-Object System.Data.DataTable "Added Hosts"
$addedcolumn = New-Object System.Data.DataColumn Name, ([string])
$addedtable.Columns.Add($addedcolumn)

#table for hosts removed from the baseline group
$removedtable = New-Object System.Data.DataTable "Removed Hosts"
$removedcolumn = New-Object System.Data.DataColumn Name, ([string])
$removedtable.Columns.Add($removedcolumn)


####################################
# ADD TO GROUP #
####################################
Foreach ($s in $search){

$sanitized += $s.SamAccountName

}

#If the host is not already in the group, add it.
Foreach ($san in $sanitized){

If (-not (Get-ADGroupMember "$securitygroup" | Where-Object { $_.SamAccountName -eq $san })){

 Add-ADPrincipalGroupMembership -Identity $san -MemberOf "$securitygroup" 

 #actually add data to added table.
 $addedrow = $addedtable.NewRow()
 $addedrow.Name = $san
 $addedtable.Rows.Add($addedrow)
 
 }
}

########################################
# REMOVE FROM GROUP #
########################################

#Trim group members down to a new array of just hostnames
Foreach ($mem in $members){

 $memsanitized += $mem.SamAccountName

}
 
#Compare the two arrays: any group member that is no longer in the imaging OU goes into $removed, so the group can be stripped from it.
Foreach ($ms in $memsanitized){

 If ($sanitized -notcontains $ms){

 $removed += $ms

 }

}

#If there is actually something in the $removed array, take action and remove that machine from the group.
If ($removed.Count -ge 1) {

 Foreach ($rem in $removed){

 Remove-ADPrincipalGroupMembership -Identity $rem -MemberOf "$securitygroup" -Confirm:$False

 #add data to removed table
 $removedrow = $removedtable.NewRow()
 $removedrow.Name = $rem
 $removedtable.Rows.Add($removedrow)
  }
}

#Counts on the datatables to determine if email will be sent.
$acount = $addedtable.Rows.Count
$rcount = $removedtable.Rows.Count

#Only build the report when at least one host was added or removed.
If ($acount -gt 0 -or $rcount -gt 0) {

###########################################################
# CONVERSION TO HTML TABLE FOR EMAIL #
###########################################################

#This builds the table for machines added to TUSC Baseline
$ahtml = "<br><table><tr><td>Hostnames Added to TUSC Baseline</td></tr><br>"
foreach ($arow in $addedtable.Rows){
 $ahtml += "<tr><td>" + $arow.Name + "</td></tr>"
}

$ahtml += "</table> <br>"

#This builds the table for machines removed from TUSC Baseline
$rhtml = "<br><table><tr><td>Hostnames Removed from TUSC Baseline</td></tr><br><br>"
foreach($rrow in $removedtable.Rows) {

$rhtml += "<tr><td>" + $rrow.Name + "</td></tr>"
}
$rhtml += "</table>"

########################################################
# SEND EMAIL REPORT #
########################################################
#Send the message
#Send-MailMessage -SmtpServer $smtpserver -From $from -to $to -Subject $subject -Body $body -BodyAsHtml
}
$addedtable.Dispose()
$removedtable.Dispose()

Exit

Run this script as a scheduled task. I recommend setting up the scheduled task to run as a service account that has been delegated access to change group memberships in Active Directory.

Also, for the Start A Program line, the executable to use is the path to PowerShell (typically C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe), and in the Arguments field use:

-noprofile -ExecutionPolicy Bypass -File <path to .ps1 script>
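One way to register that task from PowerShell, added here as an example that is not part of the original post: because the task runs with delegated Active Directory rights and bypasses the execution policy, it first checks that only administrators can modify the script or its folder. The function names, task name, daily 02:00 trigger and the English-language account names in the allow list are assumptions to adapt.

```powershell
# Added example, not from the original post. Names and defaults are illustrative.
function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: English account names; adjust for localized systems.
        [string[]]$AllowedWriter = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    # Rights that let an identity change, replace or re-permission the item.
    $writeMask   = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
        # Inherit-only entries apply to children, not to this item itself.
        (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0 -and
        $AllowedWriter -notcontains $_.IdentityReference.Value
    }
}

function Register-GroupSyncTask {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][pscredential]$ServiceAccount,
        [string]$TaskName = 'Imaging OU group sync',
        [string]$At = '02:00'
    )
    # Anyone who can write the script (or swap it in its folder) inherits the
    # service account's delegated group-management rights.
    $loose = foreach ($target in @($ScriptPath, (Split-Path -Parent $ScriptPath))) {
        Get-UnexpectedWriter -Path $target | ForEach-Object {
            "${target}: $($_.IdentityReference) ($($_.FileSystemRights))"
        }
    }
    if ($loose) {
        throw "Refusing to register task; writable by non-administrators:`n$($loose -join "`n")"
    }

    $ps      = Join-Path $env:WINDIR 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $action  = New-ScheduledTaskAction -Execute $ps `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At $At

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $ServiceAccount.UserName `
        -Password $ServiceAccount.GetNetworkCredential().Password
}

# Usage (placeholder path; run elevated):
#   Register-GroupSyncTask -ScriptPath 'C:\Scripts\GroupSync.ps1' -ServiceAccount (Get-Credential)
```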

Setting Up Automated Software Deployments

Create a new dynamic collection in PDQ Inventory using the filters as shown below. Change the value to match the name of your security group in Active Directory.




Next in PDQ Deploy, you’ll create a new schedule. (Either select Deploy > New Schedule or go to File > New Schedule.) Set the trigger to Heartbeat (requires a Pro or higher license).  Under the Targets tab, select Link to and select the PDQ Inventory collection you created in the last step. Click OK.


 

Now that you have your schedule saved, you may attach packages to it for deployment. When the Heartbeat trigger detects a new machine in the PDQ Inventory Collection you have linked to, these packages will be deployed to those target machines.

 


 

That’s all there is to it! Now when you image a machine, and it goes into the OU, PowerShell will add it to the appropriate groups, PDQ Inventory will add it to your collection, and PDQ Deploy will push your selected applications to it. When you move the machine out of your Imaging OU, the PowerShell script will detect the change and remove that machine from the Security group, which will update your Dynamic Collection.




Setting Up DFS on Windows Server 2012 R2

Posted in Uncategorized

Let’s walk through setting up DFS on Windows Server 2012 R2. If reading is not your thing, there is a video tutorial down below that goes through these same steps. The following steps assume that you already have both of your servers set up. You’ll just be setting up roles and replication.

Setting Up DFS on Windows Server 2012 R2

Let’s start with your first server:

  1. Open Site Manager, Manage > Add Roles and Features. This will open the Add Roles and Features wizard; click Next to start setup.
  2. Select role-based or feature-based installation.
  3. Select the server; in our example that will be SITE1.
  4. The next section will be Server Roles, under File and Storage Services. Check DFS Namespaces and DFS Replication, both on this (your main) server. When you go to check Namespaces there will be a pop-up that asks if you would like to add features. Click Add Features.
  5. Hit Next twice to confirm features. Then install.

Now you’re ready to go over and set up site two. Go through all the same steps as for site one, except for step four in Server Roles: you will only need to select DFS Replication (do select Add Features). You do not need to select DFS Namespaces.

Setting up Namespaces and Replication

Next steps in setting up DFS on Windows Server will be to set up your namespaces and replication. First you’ll set up Namespaces. Namespaces are how you are going to call your shared file area you are replicating.

Go to DFS Management. Once DFS Management is up, right click on Namespaces in the left panel and click New Namespace.


Enter the name of the server (in our example that’s site1). Click next, then give your namespace a name (our example will use LMFAO). You’ll be given the option to select a Domain-based or Stand-alone namespace. For our example we’ll do a domain-based namespace (which is much easier, so I heartily recommend it).


Lastly you will be shown a summary; click create to finish making your new namespace.

Setting up Replication

  1. Back at your home window in DFS Management you’ll now right click on new replication group.
  2. Select the Multipurpose replication group option.
  3. You’ll name your replication group in the next window (our example will use the name REPO). After that, you will add both of your servers.
  4. Once added, in the next window select Full mesh. This will ensure that anything on the first server will be on the other server and vice versa.
  5. Next, you’ll set the bandwidth. Here you’ll need to consider your network traffic and set it accordingly.
  6. Select primary server and then add a local path of a folder to replicate. Be sure to select Permissions > Custom Permissions to add groups or users and give permissions as appropriate.
  7. Once you have made all those changes and hit next, you’ll double click on the servers listed to enable them for replicating. Click enable and specify the path you want to synchronize with.

That’s it, the next window will provide you with a summary of your selections. If all looks good to you, click create.

 

In your DFS Management Console, double click on your replication folder and go to the Replicated Folder tab. You’ll notice that the publication status is Not Published. Right click on that and select Share and Publish in Namespace.


Click next until you get to the Namespace path. Browse to the parent folder and name the folder. A preview of the namespace path is listed.


Again, after clicking next you’ll see a summary and can click Share. That’s it! Congrats, you’ve successfully finished setting up DFS on Windows Server 2012 R2.

 


What’s New in PDQ Inventory 9

Posted in PDQ Inventory

Time to upgrade to the new PDQ Inventory 9. Yes, there are new features. Read on to see what’s new in this version. If your PDQ Inventory license is current, you can get these upgrades at no extra charge. Learn more about our licensing.

What’s New in PDQ Inventory 9

Network Discovery

Add computers to PDQ Inventory with the network discovery tool. This handy new feature will scan supplied IP ranges and add the discovered devices to your PDQ Inventory database. This feature does require a current PDQ Inventory license of Pro or higher. Simply go to Add Computers > Network Discovery.


 

This will bring up the Network Discovery window that will allow you to specify a Subnet or IP addresses or IP address ranges to find computers. Click Start Discovery to begin adding computers and devices to PDQ Inventory, which will open the Network Discovery Status window to allow you to see the progress.


 

Automatic Backups

Now your PDQ Inventory database is automatically backed up. These settings can be found under File > Preferences > Database. The image below shows the default setting for backups. Change them up as you see fit to what best suits you. You also have the option to run a back up at any time by clicking Backup Now. These backups do count against your set number of backups kept, and the oldest backup will be deleted to maintain the number of backups as set. Pro or Enterprise mode required.


Feature Improvements

Registry Scanner Improvements

PDQ Inventory 9 introduces wildcards for use in creating registry scanners (these are similar to the changes introduced in the File Scanner back in version 8). Registry scanners are a Pro or higher feature. Add a registry scanner in File > Preferences > Scan Profiles. Click New and in the Scan Profile: New Scan Profile window, select Add > Registry. Available wildcards are listed for your reference. For example the Registry scanner below scans all subkeys and values under HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientState. The data collected can be used to determine if the 32 or 64-bit version of Chrome is installed.


Edit IP Address

In PDQ Inventory 8 the ability to add non-Windows devices was added to help you better keep track of various devices that cannot be scanned like your Windows computers. In this new release, you can now add or edit the IP address listed for these devices. To edit fields for these items (that have Allow Scan disabled), simply double click on the device listed in the PDQ Inventory console. Fields that are white can be edited.


Adding Product Keys

Save product key information in PDQ Inventory. Double-click on a computer and select Product Keys from the left pane to enter in keys.




Real World Applied PowerShell

Posted in Uncategorized

Webcast: Real World Applied PowerShell

If you missed this week’s live webcast, well, you’re in luck! We have a recording available as well as some of the scripts used in this webcast for your copy+paste pleasure.

Clearing Event Logs

# This will clear the named logs (here, Application and System)
Clear-EventLog -Log Application, System 
# This will clear all the logs
Get-EventLog -List | Foreach-Object {Clear-EventLog -Log $_.Log}

Note: The Get-EventLog cmdlet only grabs the classic Event Log logs. If you need to view all the windows logs, including the more modern logs in modern OSes, you may wish to use the Get-WinEvent cmdlet.
To see the difference, compare:

Get-EventLog -List

with

Get-WinEvent -ListLog *
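Clearing a log discards its records, so the following added example (not one of the webcast scripts) exports each log to an .evtx archive, hashes the archive, and only then clears the log; it also lists the events Windows writes when a log is cleared (1102 in Security, 104 in System). The function names and the C:\LogArchive folder are assumptions.

```powershell
# Added example, not from the webcast. Function names and C:\LogArchive are illustrative.
function Backup-AndClearEventLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$LogName,
        [Parameter(Mandatory)][string]$ArchiveDir
    )
    if (-not (Test-Path -LiteralPath $ArchiveDir)) {
        New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($name in $LogName) {
        # Get-WinEvent resolves classic and modern logs alike; stops on an unknown name.
        $info = Get-WinEvent -ListLog $name -ErrorAction Stop
        $safe = $name -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path $ArchiveDir "$env:COMPUTERNAME-$safe-$stamp.evtx"

        if (-not $PSCmdlet.ShouldProcess($name, "export to $file, then clear")) { continue }

        # Export first; the log is only cleared once the archive exists on disk.
        & wevtutil.exe epl $name $file
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file)) {
            throw "Export of '$name' failed (exit code $LASTEXITCODE); log left untouched."
        }
        & wevtutil.exe cl $name
        if ($LASTEXITCODE -ne 0) {
            throw "Clearing '$name' failed (exit code $LASTEXITCODE); archive kept at $file."
        }

        [pscustomobject]@{
            Log             = $name
            RecordsArchived = $info.RecordCount
            Archive         = $file
            SHA256          = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
}

function Get-LogClearedEvent {
    param([int]$MaxEvents = 20)
    # 1102 (Security) and 104 (System) record that a log was cleared and by which account.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104  } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# Dry run: shows what would be exported and cleared without touching the logs.
Backup-AndClearEventLog -LogName Application, System -ArchiveDir 'C:\LogArchive' -WhatIf
```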

DISM

Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient

 

In this video…

PowerShell improvements – 1:46
Package Library installing PowerShell 5 – 2:42
Is it worth upgrading all my clients to Win 10 for PS5? – 4:51
Common tasks for administrators / Batch vs PowerShell – 6:13
Clearing event logs using cmd – 7:02
Clearing event logs using PowerShell – 8:09
Can I upgrade from PS2 to PS5 in Win7, or do I need to install PS3 then PS4, then PS5? – 10:26
Making PowerShell scripts silent with PDQ Deploy – 13:08
Enabling and disabling Windows features using DISM – 16:34
Enabling and disabling Windows features using PowerShell – 17:20
Should I use PowerShell to set (not force) a users default ‘open with’ program, or would a group policy be better? – 23:35
PS5 (Win 10) has an Execution Policy Change that prevents security risks from running scripts. How do you bypass this without having to press [A] – yes to all? – 25:06