Real World Applied PowerShell

Posted in Uncategorized

If you missed this week’s live webcast, well, you’re in luck! We have a recording available as well as some of the scripts used in this webcast for your copy+paste pleasure.

Clearing Event Logs

# This will clear the named logs (here, Application and System)
Clear-EventLog -LogName Application, System
# This will clear all the classic logs
Get-EventLog -List | ForEach-Object {Clear-EventLog -LogName $_.Log}

Note: The Get-EventLog cmdlet only returns the classic event logs. If you need to view all the Windows logs, including the newer logs in modern OSes, you may wish to use the Get-WinEvent cmdlet.
To see the difference, compare:

Get-EventLog -List

with

Get-WinEvent -ListLog *
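
Clearing a log discards audit history, and the clear itself is recorded (event 1102 in Security, event 104 in System). The following is an added example, not one of the webcast scripts: it exports each log to an .evtx file with wevtutil before clearing it and lists the clear events afterwards. The function names and the C:\LogArchive default are assumptions.

```powershell
# Added example: archive event logs to .evtx before clearing them.
# Function names and the C:\LogArchive default are assumptions, not webcast code.

function Backup-AndClearEventLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Names as listed by Get-WinEvent -ListLog * (classic and modern logs)
        [Parameter(Mandatory = $true)]
        [string[]]$LogName,

        # Assumed archive root; point it at a folder only admins can write to
        [string]$ArchiveRoot = 'C:\LogArchive'
    )

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $folder = Join-Path (Join-Path $ArchiveRoot $env:COMPUTERNAME) $stamp

    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "Log '$name' not found; skipped"
            continue
        }
        # -WhatIf stops here, before anything is written or cleared
        if (-not $PSCmdlet.ShouldProcess($name, 'Export to .evtx, then clear')) {
            continue
        }
        if (-not (Test-Path $folder)) {
            New-Item -ItemType Directory -Path $folder -Force | Out-Null
        }

        # Modern log names contain '/', which is not valid in a file name
        $file = Join-Path $folder (($name -replace '[\\/:*?"<>|]', '_') + '.evtx')

        # wevtutil epl = export-log: writes a full copy of the log
        & wevtutil.exe epl $name $file
        $exported = ($LASTEXITCODE -eq 0) -and (Test-Path $file)

        $cleared = $false
        if ($exported) {
            # wevtutil cl = clear-log; works for classic and modern logs
            & wevtutil.exe cl $name
            $cleared = ($LASTEXITCODE -eq 0)
        } else {
            Write-Warning "Export of '$name' failed; log left untouched"
        }

        New-Object PSObject -Property @{
            LogName  = $name
            Archive  = $(if ($exported) { $file } else { $null })
            Exported = $exported
            Cleared  = $cleared
        }
    }
}

# Clearing a log leaves its own record: event 1102 in Security (audit log
# cleared) and event 104 in System (any other log cleared).
function Get-LogClearEvent {
    $filters = @(
        @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102 },
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 }
    )
    Get-WinEvent -FilterHashtable $filters -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, Message
}

# Usage (elevated prompt):
#   Backup-AndClearEventLog -LogName Application, System -WhatIf
#   Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 } |
#       ForEach-Object { Backup-AndClearEventLog -LogName $_.LogName }
#   Get-LogClearEvent
```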

DISM

Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient

 

In this video…

PowerShell improvements – 1:46
Package Library installing PowerShell 5 – 2:42
Is it worth upgrading all my clients to Win 10 for PS5? – 4:51
Common tasks for administrators / Batch vs PowerShell – 6:13
Clearing event logs using cmd – 7:02
Clearing event logs using PowerShell – 8:09
Can I upgrade from PS2 to PS5 in Win7, or do I need to install PS3 then PS4, then PS5? – 10:26
Making PowerShell scripts silent with PDQ Deploy – 13:08
Enabling and disabling Windows features using DISM – 16:34
Enabling and disabling Windows features using PowerShell – 17:20
Should I use PowerShell to set (not force) a users default ‘open with’ program, or would a group policy be better? – 23:35
PS5 (Win 10) has an Execution Policy Change that prevents security risks from running scripts. How do you bypass this without having to press [A] – yes to all? – 25:06


Disable Windows 10 Upgrade Notice On All Computers

Posted in Deployment Examples, PDQ Deploy

Microsoft has really gone all-in when it comes to alerting (some would say “annoying”) their Windows 7 and 8.1 users about upgrading to Windows 10. As a sys admin, you probably want to disable the Windows 10 upgrade notice on all of your computers. (Note: These notifications do not occur in the Enterprise and Embedded editions of 7 and 8.1.)

There are several methods for preventing either an OS upgrade or the notifications but, as usual, let’s focus on how to disable these silently across many computers in your organization.

Disable Windows 10 Upgrade Notice

Option I – Import the pre-built package from the Package Library

If you use PDQ Deploy and you have access to the Package Library you can import the package called Disable Windows 10 (GWX) Notification.

After importing you can simply deploy this package to your existing Windows 7 and 8.1 computers. If you use PDQ Inventory you can select the appropriate collections for these OSes as your targets. This will help you avoid deploying this unnecessarily to non-7/8.1 targets.

The package in the Package Library already has the OS conditions set to only use Windows 7 and 8.1.



Option II – Build your own PDQ Deploy package

I am going to use a batch file so that this can accommodate the users of the Free version of PDQ Deploy. In the Pro and Enterprise versions you could simply use Command steps.

  1. Create a batch file using an appropriate editor such as Notepad or Notepad++. Enter the following four lines into your new batch file.
    @ECHO OFF
    %SYSTEMROOT%\System32\taskkill.exe /f /im GWX.exe /im GWXUX.exe
    
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v DisableGwx /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableOSUpgrade /t REG_DWORD /d 1 /f
  2. Save your new batch file. In this example I am calling the file DisableGWX.bat and placing it in a new folder on my C:\ drive called Deploy.
  3. In PDQ Deploy create a new package and name it appropriately (or inappropriately, I don’t care).
  4. Add your batch file to the Install File field. In this example you don’t really need to modify the Success Codes field. Just a note, if you are using Command Steps and you are separating the Taskkill line into a separate command then make sure to use the following Success Codes: 0,128
  5. If you are using the Pro or Enterprise version of PDQ Deploy go to the Conditions tab and deselect all the O/S Versions except Windows 7 and Windows 8.1.
  6. Save and close your new PDQ package.
  7. Click the Deploy button and deploy this to a few test computers. If you have a computer near-to-hand that has the Get Windows 10 (GWX) icon in the systray then you will be able to get pretty fast feedback as to whether or not this deployment works. The batch file will simply kill the gwx.exe and gwxux.exe processes (if they are running) and then add some registry values which will prevent further notifications and/or upgrades.

Optionally, you could uninstall the offending patch (KB3035583) that placed GWX on the system but, depending on how your Windows updates get delivered, it could get reinstalled. By making the registry changes listed above you should be covered.

I won’t go into deleting the Task Schedules created by the KB3035583 patch because the registry settings above effectively neuter these tasks.
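
To confirm on a target that the batch file did its job, the check below reads back the two policy values and looks for the GWX processes. It is an added example, not part of the original package; Test-GwxBlocked is a hypothetical name, and the registry paths and value names are the ones from the batch file above.

```powershell
# Added example: confirm on a target that the DisableGWX.bat settings took effect.
# Test-GwxBlocked is a hypothetical name; paths and values are those in the batch file.

function Test-GwxBlocked {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $expected = @(
        @{ Key = "$policy\Gwx";           Value = 'DisableGwx' },
        @{ Key = "$policy\WindowsUpdate"; Value = 'DisableOSUpgrade' }
    )

    $report = @{ ComputerName = $env:COMPUTERNAME }
    foreach ($e in $expected) {
        # A missing key or value is reported as $null rather than throwing
        $item = Get-ItemProperty -Path $e.Key -Name $e.Value -ErrorAction SilentlyContinue
        $report[$e.Value] = $(if ($item) { $item.($e.Value) } else { $null })
    }

    # taskkill in the batch file stops these; they should not have come back
    $procs = @(Get-Process -Name GWX, GWXUX -ErrorAction SilentlyContinue)
    $report.GwxProcesses = $procs.Count

    # The update that installs GWX; informational only, since the policy
    # values are what suppress the notice
    $report.KB3035583Installed = [bool](Get-HotFix -Id KB3035583 -ErrorAction SilentlyContinue)

    $report.Compliant = ($report.DisableGwx -eq 1) -and
                        ($report.DisableOSUpgrade -eq 1) -and
                        ($procs.Count -eq 0)

    New-Object PSObject -Property $report |
        Select-Object ComputerName, DisableGwx, DisableOSUpgrade,
                      GwxProcesses, KB3035583Installed, Compliant
}

# Usage: run on the target, for example as a later step in the same package
#   $r = Test-GwxBlocked; $r
#   if (-not $r.Compliant) { exit 1 }   # non-zero exit code for the deployment tool to act on
```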



Option III – Group Policy

You can also use Group Policy to disable the Windows 10 upgrade notice as well as upgrades. You can see how to do this (as well as get some other useful information) by visiting this Microsoft KB article.

 

 


Silently Install Adobe Creative Cloud

Posted in Deployment Examples, PDQ Deploy

You’ve got some users that need access to Adobe Photoshop or Dreamweaver perhaps…that’s where deploying Adobe Creative Cloud comes in. This post will have two parts. First you will make configurations using the Creative Cloud Packager, then you will create a deployment package to silently install Adobe Creative Cloud.

Note: These steps will ONLY work for Team, Enterprise, or Education plans of Creative Cloud, NOT individual.

Making Configurations with the Creative Cloud Packager

You’ll need to have administrator access to the Creative Cloud account. Log in at Adobe.com and select Manage team. From there you will be able to download the Creative Cloud Packager under Deployment Tools > Download Win.

This will download the CCPLauncher.exe. Launch the executable and log in, then you will be able to select Create Package.

Now you’ll need to give the package a name, a location where the package should be saved, architecture (32 or 64-bit), and the license type. License type will vary from plan to plan. Named License is available for the Teams plan. Serial Number License is available for the Enterprise plan, and Device License is available for the education plan. You should only see the license(s) applicable to your account.

In Package configurations, de-select the Applications & Updates via the Apps Panel options if the users are not also local administrators. This will keep your users from getting update notifications or otherwise being prompted to install updates. 

Next, select the applications and/or updates you wish to build into your installer.

That’s it! Click build and the Creative Cloud Packager will create a directory containing your MSI installer.

Silently Install Adobe Creative Cloud Package

For these next steps you’ll need to have PDQ Deploy downloaded. The free version works great for deploying to either 32-bit or 64-bit architectures. However, if you want a single deployment package that deploys both the 64-bit installer and the 32-bit installer to their respective target computers, you’ll want a two-step package that lets you specify the architecture each step is deployed to.

For our example we will create a two-step package to silently install the Adobe Creative Cloud package on both architecture types.



  1. In PDQ Deploy click New Package or select File > New Package
  2. Name the Package and make sure you have your copy mode set to pull. Pull is recommended due to the size of this installation. Using the pull copy mode also requires that you place the Repository on an accessible file share. (Learn more about Push vs. Pull Deployments.)
  3. Click on Step 1 and give the step a title. For the Install File, navigate to the directory where you downloaded the Creative Cloud 32-bit installer. Make sure you select Include Entire Directory. If left unchecked your deployment WILL FAIL as you will be missing important pieces required for the installation.
  4. Click on the Conditions tab and select the O/S Version. Since Adobe Creative Cloud products will only run on Windows 7 and above, exclude XP and Vista. Exclude servers unless required.

    Select the appropriate architecture. Since this step is installing the 32-bit Creative Cloud applications, select 32-bit from Architecture.

  5. If you have PDQ Deploy Pro or Enterprise mode and need to deploy another architecture type, add a new Install step. Repeat steps 1-4 with the new install file. If you are using the free version of PDQ Deploy or only need to deploy to one architecture type you’re ready to save and silently install Adobe Creative Cloud.

After you save the package you will find it in the Packages folder in the left side tree. Highlight the package, and click Deploy > Deploy Once in the right corner of the console.



IMPORTANT: While we make every effort to test on multiple platforms and architectures, it is highly recommended you test the deployment before a general release into production. Given the possibility of the package being substantially sized, testing will provide important information on bandwidth limitations and deployment times. In our tests, a single instance of Photoshop took anywhere from 15 – 20 minutes to deploy.

Troubleshooting Deployment Issues

If the package deployment fails and/or you receive a 1603 error, please try the following.

  • Machines should be fully patched and not in need of a reboot.
  • Check to ensure sufficient space is available on the drive where Adobe CC will be installed. Some Creative Cloud deployments can be several gigabytes in size, which includes the files copied to the target and the installed size.
  • Clear out %WINDIR%\Temp directory.
  • Review the troubleshooting steps in this article: http://support.adminarsenal.com/entries/448443

This post was adapted from a Knowledge Base article available at support.adminarsenal.com


New in PDQ Deploy 9

Posted in PDQ Deploy

PDQ Deploy 9 is now available! You can upgrade to PDQ Deploy 9 by clicking the link in the status bar at the bottom of your console. Once you’re up-to-date, you’ll probably like to know what new features you’ll see! Well, you’ve come to the right place, read on…

What’s New in PDQ Deploy 9

PowerShell Step

Include PowerShell cmdlets as a package step in your deployments. You can still include PowerShell scripts in an Install Step as a ps1 file, but with a PowerShell step you can enter your cmdlet(s) without having a separate script. Either type or paste your script into the text box or add a ps1 file by clicking Insert PowerShell Script at the bottom of the text area. You’re ready to save and deploy! As with other steps such as the reboot or message, you can also add the PowerShell step before and after Auto Deployments.

Why PowerShell? PowerShell is a sys admin’s best friend. Get acquainted with PowerShell with these tutorials on some handy scripts that will make your job that much easier. PowerShell helps you with tasks such as setting static and DHCP IP addresses and getting screenshots.

The PowerShell step is available in Pro and Enterprise levels of PDQ Deploy.

Automatic Database Backup

Below are the default settings for backing up your PDQ Deploy database. These settings can be found under File > Preferences > Database. Change them to whatever best suits you. You also have the option to run a backup at any time by clicking Backup Now. These backups do count against your set number of backups kept, and the oldest backup will be deleted to maintain the number of backups as set.

Clean Up Repository

Repository getting a bit full? Now you’re just a click away from clearing out those unused repository files with your PDQ Deploy Pro or Enterprise mode license. This option can be found under File > Preferences > Repository.

This only clears out unused files associated with a package. Clicking the See Unused Files button opens a new window that will show the files that will be removed if you were to click delete.



Join a free LIVE webcast this Thursday, May 5th, 2016 at 9 AM PDT/12 PM EDT for in depth tutorials and explanations on these features. We will be taking questions LIVE during the webcast as well, see you there! 


Keeping .NET Dependent Applications Up-to-Date

Posted in PDQ Inventory

Some applications have requirements for a certain version of .NET to be installed. In a case like this, not only do you need to make sure that you have the correct version of the application you want to install, but you also need to make sure you have the correct version of .NET. An example of this is Paint.NET.

Updating Paint.NET

Paint.NET is a free (and quite handy) image editing tool. It is a fairly popular download from the PDQ Deploy Package Library. Tracking machines that have out-of-date versions of this application is fairly easy; however, there is one gotcha when you want to get the latest version out to some of these computers.

The issue is that the latest (as of this writing) versions of Paint.NET require that Microsoft .NET 4.6 or later is installed. If you attempt to deploy Paint.NET 4.09 to a computer that doesn’t have the correct .NET runtime you will get a 1603 error. This is why you will want to have two collections (if you use PDQ Inventory) to track old Paint.NET versions.



Getting Organized with Collections

The image below shows the Paint.NET collections in PDQ Inventory. These collections are available in the Collection Library, so you won’t need to build them yourself if you have PDQ Inventory in Enterprise mode. Notice how there is an extra “Old” collection titled “Paint.NET(Old – Require Microsoft .NET 4.6 or higher)”.

[Image: Paint.NET collections]

Below are two images showing the Old collections. The first shows machines that have an old Paint.NET and have the appropriate .NET runtime. The second shows machines that have an old Paint.NET and also have an old .NET runtime. These computers will need to have Microsoft .NET 4.6 (or higher) deployed to them. Yes, this package is also available in the Package Library.

[Image: Paint.NET Old with correct .NET]

[Image: Paint.NET Old with old .NET]

Creating custom collections like these is sometimes necessary when you have applications that must meet certain prerequisites before being upgraded.

It is very important to remember something when checking prerequisites. Usually you need to perform some extra magic with your collection filters when you are looking for machines that are missing certain applications. Tracking .NET versions is different than looking for old versions of software. PDQ Inventory places all detected versions of .NET in a single row with each version delimited by a comma. This is why we could use a simple filter of .NET Versions “Does Not Contain” 4.6.

Let’s say you have an application that requires a target computer to have the Microsoft Visual C++ 2015 runtime. To find computers that don’t have this runtime and also have an old version of your app would require filters that look something like the image below. Notice the Group Filter that is set to Not Any.

[Image: Requires Visual C++ runtime]



 

 


Resolving Java Errors

Posted in Deployment Examples, PDQ Deploy

Death, taxes, and a new Java update…all inevitable. The worst of it is silently installing Java doesn’t always go smoothly. Let’s go over some of the most frequently seen Java errors and how you can get them resolved and on to the rest of your day.

Most Common Java Errors

1603 Error

The Java 1603 error is a common error, mostly because the error code encompasses so many possibilities. Basically, a 1603 error just tells you “Whoops! That didn’t work.” Not very helpful, is it? Possible issues range from a previous Java installation still running to issues with the installation file itself. Troubleshooting this error can seem impossible.

  1. Deploy the Java 8 Package. If you tried doing a silent install of Java without success, try out the Package Library. The Java 8 package is ready-to-deploy and has been deployed successfully by thousands of sys admins.
  2. Try the Java 8 – ALTERNATE Package. If the first package didn’t work, you may have some prior Java installation remnants impeding your install. The Java 8 – ALTERNATE package is a heavy-hitting deployment. Only deploy this to computers that the first deployment failed on. This package deletes keys found in the registry, and as always, if you can avoid touching the registry, do. That said, this deployment is very effective when you do encounter errors with a typical Java deployment.

If you’re using Symantec Endpoint Protection in your environment, you might get a 1603 error if you run as the deploy user account. Change your deployments to run as the local system and your install should be successful. You can change the run as setting under the options tab for any step in your deployment.



1618 Error

1618 is another relatively common error code, but is not unique to Java deployments. The 1618 error code occurs with MSI installation files. The Microsoft Installer can only process one installation at a time, and if you’re seeing a 1618 error this means that another MSI file was being installed when you attempted to deploy your Java MSI file.

This error is pretty easy to solve…just wait. Let the installation in progress finish up. If you want to make sure all the installation processes are finished before attempting another deployment, you could reboot that computer.

You could also go in and stop the installation; just be aware that killing an in-progress installation could leave you with a corrupted installation. With that in mind, use the following command to terminate msiexec.exe.

taskkill.exe /f /im msiexec.exe

This is included in a command step in the Java ALTERNATE package.
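
The "just wait" option can be scripted. The added example below, which is not part of the Java packages, polls the Global\_MSIExecute mutex that Windows Installer holds while an installation is executing and returns once it is free, so a deployment can wait instead of killing msiexec.exe. The function names and timeout defaults are assumptions.

```powershell
# Added example: wait for Windows Installer to be idle instead of killing msiexec.exe.
# Function names and timeout defaults are assumptions for illustration.

function Test-MsiIdle {
    # Windows Installer holds this named mutex while an installation is executing
    $mutexName = 'Global\_MSIExecute'
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($mutexName)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $true     # mutex does not exist: no installation is running
    } catch [System.UnauthorizedAccessException] {
        return $false    # mutex exists but cannot be opened: treat as busy
    }

    try {
        # Zero timeout: succeeds only if nobody currently owns the mutex
        $acquired = $mutex.WaitOne(0, $false)
        if ($acquired) { $mutex.ReleaseMutex() }
        return $acquired
    } catch [System.Threading.AbandonedMutexException] {
        # Previous owner exited without releasing; we now own it, so release it
        $mutex.ReleaseMutex()
        return $true
    } finally {
        $mutex.Close()
    }
}

function Wait-MsiIdle {
    param(
        [int]$TimeoutSeconds = 600,   # give up after this long
        [int]$PollSeconds    = 10     # delay between checks
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (-not (Test-MsiIdle)) {
        if ((Get-Date) -ge $deadline) { return $false }
        Start-Sleep -Seconds $PollSeconds
    }
    return $true
}

# Usage before an MSI step:
#   if (-not (Wait-MsiIdle -TimeoutSeconds 900)) { exit 1618 }
```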

I Just Checked My Browser…it Doesn’t Have My New Java Installation!

You’ve just deployed the latest Java, the installation went smoothly. How exciting! But wait…you remote in to one of the computers you deployed to and checked if this new Java was being used and it still shows an old version of Java! What’s up with that?!

Likely, the wrong Java for that browser has been deployed. Most browsers are 32-bit, so you would want to deploy a 32-bit Java. Deploy 64-bit Java and your 32-bit browser won’t use it. Easy fix, just deploy the appropriate version of Java for your browsers and you’ll be good to go.

Modifying Your Java Installation

I want to configure the Java control panel and/or modify the exception site list

Awesome. Check out a full blog post on how to do that here.

I’d like to use a previous version of Java

If you have an Enterprise license of PDQ Deploy, you can access most past versions of any package. Select a package and you’ll notice in the right corner a list of past versions of Java ready to be imported for you to deploy. If you don’t have an Enterprise level license, you can still create your own package by first getting your install file from Oracle. You can then build your own deployment package in your free download of PDQ Deploy. (See step-by-step how to build your own deployment package here.)




QuickTime Zero Day Vulnerability

Posted in Deployment Examples, PDQ Deploy

There are two major zero day vulnerabilities for QuickTime for Windows…and the fix? Uninstall it. According to Trend Micro, Apple has indicated they will not fix these as QuickTime for Windows will no longer be receiving updates. It is recommended that QuickTime is uninstalled as quickly as possible. (Read more here.)

Uninstalling QuickTime

Package Library users will notice that all QuickTime packages have been removed. No sense in deploying a highly vulnerable application, right?

There is the Uninstall QuickTime package available to those with Enterprise level access to the Package Library. Free trials of PDQ Deploy Enterprise are available and include the ability to import up to THREE packages free during the 14 day trial. This deployment runs silently and will not interrupt any of your users while it is being deployed.




Copying Files to All User Profiles with PowerShell

Posted in PowerShell

Copying files to all of the user profiles is a snap with PowerShell.

It’s one of the more common questions that I’m asked, so I thought I’d get a blog post written about it so that people have something to reference.

Copying Files to All User Profiles

If you have ever used a computer, then you probably already know how to copy files. Copying files with PowerShell, however, makes things a great deal more interesting and fun.

Here are a few quick examples. They will copy single files or entire folder structures.


How to Pass PCI Compliance Audits

Posted in PDQ Inventory

Let’s dive in and look at some reports you can use to help you pass PCI Compliance audits.

Pass PCI Compliance Audits: The Reports You Might Find Useful

Check if Software is Up-to-Date

An important part of PCI audits is checking that software is up-to-date, particularly those applications that are notorious for vulnerabilities and exploits. A few key applications that PCI Compliance auditors would look for are IE, Flash, and Java. Save yourself some work in the long run by having a report all ready to go.

You can follow these same steps for any application; for this example let’s use Flash. In the following steps, PDQ Inventory Enterprise mode is used to create reports, although you can accomplish the same results using the free download of PDQ Inventory. You’ll just have to create a new report and set up the filters yourself. (Click here to learn more about filters; note that filters for collections and reports are essentially used the same way.)



In the Collection Library, select Flash IE (Old) and then select from the New Report drop down the “From Collection” option. This will automatically create a report using the same filters and information that created the collection. You can do this with any collection, not just the ones in the Collection Library. But since the Collection Library filters are already set up and ready to go you may as well take advantage of that.

With a newly created report you’ll be able to print or export the needed information for the auditor or other curious eyes.

Staying Up-to-Date on Applications

If you want to make sure your report shows all your computers are up-to-date…set up some Auto Deployments. Flash, Java, and IE (and so much more) are all available to set up to automatically deploy when an out-of-date version is detected. Learn more about Auto Deployments here.

Point-of-Sale Machines

Point-of-Sale computers face far more scrutiny than other computers. You’ll want to have a report ready to show all software installed on those machines to pass PCI compliance audits. Here’s how you can build a report to show what is on your Windows POS machines.

First, create a collection with your POS computers. Create a static collection (click the static collection button in the toolbar up top) and select computers.

You can also create a dynamic collection based on criteria such as AD Group Membership or based on computers having a particular piece of POS software installed. Using a dynamic collection means that computers will be automatically added to the collection based on the criteria you set. This is a great way to maintain an up-to-date collection.

Then it’s time to run your report. Select your newly created Point-of-Sale collection and then go to Report > Run Report > Applications to run the applications report or right-click on the collection to access the same Run Report options.

 

Now you have a report of all POS computers and what applications are installed on them. Hit the Print Preview button to print (naturally) or to export this report as a PDF, csv, or many other file types.

While you’re at it…

While you’re building and running these reports you might want to consider adding a few more reports for your information.

  1. Hardware Assessment. Now is a good time to look over machines and see what computers might need upgrades this year. For example, you could create a report to tell you which machines have lower amounts of memory. Now you know what budget requests you might need to make or how to allocate your IT budget. Again, this is where the Collection Library comes in handy. In the left side tree you can navigate to Collection Library > Hardware > Disks.

    To create a report, with the collection of interest selected, go up to Report > Run Report > Memory Modules. You may want to adjust the value column to the amount of GB you’re interested in reporting on. Edit (with Pro or Enterprise level) the report by clicking Define Report.

  2. Software Counts. Another good thing to check is if your company is compliant with licensing agreements. Mark a date in your calendar annually to run the Application Count report (Report > Run Report > Application Count). Select the collection you want to report on or just do this for all computers, whatever makes sense in your environment.


April Fools Day Pranks for Sys Admins

Posted in PowerShell

As the all-powerful sys admin, you have access to fantastic tools to play pranks on your co-workers…namely their own PCs. Try out some of these pranks and watch the confusion on your co-workers’ faces.

April Fools Day Pranks for Sys Admins

The Talking Computer

Does your co-worker have his speakers on? Good. Send this PowerShell cmdlet to send a surprise verbal message. If you’ve got a particularly gullible co-worker, maybe you’ll even convince them someone is trapped inside their computer.

Add-Type -AssemblyName System.speech
$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer
$speak.Speak('Hello...')

Just substitute the Hello… with a phrase of your choice and you’re ready to deploy your .ps1 script. Read the full PowerShell blog by Kris to see how to add modifications such as slowing down or speeding up speech, and more.

Surprise Musical Number

If you’ve got a WAV file handy, it’s pretty simple to play some tunes on an unsuspecting co-worker’s machine. I hope they have their speakers turned up for this one!

(New-Object Media.SoundPlayer "C:\temp\Jack Johnson - Unfortunate Fool.wav").PlaySync()

See the full blog post to see options for using MP3 and other files, as well as how to get your .ps1 file deployed successfully.

 

Happy April Fools! Looking for more April Fools Day pranks for sys admins? Check out this thread at /r/sysadmin. Share your success stories in the comments. Have a prank you like to pull using your sys admin powers? We’d love to hear about it!