New in PDQ Deploy 9

Posted on Leave a commentPosted in PDQ Deploy

PowerShell stepPDQ Deploy 9 is now available! You can upgrade to PDQ Deploy 9 by clicking the link in the status bar at the bottom of your console. Once you’re up-to-date, you’ll probably like to know what new features you’ll see! Well, you’ve come to the right place, read on…

What’s New in PDQ Deploy 9

PowerShell Step

Include PowerShell cmdlets as a package step in your deployments. You can still include PowerShell scripts in an Install Step as a ps1 file, but with a PowerShell step you can enter your cmdlets(s) without having a separate script. Either type or paste your script in to the text box or add a ps1 file by clicking Insert PowerShell Script at the bottom of the text area. You’re ready to save and deploy! You can also add the PowerShell script step (as other steps such as the reboot or message) before and after Auto Deployments as well.

Why PowerShell? PowerShell is a sys admin’s best friend. Get acquainted with PowerShell with these tutorials on some handy scripts that will make your job that much easier. PowerShell helps you with tasks such as setting static and DHCP IP addresses and getting screenshots.

powershell step

The PowerShell step is available in Pro and Enterprise levels of PDQ Deploy.

Automatic Database Backup

Below are the default settings for backing up your PDQ Deploy database. These settings can be found under File > Preferences > Database. Change them up as you see fit to what best suits you. You also have the option to run a back up at any time by clicking Backup Now. These backups do count against your set number of backups kept, and the oldest backup will be deleted to maintain the number of backups as set.

database backups pdq deploy

Clean Up Repository

Repository getting a bit full? Now you’re just a click away from clearing out those unused repository files with your PDQ Deploy Pro or Enterprise mode license. This option can be found under File > Preferences > Repository.

This only clears out unused files associated with a package. Clicking the See Unused Files button opens a new window that will show the files that will be removed if you were to click delete.

clean PDQ Deploy Repository



Join a free LIVE webcast this Thursday, May 5th, 2016 at 9 AM PDT/12 PM EDT for in depth tutorials and explanations on these features. We will be taking questions LIVE during the webcast as well, see you there! 


Keeping .NET Dependent Applications Up-to-Date

Posted on Leave a commentPosted in PDQ Inventory

Some applications have requirements for a certain version of .NET to be installed. In a case like this, not only do you need to make sure that you have the correct version of the application you want to install, but you also need to make sure you have the correct version of .NET. An example of this is Paint.NET

Updating Paint.NET

Paint.NET is a free (and quite handy) image editing tool. It is a fairly popular download from the PDQ Deploy Package Library. Tracking machines that have out-of-date versions of this application is fairly easy; however, there is one gotcha when you want to get the latest version out to some of these computers.

The issue is that the latest (as of this writing) versions of Paint.NET require that Microsoft .NET 4.6 or later is installed. If you attempt to deploy Paint.NET 4.09 to a computer that doesn’t have the correct .NET runtime you will get a 1603 error. This is why you will want to have two collections (if you use PDQ Inventory) to track old Paint.NET versions.



Getting Organized with Collections

The image below shows the Paint.NET collections in PDQ Inventory. These collections are available in the Collection Library, so you won’t need to build them yourself if you have PDQ Inventory in Enterprise mode. Notice how there is an extra “Old” collection titled “Paint.NET(Old – Require Microsoft .NET 4.6 or higher)”.

Paint.net Collections

Below are two images showing the Old collections. The first shows machines that have an old Paint.NET and have the appropriate .NET runtime. The second shows machines with an old Paint.NET but also have an old .NET runtime. These computers will need to have Microsoft .NET 4.6 (or higher) deployed to them. Yes, this package is also available in the Package Library.

Paint.net Old with correct NET

Paint.net Old with old NET

Creating custom collections like these are sometimes necessary when you have applications that must meet certain prerequisites before being upgraded.

It is very important to remember something when checking prerequisites. Usually you need to perform some extra magic with your collection filters when you are looking for machines that are missing certain applications. Tracking .NET versions is different than looking for old versions of software. PDQ Inventory places all detected versions of .NET in a single row with each version delimited by a comma. This is why we could use a simple filter of .NET Versions “Does Not Contain” 4.6.

Let’s say you have an application that requires a target computer to have the Microsoft Visual C++ 2015 runtime. To find computers that don’t have this runtime and also have an old version of your app would require filters that looks something like the image below. Notice the Group Filter that is set to Not Any.

Requires VIsual C runtime



 

 


Resolving Java Errors

Posted on Leave a commentPosted in Deployment Examples, PDQ Deploy

zack v the machine

Death, taxes, and a new Java update…all inevitable. The worst of it is silently installing Java doesn’t always go smoothly. Let’s go over some of the most frequently seen Java errors and how you can get them resolved and on to the rest of your day.

Most Common Java Errors

1603 Error

The Java 1603 error is a common error, mostly because the error code encompasses so many possibilities. Basically, a 1603 error just tells you “Whoops! That didn’t work.” Not very helpful, is it? Possible issues range from a previous Java installation still running to issues with installation file itself. Troubleshooting this error can seem impossible.

  1. Deploy the Java 8 Package If you tried doing a silent install of Java without success, try out the Package Library. The Java 8 package is ready-to-deploy and has been deployed successfully by thousands of sys admins.
  2. Try the Java 8 – ALTERNATE Package If the first package didn’t work, you may have some prior Java installation remnants impeding your install. The Java 8 – ALTERNATE package is a heavy-hitting deployment. Only deploy this to computers that the first deployment failed on. This package deletes keys found in the registry, and as always, if you can avoid touching the registry, do. That said, this deployment is very effective when you do encounter errors with a typical Java deployment.

If you’re using Symantec End Point Protection in your environment, you might get a 1603 error if you run as the deploy user account. Change your deployments to run as the local system and your install should be successful. You can change the run as setting under the options tab for any step in your deployment.

change to local system



1618 Error

1618 is another relatively common error code, but is not unique unique to Java deployments. The 1618 error code occurs with MSI installation files. The Microsoft Installer can only process one installation at a time, and if you’re seeing a 1618 error this means that another MSI file was being installed when you attempted to deploy your Java MSI file.

This error is pretty easy to solve…just wait. Let the installation in progress finish up. If you want to make sure all the installation processes are finished before attempting another deployment, you could reboot that computer.

You could also go in and stop the installation, just be aware that killing an in progress installation could leave you with a corrupted installation. With that in mind, use the following command to terminate the msiexec.exe.

taskkill.exe /f/im msiexec.exe

This is included in a command step in the Java ALTERNATE package

I Just Checked My Browser…it Doesn’t Have My New Java Installation!

You’ve just deployed the latest Java, the installation went smoothly. How exciting! But wait…you remote in to one of the computers you deployed to and checked if this new Java was being used and it still shows an old version of Java! What’s up with that?!

Likely, the deployed the wrong Java for that browser has been deployed. Most browsers are 32-bit, so you would want to deploy a 32-bit Java. Deploy 64-bit Java and your 32-bit browser won’t use it. Easy fix, just deploy the appropriate version of Java for your browsers and you’ll be good to go.

32 64 bit java

Modifying Your Java Installation

I want to configure the Java control panel and/or modify the exception site list

Awesome. Check out a full blog post on how to do that here.

I’d like to use a previous version of Java

If you have an Enterprise license of PDQ Deploy, you can access most past versions of any package. Select a package and you’ll notice in the right corner a list of past version of Java ready to be imported for you to deploy. If you don’t have an Enterprise level license, you can still create your own package by first, getting your install file from Oracle. You can then build your own deployment package in your free download of PDQ Deploy. (See step-by-step how to build your own deployment package here.)




QuickTime Zero Day Vulnerability

Posted on 3 CommentsPosted in Deployment Examples, PDQ Deploy

There are two major zero day vulnerabilities for QuickTime for Windows…and the fix? Uninstall it. According to TrendMicro, Apple has indicated they will not fix these as QuickTime for Windows will no longer be receiving updates. It is recommended that QuickTime is uninstalled as quickly as possible. (Read more here.)

Uninstalling QuickTime

Package Library users will notice that all QuickTime packages have been removed. No sense in deploying a highly vulnerable application, right?

There is the Uninstall QuickTime package available to those with Enterprise level access to the Package Library. Free trials of PDQ Deploy Enterprise are available and include the ability to import up to THREE packages free during the 14 day trial. This deployment runs silently and will not interrupt any of your users while it is being deployed.




Copying Files to All User Profiles with PowerShell

Posted on Leave a commentPosted in PowerShell

Copying files to all of the the user profiles is a snap with PowerShell.

It’s one of the more common questions that I’m asked, so I thought I’d get a blog post written about it so that people have something to reference.

Copying Files to All User Profiles

If you have ever used a computer, then you probably already know how to copy files. Copying files with PowerShell, however, makes things a great deal more interesting and fun.

Here are a few quick examples. They will copy single files or entire folder structures.

(more…)


How to Pass PCI Compliance Audits

Posted on Leave a commentPosted in PDQ Inventory

Lets dive in and look at some reports you can use to help you pass PCI Compliance audits.

Pass PCI Compliance Audits: The Reports You Might Find Useful

Check if Software is Up-to-Date

An important part of PCI audits is checking that software is up-to-date, particularly those applications that are notorious for vulnerabilities and exploits. A few key applications that PCI Compliance auditors would look for are IE, Flash, and Java.  Save yourself a some work in the long run by having a report all ready to go.

You can follow these same steps for any application, for this example let’s use Flash. In the following steps, PDQ Inventory Enterprise mode is used to create reports, although you can accomplish the same results using the free download of PDQ Inventory. You’ll just have to create a new report and set up the filters yourself. (Click here to learn more about filters, note that filters for collections and reports are essentially used the same way.)



In the Collection Library, select Flash IE (Old) and then select from the New Report drop down the “From Collection” option. This will automatically create a report using the same filters and information that created the collection. You can do this with any collection, not just the ones in the Collection Library. But since the Collection Library filters are already set up and ready to go you may as well take advantage of that.

ie old report from collection - Pass pci compliance audits

With a newly created report you’ll be able to print or export the needed information for the auditor or other curious eyes.

Staying Up-to-Date on Applications

If you want to make sure your report shows all your computers are up-to-date…set up some Auto Deployments. Flash, Java, and IE (and so much more) are all available to set up to automatically deploy when an out-of-date version is detected. Learn more about Auto Deployments here.

Point-of-Sale Machines

Point-of-Sale computers face far more scrutiny than other computers. You’ll want to have a report ready to show all software installed on those machines to pass PCI compliance audits. Here’s how you can build a report to show what is on your Windows POS machines.

First, create a collection with your POS computers. Create a static collection (click the static collection button in the toolbar up top) and select computers.

POS collection

You can also create a dynamic collection based on criteria such as AD Group Membership or based on computers having a particular piece of POS software installed. Using a dynamic collection means that computers will be automatically added to the collection based on the criteria you set. This is a great way to maintain an up-to-date collection.

point of sale - dynamic collect

Then it’s time to run your report. Select your newly created Point-of-Sale collection and then go to Report > Run Report > Applications to run the applications report or right-click on the collection to access the same Run Report options.

application count

 

Now you have a report of all POS computers and what applications are installed on them. Hit the Print Preview button to print (naturally) or to export this report as a PDF, csv, or many other file types.

all applications

While you’re at it…

While you’re building and running these reports you might want to consider adding a few more reports for your information.

  1. Hardware Assessment. Now is a good time to look over machines and see what computers might need upgrades this year. For example, you could create a report to tell you which machines have lower amounts of memory. Now you know what budget requests you might need to make or how to allocate your IT budget. Again, this is where the Collection Library comes in handy. In the left side tree you can navigate to Collection Library > Hardware > Disks.
  2. low disk space collection

    To create a report,  with the collection of interest selected, go up to Report > Run Report > Memory Modules. You may want to adjust the value column to the amount of GB you’re interested in reporting on. Edit (with Pro or Enterprise level) the report by clicking Define Report.

  3. Software Counts. Another good thing to check is if your company is compliant with licensing agreements. Mark a date in your calendar annually to run the Application Count report (Report > Run Report > Application Count). Select the collection you want to report on or just do this for all computers, whatever makes sense in your environment.

software counts report


April Fools Day Pranks for Sys Admins

Posted on Leave a commentPosted in PowerShell

As the all powerful sys admin, you have access to fantastic tools to play pranks on your co-workers…namely their own PCs. Try out some of these pranks and watch the confusion on your co-worker’s faces.

April Fools Day Pranks for Sys Admins

The Talking Computer

Does your co-worker have his speakers on? Good. Send this PowerShell cmdlet to send a surprise verbal message. If you’ve got a particularly gullible co-worker, maybe you’ll even convince them someone is trapped inside their computer.

Add-Type -AssemblyName System.speech
$speak = New-Object System.Speech.Synthesis.SpeechSynthesizer
$speak.Speak('Hello...')

Just substitute the Hello…with a phrase of your choice and you’re ready to deploy your .ps1 script. Read the full PowerShell blog by Kris to see how to add modifications such as slowing down, or speeding up speech and more.

Surprise Musical Number

If you’ve got a WAV file handy, it’s pretty simple to play some tunes on an unsuspecting co-worker’s machine. I hope they have their speakers turned up for this one!

(New-Object Media.SoundPlayer "C:\temp\Jack Johnson - Unfortunate Fool.wav").PlaySync()

See the full blog post to see options for using MP3 and other files, as well as how to get your .ps1 file deployed successfully.

 

Happy April Fools! Looking for more April Fools Day pranks for sys admins? Check out this thread at /r/sysadmin.  Share your success stories in the comments. Have a prank you like to pull using your sys admin powers? We’d love to hear about it!

 


Now Available: PDQ Inventory 8

Posted on 3 CommentsPosted in PDQ Inventory

What’s New in PDQ Inventory 8

Adding Non-Windows Devices

Keep track of your various devices by adding them into PDQ Inventory. Information that can be scanned is limited and some fields will require manual input from you. Prebuilt collections are included and you can build reports on these devices within PDQ Inventory. To manually change the Allow Scan status, in the Computer window, go to Computer > Allow Scan (or right-click a computer and select Allow Scan).

Collect Non-OS Updates

See what Hot Fixes were applied to your computers by double-clicking any computer and selecting the Hot Fixes page. Prior to version 8, this page only collected Microsoft OS updates but now includes software hot fixes as well.

scan for hotfixes inventory 8

For Pro Users

Collect BitLocker Drive Encryption DataDiskDrive300px

You can view BitLocker information on individual computers by double-clicking a computer in the main console, and selecting the Disk Drives page. Select the drive in order to view its partitions. The BitLocker data that is collected includes:

  • Protection Lock Status
  • BitLocker Encryption
  • BitLocker Version
  • Conversion Status
  • Percentage Encrypted
  • Identification Field
  • Automatic Unlock
  • Key Protectors

You may notice not all of these fields are visible. If you have a field you would like to make visible simply click the customize this grid icon in the left corner of the table.

bitlocker encryption

File Scanner Improvements 

The file scanner has gotten a major face lift in this update. The new interface makes it easier than ever to set up your scan to grab exactly the information you need on files in your network. Learn more about configuring the file scanner here.

For Enterprise Users

Run Now Option for Auto ReportsRun Auto Report Now

You’ve got your reports scheduled and running regularly, (see how to set up auto reports, click here) but then you need a report right away. Now you can get those auto reports immediately.

After selecting Auto Reports from the tree and selecting your desired report, click the Run Now button. All the same settings you specified when you first set up the auto report will be used (except the set schedule obviously…you just told the report to run now).

run now auto reports

After that, your schedule will also still continue to run. If you need to make changes you can make those in the right sidebar.



 


Modifying the Registry for All Users

Posted on Leave a commentPosted in PowerShell

We’re going to look at modifying the registry for all users whether or not a user is logged into a machine. This is a continuation of my last blog post – Modifying the Registry of Another User.

As a quick refresher, we learned how to modify a user’s registry (HKEY_CURRENT USER or HKEY_USERS) without having that user logged onto a machine. We had to load and unload their NTUSER.DAT file separately in the HKEY_USERS registry hive.

It was pretty exciting. 

Now, we’re going to add to that excitement by learning how to do it for all users instead of only specific users.

Modifying the Registry for All Users

Before we can modify the registry for all users, we need to be able to go out and grab all the ntuser.dat files so that we can load them as we did in the last blog post.

I know what you’re thinking. You’re thinking that’s easy! We know that the ntuser.dat file is in the C:\Users\<Username>\ directory, so that should be as simple as searching through C:\Users for any ntuser.dat file, right?!

This will only work if nobody is logged into a machine. We have to take into consideration any currently-logged on users. Any currently-logged on users will already have their ntuser.dat files loaded into the registry. This includes users who forget to log off. Even though their session is disconnected and somebody else has logged on, their registry is still loaded in the registry.

Here’s an example of this. I’m currently logged into my test machine. There is also a disconnected user Reg who forgot to log off:

PS Blog - Registry - HKU example

If I try loading Reg’s ntuser.dat, I encounter an error telling me that ntuser.dat is already being used by something else.

PS Blog - Registry - Cannot load ntuser.dat

So, what do we do?

We need to find all users on a machine and compare it with all currently-logged on user security identifiers (SIDs).

Find all users and their SIDs

Fortunately for us, there is a convenient location in the registry that stores the users on a machine and their SIDs.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*

This location will have a list of all the SIDs for a machine as well as some other properties. We’re interested in the SIDs that start with S-1-5-21. Notice that you see the two SIDs from an earlier screenshot:

PS Blog - Registry - ProfileList example modifying the registry

From this, we are able to use regular expressions and some calculated properties to select some great information with PowerShell. We’ll use the Get-ItemProperty cmdlet to get that information from the registry.

$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
 Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} |
     select  @{name="SID";expression={$_.PSChildName}},
             @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}},
             @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}

Now we have a list of the usernames and their associated SIDs.

Getting SID of users in HKEY_USERS

Next, we’ll need to compare those SIDs with the SIDs of the users that are currently logged on and have their registry’s loaded to HKEY_USERS:

Get-ChildItem Registry::HKEY_USERS | Where-Object {$_.PSChildName -match $PatternSID} | select PSChildName

Easy peasy.

Putting it all together

Now, we just need to compare the two lists of SIDs and we’ll be able to modify the registry at will. I’ve compiled it all into a template that somebody could use to read or modify the registry of each user on a machine. In my example, I load each registry (if not loaded) and attempt to read the Uninstall key at HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*

This will show me which users have per-user installs of software as well as the software name:

 

# Regex pattern for SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
 
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} | 
    Select  @{name="SID";expression={$_.PSChildName}}, 
            @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}}, 
            @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
 
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
 
# Get all users that are not currently logged
$UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select @{name="SID";expression={$_.InputObject}}, UserHive, Username
 
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
    # Load User ntuser.dat if it's not already loaded
    IF ($item.SID -in $UnloadedHives.SID) {
        reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
    }
 
    #####################################################################
    # This is where you can read/modify a users portion of the registry 
 
    # This example lists the Uninstall keys for each user registry hive
    "{0}" -f $($item.Username) | Write-Output
    Get-ItemProperty registry::HKEY_USERS\$($Item.SID)\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | 
        Foreach {"{0} {1}" -f "   Program:", $($_.DisplayName) | Write-Output}
    Get-ItemProperty registry::HKEY_USERS\$($Item.SID)\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | 
        Foreach {"{0} {1}" -f "   Program:", $($_.DisplayName) | Write-Output}
    
    #####################################################################
 
    # Unload ntuser.dat        
    IF ($item.SID -in $UnloadedHives.SID) {
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload HKU\$($Item.SID) | Out-Null
    }
}

Final Notes

Use this information with a healthy dose of caution. It is never wise to modify the registry without a good reason, and even some good reasons aren’t always great justification. In other words, be responsible and test your scripts before using on production systems. We cannot be held responsible for any issues that you may encounter.

Happy PowerShelling!


PDQ Inventory 8 Now in Beta

Posted on 2 CommentsPosted in PDQ Inventory

The latest PDQ Inventory 8 Beta is now available. To try out the new beta in your console go to File > Preferences > Auto Update Alerts. If Include Beta Versions is checked, you’ll see a link in the lower right corner of the console that will allow you to update to the latest beta available.

Maybe you’d like to know what’s in the beta before you download it. Here are some new additions to expect.

PDQ Inventory 8 Beta: What’s New?

Adding Non-Windows Devices

Keep track of your various devices by adding them into PDQ Inventory. Information that can be added is limited and will require manual input from you. But you can still build collections and report on these devices within PDQ Inventory.

Collect Non-OS Updates

See what Hot Fixes were applied to your computers by double-clicking any computer and selecting the Hot Fixes page. Prior to the beta, this page only collected Microsoft OS updates but now includes software hot fixes as well.

scan for hotfixes inventory 8

For Pro Users

Collect BitLocker Drive Encryption DataDiskDrive300px

You can view BitLocker information on individual computers by double-clicking a computer in the main console, and selecting the Disk Drives page. Select the drive in order to view its partitions. The BitLocker data that is collected includes:

  • Protection Lock Status
  • BitLocker Encryption
  • BitLocker Version
  • Conversion Status
  • Percentage Encrypted
  • Identification Field
  • Automatic Unlock
  • Key Protectors

You may notice not all of these fields are visible. If you have a field you would like to make visible simply click the customize this grid icon in the left corner of the table.

bitlocker encryption

For Enterprise Users

Run Now Option for Auto ReportsRun Auto Report Now

You’ve got your reports scheduled and running regularly, (see how to set up auto reports, click here) but then you need a report right away. Now you can get those auto reports immediately.

After selecting Auto Reports from the tree and selecting your desired report, click the Run Now button. All the same settings you specified when you first set up the auto report will be used (except the set schedule obviously…you just told the report to run now).

run now auto reports

After that, your schedule will also still continue to run. If you need to make changes you can make those in the right sidebar.