Windows Software Deployment

Windows software installers have not changed much since the days of XP, much software is distributed as a .exe which then contains a self extracting installer for putting file into the appropriate place and adding registry entries etc. The .msi file format brought some standardisation, and now with Intune, there is a new format, the intunewin.

The intunewin format is a container format for the files for the software installer, which is created by the packager, and is then encrypted and signed by Intune with a certificate that can be verified by an endpoint that has joined to the O365 tenant. There is an install and and uninstall command that needs to be set for the intunewin file in Intune for the actual deployment.

There are many blog posts across the Internet that cover the installation of specific applications that they have had issues packaging for Intune, frequently using an install.cmd to perform tasks that are not able to be set as a command line option. For one application that I recently packaged, I created an install.cmd that deployed two firewall rules before then installing the software with a msiexec /i etc. Without these firewall rules in place, on first running of the application, a Firewall popup (that a user is not able to accept) woudl occur, and the applicatio n would not function correctly. The application vendor a/ does not support Intune, and b/ suggests that installs should be performed by an Administrator. With the rise of MDM for managing endpoints, Application vendors need to start packaging their Windows software with a similar mindset to creating IOS/Android software, everything packaged in a simple to deploy  manner that can deployed with modern deployment methods.





What time is it ?

Time is quite important for computers, for some purposes, to be synchronised to within 5  minutes is accurate enough, for other purposes milli, micro, nano or femto seconds are required.

When comparing logs across multiple devices, having devices do not have time synched can make tracing events harder than it needs to be.

One can add a single time standard to get around this, but for NTP to work well, there should be at least 3 standards, one could however configure a GPS time server that takes time from GPS (or to be precise PPS to get sub millsecond accuracy) and also uses external NTP servers to confirm that the GPS output is “sane”, A raspberryPi can do this quite well.

To go “better” than NTP, the next step along the ladder is PTP (Precision Time Protocol), which has a very different way of workign to NTP, in that a GM (Grand Master) clock is the single source of truth in a PTP domain, one can then have that GM clock accessed by secondary level “boundary” clocks to act as a distribution layer. While a raspberryPi can run PTP, the jitter from the raspberryPi is at a level where it can be seen when comparing to dedicated devices, or say a Solarflare card that is fed with a “clean” PPS in, it is however good enough to see the change in one way delay when the path goes over 1, 2 or 3 Ethernet switches.



Exchange, Smarthosts, Basic Auth and TLS

Exchange server has the capability to use TLS to encrypt email in transit to another mail server.

When used for receiving, it checks that it trusts the root certificate (so a chain of trust is established) and the CRL (Certificate Revocation List) to make sure that the certificate has not been revoked in the CDP (CRL Distribution Point).

Therefore, if you want to use a certificate from a private CA, as well as importing the private root certificate to the trusted root certificates on both sides, you also need to publish a CRL on each side that the other side can check.

When you want a better filter for Windows event logs

The built in filtering in windows event logs is fine for when you want to find a specific event, but if you want to find when a specific service started or stopped, it’s not up to the job. Luckily there is the capability to use XML filters which I use in a custom view


 <Query Id="0"> 
  <Select Path="System"> 
  *[EventData[Data[@Name='param1'] and (Data='Hyper-V Time Synchronization Service')]] 

Deleting Shadow Copies

If you need to delete shadow copies, you can either delete them in explorer, or use vssadmin, or use wmic

To delete using vssadmin

vssadmin Delete Shadows /For=C: /Oldest
vssadmin Delete Shadows /For=C: /All

for a full list of options

To delete using wmic

shadowcopy delete

Boot 2012r2 from USB

Windows Server 2012r2 introduced tiered storage spaces. Storage spaces works best when you have shelves of JBOD HDD and SSD, but there are also benefits for smaller deployments for servers with 6+ disk slots. There is however an issue that Windows cannot boot from a storage space, therefore you would need to dedicate at least one disk slot for a boot disk, there is a solution for this issue. Since Windows Server 2008r2, Windows has had the capability of boot (and run, as opposed to boot and install) from a UFD (USB Flash Drive). This then allows for example, a six disk slot server, to have two SSDs and four HDDs in a two way mirrored Tiered Storage Space, ideal for a lab Hyper-V server.

There are some downsides, a UFD in a USB2 port is not as fast as a SSD on a SAS/SATA port, however for the use case, an increased boot time might not be an issue. Also there is no redundancy in a single UFD, however there are no moving parts. If the UFD is suitably sized, the wear leveling of the UFD should provide a reasonable lifespan. Microsoft suggested a 16GB UFD for 2008r2, I would suggest a 64GB UFD.

Following on from the Microsoft information, I used a Kingston DataTraveler Ultimate 64 GB UFD.

The Microsoft instructions for 2008r2 use a .vhd file, but it is possible to use a .vhdx with only a few small changes.

Install the Windows 8.1 ADK on a suitable computer. As I don’t use Windows 8 or 8.1, I used a 2012r2 server.

Either mount a 2012r2 ISO, or extract the the install.wim, I have presumed that an ISO has been mounted to E:

From an elevated command prompt

list disk
select disk <USB disk number>
create partition primary
format quick fs=ntfs 
assign letter=v

The letter isn’t important, just something that doesn’t conflict with existing drive letters

I am quite happy with multiple command windows open and switching between them, so open another elevated command prompt.

mkdir c:\HYPERV2012r2
create vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx maximum=20480 type=fixed
select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
attach vdisk
create partition primary
format quick fs=ntfs label=HYPERV2012r2
assign letter=r

Again, the letter isn’t important, just something that doesn’t conflict.

To “build” the OS in the mounted .vhdx, open an elevated Deployment and Imaging Tools environment prompt. This will open in C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\

cd amd64\DISM
dism.exe /apply-image /Imagefile:E:\sources\install.wim /Index:1 /ApplyDir:R:\

When booting and running from USB with a core install, a page file should not be required, and for maximum life of the UFD, you should not use a page file on the UFD, the following disables the page file.

reg load HKLM\HyperVTemp r:\windows\system32\config\system
reg add "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v PagingFiles /t REG_MULTI_SZ /d "" /f
reg delete "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v ExistingPageFiles /f
reg unload HKLM\HyperVTemp

Now return to the diskpart window, and unmount the .vhdx

select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
detach vdisk

and copy the .vhdx to the UFD

copy c:\HYPERV2012r2\HYPERV2012r2.vhdx v:\

Now mount the .vhdx on the UFD

mkdir c:\HYPERV2012r2
select vdisk file=v:\HYPERV2012r2.vhdx
attach vdisk

Create a boot sector.

cd ..\BCDBoot
bootsect /nt60 v: /force /mbr

And create a BCD

bcdboot r:\windows /s v:

When the BCD has finished, you should be able to eject the UFD and boot from it. The first boot would be as if you have completed an install where you need to set the Administrator password.

Tomcat7 on Ubuntu 14.04 with Oracle Java running on port 80

Start with installing Oracle Java

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Now install tomcat7

sudo apt-get install tomcat7

To run on ports below 1024, authbind needs to be enabled

sudo nano /etc/default/tomcat7

change #AUTHBIND=no to AUTHBIND=yes

sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80


sudo nano /etc/default/tomcat7

Add JAVA_HOME=/usr/lib/jvm/java-8-oracle

You should now be able to start tomcat7

Managing time (NTP) on standalone Windows Servers, Domain Controllers, or desktops

On standalone Windows servers (servers not members of a domain) the time service only checks the time against an NTP server on startup as a triggered action. If the server is on hardware with a “reliable” hardware clock, this is usually not a problem as clock drift on most modern hardware is minimal, if however the hardware clock is not reliable, or the Computer is running in a virtual environment, it may take incorrect clock data from the VM host (if the host has an unreliable or “wrong” hardware clock, or it may just drift more than expected.

First of all I like to set the time service to be automatic

sc triggerinfo w32time delete

Start the time service

net start w32tm

Configure a suitable set of NTP servers, I use the pool project.

ww32tm /config /manualpeerlist:"" /syncfromflags:manual /update

and force the time service to resync against the configured time servers

w32tm /resync

Using a PFX formatted certificate on Cisco IOS

Rather than converting from pfx to pem format, why not just use a pfx?

With the way that pfx files are formatted, copying and pasting from a terminal is not possible, however if you can get the certificate transferred over FTP, it becomes much simpler :-)

The certificate has to have the full chain in it, and a passphrase.

conf t
ip ftp username <ftp username>
ip ftp password <ftp password>
copy ftp flash:

enter server name
enter source file name
enter destination file name

conf t
crypto pki trustpoint <trustpoint name>
fqdn <f.q.d.n>
subject-name cn=<f.q.d.n>
revocation-check crl
rsakeypair <trustpoint name>
crypto pki import <certificate.pfx> pkcs12 flash:<certificate> <passphrase>
wri mem

to show the certificate

show crypto pki trustpoints status

Allowing RDP on on Windows 2012r2 core

On Windows 2012r2 server core, the firewall is enabled with the public profile on installation, so just enabling RDP in sconfig does not allow RDP access.

You can enable RDP to pass through the firewall with the following powershell command

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

Alternatively, you can enable RDP and configure the firewall with the following

cscript C:\Windows\System32\SCRegEdit.wsf /AR 0