Category Archives: Windows

Windows Software Deployment

Windows software installers have not changed much since the days of XP: much software is distributed as a .exe containing a self-extracting installer that puts files into the appropriate places, adds registry entries and so on. The .msi file format brought some standardisation, and now with Intune there is a new format, the .intunewin.

The .intunewin format is a container for the software installer's files. It is created by the packager, then encrypted and signed by Intune with a certificate that can be verified by an endpoint joined to the O365 tenant. An install command and an uninstall command must be set for the .intunewin file in Intune for the actual deployment.

There are many blog posts across the Internet covering the installation of specific applications that their authors have had trouble packaging for Intune, frequently using an install.cmd to perform tasks that cannot be set as a command line option. For one application that I recently packaged, I created an install.cmd that deployed two firewall rules before installing the software with msiexec /i etc. Without these firewall rules in place, on first run of the application a firewall popup (that a user is not able to accept) would occur, and the application would not function correctly. The application vendor a/ does not support Intune, and b/ suggests that installs should be performed by an Administrator. With the rise of MDM for managing endpoints, application vendors need to start packaging their Windows software with a similar mindset to creating iOS/Android software: everything packaged in a simple-to-deploy manner that can be deployed with modern deployment methods.
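The install.cmd described above did two things: create the firewall rules the application needs, then run msiexec. The following is an added example of the same idea as an Intune install script, not the post's own install.cmd and not vendor code. Every name in it (ExampleApp.msi, the program path, the rule name, the log folder) is a placeholder to replace with your package's values; it assumes Intune runs it as SYSTEM from the folder the .intunewin was extracted to, which is where the MSI sits.

```powershell
# Added example (not the original post's install.cmd, and not vendor code):
# an Intune Win32 install script that creates the firewall rules the app
# needs before running msiexec, so users never see the firewall prompt they
# cannot accept. All names and paths below are placeholders for your package.
param(
    [string]$MsiName  = 'ExampleApp.msi',                              # placeholder, shipped inside the .intunewin
    [string]$ExePath  = 'C:\Program Files\ExampleApp\ExampleApp.exe',  # placeholder, the binary that needs the rules
    [string]$RuleName = 'ExampleApp',                                  # placeholder
    [string]$LogDir   = "$env:ProgramData\IntuneInstallLogs"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir 'ExampleApp-install.log'

function Set-AppFirewallRule {
    # Create inbound TCP and UDP rules scoped to the program only and to the
    # domain/private profiles, and skip any that already exist so reruns
    # (Intune retries the install command on failure) stay idempotent.
    param([string]$Name, [string]$Program)
    foreach ($proto in 'TCP', 'UDP') {
        $display = "$Name ($proto-In)"
        if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $display -Direction Inbound -Action Allow `
                -Program $Program -Protocol $proto -Profile Domain,Private | Out-Null
        }
    }
}

function Install-AppMsi {
    # Silent install with a verbose log; returns the msiexec exit code so the
    # script can hand it back to Intune (3010 = installed, reboot required).
    param([string]$Msi, [string]$LogFile)
    $msiPath = Join-Path $PSScriptRoot $Msi   # Intune runs us from the extraction folder
    if (-not (Test-Path $msiPath)) { throw "MSI not found: $msiPath" }
    $args = @('/i', "`"$msiPath`"", '/qn', '/norestart', '/l*v', "`"$LogFile`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
    if ($p.ExitCode -notin @(0, 3010)) {
        throw "msiexec exited with $($p.ExitCode); see $LogFile"
    }
    return $p.ExitCode
}

# Rules first (as in the post), then the MSI; a failure in either step makes
# the script exit non-zero so Intune reports the install as failed.
Set-AppFirewallRule -Name $RuleName -Program $ExePath
$code = Install-AppMsi -Msi $MsiName -LogFile $log
exit $code
```

Because the Intune Management Extension is a 32-bit process, the usual install command for a script like this is `%windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File install.ps1`, so that the 64-bit firewall cmdlets are used; the matching uninstall command would remove the two rules and run `msiexec /x` with the product code.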

Boot 2012r2 from USB

Windows Server 2012r2 introduced tiered Storage Spaces. Storage Spaces works best when you have shelves of JBOD HDDs and SSDs, but there are also benefits for smaller deployments on servers with 6+ disk slots. There is however a catch: Windows cannot boot from a storage space, so you would need to dedicate at least one disk slot to a boot disk. There is a solution for this. Since Windows Server 2008r2, Windows has been able to boot (and run, as opposed to boot and install) from a UFD (USB Flash Drive). This allows, for example, a six disk slot server to have two SSDs and four HDDs in a two way mirrored tiered storage space, ideal for a lab Hyper-V server.

There are some downsides: a UFD in a USB2 port is not as fast as an SSD on a SAS/SATA port, however for this use case an increased boot time might not be an issue. Also there is no redundancy in a single UFD, though there are no moving parts. If the UFD is suitably sized, its wear levelling should provide a reasonable lifespan. Microsoft suggested a 16GB UFD for 2008r2; I would suggest a 64GB UFD.

Following on from the Microsoft information, I used a Kingston DataTraveler Ultimate 64 GB UFD.

The Microsoft instructions for 2008r2 use a .vhd file, but it is possible to use a .vhdx with only a few small changes.

Install the Windows 8.1 ADK on a suitable computer. As I don’t use Windows 8 or 8.1, I used a 2012r2 server.

Either mount a 2012r2 ISO or extract the install.wim; I have presumed that an ISO has been mounted to E:

From an elevated command prompt, start diskpart and prepare the UFD. Check the disk number carefully before clean: it wipes the partition table of whichever disk is selected.

diskpart
list disk
select disk <USB disk number>
clean
create partition primary
active
format quick fs=ntfs
assign letter=v

The letter isn’t important, just something that doesn’t conflict with existing drive letters

I am quite happy with multiple command windows open and switching between them, so open another elevated command prompt.

mkdir c:\HYPERV2012r2
diskpart
create vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx maximum=20480 type=fixed
select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
attach vdisk
create partition primary
format quick fs=ntfs label=HYPERV2012r2
assign letter=r

Again, the letter isn’t important, just something that doesn’t conflict.

To “build” the OS in the mounted .vhdx, open an elevated Deployment and Imaging Tools environment prompt. This will open in C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\

cd amd64\DISM
dism.exe /apply-image /Imagefile:E:\sources\install.wim /Index:1 /ApplyDir:R:\

When booting and running from USB with a core install, a page file should not be required, and for maximum life of the UFD you should not put a page file on it. The following disables the page file by editing the offline SYSTEM hive of the applied image:

reg load HKLM\HyperVTemp r:\windows\system32\config\system
reg add "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v PagingFiles /t REG_MULTI_SZ /d "" /f
reg delete "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v ExistingPageFiles /f
reg unload HKLM\HyperVTemp

Now return to the diskpart window, and unmount the .vhdx

select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
detach vdisk

and copy the .vhdx to the UFD

copy c:\HYPERV2012r2\HYPERV2012r2.vhdx v:\

Now, in the diskpart window, mount the copy of the .vhdx that is on the UFD

select vdisk file=v:\HYPERV2012r2.vhdx
attach vdisk

Back in the Deployment and Imaging Tools prompt, write a boot sector to the UFD.

cd ..\BCDBoot
bootsect /nt60 v: /force /mbr

And create a BCD store on the UFD that points at the Windows installation inside the .vhdx

bcdboot r:\windows /s v:

When bcdboot has finished, you should be able to eject the UFD and boot from it. The first boot behaves as if you have just completed an install and need to set the Administrator password.
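The whole procedure above is a fixed sequence of diskpart, dism, reg and bcdboot steps, so it is worth scripting. The following PowerShell script is an added example, not part of the original post: it runs the same steps in the same order, with the safety checks a practitioner would want (it refuses to touch a disk that is not on the USB bus, and it stops if the mounted .vhdx does not come back under the expected letter). It assumes it is run from an elevated Deployment and Imaging Tools Environment prompt (so dism, bootsect and bcdboot are on the PATH), that the ISO is mounted at E:, and the same working folder, size and drive letters as the post; all of those are parameters.

```powershell
# Added example (not from the original post): scripted build of a bootable
# Windows Server 2012r2 .vhdx on a USB flash drive, following the post's
# steps. Run from an elevated Deployment and Imaging Tools Environment
# prompt so dism.exe, bootsect.exe and bcdboot.exe are on the PATH.
# Assumptions: ISO mounted at E:, disk number of the UFD supplied by the
# caller, working folder and drive letters as in the post (all parameters).
param(
    [Parameter(Mandatory)][int]$UsbDiskNumber,
    [string]$IsoDrive  = 'E:',
    [string]$WorkDir   = 'C:\HYPERV2012r2',
    [string]$VhdxName  = 'HYPERV2012r2.vhdx',
    [int]$VhdxSizeMB   = 20480,
    [char]$UfdLetter   = 'V',
    [char]$VhdLetter   = 'R'
)
$ErrorActionPreference = 'Stop'
$vhdx = Join-Path $WorkDir $VhdxName

function Invoke-DiskPart([string]$Script) {
    # diskpart takes its commands from a script file passed with /s.
    $tmp = [IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $Script -Encoding ASCII
    & diskpart.exe /s $tmp | Out-Null
    $rc = $LASTEXITCODE
    Remove-Item $tmp
    if ($rc -ne 0) { throw "diskpart failed (exit $rc) running:`n$Script" }
}

# Safety check: 'clean' wipes the selected disk, so refuse anything that is
# not on the USB bus (Get-Disk comes with the Storage module on 2012r2).
$usb = Get-Disk -Number $UsbDiskNumber
if ($usb.BusType -ne 'USB') {
    throw "Disk $UsbDiskNumber is on bus '$($usb.BusType)', not USB; refusing to continue"
}

# 1. Prepare the UFD: one active NTFS partition with a known drive letter.
Invoke-DiskPart @"
select disk $UsbDiskNumber
clean
create partition primary
active
format quick fs=ntfs
assign letter=$UfdLetter
"@

# 2. Create the fixed-size .vhdx on local disk and mount it.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Invoke-DiskPart @"
create vdisk file="$vhdx" maximum=$VhdxSizeMB type=fixed
select vdisk file="$vhdx"
attach vdisk
create partition primary
format quick fs=ntfs label=HYPERV2012r2
assign letter=$VhdLetter
"@

# 3. Apply the install image (index 1 is the first edition in the WIM).
& dism.exe /Apply-Image /ImageFile:"$IsoDrive\sources\install.wim" /Index:1 /ApplyDir:"${VhdLetter}:\"
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Image failed with exit code $LASTEXITCODE" }

# 4. Disable the page file in the offline SYSTEM hive, as in the post.
#    '""' is how an empty argument is handed to reg.exe from PowerShell.
$mm = 'HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management'
& reg.exe load HKLM\HyperVTemp "${VhdLetter}:\Windows\System32\config\SYSTEM" | Out-Null
& reg.exe add "$mm" /v PagingFiles /t REG_MULTI_SZ /d '""' /f | Out-Null
& reg.exe delete "$mm" /v ExistingPageFiles /f | Out-Null   # may not exist yet; harmless
& reg.exe unload HKLM\HyperVTemp | Out-Null

# 5. Detach, copy the .vhdx to the UFD, and re-attach the copy.
Invoke-DiskPart "select vdisk file=`"$vhdx`"`ndetach vdisk"
Copy-Item -Path $vhdx -Destination "${UfdLetter}:\"
$ufdVhdx = "${UfdLetter}:\$VhdxName"
Invoke-DiskPart "select vdisk file=`"$ufdVhdx`"`nattach vdisk"
# The copy carries the same disk signature, so Windows normally hands it the
# same letter; check rather than assume before pointing bcdboot at it.
if (-not (Test-Path "${VhdLetter}:\Windows")) {
    throw "Mounted .vhdx did not come back as ${VhdLetter}: ; assign the letter in diskpart and rerun steps 6-7"
}

# 6. Boot sector on the UFD, 7. BCD store pointing into the .vhdx.
& bootsect.exe /nt60 "${UfdLetter}:" /force /mbr
if ($LASTEXITCODE -ne 0) { throw "bootsect failed with exit code $LASTEXITCODE" }
& bcdboot.exe "${VhdLetter}:\Windows" /s "${UfdLetter}:"
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 8. Release the .vhdx so the UFD can be ejected cleanly.
Invoke-DiskPart "select vdisk file=`"$ufdVhdx`"`ndetach vdisk"
Write-Output "Done: eject ${UfdLetter}: and boot from it."
```

The script uses `clean` and `active` in the UFD preparation, which the post's diskpart steps leave implicit: `clean` removes whatever partition the drive shipped with, and `active` marks the new partition as the one the MBR boot code loads from.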

Managing time (NTP) on standalone Windows Servers, Domain Controllers, or desktops

On standalone Windows servers (servers that are not domain members) the time service only checks the time against an NTP server at startup, as a triggered action. If the server is on hardware with a “reliable” hardware clock this is usually not a problem, as clock drift on most modern hardware is minimal. If however the hardware clock is not reliable, or the computer is running in a virtual environment, it may take incorrect clock data from the VM host (if the host has an unreliable or “wrong” hardware clock), or it may just drift more than expected.

First of all, I like to set the time service to start automatically rather than only on trigger, by removing its start trigger

sc triggerinfo w32time delete

Start the time service

net start w32time

Configure a suitable set of NTP servers; I use the pool project (pool.ntp.org).

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /update

and force the time service to resync against the configured time servers

w32tm /resync
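The four commands above configure the client but do not tell you whether it is actually syncing, and they are only appropriate on a standalone machine (a domain member should keep taking time from the domain hierarchy, unless it is the PDC emulator). The following PowerShell script is an added example, not part of the original post: it applies the same configuration and then verifies the result with `w32tm /query /status` and `w32tm /stripchart`. The pool.ntp.org peer list and the one-second offset threshold are assumptions you can change.

```powershell
# Added example (not from the original post): configure the Windows Time
# service on a standalone server against the NTP pool, then verify that it
# is really syncing. Run from an elevated PowerShell prompt. The peer list
# and the offset threshold are assumptions; substitute your own.
param(
    [string]$PeerList = '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org',
    [double]$MaxOffsetSeconds = 1.0
)
$ErrorActionPreference = 'Stop'

function Test-ManualPeersAppropriate {
    # Domain members take time from the domain hierarchy; only a standalone
    # machine or the PDC emulator (Win32_ComputerSystem.DomainRole 5) should
    # carry a manual peer list, so refuse to reconfigure anything else.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return (-not $cs.PartOfDomain) -or ($cs.DomainRole -eq 5)
}

function Set-NtpClient {
    # Same steps as the post: drop the start trigger, make the service a plain
    # automatic service so it keeps polling, set the peers, force a resync.
    param([string]$Peers)
    & sc.exe triggerinfo w32time delete | Out-Null
    & sc.exe config w32time start= auto | Out-Null    # sc.exe needs the space after 'start='
    Start-Service -Name w32time
    & w32tm.exe /config /manualpeerlist:"$Peers" /syncfromflags:manual /update | Out-Null
    & w32tm.exe /resync | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "w32tm /resync returned $LASTEXITCODE (no peer has answered yet); check again in a minute"
    }
}

function Get-NtpStatus {
    # Pull the fields that matter out of 'w32tm /query /status' into a table.
    $status = @{}
    foreach ($line in (& w32tm.exe /query /status)) {
        if ($line -match '^(Source|Stratum|Last Successful Sync Time):\s*(.+)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Get-NtpOffsetSeconds {
    # Measure this machine's offset against one server with /stripchart and
    # return the largest absolute offset seen. Data lines look like
    # "12:00:01, +00.0123456s"; header and error lines do not match.
    param([string]$Server, [int]$Samples = 3)
    $offsets = & w32tm.exe /stripchart "/computer:$Server" "/samples:$Samples" /dataonly |
        ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$matches[1]) } }
    if ($null -eq $offsets) { throw "no samples received from $Server" }
    return ($offsets | Measure-Object -Maximum).Maximum
}

if (-not (Test-ManualPeersAppropriate)) {
    throw 'This machine is a domain member but not the PDC emulator; leave it on the domain hierarchy.'
}
Set-NtpClient -Peers $PeerList

$s = Get-NtpStatus
Write-Output "Source: $($s['Source'])  Stratum: $($s['Stratum'])  Last sync: $($s['Last Successful Sync Time'])"
if ($s['Source'] -match 'Local CMOS Clock|Free-running') {
    Write-Warning 'Still on the local clock: the service has not yet synced with any peer.'
}
$off = Get-NtpOffsetSeconds -Server (($PeerList -split ' ')[0])
if ($off -gt $MaxOffsetSeconds) {
    Write-Warning ('Clock is {0:N3}s out; expect this to shrink as w32time converges.' -f $off)
} else {
    Write-Output ('Offset {0:N3}s is within {1}s.' -f $off, $MaxOffsetSeconds)
}
```

On a VM, compare the reported offset with what the hypervisor's time integration service is doing; if both are trying to set the clock you will see it jump rather than converge.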

Allowing RDP on Windows 2012r2 core

On Windows Server 2012r2 core, the firewall is enabled with the public profile on installation, so just enabling RDP in sconfig does not allow RDP access.

You can allow RDP through the firewall with the following netsh command (it runs from cmd or from PowerShell)

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

Alternatively, you can enable RDP and configure the firewall with the following

cscript C:\Windows\System32\SCRegEdit.wsf /AR 0

Disabling IPv6 on Windows 2012 core

One simple PowerShell command:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -PropertyType DWord -Value 0xffffffff
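The two posts above (allowing RDP on core, and disabling IPv6) are both one-line changes, and both are usually done together right after a core install. The following PowerShell script is an added example, not from either post: it does the same two things with the checks and hardening a practitioner would want (it requires Network Level Authentication, scopes the RDP firewall rules to a management subnet, shows which firewall profile the server is actually on, and is safe to rerun because `Set-ItemProperty` overwrites where `New-ItemProperty` would error). The management subnet is a placeholder. For the IPv6 value it defaults to 0xff rather than the post's 0xffffffff, following Microsoft's KB929852 guidance that 0xffffffff adds a five second delay at boot; pass the post's value if you want it.

```powershell
# Added example (not from the original posts): post-install RDP and IPv6
# settings for a 2012r2 core server. Run from an elevated PowerShell prompt;
# the IPv6 change takes effect after a reboot. The management subnet is a
# placeholder to replace with the range your admins connect from.
param(
    [string[]]$ManagementSubnet = @('10.0.0.0/24'),   # placeholder
    [switch]$DisableIPv6,
    [uint32]$DisabledComponents = 0xff                  # post used 0xffffffff; KB929852 recommends 0xff
)
$ErrorActionPreference = 'Stop'

function Enable-RdpAccess {
    param([string[]]$AllowedFrom)
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Turn the listener on (this is what SCRegEdit.wsf /AR 0 sets).
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Require NLA so an unauthenticated client never reaches the logon screen.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    # Open the built-in rule group (the netsh command in the post does this
    # for all profiles) but only for the management subnet, so the public
    # profile the server starts on does not expose 3389 to everyone.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedFrom
    return Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Select-Object DisplayName, Enabled, Profile
}

function Disable-IPv6Components {
    param([uint32]$Value)
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
    # Set-ItemProperty creates the value if missing and overwrites it if
    # present, so unlike New-ItemProperty it does not fail on a second run.
    Set-ItemProperty -Path $path -Name DisabledComponents -Value $Value -Type DWord
    return (Get-ItemProperty -Path $path -Name DisabledComponents).DisabledComponents
}

# Show which profile is active: on a fresh core install this is usually
# Public, which is why enabling RDP in sconfig alone is not enough.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize

Enable-RdpAccess -AllowedFrom $ManagementSubnet | Format-Table -AutoSize

if ($DisableIPv6) {
    $set = Disable-IPv6Components -Value $DisabledComponents
    Write-Output ('DisabledComponents is now 0x{0:x}; reboot to apply.' -f $set)
}
```

After running it, `Test-NetConnection -ComputerName <server> -Port 3389` from a host inside the management subnet should succeed and from anywhere else should fail, which is the check that the scoping actually took effect.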