Tag Archives: 2017

Disabling SMB1 after WannaCry? Make Sure SMB2 is enabled

Published by Rens Hollanders

After recent events in the online world, everybody is in a frenzy patching their servers, disabling SMB1 and removing the feature from Windows 10 and Windows Server 2012 R2 (something that should have been done way, way before). So was I. This week’s priority at the customer I’m working for is entirely dedicated to patching servers (the ones that weren’t patched prior to WannaCry, which was nevertheless a small percentage) and to disabling and removing the SMB1 feature on all machines.

A lot has been written about WannaCry and how to deal with it. The two most helpful articles come from big MS itself: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server, and WannaCrypt attacks: guidance for Azure customers.

After patching and removing the feature (directly, instead of just disabling it first) on a Windows Server 2012 R2 machine, I discovered I couldn’t browse to the server any longer. Each time I opened “\\sctxps-01\d$” (a Citrix Provisioning Services server) I got a message that the server couldn’t be reached:

After searching for some key phrases on Google and finding Microsoft’s recommendations, it struck me. The Set cmdlet “Set-SmbServerConfiguration -EnableSMB1Protocol $false”, which turns SMB1 off, has a Get counterpart (Get-SmbServerConfiguration) that shows the current state of each SMB protocol. And look what we found:

It appeared the SMB1 protocol was still turned on; however, because the feature had been removed from the server entirely, the machine wasn’t reachable any longer through UNC, IP or even localhost. After running “Set-SmbServerConfiguration -EnableSMB2Protocol $true” the server could be reached again.

It appeared someone had configured SMB1 before and turned off SMB2. Now that SMB1 was removed, the server’s SMB shares couldn’t be reached over the network any longer.

So please check your SMB status with Get-SMBServerConfiguration before doing something drastic like removing SMB features. Of course, in an ideal world this would all be planned, with risk and impact analysis etc. But in an ideal world there wouldn’t be any Cryptolockers either.
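The pre-flight check the post recommends, written out as a script. This is an added example, not code from the original post; it assumes Windows Server 2012 R2 or later with the SmbShare cmdlets and an elevated session.

```powershell
# Added example, not from the original post: check the SMB2 state before touching SMB1.
# Assumes Windows Server 2012 R2 (or later) with the SmbShare module; run in an elevated session.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled: $($cfg.EnableSMB1Protocol)   SMB2/3 enabled: $($cfg.EnableSMB2Protocol)"

if (-not $cfg.EnableSMB2Protocol) {
    # This is the state the post describes: removing SMB1 now would leave the server unreachable.
    Write-Warning 'SMB2 is disabled on this server; enabling it before SMB1 is touched.'
    Set-SmbServerConfiguration -EnableSMB2Protocol $true -Force
}

# Re-read the configuration and only proceed when SMB2 is confirmed on.
$cfg = Get-SmbServerConfiguration
if (-not $cfg.EnableSMB2Protocol) {
    throw 'SMB2 could not be enabled; aborting. Do not remove SMB1 on this server.'
}

# Show which dialect current sessions negotiated; a 1.x dialect reveals a client that still
# depends on SMB1 and will break once SMB1 is disabled.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# Step 1: turn SMB1 off (reversible). Step 2, removing the feature, is the drastic step;
# do it only after the sessions above show no 1.x dialect and the server is still reachable.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Remove-WindowsFeature FS-SMB1   # Windows Server 2012 R2; run only after the checks above
```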

Cheers! Rens

MDT – WinPEshl.ini what does it do?

Published by Rens Hollanders

Something I’ve had on my blogroll for a long time, and now I finally found some time to write about it.

This little ini file is very important in the process of MDT doing what it does. As some of you may know, MDT uses a standard WinPE image, which is modified on the fly during the “update deployment share” process, where boot images are generated, drivers embedded, and the wallpaper and extra files are set.

After booting, the WinPE image automatically starts a VB script, which is called with parameters to connect to the deployment share. This all starts with WinPEshl.ini.

After installing the MDT software on your workstation or (management) server, you will find the ini file in a special location: C:\Program Files\Microsoft Deployment Toolkit\Templates.

When you open the file, the contents are as follows:

Now, for instance, let’s say you want something to execute prior to starting the process of connecting to the deployment share. You have some options:

  1. Modify the WinPEshl.ini
  2. Modify the MDT generated boot image after deploymentshare update
  3. Modify the default boot image

The default boot image which MDT uses as the base for the modified MDT boot image can be found in the following two locations:

  1. x64: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us
  2. x86: C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us

In my opinion it is best to stick with modifying the WinPEshl.ini, for several reasons:

  1. It’s traceable: easily documented by stating that such-and-such location is modified with x and y
  2. It’s consistent: if you alter an MDT-generated and updated boot image, you need to do this every single time you completely regenerate the boot images. I believe that when you are merely updating the existing images nothing changes
  3. It’s considerably faster to modify the ini file than to mount a wim image with DISM and apply the customizations there.

So what customizations are we talking about here? Well, I have encountered the following requests:

  1. Running scripts such as setting the DNS suffix priority in a multiple-domain environment
  2. Running scripts to wipe the disk entirely (for particular machines), preventing the “dirty environment found” error pop-up
  3. Running diagnostic tasks, password scripts, etc.

So, to end this: I think WinPEshl.ini is a neat little file that has a huge responsibility in the MDT process, and it can easily be altered to accomplish things that need to happen outside of and before the deployment process takes place.
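Option 1 from the list above (modifying WinPEshl.ini in the Templates folder) as a script. This is an added example, not code from the post or from MDT; it assumes the default MDT install path, that the template’s stock launch line is `%SYSTEMROOT%\System32\bddrun.exe,/bootstrap` (bddrun.exe being what starts the LiteTouch script the post mentions), and a hypothetical `preflight.cmd` added to the boot image through the deployment share’s extra files folder so that it lands under X:\Deploy\Preflight.

```powershell
# Added example, not part of the original post or of MDT: writes a customized WinPEshl.ini
# into the MDT Templates folder so a pre-flight script runs before the deployment process.
# Assumptions: default MDT install path; the template's stock launch line is
# "%SYSTEMROOT%\System32\bddrun.exe,/bootstrap"; preflight.cmd is a hypothetical script
# placed in the boot image through the deployment share's extra files folder (X:\Deploy\Preflight).
$templates = 'C:\Program Files\Microsoft Deployment Toolkit\Templates'
$iniPath   = Join-Path $templates 'WinPEshl.ini'

# Keep a dated backup: the change stays traceable, which is reason 1 in the post.
Copy-Item -Path $iniPath -Destination ('{0}.{1}.bak' -f $iniPath, (Get-Date -Format 'yyyyMMdd-HHmm'))

# WinPEshl.ini format: the [LaunchApps] section lists "path,arguments", one entry per line,
# executed in order. The custom entry goes before bddrun.exe so it completes first.
# If the pre-flight script needs the network (the DNS-suffix case in the post), put
# %SYSTEMROOT%\System32\wpeinit.exe on a line of its own ahead of it.
$content = @'
[LaunchApps]
%SYSTEMDRIVE%\Deploy\Preflight\preflight.cmd
%SYSTEMROOT%\System32\bddrun.exe,/bootstrap
'@
Set-Content -Path $iniPath -Value $content -Encoding Ascii

# Verify, then regenerate the boot images (Update Deployment Share) so the new file is picked up.
Get-Content -Path $iniPath
```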

For more info please see: Winpeshl.ini Files

Cheers! Rens

Activating Adobe Acrobat in a non-persistent environment

Published by Rens Hollanders

So, yeah, recent events at a customer led me to write this article, for my own purposes of documenting what I did and to share it with you to prevent the frustration I’ve encountered.

Let’s just say Adobe isn’t that keen on its software being used in an SBC environment or VDI infrastructure. Or you might say they still have the perception of the traditional stand-alone workspace. (This is just my opinion.)

Using a product such as Adobe Acrobat DC requires activation for every single user that uses it; perhaps you have encountered this before. Upon starting Adobe Acrobat, the program closes itself and you are prompted with the following screen:

To me this is just unfeasible in an SBC or non-persistent environment; I guess that’s why this application gets packaged into Microsoft App-V or VMware ThinApp so often.

But since we didn’t have these tools at our disposal, we needed a different solution. It can be found in adobe_prtk.exe, which is part of the Adobe Provisioning Toolkit.

First of all, we discovered the customer had a single-user license, which will get you nowhere if you want to activate the product for multiple users. Adobe software cannot easily be fooled around with (which is a good thing from an anti-piracy standpoint).

So after a quick chat with Adobe support and the software distributor, the client purchased a volume license based on the English language (since this was cheaper).

Now we were able to activate and stream the license (that’s the way Adobe works) to the machines. To do this we need the following:

  1. The serial number
  2. Grant an offline exception for the product through the Adobe Customization Wizard
  3. Know whether the product is Continuous Track or Classic Track (see here)
  4. License ID or LEID (see here)
  5. The command lines

As I said before, you’ll need a volume license serial number. The track the customer used was “Continuous”, and the accompanying LEID is “V7{}AcrobatESR-12-Win-GM”.

This leads to the following command line for Adobe_PRTK.exe: “adobe_prtk --tool=VolumeSerialize --generate --serial=XXXX-XXXX-XXXX-XXXX-XXXX-XXXX --leid=V7{}AcrobatESR-12-Win-GM --regsuppress=ss --eulasuppress”

As you can see, the Return Code is “0”, which is a good thing. After running the command above, a prov.xml is generated; this file holds the license information. This prov.xml file in turn can be used to stream the activation of Adobe Acrobat to machines that are non-persistent, such as a VDI workspace, Citrix XenApp MCS or PVS, etc.

The command line to use the prov.xml is: “adobe_prtk.exe --tool=VolumeSerialize --provfile="prov.xml" --stream”

Again, if everything is successful the Return Code will be “0”. We have created a job that executes the command line above after every boot or reboot on every machine Adobe Acrobat is installed on.

This resolves the “sign-in required” screen in your user sessions. The activation is machine-based; however, make sure people cannot start Adobe Acrobat more times than you have licenses for.
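The boot-time job described above, as an added example (not code from the post or from Adobe): it runs the stream command, checks for return code 0 and logs the result. It assumes adobe_prtk.exe and the generated prov.xml sit in a hypothetical C:\Deploy\Acrobat folder and that the task runs as SYSTEM; run the script once with -Register in the master image to create the startup task.

```powershell
# Added example, not from the original post or from Adobe: run the prov.xml streaming step
# at every boot and check the return code, as the post's "job" does.
# Assumptions: adobe_prtk.exe and prov.xml are in C:\Deploy\Acrobat (hypothetical path);
# the scheduled task runs as SYSTEM. Run once with -Register to create the task.
param([switch]$Register)

$toolDir = 'C:\Deploy\Acrobat'
$prtk    = Join-Path $toolDir 'adobe_prtk.exe'
$prov    = Join-Path $toolDir 'prov.xml'
$log     = Join-Path $env:windir 'Temp\AcrobatVolumeStream.log'

function Invoke-AcrobatStream {
    foreach ($f in $prtk, $prov) {
        if (-not (Test-Path $f)) { throw "Missing file: $f" }
    }
    # Same command line as in the post; Start-Process -PassThru gives us the tool's return code.
    $p = Start-Process -FilePath $prtk -Wait -PassThru -NoNewWindow `
        -ArgumentList '--tool=VolumeSerialize', "--provfile=`"$prov`"", '--stream'
    return $p.ExitCode
}

if ($Register) {
    # Create a startup task that runs this script (without -Register) as SYSTEM on every boot.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName 'Acrobat-VolumeStream' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

$rc = Invoke-AcrobatStream
"$(Get-Date -Format s) adobe_prtk --stream returned $rc" | Add-Content -Path $log
if ($rc -ne 0) {
    # Non-zero means the license was not applied; users will get the sign-in screen again.
    Write-Error "Acrobat activation stream failed with return code $rc (see $log)"
    exit $rc
}
```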

This resolved the activation issues at the customer. However, there was one oddity which we discovered only recently. If you have supplied alternative languages in the Adobe Acrobat Customization Wizard DC, you will need to purchase and provide a license in the desired language. So if you want a Dutch Acrobat installation, purchase a Dutch license (licenses in other languages appear to be more expensive than native English).

Our software distributor provided an English license because this was cheaper for the client, but when the client switched the desktop from English to Dutch, Adobe needed activation again: the currently streamed license was insufficient and the “sign-in required” screen appeared again. To avoid this, make sure you install only the English language.

After putting the question to the software distributor, the feedback was as follows:

Purchase the language you desire and English is always available; purchase an English-only license and no other language can or may be selected.

Hope you find this useful and it will save you time and energy.

– Something wrong? Did I mess up, talking BS or got another trick up your sleeve? Please let me know in the comment section!

Cheers! Rens