W10 1709 (Fall Creator) unable to make OS Setup package under DSM Frontrange 2016.2 R2 latest updates

W10 1709 (Fall Creators Update) unable to install under DSM Frontrange 2016 R2 latest updates

You are unable to do a SETUPdatei with the Paket Assistant under DSM 2016.2 R2 latest patches 14.11.2017 3844

Unter dem angegeben Verzeichnis-Pfad wurden keine Installationsdateien gefunden.

 

ERROR:

 

WORKAROUND:

Add following on DSM/Frontrange/Enteo Server:

<INIValue>rs3</INIValue>

<INIValue>rs3_release</INIValue>

 

First time in file: \\enteoserver\enteoshare\ OSD\OSSetupTypes \OSSetupTypes.xml

A second time in same file:

Save

Try again

 

 

W10: Enable Remote Management for WMI from Commandline silent

Security related this is turned OFF on W10 all release. You still may need this for Remote Management or testing

Certain things you can't do on the LOCAL client (Like checking process for LOGON Credentials provider with WMI).

Here is how to turn on Windows Remote Management Silent via Commandline on WINDOWS 10.

Screen shows Paessler WMI Tester we use do test certain WMI query.

winrm.cmd quickconfig –q

https://technet.microsoft.com/en-us/library/hh921475%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

 

MCAFEE 5.3.3 Certificate - Cipher Suites TLS problem- Agent does not report back

Mcafee EPO Server 5.3.3 seems to have problems on some older OS like 2008R2 regarding TLS ciphers (We did not see this in 2012R2 to date with our customers). The A-Z sort order of those is the source. This had such an impact that Mcafee did release this info to all customer with SNS-Alert.

This has been a month where we on our side have seen why PKI Engineer has to be Senior and understand all Levels of the full enterprise (Appliance, Software, Hardware etc.) The times where you could slip through that gray zone without really understanding what it does 100% are over. When it comes to Exchange or Sharepoint SAN Certificates to CRL Certificate Revocation list you have to understand what it does.

https://kc.mcafee.com/corporate/index?page=content&id=KB89858

This issue can manifest in many ways including, but not limited to:

  • McAfee Agent Wake Ups and Run Client Task Nows succeeding on the endpoint, but never reporting back status.
  • Drive Encryption activation failures.

The ePO server_servername.log (located in ePO_install_dir\db\log) will include messaging that demonstrates its inability to communicate to the Application Server service, similar to the following:
 

20170918133528 E #05472 MCUPLOAD SecureHttp.cpp(987): Failed to send HTTP request.  Error=12029 (12029)
20170918133528 E #05472 NAIMSERV server.cpp(583): Failed to send request, err=0x80004005, HTTP status code=0
20170918133528 E #05472 NAIMSERV server.cpp(968): Error sending data channel message to application server

 

System Change

Upgraded ePO to 5.3.3.

 

Reorder the ciphers to have the following at the top:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

This is an interesting tool which we used before at ISP's.

www.nartac.com/Products/IISCrypto

 

 

Installshield V6.X, Microsoft APP-V 4.6.x Sequence error

 

ERROR: The installshield engine (ikernel exe) could not be launched interface not registered

FEHLER: Schnittstelle nicht unerstützt

Problem: You are unable to sequence a software setup which comes with Installshield/Flex Version 6 under WIN 7 with APPV 4.6.X sequencer.

 

We just had a case where a producer of a German software still uses Installshield 6 (From 2000 17 years old) to push EVEN

recent client version of their software to customers. The application did work in any older version under APPV. If they would have re-written their code

and use Installshield/Flex products from version 10/11 they could even SUPPLY a APP-V package do their customers. But the full version edition of that suite is around USD 5'000.- so they tend to skip updates ;-)

 

https://www.flexera.com/producer/resources/white-papers/is-appvdevelopers.html

 

Error we had while trying to Sequence Allegion Interflex Client 1.83 which comes with Installshield 6.

 

You tried all:

http://consumer.installshield.com/faq.asp

  • All TEMP Folder at any location %temp% and c:\windows\temp where deleted
  • No running Installshield leftover anywhere
  • Every Installation of any other or older version of Installshield components where removed
  • DCOM Permission for SYSTEM user Set or reverted
  • Windows Installer AUTO / MANUAL State (During or before sequence state changed and reverted)
  • Tried to silent install the Installshield IN the sequencer with .INI Files etc.

 

We stripped down the problem to Installshield 6 setup itself: "IkernelUpdate.exe"

Just the Runtime Part of Installshield which is contained in as sample a setup.exe solution software developers ship their software made with Installshield.

On a complete other second sequencer machine we had the same error on German Windows 7 64BIT SP1 Enterprise.

 

We shortly did investigate in the "LEGO ISLAND 2.ico" and the "T-online\setup.exe" BUT that was contained in every Installshield 6.X Release from all sources. May be some education or test keys. Maybe leftovers?

In days of Ransomware you have to be sure what developer's ship into your box and if they are aware of such things. So we did a procmon and Sandbox analyze of all the files.

However ORIGINAL sample from Installshield/FLEX net from year 2000 had those things too so all fine we guess.

 

 

We did not found any other suspicious information in the setup.exe from the supplier or the IkernelUpdate.exe binary.

 

Solution workaround:

To SEQUENCE an Installshield 6.X supply on APPV 4.6 under Windows 7 64BIT.

  1. Download the Installshield 6 runtime from Flex:

http://support.installshield.com/kb/files/Q108322/IkernelUpdate.exe

  1. Pre Install the IkernelUpdate.exe on your sequencer machine before you sequence!
  2. From that point open the Sequencer and Install the Software which comes with Installshield 6. It will see that the correct version is already installed and skip the check.

     

     

     

 

Microsoft Framework 4.6.1 for W7 WSUS Integration

 

Identify Framework 4.6.1 with Registry Key

https://msdn.microsoft.com/de-de/library/hh925568(v=vs.110).aspx

Blog Framework 4.6.1 WSUS

https://blogs.technet.microsoft.com/wsus/2016/01/20/microsoft-net-framework-4-6-1-coming-to-wsus/

Important: 

  • When you synchronize your WSUS server with Microsoft Update server (or use Microsoft Update Catalog site for importing updates), you will see that there are two updates with .NET Framework 4.6.1 being published for each platform. The difference in the updates is scoped to the different applicability logic for targeting different computers. Please read the details included in the description of the respective update to get more information. We recommend that you import both the updates, if you plan to deploy .NET Framework 4.6.1 in your Enterprise.
    • One of the .NET Framework 4.6.1 updates will install only on computers that have an earlier version such as .NET 4, 4.5, 4.5.1, or 4.5.2 installed
    • The other .NET Framework 4.6.1 update will install on those computers that either have .NET 4.6 installed or no .NET Framework installed.