MSI: The System Administrator has set policies to prevent this installation

Hi everyone

Today I wanted to talk about a problem I ran into on newer Windows Server 2019 hosts in an RD (Remote Desktop) setup.

Some users were having problems with a GPO for software installation (per user).

After some diagnostics I found that on all my 2019 servers the MSI system is now restricted by default.

If you stumble upon this error (the screenshot of the "The System Administrator has set policies to prevent this installation" dialog is not reproduced here),

then you must be like me, and you have a registry value to change.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000000

Now it should work. Keep in mind that this is the value written by the Group Policy setting "Turn off Windows Installer" (Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer): 0 = Never (installer always enabled), 1 = for non-managed applications only, 2 = Always (installer disabled). If a GPO is setting it, a local registry edit is reverted at the next policy refresh, so set the policy to "Not Configured" or "Never" in that GPO instead.
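As an added example (not from the original post), a PowerShell snippet that decodes the DisableMSI value behind the error before writing anything, so you know whether the installer is blocked for everything or only for non-managed installs. The function names are this script's own; it assumes an elevated prompt for the write.

```powershell
# Added example, not from the original post: read and decode the DisableMSI policy value
# behind the "The System Administrator has set policies to prevent this installation"
# error, and reset it to 0 only when it is actually blocking installs.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-MsiPolicyState {
    # Values as defined by the "Turn off Windows Installer" policy.
    $meaning = @{
        0 = 'Never turned off: all installs allowed'
        1 = 'Turned off for non-managed applications only (GPO-deployed packages still install)'
        2 = 'Always turned off'
    }
    $value = (Get-ItemProperty -Path $PolicyKey -Name DisableMSI -ErrorAction SilentlyContinue).DisableMSI
    if ($null -eq $value) {
        return [pscustomobject]@{ Value = $null; Meaning = 'Not configured (installer enabled)'; Blocking = $false }
    }
    [pscustomobject]@{
        Value    = [int]$value
        Meaning  = $meaning[[int]$value]
        Blocking = ([int]$value -ne 0)
    }
}

function Set-MsiPolicyState {
    # Writes the value the post uses (0 = always enabled). Requires an elevated prompt.
    param([ValidateSet(0, 1, 2)][int] $DisableMSI = 0)
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DisableMSI -PropertyType DWord -Value $DisableMSI -Force | Out-Null
    Get-MsiPolicyState
}

# Audit first; only write when something is actually blocking installs.
$state = Get-MsiPolicyState
$state
if ($state.Blocking) {
    Write-Warning "DisableMSI=$($state.Value): $($state.Meaning). Resetting to 0 (find the GPO that sets it, or it will come back at the next refresh)."
    Set-MsiPolicyState -DisableMSI 0
}
```

Run it once on an affected server to see the current meaning; if the value comes back after a gpupdate, the fix belongs in the GPO, not in the registry.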

Windows 10 Enterprise LTSC 2021 is out!

Hi everyone

I wanted to share some news, which is almost one month old, but it's worth noting: the new ISO for LTSC is now out 🙂

It inherits the features of Windows 10 21H2!

Servicing is 5 years for Enterprise LTSC 2021 and 10 years for the IoT Enterprise LTSC 2021 edition. As such I suspect it will be one of the last LTSC versions, as Windows 11 is now here.

What’s new in Windows 10 Enterprise LTSC 2021

Windows 10 release information

Windows RDS | Publishing RADC shortcut on the Desktop (part 2)

Hi

Today I will share a small tip to be more transparent to the users, and thus enhance a tip I already gave in the past, as seen here: Windows 2019 RDS | Publishing RADC shortcut on the Desktop

In my older blog post I was creating a shortcut on the desktop to only the RADC folder from the Start menu.

Today I wanted to be more granular and create a shortcut for each application on the user's desktop. The user experience is greatly enhanced that way.

It takes a handful of GPO preference items, but first we need to get the .ico and .rdp files to use.

Go to a computer that has the RADC feed installed correctly, and navigate to the folder %AppData%\Microsoft\Windows\Start Menu\Programs\Work Resources (RADC)

From there select the shortcut you want to deploy, like Word, and open its Properties.

In the Properties window, check the path in the Target field: that is where our .rdp and .ico are. The shortcuts created are just mstsc.exe "path\to\local profile\...". It should be a path like %AppData%\Microsoft\Workspaces\{….-….-….-….}\Resource\Word.rdp (note that %AppData% already resolves to the Roaming folder).

Copy the .rdp you want and the associated .ico, which is cached there too.

I usually copy them to a folder that all computers can read, like a subfolder in NETLOGON (readable by every domain member, writable only by administrators by default, which is what you want for a file users will launch).

From there we start our GPO.

1. Create a GPO, in my example "RADC – Desktop Word shortcut".

2. Create a File preference item to copy the .rdp, under User Configuration > Preferences > Windows Settings > Files. The source is like \\dc\netlogon\source\Word.rdp; the destination is an administrative folder on the computer, like C:\it\Word.rdp.

3. Create a File preference item to copy the .ico, with the same source and destination folder as the previous one.

4. After that we create a Shortcut preference item, also under Preferences (Windows Settings > Shortcuts).

We use %DesktopDir%\Word as the name, File System Object as the target type, C:\it\Word.rdp as the target path, and C:\it\Word.ico as the icon file path.

I copy the files for a reason: if your DC becomes unavailable for a short period, it is more robust to have the files locally and point the shortcut at those local copies than at the share. Make sure C:\it is not writable by standard users, since the shortcut launches whatever .rdp is in there and a tampered file could silently send users to another host; user-side preference items are processed in the SYSTEM context by default, so the copy still works with that ACL.

5. After that we apply the same security filtering to this GPO as the group you make Word visible to (User Assignment) in the RADC console.

Voilà, the shortcut should be easily visible after that. It's more work at the start, but after that there are fewer calls about where to find the resource, in my opinion.
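The same copy-and-shortcut steps as a PowerShell script, added here as an example and not part of the original post's GPO. The share \\dc\netlogon\source, the local folder C:\it and the "Word" app come from the post; the function names, the hash comparison and the fallback icon are this script's own. It assumes the account running it may write to C:\it (for example from a scheduled task), which is the same assumption the GPO route makes when preference items run as SYSTEM.

```powershell
# Added example, not the original post's GPO: refresh the local .rdp/.ico copies from the
# share when they changed, keep the last good copy when the share is unreachable, and
# create one desktop shortcut per published application.
param(
    [string]   $Source   = '\\dc\netlogon\source',   # from the post; assumed readable by all
    [string]   $LocalDir = 'C:\it',                  # from the post; keep it non-writable for users
    [string[]] $Apps     = @('Word')
)

function Copy-IfChanged {
    # Refresh $To from $From only when it is missing or differs (SHA-256). If the share is
    # unreachable, return $false and leave the last good local copy alone.
    param([string] $From, [string] $To)
    if (-not (Test-Path -LiteralPath $From)) { return $false }
    if (Test-Path -LiteralPath $To) {
        $src = (Get-FileHash -LiteralPath $From -Algorithm SHA256).Hash
        $dst = (Get-FileHash -LiteralPath $To   -Algorithm SHA256).Hash
        if ($src -eq $dst) { return $true }
    }
    Copy-Item -LiteralPath $From -Destination $To -Force
    return $true
}

function New-RadcDesktopShortcut {
    # Desktop shortcut that opens the local .rdp (mstsc via the file association) with the
    # cached RemoteApp icon; no shortcut at all if the .rdp is not on disk yet.
    param([string] $App, [string] $Dir)
    $rdp = Join-Path -Path $Dir -ChildPath "$App.rdp"
    $ico = Join-Path -Path $Dir -ChildPath "$App.ico"
    if (-not (Test-Path -LiteralPath $rdp)) { return $null }
    $lnkPath = Join-Path -Path ([Environment]::GetFolderPath('Desktop')) -ChildPath "$App.lnk"
    $icon = if (Test-Path -LiteralPath $ico) { "$ico,0" } else { "$env:SystemRoot\System32\mstsc.exe,0" }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath   = $rdp
    $lnk.IconLocation = $icon
    $lnk.Description  = "RemoteApp: $App"
    $lnk.Save()
    return $lnkPath
}

if (-not (Test-Path -LiteralPath $LocalDir)) {
    New-Item -ItemType Directory -Path $LocalDir | Out-Null
}
foreach ($app in $Apps) {
    foreach ($ext in 'rdp', 'ico') {
        $from = Join-Path -Path $Source   -ChildPath "$app.$ext"
        $to   = Join-Path -Path $LocalDir -ChildPath "$app.$ext"
        if (-not (Copy-IfChanged -From $from -To $to)) {
            Write-Warning "$app.$ext not refreshed from $Source (share unreachable?); keeping the local copy"
        }
    }
    New-RadcDesktopShortcut -App $app -Dir $LocalDir
}
```

The hash check is what makes the "copy locally" idea safe to re-run at every logon: an unreachable share produces a warning and an unchanged shortcut rather than a broken one.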

Thanks for reading

Push Acrobat Reader via GPO

Hi everyone

Today I will share the steps necessary to push Acrobat Reader by GPO if you need it in your environment.

You can download the latest Acrobat Reader installer for offline installation.

For that, go to the enterprise portal: https://get.adobe.com/fr/reader/enterprise/

After that you need to extract the .exe, as a Software Installation GPO needs a .MSI.

Open a command prompt where your download is, and type a command like this:

AcroRdrDCxxxxxxxxxx_en_US.exe -sfx_o"C:\Temp\Acrobat" -sfx_ne

After that we have our folder with the correct files. Copy it where your computers can access it. I tend to use a NETLOGON subfolder on my side, but it can be anywhere.

The next step is to modify the .MST to include the correct options. For that you need the Acrobat Customization Wizard, available here: https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/index.html (Direct download: https://ardownload2.adobe.com/pub/adobe/acrobat/win/AcrobatDC/misc/CustWiz2000920067_en_US_DC.exe)

With the wizard, open the .MST that you have in the folder where you extracted the data (C:\Temp\Acrobat in my example).

In the first section I check the option to accept the EULA on the users' behalf, and in the Installation Options section I select a silent installation, since the GPO installs per machine with nobody at the keyboard to click through. Click Save.

Now we need to create the GPO: under Computer Configuration > Policies > Software Settings > Software installation, add a new package, choose the Advanced deployment method, point it at your Acrobat .MSI, then go to the Modifications tab and add the .MST.

Make sure the other files from the download (the .cab, the setup files and the .msp patch) are in the same folder as the .MSI. Note that Software Installation installs the .MSI only: the cumulative .msp that ships in the package is not applied, so either slipstream it into an administrative install point (msiexec /a on the .MSI, then msiexec /a on the resulting .MSI with /p pointing at the .msp) or accept that clients get the base version rather than the one you downloaded and must patch it afterwards.

After that it should work 🙂
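An added example, not from the original post, that scripts the unpack step and then builds an administrative install point with the package's patch slipstreamed in, so the GPO deploys the Reader version that was actually downloaded. Assumptions: the installer name is passed in (the post only gives the AcroRdrDCxxxxxxxxxx_en_US.exe placeholder), the .msi/.msp/.mst names are discovered in the extracted folder rather than hard-coded, and \\dc\netlogon\Acrobat is an example share every computer can read.

```powershell
# Added example, not from the original post: verify the download, unpack it with the
# post's switches, build an administrative install point and slipstream the .msp into it.
param(
    [Parameter(Mandatory = $true)] [string] $Installer,   # e.g. .\AcroRdrDCxxxxxxxxxx_en_US.exe
    [string] $Extract    = 'C:\Temp\Acrobat',             # from the post
    [string] $AdminPoint = '\\dc\netlogon\Acrobat'        # assumed share readable by all computers
)

function Invoke-Msiexec {
    # Run msiexec synchronously and fail loudly on a non-zero exit code.
    param([string[]] $Arguments)
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "msiexec $($Arguments -join ' ') exited with $($p.ExitCode)" }
}

# 1. Check the download before executing it: Adobe ships Authenticode-signed installers.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Adobe') {
    throw "Not running $Installer : signature status $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
}

# 2. Unpack with the same switches as the post (-sfx_o = output folder, -sfx_ne = do not
#    run the extracted setup).
Start-Process -FilePath $Installer -ArgumentList "-sfx_o`"$Extract`" -sfx_ne" -Wait -NoNewWindow

$msi = Get-ChildItem -Path $Extract -Filter '*.msi' | Select-Object -First 1
if (-not $msi) { throw "No .msi found in $Extract" }
$msp = @(Get-ChildItem -Path $Extract -Filter '*.msp')
$mst = @(Get-ChildItem -Path $Extract -Filter '*.mst')

# 3. Administrative install point. Software Installation deploys the .msi only, so the
#    cumulative .msp that ships in the package is slipstreamed into the admin image here.
Invoke-Msiexec -Arguments @('/a', "`"$($msi.FullName)`"", '/qn', "TARGETDIR=`"$AdminPoint`"")
$adminMsi = Join-Path -Path $AdminPoint -ChildPath $msi.Name
foreach ($patch in $msp) {
    Invoke-Msiexec -Arguments @('/a', "`"$adminMsi`"", '/p', "`"$($patch.FullName)`"", '/qn')
}

# 4. Keep the transform (edit it with the Customization Wizard first) beside the .msi so
#    the GPO's Modifications tab can reference both from the same share.
$mst | Copy-Item -Destination $AdminPoint -Force

# What the GPO should point at.
[pscustomobject]@{
    Package   = $adminMsi
    Patches   = ($msp | ForEach-Object Name) -join ', '
    Transform = ($mst | ForEach-Object { Join-Path -Path $AdminPoint -ChildPath $_.Name }) -join ', '
}
```

The signature check is the cheap supply-chain step people skip: it fails closed if the file was swapped on the way from the portal, and it costs nothing once per package.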

GPP for Printers and print driver / Mapping problem, part 2

Hi everyone

In my last post I talked about the print driver restriction, but you can fall into another case, where the computers are not updated at all, which causes a different problem: they cannot connect to the printer share at all.

This may happen for several reasons, like LTSC/LTSB IoT devices that are restricted from Windows Update, or older OSs.

The registry value to set on your print server, until you remediate the problem by patching the clients, is RpcAuthnLevelPrivacyEnabled:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print

RpcAuthnLevelPrivacyEnabled (DWORD) set to 0.

Keep in mind that this turns the CVE-2021-1678 hardening off on the print server for every client, not only the unpatched ones, so treat it as temporary and put it back to 1 as soon as the clients have the January 12, 2021 (or later) update. Microsoft documents the two values as follows:

1: Enables Enforcement mode. Before you enable Enforcement mode for server-side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix increases the authorization level for printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server-side to enforce the client to use the new authorization level if Enforcement mode is applied. If the client device does not have the January 12, 2021 security update or a later Windows update applied, the printing experience will be broken when the client connects to the server through the IRemoteWinspool interface.

0: Not recommended. Disables the increase authentication level for printer IRemoteWinspool, and your devices are not protected.

Reference: Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)

GPP for printers and print driver / Mapping problem

Hi everyone

Following KB5005652 from Microsoft, which addresses a security flaw (CVE-2021-34481) by no longer letting standard users install print drivers through Point and Print, it is now reported that some GPP printer items fail to map the printer.

If it causes problems, a registry value can be changed to allow the mapping and driver installation again.

Keep in mind that this registry value does not need a restart, so it can be enabled and disabled easily in your GPO sequence.

The registry value is: RestrictDriverInstallationToAdministrators

The location is: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

You need to set it to 0 (DWORD).

It can be scripted that way too (0 relaxes the restriction; the original post's command had /d 1 here, which would re-enable it):

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f

You can put it back to 1 after your last GPP has applied. While it is 0, standard users can install any driver a print server offers, which is exactly what KB5005652 closes, so keep that window short. The longer-term fix is to pre-stage the drivers as an administrator (for example with pnputil /add-driver, or an up-to-date driver store image) so the GPP mapping no longer needs an installation at all.
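An added example, not from either of the two printer posts, that audits and toggles the two values they describe: the client-side RestrictDriverInstallationToAdministrators (KB5005652, this post) and the print-server RpcAuthnLevelPrivacyEnabled (KB4599464, part 2). The value meanings come from those KBs; the function names and the "relax, apply the GPP, restore" flow are this script's own.

```powershell
# Added example, not from the posts: audit and toggle the Point and Print hardening values
# (client) and the IRemoteWinspool RPC authentication level enforcement (print server).
$PrintHardening = @(
    [pscustomobject]@{
        Role   = 'Client'
        Key    = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
        Name   = 'RestrictDriverInstallationToAdministrators'
        Secure = 1
        Risk   = 'standard users can install any print driver a print server offers (CVE-2021-34481)'
    }
    [pscustomobject]@{
        Role   = 'PrintServer'
        Key    = 'HKLM:\System\CurrentControlSet\Control\Print'
        Name   = 'RpcAuthnLevelPrivacyEnabled'
        Secure = 1
        Risk   = 'IRemoteWinspool accepts the old, lower RPC authentication level (CVE-2021-1678)'
    }
)

function Get-PrintHardeningState {
    # One row per setting: the current value and what it means right now.
    foreach ($s in $PrintHardening) {
        $v = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($null -eq $v)         { $state = 'Not configured (OS default; depends on patch level, see the KB)' }
        elseif ($v -eq $s.Secure) { $state = 'Hardened' }
        else                      { $state = "Relaxed: $($s.Risk)" }
        [pscustomobject]@{ Role = $s.Role; Name = $s.Name; Value = $v; State = $state }
    }
}

function Set-PrintHardening {
    # -Relax writes 0 (the temporary workaround from the posts); without it the secure value
    # is written back. Needs an elevated prompt. No reboot is required; restart the Spooler
    # service if a change does not seem to take effect.
    param(
        [Parameter(Mandatory = $true)] [ValidateSet('Client', 'PrintServer')] [string] $Role,
        [switch] $Relax
    )
    $s = $PrintHardening | Where-Object { $_.Role -eq $Role }
    $value = if ($Relax) { 0 } else { $s.Secure }
    if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $value -Force | Out-Null
    if ($Relax) { Write-Warning "$($s.Name)=0 on this $($Role): $($s.Risk). Set it back once the GPP/clients are sorted." }
    Get-PrintHardeningState | Where-Object { $_.Role -eq $Role }
}

# Typical sequence around a GPP printer item on a client:
#   Set-PrintHardening -Role Client -Relax     # let the mapping install its driver
#   gpupdate /target:user /force               # apply the GPP printer items
#   Set-PrintHardening -Role Client            # close the window again
Get-PrintHardeningState
```

Run Get-PrintHardeningState on both sides after the remediation: a "Relaxed" row that survives the rollout is the thing these two posts are warning about.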

Thanks

Modern Authentication for office on older OS (Windows 2008R2 or 7)

Hi

Today I saw some reports, and I tested with some older OSs, and modern authentication now seems broken.

I wanted to discuss it, as not many sites talk about the issue.

In my tests any Office version supported for O365 is impacted, so it really targets the underlying OS.

The issue is that a blank window appears, and it never loads the content to authenticate.

I attached a screenshot of the error (not reproduced here).

Some older posts from last year talk about the ADAL registry key, but touching it just removes the blank window, so it is of no use.

In my case I migrated those systems to a newer OS and now it works well, but I just wanted to share the bug in case you fall into it.

Thanks

Windows 11 ISO now available!

Hi everyone

Good news: Microsoft has now released the first set of ISOs for Windows 11 (Insider Preview build 22000.132).

Please see here for the link: Announcing Windows 11 Insider Preview Build 22000.132

To quote the article, the new changes added are:

Chat from Microsoft Teams is now available for Windows Insiders in the Beta Channel. We’re also excited to begin rolling out one-to-one and group audio and video calling, with many of the features that you’ve come to expect. You can create and join meetings. You can toggle your microphone and camera on or off and choose your preferred speakers, mic, and camera with device settings. You can manage meeting information and options. You can share your screen, see the roster of participants, admit meeting participants from the lobby, chat and see people’s video in a gallery view. We’re excited to bring this experience to a growing network of people!

The new Snipping Tool for Windows 11, updated Calculator app, and updated Mail and Calendar apps are rolling out to Windows Insiders in the Dev Channel – see this blog post here for details!

Thanks