Packer – Vmware Tools + Windows Server + VMTools service not installing correctly

I had a frustrating issue with Packer, specifically with VMware Tools installation.

During the Packer install, I load up a script and have VMware Tools 12.1.5 installed. It seems to install successfully, But I noticed that the VMTools service is not running. I have to re-run setup64.exe via the GUI and do a repair, then I see the service exist and runs, and Packer can discover the IP address of the VM to finish it.

The Solution

I used a older autounattend.xml which i never checked the time zone.
Setting the correcting time zone the trick:

<TimeZone>W. Europe Standard Time</TimeZone>

Important information before upgrading to vSphere 6.7 (KB53704)

This article provides important documentation and upgrade information that must be reviewed before upgrading to vSphere 6.7.


Resolution


Compatibility considerations

TLS protocols

These products are not compatible with vSphere 6.7 at this time:

  • VMware NSX
  • VMware Integrated OpenStack (VIO)
  • VMware vSphere Integrated Containers (VIC)
  • VMware Horizon

Environments with these products should not be upgraded to vSphere 6.7 at this time. This article and the VMware Product Interoperability Matrixes will be updated when a compatible release is available.

Upgrade Considerations

Before upgrading your environment to vSphere 6.7, review these critical articles to ensure a successful upgrade
For vSphere

Upgrades to vSphere 6.7 are only possible from vSphere 6.0 or vSphere 6.5. If you are currently running vSphere 5.5, you must first upgrade to either vSphere 6.0 or vSphere 6.5 before upgrading to vSphere 6.7.

For vCenter Server

For Distributed Virtual Switches

RVtools 3.10 Released

Version 3.10 (February, 2018)
– Upgraded RVTools solution to Visual Studio 2017
– Upgraded RVTools to .Net Framework version 4.6.1
– Upgraded Log4net to version 2.0.8, Waffle.AD to version 1.8.3
and NPOI to version 2.3.0
– Connection error when TLSv1.0 and TLSv1.1 are disabled and only TLSv1.2 is
enabled is solved by using .Net Framework 4.6.1
– vInfo tab page new columns: The latency-sensitivity setting of the virtual
machine, Change Block Tracking (CBT) and disk.EnableUUID values
– vDisk tab page new columns: SCSI label, unit number and sharedBus
– vHost tab page new columns: Assigned License(s), ATS heartbeat, ATS locking
values. 0 = disabled 1 = enabled, Host Power Policy shortname, CPU Power
Management current policy and CPU power hardware support
– When Export to xlsx is executed a metadata worksheet with version number of
RVTools and date time stamp is added to the output xlsx file
– All columns in the RVTools export xlsx file(s) now have a filter
– When export to csv newline characters are replaced by spaces
– When started from cli and login fails an error message and login box was
displayed. Now RVTools will exit with exit code -1, without showing the error
message and login form.
– Added an example PowerShell script with which you can merge RVTools export
xlsx files
– Added a example PowerShell script to start Export all to xlsx for multiple vCenters
– vDatastore tab page: For NFS datastores the address column is now filled with
remote host and path info
– vDatastore tab page new columns: Datastore Cluster Name, Cluster capacity and
Cluster free space
– The upper limit on the Health check for number of VMs on a datastore is now
9999
– vHealth tab page: new column “message type” which can be used as a filter in
Excel
– vHealth tab page: hbrdisk.RDID files are no longer reported as possible zombie
files
– vHealth tab page: low disk space messages no also show the free space in MB.
– All tab pages: Refresh or auto-refresh will respect your sort order
– CLI export2xls parameters changed to export2xlsx (old parameter will still work)
– Bug Fix: invalid “Horizontal Alignment” value in xlsx style sheet.
– Bug Fix: Calculation of total snapshot size was not always correct
– Bug Fix: Child snapshot hierarchy was not always correct
– Default installation directory is changed to C:\Program Files
(x86)\RobWare\RVTools without the version number

Documentation

Download

New MVA learning paths for IT pros

Learn about the new paths for IT pros:

  • PowerShell: Beginner. Step up your IT pro game with foundational knowledge of PowerShell. Learn to use the command line to solve an issue, automate your infrastructure, and more.
  • PowerShell: Advanced. Go beyond the basics with scripting, reusable tools, and cmdlets—all taught by the architect and inventor of PowerShell, Jeffrey Snover.
  • Security for IT Pros. Beef up your security know-how with practical tips and tricks from the Microsoft security team.
  • DevOps for IT Pros. Your devs need you! Learn more about application performance and support monitoring with Microsoft Azure.
  • Introduction to Windows Server 2012 R2. Command this leading-edge server with tutorials on installation, roles, Microsoft Active Directory, storage, performance management, and maintenance.
  • Windows Server 2012 R2 Security and Identity. Build upon your security knowledge with Windows Server 2016 fundamentals, like Active Directory, basic PKI, and BYOD concepts.
  • Windows Server 2012 R2 Compute. Discover everything you need to know about virtualization and storage with courses on IP address management, server networking, Microsoft Hyper-V, and more.

Windows ADK 1703 and Windows 10 Creators Update 1703

Introduction

Microsoft have released both Windows 10 version 1703 and ADK 1703 last week, one is on MSDN the other on Microsoft’s download site.

Download the media

Two Know Issues:
OSD – App-V tools are missing in ADK 1703 when being installed on Windows Server 2016 (sometimes)

OS Deployment – Installing ADK 1703 on Windows Server 2016 could fail

End of DirSync and AAD Sync Support

Last week marks the end of support for the legacy synchronization tools which are used to connect on-premises Active Directory to Office 365 and Azure AD.  Specifically Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are the tools which are transitioning out of support at this time.  Note also that version 1.0  of Azure Active Directory (AAD Connect) is also transitioning of support.  The tools were previously marked as depreciated in April 2016.

The replacement for the older synchronization tools is Azure Active Directory Connect 1.1.  Customers must have this version of AAD Connect deployed. This is the tool which is being actively maintained, and receives updates and fixes.

Azure AD will no longer accept communications from the unsupported tools as of December 31st 2017.

If you do need to upgrade, the relevant documentation is below:

Upgrade from DirSync

Upgrade from Azure AD Sync

RVTools 3.9.3 vSphere 6.5 Supported

Version Info

Version 3.9.3 (March, 2017)

  • Bug fix: unhandled exception in decrypt function solved

Version 3.9.2 (February, 2017)

  • Migrated RVTools to use .NET Framework version 4
  • Migrated RVTools to use NPOI 2.1.3.1
  • Support for vSphere 6.5
  • Improved logon performance
  • RVTools will no longer write messages to the Windows eventlog
  • All VM related tab pages now have a new column: OS according to the VMware Tools
  • All tab pages now have a new column: VI SDK Server
  • All tab pages column vCenter UUID renamed to VI SDK UUID
  • vInfo tab page: new column VI SDK API version
  • Export to Excel will now use xlsx format
  • Export to Excel all columns are now auto sized
  • Excel worksheet names will use same name as the tab page names
  • Annotations fields can now be excluded! See preference window
  • vPartition tab page new column: Consumed MB
  • vHealth _replica directories are excluded for zombie checks
  • *_sesparse.vmdk files are excluded for zombie checks
  • New tab page with license information
  • New PasswordEncryption application added with which you can encrypt your password
  • RVTools command line interface accepts now encrypted passwords
  • Bug fix: URL Link to online version info issue solved.

http://www.robware.net/rvtools/

Keeping WSUS Happy using PowerShell

Some time ago i found a great WSUS cleanup script. I used this at my demo lab and customer sites. WSUS need a little help Winking smile

  • Someone need to deny all patches that are superseeded, this does not happen automatically.
  • Someone needs to cleanup old content, computers, patches and such, this does not happen automatically.
  • Someone needs to care for the database, this does not happen automatically.

https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint

image

The script will do the following

Connect to a database

you might need to change this in the script.

#For Windows Internal Database, use $WSUSDB = ‘\\.\pipe\MICROSOFT##WID\tsql\query’
#For SQL Express, use $WSUSDB = ‘\\.\pipe\MSSQL$SQLEXPRESS\sql\query’

Get the Superseeded Updates

Here is the Posh that fixes that:

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value ‘None’ -Verbose
$SuperSeededUpdates | Deny-WsusUpdate –Verbose

Cleanup WSUS

We run each step sepratly, however, you can change that and run everything in one line…

Cleanup the DB

Last part runs sqlcmd using a .SQL file from MSFT Gallery, and yes, you can download and install the PowerShell tools for SQL and use that instead. Most of your customers dont have thoose tools installed, so sqlcmd.exe it is

Source: https://deploymentbunny.com/2016/02/03/working-in-the-datacenter-keeping-wsus-happy-using-powershell/

The Windows Server Update Services console gives Unexpected Error after KB3159706

The Windows Server Update Services console gives Unexpected Error after KB3159706

Solution:
Manual steps required to complete the installation of this update

  1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume “C” as the system volume):
    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
  2. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

    HTTP activation

  3. Restart the WSUS service.

If SSL is enabled on the WSUS server

  1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
    takeown /f web.config /a
    
    icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f
  2. Locate the Web.Config file in the following path:
    C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config
  3. Make the following changes in the file.

    Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.

    <services>
              <service
                    name="Microsoft.UpdateServices.Internal.Client"
                    behaviorConfiguration="ClientWebServiceBehaviour">
                   <!-- 
                      These 4 endpoint bindings are required for supporting both http and https
                    -->
                    <endpoint address=""
                            binding="basicHttpBinding"
                            bindingConfiguration="SSL"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address="secured"
                            binding="basicHttpBinding"
                            bindingConfiguration="SSL"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                   <endpoint address=""
                            binding="basicHttpBinding"
                            bindingConfiguration="ClientWebServiceBinding"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
                    <endpoint address="secured"
                            binding="basicHttpBinding" 
                            bindingConfiguration="ClientWebServiceBinding"
                            contract="Microsoft.UpdateServices.Internal.IClientWebService" />
              </service>
        </services>
  4. Add the multipleSiteBindingsEnabled=”true” attribute to the bottom of the Web.Config file, as shown:
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
    </system.serviceModel>

https://support.microsoft.com/en-us/kb/3159706

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Translate »