Office 2010 Professional Plus fails with unexpected restart on Windows XP

The Situation

Office 2010 Professional Plus (32-bit) deployed to Windows XP Professional Service Pack 3 (32-bit) clients with System Center Configuration Manager (SCCM) 2007 R2 (64-bit). Office 2010 configured with Office Customization Tool (OCT) according to Microsoft guidelines.

The Problem

Upon completion the installation would initiate a forced reboot without prompting the user or giving any warning. After the reboot the Office 2010 installation would continue, but since it already completed before the reboot, this would be interpreted as a modification, prompting the user to select Add/Remove components, change product key etc. This, however, was not visible to the user since the program was configured to run without user interaction in SCCM. The result was that the Configuration Client (CcmExec) would wait for setup.exe for the maximum allowed run time and then terminate setup.exe, logging the installation as a failure. The whole process looked like this in the SCCM Advertisement Status report:

Time              Message State Name  Message Name                         Message ID  Record ID
10.11.2011 12:37  Accepted            Program received                     10002       1164453
10.11.2011 12:37  Waiting             Waiting for content                  10035       1164454
10.11.2011 12:54  Running             Program started                      10005       1164461
11.11.2011 08:24  Failed              Program failed (unexpected restart)  10021       1165171
11.11.2011 08:29  Running             Program started                      10005       1165174
11.11.2011 13:28  Failed              Program failed (run time exceeded)   10070       1165445

Screenshot from SCCM

At 11.11.2011 08:29 Office 2010 restarts the installation after the reboot, even though it actually succeeded before the reboot, and the reboot is just to complete the installation. This is interpreted as a modification to the existing install and setup.exe prompts the user for what modifications to make. The user cannot see this, however, because he cannot interact with the program. CcmExec lets setup.exe run until the max run time is reached and then terminates setup.exe (11.11.2011 13:28) logging the install as a failure.

The Office 2010 setup log, located in %systemroot%\System32\Temp, indicates that the install is successful, but that a restart is needed.

The Solution

To work around this problem it is necessary to suppress the reboot. This is done by adding the following to the MSP file in OCT (or the equivalent to config.xml):

image

With this setting in the MSP file the installation of Office 2010 will not be “fooled” by its own restart and complete successfully. You will first receive a status of Program completed successfully (reboot pending), until you initiate a restart on your own. After this restart the status will change to Program completed with success. Office 2010 seems to be fully functional even without performing this restart immediately, but the advertisement status in SCCM will not change until you restart.

Notes

Reports from others who have experienced similar issues indicate that the forced restart only happens on Windows XP computers, not Windows 7. I have not tested this myself.

OEM/BIOS Activating a Lenovo X1

I wanted to reinstall a Lenovo X1 portable computer. While preparing to wipe the machine I used ProduKey from NirSoft to extract the product keys for the installed software. This particular machine was sold with an OEM license, for which the product key was affixed under the machine. I quickly noticed that the key printed on the label did not match the one extracted from the machine with ProduKey. That meant that the machine was BIOS or OEM activated.

I now had two choices; I could bring the OEM activation with me over to my new install or just use the key printed on the sticker. The last option would have been the easiest, but that’s not how I roll. So how to “extract” the OEM activation?

A friend of mine had previously gone through just this scenario with a bunch of HP machines so I knew that the activation was dependent on a digital certificate, distributed by Lenovo with the machine and signed by Microsoft. Unfortunately the certificate file had been deleted by Lenovo setup. But the Lenovo recovery partition (Q:) included a WIM file called cdrivebackup.wim. This WIM was used by the recovery system to reinstall the machine in the event a failure occurred. It probably included the needed certificate. But first I had to make the contents of the recovery partition visible so I could easily copy the files to another computer and mount the WIM. This was accomplished by these two commands:

  • echo y | icacls "Q:\*" /grant Administrators:F /T
  • attrib -R -A -S -H "Q:\*" /S /D

I then copied the entire contents of the Q drive to a memory stick and mounted the WIM with DISM on another computer:

  • dism.exe /Mount-Wim /WimFile:h:\LenovoRecovery\FactoryRecvery\cdrivebackup.wim /index:1 /MountDir:D:\wimmount /ReadOnly

Now it was time to try and find the certificate (software license certificates have an xrm-ms extension):

  • dir d:\wimmount\*.xrm-ms /s

This command yielded many files, but only the one called lenovo.xrm-ms in d:\wimmount\swwork\OEM was of interest. I copied the file to a memory stick and proceeded to wipe the machine and reinstall Windows 7. After Windows 7 was installed I created a new folder under %windir%\system32\oem and copied the certificate into it. Now I could install the certificate and product key:

  • cscript %windir%\system32\slmgr.vbs -ilc %windir%\system32\oem\lenovo.xrm-ms
  • cscript %windir%\system32\slmgr.vbs -ipk 237XB-GDJ7B-MV8MH-98QJM-24367

Now, the product key is kind of interesting. This key will be accepted as a valid key by Windows, but will not be able to activate the machine without the certificate file. It’s kind of like a KMS client key, but instead of a KMS Host it needs a certificate. As far as I can tell this key is Lenovo specific so I hope I haven’t infringed on any copyrights etc. by posting it here.

Morgan

Poor sound quality in Spotify

I love Spotify, but recently I have been plagued by poor sound quality. Specifically I experienced clipping, popping and variations in volume level during playback. As far as I could tell this affected all the songs I played in Spotify. At first I thought the problem was specific to Spotify, but after doing some tests with Grooveshark and Windows Media Player I discovered that the problem affected all apps playing sound. After a little digging I discovered a workaround for the problem.

Open the Sound properties:

image

Select Properties for the Default Device, then select the Enhancements tab:

image

Select Disable all enhancements. If you are playing music it will momentarily pause and then continue, hopefully (as it did for me) with now crystal clear quality.

Happy listening!

Last.FM profile: www.last.fm/user/morgands

Morgan

Script to install Remote Server Administration Tools (RSAT) for Windows 7 with Service Pack 1

Here is a quick script to just install, or install and enable, the Remote Server Administration Tools (RSAT) for Windows 7 with Service Pack 1. I created it for use with the software deployment functionality in System Center Configuration Manager, but it is not limited to that.

' InstallRSAT.vbs
' v 1.0 (15.06.2011)
' by Morgan Simonsen, Atea
' 
' Detects system architecture, and installs and enables RSAT for Windows 7 with SP1, depending on submitted arguments.
'
' Usage:
' InstallRSAT.vbs </Install|/InstallAndEnable>
'
' /Install: just install RSAT, must be manually enabled
' /InstallAndEnable: install and enable RSAT (all components)
'
' If no arguments are submitted; /Install will be used.
'
' Arguments are CASE SENSITIVE!!!
 
'Enable/disable debugging
strDebug = 0
 
Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
'Get script arguments
Set objArgs = WScript.arguments
 
If objArgs.Count = 0 Then
    ' No arguments submitted, defaulting to install (and not enable)
    strInstallAction = "/Install"
Else
    strInstallAction = objArgs.item(0)
    Select Case strInstallAction
        Case "/Install"
            'Install action selected
        Case "/InstallAndEnable"
            'InstallAndEnable action selected
        Case Else
            'Invalid argument submitted; quitting!
            WScript.Quit 1
    End Select
End If
 
strScriptPath = objFSO.GetParentFolderName(WScript.ScriptFullName)
 
'Determine CPU Architecture
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 
Set colProcessors = objWMIService.ExecQuery("Select * from Win32_Processor")
For Each objProcessor in colProcessors
    strProcessorArchitecture = objProcessor.Architecture
Next
 
'strProcessorArchitecture = objWSHShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
strWinDir = objWSHShell.ExpandEnvironmentStrings("%WINDIR%")
 
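strWUSA = strWinDir & "\system32\wusa.exe"
strDISM = strWinDir & "\system32\dism.exe"
'Package paths are quoted so a script folder containing spaces still works
strx86Package = Chr(34) & strScriptPath & "\Windows6.1-KB958830-x86-RefreshPkg.msu" & Chr(34)
strx64Package = Chr(34) & strScriptPath & "\Windows6.1-KB958830-x64-RefreshPkg.msu" & Chr(34)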
 
Select Case strProcessorArchitecture
    Case "0"
        'Win32_Processor.Architecture 0 = x86
        strProcessorArchitectureHumanReadable = "x86"
        strLogFile = chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
        objWSHShell.Run (strWUSA & " " & strx86Package & " /quiet /norestart /log:" & strLogFile),0,True
        If strInstallAction = "/InstallAndEnable" Then
            Call EnableRSAT()
        End If
    Case "9"
        'Win32_Processor.Architecture 9 = x64
        strProcessorArchitectureHumanReadable = "x64"
        strLogFile = chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
        objWSHShell.Run (strWUSA & " " & strx64Package & " /quiet /norestart /log:" & strLogFile),0,True
        If strInstallAction = "/InstallAndEnable" Then
            Call EnableRSAT()
        End If
    Case Else
        'Unknown architecture; quitting!
        WScript.Quit 1
End Select
 
Function EnableRSAT()
            objWSHShell.Run (strDISM & " /Online /Enable-Feature " &_
            "/FeatureName:IIS-LegacySnapIn " &_
            "/FeatureName:IIS-IIS6ManagementCompatibility " &_
            "/FeatureName:IIS-WebServerManagementTools " &_
            "/FeatureName:IIS-WebServerRole " &_
            "/FeatureName:IIS-Metabase " &_
            "/FeatureName:RemoteServerAdministrationTools " &_
            "/FeatureName:RemoteServerAdministrationTools-ServerManager " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-CA " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-OnlineResponder " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-NIS " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-LDS " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-AD-Powershell " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-DHCP " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-DNS " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Dfs " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Fsrm " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-StorageMgmt " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-HyperV " & _
            "/FeatureName:RemoteServerAdministrationTools-Roles-RDS " & _
            "/FeatureName:RemoteServerAdministrationTools-Features " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-BitLocker " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-Clustering " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-GP " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-LoadBalancing " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-SmtpServer " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-StorageExplorer " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-StorageManager " & _
            "/FeatureName:RemoteServerAdministrationTools-Features-Wsrm"),0,True
End Function
 
Function Debug(data)
    If strDebug = 1 Then
        WScript.Echo data
    End If
End Function


Computer naming schemes

I often get asked what I recommend for server/client naming schemes. There is no definitive answer, since this always depends on your organization and what your specific requirements are, but here are some pointers:

Things you would often want to include in the name of a machine:

  • Your organization name or an abbreviation of it: <org>
  • The machine type; laptop, desktop, workstation, server etc.: <type>
  • The computer's MAC address: <MAC>
  • Asset tag: <asset tag>
  • Make/Model: <model>
  • The name of the user who owns/uses the machine: <username>
  • The department it belongs to: <dep>
  • A running number: <n>
  • The OS the machine is running: <OS>

You can combine these any way you want; using hyphens or other separators, or not. Here are a few I often use:

  • <org>-01234 (e.g. BigFirm-56798)
  • <org>-<type>-01234 (e.g. BigFirm-l-87980)
    V=Virtual
    W=Workstation
    L=Laptop
    K=Kiosk
    etc.
  • <org>-<asset tag> (e.g. BigFirm-A5B98)
  • <org>-<MAC address> (e.g. BigFirm-AABBCCDDEEFF)
  • <org>-<model>-01234 (e.g. BigFirm-HP8100-89476)
  • <org>-<username>(-<type>) (e.g. BigFirm-BobH-V)

If you have any suggestions of either complete schemes or things you like to include in your machine names, please leave a comment and I will update the article.

Also, remember that Windows computers use both DNS hostnames and NetBIOS names. NetBIOS names are limited to 15 characters, but DNS hostnames are not. Windows will not stop you from using names that are longer than 15 characters, but the NetBIOS name of the machine will be limited to the first 15 characters of the name you choose. If the part of your name that makes it unique is beyond the 15th character you will have more than one machine on your network with the same NetBIOS name. Furthermore, although Windows itself will work with a name longer than 15 characters, many tools will not. An example of this is MDT 2010.
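
The truncation problem described above can be checked before a naming scheme is rolled out. The following PowerShell function is an added example, not part of the original article; the function name Get-NetBiosCollision and the sample host names (built from the schemes listed earlier) are made up for illustration.

```powershell
# Added example: find planned computer names that collapse to the same
# NetBIOS name once Windows keeps only the first 15 characters.
function Get-NetBiosCollision {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$HostName
    )

    $candidates = foreach ($name in $HostName) {
        # The NetBIOS name is derived from the host label, not the DNS suffix.
        $label = ($name -split '\.')[0]
        $keep  = [Math]::Min(15, $label.Length)
        New-Object PSObject -Property @{
            HostName    = $name
            NetBiosName = $label.Substring(0, $keep).ToUpperInvariant()
        }
    }

    # Any NetBIOS name shared by more than one host is a collision.
    $candidates |
        Group-Object -Property NetBiosName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                NetBiosName = $_.Name
                HostNames   = @($_.Group | ForEach-Object { $_.HostName })
            }
        }
}

# Constructed sample: the <org>-<model>-<n> scheme puts the unique running
# number after the 15th character, so the first two names collide.
$planned = @(
    'BigFirm-HP8100-89476',
    'BigFirm-HP8100-89477',
    'BigFirm-L-87980',
    'BigFirm-BobH-V'
)
Get-NetBiosCollision -HostName $planned | Format-List
```

Running the same check against an export of existing computer names shows whether a scheme that looks unique in DNS is already ambiguous on the NetBIOS side.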

Happy naming!

Remote Desktop on Linux?

With the momentum behind desktop virtualization, both with VDI and Remote Desktop Sessions (formerly Terminal Services), more and more people are looking for ways to access the Windows Desktop from platforms other than Windows. Citrix offers the Citrix Receiver which supports virtually all platforms, but if you want to use the Remote Desktop Protocol (RDP) your choices are limited. This is a list of the RDP clients I have found for Linux:

Unfortunately none of these support more than RDP v5.1, which does not offer any of the newest features such as multi monitor support etc.

SHA1 Thumbprints for trusted .rdp publishers

Remote Desktop Connection (RDC) has a Group Policy setting that determines which publishers are to be considered trusted when launching connections (typically .rdp files served in various ways).

The publisher is identified by the SHA1 thumbprint of the certificate of the publisher (the certificate used to sign the .rdp file). You get the thumbprint from the certificate:

image

The setting is located under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Setting:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

Description:
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.

If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.

If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.

Notes:

You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.

This policy setting overrides the behavior of the “Allow .rdp files from valid publishers and user’s default .rdp settings” policy setting.

If the list contains a string that is not a certificate thumbprint, it is ignored.

As you can see, there is no mention of how the thumbprint is to be entered!

I found out the hard way that you have to remove all spaces and convert all letters to uppercase for the thumbprint to be valid. You are not informed if the format you enter is incorrect; it is just silently ignored if not recognized as a valid thumbprint.

This quick PowerShell command will do these two operations:

("<your thumbprint here>").ToUpper().Replace(" ","")

If this Group Policy setting is not in effect, either because you have not set it or the thumbprint is incorrect/invalid, your users will get a warning when connecting, even if the certificate used to sign the .rdp file is trusted:

image

Error: A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

It is interesting to note that the rdpsign.exe command line utility, which is used to sign .rdp files manually, requires the thumbprint of the certificate to be provided in just this way: http://technet.microsoft.com/en-us/library/cc753982(WS.10).aspx

A note on copying the thumbprint

If you look at the highlighted/selected thumbprint in the image above you will see what looks like a leading whitespace. If you select the whole string (not as above), you will get a strange leading character in your thumbprint. Have a look at this zoomed image:

image

I do not know what character this is, but it invalidates the thumbprint string if you paste it into the SHA1 thumbprint field in your GPO. Even stranger is that it does not show up in the pasted text in the GPO object; it just “looks” right. As I said, I have no explanation, but remember to skip the leading whitespace when you copy your thumbprint.

This is how it should look:

image
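
Because the policy silently ignores a malformed entry, it helps to clean and validate the thumbprint before pasting it into the GPO. The function below is an added example, not part of the original post: it covers both the space/uppercase rule and the invisible leading character described above. The function name ConvertTo-GpoThumbprint and the sample thumbprint are made up, and the sample assumes the stray character is a non-printing Unicode character (U+200E is used as a stand-in).

```powershell
# Added example: normalize a copied certificate thumbprint and refuse
# anything that is not a 40-character SHA1 hex string.
function ConvertTo-GpoThumbprint {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # List every character that is neither a hex digit nor a plain space,
    # so invisible characters copied from the certificate dialog show up.
    $stray = foreach ($ch in $Thumbprint.ToCharArray()) {
        if ([string]$ch -notmatch '^[0-9A-Fa-f ]$') {
            'U+{0:X4}' -f [int]$ch
        }
    }
    if ($stray) {
        Write-Warning ('Removed unexpected characters: ' + ($stray -join ', '))
    }

    # Keep hex digits only, then uppercase: the form the policy accepts.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A SHA1 thumbprint is 20 bytes, i.e. exactly 40 hex characters.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters after cleanup, got $($clean.Length)."
    }
    return $clean
}

# Constructed sample: a made-up thumbprint as it might arrive from the
# clipboard, with a hidden leading character, spaces and lowercase letters.
$copied = "$([char]0x200E)" + '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67'
ConvertTo-GpoThumbprint -Thumbprint $copied
```

The warning lists the code point of anything it stripped, which identifies a character that is invisible in the GPO editor.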