posted
24/01/10
By Fredrik Wall
When working with MDT folders you want to sort
the folders by name to make It look better.
This is not a task you do in the Workbench.
I found a great script for this by Michael Niehaus
at Microsoft. It can be found here.
It will sort every folder in the Deployment Share structure.
The script will sort the structure by making a _TEMP_
folder and move the folder there and then move them
back sorted one by one.
You can do this manually as well in the Workbench
but It’s a big job then.
In my folder structure the comments will be deleted
this way.
If I move (copy, paste, delete old folder) a folder
in the Workbench I will get the same result.
The property “Enable this folder” seems to work just fine
with moving folders.
Is this a known bug/feature?
I will write a script that fixes this for me later on next
week. Have to do another script first 
posted
23/01/10
By Fredrik Wall
This is a follow up on my last blog post about
using PowerShell from a Windows 7 machine
against a MDT 2010 solution (server).
It’s a how to use the Workbench on the
Windows 7 machine to manage a MDT 2010 solution
on a remote server.
First of all you need to go in to the Workbench
and the components section.
Then select Windows Automation Installation Kit x86 or x64
and download it by push the download button. It’s a large
file ~1 GB.
And when It is downloaded, select it again (it’s now under the downloaded section) and push the install button.
Now choose Open Deployment Share on the right side of the workbench.
The path should be like \\server\deploymentshare$
Now you got the same view on your Windows 7 machine
as on the MDT 2010 server.
I love this
But I don’t love the WAIK part, 1 GB of installation to be able to
do remote administration is not so good!
Technorati Tags:
MDT 2010,
Deployment
posted
05/01/10
By Fredrik "DXter" Jonsson
Yesterday in my last post Always include your smart card drivers in your deployment image! I said that you should always include your mini drivers for your smart cards in your deployment image. Dalle thought that I should do a follow up with a step by step on how to do so.
Personally, I really like and use the Gemalto .NET cards. So first we go to http://catalog.update.microsoft.com/ and search for “Gemalto .NET”.
In this example we to save the cab file on my desktop.
If we take a look at my desktop, we can clearly see that I now have a new folder called "Gemalto – Input – Gemalto Minidriver for .NET Smart Card" with a cab file in it.
Now we need to prepare our cab file. We extract the content of our cab file using Windows Explorer (or WinRAR) and remove the original cab file.
Now we have our prepared driver that is ready to be injected into our WIM-file. On my desktop I have a Windows 7 Enterprise x64 WIM image. I open up DISM and mount the the image to my mount directory with the command dism /mount-wim /wimfile:install.wim /index:1 /mountdir:c:\mount
If we open up C:\mount we can clearly see that the our WIM-image has been mounted in our mount folder.
First we query our mounted WIM-file for drivers to confirm that it doesn’t have our Gemalto .NET driver with the command dism /image:c:\mount /get-drivers.
Clearly, we have only one OEM driver right now. Now lets try to add our driver using the command dism /image:c:\mount /add-driver /driver:"Gemalto – Input – Gemalto Minidriver for .NET Smart Card" /recurse. Now DISM will search that folder for any drivers and will add them to our image.
Lets try dism /image:c:\mount /get-drivers again to confirm that our driver has really been installed.
Now our Gemalto .NET driver is injected in our WIM-file! Sweet! Now all we need to do is to unmount our image and commit the changes using the command dism /unmount-wim /mountdir:c:\mount /commit.
Thats it folks! Now our image has our Gemalto.NET minidriver installed and you can straight away import the image to your WDS/MDT/SCCM deployment solution. Now when you insert your smartcard in a deployed client, it will automatically install the Gemalto.NET driver from the local driver store. Pretty cool huh?
Like Raymond Stantz in the Ghostbusters said: “Well that wasn’t such a chore now, was it?” 
// Fredrik “DXter” Jonsson
posted
04/01/10
By Fredrik "DXter" Jonsson
One of the cool things in Windows 7 and Windows Server 2008 R2 is the dynamic installation of card modules through WSUS/Windows Updates. This means that if you insert a smart card into your Windows 7 box it is automatically installed through Windows Update. This is really cool and can simplify smart card installations a lot for home users and external partners.
Now people ask, what about the Gemalto .NET cards? They are using the Microsoft Base CSP and their drivers are included in Windows Vista. Yes, it is true that the Base CSP and the drivers for Gemalto .NET are included in Vista. But they are not included in Windows 7! Only the Base CSP is installed by default in Windows 7 / Windows Server 2008R2!
For a regular user, this usually is not a problem. Windows 7 can even install the necessary mini driver at the login prompt and will do so by default. But administrators may have bigger problems. Lets go through the requirements for this dynamic installation of smart cards to work:
1. The client has access to Windows Update/WSUS using the local network or internet.
2. The card is compliant with the Microsoft Base CSP and has it’s card modules available on Windows Update.
3. The system automatically installs drivers for your hardware through Windows Update (which is disable by default on Windows Server 2008 R2)
The funny thing for administrator is this: Say that you have a security policy that says that administrators can only authenticate them self using smart cards. They try to login to Windows Server 2008 R2 box and can not login since the drivers for the card are not installed and will not be installed automatically (by default). In other words, you need to authenticate with your smart card to be able to install the the mini driver for your smart card. The same thing applies if the card module is not on Windows Update or if the machine has no network or internet access to be able to install the driver.
So what happens if I add my card drivers to the driver store in my MDT/WDS solution? Won’t it be installed when the client is being installed? No. The UPNP scan only reports available hardware and install the necessary drivers for the exact hardware the client is using. If the smart card is not inserted during installation, the drivers for it will not be installed!
How do we resolve this issue? Well, if we have SCCM we can make the driver package for Gemalto .NET a mandatory package that will be installed with the operating system no matter what. If you don’t have SCCM, a very easy way to deal with this is to inject the drivers to your WIM image using offline servicing. In other words:
Always include your smart card drivers in your deployment image!
Update: A step by step guide can be found here: http://poweradmin.se/blog/2010/01/05/adding-your-smart-card-drivers-to-your-wim-image-using-offline-servicing/
// Fredrik “DXter” Jonsson
posted
18/10/09
By Fredrik Wall
My good friend Fredrik “DXter” Jonsson will join
me from now on and be Co-Author for this blog.
He is one of the best I know on PKI and Ubuntu.
And he is also very good on Active Directory and
Deployment.
DXter will do a presentation of him self as fast has
he can
Welcome my friend and thank you for being my Co-Author.
