How to determine which version of .net framework is installed?

Reference: http://support.microsoft.com/kb/318785

Microsoft .NET Framework is a software package used by many applications; it runs as a software environment (a managed runtime) rather than depending on a particular hardware environment.

PowerShell: how to get version of .net framework on a remote computer: https://gallery.technet.microsoft.com/scriptcenter/Detect-NET-Framework-120ec923

To query the local registry using PowerShell, execute the command below in an elevated PowerShell session:

(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release).Release

You can then use the Release value table in the referenced KB article to look up the installed version of .NET. For instance, if the returned value is 379893, then .NET 4.5.2 is installed.
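As an added example (not part of the original post), the lookup above can be scripted: the Release DWORD is compared against the documented minimum value for each version, highest first, which also absorbs the slightly higher values Microsoft assigns to the same version on other Windows releases. The threshold values are the documented Windows 10 minimums; 379893 is the 4.5.2 value quoted in the text.

```powershell
# Map the NDP\v4\Full Release DWORD to a .NET Framework version.
# Added example; the table holds the documented minimum Release per version.
function Get-NetFrameworkVersionFromRelease {
    param([Parameter(Mandatory)][int]$Release)
    # Ordered newest-first so the first threshold reached wins.
    $table = @(
        @{ Min = 533320; Version = '4.8.1' },
        @{ Min = 528040; Version = '4.8'   },
        @{ Min = 461808; Version = '4.7.2' },
        @{ Min = 461308; Version = '4.7.1' },
        @{ Min = 460798; Version = '4.7'   },
        @{ Min = 394802; Version = '4.6.2' },
        @{ Min = 394254; Version = '4.6.1' },
        @{ Min = 393295; Version = '4.6'   },
        @{ Min = 379893; Version = '4.5.2' },   # value quoted in the text
        @{ Min = 378675; Version = '4.5.1' },
        @{ Min = 378389; Version = '4.5'   }
    )
    foreach ($row in $table) {
        if ($Release -ge $row.Min) { return $row.Version }
    }
    return "unknown (Release $Release is below the 4.5 baseline)"
}

function Get-InstalledNetFramework4 {
    # The Release value only exists for 4.5 and later; plain 4.0 has no Release.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { return 'No .NET Framework 4.5 or later is installed' }
    '{0} (Release {1})' -f (Get-NetFrameworkVersionFromRelease $release), $release
}

Get-NetFrameworkVersionFromRelease 379893   # 4.5.2, as in the text
Get-InstalledNetFramework4
```

Knowing the exact runtime version matters when checking whether a host still receives .NET security updates, since each 4.x version has its own support lifetime.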

Bare Metal Restore and Backup script

http://www.alexwinner.com/articles/divers/123-backupscript2008r22012.html

http://www.alexwinner.com/articles/divers/122-wbsbaremetalrestore.html

Windows Deployment Services or MDT?

WDS starter guide: http://technet.microsoft.com/fr-fr/library/jj648426.aspx

Solution accelerator: MDT (Microsoft Deployment Toolkit): http://technet.microsoft.com/en-us/library/ee376932.aspx

Script center and WDS: http://gallery.technet.microsoft.com/scriptcenter/Windows-Deployment-WDS-8bb013b7

WDS and MDT better together?

WDS is for network deployment, MDT can create images that can be uploaded to WDS or deployed individually as a DVD boot image:

http://technet.microsoft.com/en-us/video/deploying-windows-7-with-windows-deployment-services.aspx

MDT is the way to go. WDS just delivers the images. With MDT, you can manage your image creation process as well as the imaging process. So yes, with MDT you can create a single image and push it to any number of different hardware models and inject the drivers as needed at image time. You can also inject program installations and fixes and updates. You can also use MDT to backup and restore profiles if you just wanted to refresh a computer. It’s very powerful and well worth the learning curve. There are some very good tutorials out there that will get you started.

The Microsoft Deployment Toolkit (MDT) can also manage device drivers, however MDT is a task based process that allows you to do much more. MDT can run custom scripts, install software, packages and updates and call Windows Update or WSUS to make sure any new updates are installed. This makes it possible to have a thin base image that goes on all machines while allowing you to install software based on department or personal needs and have all the latest updates installed without the need to update your base image frequently or have multiple images to cover all possible scenarios in your organization.

MDT also has the ability to use other tools during deployment, such as the User State Migration Tool (USMT), the Application Compatibility Toolkit (ACT), the Microsoft Assessment and Planning tool (MAP) and the Microsoft Security Compliance Manager (SCM).

Additionally, the Litetouch PE images that MDT creates can be used with WDS to allow network booting and multicast deployments while still using the flexibility of MDT.

These videos are a great way to see how MDT can improve your deployments:

http://prajwaldesai.com/integrating-windows-deployment-services-with-microsoft-deployment-toolkit/

MDT 2013 installation: http://blog.itvce.com/?p=4730

Many more videos and articles and free tools to help with Deploying Windows with MDT can be found on the Deliver and Deploy Windows 7 and Deliver and Deploy Windows 8 pages of the Springboard Series on TechNet.

Hope this helps,

What is the difference between MBR and GPT partitioning?

In Microsoft Windows operating systems there are two disk partitioning schemes, MBR and GPT. The main difference between them is how they map disk sectors to logical blocks. MBR, or Master Boot Record, was the first partitioning scheme and was designed for disk drives with a capacity below 2 TB (terabytes). GPT, or GUID Partition Table, was designed to overcome the MBR size limit. Both schemes are in use today, but there are some important differences between them. In this post I will talk about the differences between these two disk partitioning types.

Data is divided into several blocks of information, which is why partition tables were invented. Partition tables keep track of the mappings between sectors and logical block numbers. Imagine that you have a file stored on your disk drive. The file is segmented into several pieces of information (study the networking tutorials from IT training day to understand how this is done), each segment receives a label, and this information is stored in the partition table. By checking the partition table, devices are able to reconstruct the whole information.

The Master Boot Record was invented when only x86 computers existed. On an MBR disk you can create four partitions, or three primary and one extended. Of course, the extended one can be partitioned further. One big problem of using an MBR architecture is the possibility of data corruption: there is only one partition table for each partition. The next image, taken from Microsoft’s website, illustrates the MBR architecture:

You can see from the image that there are four partitions (three primary and one extended). The primary partitions are C, E and F. Each of the primary partitions has one partition table. The extended partition contains the logical drives (G, H, … n).

The Master Boot Code is a small piece of code that is executed at boot. This structure is automatically created when a disk is partitioned as MBR. The executed code does the following: it scans the partition table for the active partition (the partition where the operating system is stored) and finds the location of the first sector of that partition. It loads the boot sector code from the active partition into memory and then transfers control to the executable code in the boot sector. If the master boot code cannot locate the boot sector code of the active partition, one of the following messages can be displayed: “Error loading operating system”, “Invalid partition table” or “Missing operating system”.

The 2-byte value 0x55AA marks the end of the MBR sector. It is also called the MBR signature.

GUID Partition Table: this type of partitioning supports hard drives with more than 2 TB of storage capacity. A basic disk that uses GPT partitioning can have up to 128 primary partitions. GPT also adds a CRC (Cyclic Redundancy Check) on its structures, improving reliability, and keeps a backup copy of the partition table. This is what a GPT layout looks like (from Microsoft’s website):

You can see that the GPT architecture reuses a large part of the MBR layout but adds other features. It contains GUID partition entries (primary GUID partitions), each of which identifies the type of data stored on the partition and the disk type. For each GUID partition table there is a backup partition table. It also contains a GUID partition table header and a backup GUID partition table header. Read more about this on Microsoft’s website:

http://msdn.microsoft.com/en-us/library/aa363785%28VS.85%29.aspx
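The MBR layout described above (four 16-byte entries at offset 446, the active flag, the 0x55AA signature) can be checked directly on a sector image. The following is an added example, not from the original post; the 512-byte sector is constructed inline, and the same function would work on bytes read from a physical disk. It also recognises the 0xEE protective entry that a GPT disk keeps in its MBR, which ties the two sections together.

```powershell
# Decode the partition table of a 512-byte MBR sector (added example).
function Get-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'An MBR sector is 512 bytes' }
    # The 2-byte signature 0x55 0xAA closes the sector (bytes 510-511).
    $validSig = ($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA)
    $entries = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i              # four 16-byte entries start at 446
        $type = $Sector[$off + 4]          # partition type id
        if ($type -eq 0) { continue }      # empty slot
        $count = [BitConverter]::ToUInt32($Sector, $off + 12)   # sector count
        $entries += [pscustomobject]@{
            Slot          = $i
            Active        = ($Sector[$off] -band 0x80) -ne 0   # 0x80 = active/bootable
            TypeId        = '0x{0:X2}' -f $type
            StartLba      = [BitConverter]::ToUInt32($Sector, $off + 8)
            SizeMB        = [math]::Round($count * 512 / 1MB, 1)
            # 0xEE is the protective entry a GPT disk places in its MBR so that
            # legacy tools see one full-size foreign partition, not free space.
            GptProtective = ($type -eq 0xEE)
        }
    }
    [pscustomobject]@{ ValidSignature = $validSig; Partitions = $entries }
}

# Constructed sample sector: one active NTFS (0x07) partition of 512 MB at
# LBA 2048, one extended (0x05) container after it, then the 0x55AA signature.
$mbr = New-Object byte[] 512
$mbr[446] = 0x80; $mbr[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($mbr, 454)
[BitConverter]::GetBytes([uint32]1048576).CopyTo($mbr, 458)
$mbr[466] = 0x05
[BitConverter]::GetBytes([uint32]1050624).CopyTo($mbr, 470)
[BitConverter]::GetBytes([uint32]2097152).CopyTo($mbr, 474)
$mbr[510] = 0x55; $mbr[511] = 0xAA

$table = Get-MbrPartitionTable -Sector $mbr
if (-not $table.ValidSignature) { Write-Warning 'Missing 0x55AA signature: not a valid MBR' }
$table.Partitions | Format-Table -AutoSize
```

Comparing such a decoded table against a known-good copy is a simple integrity check for the boot sector, since the master boot code and table are the first things read at start-up.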

Start programs elevated from a batch file

If you use batch files to automate tasks on a Windows Vista, Windows 7, or Windows Server 2008/2008 R2 computer, you have probably encountered situations where you needed to start a program ELEVATED (as Administrator).

For example, if you want to share a folder automatically from a batch file, you would use the "net share" command. However, unlike many other programs that ask for the administrator’s approval, net share does not do that and simply returns error code 5 ("access denied") if it was started by a standard user.

How to force that program to start elevated from a batch file?

There are multiple elevate.exe programs available for free on the Internet; I selected two of them. The first is documented as follows:

Usage:  elevate [(-c | -k) [-n] [-u]] [-w] command

Options:
-c  Launches a terminating command processor; equivalent to "cmd /c command".
-k  Launches a persistent command processor; equivalent to "cmd /k command".
-n  When using -c or -k, do not pushd the current directory before execution.
-u  When using -c or -k, use Unicode; equivalent to "cmd /u".
-w  Waits for termination; equivalent to "start /wait command".

Notes:
Both the hyphen (e.g., -w) and slash (e.g., /w) forms of switches are valid.

When -k is specified, command is optional. Omitting command in this case will simply open an elevated command prompt.

Normally, an elevated command processor will not honor the current directory of an unelevated parent process, thus potentially creating problems with relative paths. To address this problem, when the -c or -k switches are used, elevate will issue a pushd command to the new command processor to ensure that it uses the current directory of its parent process. Specifying the -n switch will disable this feature.

Examples:
elevate -k
elevate /w HashCheckInstall.exe
elevate -k sfc /scannow
elevate /c del %SystemRoot%\Temp\*.*
elevate -c -w copy foo*.* bar

Why this utility?

There are other similar utilities available; for example:
* http://wintellect.com/cs/blogs/jrobbins/archive/2007/03/27/elevate-a-process-at-the-command-line-in-vista.aspx
* http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

Copy the file Elevate.exe into a folder where Windows can always find it (such as C:\Windows). To use it in a batch file, just prepend the command you want to execute as administrator with the elevate command, like this:

elevate net share ...
elevate -noui "c:\batch.bat"

and it should run the command net share as administrator. Of course, it does not relieve the administrator from the duty to approve the request (unless you have enabled the quiet mode of UAC or disabled UAC altogether).

The syntax of the Elevate command is as follows:

  elevate [-opt1] [-opt2...] [path\]file[.exe] [param1 [param2...]]

Where -optN can be one of the following:

-?         - Display the help screen and exit
-info      - Open the web page with more information (the web page you are reading now!) and exit
-wait4idle - Wait for the target process to initialize before returning
-wait4exit - Wait for the target process to finish before returning
-noui      - Don't display any messages, even if an error occurs

After the options, the following arguments should be entered:

file       - The file name of the program to launch elevated
paramN     - Optional parameters (as expected by the program being launched)

For example, if for some reason you want to run Notepad as administrator, and continue only after you exit Notepad, you would use a command like this:

  elevate -wait4exit notepad

If you use the elevate command while logged in to Windows as a user that does not have a split token, that is, as a non-administrator or a guest user, it will ask for the administrator’s password to continue. If you use it as the true administrator (that is, if UAC is disabled, or if you’ve launched the batch file itself as administrator), then no administrator’s approval is required and it launches the program as usual.

Can Elevate.exe be used on a Windows XP or Windows 2000 computer, even though they do not have UAC or users with split tokens? Yes, it can! In such a case, if the batch file is executed by the administrator, then Elevate.exe runs the program as usual, without requiring any additional approval. If run by a restricted user, Elevate.exe has the same effect as the Runas command of Windows XP/2000: it gives the user an option to enter a different user’s credentials to launch the program.

The return code of the elevate command depends on the result of its execution and whether you have specified the -wait4exit option or not. If the -wait4exit option is NOT specified, then elevate returns code 0 if it started the target process successfully, or an error code as reported by Windows. For example, if Windows could not find the target file, it usually returns code 2. If the file was found, but the administrator did not approve the request to start the program elevated, the return code is 5. And so on.

However, if you have specified the -wait4exit option on the command line, then if the target process was started successfully, the elevate command waits for it to finish and returns the exit code from that process. The returned value in such a case depends on the program being launched by the elevate command. As with other commands, you can access the return code in a batch file via the ERRORLEVEL variable.

Tip: you can extend the shell context menu for directories with an "Open Elevated Console here" entry by adding the following registry entries (adjust the path to elevate.exe):

[HKEY_CLASSES_ROOT\Directory\shell\Open Elevated Console here]
@="Open Ele&vated Console here"

[HKEY_CLASSES_ROOT\Directory\shell\Open Elevated Console here\command]
@="c:\\path\\to\\elevate.exe /K \"title %1 && color 1a && cd /D %1\""

Performance tuning guidelines for Windows Server 2008 R2 and 2012

http://msdn.microsoft.com/en-us/library/windows/hardware/dn529134

How to script DCOM permissions and WMI security for non-admins?

The objective is to allow WMI queries on a computer for a non-admin user or group.

The group to allow is MYDOMAIN\wmiquery-users.

The scripts require dcomperm.exe and WmiSecurity.exe.

Authorize WMI users and set permissions on Windows 7 and Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/cc771551.aspx

1st step: Set up DCOM permissions:

@echo off
CLS
echo.
echo Windows computers – Set up DCOM Permissions – Oct 2011
echo __________________________________________________________________________________
echo.
REM Start a fresh log for this computer (a single > truncates; later lines append with >>)
echo ==========================================================================>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Show current DCOM permissions – current values on %computername% BEFORE…
echo List machine access permission list…
dcomperm -ma list
echo List machine launch permission list…
dcomperm -ml list
echo List machine default permission list…
dcomperm -dl list
echo.
echo Show current DCOM permissions – current values on %computername% BEFORE…>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
pause
echo.
echo ————————————————————————
echo Set new DCOM permissions – new values on %computername%…
REM -ma: machine-wide access limits; level l,r = local and remote access
echo Set machine access permission list…
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r
REM -ml: machine-wide launch limits; ll,la,rl,ra = local/remote launch and local/remote activation
echo Set machine launch permission list…
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
REM -dl: default launch permissions; note this uses remove, so the group gets no explicit default entry
echo Set machine default permission list…
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra
echo.
echo Set new DCOM permissions – new values on %computername%…>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine access permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine launch permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo Set machine default permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
echo ————————————————————————-
echo Show current DCOM permissions – current values on %computername% AFTER…
echo List machine access permission list…
dcomperm -ma list
echo List machine launch permission list…
dcomperm -ml list
echo List machine default permission list…
dcomperm -dl list
echo.
echo Show current DCOM permissions – current values on %computername% AFTER…>>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine access permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ma list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine launch permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -ml list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo List machine default permission list…>>.\logs\Set-DCOM-Permissions_%computername%.txt
dcomperm -dl list >>.\logs\Set-DCOM-Permissions_%computername%.txt
echo.
goto end
:end

2nd step: Set up WMI Security:

@echo off
CLS
echo.
echo Windows computers – Set up WMI Security – Oct 2011
echo _________________________________________________________________________
echo.
REM Start a fresh log, then grant the group remote access on the Root namespace
REM (/A = add, /N = namespace, /R = apply recursively to sub-namespaces)
echo ————————————————————————————->.\logs\Set-WMISecurity_%computername%.txt
echo Set up WMI Security on %computername%…>>.\logs\Set-WMISecurity_%computername%.txt
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R >>.\logs\Set-WMISecurity_%computername%.txt
goto end
:end
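After both steps (the DCOM limits from step 1 and the namespace ACL from step 2), the resulting grants should be reviewed rather than assumed. The following added check, which is not part of the original scripts, decodes the machine-wide DCOM limits that dcomperm writes to the registry and the WMI Root namespace DACL, and lists the entries that name the group; it assumes Windows PowerShell 5.1 (Get-WmiObject) and the group name used above.

```powershell
# Review what the two scripts granted to the group (added check, not the original scripts).
$Account = 'MYDOMAIN\wmiquery-users'   # group name from the text; adjust as needed

# COM access-mask bits: execute plus the local/remote access and activation split
$comRights = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
# WMI namespace rights; read-only remote queries need only Enable + RemoteEnable
$wmiRights = @{ 1 = 'Enable'; 2 = 'MethodExecute'; 4 = 'FullWrite'; 8 = 'PartialWrite'; 16 = 'ProviderWrite'
                32 = 'RemoteEnable'; 131072 = 'ReadSecurity'; 262144 = 'EditSecurity' }

function ConvertTo-RightNames([hashtable]$Map, [long]$Mask) {
    ($Map.Keys | Sort-Object | Where-Object { ($Mask -band $_) -ne 0 } | ForEach-Object { $Map[$_] }) -join ','
}

function Get-DcomLimitAces {
    # dcomperm -ma / -ml store these as REG_BINARY security descriptors under HKLM\SOFTWARE\Microsoft\Ole
    param([ValidateSet('MachineAccessRestriction', 'MachineLaunchRestriction')][string]$ValueName)
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return }          # value absent: the built-in default limits apply
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{ Scope = $ValueName; Account = $who; Type = $ace.AceType; Inherit = $false
                           Rights = ConvertTo-RightNames $comRights $ace.AccessMask }
    }
}

function Get-WmiNamespaceAces {
    param([string]$Namespace = 'root')
    $res = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor()
    if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with code $($res.ReturnValue)" }
    foreach ($ace in $res.Descriptor.DACL) {
        $aceType = if ($ace.AceType -eq 0) { 'AccessAllowed' } else { 'AccessDenied' }
        [pscustomobject]@{
            Scope   = "WMI $Namespace"
            Account = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type    = $aceType
            Inherit = ($ace.AceFlags -band 2) -ne 0      # CONTAINER_INHERIT: also applies to sub-namespaces (/R)
            Rights  = ConvertTo-RightNames $wmiRights $ace.AccessMask
        }
    }
}

$all  = @('MachineAccessRestriction', 'MachineLaunchRestriction' | ForEach-Object { Get-DcomLimitAces $_ })
$all += Get-WmiNamespaceAces -Namespace 'root'
$all | Where-Object { $_.Account -eq $Account } | Format-Table -AutoSize
```

For a query-only group, the WMI entry should show Enable and RemoteEnable without any of the write rights, and the DCOM entries should carry only the access and activation bits needed for remote calls.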

Workstations – Choosing a deployment strategy

Microsoft has published on its TechNet site an interesting article comparing the four deployment strategies
for Windows 7 workstations: