Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
xsisbest1 Absent Member.
Absent Member.
1812 views

OES Client MDT Silent unattended install with no prompts

So I've come so very close to having a perfectly unattended install but the Novell Client on Windows 7 continues to give me troubles.
With Windows 10 v1803 (or v1709) I can install the client in my base image and still have it autologin via my sysprep file (<autologon>true</autologon>) but with the client installed on Windows 7 it always stops the autologon and says "Username or password is not valid". I even used netplwiz.exe to login to admin auotmatically before imaging, during my task sequence, used scripts to change password to nothing, to something... I tried everything I could think of to try and get it to autologon and continue my mdt install but the Novell client and Windows 7 said oh no you isn't.. I just noticed they have SP4 IR8a so I'll give that a shot tomorrow but I've been using IR8 up until today.
With Windows 10 running perfectly fully unattended I tried to seek out a solution for this issue and I've found a 99 % solution but I'm still not satisfied.

I've followed some tutorials around the nets and have found for this issue that you may need a couple hotfixes or Microsoft patches but those are somewhat old and with me doing MDT, I have a fully patched ready to go OS and I have said patches already installed.
Next you need to install your certificate which is pretty easy to do. You install your client on a machine, click all the prompts including checking "Trust this software" and finalizing the install. You then go to certmgr.msc and browse to Trusted Publishers and then Certifificates and you will see the Micro Focus cert. Double click and export to a file and save as you like.. I save as nwclient.cer and saved it in my Novell Client applications folder in my mdt.
I then created a task sequence to import that cert right before the apps install in my deployment by using certinstall.exe -f -addstore "Trusted Publishers" nwclient.cer and it installs the certificate.
Next I setup my Novell install to use a unattend.txt file that has all my settings and run setup.exe /NCFS:unattend.txt and it installs my Client.
Now, the tutorials say that importing the cert will make this a fully unattended install but I cannot get it to stop prompting if I "Trust this software" and I have to click Install or Don't install to move forward... therefore ruining my perfect unattended deployment. Other than that one prompt, it finishes the install and suppresses all other prompts including reboot. I reboots my mdt and I'm good to go.
I have yet to find a solution for this and yes, the cert is getting installed completely and it still prompts to install.... I even reinstalled with the certs already installed and it still prompts no matter what. I saw that you can use another program called autoit", or something like that, but I'll have to read more up on that. It pretty much creates a script that can suppress the prompt but I can't believe I can get Zen to be fully unattended and the client is a no go. I would greatly appreciate any help on this!
Labels (1)
0 Likes
9 Replies
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: OES Client MDT Silent unattended install with no prompts

xsisbest <xsisbest@no-mx.forums.microfocus.com> wrote:

> but with the client installed on Windows 7 it always stops the autologon
> and says "Username or password is not valid".


Not sure what the explanation is for that, since we expect a Windows
AutoAdminLogon configuration to be supported and "pass through" Client
for Open Enterprise Server same as it does on a machine which doesn't
have the client installed.

Are you possibly configuring an eDirectory AutoAdminLogon in addition
to the Windows account AutoAdminLogon? netplwiz.exe or control.exe
userpasswords2 would definitely only be setting up the Windows
AutoAdminLogon policy, but if you had enabled any of the
eDirectory-specific AutoAdminLogon policy settings, maybe the
workstation is reporting a failure to perform the eDirectory login.

Perhaps make sure AutoAdminLogon isn't enabled under
[HKEY_LOCAL_MACHINE\Software\Novell\Login]. Otherwise, if this was
happening on Windows 7 versus Windows 10 machines in front of me, the
next step would be comparing the NCCredProvider debug logs to see what
NCCredProvider thought of the Windows AutoAdminLogon policy in each
case.

> I then created a task sequence to import that cert right before the apps
> install in my deployment by using certinstall.exe -f -addstore "Trusted
> Publishers" nwclient.cer and it installs the certificate.


For a Windows 7 machine, if you were having that issue, it sounds like
Microsoft KB2921916 hotfix is needed. i.e. Even if the certificate is
correctly imported, Windows 7 didn't properly handle the Trusted
Publisher certificate if it was also an SHA256 certificate.

For a Windows 10 machine, seeing this symptom makes me suspect that
the certinstall.exe command line might be installing to a
user-specific "Trusted Publisher" store, instead of the machine store
that Windows is actually consulting for the "Trusted Publisher"
processing. I can't seem to easily find a certinstall.exe command
line description to say what it does by default.

Try using the specific steps in the documentation with CERTMGR.MSC, at
least as a troubleshooting step to see if having the certificate in
the correct store eliminates the symptom:

Section 2.6.4, Importing the Novell, Inc. Certificate as a Trusted
Publisher on a Single Machine
https://www.novell.com/documentation/windows_client/windows_client_admin/data/bqgnrgi.html#bqgo3fj

Note we're saying the steps of enabling display of "Physical
certificate stores" and then selecting the "Local Computer" store for
"Trusted Publishers" are key here, and that using even CERTMGR.MSC to
successfully import the certificate but WITHOUT following these
specific steps would also lead to the same symptom you're describing.

Alan Adams
Client for Open Enterprise Server
Micro Focus
alan.adams@microfocus.com
0 Likes
xsisbest1 Absent Member.
Absent Member.

Re: OES Client MDT Silent unattended install with no prompts

Thank you very much for your input.

for the autologon issue I ended up just removing the client on my Windows 7 machine and installing during the sysprep phase. During sysprep it auto logs into the admin account no problem. Granted that's with no password as it's in audit mode but I have it set in my unattend.xml the admin password and autologon and it again works perfectly fine on Windows 10 but not on 7 when going into the oobe phase. Removing the client immediately remedied this issue but then as a result, during the install, I get hit with the Do you trust this publisher and I have to click Install. Either way I'm left with a non working unattended install.

I did notice on the import directions that you posted that I did not choose options and select Physical machines and then go to the Local Computer/Certificates. I just clicked Trusted Publishers/Certificates and it was right there. The only issue I have with this is I need to export that certificate properly first and then import it again and see if that does the trick. Problem is I'm not seeing documentation on correctly exporting it. Also, on the import; is my command line correct? I noticed i said certinstall.exe which is not right it's actually certutil.exe... so certutil.exe -f -addstore TrustedPublishers "C:\novell\nwclient.cer"
Should I now need to import to TrustedPublishers/LocalComputer instead or something to that effect? I'm not familiar with cert installs so I know that command can't be right but maybe I'm importing it into the wrong spot. I've found documentation somewhere that said the above command is what I want but it's obviously not working for me. And I don't want to have to open certmgr.msc manually during my install too as that would defeat my unattended install as well. I need a command line for installing it but not sure "trustedpublishers" is the correct location if it needs to be under a sub category of "localmachine". Hope that makes sense.
0 Likes
xsisbest1 Absent Member.
Absent Member.

Re: OES Client MDT Silent unattended install with no prompts

SO I went a different route on this and just exported the registry file that points to this certificate and imported it that way instead of certutil or certmgr. It works just the same and unfortunately with the same results. The cert is going into Trusted Publishers/Local Computer/Certificates just as it explains in the documentation you posted. It imports just fine and yet it still prompts for the install. This is a Windows 7 machine and I haven't tested on Windows 10 but was hoping to get this one resolved before moving on. The hotfix it requires from Microsoft is from 2015 and I already have it installed so I can't re-install it. I guess I could remove then install again but not sure why that would change anything. I can't believe I'm the only one having this issue either but I can't find hardly any info on this other than what we have already. And it's quite simple to follow along too so I'm positive I'm doing it correctly.
0 Likes
Knowledge Partner
Knowledge Partner

Re: OES Client MDT Silent unattended install with no prompts

For Windows7, from my experience, you need to have this one
https://support.microsoft.com/en-us/help/2921916/the-untrusted-publisher-dialog-box-appears-when-you-install-a-driver-i
installed and active (i.e. box has been bounced after installation). Then something like
certutil -f -addstore "TrustedPublisher" c:\setup\novell.cer
(executed with elevated rights, of course) always allowed for a really silent client install.
0 Likes
xsisbest1 Absent Member.
Absent Member.

Re: OES Client MDT Silent unattended install with no prompts

That's the same hotfix I referenced in my post that I already have installed. I can install the certificate as well and it shows up right where it needs to be in Trusted Publishers/Local Computer/Certificates and yet it still prompts me.
I've even pre installed the cert in my image, not installed and script install during sysprep etc... No matter what I try it will always prompt me to install. Both the hotfixes that are out there are over 3 years old and should be installed on most systems if your patching them. I did just force install them and am re-creating my image so we'll see but I don't have high hopes.
0 Likes
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: OES Client MDT Silent unattended install with no prompts

Exporting the certificate is described earlier on the same
documentation page, and is done on a machine where you have used the
"Always trust Micro Focus" option previously. In CertMgr.msc you are
able to view the Trusted Publisher store and export the certificate
that was imported by Windows itself in response to the "Always trust
Micro Focus" option having been selected.

Same as when manually importing the certificate using CertMgr.msc, you
will have to enable display of "Physical certificate stores" and use
the "Local Computer" store for viewing the "Trusted Publishers" in
this export case, too. Since that is where Windows has imported the
certificate, so that you can see the certificate listed & export it
from there. The default export format of DER-encoded X.509 is fine;
any format that the Microsoft Certificate Manager will be willing to
re-import should also be fine.


certutil.exe -f -addstore "TrustedPublisher" "C:\Micro Focus\cert.cer"

Yes, this command line, issued from a Run as Administrator security
context, will import the certificate into the correct physical Local
Computer store.

Testing this just now on Windows 7 SP1 x64 with current Windows
Updates as of June 25 2018 DID NOT show success at suppressing the
prompt. As expected, since KB2921916 is a hotfix, and is not part of
the updates Microsoft pushes via Windows Update.

After applying KB2921916 to the Windows 7 SP1 x64 machine, the
certutil.exe-imported certificate was then honored and suppressed the
publisher verification prompt during future Client for Open Enterprise
Server 2 SP4 (IR8a) installation attempts, as expected.


If having the certificate in the proper "Local Computer" physical
store and ensuring KB2921916 has been applied to the Windows 7 machine
still does not result in Microsoft's SETUPAPI.DLL recognizing that
Micro Focus-signed software is a trusted publisher on this machine,
the only other logical explanation for that is that it's not the
correct certificate for the version of Client for Open Enterprise
Server that is being installed.

i.e. It can't be the certificate from "just any" previous installed
product; it does have to be the certificate that was used to sign the
version you're intending to install /now/.

e.g. If intending to install Client for Open Enterprise Server 2 SP4
(IR8a), it would have to be the certificate from Client for Open
Enterprise Server 2 SP4 (IR3) or later, if not the certificate from
IR8a itself. The certificate can be different for different releases,
as certificates expire, renew, or change ownership.

The certificate you're expecting for successfully installing IR8a is a
certificate issued to "Micro Focus (US), Inc." with a thumbprint of
debb4eb098729d67e3a199e4de44cff2a2df8381 and validity period of August
2015 to August 2018. If you intentionally or unintentionally had any
certificate other than that one as the certificate you were attempting
to import for suppression of the publisher prompt, it would explain
the symptoms continuing to occur even with all other steps correct.

Alan Adams
Client for Open Enterprise Server
Micro Focus
alan.adams@microfocus.com
0 Likes
xsisbest1 Absent Member.
Absent Member.

Re: OES Client MDT Silent unattended install with no prompts

Yes that's the I've been installing. I did manually force install that KB2921916 update this time so we'll see what happens. I'm imaging right now and will report back my success.. IF that's all it was was to force install it I'm going to be mad that I spent so much time trying to figure something out that was right in front of my face. But everytime I went to install it said it was already installed on my machine. And I did install IR8a using the check mark for Always Trust. I exported the cert right after so I know it's the correct one. Thanks againf or your input and help! I plan to make video tutorials of all my struggles as it seems there is very limited help when it comes to Novell/Zenworks issues. Or at least most of it is very out dated.
0 Likes
Knowledge Partner
Knowledge Partner

Re: OES Client MDT Silent unattended install with no prompts

Strange enough. The hotfix btw. has (to my knowledge) never been released via Windows updates, but anyway:
Can you see the entire chain for the cert in question, i.e. "DigiCert" -> "DigiCert EV Code Signing CA (SHA2)" -> "Microfocus (US), Inc."?
How long is is valid? Maybe you've just exported a wrong cert by accident...
0 Likes
xsisbest1 Absent Member.
Absent Member.

Re: OES Client MDT Silent unattended install with no prompts

So after force installing that KB2921916 update my install is fully unattended 🙂 🙂 🙂 Thank you so much for the info. I can't believe I didn't try that sooner but I guess I needed to learn the hard way. Hopefully this helps anyone else struggling with this but just go here and request the hotfix: https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=2921916&kbln=en-us

Then create a batch file with this info. I put both the batch file and the .msu file on c drive and created a batch file called hotfix.bat. Inside put this:

@echo on

expand -f:* "C:\Windows6.1-KB2921916-x64.msu" %TEMP%

pkgmgr.exe /quiet /n:%TEMP%\Windows6.1-KB2921916-x64.xml

del "C:\Windows6.1-KB2921916-x64.msu"

exit

Do a little dance when you realize you don't get prompted to trust this publisher 😄
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.