Silent Belgium e-ID
I am trying to install Belgium e-ID middleware silently by using provided msi file:
http://eid.belgium.be/nl/je_eid_gebruiken/hulp_nodig_/problemen_met_de_installatie
and using this command:
msiexec /passive /norestart /i BeidMW_64_4.1.18.msi /qn /l*vx c:\logs\beid64bit.log
I also imported fedict_codesiging.cer certificate.
But when trying to deploy this application using SCCM I am getting error code.
I have tried to deploy it then again but this time visible instead of hidden and I see that installer pops out a window for installing smartcard and this is probably what causing the installer to give error when it is hidden.
Anybody have any tips or ideas on how I can suppress this ?
PS: I also tried to install this windows update but it does not help
0 Comments
[ + ] Show comments
Answers (3)
Answer Summary:
Please log in to answer
Posted by:
dunnpy
8 years ago
When you say that imported the fedict_codesiging.cer (sic) - where did you import it to?
Which certificate store and what commnand line did you use for this?
It sounds like the certificate is in the wrong place, or is not valid.
Also the command line you are using for the MSI has contradictory switches. 'Passive' shows the progress bar, but 'qn' means that no user interface is shown. Check the switch list here.
That shouldn't affect the issue with the cert, but something else to bear in mind.
Which certificate store and what commnand line did you use for this?
It sounds like the certificate is in the wrong place, or is not valid.
Also the command line you are using for the MSI has contradictory switches. 'Passive' shows the progress bar, but 'qn' means that no user interface is shown. Check the switch list here.
That shouldn't affect the issue with the cert, but something else to bear in mind.
Comments:
-
I downloaded the certificate from the same site where the msi were.
So I belief I am using the right cert. I am importing it to the trusted publishers with a small powershell script
I will try to import it manually and use only /passive /norestart /i for now.
Gonna test it
brb - comicsserg 8 years ago -
Ok, I checked if certificate is valid so this can't be an issue.
I am now using the right msi switches but I still get the window :/ - comicsserg 8 years ago-
OK, it might be where the certifcate is then - try and add it to the Local Machine Trusted Root Certification Authorites and re-test the installer. - dunnpy 8 years ago
-
see my answer to rileyz - comicsserg 8 years ago
Posted by:
comicsserg
8 years ago
Top Answer
Yea, I found out that there is a new update from microsoft KB3125574 that includes the fix from KB2921916.
I have tested it out and it works on a PC where KB3125574 is installed.
So good news :)
This is the steps I have now in a script to install eID silently:
Prepare:
1) install eid manually on a PC and then extract the certificate driver from the local machine Trusted Publisher Store
I have tested it out and it works on a PC where KB3125574 is installed.
So good news :)
This is the steps I have now in a script to install eID silently:
Prepare:
1) install eid manually on a PC and then extract the certificate driver from the local machine Trusted Publisher Store
2) Make sure the PC includes this Microsoft Update KB3125574
Then in script:
1) add certificate to the TrustedPublisher Store
2) Add driver silently using Manage-Driver.ps1 script from rileyz post:
http://www.itninja.com/blog/view/app-v-5-and-drivers
3) Install Belgium e-ID software using this switches
Start-Process -FilePath "msiexec.exe" -ArgumentList "/norestart /i $ScriptFolder\BeidMW_64_4.1.18.msi /qn /l*vx c:\logs\beid4.1.18.log" -Wait
Thanks everyone for the help!
Then in script:
1) add certificate to the TrustedPublisher Store
2) Add driver silently using Manage-Driver.ps1 script from rileyz post:
http://www.itninja.com/blog/view/app-v-5-and-drivers
3) Install Belgium e-ID software using this switches
Start-Process -FilePath "msiexec.exe" -ArgumentList "/norestart /i $ScriptFolder\BeidMW_64_4.1.18.msi /qn /l*vx c:\logs\beid4.1.18.log" -Wait
Thanks everyone for the help!
Posted by:
rileyz
8 years ago
Read this and copy bits of my powershell code you'll need.
http://www.itninja.com/blog/view/app-v-5-and-drivers
Make sure you import the cert to the Local Machine account in Trusted Publisher store (kinda what Dunnpy said but in reference its the Trust Publishers store).
I would get the cert from the cert store, not from the website - this means you know you are working with the correct cert.
*ie, tick that box to trust the cert, then extract it from the store yourself.
Once you have the cert, test - you use script import to the correct store.
Then use DPInst to inject into WIndows driver store, it should run ok without prompting for the cert.
If you get the above working ok manually, then you can automate it.
(:
Comments:
-
thanks I will try it now - comicsserg 8 years ago
-
nothing works :/
I was testing and apperantly I need to:
1) install hotfix https://support.microsoft.com/en-us/kb/2921916
2) reboot the PC otherwise step 3 won't work
3) then when it booted I can use the above method to install it silently :S
This kinda sucks when you have to deploy the software to 10K PC's :S - comicsserg 8 years ago-
-
SCCM - comicsserg 8 years ago
-
Easy Bruv!
One way you can do it is deploy the HF to all workstations or just your chosen collection.
Next create a collection where the HF is detected, and apply the app install to the collection.
You might get some failing because its still pending the reboot, but but can force the reboot in the HF install if you want? Or just let it retry. But SCCM should pick up the pending reboot for the HF and wait - if not you can use a batch for the HF and exit /b 3010 - that will let sccm know its pending a reboot. - rileyz 8 years ago
-
If that approach works, at least you have a way forward. Delay your software roll-out by a few days and set to deploying the patch. Every machine is shutdown/rebooted at the end of the day (in theory ;-) ) so you'll have a number of machines good to go for the deployment.
You could even create a dynamic SCCM collection to deploy e-ID to. Those that have KB2921916 in Add/Remove Programs and are a member of whichever big collection you planned to deploy to. Remember that ARP entries are collected during a hardware inventory, so if you have a weekly schedule on that inventory you may want to reduce schedule times, or force an inventory on the collection regularly. - dunnpy 8 years ago-
thanks guys for helping :)
I added a post to the software tips for the people who may have had the same issue:
http://www.itninja.com/software/belgian-government/belgium-e-id-middleware/4-3954 - comicsserg 8 years ago -
High five, glad you got it resolved (:
Dont forget to mark this as answered. - rileyz 8 years ago -
do you know how can I mark it as answered? Is it just by editing the title? - comicsserg 8 years ago
-
Looks line it's been done, so all good. - rileyz 8 years ago