/build/static/layout/Breadcrumb_cap_w.png

Scripting Question


Silent installation NetExtender 8.0.241

09/20/2016 5941 views
Previously, i managed to install the version 7 with the help of your tips.
-Install on a new pc and check always trust this publisher
-Export the certificate
-Install the certificate before installing the main software
It work well, but is anyone test the new 8.0.X version and managed to get it install silently?

Thanks!
1 Comment   [ + ] Show comment

Comments

  • Same here. Not like I have not done this before for epson printers and Virtual box, Importing the cert just does not work with this! We are trying to install 8.0.241. Both the MSI installer which is signed by Dell and the EXE installer that comes off the portal page and is signed by SonicWall fail with this method on Windows 7 Ent. I have opened a support ticket with Sonicwall. Anyone else having this issue ever find a way around it?


Community Chosen Answer

2
FOUND THE SOLUTION!
There is a hotfix for this!
Came across this article: http://www.commprod.com/ININ/Blog/2016/March/~/media/Images/ININ/blog/3-10-16-CIC-troubleshooting.pdf

It highlights both a windows update AND a hotfix that is required to get around this problem. (We already had the update deployed)

This is the required hotfix: https://support.microsoft.com/en-us/help/2921916/the-untrusted-publisher-dialog-box-appears-when-you-install-a-driver-in-windows-7-or-windows-server-2008-r2

Installing that hotfix allowed it to work on Windows 7 Enterprise in our environment!

I deployed the hotfix as an application in SCCM using a VB wmi detection script with the /norestart command line option, but required a reboot via SCCM. (prevents hard reboot but adheres to enterprise reboot config.)

Distributed the cert via GPO.  Done!
Answered 02/22/2017 by: CheezWiz
Senior White Belt

  • Which WIndows Update is required? The linked article is not available anymore.
    • The original pdf is not there in the first link, but the hotfix link in the third paragraph is still good.
      • Yes, i used the hotfix, but the certification window is still shown, so i wanted to check the required windows update you have described.
        Can you please give me the KB***-number?
      • dorak, that hotfix and distributing the publisher certificate via GPO is what fixed it for us. The windows update is the one mentioned in the string of conversation further down the page: https://support.sonicwall.com/sonicwall-secure-mobile-access/kb/205362 as it is quite old, It had come down to all of our machines via standard patching practice. You most likely already have it out there.
      • dorak, Just verified, Thank goodness for email archives: "I seem to have found a solution to this.
        We had found numerous articles, even one on your site, touting the importance of installing KB3033929:
        https://support.sonicwall.com/sonicwall-secure-mobile-access/kb/205362

        However, we already had that installed on our systems. I kept looking for issues with SHA-256 signing after installing that patch and came across this article:
        http://www.commprod.com/ININ/Blog/2016/March/~/media/Images/ININ/blog/3-10-16-CIC-troubleshooting.pdf

        Which also mentioned the need for a hotfix KB2921916

        It thoroughly explains the need for both in order to achieve silent deployments of SHA-256 signed drivers in Windows 7."

        So it was just the Patch from their helpdesk article and the Hotfix, plus distributing the publisher cert.
      • I've checked the windows update, it is already installed.

        Although i've got the windows update, installed the hotfix and inserted the certificate, the problem was showing up at two different test clients.

        But now i've testet the whole installation process on an new test client and it worked. I think there were some bad settings on the first two test clients.

        My Problem is solved, thanks for your help.

All Answers

1
What OS are you installing onto?

The same trick should still work, the installer is a MSI - I just googled it and downloaded, but not played with it yet.

What issue are you having?

Updated: Just tested it, works fine, just import the cert before the silent install.
Updated again: see above, good work CheezWiz.

Answered 09/21/2016 by: rileyz
Red Belt

  • Windows 7 x64 and i tested it with psexec to perform as LocalSystem. What is the name of the certificate? The goal of this is to perform the installation from a task sequence in SCCM 2012.
    • Just do a normal GUI install on the msi, then pull the cert yourself. Check out this link as it will give you an idea: http://www.itninja.com/blog/view/app-v-5-and-drivers

      After that you can look at my script to see the command you need to run to import the cert as part of your TS.
      • Thanks
      • I just test the script provided and the certificate is installed in TrustedPublisher with the name "Dell Software .Inc" Deliver by "Symantec Class 3 Extended Validation Code Signing CA - G2" and expire the 2018-04018, but when i run the gui again the driver is not trusted. Maybe i do not export the right certificate?
      • Dont use my script to import, create your own script - mines created for app-v and drivers. That aside, is the cert in the computer account - Trusted Publishers?

        If it is, then the next thing to check is the trust chain, I did notice that the cert had a root auth issue, so you might need to add the root cert to fully auth complete the auth chain.

        Anyway, you should have enough info to complete what you need to do now, good luck.
      • Yes the cert is in the Trusted Publisher
        I cannot find which root certificate i need to add in the root.
        Currently i have Symantec Class 3.... and Verisign Class 3...
  • Hi, Did you need to install all 3 certs manually for the installation to run? I only installed the new cert as with previous versions but still getting the prompt.
  • I did exactly the same as I did for version 8.0.238 but still getting the prompt. Any ideas?
    • Same here. Not like I have not done this before for epson printers and Virtual box, Importing the cert just does not work with this! We are trying to install 8.0.241. Both the MSI installer which is signed by Dell and the EXE installer that comes off the portal page and is signed by SonicWall fail with this method on Windows 7 Ent.
      • Have you checked this? Maybe the cert is SHA256 and its not able to use it because of this bug.

        Update: I just checked the cert and it is SHA256.

        https://support.sonicwall.com/sonicwall-secure-mobile-access/kb/205362
      • Not sure why I have no reply button under your post rileyz, but we had added that patch to our base images way back in 2015. Unfortunately, not that simple.. 8( Hopefully support will have an answer. I will update here with what they tell me.

        Additionally, the signing cert for the exe installer they present on the portal page of the device is sha1 and it still has the same issue.
      • That's a ITninja quirk, just look up for the first reply button and it will shove the post at the bottom. Humm intriguing, Im going to download it and have a look - Challenge Accepted! btw, you should check out AppDetails.com, I'll be retiring from this site soon and heading over there.
      • *Shrugs, just tested it with NetExtender.Windows.8.0.241.MSI signed 6 Jan 2016 8:37:04pm and cert serial number 44 f1 59 ba 29 1d bd fb e9 29 16 47 12 bd 66 81. Works fine for me with Windows 7 fully patched. Have you downloaded the patch just to apply it to ensure its installed?
      • I am there with you on AppDetails! Thanks for sharing that. Had not seen it yet.

        Well thanks for giving it a shot.
        Just so you know I am not crazy, a pic is worth a thousand words: https://drive.google.com/file/d/0B_nRTFXI0vHJRzFNUFhTT0VVYzQ/view?usp=sharing

        That Oracle cert works fine to get past a driver prompt for VurtualBox, but it is a SHA1. That certainly seems to point to what you found about sha256 certs.

        I will try applying the patch again, just in case (edit: says it is already installed). I am trying to determine if there are any GPOs that could affect this that have been applied at some level to our domain as well.

        We are also seeing the same behavior on Windows 10 and 8.1.
      • FOUND THE SOLUTION!
        There is a hotfix for this!
        Came across this article: http://www.commprod.com/ININ/Blog/2016/March/~/media/Images/ININ/blog/3-10-16-CIC-troubleshooting.pdf

        Which points to this hotfix: https://support.microsoft.com/en-us/help/2921916/the-untrusted-publisher-dialog-box-appears-when-you-install-a-driver-in-windows-7-or-windows-server-2008-r2

        Installing that hotfix allowed it to work on Windows 7!
      • Good work CheezWiz, think everyone has had a go at getting this resolved. Blah to HF and under the radar, guess that's Microsoft for you.
      • No joke rileyz, thanks for pointing me in the right direction! Not sure I am liking the layout of the other site. I really liked appdeploy back before it became what it is now. I'm old though... lol
0
For me this is working fine to our windows 10 clients, but not to windows 7, they fail at 
Error: Install NIC - UpdateDriverForPlugAndPlayDevices failed
I'm using a Win 7 created cert for the Win7 deployment and a Win 10 created cert for the Win 10, originally I was using the Win 10 cert for both, but neither method is working on Win 7
Any ideas?
Answered 01/12/2017 by: clintoj
White Belt

  • Same here. Not like I have not done this before for epson printers and Virtual box, Importing the cert just does not work with this! We are trying to install 8.0.241. Both the MSI installer which is signed by Dell and the EXE installer that comes off the portal page and is signed by SonicWall fail with this method on Windows 7 Ent. I have opened a support ticket with Sonicwall. Anyone else having this issue ever find a way around it?
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ