Network Deployment and Pre-Configuration

This topic covers various ways that customers can deploy USB over Network to computers over a network.

Administrative rights are required to install the program!

Administrative Installation

An administrative installation is the first step in preparing an MSI installer for deployment over a network.

To invoke an administrative installation, you use the /a command line switch. For example:

msiexec /a "usb-over-network-server-64bit.msi" TARGETDIR="C:\SharedFolder"

Once the admin install is deployed to the shared folder, there are a number of ways that it can be used to install the product onto a workstation: pulled interactive installs from the workstation, non-interactive (aka "quiet") installs from the workstation, or pushed installations using tools such as Active Directory and PSEXEC.

Manually launch the installer on the client

One easy way to pull the installation from an administrative image is to run it manually. This involves sitting at the client machine and launching the installation interactively from the site on which it is being shared.

The main advantage of the manual install method is that you can choose the options desired during the installation, such as the path to which you want the program to be installed and desired shortcuts.

Launch the installer on the client using "quiet" mode

This command will install Server:

%Comspec% /c msiexec /i usb-over-network-server-64bit.msi /qn ADDLOCAL=ALL

This command will remove Server if installed:

%Comspec% /c msiexec /x usb-over-network-server-64bit.msi /qn

Here's an explanation of the arguments used the command-line example above:

%Comspec%
This is an environment variable provided by Windows. It points to the command interpreter, cmd.exe.
/c
This is a switch passed to cmd.exe telling the shell to wait until the msiexec.exe command completes before proceeding. Without this switch, the shell will execute subsequent commands before the current command finishes.
msiexec.exe
Windows installer runtime. When you double-click on an msi file (e.g. foo.msi) you are implicitly running "msiexec /i foo.msi".
/i
Instructs MSIEXEC to install the .MSI listed after the switch. There is an /x switch that uninstalls the .MSI specified after the /X switch.
/qn
Specifies a UI level for the action. "/qn" specifies no UI whatsoever, suppressing all prompts and therefore useful for silent installations. When attempting to debug, you can switch this to "/qb", which will display basic modal dialogs.

For further details about command line options available for msiexec, please refer to Command-Line Options in the MSDN Library.

Public properties configurable in MSI

There are several public MSI properties with which you can configure USB over Network.

Property name Description
CHECK_FOR_NEW_VERSION Check for new version periodically. If this property is present and contains 0, the program will not check for new version.
INSTALLMENUSHORTCUTS Install shortcuts in Start menu. Remove this property to prevent installing shortcuts.
INSTALLDESKTOPSHORTCUTS Install shortcuts on Desktop. Remove this property to prevent installing shortcuts.
OPEN_URL Open quick start and uninstall URLs at the end of install and uninstall. If this property is present and contains 0, URLs will not be open.
ADDLOCAL Components to be installed. Available values: Drivers_srv_f, User_srv_f.
REMOVE Components to be removed. Available values: Drivers_srv_f, User_srv_f.
LICENSE_KEY License key. Double quoted, single-line string.
LICENSE_SERVER_PATH Network address of the License Server. If this property is set, license checkout will be performed via the License Server. Double quoted, single-line string.
LICENSE_SERVER_PORT TCP-port of the License Server. Number, 33033 by default.

Configuring properties via command line

Here's an example of the command line syntax you can use to override the default values of these public properties:

%Comspec% /c msiexec /i "\\network path\usb-over-network-server-64bit.msi" CHECK_FOR_NEW_VERSION=0 OPEN_URL=0 INSTALLDESKTOPSHORTCUTS=""
CHECK_FOR_NEW_VERSION=0
Never check for new version;
OPEN_URL=0
Do not open quick start URL;
INSTALLDESKTOPSHORTCUTS=""
Do not place program shortcuts on desktop upon installation.

Configuring properties via VBS script

Here is a sample Visual Basic Script that sets CHECK_FOR_NEW_VERSION and OPEN_URL to 0.

Being changed, MSI file becomes unsigned!

'InjectProperties.vbs

Const MSIDBOPEN_DIRECT = 2
Const ForReading = 1

Dim WI, DB, View

argCount = Wscript.Arguments.Count

If (argCount < 1) Then
   Wscript.Echo "USAGE: InjectParameters.vbs <file.msi>"
   Wscript.Quit 1
End If

'Update PROPERTY table
Set WI = CreateObject("WindowsInstaller.Installer")
Set DB = WI.OpenDatabase(WScript.Arguments(0), MSIDBOPEN_DIRECT)

'Do not check for new version
Set View = DB.OpenView("DELETE FROM Property WHERE Property.Property='CHECK_FOR_NEW_VERSION'")
View.Execute
Set View = DB.OpenView("INSERT INTO Property(Property,Value) VALUES ('CHECK_FOR_NEW_VERSION','0')")
View.Execute

'Do not open URLs
Set View = DB.OpenView("DELETE FROM Property WHERE Property.Property='OPEN_URL'")
View.Execute
Set View = DB.OpenView("INSERT INTO Property(Property,Value) VALUES ('OPEN_URL','0')")
View.Execute

DB.Commit
View.Close

How to install on multiple systems using Push techniques

When dealing with just a few machines, you might prefer to sit at each one, log in using an account that has local administrator rights for that machine, and run a generic batch routine posted to the network share.

However, this becomes time consuming when you have more than just a few machines. All of the methods described so far fall into the category of "pull" type installs, for which you use the client machine to pull the installer down from the server. Next we'll switch to a discussion of "push" type installs, in which you push the installation to client machines, using either a server or another workstation used for this purpose.

There are many commercial tools on the market for facilitating enterprise level software installation. One of the most commonly used tools is Microsoft's Active Directory, included with Windows Server. It is beyond the scope of this paper to cover installations with Active Directory, but Windows Server Active Directory at Microsoft.com contains details about it if that is one of the scenarios you will be using.

For this discussion, we're not going to assume that you have an enterprise server available, and will instead describe some freeware tools you can use to push installs over a network using either workstations or servers. Here are the two tools we'll be describing:

  1. AT or SOON commands to schedule processes.
  2. PSEXEC or similar tool to "push" batch routines.

Using AT or SOON to start a process at a workstation

AT is built into the command processor. The AT command schedules commands and programs to run on a local or remote computer at a specified time.

SOON is a version of AT with the advantage that instead of running processes at a specific time, it runs them 'soon,' given a delay (you don't need to know what time it is, useful when scripting). At the time of this writing, SOON.EXE is a free Microsoft download.

Here are examples of how you would run these commands:

AT <\\targetPC> 4:30 /INTERACTIVE<\\myPC\myShare\quietInstall.bat>

and

SOON <\\targetPC> 60 /INTERACTIVE<\\myPC\myShare\quietInstall.bat>

Executing processes on a remote system is an obvious security concern. There are two caveats with the above approach, both stemming from Windows security. First is establishing privileges at your desk system to start a batch routine on a remote system. Second is subsequently establishing privileges at the remote system to access network resources when running that batch routine. A quick way to test whether you have the first problem is to start a command prompt at your desk, assuming that you sit at myPC and the remote system is targetPC, and enter: AT<\\targetPC> or DIR<\\targetPC\C$>

If you see an "Access denied" message, you have to work around the first security issue.

Because most workstations will allow a network administrator access to their remote scheduling services and root drives, the simplest workaround is to log on at your desk using a domain administrator account (log on to myPC asdomain\domainadmin). If this is not an option, use an account that has local administrative privileges at each workstation.

Available options are:

  • Make a dummy account that has the same privileges as every other user account in your office, except that it is added to "administrators" pool on workstations (not servers).
  • Have your network administrator add your account to each workstations "administrators" group (not servers). Both of these can be achieved via Active Directory policies.
  • Design your batch routines so that your domain admin can run them from his desk, with the obvious shortcoming that you can't test them as easily while you write them.

If this discussion seems too complex for your immediate needs, skip to the next section, which introduces a shareware push application called PSEXEC.EXE

The second issue with AT or SOON is that once you get the batch routine to execute at the remote workstation, the remote station might not have access to network resources. That means the shell running your batch at targetPC might not have access to the network resource <\\myPC\myShare> .

This is perplexing, since targetPC most likely is logged in to a user account on your domain. However, when the command processor runs your batch routine through the scheduler, it executes with Local System privileges. The workaround is to add NET commands to your batch routine. When the batch routine executes with localsystem access, the batch routine itself opens a privilege pipe to the network resource you're after. That looks something like this:

net use * <\\myPC\myShare> /user:domain\username password /persistent:no

Using PSEXEC to start a process at a workstation

Another alternative to using AT and SOON is PSEXEC. In many situations, PSEXEC is easier to work with, because it collapses the two Windows security issues into just one: "Can PSEXEC.EXE execute a command at the remote system or not?"

At the time of this writing, PSEXEC.EXE is a freeware download from Sysinternals.

Running of the batch routine at a workstation using PSEXEC looks like this.

psexec \\targetPC -u domain\username -p password -i -c -f \\myPC\myShare\quietInstall.bat

In the example above, domain\username has local administrative privileges to that machine.

If it is simply not an option to create an account that has local admin privileges on the workstations, then your sysadmin will have to run AT, SOON or PSEXEC for you. You can set up this line to accept arguments, so that when you supply your domain admin with a batch routine, she can run it with her domain\username and password as arguments:

psexec \\targetPC -u %1 -p %2 -i -c -f \\myPC\myShare\quietInstall.bat

Using perl to run the batch routine on many systems

Here is a sample PERL routine that uses AT to schedule a batch routine. The machinelist.txt is a simple text file in this format:

# begin contents of \\myPC\myShare\machinelist.txt
targetPC1
targetPC2
targetPC3
# end contents of \\myPC\myShare\machinelist.txt

Here is a sample Perl routine that parses the list of workstations above to install the program at each of them:

# begin contents of \\myPC\myShare\\machineLoop.pl
open (FILE, "< machineList.txt");

@lines = <FILE>;
@lines = reverse(@lines);
print "\n";
while ($line = pop @lines) {
    chomp($line);
    $cmdline = "AT \\\\$line 12:00 /INTERACTIVE '\\\\myPC\\myShare\\quietInstall.bat'" ;
    print "Running: $cmdline\n";
    system ("$cmdline");
}
close FILE;
# end contents of \\myPC\myShare\many.pl

Optional exercise: you could alter this sample script in Perl or Python to use SOON.EXE or PSEXEC instead of AT.