Invoking PDQ Deploy from MDT

Hey all, here’s a slick little script that I use to start PDQ Deploy deployments during an MDT imaging. PDQ Deploy does not currently have an officially sanctioned and documented way to kick off deployments remotely (ask their support team for more info on that), but it can be done.

netsh advfirewall set allprofiles state off
ipconfig /registerdns

psexec.exe \\pdq.host.fqdn -h -accepteula ipconfig /flushdns
psexec.exe \\pdq.host.fqdn -h -accepteula pdqdeploy.exe Deploy -Package "New PC Setup" -Targets $env:COMPUTERNAME

start-sleep 30
while(test-path "C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock"){
 start-sleep 30
}

So, let’s look at this step-by-step:

netsh advfirewall set allprofiles state off
ipconfig /registerdns

This turns Windows Firewall off for every profile (domain, private and public) on the machine you’re imaging, so it can’t block PDQ Deploy from connecting. Nothing later in the script turns it back on. Then it tells the machine to register itself with DNS. This is so PDQ Deploy can look it up via hostname for the deployment. If your DNS is broken you have bigger issues.

psexec.exe \\pdq.host.fqdn -h -accepteula ipconfig /flushdns
psexec.exe \\pdq.host.fqdn -h -accepteula pdqdeploy.exe Deploy -Package "New PC Setup" -Targets $env:COMPUTERNAME

This section flushes the DNS cache on the PDQ Deploy server so that it has a fresh and accurate DNS entry (which we just registered prior) for the target machine. Then, it uses psexec to start pdqdeploy.exe, telling it to deploy a package by the name of “New PC Setup” (you can change this to whatever package you want), targeting $env:COMPUTERNAME, which is the machine being imaged.

start-sleep 30
while(test-path "C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock"){
 start-sleep 30
}

Lastly, this is the cute part. The script sleeps for 30 seconds while the deployment is going on. This gives the PDQ Runner service time to connect and start doing its thing. Part of its thing is creating a file called service-1.lock that is present as long as the PDQ deployment is still in progress. We check whether this file exists and re-check every 30 seconds. Once it’s gone, that means the PDQ deployment is complete and MDT can move on to the next step.

Notes here:

  • You need a copy of psexec in the Scripts folder of your DeploymentShare. You will want to do a command step in your MDT task sequence to copy it somewhere useful on the target machine, like so:
xcopy "%SCRIPTROOT%\PsExec.exe" "C:\WINDOWS" /Q /H /E /I /Y
  • pdq.host.fqdn should be the FQDN of your PDQ Deploy server.
  • MDT normally runs commands as the local admin account on the machine being imaged, but appears to run some things (like this step) as either the user defined in customsettings.ini or bootstrap.ini (not sure which currently). With that said, you’ll need to ensure that the defined account is registered as a console user within PDQ Deploy.
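
Here is the same flow as an added example (it is not the original post's script): it puts the firewall profiles back the way it found them and bounds both waits on the lock file. The two timeout values and the meaning of a non-zero exit code from pdqdeploy.exe are assumptions.

```powershell
# Added example, not the original post's script: same flow, but the firewall
# state is restored afterwards and the wait cannot hang the task sequence.
$PdqServer = 'pdq.host.fqdn'           # placeholder, as in the post
$Package   = 'New PC Setup'            # package name from the post
$LockFile  = 'C:\Windows\AdminArsenal\PDQDeployRunner\service-1.lock'
$StartWait = New-TimeSpan -Minutes 5   # assumption: max time for the runner to start
$RunWait   = New-TimeSpan -Minutes 90  # assumption: max time for the deployment

# Record which profiles are on right now so only those get turned back on.
$wasEnabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object { $_.Name })
try {
    netsh advfirewall set allprofiles state off | Out-Null
    ipconfig /registerdns | Out-Null

    psexec.exe "\\$PdqServer" -h -accepteula ipconfig /flushdns
    psexec.exe "\\$PdqServer" -h -accepteula pdqdeploy.exe Deploy -Package $Package -Targets $env:COMPUTERNAME
    # PsExec hands back the remote process's exit code. Treating non-zero
    # from pdqdeploy.exe as a failure is an assumption.
    if ($LASTEXITCODE -ne 0) { throw "pdqdeploy.exe exited with code $LASTEXITCODE" }

    # Phase 1: wait for the runner to create the lock file.
    # A package that finishes between two polls would trip this check.
    $deadline = (Get-Date) + $StartWait
    while (-not (Test-Path $LockFile)) {
        if ((Get-Date) -gt $deadline) { throw "PDQ runner never created $LockFile" }
        Start-Sleep -Seconds 5
    }
    # Phase 2: wait for the lock file to go away again.
    $deadline = (Get-Date) + $RunWait
    while (Test-Path $LockFile) {
        if ((Get-Date) -gt $deadline) { throw "Deployment still running after $RunWait" }
        Start-Sleep -Seconds 30
    }
}
finally {
    # Runs on success, failure and timeout alike.
    if ($wasEnabled.Count -gt 0) {
        Set-NetFirewallProfile -Name $wasEnabled -Enabled True
    }
}
```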

Update 04/02/2018: The PDQ blog has a great entry (that I wrote) that goes into more detail about this and a couple other methods of skinning this cat. I also hosted a webcast on the subject.

Deploying Encompass SmartClient with PDQ Deploy

I work in the financial services industry, and we’re no strangers to horrible software. I’ll talk about some of the other pieces in other posts, but as a starter, let’s look at Ellie Mae’s Encompass.

Encompass is a glorified web browser that connects to their API. Honestly, it doesn’t really matter how it does what it does. What matters to a sysadmin?

“What does it take to deploy? My company spent $XXX on PDQ Deploy/SCCM/flash drives for the poor sods who work our help desk.”

Joke’s on you, because not only do they not distribute a deployable installer, the one they do distribute is actually a download/install manager (with no silent/unattended switch) that requires local admin rights. That installer then downloads and runs a handful of other installers that actually install the Encompass SmartClient. Did I mention that run-as doesn’t work either?

I work for a company of about 300 and am part of a 3-man IT department. Going desk to desk, interrupting users, switching accounts, and installing this was not going to happen (to say nothing of the hundred or so users who are out of state or work remotely). This is the solution I came up with. It’s not especially pretty, but it more or less works. The one prerequisite not included in this is .NET Framework 3.5. Make sure you have that or it won’t start.

  1. Download and run the Encompass installer from elliemae.com/getencompass360. You’ll need to run this from an account with local admin rights. Once you hit install for the “Encompass Prerequisite”, it’ll run the install manager and start downloading executables. From there, you can grab the installers for the constituent components from %LOCALAPPDATA%\Applications\. These will change, but here’s a copy of what our package tree looks like right now. Also included is a sanitized export of the PDQ Deploy package .xml file. You’ll need to replace “YOUR_PDQ_DEPLOY_SHARE.COMPANY.TLD” with the appropriate path. If you can’t afford/use PDQ Deploy, here’s a batch script to install everything. Sorry, PowerShell purists. I’m lazy. Run it in the encompass_install folder.
    @ECHO OFF
    ECHO Installing Encompass SmartClient and prerequisites:
    ECHO Installing Visual Studio (1/6)...
    START /wait msiexec.exe /i "VC2005SP1\vcredist_x86\VCREDI~3\vcredist.msi" ALLUSERS=1 /qn /norestart /log output.log
    ECHO Complete.
    ECHO Installing Anyuni PDF Converter (2/6)...
    START /wait PdfConverter\Install.exe -s
    ECHO Complete.
    ECHO Installing Encompass Document Converter (3/6)...
    START /wait BlackIce\DocumentConverter.exe /s
    ECHO Complete.
    ECHO Installing EPD Converter (4/6)...
    START /wait EPDInstaller\EPDInstaller.exe /qn /norestart
    ECHO Complete.
    ECHO Installing SmartCore Base (5/6)...
    START /wait sccoreinstaller\sccoreinstaller.exe /qn /norestart /log sccore.log
    ECHO Complete.
    ECHO Installing SmartCore Client (6/6)...
    START /wait encsc\encsc.exe /qn /norestart /log core.log
    ECHO Complete.
    ECHO Importing Encompass SmartClient registry settings...
    START regedit.exe /s encompass.reg
    ECHO Complete.
    PAUSE
  2. Since I didn’t have a convenient little bundle to deploy, I used a combination of USSF and brute force to figure out the silent switches for everything. Most of the installers break down to .msi files, so it’s not as bad as you’d think. In the PDQ Deploy package, I’ve also added switches to write log files for each step.
  3. You’ll need to either have your users enter the client ID themselves or add it to the registry. I recommend not giving them the opportunity to break anything. Here are the keys to add (we did it through group policy):
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Ellie Mae\SmartClient\C:/SmartClientCache/Apps/Ellie Mae/Encompass]
    "AuthServerURL"="https://hosted.elliemae.com"
    "SmartClientIDs"="XXXXXXXXXX"
    "AutoSignOn"="1"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Ellie Mae\SmartClient\C:/SmartClientCache/Apps/Ellie Mae/Encompass]
    "AuthServerURL"="https://hosted.elliemae.com"
    "SmartClientIDs"="XXXXXXXXXX"
    "AutoSignOn"="1"

    Replace XXXXXXXXXX with your client ID.

  4. From here, you should be good to run. The first time you open the client after entering the client ID, it’ll take a minute or so and update itself. Once this is complete, the client should be usable.