Deploy OpenVPN with SCCM

[VertigoRay]

I'm attempting to deploy OpenVPN with SCCM to a set of users on WinXP SP3 x86. Unfortunately, the installer seems to fail when being run silently (openvpn-2.2.0-install.exe /S) as the System account. I don't believe that Driver Signing is the issue. I'm using DriverSigning-Off.exe & DriverSigning-On.exe as found on the reboot.pro forum (http://bit.ly/jlpBO9).

Code: Select all

C:\Temp>driversigning-off
RegOpenKey sucess
RegQueryValue sucess
Seed=543f9f7b
Hello, World
CryptAcquireContext complete.
An empty hash object has been created.
The data has been hashed.
The data has been hashed.
The hash has been retrieved.
Hash: 1a 37 c3 28 15 a8 2d fd 84 cd e 64 c9 f7 a1 fb
Create md5 hash completed without error.
RegOpenKey sucess
RegSetValueEx sucess
RegOpenKey failure
RegSetValueEx failure
RegOpenKey sucess
RegSetValueEx sucess

Those two failures at the bottom would bug me if the output wasn't identical to the Local Admin.

The three commands that work as the Local Admin are:

Code: Select all

DriverSigning-Off.exe
openvpn-2.2.0-install.exe /S
DriverSigning-On.exe

When the commands run as NT Authority\System, install.exe fails to exit. It simply hangs before installing the TAP driver. Unfortunately, I don't know where the install.exe log file is (if there is one), and am kind of stuck without being able to get some feedback. Has anyone had similar issues?

Note: I've tried both options provided by http://wpkg.org/OpenVPN ... neither are successful.

[Yamaha]

Hi @all!
We want to using OpenVPN for our mobile Clients (Win7 Laptops)
For installing we want to use SCCM 2012 R2 and the MSI packages of OpenVPN.
So i created an Application and put the MSI package in this Application.
But when i am deploying a new computer or distrubute this Application to an existing
computer, it fails. Is there any command line paramteres for this MSI-Package?
Thanks for Info!
BR Jürgen

[VertigoRay]

"it fails" ... that's pretty vague. Supply error codes and logs if you want to avoid a lot of back and forth when asking for support like this. Especially with SCCM.

If you want to see what SCCM is doing, I suggest you use psexec to open a CMD as the System, then run your command line without the silent switch. Additionally, you could use the msi `/log` switch to spit out a log file and submit the log file here and I (we) could tell you exactly what's going on. Also what error is the SCCM client giving you? More importantly, what error is listed for the client in the depoyment status on the server?

I'm using the exe for 2.3.2 because I have to support the MI GUI to allow users to authenticate to the service, since this isn't (wasn't; I don't re-investigate regularly) a thing in OpenVPN normally. Silent install with the .exe is done as shown:

Code: Select all

openvpn-install-2.3.2-I001-i686.exe /S

Unfortunately, this is a bit of a simplification since

[VertigoRay]

This forum keeps truncating my post, so you get two posts!

Unfortunately, this is a bit of a simplification since I have multiple steps to install, but this discussion is about silent installation, so I'll stick to that. I should also mention that the cert used to sign the driver is not trusted -- this is most likely where you are failing. You have to add the OpenVPN Certificate to the TrustedPublishers. Here's the Win7 code for that:

Code: Select all

certutil -addstore TrustedPublisher ".\OpenVPN Certificate.cer"

I don't remember where I got the .cer file, but I'm sure Google can help you with that.

[Yamaha]

Thanks for your answer!
I can install this msi install package on every Computer (Admin rights given) without errors.
In SCCM Reports i found errors:

Code: Select all

14.04.2014 14:39:31	29	Install OpenVPN Client		11903	The task sequence execution engine failed to install application that was specified in the 'Install Aplication' action.	16389	App - OpenVPN ClientScopeId_502C4957-1344-4151-AE84-CAAF26AA377F/Application_9a39564d-d2d5-4bf5-8190-5becaf32a0c1
14.04.2014 14:39:32				11135	The task sequence execution engine failed executing an action	0	
14.04.2014 14:39:32	29	Install OpenVPN Client	Install Software	11135	The task sequence execution engine failed executing an action	-2147467259	... 2d5-4bf5-8190-5becaf32a0c1'=''
Completed installation job.
Step 2 out of 2 complete
Sending error status message
   Setting URL = http://DE******.*****.local, Ports = 80,443, CRL = false
   Setting Server Certificates.
   Setting Authenticator.Set authenticator in transport
   Setting Media Certificate.
Sending StatusMessage
Setting message signatures.
Setting the authenticator.
CLibSMSMessageWinHttpTransport::Send: URL: DE*****.*****.local:80  CCM_POST /ccm_system/request
Request was successful.
hrInstallation, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\installapplication.cpp,899)
pInstall->InstallApplications(saAppNames, sContinueOnError), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installapplication\main.cpp,277)
Install application action failed: 'App - OpenVPN Client'. Error Code 0x80004005
Install application action cannot continue. ContinueOnErrorFlag is set to false.
Install Static Applications failed, hr=0x80004005
14.04.2014 14:39:32				11141	The task sequence execution engine failed execution of a task sequence	-2147467259	
14.04.2014 14:39:32				11141	The task sequence execution engine failed execution of a task sequence	0	
14.04.2014 14:54:45				11170	The task sequence manager could not successfully complete execution of the task sequence	0	
14.04.2014 14:56:03				10018	Program rejected (wrong platform)	0	

What me make wondering is the last entry: Program rejected (wrong platform) 0
Do you know where the log file for this deployment is stored? So i can post this, too!

Thank you!

BR Jürgen

[VertigoRay]

Log for the App: C:\Windows\CCM\Logs\AppEnforce.log

Looks like you're deploying this App within a Task Sequence. I'm not sure why you're doing that, but I'm assuming it's part of an OS deployment. Going with that assumption: you're probably attempting to install OpenVPN into WinPE and not the base OS; which is why you're getting the . You should probably make sure you've rebooted to the OS after the wrong platform error. If you can't figure out the order of operations in the TS, I suggest you just install the OS and tack this App on as a required application for post OS deployment.

[Yamaha]

Thank you for your answer!

Log for the App: C:\Windows\CCM\Logs\AppEnforce.log

Looks like you're deploying this App within a Task Sequence. I'm not sure why you're doing that, but I'm assuming it's part of an OS deployment. Going with that assumption: you're probably attempting to install OpenVPN into WinPE and not the base OS; which is why you're getting the . You should probably make sure you've rebooted to the OS after the wrong platform error. If you can't figure out the order of operations in the TS, I suggest you just install the OS and tack this App on as a required application for post OS deployment.

Yes, the deploying of OpenVPN is part of an OS Deployment within a task Sequence. This was the log-file from the OS Deployment.
The other way is that i created a device collection and deployed OpenVPN Application to this device collection. When i putting a device into this collection, the
installation fails, too. I will check the log files and post this.

Thanks a lot

BR Jürgen