Configure Chrome for ADFS Single Sign On

In order to allow chrome to pass credentials to web services linked to ADFS, you can just add the Fqdn of your adfs server to the following chrome policies.



both values are Strings (Reg_SZ)

enter the values without protocol information:

Note that if you do not use Chrome ADM files to manage the entries via GPO, you can still use the entries by entering the paths manually (as administrator).

The key to create (if you don’t use Gpos) is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome


Cannot install Print driver – A policy is in effect on your computer…

In our test environment, after installing KB3170455 on client computers, I would not be able to install the print driver from the internal print server and would get this error message.

Although uninstall of the KB from the client would in most cases fix the problem, this is not an acceptable solution. After checking what was effectively happening, I found out that the driver was no more considered a Packaged driver by the client and thus failed to install. The issue was not happening on a patched Server with the same client config.

Applying kb3000850 to the Windows 2012r2 server fixed the problem.

see,-2016 for more info.



Java JRE 1.8 upgrade and removal tips




Java is a big family (really ?)

Java JREs are made available through what Oracle calls “Families”: actual families would be 1.7 and 1.8, which are also referred to as Java 7 or Java 8 respectively.


Each updated package would have a specific version, such as 1.8.112.



Default installation folders:


For version 1.7, the default installation folder for 32 bits version is Program Files (x86)\Java\jre7. If you install version 1.7.51 on top of 1-7.45, the previous version will be entirely replaced by the newer one in the very same jre7 folder.

For actual version 1.8,  the default installation folder is Program Files (x86)\Java\jre1.8.0_111 and  if you install version 112 on top of this one, it will use its proper folder, jre1.8.0_112. This means that Installation of new versions of Java JRE do not fail anymore when Internet Explorer or Firefox are opened. Just need to be carefull when Uninstalling them though… !


Install modes: Normal vs Static

When you install a JRE by default it installs under “normal” mode.

You can alternatively install the JRE by specifying STATIC=1 on the command line, which would make the package Static, which means it won’t be removed if you update to a later version of the SAME Family.

While for version 7 you could detect if the installation was done as Static based on the folder path, this is no longer the case as version 8 uses full path for all types of installation (version 7 static would install not in JRE<n> folder but in JRE<version>, ie JRE1.7.0_45 for instance instead of JRE7)

You will need to check the registry:

HKLM\Software\Wow6432Node\Javasoft\Java Runtime Environment\1.7.0_045\MSI\

verify the Mode (S equals Static). If Mode is not set, then the install is standard.

This is also true for version 8, so do not think that since the installation folder is the one also used by static install, this becomes a static installation automatically. If you need a static install you need to specify it in the config file, ie STATIC=Enable.


Use of the Java Setup installer instead of -extracted- MSI

With the recent versions of the Java Jre (8.xx), Oracle has decided that you should not use the extracted Msi anymore for install and recommends to use the setup with a config file for the deployment.


Issues with the command line installer


The setup being a command line that spawns subprocesses, it is advisable to force your deployment script to wait for the setup to finish before it continues with other things. When using the Sccm application model for instance, the check for installation success would be made before it actually finishes and trow an error message.


Once your have created your config file, you need to refer to it by full path in order for the program to find it. This is particularly important with Sccm where you usually use relative paths. A better option might be to pass the arguments to the command line at launch instead of though a config file.

Removal and automatic removal of previous versions

When you install a higher version number of the Same Family on the same machine, the previous version will be replaced entirely.

You can install different families on the same machine without having the other family removed, ie upgrading 1.8.111 to 1.8.112 would remove 1.8.111 but not an exising 1.7.45 version for instance.

First note that there is no change concerning Static installs, those are not replaced during installation of more recent versions.

By default, the removal of previous versions is automatic and targets the versions to be removed based on a web page accessed during the installation. In an enterprise environment, though, you are most likely to use a system account or not have web access with the account running the installation, so the removal will not work.

You can use workarounds in order to detect which versions are installed and remove them before you install the latest version.

Note that since the installation will now use a separate folder for install in all situations, install failures will be minimized. You don’t need to stop Internet Explorer or Firefox in order to upgrade Java anymore.


Uninstalling Flash Player will reset mms.cfg

While some people have decided to get rid of Flash Player all together, most of us still need to provide the updates to our clients.

The deployment can be easy or not, depending of the update package itself, so I usually test before deploying anything.

When things go wrong, it is sometimes necessary to uninstall flash player and reinstall it.

One side effect of this is that the uninstall will mess with your mms.cfg file: see the note from Flash deployment guide below…


Beginning with Flash Player 11.5, uninstalling the Flash Player resets the AutoUpdateDisable and SilentAutoUpdateEnable settings in mms.cfg to their default values, which are:

  • AutoUpdateDisable=0
  • SilentAutoUpdateEnable=0

If you are running the Flash Player uninstaller as part of your deployment process, redeploy any custom changes that you have made to either AutoUpdateDisable or SilentAutoUpdateEnable.


So make sure you don’t uninstall the previous version of Flash Player “just to be safe” when you upgrade, or at least, verify that the mms.cfg file you use is properly redeployed to your clients after the update.

Wmi Win32_Product alternative for Sccm users

In order to query the list of installed programs on computers, you will often find resources on internet pointing

to the Wmi class Product.


Even though this class seems to just query the Msi repository to get you the results you are looking for, it will effectively start a Msi repair to get the result. If for whatever reason a package source is missing you will get an error message.

You can find more information about this issue here:

You can use the vbs script from Darwin Savoy or change your script to use Win32reg_addRemovePrograms as recommended by Microsoft.


If you use SCCM, you have another option, which is to use the spécific Sms_InstalledSoftware Class (see below).


get-wmiobject -Namespace ‘root\cimv2\sms’ -Class Sms_InstalledSoftware | Where {$_.ProductName -match “Java”} | |%{$_.ProductName}


wmic /namespace:’\\root\cimv2\sms’ Path Sms_INstalledSoftware where “ProductName like ‘%Java%'” get ProductName

I just wonder how many people are still using this class as of today and why Microsoft did not fix this behaviour yet…


Adobe CC PDapp error, Licensing issues and Disk space eaten by logs

One customer reported having problems when launching Adobe CC applications. Launching any application would cause a popup error to appear, and after clicking OK, some applications would start while most would not.


Once opened, the applications that could run would report that they were soon reaching the end of the trial period for the Adobe CC components.

At server level, the license would be shown as Active for this same user, so I knew there was nothing wrong at that level.

After searching a bit, I found out that PDapp.exe is in fact a module that is being used for checking updates. Even though we had disabled checking the updates in our package, it seems that the module was crashing before being able to read the config.

I found a suggestion about upgrading Apple Application Manager component on Adobe forums and gave it a try. After the upgrade, the licensing check started and the applications were again available and properly licensed.


On a side note, when looking at the logs i found that Adobe CC and specifically PDapp.exe had created dozens of files in the user profile, in this folder:

C:\Users\YourUserNameHere\AppData\Local\Temp\  (PDapp***.log)

I had to delete about 35 GB of logs. I will need to see if those come back now that the problem has been resolved, but if you use adobe products and your disk space is shrinking, you know where to look.



Firefox: Prevent Access to MarketPlace

In order to prevent your enterprise users to go to MarketPlace in the latest versions of Firefox, use the following setting in mozilla.cfg

// Disable Firefox MarketPlace
lockPref(“browser.apps.URL”, “\”\””);