Visual Studio is primarily designed for installation from an internet-connected machine, since many components are updated regularly. However, with some extra steps, it's possible to deploy Visual Studio in an environment where a working internet connection is unavailable.
The Visual Studio setup engine will only install content that is trusted. It does this by checking Authenticode signatures of the content being downloaded and verifying that all content is trusted before installing it. This keeps your environment safe from attacks where the download location is compromised. Visual Studio setup therefore requires that several standard Microsoft root and intermediate certificates are installed and up to date on a user's machine. If the machine has been kept updated with Windows Update, signing certificates are automatically updated, and during installation Visual Studio will refresh certificates as necessary to verify file signatures.
For enterprises with offline machines that do not have the latest root certificates, an administrator can use the instructions here to update them. Alternatively, the necessary certificates are downloaded during the creation of a network layout to the certificates folder and can be manually installed by double-clicking the certificate file and then clicking through the certificate manager wizard. If asked for a password, leave it blank.
If you are scripting the deployment of Visual Studio in an offline environment to client workstations, you should follow these steps:
1. Copy the Certificate Manager Tool (certmgr.exe) to the installation share (for example, \\server\share\vs2017). certmgr.exe is not included as part of Windows itself, but is available as part of the Windows SDK.
2. Create a batch file with the following commands:
certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Code Signing PCA 2011" -s -r LocalMachine CA
certmgr.exe -add -c certificates\manifestSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Time-Stamp PCA 2010" -s -r LocalMachine CA
certmgr.exe -add -c certificates\manifestCounterSignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Code Signing PCA" -s -r LocalMachine CA
certmgr.exe -add -c certificates\vs_installer_opc.SignCertificates.p12 -n "Microsoft Root Certificate Authority" -s -r LocalMachine root
3. Deploy the batch file to the client. This command should be run from an elevated process.
certificates folder?
The three .p12 files in this folder each contain an intermediate certificate and a root certificate. Most systems that are current with Windows Update will have these certificates already installed.
ManifestSignCertificates.p12 contains:
ManifestCounterSignCertificates.p12
vs_installer_opc.SignCertificates.p12
certificates folder not installed automatically?
When a signature is verified in an online environment, Windows APIs are used to download and add the certificates to the system. Verification that the certificate is trusted and allowed via administrative settings occurs during this process. This verification process cannot occur in most offline environments. Installing the certificates manually allows enterprise administrators to ensure the certificates are trusted and meet the security policy of their organization.
One way to check on the installing system is to follow these steps:
If the certificate names were not in the Issued To column, they will need to be installed. If an intermediate certificate was only in the Current User Intermediate Certificate store, then it is only available to the user that is logged in and might need to be installed for other users.
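The same check can be scripted. The following is an added example, not part of the original page: it reads the three .p12 files from the layout and looks up each certificate by thumbprint in the Local Machine and Current User stores. The `$Layout` path is an assumption taken from the share used in the steps above.

```powershell
# Added example (not from the original page): compare the certificates shipped in the
# layout's certificates folder with this machine's trust stores, by thumbprint.
# Assumption: $Layout is the installation share used in the steps above.
$Layout = '\\server\share\vs2017'

$files = 'manifestSignCertificates.p12',
         'manifestCounterSignCertificates.p12',
         'vs_installer_opc.SignCertificates.p12'

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

$report = foreach ($file in $files) {
    $path  = Join-Path $Layout "certificates\$file"
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # The page says to leave the password blank for these files.
    $certs.Import($path, '', $flags)

    foreach ($c in $certs) {
        # Self-signed certificates belong in Root, all others in CA (intermediate).
        $store     = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        $inMachine = Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)"
        $inUser    = Test-Path "Cert:\CurrentUser\$store\$($c.Thumbprint)"

        $status = if ($inMachine)  { 'OK' }
                  elseif ($inUser) { 'CurrentUser only' }   # other users will not trust it
                  else             { 'Missing' }

        [pscustomobject]@{
            File     = $file
            Subject  = $c.GetNameInfo('SimpleName', $false)
            Store    = $store
            NotAfter = $c.NotAfter
            Status   = $status
        }
    }
}

$report | Format-Table -AutoSize

# When saved as a script, a non-zero exit code lets the deployment stop before setup runs.
if (@($report | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 }
```

Any row reported as Missing or CurrentUser only corresponds to a certificate that the batch file above still needs to add to the LocalMachine store.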
Having installed the certificates, deployment of Visual Studio can proceed offline without additional special steps, using the instructions here.
There are several options you can use to customize your network layout. You can create a partial layout that only contains a specific set of language locales, workloads, components, and their recommended or optional dependencies. This may be useful if you know that you are only going to deploy a subset of workloads to client workstations. Common command-line parameters for customizing the layout include:
* --add to specify workload or component IDs. If --add is used, only those workloads and components specified with --add will be downloaded. If --add is not used, all workloads and components will be downloaded.
* --includeRecommended to include all the recommended components for the specified workload IDs.
* --includeOptional to include all the recommended and optional components for the specified workload IDs.
* --lang to specify language locales.
Here are a few examples of how to create a custom partial layout.
vs_enterprise.exe --layout C:\vs2017offline --lang en-US
vs_enterprise.exe --layout C:\vs2017offline --lang en-US de-DE ja-JP
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --includeRecommended
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeRecommended --lang en-US de-DE ja-JP
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeRecommended
vs_enterprise.exe --layout C:\vs2017offline --add Microsoft.VisualStudio.Workload.Azure --add Microsoft.VisualStudio.Workload.ManagedDesktop --add Component.GitHub.VisualStudio --includeOptional
Administrators may deploy Visual Studio onto client workstations as part of an installation script. Or, users who have administrator rights can run setup directly from the share to install Visual Studio on their machine.
\\server\products\VS2017\vs_enterprise.exe
\\server\products\VS2017\vs_enterprise.exe --quiet --wait --norestart
When executed as part of a batch file, the --wait option ensures that the vs_enterprise.exe process waits until the install is completed before returning an exit code. This is useful where an enterprise administrator wants to perform further actions on the completed install (for example, to apply a product key to a successful installation) and needs to wait for the install to finish to handle the return code from that install. If you do not use --wait, the vs_enterprise.exe process will exit before the install is complete and it will not return an accurate exit code that represents the state of the install operation.
If you used the --wait parameter, then depending on the result of the operation, the %ERRORLEVEL% environment variable will be set to one of the following values:
Value | Result |
---|---|
0 | Operation completed successfully |
3010 | Operation completed successfully, but install requires reboot before it can be used |
Other | Failure condition occurred - check the logs for more information |
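A deployment wrapper that acts on these values, as an added example that is not part of the original page. It uses the share path and switches from the commands above, and checks the bootstrapper's Authenticode signature before running it; the messages and the placement of post-install actions are assumptions.

```powershell
# Added example (not from the original page): run the bootstrapper from the share and
# act on the exit codes listed in the table above.
$Setup = '\\server\products\VS2017\vs_enterprise.exe'   # path used in the page's example

# Refuse to run a bootstrapper whose Authenticode signature does not validate locally.
$sig = Get-AuthenticodeSignature -FilePath $Setup
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature check failed for ${Setup}: $($sig.Status) $($sig.StatusMessage)"
    exit 1
}

# --wait keeps the bootstrapper alive until the install finishes, so its exit code
# reflects the install itself; -Wait -PassThru lets PowerShell read that code.
$setupArgs = '--quiet', '--wait', '--norestart'
$proc = Start-Process -FilePath $Setup -ArgumentList $setupArgs -Wait -PassThru

$rebootNeeded = $false
switch ($proc.ExitCode) {
    0       { Write-Output 'Install completed.' }
    3010    { Write-Output 'Install completed; reboot required before use.'; $rebootNeeded = $true }
    default {
        Write-Error "Install failed with exit code $($proc.ExitCode); check the logs."
        exit $proc.ExitCode
    }
}

# Post-install actions (the page's example: applying a product key) belong here,
# so they only run after one of the two success codes.

if ($rebootNeeded) {
    # --norestart was passed, so the restart is left to the deployment tooling.
    Write-Output 'Restart pending: schedule it before Visual Studio is used.'
}
exit 0
```

`$proc.ExitCode` carries the same value a batch file would see in %ERRORLEVEL%.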
As product updates become available, you may want to update the network install layout to incorporate updated packages.
Note: The VS 2017 bootstrappers available on http://www.visualstudio.com will download and install the latest VS 2017 release available whenever they are run. If you download a VS bootstrapper today and run it 6 months from now, it will install the VS 2017 release that is available at that later time. If you create a layout, installing VS from that layout will install the specific version of VS that exists in the layout. Even though a newer version may exist online, you will get the version of VS that is in the layout.
If you need to create a layout for an older version of Visual Studio 2017, you can go to https://my.visualstudio.com to download "fixed" versions of the Visual Studio 2017 bootstrappers for supported versions, which will allow you to create a network install layout for that older version.
If you experience a problem with your offline installation, we want to know about it. The best way to tell us is by using the Report a Problem tool. When you use this tool, you can send us the telemetry and logs we need to help us diagnose and fix the problem.
We have other support options available, too. For a list of those, see our Talk to us page.
Install certificates needed for Visual Studio offline installation
Original article: http://www.cnblogs.com/endv/p/7357367.html