inpadi Services Documentation

A consolidated one-page guide built from the supplied HTML files, presented category by category.

Overview

inpadi Services Overview

inpadi is a cloud-based service and client management platform for installing, patching, and decommissioning client computers.

Each client must run the inpadi Agent so it can communicate with the service and execute scripts and jobs. The agent is installed automatically when a client is deployed with inpadi Reinstall. On existing computers, the agent can be installed through a script or a downloadable installer package.

inpadi Services is hosted and operated by inpadi ApS.

From the inpadi GMS administration system, you can manage backups, monitoring, application installation, application patching, one-time and scheduled scripts or jobs, compliance reports, license inventory, and more.

To access inpadi GMS, open https://gms.inpadi.com and log in with the username and password provided to you.

SMS validation is required. Management tools can be used from only one source IP address at a time. If you log in from several IP addresses, access from the first IP address can be blocked.

There is a limit of five login attempts, including SMS validation. After five failed attempts, access is blocked for 15 minutes. If the login page is accessed before the 15 minutes have passed, the timer restarts.

The failed-login counter is reset 15 minutes after the last failed login. A successful login does not immediately clear the failed-login counter; it remains until it expires.

Main views in inpadi GMS

  • GMS - General Management System: the main administration view for managing clients, files, jobs, templates, uploads, logs, and reinstall profiles.
  • MonitorBad: shows active monitoring alerts and provides acknowledgement or start-service actions where available.
  • Monitor: shows monitored systems, service status, monitoring profiles, alert settings, and service history.
  • Monitor Graphs: shows service and MikroTik interface history as one-hour, 24-hour, and one-year graphs.
  • Ping Health: shows client-reported latency, packet loss, and jitter for network targets.
  • AD Admin: shows Windows Active Directory domain users and supports controlled edits such as mobile, email, password, and enable/disable state.
  • System Status: shows all systems with selectable and regex-based columns for operational reporting.
  • Software: shows detected software inventory by client, software name, architecture, and uninstall key.
  • Compliance Status: shows whether compliance requirements are met and can trigger remediation jobs.
  • Backup: shows client backup status reported by configured backup servers.
  • Running Jobs: shows online clients with active jobs and allows a running job to be stopped.
  • Choco: maps detected software to Chocolatey package IDs and downloads package files for customer software deployment.
  • License and License2: show customer, computer, monitored-system, router, owner, partner, and product-style license counts.
  • Incident Management: can be used to document and register incidents.

Some background knowledge may be required to use all functions. For help, contact inpadi support at support@inpadi.com.

GMS administration

GMS View and Job Editor

GMS Job Editor

This section gives a few examples of how to use the GMS interface.

Important: GMS does not ask for confirmation. If you change or delete a script, the related function might stop working.

The left side of the page shows the list of systems and GMS system folders. The next column shows the contents of the selected folder or server. The right side shows the Job ID, template selector, and editor window.

The file browser groups content into folders, schedules, queue files, other files, and system files. Files can be downloaded, edited, uploaded, deleted, or saved as new jobs depending on the selected folder and user access. The editor supports normal save, save-and-run for immediate .que execution, and template insertion from the customer Templates folder and the global /Autoupdate/Templates folder.

When a client is selected, the header also exposes operational shortcuts such as deleting the client, opening the realtime log viewer, opening monitor graphs when Monitor.db exists, and opening MikroTik graph or Winbox actions for MikroTik clients.

The GMS interface is designed for technical users and super users. There are several areas you need to understand before making changes.

System folders

  • _Software: upload scripts and installation files. The current upload limit is about 200 MB.
  • ReInstall: installation scripts used when deploying a new computer.
  • ReInstall_OS: installation scripts for operating systems.
  • ReInstall_ADGroups: used when Active Directory groups control software installation.
  • Templates: templates shown in the drop-down list on the right side.
  • _Graveyard: old computers, deleted profiles, and similar items.
  • _DocHtml: a place for notes or similar documentation.

ReInstall profiles: The ReInstall folder can contain subfolders. These subfolders are profiles and are shown when you log in to the ReInstall WinPE image. To create a profile, select ReInstall and enter a Job ID such as mkdir::Office2016PCs.

When a profile is selected for a client, the client receives all current jobs in that profile folder. New jobs added to the profile are also pushed to all clients that are members of the profile. A client's profile membership is shown in the client folder as profilename.profile. Delete that file to remove the client from the profile.

If several clients are selected with the system checkboxes, a saved job can be written to all selected clients. When a job is saved inside a reinstall profile, GMS also copies the new profile script to existing clients that already have the matching .profile membership marker.

_Graveyard: This folder contains deleted or reinstalled computers, profiles, and other system objects that may be useful to restore. Items in _Graveyard expire after three months.

DoneJob: Selecting DoneJob opens completed job logs and reports. The history view can filter by file name, use date ranges, include monthly ZIP archives, and optionally show rolling differences between report versions.

For more information about writing client jobs, see GMS_Job_Script.

GMS Guide to Jobs and Scripts

This guide explains how to write jobs and scripts in inpadi GMS.

GMS job handling and execution are based on the script extension, such as .que or .DB.

The scripts must be written for the operating system on which the inpadi Agent is running.

  • On Windows, scripts are executed as CMD scripts and should use CRLF (\r\n) as the newline format.
  • On Linux and macOS, scripts are executed as Bash scripts and should use LF (\n) as the newline format.

This guide does not cover Linux scripting in detail. The built-in script functions clientfile= and neededfile= are the same for all operating systems. maxruntime= sets the maximum runtime for a script. For example, maxruntime=5 stops the script after five minutes.

Using another scripting language: Upload the script to the client folder in GMS, or to the _Software folder if it must be available to several systems. Download it to the client with clientfile=scriptname, for example clientfile=joindomain.ps1. A PowerShell script can be executed with:

@powershell -ExecutionPolicy unrestricted -File "myscript.ps1"

Uploading a small file from a client to the DoneJob folder: Echo the following command from a script:

echo upload::filename

Use this only for small files under 10 MB because it is memory intensive for the client. It cannot be used as a client-file backup method; other GMS functions are available for backups.

Uploading large files from a client:

echo largefileupload::c:\dir\somefile.big

The file is uploaded to a folder named ClientUpload in the client folder. This function can be used, for example, to collect memory dumps for analysis.

Recommended practice for repeated or scheduled scripts: Reference a master script with ScriptRef= followed by the script name. The referenced script must be placed in the client folder or in the _Software folder. The server materializes the referenced script into the delivered job so the client executes the current master content. Using ScriptRef lets you update the master script without editing every client job.

ClientFile= attachments are resolved from the client folder first and then from the customer _Software folder. For signed-job clients, referenced scripts and client-file hashes are included in the signed payload metadata.

Backend result markers can be written to job output. pkg:Success marks the expected success text, pkg:RetryCount controls retry attempts, pkg:delayretry delays a retry, and pkg:MailError sends failure logs to a configured email address. WaitForReboot:: tells the server to wait for the client to reboot before releasing more jobs, and pausemonitor::minutes pauses monitoring for a client for the requested number of minutes.

Special commands

These commands are entered in the Job Editor name field and then saved:

  • delete.srv: moves the selected client to the _Graveyard folder. If the client comes online again, it is restored from _Graveyard.
  • mkdir::: creates a new profile in ReInstall. Select or enter the ReInstall folder and save the job name as mkdir::NewProfile.
  • .profile: associates a client with a profile. Select or enter the client and save an empty job with profilename.profile.

Default job script

The first line of the script must be the title line:

::Title=Default job description

# Remove # to activate function!
# Server backend instructions (GMS Server)
#pkg:Success= // A text string found in script output
#pkg:RetryCount= // Set a number of package retries
#pkg:MailError= // If pkg:Success is not fulfilled by package output, send an error to this email address

# Package actions to client (GMS Client)
#JobID= // Job name; recommended for scheduled jobs
#NeededFile= // HTTP URL to an internet resource
#ClientFile= // File on the GMS server in the client folder or _Software folder
#maxruntime= // Script max runtime, such as 10s for 10 seconds or 5m for 5 minutes

# Script commands for backend actions (from GMS Client script to GMS Server)
#echo notifymail:: // Email address to send the job log to
#echo pausemonitor:: // Pause server monitoring for X minutes

GMS Monitor

inpadi Monitor is built to be as simple as possible.

The first time inpadi GMS Monitor starts, it finds services that are set to start automatically and are currently running. These services are added to the monitoring list automatically.

The service-monitoring list is named MonitorServices.txt and is placed in the GMSClient directory: Program Files\Tachodata\GMSClient.

To add a service to monitoring, add the service's short name on a new line in the file. If the server does not query for a job within 30 seconds, it is marked as down.

The Monitor view shows monitored clients and service state. The server detail view can pause or resume monitoring, acknowledge a bad service, start a stopped Windows service by queuing net start, and assign default or service-specific alert profiles.

The MonitorBad view is the operations queue for current bad items. It shows the affected server, service, current status, and last change time, with links for supported actions such as acknowledgement or starting a stopped service.

Ping tests

To ping hosts, create a text file named ping.txt in the inpadi GMS client directory. Add the desired hosts to the file.

  • Each host is pinged twice every 10 seconds.
  • Each test has a one-second timeout.
  • If one or both ping attempts succeed, the host is marked as alive; otherwise, it is marked as dead.
  • If many hosts are added and several do not respond, alerts from that host can be delayed. Spread ping tests across several hosts when possible.

URL tests

To test URLs, create a text file named URL.txt in the GMSClient directory and add the desired URLs.

  • Syntax examples: url::test - http://inpadi.com::inpadi or url - http://inpadi.com.
  • The test string after :: must be present on the page.
  • The test runs every 10 seconds.

Disk monitoring

inpadi Monitor monitors all fixed disks and alerts when:

  • Free space falls below 15%.
  • Free space changes from 0% to 10%.

Event-log monitoring

inpadi GMS Monitor checks Application and System logs for errors and warnings and sends them to the inpadi GMS server. A rule set determines which events trigger alerts. The triggers are currently controlled by inpadi ApS. In a future version, customers will be able to control these triggers for their own systems.

inpadi GMS Monitor can also be controlled from GMS.TD. This is currently used internally by Tachodata. GMS.TD uses the same access restrictions as the monitor, but it is not limited to monitor clients.

The GMS.TD client also shows the history of monitored services.

Alert actions

Alert actions are configured in a file named AlertTo.txt.

  • Email: mail::mail@address.tld, for example mail::info@inpadi.com.
  • Action: action::actionName, for example action::StartStoppedServices.
  • SMS: sms::phone, for example sms::4542131728.
  • Actions are executed after tests have failed for 60 seconds.
  • Email alerts are sent after two minutes.
  • SMS alerts are sent after two minutes between 06:00 and 23:00, and after five minutes outside that period.

Alert targets are resolved in this order: a selected monitor profile, a service-specific <service>-AlertTo.txt, the client AlertTo.txt, the customer AlertTo.txt, and finally the global /Autoupdate/AlertTo.txt. Services can be skipped with *-SkipAlert.txt files or the global not-monitored-service configuration.

Module example

The first line must start with Monitor*:*:*[yourTestNameScriptID]*:*:*. The last line must be *****END OF TEXT CHUNK*****. The monitor program or script must be placed in the same folder where GMS-Client.exe runs.

@echo off
echo Monitor*:*:*EH-Random-Test*:*:*
echo Service MonitorTest RUNNING
echo Service SomeOtherTest Not_Running_Due_To_Some_Reason
echo *****END OF TEXT CHUNK*****

On the GMS server, a file named monitor.db must exist in the client folder and use this syntax:

scriptNameOnClient::timeBetweenLoopsIfJobExits
Example:
randomstuff.cmd::10s

You can specify a maximum script runtime by adding an extra :: field to the monitor.db file. The default maximum runtime is five minutes.

randomstuff.cmd::10s::10m

A monitor job does not need to stop. It only needs to follow the required start and end line format; you decide when data should be returned. Valid time units are ns, us, ms, s, m, and h.

A Monitor.rul rule should exist that can match the monitor output. The regular expression must return two outputs: a service name and a result that can be compared with the Monitor.rul rule.

Monitor.db can contain NeededFile= lines to download files from websites to the client. It can also contain ClientFile= lines to download files from the client folder on the server.
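As an added example (not inpadi's own code), the following Python parses a monitor module's output chunk and the monitor.db syntax described above. The sample chunk and monitor.db are constructed here; the Service line pattern is an assumed regular expression of the kind a Monitor.rul rule would supply, and the neededfile=URL=localname split is assumed from the examples on this page.

```python
import re

# Constructed sample of a monitor module's output in the shape shown above
# (header line, service lines, end marker); not captured from a real client.
SAMPLE_CHUNK = """Monitor*:*:*EH-Random-Test*:*:*
Service MonitorTest RUNNING
Service SomeOtherTest Not_Running_Due_To_Some_Reason
*****END OF TEXT CHUNK*****
"""

# Constructed monitor.db mixing download lines and job lines.
SAMPLE_MONITOR_DB = """neededfile=https://v.inpadi.dk/Res/MonitorSystemLoad.txt=MonitorSystemLoad.ps1
clientfile=MonitorSystemLoad-cmd.cmd
randomstuff.cmd::10s
MonitorSystemLoad-cmd.cmd::2m::60m
"""

HEADER_RE = re.compile(r"^Monitor\*:\*:\*(?P<name>[^*]+)\*:\*:\*$")
END_MARKER = "*****END OF TEXT CHUNK*****"
# Assumed rule pattern giving the two outputs a Monitor.rul rule needs:
# group 1 is the service name, group 2 the result to compare.
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+(\S+)$")

DEFAULT_MAX_RUNTIME = 300.0  # the page's default of five minutes, in seconds
UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)$")


def parse_monitor_chunk(text):
    """Return (test name, {service: result}) for one output chunk.

    A missing header or end marker raises ValueError, so a truncated or
    malformed chunk is never taken for a healthy report.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        raise ValueError("first line is not a Monitor*:*:*name*:*:* header")
    if END_MARKER not in lines[1:]:
        raise ValueError("missing *****END OF TEXT CHUNK***** line")
    results = {}
    for line in lines[1:lines.index(END_MARKER)]:
        match = SERVICE_RE.match(line)
        if match:
            results[match.group(1)] = match.group(2)
    return header.group("name"), results


def parse_duration(text):
    """'10s' -> 10.0 seconds; only the units the page lists are accepted."""
    match = DURATION_RE.match(text.strip())
    if not match:
        raise ValueError(f"bad duration: {text!r}")
    return float(match.group(1)) * UNIT_SECONDS[match.group(2)]


def parse_monitor_db(text):
    """Split monitor.db into (downloads, jobs).

    downloads: list of (kind, source, local name); jobs: list of
    (script, loop interval in seconds, max runtime in seconds).
    """
    downloads, jobs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines skipped (assumption)
            continue
        key, sep, value = line.partition("=")
        if sep and key.lower() in ("neededfile", "clientfile"):
            # Assumed from the examples: NeededFile=URL=localname (split at the
            # last '=') and ClientFile=name (stored under the same name).
            source, _, local = value.rpartition("=") if "=" in value else (value, "", value)
            downloads.append((key.lower(), source, local))
            continue
        parts = line.split("::")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad monitor.db line: {line!r}")
        max_runtime = parse_duration(parts[2]) if len(parts) == 3 else DEFAULT_MAX_RUNTIME
        jobs.append((parts[0], parse_duration(parts[1]), max_runtime))
    return downloads, jobs
```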

Profiles can be created in [Customer/_AlertProfiles] and must end with .profile. A profile is similar to AlertTo.txt and can contain mail::, sms::, and action:: entries.

New - 2018-12-11: Nested profiles. Profiles can contain profile::/customer/_AlertProfiles/alert.profile. If the same SMS, email, or other action appears more than once, the first match is used. This is important when setting alert time windows.

New - 2018-12-11: Alert send windows. Alert profiles can include an open time window for mail:: and sms:: lines.

sms::45XXXXXXXX::CET*Sat, 09:00|21:00*Sun, 09:00|21:00*06:00|22:00

The line is split by *. CET means Central European Time, and CEST means Central European Summer Time. Daylight saving is not currently supported. Sat, 09:00|21:00 means alerts can be sent on Saturday from 09:00 to 21:00. 06:00|22:00 is the fallback time if the day is not listed. If no fallback time is set, the fallback is 00:00|23:59. If a conversion error occurs, the system always falls back to 00:00|23:59.
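As an added example (not inpadi's own code), this Python parses alert lines with send windows as described above, decides whether an alert may be sent at a given UTC time, and flattens nested profiles with first-match-wins for duplicate targets. The day abbreviations beyond Sat and Sun, the fixed CET/CEST offsets and the include-cycle guard are assumptions; the profile contents are constructed.

```python
from datetime import datetime, timedelta

DEFAULT_WINDOW = ("00:00", "23:59")   # the page's fallback when no window is set or parsing fails
DAY_NAMES = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # assumed; the page shows Sat and Sun
ZONE_OFFSET_HOURS = {"CET": 1, "CEST": 2}   # fixed offsets, no daylight-saving switch, as the page states


def parse_window(text):
    """'09:00|21:00' -> ('09:00', '21:00'); any conversion error yields 00:00|23:59."""
    try:
        clocks = []
        for clock in text.split("|"):
            hour, minute = (int(x) for x in clock.strip().split(":"))
            if not (0 <= hour < 24 and 0 <= minute < 60):
                raise ValueError(clock)
            clocks.append(f"{hour:02d}:{minute:02d}")
        if len(clocks) != 2:
            raise ValueError(text)
        return tuple(clocks)
    except (ValueError, TypeError):
        return DEFAULT_WINDOW


def parse_alert_line(line):
    """Parse one mail::/sms::/action:: line with optional ::zone and *windows."""
    parts = line.strip().split("*")
    fields = parts[0].split("::")
    if len(fields) < 2 or not fields[1]:
        raise ValueError(f"not an alert line: {line!r}")
    rule = {"kind": fields[0].lower(), "target": fields[1],
            "zone": fields[2] if len(fields) > 2 else None,
            "per_day": {}, "fallback": DEFAULT_WINDOW}
    for part in parts[1:]:
        day, sep, window = part.partition(",")
        if sep:                                   # 'Sat, 09:00|21:00'
            rule["per_day"][day.strip()] = parse_window(window)
        else:                                     # bare '06:00|22:00' is the fallback
            rule["fallback"] = parse_window(part)
    return rule


def may_send(rule, when_utc_iso):
    """True when an alert for this rule may be sent at the given UTC time (ISO 8601)."""
    offset = timedelta(hours=ZONE_OFFSET_HOURS.get(rule["zone"], 0))
    local = datetime.fromisoformat(when_utc_iso) + offset
    start, end = rule["per_day"].get(DAY_NAMES[local.weekday()], rule["fallback"])
    return start <= local.strftime("%H:%M") <= end


def resolve_profile(name, profiles, _seen=None):
    """Flatten a profile, following profile:: includes.

    The first rule seen for a (kind, target) pair wins, as the page describes
    for duplicate SMS, mail or action entries.
    """
    _seen = set() if _seen is None else _seen
    if name in _seen:                 # include-cycle guard (assumption, not page behaviour)
        return []
    _seen.add(name)
    rules = []
    for raw in profiles.get(name, []):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("profile::"):
            rules.extend(resolve_profile(line[len("profile::"):], profiles, _seen))
        else:
            rules.append(parse_alert_line(line))
    unique, seen_keys = [], set()
    for rule in rules:
        key = (rule["kind"], rule["target"])
        if key not in seen_keys:
            seen_keys.add(key)
            unique.append(rule)
    return unique


# Constructed profiles (not real inpadi files): a client profile that sets a
# send window for an SMS target and then includes the shared customer profile.
SAMPLE_PROFILES = {
    "client.profile": [
        "sms::45XXXXXXXX::CET*Sat, 09:00|21:00*Sun, 09:00|21:00*06:00|22:00",
        "profile::/customer/_AlertProfiles/alert.profile",
    ],
    "/customer/_AlertProfiles/alert.profile": [
        "sms::45XXXXXXXX",            # duplicate target: the client line above wins
        "mail::info@inpadi.com",
        "action::StartStoppedServices",
    ],
}
```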

Example monitor jobs

Hyper-V Replica monitor:

neededfile=https://v.inpadi.dk/Res/Hyper-V-Replica-Monitor.txt=Hyper-V-Replica-Monitor.ps1
neededfile=https://v.inpadi.dk/Res/Hyper-V-Replica-Monitor-cmd.txt=Hyper-V-Replica-Monitor-cmd.cmd
Hyper-V-Replica-Monitor-cmd.cmd::15m::60m

SuperMicro hardware monitor:

neededfile=https://v.inpadi.dk/Res/SuperMicro/IPMICFG-Win.exe=IPMICFG-Win.exe
neededfile=https://v.inpadi.dk/Res/SuperMicro/pmdll.dll=pmdll.dll
neededfile=https://v.inpadi.dk/Res/SuperMicro/SuperMicro-HW-Mon.txt=SuperMicro-HW-Mon.cmd
SuperMicro-HW-Mon.cmd::5m::60m

Resource monitor:

neededfile=https://v.inpadi.dk/Res/MonitorSystemLoad.txt=MonitorSystemLoad.ps1
neededfile=https://v.inpadi.dk/Res/MonitorSystemLoad-cmd.txt=MonitorSystemLoad-cmd.cmd
MonitorSystemLoad-cmd.cmd::2m::60m

Monitor Graphs and History

Monitor graphs are available from monitored systems in GMS and from the Monitor detail view. The graph page lists services for the selected server and shows one-hour, 24-hour, and one-year images for each service. Short-range graphs refresh more often than long-range graphs.

Individual graph images are served through /Admin/MakeMonitorGraph and support a server, service, range, or explicit from/to interval. Numeric values, percentages, boolean states, and text states are normalized so they can be drawn consistently.

Current data is read from the monitor time-series database first and falls back to MonitorHistory.txt when needed. Raw monitor samples are kept briefly, five-minute rollups are kept for about two days, and hourly rollups are kept for about 400 days.

GMS Ping Health

inpadi Ping Health makes it easy to monitor latency and packet loss to important network resources.

Create a file named pingtargets.db in GMS, either in the client folder or in _Software. The file must contain IP addresses or host names, one per line. The GMS Client automatically uses the default gateway as a target and monitors it when pingtargets.db exists on the server side.

To view the statistics, open the Ping Health menu. The table shows client, host, one-minute minimum, maximum, average, and loss, plus one-hour minimum, maximum, average, loss, and jitter when the client has reported those values.

GMS Compliance

If a file named Compliance.txt exists in the customer root folder, the client's ComputerInfo_windows.Report is evaluated against each line in that file every time the client reports to the GMS server.

If all lines are found, the client is compliant. Otherwise, it is not compliant.

The compliance result is stored in the client's DoneJob folder. Failed checks are tracked in Compliance.bad, which is also used by other services such as Net Access to decide whether a client meets required conditions.

For example, you can check the antivirus scanner service and its running status to verify that antivirus clients are installed and running.

To force a client to report ComputerInfo_windows.Report again, remove the report from the client's DoneJob folder. The client will rerun the report within a minute.

If a Compliance.txt file is placed in a profile folder, and the client is a member of that profile, the file is added to the client's compliance check.

You can execute scripts when compliance checks fail by appending an asterisk and a script name to the compliance check. All scripts must be in the ReInstall folder. Profile folders can also be used for scripts.

Microsoft Office 365 ProPlus*Office365DK/1.9.Office365dk.que

In this example, if "Microsoft Office 365 ProPlus" is not found, the job Office365DK/1.9.Office365dk.que is copied from the ReInstall folder to the client.

Rules

  • || means OR and is evaluated in the compliance string. Example: Windows 10 Pro||Windows 10 Home.
  • !! means NOT and must appear at the beginning of the string. Example: !!Windows Vista.
  • ?? means IF. Example: ??Windows 10 Pro??Build 1809.

Rules cannot be combined. You can still execute scripts when the rule does not return true.

!!Adobe Reader*Uninstall_Adobe_Reader.que
Windows Defender||Symantec Antivirus||Sophos||Chili*install_AV.que
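As an added example (not inpadi's own code), this Python evaluates Compliance.txt rules against a client report using the ||, !! and ?? forms and the *script suffix described above. Matching is assumed to be a case-sensitive substring test; the report excerpt is constructed, and the rules are the ones shown on this page.

```python
# Constructed excerpt of a client's ComputerInfo_windows.Report; real reports
# are produced by the agent and contain many more lines.
SAMPLE_REPORT = """OS Name: Windows 10 Pro
OS Build: Build 1809
Installed: Microsoft Office 365 ProPlus
Installed: Adobe Reader
Service: Windows Defender RUNNING
"""

# Constructed Compliance.txt built from the rule examples on this page.
SAMPLE_COMPLIANCE = """Microsoft Office 365 ProPlus*Office365DK/1.9.Office365dk.que
!!Adobe Reader*Uninstall_Adobe_Reader.que
Windows Defender||Symantec Antivirus||Sophos||Chili*install_AV.que
??Windows 10 Pro??Build 1809
"""


def parse_rule(line):
    """Split 'expression*script' into (expression, script or None)."""
    expression, _, script = line.strip().partition("*")
    return expression.strip(), (script.strip() or None)


def evaluate(expression, report):
    """Evaluate one compliance expression against the report text.

    Substring matching is an assumption; the three operators cannot be mixed,
    as the page states, so only one form is recognised per line.
    """
    def found(text):
        return text.strip() in report

    if expression.startswith("!!"):                 # NOT: the text must be absent
        return not found(expression[2:])
    if expression.startswith("??"):                 # IF: ??condition??requirement
        parts = [p for p in expression.split("??") if p]
        if len(parts) != 2:
            raise ValueError(f"malformed IF rule: {expression!r}")
        condition, requirement = parts
        return found(requirement) if found(condition) else True
    if "||" in expression:                          # OR: any alternative present
        return any(found(alt) for alt in expression.split("||"))
    return found(expression)


def check_compliance(compliance_text, report):
    """Return (compliant, failed expressions, remediation scripts to queue).

    The failed expressions correspond to what Compliance.bad records; the
    scripts are the ReInstall jobs that would be copied to the client.
    """
    failed, scripts = [], []
    for raw in compliance_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        expression, script = parse_rule(raw)
        if not evaluate(expression, report):
            failed.append(expression)
            if script:
                scripts.append(script)
    return not failed, failed, scripts
```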

If you need compliance checks beyond what the default ComputerInfo_Windows.report supports, add your own checks in a script named cdc.cmd. Place it in _Software or in the client root folder. A script in the client root folder overrides the script in _Software. The cdc.cmd script is a normal command-line script.

macOS clients can use the same pattern with cdc.darwin when custom inventory or compliance data is needed.

System Status

System Status is the broad system inventory view. It lists accessible systems with columns such as name, TCP/IP connection state, country, client time, last connection time, operating system, CPU architecture, and selected report fields.

The Change view window controls which fields are shown. Rules are loaded from the current user's Admin/Users/<user>-SysStatus.txt file and fall back to Admin/Users/Default-SysStatus.txt. A rule has this format:

Name*/*Selection Filter*/*RegEx filter

Global and user rules can be enabled or disabled. New rules can use regular expressions, which makes the view useful for reporting on specific inventory lines inside client reports.

Software Inventory

The Software view reads each client's _Installed.db report and builds a searchable software table. The table shows client, software name, architecture, and uninstall key when that information is present in the report.

Use the table filters to find installed applications across one customer or all customers you can access. The uninstall key is useful when preparing removal jobs or mapping software to Chocolatey packages.

License Reports

The License view counts systems for licensing and partner reporting. In the all-customer view it shows customer name, total count, computers seen in the last 31 days, monitored systems seen in the last 31 days, routers seen in the last 31 days, legal owner, partner, and totals.

For one customer, the report breaks the same counts down by system. The 31-day counts are based on recent client activity, monitored-system count is based on Monitor.db, and router count is based on MikroTik router configuration files.

License2 presents the same license data in a product-style format with product name and amount rows. This is useful when the data must be exported or copied into an external billing workflow.

AD User Manager

AD User Manager shows Active Directory users collected from domain controllers that report DoneJob/All_users_list.csv.Report. The table includes customer, SAM account name, email address, mobile number, last logon date, distinguished name, password-expired state, changed date, and enabled state.

When access allows it, the edit popup can queue domain-controller actions to set a user's password, update mobile number, update email address, disable the account, or enable the account. Password changes are masked in logs and the server waits briefly for the queued command result.

This view is also used to verify that self-service password reset and Admin Portal users have the required email and mobile attributes in Active Directory.

Running Jobs

Running Jobs shows online clients that currently have an active job. The table lists client, job ID or name, a kill action, and the UTC job start time.

The client link opens the selected client in GMS. The kill action creates a stop job for the running process when the server has enough job information to do so.

Chocolatey Management

The Choco page is used by admins with the <Choco> access marker to map locally detected software names to Chocolatey package IDs. The mapping files are kept under /Autoupdate/bin/ChocoPackage.

The page compares detected software against the Chocolatey package list, shows match quality with color-coded suggestions, and can download .nupkg files into /Autoupdate/Bin/ChocoPackages. Packages or names that should not be suggested can be placed in the ignore folder.

The public Chocolatey cache endpoints cache upstream package requests for a day and rewrite community package URLs to the inpadi cache hosts where appropriate.

Realtime Log Viewer and Combined History

The realtime log viewer opens from the log icon in GMS. It connects through the /LogWS WebSocket, can watch one client or all clients under a customer, and includes a regular-expression filter and log limit.

The combined history view is available from a client's DoneJob folder. It can filter by file name, restrict by date range, include matching files from monthly ZIP archives, and show a rolling diff between report versions. This is useful for tracking inventory, monitor, and compliance changes over time.

Signed Jobs and Client Protocol

Newer clients advertise protocol features such as signed-jobs and signed-control. When supported, GMS sends signed envelopes for managed job files such as .que, .db, and emergency.txt.

Job-signing keys are stored under /Autoupdate/Admin/JobSigning. Public keys can be exported for DNS or served through /Signing/PublicKey?key_id=....

Signed payloads include materialized ScriptRef= content and hashes for ClientFile= attachments. Legacy clients still receive compatible materialized jobs with a generated JobID= when one is missing.

The client protocol also handles long-poll job delivery, encrypted job download, job completion logs, report uploads, monitor data, large-file uploads, and reboot-wait state.

Agent and installation

inpadi Agent

The client-side component of inpadi Services is the inpadi Agent. It communicates with the server and executes jobs and scripts queued on the server.

The inpadi Agent keeps an HTTPS job channel open to GMS and asks the server for work. When a job is available, the agent downloads the encrypted job payload, executes it with the operating-system script runner, and returns the job log to the server as a completed job.

The JobID= keyword sets the visible job ID or name in logs. If a legacy job does not include JobID=, the server adds one before the job is delivered.

A watchdog is installed as part of the agent. The watchdog checks whether the inpadi Agent is running and starts it if it has stopped. The watchdog also reports to the server.

The inpadi Agent starts other tasks, such as monitoring and performance-related services, when those services are configured.

The agent updates itself when updates are released by inpadi ApS.

If the inpadi Agent needs a proxy to access the internet, set the HTTP_PROXY variable with these commands. The first, with /m, sets it system-wide so the agent service sees it; the second sets it for the current user only:

setx HTTP_PROXY http://server:port /m
setx HTTP_PROXY http://server:port

inpadi Agent Install

To install the inpadi Agent on existing running computers, create a CMD script, copy the commands below into it, save the file, and run it.

The script can be distributed to systems and installed through Active Directory Group Policy.

A silent installer can also be downloaded from https://v.inpadi.dk/Cust/customername.

Commands for the CMD install script:

set customerMasterPassword=
set customerName=
if exist "c:\program files\inpadi\GMSClient\gms-client.exe" goto EXIT
if exist "c:\program files\tachodata\GMSClient\gms-client.exe" goto EXIT
if exist "c:\program files (x86)\inpadi\GMSClient\gms-client.exe" goto EXIT
if exist "c:\program files (x86)\tachodata\GMSClient\gms-client.exe" goto EXIT

md "%ProgramFiles%\inpadi\GMSClient"
cd /d "%ProgramFiles%\inpadi\GMSClient"
set p1=-urlcache -split -f
rem The URL is stored without quotes so the same value works for certutil, Invoke-WebRequest and WebClient.
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" set p2=https://v.inpadi.dk/Patch/GMSClient/windows/amd64/gms-client.exe
if not "%PROCESSOR_ARCHITECTURE%"=="AMD64" set p2=https://v.inpadi.dk/Patch/GMSClient/windows/386/gms-client.exe
set p3=gms-client.exe
certutil.exe %p1% %p2% %p3%
if not "%errorlevel%"=="0" @powershell -NoProfile -ExecutionPolicy unrestricted -Command "Invoke-WebRequest -Uri %p2% -OutFile %p3%"
if not "%errorlevel%"=="0" @powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('%p2%', '%p3%')"
rem The redirection is written first: with it at the end, a value ending in a digit is read
rem as a file handle number and the digit is lost, and echo also writes a trailing space.
>gms.ini echo [Config]
>>gms.ini echo Username=%customerName%\%COMPUTERNAME%
>>gms.ini echo Password=%customerMasterPassword%
sc create GMSClient binPath= "%ProgramFiles%\inpadi\GMSClient\GMS-Client.exe" start= auto
sc start GMSClient
goto EXIT

:EXIT

All inpadi Agent download links:

OSX x86: https://gms.inpadi.dk/Patch/GMSClient/darwin/386/GMS-Client
OSX x64: https://gms.inpadi.dk/Patch/GMSClient/darwin/amd64/GMS-Client
Linux x86: https://gms.inpadi.dk/Patch/GMSClient/linux/386/GMS-Client
Linux x64: https://gms.inpadi.dk/Patch/GMSClient/linux/amd64/GMS-Client
Linux arm: https://gms.inpadi.dk/Patch/GMSClient/linux/arm/GMS-Client
Linux arm64: https://gms.inpadi.dk/Patch/GMSClient/linux/arm64/GMS-Client
Windows x86: https://gms.inpadi.dk/Patch/GMSClient/windows/386/GMS-Client.exe
Windows x64: https://gms.inpadi.dk/Patch/GMSClient/windows/amd64/GMS-Client.exe

Running the inpadi Agent on Linux: Use at your own risk. Download the correct gms-client binary for the Linux and CPU combination, then add this line to /etc/crontab:

* * * * * root ps ax |grep -v "grep" |grep gms-client || /gmsclient/gms-client &

inpadi Install ID

Computers with the inpadi Agent installed can be reinstalled remotely.

Clients are identified by the inpadi Install ID, or IID. The IID can be created in two ways:

  1. A hardware ID containing vendor, serial number, MAC addresses, and other hardware identifiers.
  2. A vendor name, serial number, and secret token written on the boot media.

Option 1: The hardware ID is generated automatically by the inpadi install client. In some cases it can fail, for example if the computer is placed in a dock that was not present when the hardware ID was generated.

Option 2: This option is used when you know the vendor and serial number of a computer that you might not physically have, such as new computers added to a company.

For option 2, a secret file named Inpadi_Install_ID.Secret must exist in the root of the boot media, such as a USB drive or fixed disk. The same file must also exist in the root of the company profile in GMS. The file must contain only one line: the secret.

inpadi Reinstall: Client Boot and Install

Clients can boot and install with inpadi Reinstall in several ways. During installation, the client tries to retrieve packages from another client on the local network if one is available. This speeds up downloads and reduces bandwidth usage on external network links.

1. Create a USB key with MBR and EFI support

Note: This script only works on computers installed with inpadi and where 7-Zip is installed.

  1. Download https://v.inpadi.dk/Res/inpadi_boot.usb.key.zip.
  2. Extract it to c:\reinstall.dk.
  3. Start a command prompt as administrator.
  4. Run cd /d c:\reinstall.dk.
  5. Run create-inpadi-boot.cmd.
  6. Find the USB drive ID in the output. The example below assumes disk 1.
  7. Run create-inpadi-boot.cmd 1.
  8. Wait for completion and check for errors.

2. Use USB key boot

  1. Download https://v.inpadi.dk/public/winpe.iso.
  2. Format the USB key with FAT32.
  3. Open winpe.iso and copy all files to the root of the USB key.

If some USB keys or computers have boot problems, create a USB key that contains both UEFI and MBR boot:

Start CMD as administrator, run diskpart, and enter the commands below. Check the disk number from list disk carefully: clean erases every partition on the selected disk.

diskpart
list disk                           (locate the disk number of the USB key; x below)
select disk x
clean
convert mbr
create partition primary size=1024
format fs=fat32
assign letter=q
create partition primary
format fs=ntfs quick
assign letter=w
active
exit

Open winpe.iso and copy all files to both Q: and W:, the two USB key partitions. UEFI firmware boots from the FAT32 partition (Q:); legacy MBR boot uses the active NTFS partition (W:).

3. CD/DVD boot

Download and burn https://v.inpadi.dk/public/winpe.iso.

4. Network boot

  1. Create a TFTP server on your network. Some firewalls also support TFTP.
  2. Download https://v.inpadi.dk/public/inpadi-ipxe.pxe and place it in the TFTP server root.
  3. Set the DHCP boot file option to /inpadi-ipxe.pxe.

DHCP, PXE, and TFTP carry no authentication: any host that can answer DHCP on the segment can point clients at a different boot file. Keep the TFTP server and the clients being deployed on a network segment you control.

5. Create an inpadi boot stick from an inpadi-installed computer

  1. Download https://v.inpadi.dk/Boot/inpadi_boot.usb.key.zip.
  2. Extract the contents to c:\reinstall.dk.
  3. Start a command prompt.
  4. Run cd /d c:\reinstall.dk.
  5. Run create-inpadi-boot.cmd.
  6. View the USB stick ID.
  7. Run create-inpadi-boot.cmd ID. Example: create-inpadi-boot.cmd 1.

Add boot drivers to the boot key

Create a folder named inf on the USB drive. Place the driver files that need to be loaded during boot in that folder.

Install users

The default user is the same as the customer tenant name. The password is located in reinstall.txt in the customer folder.

If more users are needed, create a new file in the root of the tenant folder in GMS with the name newuser_reinstall.dk, where newuser is the desired username. When logging in with a sub-username, use tenantname\newuser. The password is located in newuser_reinstall.txt.

Booting from an inpadi USB Drive

This guide explains how to boot from an inpadi USB drive.

Step 1: Insert the USB key

Insert the bootable USB key into an available USB port on your computer.

Step 2: Restart or turn on your computer

Restart your computer, or turn it on if it is powered off.

Step 3: Open the boot menu or BIOS setup

Use the relevant steps below to open the boot menu or BIOS setup on Lenovo, Dell, or HP computers, or to restart Windows and use UEFI boot via USB.

Lenovo

  1. Turn on or restart your Lenovo computer.
  2. Press F12, or Fn + F12 depending on your configuration, several times as soon as the Lenovo logo appears.
  3. If that does not work, press Enter and then select F1 to enter BIOS.

Dell

  1. Turn on or restart your Dell computer.
  2. Press F12 several times as soon as the Dell logo appears to open the boot menu.
  3. Alternatively, press F2 to enter BIOS setup.

HP

  1. Turn on or restart your HP computer.
  2. Press Esc several times as soon as the HP logo appears to open the startup menu.
  3. Press F9 to open boot device options.

Restart Windows and use UEFI boot via USB

  1. Make sure the bootable USB key is inserted.
  2. Open the Windows Start menu.
  3. Click the Power button and hold Shift while clicking Restart. This opens the advanced startup options.
  4. Select Troubleshoot > Advanced options > UEFI Firmware Settings.
  5. Click Restart to reboot into UEFI settings.
  6. In UEFI settings, go to the Boot section and select the USB key as the primary boot device.

Step 4: Select the USB drive as the boot device

Use the arrow keys to select the USB key in the boot menu or BIOS setup, then press Enter.

Step 5: Follow the on-screen instructions

After selecting the USB drive as the boot device, follow the on-screen instructions to complete the boot process.

Step 6: Log in and start the installation

When the inpadi USB environment has booted, follow the instructions to remove the boot drive, log in, and run the deployment script.

Shared _Software Folders

Shared folders are supported when a customer has multiple folders or companies.

The master, or owner, company must have a file named ownedFolders.txt in its root folder. This file lists each folder that is allowed to access the owner company's _Software folder.

The slave, or sub-company, must have a file named legalOwner.txt in its root folder. This file must contain one line only: the master folder name.

Access requires both files to agree: the sub-company names the master in legalOwner.txt, and the master lists the sub-company in ownedFolders.txt. A sub-company cannot read another company's _Software folder merely by naming it as owner.

When a client needs to download a file with clientfile=, it searches these locations in order and uses the first match:

  1. The client-named folder.
  2. The company _Software folder.
  3. The master company's _Software folder.

Note: If one of the required files is missing or not configured correctly, the client cannot download the file.
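The lookup order and the two-sided authorisation above, as an added example written for this page (not inpadi's code). The tenant tree is a constructed in-memory dict, and it assumes ownedFolders.txt lists one folder name per line, which the section does not state explicitly:

```python
# Added example for this page (not inpadi's code): resolve a clientfile= download
# against the documented search order, honouring ownedFolders.txt / legalOwner.txt.
# Assumption: ownedFolders.txt lists one folder name per line.
from typing import Dict, List, Optional

# Constructed tenant tree: {company: {relative path: content}}.
TENANTS: Dict[str, Dict[str, str]] = {
    "acme": {
        "ownedFolders.txt": "acme-north\nacme-south\n",
        "_Software/7zip.msi": "<acme 7zip>",
        "_Software/agent.exe": "<acme agent>",
    },
    "acme-north": {
        "legalOwner.txt": "acme\n",
        "_Software/agent.exe": "<north agent>",
        "PC001/custom.ps1": "<pc001 script>",
    },
    "acme-south": {
        # legalOwner.txt deliberately missing: listed by acme but not configured
        "_Software/tools.zip": "<south tools>",
    },
    "evil": {
        # names acme as owner, but acme never listed it in ownedFolders.txt
        "legalOwner.txt": "acme\n",
    },
}


def _lines(company: str, name: str) -> List[str]:
    """Non-empty, stripped lines of a root-folder file ([] if the file is absent)."""
    text = TENANTS.get(company, {}).get(name, "")
    return [line.strip() for line in text.splitlines() if line.strip()]


def legal_owner(company: str) -> Optional[str]:
    """The master a sub-company may read from: legalOwner.txt must hold exactly one
    name, and that master's ownedFolders.txt must list the sub-company back."""
    owner_lines = _lines(company, "legalOwner.txt")
    if len(owner_lines) != 1:
        return None
    owner = owner_lines[0]
    if company not in _lines(owner, "ownedFolders.txt"):
        return None
    return owner


def resolve_clientfile(company: str, client: str, filename: str) -> Optional[str]:
    """Return 'tenant/path' of the first hit in the documented order, else None:
    client folder, company _Software, master company's _Software."""
    candidates = [
        (company, f"{client}/{filename}"),
        (company, f"_Software/{filename}"),
    ]
    owner = legal_owner(company)
    if owner is not None:
        candidates.append((owner, f"_Software/{filename}"))
    for tenant, path in candidates:
        if path in TENANTS.get(tenant, {}):
            return f"{tenant}/{path}"
    return None


if __name__ == "__main__":
    for args in (("acme-north", "PC001", "custom.ps1"),
                 ("acme-north", "PC001", "agent.exe"),
                 ("acme-north", "PC001", "7zip.msi"),
                 ("acme-south", "PC002", "7zip.msi"),
                 ("evil", "PC003", "7zip.msi")):
        print(args, "->", resolve_clientfile(*args))
```

Note that acme-north's own _Software copy of agent.exe wins over the master's, and that neither acme-south (no legalOwner.txt) nor evil (not listed by acme) can reach acme's files.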

Template Function for Alternate Deployment

To make a client a template, create a file named client.is.template in the root of the client folder.

If you have jobs that must run for each template machine when it starts, create a ReInstall folder in the template machine and place the scripts there. The scripts are then executed on each machine that uses the template.

Disable Automatic Windows Update Scan

All clients are scanned for missing Windows updates every 24 hours.

To disable this scan for a client, add a file named WindowsUpdate.Disabled on the client.

Documentation category

Network and access services

Network and access services

Password Reset Service

Self-service password reset for customer Active Directory domain users.

When enabled, inpadi customers can use self-service password reset for their Active Directory domain passwords.

The customer must have Microsoft Active Directory and a domain controller with the inpadi Agent installed.

The customer's domain controller must be enabled in _DomainControllers_ForPasswordHelp for inpadi GMS users.

Users must have an email address and mobile phone number specified in Microsoft Active Directory. This can be verified in the inpadi GMS view named AD Admin, where the email address, mobile number, and user logon privileges can also be set. The mobile number is the factor that authorises the reset, because the reset link is sent there, so keep these numbers accurate and limit who is allowed to change them.

How to use the Password Reset service

  1. Go to the self-service URL: https://gms.inpadi.dk/selfservice, or open https://gms.inpadi.dk and select Password Reset.
  2. Enter the user's email address and submit the form.
  3. inpadi GMS looks up the email address, finds the user's mobile number, and sends a link to the phone if the number is found.
  4. On the phone, open the link, enter the new password twice, and submit it. The password must comply with the company password policy.
  5. inpadi GMS sends the password-change request to the associated Active Directory domain controller for validation and processing.
  6. Wait for acknowledgement that the password change was successful. If it is not successful, retry from step 4.
  7. The user should then be able to log in with the new password. There may be a short delay while the change is processed and distributed.

SSL Proxy

To make it easier to use Let's Encrypt certificates on your services, inpadi provides a free SSL proxy. It automatically issues a certificate for every public name that resolves to your public IP address and is used in a request to the proxy, and it renews those certificates automatically.

  1. Download the proxy from https://gms.inpadi.dk/Res/inpadi-SSLproxy.exe.
  2. Create a folder, for example c:\inpadi-SSL, and copy inpadi-SSLproxy.exe into it.
  3. Run the program once and then stop it. This creates the configuration files you need to edit.
  4. Edit DestinationHost.txt and specify the destination URL, for example http://localhost:8080 or https://remote.server.tld:443.
  5. Edit hostname.txt and enter the public URL for your proxy. This is the default URL used if someone opens https://yourip.
  6. Decide whether you need plain HTTP access to the backend server. While the file only.ssl exists, requests on port 80 are redirected to port 443. Delete the file to pass HTTP through to the backend without SSL.

Create a Windows service:

cd /d c:\inpadi-SSL
sc create inpadi-SSL binpath= c:\inpadi-SSL\inpadi-SSLproxy.exe start= auto
sc start inpadi-SSL

For questions, email info@inpadi.com.

Please note: ports 80 and 443 must not be bound to anything else. The inpadi SSL proxy uses both ports. Both ports must also be NATed through the firewall because port 80 is required for Let's Encrypt validation.

SSL in front of Terminal Server Gateway or other non-standard HTTP services: use https://gms.inpadi.dk/Res/TSGW.exe. It cannot redirect from HTTP to HTTPS, but it tunnels all HTTPS traffic to the internal HTTP service. This allows Terminal Services Gateway to use HTTP with SSL offload through TSGW.exe.

inpadi SSL proxy and TSGW.exe are free to use and are provided without warranty or support.

LetMeIn

For LetMeIn to work, you currently need a MikroTik firewall.

The firewall must be added to inpadi GMS. Use this installation script on the firewall:

{
:local username "customer/firewallname";
/tool fetch mode=https url="https://gms.inpadi.dk/Mikrotik\?routerID=$username&newClient=yes" output=file dst-path="enable-inpadi.rsc";
import file-name=enable-inpadi.rsc;
}

The customer must also have a domain with a domain controller added to inpadi GMS.

Please note: the firewall and domain controller must be in the same customer.

On the domain controller, create a folder named letmein. In GMS on the domain controller, save this job: mkdir::letmein.

Place the required resource files in that folder:

resourcename.res
Firewall::LetMeInAddrList::file*vpn-instructions.txt::vpn.png

  • Firewall: the firewall to which the address list should be opened.
  • LetMeInAddrList: the name of the address list on the router.
  • vpn-instructions.txt: the file containing instructions for the user.
  • vpn.png: an image that represents the application for the end user.

Final step: contact inpadi at info@inpadi.com and request that LetMeIn access be enabled for the domain controller.

Admin Portal

Admin Portal is a customer-facing activation flow for selected Active Directory users. It is served through /adminportal, and custom hostnames can redirect users directly to that route.

The user enters an email address, GMS validates it against domain-controller user exports, and a short-lived email token is issued. After the token is accepted, the user selects an available home server and GMS queues an Active Directory command that extends the account expiration by seven days.

Customer-specific Admin Portal content is stored under the customer's _AdminPortal folder. The portal can use custom Frontpage.html, Emailpage.html, Endpage.html, Activepage.html, an email.txt template, and an optional PostScript.que. Daily logs are written under _AdminPortal/log.

MikroTik Management

To add a MikroTik device, use the following script. Replace customer/firewallname with the company name and firewall name.

{
:local username "customer/firewallname";
/tool fetch mode=https url="https://v.inpadi.dk/Mikrotik\?routerID=$username&newClient=yes" output=file dst-path="enable-inpadi.rsc";
import file-name=enable-inpadi.rsc;
}

Some MikroTik routers have issues with the script above. In that case, fetch the script and paste it into the firewall by using this URL:

https://v.inpadi.dk/Mikrotik?newClient=yes&routerID=Customer/RouterName

Current script support

  • .que files are executed as normal scripts. Command output is placed in DoneJob just as it is for normal clients.
  • .db schedules are handled as expected.

In-script features

  • JobID=: the job ID or name of the executed script.
  • ClientFile=: works like it does for computers. It references a file in the client folder in GMS or in the _Software folder.

MikroTik Features

Dynamic DNS name

The dynamic DNS name consists of the customer name and firewall name in this format:

customer-firewall.vpn.cust.inpadi.dk

If the router has a different public IP address from the one it uses for internet access, save that address in public.ip.address:

  1. Select the customer.
  2. Select the firewall.
  3. In Job Editor, enter the script name public.ip.address.
  4. In the editor data, enter the public IP address. The first line is used as the IP address; the rest of the file is ignored.

The client public IP address is updated when the firewall logs in to inpadi through the management VPN tunnel.

Let's Encrypt certificates for MikroTik VPN

inpadi can install Let's Encrypt certificates in a MikroTik router for VPN using the dynamic DNS name.

Ask inpadi staff to assign certificate creation to the firewall. Hint: inpadi/IGMS-VPN-CERTBO.

inpadi automatically renews the certificate and binds it to the SSTP and OpenVPN configuration in the PPP configuration.

Interface traffic graphs

All interfaces on MikroTik devices are monitored, and bandwidth usage is collected. Graph data can be viewed by clicking the graph icon next to the firewall name in inpadi GMS.

MikroTik Winbox admin access

You can manage the MikroTik router by clicking the Winbox icon next to the firewall name. When you click the icon, a file is downloaded to your PC. Run the file; it creates a WebSocket connection and connects Winbox through it.

Note: this is currently supported only on Windows.

Router backup

In the global Templates drop-down list, there is a script named MikrotikExport_20240416.1000.20240416.1300.180.db. Rename it to 20240416.1000.20240416.1300.180.db and save it to the router. The configuration export script runs every three hours.

Backup and export files are placed in the client's DoneJob folder.

inpadi Net Access

Create a file named NetAccessKey.txt in the customer root folder.

File example:

fkldjt0984rlkds::Service:Bitdefender Endpoint Agent Running

Custom client gateway

If you need to use Net Access on a gateway other than the default gateway, add the gateway to NetAccessKey.txt:

fkldjt0984rlkds::Service:Bitdefender Endpoint Agent Running::1.2.3.4:1234

In this example, the client queries http://1.2.3.4:1234/... if the string Service:Bitdefender Endpoint Agent Running is found in the ComputerInfo report file. A client whose report does not contain the string makes no request and is therefore not added.

fkldjt0984rlkds is the keyword that adds the client to the firewall address list.

A MikroTik firewall rule that adds the client to an address list could look like this:

/ip firewall mangle add action=add-dst-to-address-list address-list=NetAccess address-list-timeout=2m chain=forward content=fkldjt0984rlkds src-address=185.55.196.13

The rule matches forwarded packets from src-address (the host answering the Net Access query) whose payload contains the keyword and adds the destination, that is the client that made the request, to the NetAccess address list. With address-list-timeout=2m the entry expires after two minutes unless the client repeats the query, so a client that stops meeting the condition loses access shortly afterwards. Because content= matches plain text in the packet, the query must be plain HTTP; the keyword would be invisible to the rule inside TLS.

Time View

Time View is a consensus-time action service in inpadi.

The time consensus is calculated from at least 100 online clients. If fewer than 100 clients are online, consensus time is skipped. Consensus time is the average time of the middle 60% of all online clients in inpadi.

The time difference between each client and the consensus time can be seen in Time View.

To run an action when a client's time is too far from the global consensus, add a file named Time.Action under the relevant client.

Example:

$timediff > 600*shutdown -s -t 1 -f
$timediff < -600*shutdown -s -t 1 -f

$timediff is the variable that contains the current difference value.

The command after * on each line is executed on the client. In the example above, if the client is more than 600 seconds ahead of or behind the consensus time, the client is shut down.

Keep at least one second in the shutdown command. Some clients have been seen shutting down with zero seconds, leaving the shutdown job on the server. This can cause the client to shut down again after it starts.
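The consensus calculation and the Time.Action rule format, as an added example written for this page (not inpadi's code). The client clock samples are constructed, and it assumes $timediff is the client's clock minus the consensus in seconds (positive when the client is ahead), which the section implies but does not state:

```python
# Added example for this page (not inpadi's code): consensus time as the section
# defines it and evaluation of a client's Time.Action rules against its offset.
# Client clock samples are constructed; $timediff is assumed to be client minus
# consensus in seconds (positive = client ahead).
import random
from typing import List, Optional, Tuple

MIN_CLIENTS = 100        # below this, consensus is skipped
MIDDLE_FRACTION = 0.60   # average the middle 60% of sorted client clocks


def consensus_time(client_times: List[float]) -> Optional[float]:
    """Mean of the middle 60% of sorted client clocks; None if fewer than 100 online."""
    if len(client_times) < MIN_CLIENTS:
        return None
    ordered = sorted(client_times)
    n = len(ordered)
    trim = int(round(n * (1.0 - MIDDLE_FRACTION) / 2))   # drop 20% at each end
    core = ordered[trim:n - trim]
    return sum(core) / len(core)


def parse_time_action(text: str) -> List[Tuple[str, int, str]]:
    """One rule per line: '$timediff <op> <seconds>*<command>' -> (op, seconds, command)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        condition, sep, command = line.partition("*")
        fields = condition.split()
        if (not sep or len(fields) != 3 or fields[0] != "$timediff"
                or fields[1] not in ("<", ">")):
            raise ValueError(f"unsupported Time.Action rule: {raw!r}")
        rules.append((fields[1], int(fields[2]), command.strip()))
    return rules


def actions_for(timediff: float, rules: List[Tuple[str, int, str]]) -> List[str]:
    """Commands whose condition holds for this offset from consensus."""
    fired = []
    for op, limit, command in rules:
        if (op == ">" and timediff > limit) or (op == "<" and timediff < limit):
            fired.append(command)
    return fired


# Constructed fleet: 117 clients within 3 s of a common clock plus three outliers.
random.seed(1)
BASE = 1_700_000_000.0
CLIENT_TIMES = ([BASE + random.uniform(-3, 3) for _ in range(117)]
                + [BASE + 5000, BASE - 4000, BASE + 900])

# The page's example rules; the shutdown delay stays at 1 s, never 0.
TIME_ACTION = "$timediff > 600*shutdown -s -t 1 -f\n$timediff < -600*shutdown -s -t 1 -f\n"


def check_client(client_time: float, fleet: List[float] = CLIENT_TIMES,
                 time_action: str = TIME_ACTION) -> Optional[Tuple[float, List[str]]]:
    """(timediff, commands to run) for one client, or None when consensus is skipped."""
    consensus = consensus_time(fleet)
    if consensus is None:
        return None
    timediff = client_time - consensus
    return timediff, actions_for(timediff, parse_time_action(time_action))


if __name__ == "__main__":
    for t in (BASE, BASE + 900, BASE - 4000):
        print(round(t - BASE), "->", check_client(t))
```

The three outliers fall outside the middle 60% and so do not pull the consensus; the client at +900 s is then 300 s past the 600 s limit and gets the shutdown command, while a fleet of fewer than 100 clients yields no consensus and no action at all.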

iping Utility

inpadi ping statistics utility v.1.1 - Freeware - info@inpadi.com - THE SOFTWARE IS PROVIDED "AS IS"
Program parameters can be placed in config.txt in the same folder as iping.exe.
The program can be installed as a service:
sc create iping binPath= "C:\Users\LocalUser\iping\iping.exe" start= auto
Usage: iping.exe [ip] [ip] [...] [-log]
Example: iping 1.1.1.1 google.com -log

-log parameter

The -log parameter saves the last one minute of statistics in a log file in the same folder as iping.exe.

Run as a service

The program can run as a service. See the example shown when you run iping.exe without parameters. A service created with sc runs as LocalSystem unless you specify another account, so place iping.exe in a folder that only administrators can write to, such as under C:\Program Files, rather than under a user profile as in the example path above; otherwise any user who can replace the file gets code execution as SYSTEM.

Note: config.txt must not exist when you want to display help. If the file exists, the program runs instead of showing help.

config.txt

When using config.txt, enter each parameter on a separate line.

-log
8.8.8.8
dr.dk

Download: iping.exe

Documentation category

Utilities and policy tools

Utilities and policy tools

LGPO - Local Group Policy Object Utility

NeededFile=https://v.inpadi.dk/Res/LGPO/LGPO.exe=LGPO.exe

https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/

----------------------------------------------------------------------------------------------------------------------------

LGPO.exe v1.00 - Local Group Policy Object Utility

LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. It can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted "LGPO text" files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file. (The syntax for LGPO text files is described later in this document.)

LGPO.exe has four command-line forms: for importing and applying settings to local policy; for creating a GPO backup; for parsing a Registry Policy file and outputting "LGPO" text; for producing a Registry Policy file from an LGPO text file.

All output is written to LGPO.exe's standard output, and all diagnostic and error information is written to its standard error. Both can be redirected to files using standard command shell operations. To support batch file use, LGPO.exe's exit code is 0 on success and non-zero on any error.

Importing and applying settings

In this mode, LGPO.exe applies the contents of the supplied input files to local policy. Note that it does not clear or remove settings that are not specified in the input files, with the exception of the /ac command.

The command-line syntax for this mode is:

LGPO.exe command [...]

Where command is one or more of the following, each of which can be repeated:

/g path

Import settings from one or more Group Policy backups anywhere under the directory specified by path.

/m path\registry.pol

Import settings from a Registry Policy file into Computer (Machine) Configuration.

/u path\registry.pol

Import settings from a Registry Policy file into User Configuration.

/s path\GptTmpl.inf

Apply the specified security template.

/a[c] path\audit.csv

Apply an Advanced Auditing backup (CSV) file. With /ac, LGPO.exe clears existing Advanced Auditing settings before applying the settings from the CSV file, and copies the file to the local group policy subdirectory so that the settings appear in the local group policy editor.

/e name|guid

Enable a Group Policy client side extension for local policy processing. Specify a GUID, or one of these names:

zone - Internet Explorer zone mapping extension; needed for the Site-to-Zone Assignment List policy.

mitigation - Mitigation Options extension; needed for the Untrusted Font Blocking policy (Windows 10).

audit - Advanced Audit Policy Configuration; ensures gpupdate also applies advanced audit policy settings.

/t path\lgpo.txt

Apply registry-based commands from an "LGPO text" file.

/boot

Reboot after applying policies.

/v

Verbose output.

/q

Quiet output (no headers).

Registry Policy files, security templates, and Advanced Auditing backup files are typically named "registry.pol," "GptTmpl.inf," and "audit.csv," respectively, so the syntax above uses these names. The files you use do not have to conform to this pattern, though. The /g option searches the specified path directory for files with these exact names and imports them. "Registry.pol" files must be in a "Machine" or a "User" directory.

Use of this LGPO.exe mode requires administrative rights.

In this example (ignore the line wrap), LGPO.exe imports settings from two Registry Policy files into Computer Configuration, another Registry Policy file into User Configuration, a security template and an Advanced Audit backup file, after clearing existing auditing policy. It also enables the IE zone mapping extension so that Site-to-Zone Assignment List policies are properly processed. It writes verbose output to lgpo.out and any error information to lgpo.err.

LGPO.exe /e zone /m .\Win10\machine.pol /m .\Win10\IE11.pol /u .\Win10\user.pol /s .\Win10\GptTmpl.inf /ac .\Win10\audit.csv /v > lgpo.out 2> lgpo.err

This command searches C:\GPOBackups for files named registry.pol, GptTmpl.inf, and audit.csv and imports them all into local policy. Like the previous example, it also enables the IE zone mapping extension and writes verbose output to log files.

LGPO.exe /e zone /g C:\GPOBackups /v > lgpo.out 2> lgpo.err

These are the GUIDs of Group Policy client side extensions referenced in the Windows 10 (TH1) ADMX files that might be needed with the /e option:

{2A8FDC61-2347-4C87-92F6-B05EB91A201A} MitigationOptions

{346193F5-F2FD-4DBD-860C-B88843475FD3} ConfigMgr User State Management Extension.

{3610eda5-77ef-11d2-8dc5-00c04fa31a66} Microsoft Disk Quota

{426031c0-0b47-4852-b0ca-ac3d37bfcb39} QoS Packet Scheduler

{4bcd6cde-777b-48b6-9804-43568e23545d} Remote Desktop USB Redirection

{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3} Internet Explorer Zonemapping

{4d968b55-cac2-4ff5-983f-0a54603781a3} Work Folders

{7b849a69-220f-451e-b3fe-2cb811af94ae} Internet Explorer User Accelerators

{BA649533-0AAC-4E04-B9BC-4DBAE0325B12} Windows To Go Startup Options

{C34B2751-1CF4-44F5-9262-C3FC39666591} Windows To Go Hibernate Options

{C631DF4C-088F-4156-B058-4375F0853CD8} Microsoft Offline Files

{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} TCPIP

{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} Internet Explorer Machine Accelerators

Exporting local policy to a GPO backup

To export the computer's local policy in the form of a GPO backup with an optional GPO display name, run LGPO.exe with this command line syntax:

LGPO.exe /b path [/n GPO-display-name]

LGPO.exe creates a subdirectory under path with a newly-generated GUID for the directory name, and exports local policy settings into that backup directory. The path directory must exist and be writable. If you specify a GPO display name that contains spaces, it must be quoted. The name is shown in the Import Settings Wizard in Active Directory Group Policy Management. If you do not specify a display name, LGPO.exe uses "Local Policy Export."

Use of this LGPO.exe mode requires administrative rights.

The GPO backup incorporates results from "secedit.exe /export," "auditpol.exe /backup," and the Machine and User registry.pol files under System32\GroupPolicy. If either registry.pol does not exist, LGPO.exe creates an empty registry.pol for the backup.

Parsing a Registry Policy file to LGPO text

The format of Registry Policy files is a documented, binary file format, normally produced by Group Policy editors such as GpEdit.msc. However, there have not been any good viewers or editors for directly manipulating those files. LGPO.exe defines a custom, Notepad-editable "LGPO text" file format to specify registry-based settings. LGPO.exe can read the content of a Registry Policy file and output it in LGPO text format. You can redirect this output to a file, edit it, and then import the modifications directly into local group policy using the /t option described earlier, or produce a new Registry Policy file incorporating your changes using the syntax described later in this document. You can also combine the LGPO text from multiple Registry Policy files into a single LGPO text file and produce a "merged" Registry Policy file with it.

LGPO.exe /parse [/q] {/m|/u} path\registry.pol

Registry Policy files do not contain information indicating whether they are for Computer or User configuration. Use /m to indicate that the file should be interpreted as Computer Configuration, or /u to indicate User Configuration. This is important if you later apply the settings using the /t option described earlier. LGPO.exe writes the LGPO text to standard output, where you can redirect it to a file.

You can also skip the redirection and output the content to the console for immediate viewing. LGPO.exe writes diagnostic and error information to standard error. With the /q option it writes to standard error only to report errors.

In this simple example, LGPO.exe converts the contents of a Registry Policy file and produces an LGPO text file from it. Standard error is not redirected, so diagnostic and error information is shown in the command shell console.

LGPO.exe /parse /m .\Win10\machine.pol > Win10Machine.txt

Building a Registry Policy file from LGPO text

With the /r and /w options, you can build a new Registry Policy file from an LGPO text file.

LGPO.exe /r path\lgpo.txt /w path\registry.pol [/v]

Note that because Registry Policy files do not contain information indicating whether they are for Computer or User configuration, those indicators in the LGPO text file are not used. The /v option produces verbose output.

LGPO text file format

The registry-based policy input files are Notepad-editable text files, and can be Unicode (little-endian - the Windows default) or ANSI text. Unicode input files must have a Byte Order Marker (BOM) in the first two bytes of the file. Most Windows tools that create Unicode files (including Notepad) automatically insert the correct BOM in the file.

A file can consist of any number of entries. Each entry consists of four consecutive lines:

Configuration

Registry Key

Value Name

Action

Configuration must be either "Computer" or "User", for Computer or User Configuration, respectively. It's case-insensitive, but leading/trailing whitespace is not allowed. Registry Key specifies the name of a registry key (not including the base key); e.g.,

SOFTWARE\Policies\Microsoft\some policy

Value Name is the name of the registry value to modify. The value (Default) can be used to denote the key's default value. (A dummy value such as "*" should be used for the CREATEKEY and DELETEALLVALUES actions.)

Action specifies what action to take, and must look like one of the following:

DELETE

Deletes the value (reverting a policy to "not configured")

DWORD:n

Sets the value to a REG_DWORD value n. E.g.,

DWORD:1

Values can be specified in hexadecimal by prepending "0x"; e.g.,

DWORD:0x1000

SZ:text

Sets the value to a REG_SZ (text) value text. E.g.,

SZ:Authorized users only!

EXSZ:text

Sets the value to a REG_EXPAND_SZ (expandable text) value text.

E.g.,

EXSZ:%USERPROFILE%\Desktop

MULTISZ:text

Sets a multi-string value. Use the character sequence \0 to separate multiple strings. Example:

MULTISZ:One\0Two\0Three

BINARY:data

Sets a binary value. Use comma-separated, two-digit hex values on a single line. Example:

BINARY:00,ff,01,fe,02,fd,03,fc

CREATEKEY

Create the key, but do not create any values. (Use "*" on the Value Name line.)

DELETEALLVALUES

Delete all values from the registry key. (Use "*" on the Value Name line.)

Because the Action must be specified on one line, the SZ, EXSZ, and MULTISZ string specifiers each support the escape sequences \r, \n, and \\, to indicate carriage return, line feed, and backslash, respectively.

The four lines of an entry must be on consecutive lines. Entries can be separated by blank lines or by comment lines. Blank lines cannot contain any whitespace. Comment lines must begin with a semicolon character. Here is some sample content:

; Revert the Intranet zone's "Java Permissions" setting to "not configured"
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1C00
DELETE

; Set the Trusted Sites zone's "Java Permissions" setting to "High Safety"
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1C00
DWORD:0x10000

; Enable "Prevent ignoring certificate errors"
Computer
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
PreventIgnoreCertErrors
DWORD:1

; Set IE's "Disable AutoComplete for forms" in User Configuration
User
Software\Policies\Microsoft\Internet Explorer\Main
Use FormSuggest
SZ:no

; Removes all "allowed remote assistance helpers"
Computer
Software\Policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
*
DELETEALLVALUES

; Create an empty registry key
Computer
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
*
CREATEKEY
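A parser for the LGPO text format described above, as an added example written for this page (it is not code from Microsoft's LGPO.exe). It enforces the rules the format section states: four consecutive lines per entry, comment lines starting with a semicolon, blank lines without whitespace, Computer/User without surrounding whitespace, "*" for CREATEKEY and DELETEALLVALUES, DWORD in decimal or 0x hex, MULTISZ split on \0, BINARY as two-digit hex bytes, and the \r, \n and \\ escapes. The sample text at the bottom is constructed from the page's own entries plus one MULTISZ entry under a made-up key and value name:

```python
# Added example for this page, not code from LGPO.exe: a parser for the LGPO text
# format. SAMPLE is constructed from the page's entries plus one made-up MULTISZ entry.
import re
from dataclasses import dataclass
from typing import Any, List


@dataclass
class Entry:
    scope: str         # "Computer" or "User"
    key: str           # registry key without the base key
    value_name: str
    action: str        # DELETE, DWORD, SZ, EXSZ, MULTISZ, BINARY, CREATEKEY, DELETEALLVALUES
    data: Any = None   # decoded payload; None for the three data-less actions


def _unescape(text: str) -> str:
    # Only \r, \n and \\ are defined by the format; other backslashes are left alone.
    return re.sub(r"\\([rn\\])",
                  lambda m: {"r": "\r", "n": "\n", "\\": "\\"}[m.group(1)], text)


def _decode_action(action: str, value_name: str):
    if action == "DELETE":
        return action, None
    if action in ("CREATEKEY", "DELETEALLVALUES"):
        if value_name != "*":
            raise ValueError(f"{action} requires '*' on the Value Name line")
        return action, None
    kind, sep, payload = action.partition(":")
    if kind == "DWORD" and sep:
        return kind, int(payload, 16) if payload.lower().startswith("0x") else int(payload)
    if kind in ("SZ", "EXSZ") and sep:
        return kind, _unescape(payload)
    if kind == "MULTISZ" and sep:          # split on the literal \0 first, then unescape
        return kind, [_unescape(part) for part in payload.split("\\0")]
    if kind == "BINARY" and sep:
        parts = payload.split(",")
        if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
            raise ValueError(f"BINARY needs comma-separated two-digit hex: {payload!r}")
        return kind, bytes(int(p, 16) for p in parts)
    raise ValueError(f"unknown action {action!r}")


def parse_lgpo_text(text: str) -> List[Entry]:
    lines = text.splitlines()
    entries, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line == "" or line.startswith(";"):
            i += 1
            continue
        if line.strip() == "":
            raise ValueError(f"line {i + 1}: blank lines must not contain whitespace")
        block = lines[i:i + 4]
        if len(block) < 4:
            raise ValueError(f"line {i + 1}: an entry needs four consecutive lines")
        scope, key, value_name, action = block
        if scope != scope.strip() or scope.lower() not in ("computer", "user"):
            raise ValueError(f"line {i + 1}: Configuration must be Computer or User")
        if not key or key.startswith(";"):
            raise ValueError(f"line {i + 2}: missing Registry Key")
        kind, data = _decode_action(action, value_name)
        entries.append(Entry(scope.capitalize(), key, value_name, kind, data))
        i += 4
    return entries


def lgpo_text_is_valid(text: str) -> bool:
    try:
        parse_lgpo_text(text)
        return True
    except ValueError:
        return False


SAMPLE = """; Revert the Intranet zone's "Java Permissions" setting to "not configured"
Computer
Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1
1C00
DELETE

; Set the Trusted Sites zone's "Java Permissions" setting to "High Safety"
Computer
Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2
1C00
DWORD:0x10000

User
Software\\Policies\\Microsoft\\Internet Explorer\\Main
Use FormSuggest
SZ:no

Computer
Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\RAUnsolicit
*
DELETEALLVALUES

; Constructed entry (made-up key and value name) exercising MULTISZ and the \\n escape
Computer
SOFTWARE\\Policies\\Example
Banner
MULTISZ:Authorized users only!\\0Line two\\nwrapped
"""
```

Running parse_lgpo_text(SAMPLE) yields five entries; the DWORD decodes to 65536, the MULTISZ to two strings with a real line feed inside the second, and a whitespace-only blank line or a CREATEKEY entry without "*" is rejected the way the format section says LGPO.exe would refuse it.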