Operations Manager 2007 RC1

Microsoft OM 2007 (the successor to MOM 2005) RC1 is now available on the Connect website. Improvements over the beta include:

  • Improved install process
  • Major usability improvements made to the UI
  • Updated Management Packs and new Active Directory MP
  • Ability to Gateway
  • Certificate manage non-trusted devices
  • Support for more deployment topologies including multiple management servers
  • Improved stability

You will need to uninstall the beta release to install RC1.  As promised, RC1 can be upgraded to RC2 and then to RTM.

SA Expiration and Office 2007

Bink is reporting that Gartner is saying Microsoft is making allowances for clients whose Software Assurance agreements are expiring this month.  Office 2007 was originally expected to be released this month but it will not hit the shelves for a while yet.  Microsoft is granting upgrade rights to Office 2007 for anyone who has an SA agreement that includes Office and that expires this month.  This includes anyone not intending to renegotiate.

Windows Media Player 11 Released

OK, it’s not really much of an infrastructure story, but things have been slow in the MS world over the last few days.  Windows Media Player 11 was released late last night.  There’s a 32 and a 64bit edition.  For someone like me who just listens to the odd MP3, CD or ESPN broadcast, there’s not much of interest other than a nice new slate grey skin.  I’m told that media junkies will appreciate it, especially some new library functions.

I’m preparing to finally sit the 70-296 exam to upgrade my MCSE (about time).  I’ve done my brushing up and all I need now is an opening to actually sit the exam … come on Prometric!  I’m starting to work on Windows 2003 SP2 beta and Windows Deployment Services.  I hope to get a good bit done on that this weekend.  It’s looking much bigger than I originally anticipated.  Some documentation will appear on here when I’m done.  I’ve also started reading Mark Minasi’s (and co) new "Mastering … " book on Windows 2003 SP1 and R2.  It’s excellent.  The list of contributors is a real who’s-who in the Microsoft Windows world.

Office Genuine Advantage

Betanews is reporting that starting from today, any downloads for Microsoft Office will require you to go through a validation process, regardless of your licensing.  Today it appears that only downloading templates is affected.  Starting in January, it appears all downloads will be affected.

If your copy is installed with a known stolen license key then you can expect some very bad things to start happening after going through this process.

RIS on VMware: No Boot Filename Received

I’m doing some stuff on VMware at home that requires a Windows 2003 SP1 RIS installation.  I set up my test domain with a DC and workstations.  I got RIS ready and started up a client in PXE mode only to get this:

PXE-E53:  No boot filename received

PXE-M0F: Exiting Intel PXE ROM
Operating System not found

I’ve been working with RIS since 2003 and I thought I’d seen everything.  Don’t get me wrong, I think it’s been an excellent but underused part of Windows Server.  I used it for 2 years to build PC’s on the network that I designed and managed.  I googled about for a while and found plenty of people looking for help on this problem without any joy.  And then I found a blog entry by a Mark Michaelis that resolved the problem.

I had to add two scope options onto my DHCP server that I’d not seen before:

  • 066 Boot Server Host Name: <RIS Server IP Address>
  • 067 Bootfile Name: OSchooser\i386\startrom.com

I fired up the client again and everything worked.  Thanks Mark!

A quick update:

Note that my RIS server was also my DHCP server.  DHCP was previously installed and authorised.  This may have caused the above problem.  I also had another problem once I had successfully launched the RIS client.  The client failed to read configuration data for the RIS service.  I unauthorised and reauthorised DHCP and this resolved the problem.  RIS worked perfectly after this (and quite quickly too I must add).

Oh, I’ve only had a quick read, but anyone planning on using Windows Deployment Services (the successor to RIS in Windows 2003 SP2 and Longhorn) will need to be familiar with the above two DHCP scope options.
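To see from a packet capture why a PXE client reports "No boot filename received", the DHCP reply can be checked for the two values above. The following is an added example, not code from the original post: it parses a DHCP reply and returns the boot server and boot file the client would see, using constructed sample packets and constructed addresses (192.168.1.10 and 192.168.1.50 are assumptions, as are all function names).

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def parse_options(buf):
    """Walk the type/length/value option area and return {code: value}."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != 255:      # 255 = End
        if buf[i] == 0:                        # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % buf[i])
        code, length = buf[i], buf[i + 1]
        opts[code] = opts.get(code, b"") + buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def _text(raw):
    """NUL-terminated field -> str, or None when empty."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace") or None

def boot_info(packet):
    """Return (boot_server, boot_file) as a PXE client would see them."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = parse_options(packet[240:])
    # Option 52 (overload): header fields carry options, not names (not parsed here)
    overload = (opts.get(52) or b"\0")[0]
    sname = None if overload & 2 else _text(packet[44:108])
    bfile = None if overload & 1 else _text(packet[108:236])
    server = _text(opts.get(66, b"")) or sname
    return server, _text(opts.get(67, b"")) or bfile

def opt(code, text):
    """Encode one string-valued option."""
    return bytes([code, len(text)]) + text.encode("ascii")

def make_offer(options=b"", bfile=b""):
    """Constructed DHCPOFFER for client 192.168.1.50; not a real capture."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes([192, 168, 1, 50]), bytes(4), bytes(4),
                      bytes(16), b"", bfile)
    return hdr + MAGIC + b"\x35\x01\x02" + options + b"\xff"

if __name__ == "__main__":
    fixed = opt(66, "192.168.1.10") + opt(67, r"OSchooser\i386\startrom.com")
    for name, pkt in (("before", make_offer()), ("after", make_offer(fixed))):
        server, bootfile = boot_info(pkt)
        print(name, server, bootfile or "no boot filename (PXE-E53)")
```

The boot file can arrive either in option 067 or in the fixed BOOTP `file` header field, so the check looks at both before concluding it is missing.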

Terminal Services, Profiles and ABE

My current client is in the process of deploying a new Windows 2003 Active Directory and a Citrix PS4 environment.  Requirements for the Citrix environment are:

  • They want to use mandatory profiles (if at all possible).
  • They wish to use controlled start menus and desktops.
  • They want to install all applications on each server.
  • They want to publish the desktop to users via WYSE terminals.
  • They want to control access to licensed applications.
  • License controls should be done via Domain Global or Domain Local groups.

Hmm. 

A well known Citrix expert consultancy firm recommended that they use scripts to build a user’s start menu and desktop based on group membership.  Nasty!  I like scripts but this would be a pain to own and maintain over time.  I first became aware of the Citrix requirements at a progress meeting yesterday.  I listened quietly and then I had what was either a brainwave or a brain fart that evolved a bit.

  • A single startmenu and desktop would be hosted on a DFS file share (replicated on the LAN).
  • Shortcuts for all applications would be installed in the start menu (and desktop as necessary).
  • Shortcuts for restricted access programs would be permissioned using a suitably named domain group.
  • The program folders for the restricted programs would be secured using the same groups.
  • Users logging onto the Citrix servers would get the shared start menu and desktop via redirected folders and loopback group policy processing.
  • ABE (Access Based Enumeration) would be installed on the hosting machines and configured for the replica shares.

One of the guys gave this a test and it worked.  A user with restricted access only downloaded the shortcuts they should have had access to.  I was expecting to see loads of USERENV errors in the application log on the server but there were none.  It appears to work really nicely.  I’m now wondering if we need ABE in this equation.  We’ll see how it goes in future testing.

Internet Explorer 7 Automatic Deployment

Although it’s a great product, many have justification to be worried about the soon (November 1st) automated deployment of IE7.  IE7 will be made available via Automatic Updates and the Microsoft updates catalogue (SMS and WSUS).  Many are asking how to block this automatic installation.

  • If you use automatic updates enabled on your PC then you can block the IE7 installation using a blocker toolkit.  Unlike the XP SP2 blocker, there is no timeout or timebomb.  You will still be able to manually install IE7 if you wish.  There is an ADM file so you can use group policy to control the blocker (reinforce the block setting) and also to remove the block setting if you want.
  • Anyone with automatic updates enabled and who does not have local administrative rights will not download nor install the product, regardless of whether the blocker toolkit is installed or not.
  • If you maintain control over automatic update approval then you can prevent the installation by choosing to deselect it.
  • Anyone using SMS has complete granular control should IE7 appear in the catalogue for the Inventory Tool for Microsoft Updates.
  • The WSUS team have revealed that IE7 will download as an Update Rollup.  You should choose to maintain manual control over update rollup authorisation (Options – Automatic Approval Options) if you are using WSUS (the current version being V2.0) and do not want to automatically deploy IE7.  You can choose to decline the update when it appears.

Microsoft Update: Wireless Fix

Microsoft released a security patch or "security upgrade" for Windows XP SP2 machines with wireless NIC’s:

  • WPA2 can be configured using group policy.
  • A wireless computer can be configured not to broadcast the networks it wishes to connect to.
  • A vulnerability for "parked" or disconnected wireless clients has been resolved.
  • You must now manually choose to join an ad-hoc network instead of being automatically joined.

Make sure you test the update before deploying.

Credit goes to Michael Kassner for the alert.

Windows Defender Debuts

Windows Defender has gone live!  After a very long public beta program, the anticipated anti-spyware solution has been made available for free download to licensed users of Microsoft Windows.  Features include:
 
  • Enhanced performance through a new scanning engine.
  • Streamlined, simplified user interface and alerts.
  • Improved control over programs on your computer using enhanced Software Explorer.
  • Multiple language support with globalization and localization features.
  • Protection technologies for all users, whether or not they have administrator rights on the computer.
  • Support for assistive technology for individuals who have physical or cognitive difficulties, impairments, and disabilities.
  • Support for Microsoft Windows XP Professional x64 Edition.
  • Automatic cleaning according to your settings during regularly scheduled scans.

You’ll see that the MS blurb says it supports x64.  Well, I ran it in beta on x64 and it brought my machine to its knees.  Mark Russinovich reported a similar experience soon after his laptop joined the Microsoft network.  Maybe this has been fixed. *fingers crossed*

I was very impressed with it on x64, especially the Internet Explorer fixing function.  It compared well with other products, sometimes it caught things they didn’t and vice versa.

If you don’t have an anti spyware solution now then this free option might be for you.  Forefront Client Security will include this engine when it goes live (around April next year).  This corporate solution will likely include management from a central console and possibly via Group Policy.  I’m hoping to get on the beta program which has started on a limited basis.

You can see a comparison of the various anti-malware solutions from Microsoft on their website.

One thing I do like about Defender … it uses Automatic Updates to update its definitions.  This will be a bandwidth saver for those who install it on company networks.  It also simplifies your distribution mechanism.  This will make it a viable solution for those who want to run it alongside a cheap or free AV product.

Microsoft SMS 2003 Desired Configuration Monitoring 2.0

A new version (2.0) of the SMS 2003 Desired Configuration Monitoring feature pack has been released.  DCM 2.0 allows administrators to audit servers and desktops to ensure that they comply with approved configurations.  Reports can be generated to identify non-compliant machines.  This new version sports a new user interface for defining models.

Modelling is a key component of Microsoft’s Dynamic Systems Initiative for design, monitoring and control and we will see more and more of this concept, e.g. Capacity Planner, Operations Manager 2007, etc.