myITforum.com

Richard Dixon's Blog

  • Forgot About NAP!

    I was chilling at home building a new computer with my RTM version of Vista. I joined it to my home domain and tried accessing Live.com, first thinking live.com was down. Later I started wondering about my Comcast connection, then I started doubting my router. So I thought for a while, trying to figure out what was wrong. Only then did I decide to pay attention to the little orange shield in the task bar. I remember glancing over it earlier, but I disregarded it as an indicator of the firewall for some reason. Once I investigated the orange shield, I found myself in quarantine.

    I forgot that NAP was enabled on my home network… Click on the screen shot below.


    Gotta love it …

    [Screenshot: clip_image002]

  • Solution to SCVMM Error (402) "Library server is not associated with this Virtual Machine Manager server."

     

    1. go into the VMM database to the table tbl_WLC_VObject, and change the ObjectState field of the problem VM, which probably has the value 104, to value 1

    ** At this point, I went directly to the table and edited the value manually. Of course I only did this because this is a lab environment.

    update dbo.tbl_WLC_VObject
    set ObjectState = 1
    where Name = '<VM name>'

    2. In the VMM admin console, your VM will now have the status Missing; now just delete the VM and it's gone.

    Answer found here: --> http://social.technet.microsoft.com/Forums/en-US/virtualmachinemanager/thread/872034ba-3545-4431-b9f6-07ee8c65188b

     

  • The Most Secure Way to Provision SCUP Certificates for Client Machines and the WSUS/SCUP Server

    Description: The Most Secure Way to Provision System Center Update Publisher (SCUP) Certificates for Client Machines and the WSUS/SCUP Server.

    Supporting Article: http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/f53e8ee3-dfc9-4d4b-92e6-447546150853

    Notice which certificate type SCUP uses, or will accept, when you configure the certificate under Settings in the SCUP console: SCUP will only accept .PFX (Personal Information Exchange) certificates. This means that .CER certificates cannot be used with SCUP. If you use a certificate you configured for IIS and WSUS, as the above article describes, you have to export the certificate to a .PFX file before SCUP will accept and can use it.

    Since this isn't mentioned in the documentation, or I can't find it, members of my team, and I'm sure others, were exporting the .CER type certificate, which does not work and is not accepted by the SCUP product.

    So what should be known and what I've discovered is the following:

    You must use a .PFX Personal Information Exchange certificate when importing a cert into SCUP under the Settings option. Since a .PFX cert holds the public and private key, you do not want to deploy this type of certificate to client machines. This would be like giving out your login ID and password to everyone that gets the certificate.

    What you want to do is export ONLY the Public Key portion of the PFX certificate, which then will be a .CER certificate built from the .PFX certificate and only has the Public Key. Then you can use Group Policy to deliver the certificate to clients.

    So I would see the steps as follows:

    On the WSUS/SCUP Server

    Step 1. Click Start -> Run -> MMC

    Step 2. File -> Add/ Remove Snap-In -> Add -> Certificates

    Step 3. Choose Computer account -> Local Computer -> Add -> Close -> OK

    Step 4. Expand Certificates (Local Computer) -> Expand WSUS -> Click Certificates

    Step 5. Find the certificate you created for use with WSUS/SCUP, or find the self-signed certificate automatically created by SCUP. Right click it -> All Tasks -> Export. This must be the .PFX certificate, the one that holds the private key.

    Note and Remember: A .PFX Personal Information Exchange certificate holds the public and private key. So 1. you don't want to deploy this type of certificate to client desktop computers, and 2. you do not need this type of certificate in the Trusted Publishers and Trusted Root Certification Authorities stores. The .CER type certificate will work just fine there and does not have the private key associated with it.

    Step 6. Click Next -> No, do not export the private key -> Next -> Select Base-64 encoded X.509 (.CER) -> Provide a location to export the certificate to -> Next -> Finish, to export the certificate.

    Note: Base-64 encoded X.509 (.CER) is the format to select when exporting to a (.CER) certificate; it is a text encoding of the public certificate only, not encryption.

    For Provisioning the Certificate on the WSUS/SCUP server.

    Step 7. Expand Certificates (Local Computer) -> Expand Trusted Publishers -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Step 8. Expand Certificates (Local Computer) -> Expand Trusted Root Certificate Authorities -> Click Certificates -> All Tasks -> Import -> Next -> Browse to the cert.CER file you just exported -> Next -> Ensure Place all certificates in the following store is selected. -> Next -> Finish, to complete importing the certificate.

    Now you only have the public key in the "Trusted Root Certification Authorities" and "Trusted Publishers" stores.

    Note: Whether you import your own .PFX cert or use the self-signed cert SCUP creates in the WSUS certificate store, the certificate with its private key now exists in only one location on the WSUS/SCUP server, and the trust stores hold only the public key. This is the most secure way of configuring the SCUP certificate.

    Step 9. Perform Steps 7 and 8 to import the certificate manually on client machines. Or you can use Group Policy to deploy the cert.cer to client machines.
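    The same procedure (Steps 5 through 8) scripted in PowerShell, as an added example that is not part of the original post: it exports only the public portion of the signing certificate to a Base-64 .CER, checks that the file carries no private key and matches the source thumbprint, then imports it into Trusted Publishers and Trusted Root Certification Authorities. It assumes the certificate sits in the local machine WSUS store, that the subject filter and output path below are placeholders you adjust, and that it runs in an elevated session on the WSUS/SCUP server (the .NET X509Store class is used so it also works on Windows Server 2008, which has no Import-Certificate cmdlet).

```powershell
# Added example, not code from the original post. Assumed placeholders: subject filter and path.
$SubjectMatch = 'WSUS Publishers Self-signed'   # assumption: subject text of the SCUP signing cert
$CerPath      = 'C:\Temp\scup-public.cer'       # assumption: where the public .CER is written

# Step 5: locate the certificate in the local machine WSUS store.
$src = Get-ChildItem -Path Cert:\LocalMachine\WSUS |
       Where-Object { $_.Subject -like "*$SubjectMatch*" } |
       Select-Object -First 1
if (-not $src) { throw "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\WSUS" }
if (-not $src.HasPrivateKey) {
    Write-Warning 'Source certificate has no private key; SCUP itself needs the .PFX that holds it.'
}

# Step 6: RawData is the DER-encoded certificate only; the private key is never part of it.
# Wrap it as Base-64 encoded X.509 (the same format the MMC export wizard produces).
$b64   = [Convert]::ToBase64String($src.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $CerPath -Value $pem -Encoding Ascii

# Check 1: the file contains no private-key block of any kind.
if (Select-String -Path $CerPath -Pattern 'PRIVATE KEY' -Quiet) {
    throw "$CerPath contains private key material; do not deploy it"
}

# Check 2: reloading the file gives the same certificate, and it has no private key.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($pub.Thumbprint -ne $src.Thumbprint) { throw 'Exported certificate does not match the source' }
if ($pub.HasPrivateKey) { throw 'Exported certificate unexpectedly carries a private key' }

# Steps 7 and 8: import the public certificate into Trusted Publishers and Trusted Root.
foreach ($storeName in 'TrustedPublisher', 'Root') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($pub)
    $store.Close()
}

# Check 3: neither trust store holds a private key for this thumbprint.
foreach ($storeName in 'TrustedPublisher', 'Root') {
    Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
        Where-Object { $_.Thumbprint -eq $src.Thumbprint -and $_.HasPrivateKey } |
        ForEach-Object { throw "Private key present in the $storeName store" }
}
"Public certificate $($src.Thumbprint) exported to $CerPath and trusted in TrustedPublisher and Root."
```

    The same .CER file is what Step 9 delivers to clients by Group Policy; the three checks are the part worth keeping around, since a .PFX that has slipped into a trust store or a GPO share is exactly the mistake the post warns about.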

  • Resolution: Workaround to Error 2912 "No more threads can be created in the system (0x800700A4)" in SCVMM

    I'm posting a workaround for an issue I found and noticed other people running into. So far I have not seen or found a root cause or a fix, but this workaround is the best I have discovered and is better than rebooting the Hyper-V host to resolve the issue.

    Link to the Article on Tech Net:
    URL: http://social.technet.microsoft.com/forums/en-US/virtualmachinemanager/thread/ac48fd59-3de9-4191-8466-25bedee3f5b1

    Workaround:
    Though I have not found the root cause, I did find something of a workaround that quickly brings the Hyper-V host back to a functional state.

    When I see the error:

    Error (2912)
    An internal error has occurred trying to contact an agent on the servername.domain.com server.
    (No more threads can be created in the system (0x800700A4))
    Recommended Action
    Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent.

    I go to Services and restart the "Windows Management Instrumentation" service. Restarting this service also restarts the following services (if they are on your server):

    • Hyper V Virtual Machine Management
    • Virtual Machine Manager Agent
    • Hyper-V Image Management Service
    • Hyper-V Networking Management Service
    • IP Helper
    • EMC PowerPath Service 5.1.2
    • SMS Agent Host

    Due to the type of services that are also restarted when doing this, if the Hyper-V host is in production I would suggest doing this with caution and sending a user awareness notification for the temporary outage. The outage is small, depending on how long it takes for certain services to start.

    Because the Hyper-V Image Management Service is restarted, users will not be able to remote control a virtual machine or may be kicked off their VM remote control session. And if you are doing this while connected to the Hyper-V host server over Terminal Services, you may lose TS connectivity momentarily.
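    An added example, not from the original post, that puts a check in front of the workaround above: it lists the running services that depend on WMI (the ones a forced restart will take down, which on a Hyper-V host include the services named in the list) so the outage notice can name them, and only performs the restart when the preview switch is dropped. It assumes an elevated PowerShell session on the Hyper-V host; the function names are mine.

```powershell
# Added example, not code from the original post.

function Get-WmiRestartImpact {
    # Running services that depend on winmgmt; Restart-Service -Force stops and restarts them.
    $wmi = Get-Service -Name winmgmt
    $wmi.DependentServices |
        Where-Object { $_.Status -eq 'Running' } |
        Sort-Object DisplayName |
        Select-Object Name, DisplayName, Status
}

function Restart-WmiWithDependents {
    param([switch]$WhatIf)   # preview the impact without touching anything
    $impact = Get-WmiRestartImpact
    "The following running services will be restarted along with winmgmt:"
    $impact | Format-Table -AutoSize | Out-String
    if ($WhatIf) { return }

    # -Force is required because winmgmt has running dependents (the list above).
    Restart-Service -Name winmgmt -Force

    # Confirm that everything that was running before is running again; a dependent
    # such as the VMM agent or SMS Agent Host that stays stopped needs a manual start.
    foreach ($svc in $impact) {
        $now = (Get-Service -Name $svc.Name).Status
        if ($now -ne 'Running') { Write-Warning "$($svc.DisplayName) is $now after the restart" }
    }
}

Restart-WmiWithDependents -WhatIf   # drop -WhatIf to actually perform the restart
```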

     

     

  • Solution to: HyperV unstable vmms service crashes periodically

    Problem Statement:

    I am getting an error that is causing the hyperV to be unstable. I have 3 hyperV servers in my test env, running about 45 clients. All 3 are reporting this error at some point through the day. This often means that I need to restart the service hyperV Virtual Machine manager, and obviously during that time the SCVMM server (which is a VM client within these 3) loses contact until the service is restarted.

     

    Article and Solution: http://social.technet.microsoft.com/Forums/en-US/virtualmachingmgrhyperv/thread/02adb29a-c3b8-41c5-80fc-99e6a67d39fc 

     

    Answer:

    The problem is a known bug and is fixed in Windows 2008 SP2.
    The problem is due to having a virtual machine configured with a SCSI adapter that does not have a drive attached to it. I had virtual machines with this configuration. Since removing the unused SCSI adapter, my Hyper V service does not stop and restart.
    So go through each VM and remove any SCSI adapters that do not have a drive associated with them.
    Hope this helps you guys.
    Thanks


  • Virtual Machines found stuck with status "Starting" in Hyper-V / workaround

    Recently I found some of my virtual machines stuck in a starting state. When I right click on the VMs that are stuck in the starting state, I only receive the following options: Connect...; Settings...; Rename... and Help (screen shot below).

    [Screenshot: context menu of a VM stuck in the Starting state]

    I was unable to force Shut down the VM or Stop the VM using the context menus. Even after stopping and restarting all three of the Hyper-V services,

    1. Hyper-V Image Management Service
    2. Hyper-V Networking Management Service
    3. Hyper-V Virtual Machine Management

    the VMs are still in the stuck state and still will not stop or continue to start.

    I rebooted the Hyper-V host server, and the VMs stayed in the stuck state. I took a look at Task Manager to see if either of the services was using an abnormal amount of memory or anything out of the ordinary. Nothing really stood out as being strange. But I did notice a series of processes running with the name "vmwp.exe" and the description Virtual Machine Worker Process, about as many as I had VMs configured on the Hyper-V host. I noticed that most of the processes were consuming around 4,000k to 5,000k of memory (Private Working Set) or more, but 6 of these processes were only using about 500k or 600k of memory. This was the exact number of VMs I had stuck in the starting state.

    So I decided to kill one of the processes that was around 500k, and as soon as I did, one of the VMs in the starting state kicked off like it was starting for the first time, showing the starting percentage indicator; then the VM started and its status changed to Running. I didn't get a snapshot of the processes running with low memory for a VM that was stuck in the starting state, but I have posted a snapshot of what I'm referring to below.

    Weird! This is how I resolved the issue I had. Hopefully this will help someone else if anyone else is having this issue, and if so, hopefully we'll find the right solution.

    [Screenshot: vmwp.exe processes in Task Manager]
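    An added example, not from the original post, that turns the Task Manager observation above into a report: it lists every vmwp.exe worker process with its private memory and the VM it belongs to, and flags the unusually small ones so they can be checked against the VMs showing "Starting" before anything is terminated. It assumes Hyper-V on Windows Server 2008 (the root\virtualization WMI namespace), an elevated session, that vmwp.exe carries the VM GUID on its command line, and a threshold of 1 MB chosen from the post's 500k figure; Win32_Process reports private bytes rather than the Private Working Set column, which is close but not identical.

```powershell
# Added example, not code from the original post.

function Get-VmWorkerProcessReport {
    param([int]$SmallThresholdKB = 1024)   # assumption: below this is "suspiciously small"

    Get-WmiObject -Class Win32_Process -Filter "Name = 'vmwp.exe'" | ForEach-Object {
        # Assumption: the worker process is started with the VM's GUID as an argument.
        $vmId = if ($_.CommandLine -match '([0-9A-Fa-f-]{36})') { $Matches[1] } else { 'unknown' }

        # Resolve the GUID to the VM's display name through the Hyper-V WMI provider.
        $vm = Get-WmiObject -Namespace root\virtualization -Class Msvm_ComputerSystem -Filter "Name = '$vmId'"

        $privKB = [int]($_.PrivatePageCount / 1KB)   # PrivatePageCount is in bytes
        New-Object PSObject -Property @{
            PID            = $_.ProcessId
            VMName         = if ($vm) { $vm.ElementName } else { 'unknown' }
            VMId           = $vmId
            PrivateBytesKB = $privKB
            Suspicious     = ($privKB -lt $SmallThresholdKB)
        }
    } | Sort-Object PrivateBytesKB
}

# Smallest workers first; cross-check the Suspicious rows against the VMs stuck in Starting.
Get-VmWorkerProcessReport | Format-Table PID, VMName, VMId, PrivateBytesKB, Suspicious -AutoSize
```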

  • Protect against Virtual Machines with Network Access Protection

    It's upon us again, MMS 2009, and I'm going to try to be there to talk about how you can enable and configure your environment to protect your network with Network Access Protection against virtual machines on virtual private networks that have connectivity to the physical network. The presentation I plan to give will show how to enable a protected network from virtual environments.

    I will show you how to automate a complete solution, enabling you to deploy virtual machines with WDS using SCVMM 2008, Hyper V and SCCM 2007 on a Windows Server 2008 Active Directory Network with Network Access Protection (NAP) enabled. I will show a demo on an automated provisioning process that will allow deployed virtual machines to receive the System Center Configuration Manager client using Active Directory Group Policy and WMI filtering as the discovery method. This allows targeting of virtual machines with specific group policies to allow Windows Software Updates Services (WSUS) & ConfigMgr Software Update Point (SUP) client installation configurations to automate the client installation.  

    As we all know, a virtual machine can be configured with a private internal network adapter, which does not allow the virtual machine to connect to the physical network, so it wouldn't matter if the virtual machine is unhealthy; or with an externally facing network adapter that is connected to the physical network, in which case, if joined to the corporate domain, the virtual machine will have access to the physical network and the resources the Hyper-V host is sitting on. When an administrator deploys a virtual machine that is connected to the physical network, this solution can automate discovery of that virtual machine and protect your network from virtual machines that may be unpatched or unhealthy.

    I will show the virtual machines go in quarantine soon after a WDS deployment and how the virtual machine will automatically receive the System Center Configuration Manager client, following the client installation, all required software updates are installed as well which will be followed by a post configuration custom software update developed with System Center Custom Update Publishing Tool. 

    This solution addresses the possibility of un-patched virtual machines being deployed to a corporate enterprise network. This solution integrates software updates management, automated client deployment for the Configuration Manager client, WDS for operating system deployments, Active Directory Group Policy as the targeting method, custom software updates with SCUP, and Network Access Protection for systems health validation. This solution also has the potential of reaching 99% client coverage within an enterprise, provided standards and standard configurations are put in place and adhered to.

    In my opinion, getting to 99% coverage on client deployments was not possible until the introduction of System Center Configuration Manager 2007 and its newest feature, WSUS/Software Update Point Client Installation. I wrote an article for this solution; you can find it Here!.

    Network Access Protection (NAP) is a new set of operating system components in Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 that provides a platform for system health validated access to private networks. This solution will show how to extend the platform to also validate virtual machines deployed on virtual networks that inter-connect with the physical network. 

    The NAP platform provides an integrated way of validating the health state of a network client that is attempting to connect to or communicate on a network and limiting the access of the network client until the health policy requirements have been met. These policy requirements can also be extended to include virtual private networks for network environments that allow administrators to deploy and manage their own virtual machines that will have access to the corporate physical network.

    As I see the requirements, to validate access to a network based on virtual machine system health, a network infrastructure needs to provide the following areas of functionality:

    · Health state validation

    · Network access limitation 

    · Automatic remediation 

    · Ongoing compliance 

    · Virtual machine discovery - how is this done? I will have more on this at MMS 2009 in Las Vegas and on my blog soon after.

    I'll let you know if and when its official that I'll be there at MMS in 2009...
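    The virtual machine discovery piece above relies on Group Policy WMI filtering. As an added example that is not part of the original post, here is the test such a WMI filter performs, run directly so you can see which machines a VM-targeted policy would land on. The WQL is my assumption (the post does not show its filter); it relies on Hyper-V guests reporting Manufacturer "Microsoft Corporation" and Model "Virtual Machine" in Win32_ComputerSystem. The computer list is constructed; in practice you would feed it from Active Directory.

```powershell
# Added example, not code from the original post. The query is an assumption.

# This is the query to paste into a WMI filter (namespace root\CIMv2) in the Group Policy
# Management Console; the linked GPO then applies only where the query returns a row.
$VmFilterQuery = "SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = 'Microsoft Corporation' AND Model = 'Virtual Machine'"

function Test-IsHyperVGuest {
    # Evaluates the filter the same way the Group Policy client would: a row means "apply".
    param([string]$ComputerName = '.')
    $hit = Get-WmiObject -Namespace root\CIMv2 -Query $VmFilterQuery -ComputerName $ComputerName
    [bool]$hit
}

function Get-HyperVGuestReport {
    # Reports, for each computer, whether the VM-targeted policy would apply, and keeps
    # WMI/RPC errors in the output instead of aborting the run.
    param([string[]]$ComputerName = @('.'))
    foreach ($c in $ComputerName) {
        try   { $isVm = Test-IsHyperVGuest -ComputerName $c; $err = '' }
        catch { $isVm = $null; $err = $_.Exception.Message }
        New-Object PSObject -Property @{ Computer = $c; IsHyperVGuest = $isVm; Error = $err }
    }
}

# Constructed list: the local machine plus two placeholder names.
Get-HyperVGuestReport -ComputerName '.', 'VM-PLACEHOLDER-01', 'HOST-PLACEHOLDER-01' |
    Format-Table Computer, IsHyperVGuest, Error -AutoSize
```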

  • Best Practice for SHV placement

    System Health Validator Placement

    I'm writing this post in response to some Configuration Manager 2007 Network Access Protection questions I received during the MMS 2008 conference.

    "Where should the System Health Validator Point Role (SHV) be placed in the ConfigMgr 2007 hierarchy?" The quick, simple answer is at the Central Site in the hierarchy, or at the Site where your ConfigMgr administrators perform their daily administrative duties. Some companies may have a Site or Reporting Site sitting on top of the Central Site of the hierarchy, as shown below.

    [Diagram: Reporting Site above the Central Site]

    For the above design, you will want to install a System Health Validator Point Role (SHV) from the Central Site, just the same as if you do not have a Reporting Site sitting over the Central Site of the hierarchy.
    Installing a SHV, and all subsequent additional SHVs, from the Central Site is recommended and provides centralized management of all SHV settings and configurations. Below is a list of reasons to install all SHVs from one Site, the Central Site server.
    All SHV settings and configurations are set by modifying the System Health Validator Point Component from the Component Configuration node under Site Settings within the ConfigMgr Console. Settings and configurations set here apply to all SHVs that are installed from the same site.
    Note: The SHV has no bi-directional communication with the Site server it is installed from. So the SHV can actually be installed from any Site within the hierarchy, but there is no benefit or additional functionality in doing so. Please don't make the mistake of thinking that you need a SHV per Site. One SHV can serve one hierarchy.
    You can stage up to 4 NPS/SHV servers that clients can communicate with. Clients will use the first NPS/SHV server in the client's Trusted Server Group. Below are the configuration settings of the SHV/NPS URLs that clients communicate with when sending NAP SOH requests.
    To see the below list on a client, run the below command line in an elevated command prompt on a Vista system:
    C:\> netsh nap client show group

    Names have been changed to protect the innocent…


    Trusted server group configuration:
    ----------------------------------------------------
    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 1
    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 2
    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer3.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 3
    Group            = MSIT
    Require Https    = Enabled
    URL              = https://NPSServer4.widget.contoso.com/domainHRA/hcsrvext.dll
    Processing order = 4


    The System Health Validator can be installed on a Windows Server 2008 running the Network Policy Server (NPS) service that is joined to any domain or forest, including one other than the domain the Site server is joined to. Where the NPS server is joined to a different forest than the Site server, by default the NPS server will query for the client health state reference in the forest the NPS server is joined to.
    This means that if you have a Site server joined to forest A, one NPS server joined to forest A, and another NPS server joined to forest B, each NPS/SHV server will query and validate clients' health state from the domain that NPS server is joined to. The picture below shows this.

    [Diagram: Site server in forest A, NPS/SHV servers in forests A and B]

    This can cause your Windows NAP infrastructure to validate only a subset of your clients; it will only validate the compliance of clients that are in the same forest as the NPS/SHV server. Previously I mentioned modifying SHV properties for the System Health Validator Point Component from the Component Configuration node under Site Settings. On the Health State Reference tab, you have the option to specify a domain suffix where you want the SHV/NPS servers to query for the client health state reference. When this option is set to a specific Active Directory forest FQDN, for example corp.contoso.com, all SHVs installed from the Site publish to the same forest root domain.
    This provides centralized management of all SHVs and their settings, and you will want all your SHVs configured with the same settings and configuration. Clients hit the first SHV/NPS server in the list when sending SOH requests (SOH = Statement of Health) and are validated by it; they fail over to the next SHV/NPS in the list when the first NPS server hits its maximum connections, and you will want the next SHV/NPS to validate clients with the same validation settings and configuration.
    If you set up a SHV at each Site in a hierarchy, you will actually be duplicating administrative work that is not required: you will have to go to each Site and configure the properties for the System Health Validator Point Component from the Component Configuration node under Site Settings.
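    An added example, not from the original post, that checks a client's Trusted Server Group the way the failover behaviour above uses it: it parses the output of "netsh nap client show group" into one object per server and reports any entry where Require Https is not Enabled, the URL is not https://, the processing order is not contiguous from 1, or more than the 4 servers mentioned above are listed. The sample text is the post's own (already anonymised) output, embedded so the check runs without a NAP client; the commented line shows how to feed it live output. Function names are mine.

```powershell
# Added example, not code from the original post.

function ConvertFrom-NapTrustedServerGroup {
    # Turns the "Key = Value" lines of "netsh nap client show group" into objects,
    # one per server; every "Group =" line starts a new entry.
    param([string[]]$Text)
    $entries = @(); $cur = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*(Group|Require Https|URL|Processing order)\s*=\s*(.+?)\s*$') {
            $key, $val = $Matches[1], $Matches[2]
            if ($key -eq 'Group') {
                if ($cur) { $entries += $cur }
                $cur = New-Object PSObject -Property @{ Group = $val; RequireHttps = $null; URL = $null; Order = $null }
            }
            elseif ($key -eq 'Requireష Https')    { }   # placeholder never matched; kept out of the regex
            elseif ($key -eq 'Require Https')     { $cur.RequireHttps = ($val -eq 'Enabled') }
            elseif ($key -eq 'URL')               { $cur.URL = $val }
            elseif ($key -eq 'Processing order')  { $cur.Order = [int]$val }
        }
    }
    if ($cur) { $entries += $cur }
    $entries | Sort-Object Order
}

function Test-NapTrustedServerGroup {
    # Returns a list of problems; an empty result means the group is consistent.
    param([object[]]$Entries)
    $problems = @()
    if ($Entries.Count -gt 4) { $problems += "More than 4 servers configured ($($Entries.Count))" }
    $expected = 1
    foreach ($e in $Entries) {
        if (-not $e.RequireHttps)          { $problems += "$($e.URL): Require Https is not Enabled" }
        if ($e.URL -notmatch '^https://')  { $problems += "$($e.URL): not an https:// URL" }
        if ($e.Order -ne $expected)        { $problems += "$($e.URL): processing order $($e.Order), expected $expected" }
        $expected++
    }
    $problems
}

# Live check on a Vista/Server 2008 NAP client (elevated):  $raw = netsh nap client show group
# Constructed sample, taken from the post's output above:
$raw = @'
Trusted server group configuration:
----------------------------------------------------
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer1.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 1
Group            = MSIT
Require Https    = Enabled
URL              = https://NPSServer2.widget.contoso.com/domainHRA/hcsrvext.dll
Processing order = 2
'@ -split "`r?`n"

$entries  = ConvertFrom-NapTrustedServerGroup -Text $raw
$problems = Test-NapTrustedServerGroup -Entries $entries
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Trusted server group looks consistent: $($entries.Count) server(s), clients try $($entries[0].URL) first" }
```

    Because clients always start with processing order 1 and only fail over when that server is saturated, the first entry is the one to watch; a gap in the order or an http:// entry anywhere in the list is a configuration drift worth catching before it reaches clients through Group Policy.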

     

  • Download R2 Beta for ConfigMgr 2007


    If you have access to Microsoft Connect, get R2 for System Center Configuration Manager 2007 SP1. It's out, and you can get a hands-on preview of some of the features R2 will bring. Download it now from Microsoft Connect.

  • The Official System Center Configuration Manager Home Page


    Somehow I stumbled on a web page I had never seen before, which is cool: the official home page for System Center Configuration Manager. As you'll notice on the front page, it does not say 2007, most likely because the site is not dedicated to that specific version. It looks to me that it's focused on system management in general. I believe that as the demand around desktop management grows, there will always be a need for a product to manage desktops remotely and in a unified way. Check out the official home page for System Center Configuration Manager.

  • How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management – the real story…

    I see links all over about this new piece of documentation released.  But, there’s a really good story here that I think a lot of us are missing.  This is a great story about how Microsoft listens and reacts to community feedback – at least the documentation team for System Center Configuration Manager does.

    As a community, we’ve worked with this team for a long, long while.  The lines of communication have always been two-way and the partnership has always been fruitful and valuable.

    For example…here’s the actual announcement from Carol Bailey about the new docs to Ed and Mike at 1E…posted by Ed to the SMS list today…

    Read more here: --> http://myitforum.com/cs2/blogs/rtrent/archive/2008/07/03/how-to-configure-isa-ssl-bridging-for-system-center-configuration-manager-internet-based-client-management-the-real-story.aspx

  • Microsoft migrates MSDN and TechNet on Hyper-V virtual machines

    Friday, May 23, 2008


    For a prospective customer there's nothing better than a real-world implementation to realize the potential of a certain technology. And this is very true in an almost unexplored technology like virtualization.

    Microsoft, which eats its own dog food since the Virtual Server 2005 era, just announced the complete migration of both MSDN and TechNet, two of the most popular web sites in the world, on virtual machines.

    Microsoft kept the back-end database on physical boxes, but moved 100% of its IIS7 front-ends to Hyper-V RC0 VMs with 4 virtual CPUs and 10GB RAM.
    The virtualization hosts (no mention of the brand obviously) are powered by 2 Intel quad-core CPUs and 32GB RAM (2GB are reserved for the Windows Server 2008 parent partition).

    Follow the link below to learn more.
    http://www.virtualization.info/2008/05/microsoft-migrates-msdn-and-technet-on.html 


  • How to Add domain accounts to Local Administrators Group using GPO

    There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups in the right way so I wanted to post a how-to for people to read.

    Finding Restricted Groups is easy but it only works in a domain with Active Directory so trying to find it within your local GPO on your computer isn’t possible.
    [Screenshot 1: Restricted Groups in the Group Policy editor]

    At first you right click on Restricted Groups and select “Add Group”.
    What you get is the default window to choose a group, either from your domain or maybe from your local computer depending on what configuration you want.
    [Screenshot 2: Add Group dialog]

    Now you have two different choices of what to do with the group you selected: either "Members of this group" or "This group is a member of". The differences between these choices are big, so I'll explain them in two steps.

    Members of this group

    This is the choice you make when you want to add users to a group. What you select here is what you will see on your computers affected by this policy. So if you for example want to add a user to the local admin group on the computers then don’t forget to add administrator also or the administrator account will be removed from the local administrators group on the computers.

    An example is this picture, where you have both the local Administrator account and also the built-in Authenticated Users group.
    [Screenshot 3: Members of this group]

    This group is a member of

    This choice you can use if you want to add your selected group into another group. So what you can tell is that this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if you in first choice selected “Authenticated Users” and with this option select that it will be added to the “Administrators group” any other user you might have added to the group (manually perhaps) won’t be overwritten by this choice.

    So this example which you can see in this picture will add the “Power Users group” into the “Administrators group”.
    [Screenshot 4: This group is a member of]

    To summarize, it's fairly easy to use Restricted Groups; it's also the easiest way to add/remove users in groups, and you can control it in a much better way than you ever can by doing it manually. If you are doing this manually today, it's time to stop and use the right way instead.
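    An added example, not from the original post, for checking the result of a "Members of this group" setting after the policy has applied: it reads the local Administrators group through the WinNT ADSI provider (which works on Windows XP/Server 2003 and later) and diffs it against the members the GPO is supposed to enforce. Anything reported as missing was removed by the policy, which is exactly what happens when the built-in Administrator is left out of the list; anything reported as extra was added outside the policy. The expected list is constructed for illustration and the function names are mine.

```powershell
# Added example, not code from the original post.

function Get-LocalAdministrators {
    # Returns members of the local Administrators group as DOMAIN\Name or COMPUTER\Name.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; its ADsPath looks like WinNT://CONTOSO/Domain Admins
        # or WinNT://WORKGROUP/PC01/Administrator, so keep the last two path segments.
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[0] }
    }
}

function Compare-RestrictedGroup {
    # Case-insensitive diff between what the GPO defines and what the machine has.
    param([string[]]$Expected, [string[]]$Actual)
    $exp = @($Expected | ForEach-Object { $_.ToLowerInvariant() })
    $act = @($Actual   | ForEach-Object { $_.ToLowerInvariant() })
    New-Object PSObject -Property @{
        Missing = @($exp | Where-Object { $act -notcontains $_ })   # removed by the policy
        Extra   = @($act | Where-Object { $exp -notcontains $_ })   # added outside the policy
    }
}

# Constructed expectation: the "Members of this group" list from the screenshot above,
# local Administrator plus the built-in Authenticated Users group.
$expected = @("$env:COMPUTERNAME\Administrator", 'NT AUTHORITY\Authenticated Users')
$actual   = Get-LocalAdministrators
$diff     = Compare-RestrictedGroup -Expected $expected -Actual $actual

if ($diff.Missing) { Write-Warning "Not present on $env:COMPUTERNAME : $($diff.Missing -join ', ')" }
if ($diff.Extra)   { Write-Warning "Present but not in the policy: $($diff.Extra -join ', ')" }
if (-not $diff.Missing -and -not $diff.Extra) { "Local Administrators on $env:COMPUTERNAME matches the policy." }
```

    Run it on a few machines after the next Group Policy refresh; if Administrator shows up under Missing, the "Members of this group" list in the GPO is the place to fix it, not the local group.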

  • Inside Microsoft's $550 Million Mega Data Centers

    Though the building alone covers a whopping 11 acres, you can't even see Microsoft (NSDQ: MSFT)'s new $550 million data center in the hills west of San Antonio until you're practically on top of it. But by that point, you can hardly see anything else.


    Read more here.

  • Microsoft touts Longhorn security

    The company says that a better firewall, IPv6 support, better onboard encryption, and network access protection make Windows Server 2008's security a primary selling point.

    Microsoft is pushing the improved security of its Windows Server 2008 software package as one of the primary reasons why business customers should upgrade to the long-awaited product refresh as quickly as possible.

    In addition to being fully designed under Microsoft's SDLC (security development lifecycle) initiative -- a program already credited with allowing Microsoft to ship its products with far fewer vulnerabilities than previous iterations -- Server 2008 has new features that should help customers address a range of important security issues, according to company officials.

    Microsoft representatives claim that beefed-up firewall technology, support for the emerging IPv6 Internet protocol, improved onboard encryption and further integration with its Active Directory registry system, among other additions, represent a significant step forward for the release formerly known as Longhorn in terms of its overall security standing.

    The company has also finally delivered its NAP (network access protection) technology -- Microsoft's flavor of the access control tools identified more widely under the banner of NAC (network access control) -- that many security industry watchers have cited as a potential accelerant for device and user network authentication efforts.

    Company officials said that the software maker was specifically set on defending the updated infrastructure technology against malware attacks while boosting ID and access control, adding encryption and document protection features, and enhancing the system's reporting and audit functions to handle compliance-related tasks.

    Read more here.

  • Microsoft Unveils OS For Portable Navigation Devices

    Microsoft (NSDQ: MSFT) on Monday introduced its first operating system designed for manufacturers of handheld portable navigation devices.

    Windows Embedded NavReady 2009, which is based on Windows Embedded CE, includes technologies for connecting PNDs to online services, mobile phones using Bluetooth, and Windows-based PCs. The OS includes online search through Microsoft's Live Search and also includes the software maker's Live Search Map service.

    Read More here.

  • Using System Center Configuration Manager 2007 to Extend Network Health


    New customer/partner-ready content from Microsoft IT

    Microsoft IT Showcase is pleased to announce the publication of Using Configuration Manager 2007 to Extend Software Update Compliance Across Networks, which discusses how Microsoft IT uses Microsoft® System Center Configuration Manager 2007 and Windows Server® 2008 Network Access Protection (NAP) to enforce software update compliance for client computers in the corporate network. Many thanks to Richard Dixon and Michael Kelley for their expertise, knowledge, and dedication in developing this comprehensive technical case study and webcast.

    Using System Center Configuration Manager 2007 to Extend Network Health
    Technical Case Study added: 06/06/08
    Microsoft IT uses Microsoft System Center Configuration Manager 2007 and Windows Server 2008 Network Access Protection to enforce software update compliance for client computers in the corporate network. Configuration Manager ensures that computers connecting to the network meet the Microsoft IT software update policy requirements for system health.
    Technical Case Study | TDM Webcast | WMA | MP3 | TechNet Radio

    To learn more about how Microsoft does IT, please visit us!

    External:  www.microsoft.com/technet/itshowcase
    Internal:  http://itshowcase

  • WSUS Offline Scan Catalog Fails to Sync on ConfigMgr 2007

    Problems with SMS 2003 updates and Configuration Manager 2007.

    The WSUS Offline Scan Catalog (wsusscn2.cab) fails to synchronize on a Configuration Manager 2007 or Configuration Manager 2007 SP1 site server using the Inventory Tool for Microsoft Updates (ITMU).  This prevents security update deployments to SMS 2003 clients.   This is a result of an issue with updated content published for the Office 2003 Service Pack 1 update.

    The issue can be identified in the Wsyncmgr.log on the ConfigMgr 2007 site server running the Software Update Point role.

    The log entries below are from the Wsyncmgr.log file:

    Performing legacy sync
    STATMSG: ID=6709 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" …
    Started with command line: C:\Program Files\Microsoft Configuration Manager\bin\i386\updatewuscatalog.exe …
    Processing security catalog C:\Program Files\Microsoft Updates Inventory Tool\PkgSource\wsusscn2.cab ...
    Initializing catalog C:\Program Files\Microsoft Updates Inventory Tool\PkgSource\wsusscn2.cab for synchronization.
    Pre-processing updates...
    Error 0x80004005, Unexpected DeploymentAction for update 1293995. Returned from CreateUpdateNode
    Updates summary: 0 processed, 0 matched, 0 outdated, 0 updated

    Microsoft is working on resolving this with the highest priority.

    For more information.
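    As an added example (not part of the original post), the following PowerShell function scans Wsyncmgr.log lines for the failure signature above and reports the update id that tripped CreateUpdateNode. The function name and the sample lines (built from the entries above) are constructed, and the log path in the live call is an assumption based on the install directory shown in the log.

```powershell
function Test-LegacySyncFailure {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    $failures  = @()
    $processed = $null
    $legacy    = $false
    foreach ($line in $LogLines) {
        # Wsyncmgr.log is CMTrace-formatted; strip the <![LOG[...]LOG]!> wrapper if present
        $text = $line -replace '^<!\[LOG\[', '' -replace '\]LOG\]!>.*$', ''
        if ($text -match '^Performing legacy sync') { $legacy = $true }
        elseif ($text -match 'Error (0x[0-9A-Fa-f]{8}), Unexpected DeploymentAction for update (\d+)') {
            $failures += [pscustomobject]@{ ErrorCode = $Matches[1]; UpdateId = [int]$Matches[2]; Message = $text }
        }
        elseif ($text -match 'Updates summary: (\d+) processed') { $processed = [int]$Matches[1] }
    }
    [pscustomobject]@{
        LegacySyncAttempted = $legacy
        Failures            = $failures
        UpdatesProcessed    = $processed
        # A legacy (ITMU) sync that errors, or that ran but processed nothing, means the
        # offline catalog did not sync and SMS 2003 clients will get no new deployments.
        SyncFailed          = ($failures.Count -gt 0 -or ($legacy -and $processed -eq 0))
    }
}

# Constructed sample built from the log entries in the post; the last line is the
# same entry in its raw CMTrace form to show the wrapper being stripped.
$sample = @(
    'Performing legacy sync',
    'Processing security catalog C:\Program Files\Microsoft Updates Inventory Tool\PkgSource\wsusscn2.cab ...',
    'Pre-processing updates...',
    'Error 0x80004005, Unexpected DeploymentAction for update 1293995. Returned from CreateUpdateNode',
    '<![LOG[Updates summary: 0 processed, 0 matched, 0 outdated, 0 updated]LOG]!><time="10:00:00.000" date="06-06-2008" component="SMS_WSUS_SYNC_MANAGER">'
)
Test-LegacySyncFailure -LogLines $sample

# Live check on the site server (assumed default log location under the install directory):
$logPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log'
if (Test-Path $logPath) { Test-LegacySyncFailure -LogLines (Get-Content $logPath) }
```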

  • GPMC for Windows Vista SP1

    Microsoft came through for IT administrators.

    They recently released RSAT (Remote Server Administration Tools) for Windows Vista SP1.

    RSAT adds GPMC back into Windows Vista SP1 along with DHCP and DNS! (Woo Hoo!)

  • Details for obtaining 100% ConfigMgr Client Installation & Reach

    Requirements:

    • Windows Server Update Service (WSUS)
    • Configuration Manager Site with Software Update enabled
    • Organizational Unit or Security Group
    • 2 Configuration Manager ADM Templates
    • Active Directory Group Policy Object
    1. Windows Server Update Service (WSUS)
      1. Install the WSUS service on a Windows 2003 SP2 server
      2. Do not configure the WSUS service with the WSUS console at the completion of the WSUS installation.
    2. Configuration Manager Site with Software Update enabled
      1. Start your ConfigMgr installation or push a Software Update Point Role on to the WSUS server.
    3. Organizational Unit (OU) or Security Group (SG)
      1. Identify an OU or Security Group that will contain all systems expected to be managed by your ConfigMgr site.
      2. Note: there can be only one OU or SG designated per ConfigMgr site. You cannot have one OU or SG provisioning clients for multiple site codes.
    4. 2 Configuration Manager ADM Templates
      1. Obtain the ADM templates that come on the Configuration Manager 2007 CD, located at \TOOLS\ConfigMgrADMTemplates on the CD.
      2. One ADM template is named "ConfigMgr2007Assignment.adm" and the other is named "ConfigMgr2007Installation.adm".
      3. The ADM template named "ConfigMgr2007Assignment.adm" is used to place the ConfigMgr site assignment settings in the client's registry.
        1. Those settings are shown below:
          1. The "ConfigMgr2007Assignment.adm" template sets the following settings in the registry under: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
            • GPRequestedSiteAssignmentCode = <your site code>
            • GPSiteAssignmentRetryDuration(Hour) = <Retry Duration (hours)>
            • GPSiteAssignmentRetryInterval(Min) = <Retry Interval>
            • The image below shows the settings for the ConfigMgr2007Assignment.adm template after it is imported into the GPO.
            • Description and uses of the above settings:
            • "GPRequestedSiteAssignmentCode" is the site code your client should be, and will be, assigned to. If the client is reassigned by any other method to a site code other than the one specified in the GPO, these GPO settings automatically reassign the client back to the site code you defined in the GPO.
            • "GPSiteAssignmentRetryDuration(Hour)" is the number of hours the client will keep attempting to reassign itself until it succeeds or is reassigned to the site code specified in the GPO.
            • "GPSiteAssignmentRetryInterval(Min)" is the interval at which the GPO policy wakes up and checks whether the client is assigned to the site code specified in the GPO.
          2. The "ConfigMgr2007Installation.adm" template sets the following setting in the registry under:
          3. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup, in a value named SetupParameters.
          4. The value is a string of the ccmsetup parameters, such as the one below, which the client uses when the installation starts:
            • /MP:msserver SMSSLP=smsslp.domain.com SMSSITECODE=XR2 FSP=smsfsp.domain.com CCMLOGMAXSIZE=100000 CCMENABLELOGGING=TRUE CCMLOGLEVEL=0 DISABLESITEOPT=TRUE DISABLECACHEOPT=TRUE CCMLOGMAXHISTORY=5 SMSCACHESIZE=9000
          5. NOTE: When a client installation starts, ccmsetup.exe first looks on the command line for its parameters. If it finds none there, it looks in the registry; if none are found in the registry either, it uses Active Directory and assigns the client based on ConfigMgr site boundaries.
          6. The image below shows the settings for the ConfigMgr2007Installation.adm template after it is imported into the GPO.
          7. This type of client assignment forces the clients to remain assigned to the site of choice.
      4. Import these ADM templates into a Group Policy Object targeting the OU or SG containing the clients to be managed.
      5. An additional setting you must add to this GPO is the Windows Update URL the clients will use to scan for required updates.
      6. This setting can be found with the local Group Policy editor or the Group Policy Management Console at the path below.
        1. Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update
        2. The image below shows the GPO setting that specifies the WSUS/SUP server clients use to scan for updates.
    5. A gotcha: watch out! The settings these ADM templates place in the client's registry cannot be undone by removing the GPO from the OU or SG.
    6. If you ever want to reassign clients that were previously assigned and provisioned by these "Client Management GPOs" (my name for this solution), you must either remove the settings by hand or by script, or move the computer object into another OU or SG where different Client Management GPOs apply these settings for another ConfigMgr site.
    7. These settings do not go away when the GPO is removed because the ADM templates write them outside the Policies hive of the registry, and settings outside the Policies hive cannot be removed by a GPO, only changed or modified.
    8. Active Directory Group Policy Object (GPO)
      1. Apply a Group Policy Object targeting the OU or SG whose membership is all the systems you want assigned to a specific site.
    9. Remember: one Client Management GPO per site.
    10. Once the above settings are configured, publish the ConfigMgr client to WSUS.
    11. To publish the ConfigMgr client to WSUS, in the ConfigMgr console navigate to the Site Management node, then the Site Settings node, then the Client Installation Methods node; right-click Software Update Point Client Installation and click Properties.
    12. At this point simply enable the option "Enable Software Update Point Client Installation".
    13. Also, ensure that no other AD policies in your environment configure the WSUS URL. If a client also receives the WSUS URL from another GPO, the conflicting Group Policy settings will cause its ConfigMgr update scan to fail; to ConfigMgr the client will appear broken and not communicating with the site/MP.

    Disclaimer: P.S. When I say 100% I am, of course, referring to compatible online computers in the targeted OU.

  • Where is documentation on using WSUS/SUP Software Update client installation?

    You can find documentation on this here: --> How to Install Configuration Manager Clients Using Software Update Point Based Installation

    Let me know if you have any questions; I'll help you along in getting this set up.

  • SCCM is not the Official Acronym for Configuration Manager 2007

    “SCCM” is not the official acronym for System Center Configuration Manager 2007. "ConfigMgr" is. “SCCM” is not owned as a trademark by Microsoft and therefore we really cannot use it. But I have noticed that many people have picked up on it and continue to use it. Even me, for instance: my main blog site is named SCCMNAP.Com.

     

    I added the acronyms for each of the Microsoft System Center products I found.

    -----------------------------------------------------------------------------------------------------

    • Microsoft Operations Manager—MOM
    • Microsoft System Center Capacity Planner—SCCP
    • Microsoft System Center Configuration Manager—ConfigMgr
    • Microsoft System Center Data Protection Manager—SCDPM
    • Microsoft System Center Essentials—SCE
    • Microsoft System Center Operations Manager—OpsMgr
    • Microsoft System Center Reporting Manager—SCRM
    • Microsoft System Center Virtual Machine Manager—SCVMM
    • Microsoft Systems Management Server—SMS

  • How can I force clients to use a different WUA Server?

    I found a question that popped up a few times on discussions blogs:

    Question:
    I incorrectly configured the SUP on one of my remote sites and so all these clients are looking at the parent site for Software Updates. I've checked the WUAHandler.log and have seen the settings there. Now that I've got things correctly configured, I'm wondering how I can 'force' the clients to re-home to their local SUP instead. Do I need to reinstall the clients to apply the SCCM local policies for this?

    Answer:
    No, you do not need to reinstall the clients. If clients can connect to their assigned MP, they will automatically pick up the new WSUS URL and use it. The default ConfigMgr site policy interval is one hour, so after about an hour your clients should re-home and use the new WSUS URL.

  • How to obtain 100 % ConfigMgr Client Installation

    Question:
    Is there any possibility, or third-party tool, that will make sure that 100% of the computers on which I want the client installed have the SCCM client installed... and if they don't, is there any way to initiate installation and be 100% sure that the SCCM client is installed?

    Answer:
    To ensure that all systems targeted for the ConfigMgr client installation actually get it, the best client deployment method I have used here at Microsoft is an AD GPO that applies three settings:

    1. The ccmsetup parameters are placed in the registry.
    2. The WSUS URL is placed in the registry.
    3. The ADM Client Assignment template is applied.

    Enable WSUS/SUP client installation, and in the GPO add the WSUS URL for your SUP site role. As clients join the domain or connect to the network, the Windows Update Agent scans against your WSUS server, the ConfigMgr client is detected as not installed, and WSUS installs it, treating the client as if it were a critical update.

    The installation will start about 2 to 3 minutes after the client is detected as not installed. This method will also upgrade a client that is lower than the version published in WSUS. If a client is already installed with the right version, it will be reassigned to your site if not already assigned. Also, as part of this GPO you will want to add the ADM Client Assignment template, which comes with ConfigMgr 2007. This template keeps clients assigned to the site of choice.

    Two things will happen automatically for you. If the client is uninstalled for any reason, WSUS will reinstall it on the next WSUS scan. If the client is reassigned to another site, the ADM template will automatically reassign it back to the originating site code immediately.

    Let me know if you need help setting this up. It's the best client deployment method I can recommend, and it works great. Client upgrades are made simple as well: all an admin has to do is publish the latest client to WSUS, and client upgrades happen automatically on the next Windows Update scan.
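    To check that a client actually received all three pieces of the Client Management GPO described in this answer and in the "Details for obtaining 100% ConfigMgr Client Installation & Reach" post above, here is an added PowerShell audit (not the posts' own script). It reads the registry values those posts name, verifies that the SMSSITECODE in SetupParameters agrees with GPRequestedSiteAssignmentCode, reads the WSUS URL from the standard Windows Update policy value WUServer, and can optionally clear the assignment values that unlinking the GPO leaves behind. The function name and the placeholder WSUS URL in the example call are assumptions; run it elevated on a client.

```powershell
function Get-ClientManagementGpoState {
    param(
        [Parameter(Mandatory)] [string] $ExpectedSiteCode,
        [string] $ExpectedWsusUrl,
        [switch] $ClearSiteAssignment
    )
    # Written by ConfigMgr2007Assignment.adm; NOT under \Policies, so it survives GPO removal
    $assignKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client'
    # Written by ConfigMgr2007Installation.adm (SetupParameters value)
    $setupKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\ccmsetup'
    # Standard Windows Update policy key; WUServer holds the intranet update service URL
    $wuKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $assign = Get-ItemProperty -Path $assignKey -ErrorAction SilentlyContinue
    $setup  = Get-ItemProperty -Path $setupKey  -ErrorAction SilentlyContinue
    $wu     = Get-ItemProperty -Path $wuKey     -ErrorAction SilentlyContinue

    $gpoSite   = [string]$assign.GPRequestedSiteAssignmentCode
    $params    = [string]$setup.SetupParameters
    # Pull SMSSITECODE=XXX out of the ccmsetup parameter string
    $setupSite = if ($params -match '(?i)\bSMSSITECODE=(\S+)') { $Matches[1] } else { '' }
    $wuServer  = [string]$wu.WUServer

    $issues = @()
    if (-not $gpoSite) { $issues += 'GPRequestedSiteAssignmentCode missing: assignment template not applied' }
    elseif ($gpoSite -ne $ExpectedSiteCode) { $issues += "Assignment code '$gpoSite' is not the expected '$ExpectedSiteCode'" }
    if (-not $params) { $issues += 'SetupParameters missing: installation template not applied' }
    elseif ($setupSite -and $setupSite -ne $gpoSite) { $issues += "SMSSITECODE '$setupSite' disagrees with assignment code '$gpoSite'" }
    if (-not $wuServer) { $issues += 'WUServer missing: client will not scan the SUP, so WSUS cannot install the client' }
    elseif ($ExpectedWsusUrl -and $wuServer -ne $ExpectedWsusUrl) { $issues += "WUServer '$wuServer' is not the expected '$ExpectedWsusUrl'" }

    if ($ClearSiteAssignment -and $assign) {
        # The gotcha from the post: these values live outside \Policies, so unlinking
        # the GPO leaves them behind. Delete them explicitly before re-homing the client.
        $names = @('GPRequestedSiteAssignmentCode',
                   'GPSiteAssignmentRetryDuration(Hour)',
                   'GPSiteAssignmentRetryInterval(Min)')
        foreach ($name in $names) {
            Remove-ItemProperty -Path $assignKey -Name $name -ErrorAction SilentlyContinue
        }
    }

    [pscustomobject]@{
        AssignmentSiteCode = $gpoSite
        RetryDurationHours = $assign.'GPSiteAssignmentRetryDuration(Hour)'
        RetryIntervalMin   = $assign.'GPSiteAssignmentRetryInterval(Min)'
        SetupSiteCode      = $setupSite
        WsusServer         = $wuServer
        Issues             = $issues
        Compliant          = ($issues.Count -eq 0)
    }
}

# Example call: site code XR2 is from the post; the WSUS URL is a placeholder.
Get-ClientManagementGpoState -ExpectedSiteCode 'XR2' -ExpectedWsusUrl 'http://wsus.example.com'
```

    Add -ClearSiteAssignment only when deliberately moving a client to another site; the Policies-hive values are left to the new GPO to overwrite.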

Copyright - www.myITforum.com, Inc. - 2007 All Rights reserved.