Install Software Updates hang on Downloading update
by Mats Hellman on 14.Dec, 2011 under ConfigMgr, Windows 7
Today I ran into an issue where the Build and Capture hung on "Downloading update 1". Some googling led to a known issue in ConfigMgr 2007 SP2, and there is a patch to solve the issue.
http://support.microsoft.com/kb/2509007
Once I installed the patch, software updates were downloaded and installed to the capture computer. This issue seems to affect only Windows 7 captures, and only with software update packages containing more than 80 patches.
SCCM 2007 management point fails to install
by Mats Hellman on 27.Jul, 2011 under ConfigMgr, Systems Center, Windows
The first time I ran into this problem was in my new virtual test environment. The management point failed to install and MPSetup.log was reporting that the WebDAV settings were not correct. Looking at them in IIS Manager everything looked just like it should; everything was set up according to the prerequisite document on TechNet.
I had to find the problem somewhere else, and I did. Apparently the settings in the GUI didn’t get written to Webdav_schema.xml, and someone was kind enough to document how to change them, so here is the link for future reference.
Setting up Windows Server DHCP for SCCM2007
by Mats Hellman on 27.Jul, 2011 under ConfigMgr, Systems Center, Windows, Windows Deployment
Every now and then I get the question about setting up your DHCP server for SCCM when the DHCP server doesn’t reside on the same host as the SCCM/WDS server.
So to get this working you need to set option 66 and option 67 in your DHCP server.
The options should be set as follows:
Option 66 (boot server host name): IP of your server, e.g. 10.0.0.1
Option 67 (bootfile name): SMSBoot\boot.sdi
There are many guides out there on this topic, but most don’t need or want to understand the inner workings of DHCP, they just want the filenames. So there you go.
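The same two options set from PowerShell, as an added example that is not part of the original post. It assumes the DhcpServer module (Windows Server 2012 or later) on the DHCP server, a scope 10.0.0.0 and a PXE server at 10.0.0.1; the scope and the address are constructed values, the boot file name is the one given above.

```powershell
# Added example (not from the original post): set DHCP options 66 and 67 on a
# Windows DHCP server that is not the SCCM/WDS host. Assumptions: the DhcpServer
# module (Windows Server 2012 or later), a scope 10.0.0.0 and a PXE server at
# 10.0.0.1; scope and address are constructed values.
$ScopeId     = '10.0.0.0'
$PxeServerIp = '10.0.0.1'
$BootFile    = 'SMSBoot\boot.sdi'   # boot file name as given in the post

# Option 66 = boot server host name, option 67 = boot file name.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value $PxeServerIp
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 67 -Value $BootFile

# Read both back: a typo here only shows up later as a PXE boot that hangs.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66, 67 |
    Format-Table OptionId, Name, Value -AutoSize

# Equivalent on Windows Server 2008 R2, which has no DhcpServer module:
#   netsh dhcp server scope 10.0.0.0 set optionvalue 066 STRING 10.0.0.1
#   netsh dhcp server scope 10.0.0.0 set optionvalue 067 STRING "SMSBoot\boot.sdi"
```

Keep in mind that an option 67 value applies to every PXE client in that scope, so all client architectures are handed the same boot file.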
Microsoft Techdays 2011–Finland
by Mats Hellman on 03.Apr, 2011 under Windows, Windows 7
I attended Techdays here in Finland 31 March and 1 April. This was a great event so I’m going to post a big thank you here to the people behind this event. The only thing I had trouble with was prioritizing which sessions to attend. There were just so many great speakers.
Things that really stuck were the session on Microsoft Intune by Salcom Group, the 7 ways to break into Windows 7 by Sami Laiho from Sovelto and Petri Paavola from Aalto Yliopisto, and a really special session by Sami Laiho talking about WIOSKI.
Microsoft Intune
This is going to be big for small companies. Remember I said this. Not because I'm really into cloud computing yet, but because any small to mid-size company can easily get a management system for their computers.
Reporting is a big part of today's security, so getting reports on how many of your computers are patched is actually a big deal.
But the thing that I liked most about Intune was the fact that the license includes a copy of Windows 7 Enterprise, and when a new Windows version comes along you have the privilege to upgrade. This will effectively give small size businesses a chance to get BitLocker in use. And from a security perspective that’s a big deal.
One of the really great things is that since the whole system operates from the cloud the systems administrator can work from anywhere.
The remote assist feature is also a part of Intune, but my personal opinion is that you'd be better off with something like TeamViewer.
Intune also includes Microsoft's Forefront Endpoint Protection, so technically you could ditch your current antivirus. I haven't tried FEP, but many who have say it can actually protect your computer from the malware and viruses you throw at it.
The pricing also looks quite affordable; at 11€ / workstation / month it's really not that bad. You get a great system and you can ditch some costs, like antivirus licenses, and you'll cut the management costs since you don't have to keep your own servers. And that is a cost saver for SMBs, since they are rarely able to keep them up to date and secured properly anyway.
You can find information about Intune here http://www.microsoft.com/windows/windowsintune/pc-management.aspx
7 ways to break into Windows 7
This was a really interesting seminar, thanks to Sami Laiho and Petri Paavola for this one, these guys really know how to take an audience.
The ways they break in aren't in any way new; most of us know that if the system's physical security is compromised in any way, you can't trust the system anymore.
The interesting part is that with simple disk encryption, like Bitlocker, most of the hacks can be stopped.
The hacks they did were simply to replace the Sticky Keys binary (sethc.exe) or DisplaySwitch.exe with cmd.exe. This way, when Windows boots, just press Windows+P or Shift five times to get a command prompt running with SYSTEM privileges. After that, just use net.exe to add your administrative user and the computer is yours.
This could, as I said, be prevented with BitLocker because you can't get to the encrypted drive and modify it from WinPE or a Linux LiveCD.
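A check for the swap described above, as an added example that is not from the talk or the post: it compares the two accessibility binaries the talk names against cmd.exe and against their own version resource. It assumes it is run on the Windows 7 machine being checked, with PowerShell 2.0 or later, and it uses .NET hashing because Get-FileHash does not exist on PowerShell 2.0.

```powershell
# Added example (not from the talk or the post): check whether the binaries the
# talk swaps for cmd.exe are still the real ones. Assumes it runs on the
# Windows 7 machine being checked, PowerShell 2.0 or later.
$System32 = Join-Path $env:windir 'System32'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works on the PowerShell 2.0 that ships with Windows 7
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

$cmdHash = Get-Sha256Hex (Join-Path $System32 'cmd.exe')

foreach ($name in 'sethc.exe', 'DisplaySwitch.exe') {
    $path = Join-Path $System32 $name
    $hash = Get-Sha256Hex $path
    # A copied cmd.exe keeps cmd.exe's version resource, whatever it is renamed to.
    $original = (Get-Item $path).VersionInfo.OriginalFilename
    $status = 'OK'
    if ($hash -eq $cmdHash) {
        $status = 'REPLACED: byte-identical to cmd.exe'
    } elseif ($original -and ($original -ne $name)) {
        $status = "SUSPECT: version resource says $original"
    }
    New-Object PSObject -Property @{ File = $name; Status = $status; SHA256 = $hash }
}
```

A SUSPECT result means "look at this file", not "this is malicious"; to be sure, compare the hash with the copy on your install media or in WinSxS. The check only covers the two files the talk mentions, so extend the list if you want the other accessibility tools covered.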
Even if BitLocker is enabled there are ways in if you don't use a pre-boot PIN. And since central management for the PIN isn't available yet, many haven't applied it. This hack used a Linux distribution to access the computer by writing directly to memory through the FireWire port. The scary thing is that this isn't something that's only available on Windows-based PCs. Any computer that has a FireWire port activated can be hacked using the same tools.
In Windows, administrators can use Group Policy to force FireWire drivers never to install, but I'm not sure how to get this done in any other environment.
And if you think you're safe because you don't have a FireWire port, think again. There are PCMCIA cards supplying this port and any modern operating system will, without question, install the drivers unless it's denied to do so.
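The Group Policy mentioned above, written to its registry-backed policy keys so it can be scripted, as an added example that is not part of the original post. The post does not name the policy or the device ID; the ones used here are Microsoft's "Device Installation Restrictions" policy and the PCI class code for IEEE 1394 (OHCI) host controllers, PCI\CC_0C0010, which I am supplying.

```powershell
# Added example (not from the original post): deny driver installation for
# IEEE 1394 host controllers through the Device Installation Restrictions policy.
# Assumption: PCI\CC_0C0010 is the PCI class code of 1394 OHCI controllers
# (Microsoft's value, not the post's). Run as Administrator.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Ids    = Join-Path $Policy 'DenyDeviceIDs'
New-Item -Path $Ids -Force | Out-Null

# "Prevent installation of devices that match any of these device IDs"
Set-ItemProperty -Path $Policy -Name DenyDeviceIDs -Type DWord -Value 1
# "Also apply to matching devices that are already installed", so a controller
# that was present before the policy loses its driver too.
Set-ItemProperty -Path $Policy -Name DenyDeviceIDsRetroactive -Type DWord -Value 1
Set-ItemProperty -Path $Ids -Name '1' -Type String -Value 'PCI\CC_0C0010'

# Verify: list the 1394 controllers Windows knows about, including any PCMCIA
# card plugged in later. With the policy in force they show up without a driver.
Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.Name -like '*1394*' -or ($_.CompatibleID -contains 'PCI\CC_0C0010') } |
    Select-Object Name, DeviceID, Status
```

On a domain the same setting belongs in a GPO under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions; the registry values above are what that GPO writes, so use the script for stand-alone machines and the GPO everywhere else. Run gpupdate /force after changing it and re-check the device list.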
WIOSKI
This is basically a really smart way to run a kiosk computer. What Sami has done is put together a bunch of scripts using only standard Microsoft techniques. It works by using two VHDs (virtual hard disks): one master image and one differencing disk.
Basically you first operate the master one, install anything you need and after that reboot the computer to the differencing VHD. The next time the computer is booted, anything on the differencing drive gets trashed.
So every reboot you have a fresh start and the computer is just as it was when the administration installed and approved it.
The installation is dead simple and the performance isn’t bad in any way since no virtualization is done.
The only downside is that the only Windows versions able to boot from a VHD file are Windows 7 Enterprise or Ultimate. So you need a license for one of them.
Anyway, you can find the Wioski media and an instruction video on the site http://www.wioski.com.
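The two-VHD layout described above, built with the standard diskpart and bcdedit commands, as an added example; these are not Wioski's own scripts, and how Wioski sequences the reset is not described in the post. It assumes Windows 7 Enterprise or Ultimate, a C:\vhd folder, a master.vhd that already has Windows installed in it, and that it runs as Administrator from a Windows that is not itself booted from the differencing disk (the file names are placeholders).

```powershell
# Added example (not Wioski's scripts): a master VHD plus a differencing VHD,
# with a boot entry for the differencing one. Assumptions: Windows 7
# Enterprise/Ultimate, C:\vhd exists, master.vhd already contains Windows,
# run as Administrator from an OS not booted from the differencing disk.
$Master = 'C:\vhd\master.vhd'        # placeholder path
$Diff   = 'C:\vhd\kiosk-diff.vhd'    # placeholder path

function Reset-KioskDisk {
    # Throw away the differencing disk and create a fresh, empty one chained to
    # the master: this is the "trashed on reboot" step from the post.
    if (Test-Path $Diff) { Remove-Item $Diff -Force }
    $script = [System.IO.Path]::GetTempFileName()
    "create vdisk file=`"$Diff`" parent=`"$Master`"" | Set-Content $script
    diskpart /s $script | Out-Null
    Remove-Item $script
}

function Add-KioskBootEntry {
    # Copy the current boot entry and point it at the differencing VHD.
    # [locate] lets the boot loader find the volume holding the file itself.
    $out    = bcdedit /copy '{current}' /d 'Kiosk (differencing VHD)'
    $guid   = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]+\}').Value
    $vhdRef = 'vhd=[locate]' + $Diff.Substring(2)   # strip "C:"
    bcdedit /set $guid device   $vhdRef | Out-Null
    bcdedit /set $guid osdevice $vhdRef | Out-Null
    bcdedit /set $guid detecthal on     | Out-Null
    bcdedit /default $guid              | Out-Null
    $guid
}

Reset-KioskDisk
Add-KioskBootEntry
```

Reset-KioskDisk cannot run from inside the kiosk session, since Windows will not let you delete the disk it is running from; it has to run from the master entry or a maintenance boot before the kiosk entry is started again. Until it has run, whatever was written during the last session is still in kiosk-diff.vhd.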
Thanks again for a great couple of days to the organizers.
Signing Tomcat CSR with Microsoft ADCS
by Mats Hellman on 08.Mar, 2011 under Active Directory, Windows
Today I got a request to sign a Tomcat server's certificate request with our Microsoft PKI. After some trial and error I could not get the CA to sign the certificate with the standard templates, Web Server or Code Signing.
After some searching on the web I found a solution: use the Subordinate Certification Authority template. This is not ideal, but it works. So anyone out there getting errors like
The certificate is not valid for the requested usage. 0x800b0110
can use the Subordinate CA template to sign the certificate in question.
If you have a better solution please post a comment.
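The submission with the template the post settled on, followed by a look at what the CA actually issued, as an added example that is not part of the original post. It assumes certreq, certutil and keytool are on the PATH; the CA config string, file paths and keystore alias are placeholders.

```powershell
# Added example (not from the original post): submit the Tomcat CSR using the
# Subordinate CA template, then inspect the issued certificate before trusting it.
# Assumptions: certreq/certutil/keytool on PATH; all names below are placeholders.
$CaConfig = 'CA-HOST\Example Issuing CA'   # placeholder; "certutil -dump" shows the real one
$Csr      = 'C:\certs\tomcat.csr'
$Cer      = 'C:\certs\tomcat.cer'

# The name passed on the command line is the template's internal name,
# which is "SubCA" for "Subordinate Certification Authority".
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:SubCA' $Csr $Cer

# What did we get? A certificate from the SubCA template carries
# Basic Constraints "Subject Type=CA", so the Tomcat key can itself sign
# certificates that chain to your PKI. That is the price of this workaround.
certutil -dump $Cer | Select-String -Pattern 'Subject:', 'Subject Type', 'Enhanced Key Usage'

# Import the reply under the alias the CSR was generated with; keytool rejects
# the reply unless the issuing CA chain is already in the keystore.
keytool -importcert -alias tomcat -keystore C:\tomcat\keystore.jks -file $Cer
```

If the dump shows Subject Type=CA, treat the Tomcat key accordingly: anyone who gets hold of that keystore has a CA key, not just a server key.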

