• Home
• About
• Advertise
• Contact
• Search

Install Software Updates hang on Downloading update

by Mats Hellman on 14.Dec, 2011 under ConfigMgr, Windows 7

Today I ran into an issue where the Build And Capture hung on Downloading update 1. Some googling lead to a known issue in ConfigMGR 2007 SP2 and there is a patch to solve the issue.

http://support.microsoft.com/kb/2509007

 

Once I installed the patch Software updates were downloaded and installed to the capture computer. This issue seems to affect only Windows 7 captures and with software update packages containing more than 80 patches.

Leave a comment

Microsoft Techdays 2011–Finland

by Mats Hellman on 03.Apr, 2011 under Windows, Windows 7

I attended Techdays here in Finland 31 March and 1 April. This was a great event so I’m going to post a big thank you here to the people behind this event. The only thing I had trouble with was prioritizing which sessions to attend. There were just so many great speakers.

Things that really stuck were the session on Microsoft Intune by Salcom Group and the 7 ways to break into Windows 7 by Sami Laiho from Sovelto and Petri Paavola from Aalto Yliopisto and a really special session by Sami Laiho talking about WIOSKI.

Microsoft Intune

This is going to be big for any small companies. Remember I said this. Not because I’m really into cloud computing yet but the fact that any small-midsize company can easily get a management system for their computers.

Reporting is a big part of todays security, so getting reports on how many of your computers are patched is actually a big deal.

But the thing that I liked most about Intune was the fact that the license includes a copy of Windows 7 Enterprise, and when a new Windows version comes along you have the privilege to upgrade. This will effectively give small size businesses a chance to get BitLocker in use. And from a security perspective that’s a big deal.

One of the really great things is that since the whole system operates from the cloud the systems administrator can work from anywhere.

The remote assist feature is also a part of Intune but my personal opinion is that you’d be better of with something like TeamViewer.

Intune also includes Microsoft’s Forefront Endpoint protection, so technically you could ditch your current antivirus. I haven’t tried FEP but many who have says it can actually protect your computer from the malware and viruses you throw at it.

The pricing also looks quite affordable, at 11€ / workstation / month it’s really not that bad. You get a great system and you can ditch some costs, like Antivirus licenses and you’ll cut the management costs since you don’t have to keep your own servers. And that is a cost saver for SMB’s, since they are rarely able to keep them up to date and secured properly anyway.

You can find information about Intune here http://www.microsoft.com/windows/windowsintune/pc-management.aspx

7 ways to break into Windows 7

This was a really interesting seminar, thanks to Sami Laiho and Petri Paavola for this one, these guys really know how to take an audience.

The ways they break in isn’t in any way new, most of us know that if the systems physical security is compromised in any way, you can’t trust the system anymore.

The interesting part is that with simple disk encryption, like Bitlocker, most of the hacks can be stopped.

The hacks they did were simply to replace the Sticky keys (sethc.exe), Displayswitch.exe to cmd.exe. This way when Windows boots just press Windows+P or 5xShift to get a command prompt running with system privileges. After that just use net.exe to add your administrative user and the computer is yours.

This could, as I said be prevented with BitLocker because you can’t get to the encrypted drive and modify it from WinPE or a Linux LiveCD.

Even if BitLocker is enabled there are ways in if you don’t use pre-boot PIN codes. And since central management for the PIN code isn’t available yet many haven’t  applied it. This hack was using a Linux distribution to access the computer by writing directly to the memory, using the FireWire port. The scary thing is that this isn’t something that’s only available on Windows based PC’s. Any computer that has a Firewire port activated can be hacked using the same tools.

In Windows Administrators can use Group policies to force Firewire drivers never to install but I’m not sure how to get this done in any other environment.

And if you think you’re safe because you don’t have a Firewire port, think again. There are PCMCIA cards supplying this port and any modern operating system will without a question install the drivers unless it’s denied to do so.

WIOSKI

This is basically a really smart way to run a KIOSK computer. What Sami has done is put together a bunch of scripts using only standard Microsoft techniques. It works by using two VHD’s (Virtual Hard drives). Using one differential and one master image.

Basically you first operate the master one, install anything you need and after that reboot the computer to the differential VHD. The next time the computer is booted anything on the differential drive get’s trashed.

So every reboot you have a fresh start and the computer is just as it was when the administration installed and approved it.

The installation is dead simple and the performance isn’t bad in any way since no virtualization is done.

The only downside is that the only Windows versions able to boot from a VHD file is Windows 7 Enterprise OR Ultimate. So you need a license for one of them.

Anyway, you can find the Wioski medias and a instruction video from the site http://www.wioski.com.

 

Thanks again for a great couple of days to the organizers.

Leave a comment

Shrink VHD in Windows 7

by Mats Hellman on 07.Dec, 2009 under Windows, Windows 7, XP Professional

I got a new HP Z400 Workstation to my office today and decided to recycle the old DC5800 to someone who needs a trusty workhorse and doesn’t work with memory intensive tasks like Virtual Systems like I do. Even if my old desktop was getting a new life I still wanted to keep it because I’ve installed many tools on it I still use and I like to do some Group policy testing on it.

I found the great tool Disk2VHD by Sysinternals. It converts your physical disk to a VHD file so you can use it in Virtual PC or some other virtualization software that supports Microsoft’s VHD format. Disk2VHD homepage http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Before you start this you may want to make a backup of your VHD file in case something goes wrong.

Shrinking the VHD for Virtual PC

So I captured my old hard drive and moved it to my new workstation. The file was only 80Gb as Disk2VHD makes it a dynamically expanding disk. Everything looks fine so far. The problem is that Virtual PC only supports 127Gb drives or smaller and my physical drive was 250Gb so booting the drive in Virtual PC didn’t work. I had to get it resized to under 127Gb to get it booting. Googling around I found a few tools but none of them worked the way I needed them to. I had to get my drive size under 127Gb. Some researching later I found that the computer management console, disk management, in Windows 7 was able to mount and shrink my VHD. So fingers crossed I started compmgmt.msc and mounted the drive.

Right clicking on Disk Management and selecting attach Virtual Hard disk worked like a charm. So now let’s shrink the drive. Select your drive from the list and right click selecting Shrink.

After the query is done it will tell you how much it will be able to shrink the volume. If it’s still over 127Gb you can activate the drive in Computer Management and go delete some files. I had a lot of downloaded files I had to delete before I could get it to shrink under 127Gb. When the shrink operation is done we still have to shrink the vhd file. This just made our Windows partition smaller and now we want to get rid of the unused partition from the VHD file to get it under the magic 127Gb line.

VHDResizer to the rescue

All you need to do now is get the software vhdresizer and have it resize your vhd. You can get VHDResizer from http://vmtoolkit.com/files/folders/converters/entry87.aspx

 

Still no roses

I was hoping this would be the end of the journey and I would be able to boot the system. You could try it at this point but for some reason my system wont boot. I booted into the XP setup and ran FIXBOOT and FIXMBR and the system still won’t boot. So next I tried an Repair install. Victory!

The repair install fixed any issues but I’m tempted to go trough the same again to check where this really fails. I’m sure you can do this without the repair install.

But the result is the same, I have my old desktop OS back and can use the tools when I need to and I didn’t have to reinstall from scratch. If anyone else has had the same problems and solved them without repair install I would be curious to know what you did.

4 comments

Using Windows Server 2003 32-bit print server with Windows 7 64-bit clients

by Mats Hellman on 05.Dec, 2009 under Vista, Windows, Windows 7, XP Professional

I’ve seen this question come up on discussion forums and other support resources a lot since the release of Vista. Many organizations still use Windows Server 2003 to serve users print services. And the need to upgrade isn’t really behind the corner yet. I know, I feel the same. We still use a Windows Server 2003 R2 as a print server and it it 32-bit, not 64-bit.

Can a 32-bit server handle 64-bit drivers

Short answer, yes. The server uses it’s own 32-bit driver as a interpreter between the spooler and the printer but it can serve clients with the drivers they need. The server really doesn’t care if the drivers it serves to clients are 32 or 64 bit. It can store all of them on the filesystem.

How do I install the drivers?

I’ve been using Windows 7 RSAT(Remote Server Administration tools) to add the drivers to our print server. The important step is to upgrade your current 32-bit drivers. If the driver versions of the 32 and 64 bit differ the server wont recognize them as the same driver. So if you’re using old drivers on your server I’m sorry to say you’ll have to start by upgrading the 32-bit ones first. I suggest you download both the 32-bit and the 64-bit version of the driver when you’re out driver hunting. First upgrade the 32-bit drivers you want to add 64-bit drivers for. I did this directly on the print server and I removed any old versions of the driver. Next add the 64-bit driver. Adding drivers from RSAT is really simple so I won’t go trough it in any detail. Just open Print Manager

Right click drivers and select add driver, add your 64-bit driver. As you can see in the image booth Toshiba drivers have the same version number, the difference is only the Environment.

Group policy edits for Windows 7

Next we’re going to create a group policy to allow restricted users to install their drivers, and we don’t want UAC to disturb or scare them. Side note: if you’re thinking of disabling UAC take a look at a previous article here http://www.nixadmins.net/2009/12/04/why-uac-is-the-best-thing-that-ever-happened-to-windows/ .

Open your Group policy management console and create a new / or add these settings to an old policy. You’ll find the setting under Computer Configuration \ Policies \ Administrative templates \ Printers \ Point and Print Restrictions.

Set the policy to Enabled and set the Security prompts Do not show warning or elevation prompt.

Push the group policy setting to your clients, point to your printer and you’ll be able to install it as a normal user.

16 comments

Why UAC is the best thing that ever happened to Windows

by Mats Hellman on 04.Dec, 2009 under Server 2008 r2, Vista, Windows, Windows 7

You’ve probably heard, countless times, why the Windows UAC (User Access Control) is the worst function ever introduced in a Windows operating system. Today we’ll look at it from another point of view. I’m saying it’s the best function introduced in Vista and later. Why? Because it makes it easy to elevate your privileges without holding down the right CTRL button or looking for it in any menu. How? I’ll show you in a minute.

Using any operating system with administrative privileges is a bad idea. It doesn’t matter if your running OS X, Windows, Linux or something else. If you’re running your day to day tasks as an administrator(root) you’re not thinking straight. You should be using as little privileges as possible to get the job done, and here UAC does a beautiful job stepping in as a bridge into administrator land.

I run my Windows 7 as a ordinary user and have two separate administrator account for any admin work I need done. I haven’t had any problems running as a user since I started using Windows 7(never really used Vista that much). I can work efficiently as a user and elevate my privileges at any time if I need to.

UAC isn’t really there for the ordinary user it’s there to protect you as an administrator so you won’t make mistakes you might regret later. It makes you think about what you are doing, even if you are running as an administrator, touch something that’s crucial for the OS it will hit you with an prompt to remind you that this could have consequences. Find it annoying? Don’t. Use it, bend it to your will.

Using UAC to elevate privileges.

A typical situation is you start an installer and it asks you for the name and password for an administrative account. This worked long before Vista or Windows 7. But the great part with Windows 7 is that you can ask for elevated privileges REALLY easily.

Let’s take Active directory Users and Computers as an example. You can run it and browse your organizational units and you can se users without administrative privileges. If you need to open an account or reset a password you will have to elevate your privileges OR you can delegate the tasks to your restricted user or maybe even a co-worker who normally doesn’t work in IT(by creating custom MMC:s).

Anyway to elevate just hit the Windows Logo button, type Active Directory move to Active directory users and computers AND hit SHIFT+CTRL+ENTER. Instead of the program starting with your user privileges Windows tries to elevate and sees that your access token doesn’t have the required rights for this. So it shows you the prompt. Easy as 1,2,3.

This is something most corporate administrators are used to BUT I would like to see home users adapt to this workflow as well. In the example I used the builtin Windows search, but you can start up any program like this. Now that you have read how easy this is, PLEASE create an administrative user to use and remove administrative privileges from your normal account. I promise it will feel natural in a few days and you’ll be a lot safer using your computer.

4 comments

Next Page »

Advertising

Recent Posts

• Configuration Manager 2012 installation trouble
• Install Software Updates hang on Downloading update
• SCCM 2007 management point fails to install
• Setting up Windows Server DHCP for SCCM2007
• The tale of the broken hard drive

Archives

January 2012

December 2011

July 2011

May 2011

April 2011

March 2011

February 2011

January 2011

December 2010

November 2010

September 2010

May 2010

Login

Register

Log in

Browse by tags

Acrobat Active Directory Apache Apple ASP.NET CentOS Defragmentation Drivers Free Software Group policy Install iPad Linux Microsoft MSI OSX Redhat SCCM Security Service Pack 3 SSL VPN SSTP VPN Virtual PC VPN Windows 7 Windows Deployment Services Windows Server Windows Vista Windows XP WinPE

Ads

Ads