Jespers Bagh's IT Blog

KMS 1.2 Update for Windows 2008

noreply@blogger.com (Jesper Bagh) — Wed, 16 Sep 2009 07:39:00 +0000

As of the 24th of August the update for Windows 2008 has been published on Windows download center:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=d284f030-642f-443b-85ce-74ef449d5ab4

Enjoy

Key Management Service (KMS) 1.2 Update

noreply@blogger.com (Jesper Bagh) — Thu, 13 Aug 2009 10:59:00 +0000

For KMS hosts that are running Windows 2003 is available:

64 bit: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=1678151b-b577-476f-87da-df54024b98e2

32 bit: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f3a0d90c-b7fd-44cf-bf81-11587adc599f

The release of the update for Windows 2008 is not anywhere to be seen, but we should see it soon..

So if you KMS server is running Windows 2008, you still will not be able to register your Windows 7 & Windows 2008 R2 operation systems...

Windows Server 2008R2 and Windows 7 KMS failed activation

noreply@blogger.com (Jesper Bagh) — Tue, 11 Aug 2009 09:48:00 +0000

Should you have a lot of Windows 7 Enterprise or Windows 2008R2 failing KMS activation it is because it needs an updated component on the KMS host. Key Management Service 1.2 should be installed. Microsoft promised it on RTM. But it seems that it is late.

It should be released today on Microsoft download center, så search for KMS 1.2 later today.

Releasing operating systems, that cannot register... Not going to comment.......

Windows 2008R2 & Windows 7 KMS installation keys

noreply@blogger.com (Jesper Bagh) — Mon, 10 Aug 2009 12:16:00 +0000

Use these keys in the SCVMM templates, when you create one, if you are installing Windows 2008R2 or Windows 7 VM's

http://technet.microsoft.com/en-us/library/dd772269.aspx

Includes KMS client setup keys. Useful when creating SCVMM Guest OS profiles.

--snippet--

Manually Activate a KMS Client
By default, KMS clients automatically attempt to activate themselves at preset intervals. To manually activate KMS clients (for example, disconnected clients) before distributing them to users, use the Control Panel System item, or run slmgr.vbs /ato at an elevated command prompt. The Slmgr.vbs script reports activation success or failure and provides a result code. To perform activation, the KMS client must have access to a KMS host on the organization’s network.

Converting MAK Clients to KMS and KMS Clients to MAK
By default, Windows 7 and Windows Server 2008 R2 operating systems use KMS for activation. To change existing KMS clients to MAK clients, simply install a MAK key. Similarly, to change MAK clients to KMS clients, run:

slmgr.vbs /ipk

where KmsSetupKey is one of the setup keys shown below.

After installing the KMS setup key, activate the KMS client by running cscript c:\windows\system32\slmgr.vbs /ato.

Windows 7 Professional
FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4

Windows 7 Professional N
MRPKT-YTG23-K7D7T-X2JMM-QY7MG

Windows 7 Enterprise
33PXH-7Y6KF-2VJC9-XBBR8-HVTHH

Windows 7 Enterprise N
YDRBP-3D83W-TY26F-D46B2-XCKRJ

Windows 7 Enterprise E
C29WB-22CC8-VJ326-GHFJW-H9DH4

Windows Server 2008 R2 HPC Edition
FKJQ8-TMCVP-FRMR7-4WR42-3JCD7

Windows Server 2008 R2 Datacenter
74YFP-3QFB3-KQT8W-PMXWJ-7M648

Windows Server 2008 R2 Enterprise
489J6-VHDMP-X63PK-3K798-CPX3Y

Windows Server 2008 R2 for Itanium-Based Systems
GT63C-RJFQ3-4GMB6-BRFB9-CB83V

Windows Server 2008 R2 Standard
YC6KT-GKW9T-YTKYR-T4X34-R7VHC

Windows Web Server 2008 R2
6TPJF-RBVHG-WBW2R-86QPH-6RTM4

NB!: These note that these keys can only be used to install the OS and the client will search for a KMS host once installed and is OOB period.

The Cable Guy NAP on the Internet

noreply@blogger.com (Jesper Bagh) — Fri, 31 Jul 2009 12:25:00 +0000

Please read this article about Network Access Protection (NAP) on the Internet. Very good article on health checking computers connected to the internet. How to manage and check your mobile users.

http://technet.microsoft.com/en-us/magazine/dd744660.aspx

MDM Roadmap

noreply@blogger.com (Jesper Bagh) — Fri, 31 Jul 2009 12:20:00 +0000

From the SCMDM Blog about the roadmap:

We’ve recently been asked a few questions about the SCMDM roadmap and future versions. Here’s a quick overview of what is to come.
At the recent MMS and Tech Ed US 2009 conferences, the System Center Configuration Manager team revealed some important news regarding the future of device management. Here are a few of the key messages that were shared:
The next major release of Configuration Manager will have the major MDM functionality for device management including SW Dist, Inventory, Settings Management, reporting, etc;
Both desktops and mobile devices can be managed by a "single pane of glass";
Device Management will not require the use of a VPN server;
Corporate network access can be obtained by "then current" solutions supported by the mobile device client and server infrastructure;
Mobile device management will embrace the same "user centric" model as recently announced (more here);
Product roadmaps for both Configuration Manager 2007 (DM) and Mobile Device Manager both converge on this next version of Configuration Manager
While there are surely more details that everyone would like to hear, this should be great news for those wanting to hear a confirmation that Microsoft is committed to continuing and improving mobile device management. We’ll be sure to keep you updated with future developments on this blog, so watch this space!

Problems creating templates for 2008 and Vista in VMM ?

noreply@blogger.com (Jesper Bagh) — Fri, 31 Jul 2009 11:57:00 +0000

Create the virtual machine ON the Hyper-V box and not deploy a new machine via VMM. Then configure the virtual machine on the Hyper-V box. Remember to set the security to blank password and enable that it can use a blank password in local security policies.
When you have configured and installed applications, boot a last time and then go to the VMM console and create a template from the virtual machine you just created on the Hyper-V box.

I have tested that this works on several installations where I have seen the problem with creating Windows 2008 and Vista template that work in VMM.

I will create a nice guide and post it here later

MS09-031 Patch for ISA Server

noreply@blogger.com (Jesper Bagh) — Wed, 15 Jul 2009 12:45:00 +0000

Microsoft has released this information and hotfix:

Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)

http://www.microsoft.com/technet/security/Bulletin/MS09-031.mspx

Affected Software:

Microsoft Internet Security And Acceleration Server 2006 (KB970811)
Microsoft Internet Security And Acceleration Server 2006 Supportability Update (KB970811)
Microsoft Internet Security And Acceleration Server 2006 Service Pack 1 (KB971143)

This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.

Test it and install it now.

SCMDM Future

noreply@blogger.com (Jesper Bagh) — Thu, 16 Apr 2009 12:28:00 +0000

Guess what guys...

System Center Mobile Device Manager is not going to be called that in the next version.. It is going to be called System Center Configuration Manager version xxx :-)

Nice that the ears have been open, and listening..

I wonder if the licensing be sorted.. If you have 4000 CAL's to MDM and enterprise environment, do you then have 4000 CAL's and enterprise license to SCCM - Nice :-)

Multiple SMTP domains and MDM

noreply@blogger.com (Jesper Bagh) — Sun, 01 Mar 2009 15:29:00 +0000

If you have more than one SMTP domain in your internal exchange environment and want to be able to enroll devices from all of them (saving the users from entering the serveraddress), here is what you need to do:

Add a secondary IP to the external NIC of the ISA server (on the nic or in ISA NLB setup - virtual IP).
Add mobileenroll..com - ie. mobileenroll.domain.com and point it to your virtual IP (mobileenroll - a record - secondary IP).
Import a certificate to your isa server (if you are running an array, import it to all), with the name of the mobileenroll.yourdomain.com
Create a new listener for the new domain and point it to your secondary IP and new certificate
copy your exsting rule for the working mobileenroll and attach the new listener

Repeat this process for each SMTP domain your want to do domain enrollment for.

SCMDM SP1 Reset Feature

noreply@blogger.com (Jesper Bagh) — Fri, 27 Feb 2009 19:12:00 +0000

Hey.. I am working on a Microsoft System Center Mobile Device Manager 2008 project.. Just want to spread some goodies underway..

Among them is the ability for the users to reset their pin or poweron password.

This is a brand new feature of SP1 of great interest in an enterprise implementation. With this feature end users who have forgotten their device password or PIN, can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.

As nicely stated in the MDM Password Reset Client v1.0 download overview:
“MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.
Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.
To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password.”

What is required?
Even though the client patch description mentioned above states it is first supported on Windows Mobile 6.1.4 or above device, the patch appears to install on some of my 6.1.1 devices. But “your mileage may vary” (YMMY) as they say.. The patch, available here, can be manually installed, but with MDM handy why not deploy it it out directly! Please note the installation failures on the devices that are below the 6.1.1 levels.
You also need the SCMDM 2008 SP1 installation on the back-end. Especially the changes on the DM server, SQL tables, and Self Service Portal (SSP) if you wish to use that for retrieving the reset password.

How it works:
After the client patch on the devices is installed and the device locked with a PIN, triggers a local generation of a password reset key. After 2 cycles of traffic to and from the Device Management server, that recovery password will have uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet or on the MDM console by seeing that the “Display Recovery Password” action is no longer grayed out on the right hand side of the screen when a managed device is selected:
More details can also be found here on the overall user experience of this feature: http://technet.microsoft.com/en-us/library/dd252841.aspx
Client Functionality
These are actual screen-shots of a managed device that has the client patched installed.
In a locked state, the “Reset Password” option is no longer grayed out. Suggesting that the password reset key has been uploaded and ready to use:

After the “Reset Password” option is selected, a confirmation that the user can indeed retrieve the recovery password from an administrator or help desk.

It will then let the user create a new password. Using the same requirements that might have been enforced to the device.

Now the user must contact the administrator or help desk. In this example the administrator clicks on the “Display Recovery Password” in the MDM console and is shown the 20 digit Recovery Password that the device has uploaded into the MDM database.

The user must type in the 20 digit recovery password to validate the new password.

If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!

Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a “Display Recovery Password” button at the bottom which will display the 20 digit recovery password:

The Password Recovery feature in the SSP is selectable by the administrator to be made available on the web site just as the Device Wipe and Device Enrollment features. Please see more information available here: http://technet.microsoft.com/en-us/library/dd261796.aspx.
Password Recovery References
SCMDM Cmdlets: http://technet.microsoft.com/en-us/library/dd261726.aspxSCMDM User Experience: http://technet.microsoft.com/en-us/library/dd252841.aspxWindows Mobile 6.x AKUs: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/31/windows-mobile-6-x-akus.aspxWindows Mobile 6.1.x Upgrades and Build Levels: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/24/windows-mobile-6-1-x-upgrades-now-available.aspx

NAP Design guide

noreply@blogger.com (Jesper Bagh) — Tue, 17 Feb 2009 09:50:00 +0000

Greg Lindsay (writer) and Allyson Adley (editor) won the Online Best of Show award for the NAP Design Guide at the Puget Sound Chapter of the Society for Technical Communication (STC) awards ceremony on January 29th.

Congratulations Greg and Allyson for the fantastic technical documentation on NAP!

It is a VERY good guide, that covers all areas you need in designing, deploying and managing the platform.

More NAP

noreply@blogger.com (Jesper Bagh) — Tue, 17 Feb 2009 09:40:00 +0000

Hey,

I just wanted to give you guys some more links to helpfull material that you can use for your NAP projects. Aswell as giving you some news on Windows 7 and Windows 2008 R2 integration.

In Windows 7, the NAP client user interface (UI) has been integrated into the Windows Action Center (previously known as the Windows Security Center). For example, Network Access Protection notifications appear in the list of messages when you click the Action Center message in the notification area of the Windows 7 desktop.

So you should start thinking about your design, and align it with your company standards regarding upgrading client OS's. You should start your PoC now on Windows 7, so you are ready to roll. Security wise you do get all the features you need built-in now.

-

If you want to play with a Network Access Protection with IPSec Enforcement virtual LAB please visit:
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032345136&EventCategory=3&culture=en-US&CountryCode=US
It is build on previous versions, but gives a good baseline for your future designs and thoughts on deploying NAP with IPSec enforcement.

VMM: Different administration Links

noreply@blogger.com (Jesper Bagh) — Thu, 08 Jan 2009 17:57:00 +0000

Here is a couple of nice links for administration of Virtual Machine Manager:

VMM Help, which is posted in the VMM TechNet Library (http://technet.microsoft.com/en-us/library/bb740766.aspx), contains several good sources of information for administering virtual machine self-service.

About Virtual Machine Self-Service: http://technet.microsoft.com/en-us/library/bb740785.aspx - Provides a conceptual overview.

About Self-Service Policies: http://technet.microsoft.com/en-us/library/bb740909.aspx - Gives a detailed description of the components of a self-service policy.

How to Set Up Virtual Machine Self-Service: http://technet.microsoft.com/en-us/library/bb740803.aspx - Provides an overview of all tasks involved in setting up virtual machine self-service and links to a detailed procedure for configuring self-service policies.

How to Troubleshoot a User Session on the VMM Self-Service Portal: http://technet.microsoft.com/en-us/library/bb740815.aspx - Tells how to access the Self-Service Portal as an administrator in order to see and manage the virtual machines as a specific self-service user would view them.

The no enforcement design for NAP

noreply@blogger.com (Jesper Bagh) — Tue, 30 Dec 2008 09:15:00 +0000

The following has been published on MS NAP Team blog. Please read it, it is very interesting, and if you are to implement secure wires, you might as well think about NAP.

http://blogs.technet.com/nap/

Copyright Joe Davies of the MS NAP Team:

The no enforcement design for NAP

Although NAP can be used to enforce restricted access for noncompliant NAP clients and non-NAP-capable clients, NAP can also be used to provide you with information about the overall level of health compliance on your network and correct system health problems automatically without notifying the user or restricting their access. This latter configuration of a NAP deployment is known as the no enforcement design and consists of deploying NAP in reporting mode with autoremediation enabled.

The value of the no enforcement design was echoed to me by attendees at a recent McAfee regional security event, where I helped present an overview of NAP and McAfee Network Access Control 3.0 integration to IT staff and security architects (this is the same presentation that I gave at McAfee’s FOCUS 08 event). Some attendees said that they were very interested in the no enforcement design of NAP because they did not want their users notified of noncompliance (via the NAP notification message) and definitely did not want their users’ access to be restricted. They would rather determine and fix any system health issues in the background without disturbing their users. One of the benefits of the no enforcement design is that you do not have to set up a restricted network with remediation servers.

To configure a no enforcement design, use the Configure NAP wizard in the Network Policy Server snap-in for the appropriate NAP enforcement method. On the Define NAP Health Policy page, select the Enable Auto-Remediation of Client Computers check box and specify that NAP ineligible computers are allowed full access. After the Configure NAP wizard is complete, modify the network policy for noncompliant NAP clients by selecting Allow Full Network Access for the NAP Enforcement settings.

Note
For the 802.1X enforcement method, specify the same VLAN or ACL settings for both full access and restricted access on the Configure Virtual LANs (VLANs) page of the Configure NAP wizard.

For more information, see the No Enforcement Design topic in Greg Lindsay’s excellent NAP Design Guide.

Windows 2008 hiberfil.sys - hmmm...

noreply@blogger.com (Jesper Bagh) — Mon, 29 Dec 2008 14:51:00 +0000

As you might have seen. There is a file on the %systemdrive% called hiberfil.sys and it has the same size as your physical memory, which can be VERY annoying.

It seems that W2K8 Server enables hibernation by default.

This is funny, since I'm not sure how many people actually hibernate a server. Nevertheless, it's something we need to deal with. Particularly for those who do most of their work in VMs.

In a VM where hibernation is normally replaced with the VM software's suspend feature, that can be quite a sizeable chunk of wasted space. In a production environment I would normally want to disable hibernation.

Trouble is, you can't disable hibernation anywhere in the GUI. It must be disabled from the command line using the command:

powercfg.exe /hibernate off

Please read these MS KB articles, for more details:

http://support.microsoft.com/kb/920730
http://support.microsoft.com/kb/929658
How to Disable Hibernation on Windows Vista

SCVMM 2008 Released

noreply@blogger.com (Jesper Bagh) — Mon, 24 Nov 2008 09:53:00 +0000

If you didn't know Microsoft Systemcenter Virtual Machine Manager 2008 has been released last month:

http://blogs.technet.com/virtualization/archive/2008/10/21/system-center-virtual-machine-manager-2008-rtms-and-what-i-m-hearing-from-customers-and-partners-about-microsoft-s-virtualization-solutions.aspx

Check it out. It looks totally different than previous versions, and I really like the self-service portal. It now has all the features you and your users need, to get an overview and administer their virtual servers.

So get moving.. Install it. apoint owners to virtual servers, and create the Self-service portal user groups and you are flying!

System Center Virtual Machine Manager

noreply@blogger.com (Jesper Bagh) — Fri, 03 Oct 2008 18:57:00 +0000

Also - please remember to follow the Microsoft System Center Virtual Machine Manager website or follow my blog for more details on release dates. 90 days after the launch of Windows 2008, Hyper-V 2008 was released, so why not make it 90 dates for the release of SCVMM 2008 ? :-)

Click Here for details on SCVMM2008.

One of the more exiting things is the possibility to manage your ESX environments, as well as your Hyper-V and Virtual Server environments. This make this the basis solution for support and manageability for Virtual Servers.

With SCVMM2008 Administrators have the ability to give users a web portal for his/hers virtual machines. Give the users the ability to "lease" environments, based on a point system. - You can make a basis server, give it 10 points, make a medium server, give it 20 points. And then assign the user 50 points. That means the user can deply two medium, one basis. 5 Basis servers, or what ever other combination the user makes.

Microsoft Hyper-V RTM'ed!

noreply@blogger.com (Jesper Bagh) — Fri, 03 Oct 2008 18:51:00 +0000

The standalone hypervisor, Microsoft Hyper-V Server 2008, was released today for download.

Hyper-V Server 2008 was built using the Windows hypervisor and other components, including base kernel and driver technologies. Microsoft Hyper-V Server 2008 shares kernel components with Windows Server 2008.
Microsoft Hyper-V Server 2008 contains a sub-set of components that make up Server Core deployment option of Windows Server 2008, and has a similar interface and look and feel. But as you know, Server Core has roles like DNS, DHCP, file. Hyper-V Server 2008 is just virtualization.
Because Hyper-V Server 2008 shares kernel components with Windows Server 2008, we don't expect special hardware drivers to be required to run Microsoft Hyper-V Server.
The maximum number of guest instances that can run on Microsoft Hyper-V Server 2008 is 128 (of course this is dependent on the hardware, memory and workloads). Additionally, each guest OS must have a valid license.
Hyper-V Server 2008 runs/upports all the guest OSes supported by its big brother, WS08 Hyper-V. See here for a complete list.
Windows Server licenses are not included with Microsoft Hyper-V Server 2008. Client access licenses (CALs) are only required for Windows Server and all Windows Server images that are virtualized, regardless of virtualization platform (e.g., ESXi). No CALs are required for Hyper-V Server 2008.

Cleartunnel SSL Plugin & Upstream Proxy

noreply@blogger.com (Jesper Bagh) — Tue, 16 Sep 2008 15:05:00 +0000

Update:

Collective Software has confirmed to me, that their Cleartunnel plugin for ISA Server does not work in a NON isa upstream proxy solution.

The only way to make it work is to use it in a ISA to ISA upstream proxy solution, and install Cleartunnel on both ISA servers and configure it as upstream on one and downstream on the other.

They have heard the scream from the customers, and are working on a solution in a future release.

Cleartunnel and non ISA Upstream

noreply@blogger.com (Jesper Bagh) — Wed, 03 Sep 2008 15:35:00 +0000

I have, in my LAB, been struggeling with getting Cleartunnel working. I have come to the conclusion that it does not work in a NON ISA Upstream Proxy setup.

The setup beeing :

Internal Network->ISA 2006 Enterprise with Cleartunnel Add-IN->Upstream Proxy server->Internet

Cleartunnel can only work in Full Bridge mode if it is the edge or downstream server to another ISA server.

At the present, there is no working solution, other than upstreaming to another ISA server or finding another solution in your external dmz...

Thought I might let you know..

ISA & TMG NAT behavior And MS08-037

noreply@blogger.com (Jesper Bagh) — Tue, 02 Sep 2008 10:33:00 +0000

Microsoft Security Response Center (MSRC) issued bulletin MS08-037 to address vulnerabilities in DNS resolvers caused by predictable UDP source port usage.

Problem:
After you install security update 953230 (MS08-037) on a Microsoft Windows-based computer, Domain Name System (DNS) queries that are sent from the computer across a firewall do not use random source ports.

MSKB 956190 addresses behavior observed when traffic crosses a NAT-based firewall and provides workarounds to mitigate this behavior.

Regards,
Jesper

NAP Training Solutions from Microsoft

noreply@blogger.com (Jesper Bagh) — Mon, 01 Sep 2008 11:55:00 +0000

Please check the NAP teams blog for Training solutions available from Microsoft E-Learning

http://blogs.technet.com/nap/archive/2008/08/29/nap-training-solutions-from-microsoft.aspx

WinCAT blog on NAP and 802.1X Enforcement

noreply@blogger.com (Jesper Bagh) — Mon, 01 Sep 2008 11:48:00 +0000

The Windows Server Customer Advisory Team (WinCAT) has posted this :

Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

Multicast w/IGMP Setup guide

noreply@blogger.com (Jesper Bagh) — Wed, 13 Aug 2008 10:52:00 +0000

Multicast and Multicast with IGMP is now included in SP1 - you only need to download the script files, because you still need to do the manual change of the NLB mode on the primary configuration storage server.

Please set aside time for this operation outside work hours.

You need these files (attached to this blog) : They are also to be found under kb938550 at Microsoft download.

csstools.js
debugtools.js
kb938550.wsf
utilities.js
vbtools.vbs

Use the following command on the primary configuration storage server:

cscript kb938550.wsf /array:"Your Array Name" /nlb:igmp /net1:"Network Name 1" /net1:"Network Name 2" /net3:"Network Name 3" /net4.... /net5.. etc.

That will set you NLB mode to Multicast w/IGMP

To set it to Multicast without IGMP use this command:

cscript kb938550.wsf /array:"Your Array Name" /nlb:multicast /net1:"Network Name 1" /net2:"Network Name 2" /net3:"Network Name 3" /Net4.... /Net5... etc.

I have included a sample script in the package attached.

Enjoy multicasting :-)

KB938550.zip