Alan Burchill author of the Group Policy Center blog has posted 2 great articles on Best Practices for Active Directory Structures.

Best Practice:Active Directory Structure Guidelines – Part 1

Best Practice: Group Policy Design Guidelines – Part 2

If you get tasked to do some system troubleshooting and you just want to get as many information possible from a client, then have a look at the Microsoft Product Support Report Tool and the Product Support Reports Viewer.

The Microsoft Product Support Reports Viewer 2.0 can be downloaded from here and the Microsoft Product Support Reports from here

First launch the Microsoft Product Support Tool, which is a self-extracting executable (no installation needed). Once launched you can select the diagnostics you want to execute, then select Next to get the Diagnostic (Data Collection) started. Note that depending on the diagnostics selected, this process can take a while (up to 25 minutes).

Once the Diagnostic process has completed you can browse, e-mail or save the results. When saving the results, all data is stored in a single CAB file.

The Microsoft Product Support Report Viewer provides an interface to view the collected diagnostic data, which consists of several individual XML files.

While the diagnostic tool was running on my client, I copied the content of the temporary folder that the tool creates within the users TEMP folder into another folder. (if you have many folders in your TEMP folder just sort by date, and open the one with the newest date).

Within that folder you will find a Tools folder which contains all the executables and scripts used by the Diagnosis Tool.

So next time you get one of these famous calls to help solving a system problem, consider using this tool to gather detailed system information data.

Today I spend a bit of time in refreshing my UAC knowledge, below a listing of the content I’ve been reading and watching.

Reading (Blogs & TechNet)
User Account Control in Windows 7 Best Practices
UAC Architecture
Inside Windows 7 User Account Control
The Windows 7 UAC Slider, and What You Can Do on Windows Vista Today
Engineering Windows 7 – User Account Control
UAC Prompt From Java: CreateProcess error=740, The requested operation requires elevation (ShellExecuteEx Runas Example)

UAC Group Policy Settings and Registry Key Settings

Video’s
Paul Cooke talks User Account Control
Windows 7 Security Overview

One of the objectives of deploying a new operating system within an Enterprise is to provide end users with a state of the art Operating System that builds the foundation for adopting new technologies and to increase end user productivity.

IT departments usually spend months in preparing an enterprise wide desktop deployment and by doing so they automatically get familiar with all the new functionality and features of the new Operating System. But what about the end users? Most end users are not involved in all the preparation and planning activities, hence they will only see the new Operating System on the day their PC is being migrated.

So unless one has recently bought a new home PC that has Windows 7 pre-installed, users will be confronted with a complete new User Interface. Windows 7 is far more intuitive than previous Windows Operating Systems,nevertheless users will need to go through a learning curve to manage their new device. Furthermore to boost end user productivity it is important that end users become familiar with the new features and functionality as otherwise there is a risk that they continue to use their device without using these.

To help Enterprises preparing their end users and IT support staff in creating the awareness and becoming familiar with the new features and functionality of Windows 7 and Office, Microsoft has put in place the Enterprise Learning Framework.

The Enterprise Learning Framework helps with:

• Raising Awareness: Helping employees understand how the new versions of Windows and Office will benefit them and helping to prepare employees before deployment
• Minimizing Disruption: Identifying a small, manageable number of learning topics to get employees up and running quickly with Windows 7, Windows Vista and the 2007 Office release
• Shortening Training: Concise learning topics requiring only a few minutes each from employees
• Gaining Productivity: Identifying the most important learning topics for improving productivity as employees continue to use Windows 7, Windows Vista and the 2007 Office release

The Enterprise Learning Framework portal allows IT departments prepare end user training content. The process of preparing the content is very straight forward.

• Choose Products
• Define User Profile
• Refine Topics

When completed the tool can automatically generate an e-mail message or Word Document that contains all the required training content. To avoid overloading end users with too much information at once, the tool allows to define the actual timeframe.

For more information or start preparing the end user training content visit the Enterprise Learning Framework portal.

If you’re planning to do some hands-on with MED-V I recommend that you have a look at these MED-V videos.

Nowadays we often hear the term Hard link in conjunction with Windows 7 deployments, this because the User State Migration Tool 4.0 aka USMT now provides support for hard links. The advantage of using hard links is that there is no explicit need to copy the data away from the machine before installing Windows 7. I plan to write about USMT 4.0 and the use of hard links in another post. The purpose of this article is to provide a practical understanding of what hard links are and how to create them.

So let’s start with a simple scenario. I have a file called doc1.txt stored in a folder called DATA which is located on my local C: Partition. Now let’s create a hard link for Doc1.txt. Microsoft provides two command line tools to create hard links, FSUTIL.EXE which exists since Windows XP and MKLINK.EXE which was introduced with Windows Vista. While FSUTIL is rather a multi purpose tool for all kinds of File System related configuration tasks, the purpose of MKLINK is specific to create symbolic and hard links.  For this demonstration I am going to use FSUTIL.EXE.

FSUTIL HARDLINK create c:\Linklocation\doc1.txt c:\data\doc1.txt

As shown in the illustration below, we now have a hard link created for Doc1.txt.

Now this might look like we have just created a copy of the file in a different folder, but that’s not the case as both files point to the same record in the MFT (Master File Table).  To better visualize hard links within Windows Explorer I recommend installing the hard Link Shell Extension.

Note that after creating the hard link the file symbol shown in the Windows Explorer has changed and now has a red arrow indicating that the file has a link. (this is only shown when you have the Hard Link Shell extension installed)

When looking at the File Properties, you will notice that there is now an additional Tab called Link Properties (This additional Tab is added by the Hard Link Shell Extension). The Link Properties tab provides information about the type of the link, the number of links and the linked files itself.

If now we open Doc1.txt located in C:\DATA with Notepad and add some additional text and then save the file, we will see that if we open Doc1.txt located in C:\LinkLocation the same content is displayed. But be careful, if you open and edit a file that has a hard link with Microsoft WinWord or Excel and save it, you will not see the added content within one of the other linked files, this because WinWord and Excel (and probably other applications as well) break the hard link. But only for the file that was edited, hence if you have a file that has 3 hard link references, then the other two files will remain linked.

In my next posts about Using Hard Links I will share some practical examples of using hard links plus share some insight on what is happening when using USMT 4.0 with hard links.

If you want to read more about hard links, I recommend reading the content listed below.

Additional Resources
MSDN – Hard Links and Junctions
Wikipedia = Hard Link
Engineering Windows 7 – Disk Space

Windows 7 introduces some improvements for Folder Redirection and User Profiles. If you are planning to use these technologies make sure to read the What’s New in Folder Redirection and User Profiles document.

Being generally interested in Group Policy Management I was more than happy to stumble upon this blog today called the Group Policy Center – A very nice blog with News, Tutorials, Tips and Tricks about Microsoft Windows Group Policy.

On march 4th Microsoft communicated on their Office 2010 Engineering blog that they are on Schedule with Office 2010 and will release it to manufacturing next month. For Enterprise customers Office 2010 will be available as of May 12th, consumers will get Office 2010 in June.

Microsoft Office 2010 Site

Planning, configuration, deployment and compatibility guides can be found here

Microsoft Office ONRAMP Site

Office OnRamp is the BPIO execution package that launches Office 2010 to the Enterprise business. Office OnRamp helps you drive the conversations you need to have with TDMs, ITPros and end users to renew EAs, drive Office 2010 deployment and win new EA business. OnRamp provides a complete set of orchestrated activities and marketing materials that give you the tools you need to demonstrate the value of Office 2010 in the BPIO framework and WIN!

Office OnRamp for TDMs:
Office 2010 Brochure for TDMs
Office 2010 TDM Pitch Deck for Office OnRamp
Office 2010 Client and Server Integration Whitepaper
Office 2010 Client and Server Integration Customer Ready Deck
Top New Capabilities for TDMs in Office 2010
Office 2010 End User and TDM Value Prop

Office OnRamp for IT Pros
Overview of 2010 for IT Pros
Tools for Planning Office 2010 Deployment
Security & Compliance
Application Compatibility for Office 2010
Office 2010 Deployment Considerations
Volume Activation for Office 2010
Web App Architecture & Deployment for Office 2010

Last Friday I met with some friends I used to work with in the past and we had some talk about Windows 7 and IPv6. One had mentioned that they would explicitly disable the IPv6 on the client systems, this because they would not use it and they wanted to avoid unnecessary network traffic on their LAN/WAN.

Back home I did some searches on the internet and found the below statement in the Support for IPv6 in Windows Server 2008 R2 and Windows 7 Microsoft TechNet Magazine article.

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6-based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.

I must admit that I haven’t looked at this in more detail myself, but for now I guess I would follow the advice above and leave IPv6 on, especially taking into account that some of our customers are considering using DirectAccess at some stage.

Another interesting article I recommend reading is IPv6 Autoconfiguration in Windows Vista which explains the IPv6 Autoconfiguration behavior in more detail.

If you’re planning on deploying App-V, but still busy with thinking of how you will get the virtualized applications to your end users I strongly recommend that you read the whitepaper “Choosing the right App-V Delivery Model” from Ment van der Plas.

The document provides an excellent overview of the different App-V delivery scenarios and their pros and cons.

Learn how to configure App-V; create, publish, and update virtual applications; and create and manage policies for virtual applicationss. The videos can be downloaded from here

Assume you are at a client site and plan to deploy a Windows Server (2008 / 2008-R2) or Windows Clients (Windows Vista / Windows 7) and want to check if they do already have KMS Services running on their network.

It’s very simple. Just open a command prompt and type the following command:

nslookup -type=srv _vlmcs._tcp

If KMS Services are present on the network the results will be listed as shown in the picture below.

Related Content
Upgrade your existing KMS Service to support Windows 7 and Windows 2008 R2
Volume Activation changes in Windows7
Fundamentals of Volume Activation

Intel vPro/AMT enabled systems allow you to remotely reboot a system from a redirected CD-ROM aka as IDE-R.  So if one of your users devices doesn’t boot its OS properly anymore, you can remotely boot that system with a diagnostics CD that you have stored on your local disk drive.

As long as that recovery CD has a text based interface such as the SystemRescueCD the system can be remotely managed through the remote VT100 terminal, but unfortunately that doesn’t work for graphical interfaces such as WinPE. So we need an alternative method to remotely manage that device. Since Microsoft’s own remote desktop (RDP) does not work under Windows PE, we are going to use VNC which is small and FREE.

Assuming that some of you might be interested to try this out themselves, here’s what you need:

• Intel  Manageability Developer Tool Kit
• Windows Automated Installation Kit (AIK) for Windows 7
• UltraVNC

You will need two clients, where one serves as your administration console and the other as the client which you are going to remotely manage. Make sure that at least the second client (the one that your remotely manage) have vPro/AMT enabled. Here’s a video that explains how to configure your client in SMB mode, which is good enough to test this scenario.

First install the Intel Manageability toolkit on the Administration Console client, which contains the Manageability Commander Tool and allows us to connect to the AMT enabled device, configure IDE-R and power on and off the machine remotely.  Register the client within the console through File, Add, Add Intel AMT Computer.

Once the client is registered click on the “Connect” button.

When the connection is established, select the Remote Control Tab and click on the “Take Control” button.

Now let’s move to the VNC Installation and configuration. Install UltraVNC Server and Viewer on the Administrator Console client.  When installed, start the VNC Server and configure it.  There are a lot of configuration settings available, configure at least the following ones: Authentication – set a password for full and view only access. Misc – To avoid graphics related issues, i proactively disabled Aero and Wallpapers. Query on incoming connection – Default Action set to Accept.

Now copy the following files located under C:\Program Files\UltraVNC\ into a new separate folder like C:\PE_VNC. These are the files that we will integrate into WinPE.

authadmin.dll
authSSP.dll
ldapauth.dll
logging.dll
logmessages.dll
SCHook.dll
vnchooks.dll
workgrpdomnt4.dll
MSLogonACL.exe
uvnc_settings.exe
vncviewer.exe
winvnc.exe
ultravnc.ini

The last thing we need to prepare now is the bootable ISO which includes WinPE. I assume you are familiar with creating a WinPE boot image, if not have a look at the Walkthrough: Create a Custom Windows PE image documentation on TechNet. Once you are at “Step 5 of the above referenced Walkthrough (Add Additional Customizations) you can add the VNC Server sources that you copied into C:\PE_VNC.

To avoid that you get the “Press any key to boot from CD” message when remotely booting the client from the redirected CD-ROM, you must remote the bootfix.bin file from the boot folder within your mounted image.

if you are familiar with WinPE, I also recommend that you look at the Walkthrough: Create an Optimized Windows PE Image. Optimizing your WinPE image can help you to reduce the size of your WinPE image, which helps reducing network traffic and boot time. By optimizing my WinPE image I managed to reduce its size from 152 MB down to 98 MB.

Now that we have our WinPE ISO file, let’s go back to the Intel Manageability Commander Tool. Select Disk Redirect menu, Change Target CD-ROM, Redirect to Image File and point to the previously created ISO file. Then select the Disk Redirect menu again and select Redirect Active.
Finally we can now boot the remote client from the redirected CD-ROM. Select Remote Command, Remote Reboot to Redirect CD.

Because now the whole ISO file content is being transferred over the wire, you will have to be patient, booting from a redirected CD-ROM can easily take a few minutes.  Remember that we removed the bootfix.bin file form WinPE, so if all goes well, the client will immediately boot into WinPE.

There is one thing which i have not yet figured out, and that is a convenient way how to find out the assigned IP address of the remote client, but maybe that is just an issue related to my test environment. So for the my own convenience I added some code to the startnet.cmd batch file, which displays the assigned IP Address.

Below you find the most important part of the startnet.cmd

: enable networking
wpeinit
: disable firewall
wpeutil disablefirewall

:: +——————————————————————–+
:: Start a minimized command prompt for troubleshooting
:: +——————————————————————–+
echo  * Starting a fallback console for troubleshooting…
start /min cmd.exe /k trouble.cmd

:: +——————————————————————–+
:: Launching VNC
:: +——————————————————————–+
echo  * Starting VNC…
x:
cd x:\vnc
start winvnc.exe

Echo  * Gathering IP Address
IPCONFIG |FIND "IP" > %temp%\TEMPIP.txt
FOR /F "tokens=2 delims=:" %%a in (%temp%\TEMPIP.txt) do set IP=%%a
del %temp%\TEMPIP.txt
set IP=%IP:~1%
echo %IP% >%temp%\ip.txt
echo The current IP address is "%IP%"

So let’s assume you know the IP address (the user was kind enough to read it for you) you can now initiate a remote desktop session through the VNC Viewer. I personally had an issue where the VNC viewer crashed right after establishing the connection with the remote client. I managed to get rid of that by setting the Connection Options to only use 256 Colors instead of Full Colors.

If all went well you should now be able to remote control your client.

I hope this was useful. As always, feedback and comments are more than welcome.

Alex

Instead of opening several windows, here’s an easy way to get a list of installed QFE’s. simply open a command prompt and type:

WMIC QFE

or

WMIC QFE get caption,hotfixid,installedon

or if you are looking for a specific update, enter the following command:

WMIC QFE | find “958559”

where 958559 relates to the MS KB number. If the QFE is installed, it will be listed.

Related posts:

3 seconds to get system serial number