Security is a State of Mind

How to create Granular Password Policies in Windows Server 2008

In this video, Chris Henley shows you a new feature in Windows Server 2008 Active Directory that allows you to set additional password policies beyond the domain settings.

http://technet.microsoft.com/en-us/windowsserver/bb896051.aspx

Additional information on Deployment, UDI, MDT, etc.

MDT 2010/ConfigMgr – UDI – Adding Applications To The Wizard

Improving Your Image: Sector-Based, File-Based, and Sysprep - What Makes the Most Sense? Part 1: Terms and Windows Tools Primer

Improving Your Image: Sector-Based, File-Based, and Sysprep - What Makes the Most Sense? Part 2: The Pros and Cons.

MDT 2010: Fix for "‘Multiple connections to a server or shared resource by the same user" Error

I've encountered this as a normal glitch and usually advise that the reference machine should be a member of domain and that the logged on user should be a domain administrator equivalent. The first suggestion results in negative reactions coz usually the Windows 7 reference machine should not be a member of the domain because the SYSPREP portion actually removes the domain membership. But hey, that's what worked for me.

I just saw this fix in the Microsoft Deployment Toolkit Team Blog (click here).

This issue is discussed in Support Article 977566.

This issue is fixed in MDT 2010 Update 1 (source "What's New in MDT 2010 Update 1?" document downloadable with MDT 2010 Update 1).

Microsoft Assessment and Planning Solution Accelerator 5.0 is Now Available!

Next steps: 

•  Download the MAP 5.0 Toolkit.
• Checkout the MAP Overview DEMO 
• Help us spread the word—share the download link with your friends.
• Send your comments to the MAP team.
• Visit the MAP Team blog for more news on the MAP Toolkit and other IT planning Solution Accelerators from Microsoft.

What's new with MAP Toolkit 5.0?

ü  Microsoft Office 2010 readiness assessment

ü  SQL Server discovery and assessment for consolidation

ü  Windows 2000 Server migration assessment

Microsoft Technology on the Singapore National Day Parade 2010 Live Feed Site

In collaboration with MediaCorp and NCS, Microsoft developed the Singapore NDP 2010 webcast site. This year's NDP will be held at 6 venues, all provided with HD live video feeds rendered through Silverlight Smooth Streaming technology.

The venues for NDP 2010 are

• Padang (main venue)
• Eunos
• Woodlands
• Choa Chu Kang
• Bishan
• Sengkang 

Features that viewers can enjoy in the site are

• Bing Maps - lets users select between the 6 locations
• PhotoSynth - provide a 360-degree panoramic view
• Facebook Connect - lets users share their thoughts using FB
• ShakeUp - a mini-game (web and phone) powered by Windows Azure and SQL Azure that lets users add points to their respective zones.

 Don't forget the date:
9 August 2010, 5:30 PM
http://ndp2010.mediacorp.sg/

Microsoft Deployment Toolkit 2010 Update 1 Released!

Microsoft just released Microsoft Deployment Toolkit Update 1. There were no featured deprecations from MDT 2010, and here are some of the improvements

• Support for User Driven Installation (UDI). To lower cost of ownership, Microsoft encourages self-service deployment, and with MDT 2010 and System Center Configuration Manager (SCCM) 2007 SP2 and MDT 2010 Update 1, self-service deployment is made much easier! I will review this UDI facility and write something up separately.
• Support for Microsoft Office 2010.
• Support for Upgrading from Previous Versions of MDT/BDD. Support from as far back as Business Desktop Deployment (BDD) 2007 Update 2 is available. Just install MDT 2010 Update 1, and your deployment share from older versions can be used already with a few mouse clicks. 

If you're using MDT 2010 or even lower, download the Microsoft Deployment Toolkit from the Microsoft Download Center and try it out now! You can also find in there the full list of improvements and a concise user manual. Get if from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3bd8561f-77ac-4400-a0c1-fe871c461a89

PHIWUG Internal Event: Windows 7 Deployment Deep Dive (Level 300)

During my vacation to Manila on the last week of June 2010, I was invited by the Philippine Windows Users Group (PHIWUG) to share my experiences on deploying Windows 7 in the enterprise space in Singapore. It's an email-invitation event, hence there was no public invite.

Windows 7 Deployment Deep Dive (Level 300)

For this PHIWUG event, our guest PHIWUG's very own Jay Paloma who is now Technology Specialist for Desktop Deployment at Microsoft Singapore. He will share with us his best practices on deploying Windows 7 across Enterprise accounts in Singapore. No marketing! Few PPT slides! All experience and best practices shared! 

• How do customers want their Application Compatibility Testing? Using ACT? What about remediation, is it still ACT or are there other solutions available?
• Is the WIM file format acceptable to customers? What about their 3rd party imaging and deployment solutions? Do we or do we not include Office in the image?
• How do customers want to deploy? LTI? ZTI? When can either solution be used?
• How Windows 7 deployment can be a lucrative business for your SI organization.

28 June 2010 | 6PM | Microsoft Philippines, 6750 Ayala Avenue Makati City

Problem Steps Recorder in Windows 7 Omits First Screenshots

Problem: You're creating a documentation and you're gathering screenshots using Windows 7 Problem Steps Recorder (PSR). The resulting file omits some screenshots at the beginning. What seems to be the issue?

Solution: PSR is configured by default to only store 25 screenshots. If it took you 30 screenshots to recreate a process, it will omit the first 5. To store more screenshots, go to PSR > Settings, then set a bigger number in Number of recent screen captures to store.

Note the following very important facts:

1. Note that the maximum num of pics you can store is 100. It is wise to record your procedures into smaller chunks. For example, I was tasked to get screen captures Microsoft Deployment Toolkit activities Add Standard Client Task Sequence, Add Sysprep and Capture Task Sequence, Deploy Reference Machine, Capture Reference Machine image. Instead all of them on one recording, I have taken recordings individually.
2. Settings are not persistent -- you need to reconfig this everytime you launch PSR

Windows 7 Network Location Prompt appears after installation

Ok, I used to think this is normal, but when customers started asking how to remove this annoying "Set Network Location" prompt that appears upon completion of Windows 7 installation through Microsoft Deployment Toolkit (MDT), I had to research.

To suppress the display of the Network Location prompt, Microsoft released a hotfix for this --- and is relatively new (this post is 15 June, the article was last reviewed 12 June)

Article ID: 2028749 - Last Review: June 12, 2010 - Revision: 5.0
A "Set Network Location" dialog box appears when you first log on to a domain-joined Windows 7-based client computer

The hotfix can be implemented in a couple of ways, all pertaining to the fact that it shuld be in the source WIM file

1. Inject the hotfix into the WIM file using Deployment Image Servicing and Management (DISM)
2. Import the hotfix into MDT
3. Implement the hotix into the Windows 7 Reference Machine then acquire the image.

As of the time of writing I am testing this hotfix into MDT and also in the reference machine. Will post updates once available.

UPDATE 2010 Aug 12: Hotfix works in my labs

TechEd 2010: Trends in Cybercrime 2010

http://www.msteched.com/2010/NorthAmerica/SIA339

Download: Windows 7 and Office 2010 POC Jumpstart Kit

Deciding Between Windows 7 32-bit or 64-bit

Your organization decided it will go to Windows 7, and you're responsible for directing this project. One question you will have to face sooner or later is if you will install 32-bit or 64-bit version of Windows 7.

Pros

• >=4GB RAM support. If your organizaton's standard RAM issued on machines is at least 4GB, then considering 64-bit is a good investment for you to maximize your hardware -- that is if your CPU itself can support 64-bit. Consider all other factors though, especially the ones below.

Cons

• 16-bit applications will not run. In fact, very old software will have issues running on very new OS, generally speaking.
• 32-bit drivers will have problems on 64-bit OS. Drivers should be 64-bit
• Signed kernel mode drivers only, no less. Unsigned ones will not work

Bottomline, whatever works on 32-bit will not always work on 64-bit, therefore your Application Compatibility Testing exercise needs to be performed on both 32-bit and 64-bit version of Windows 7. To check out if your application or driver works for Windows 7 64-bit, check out the Windows 7 Compatibility Center, don't forget to click on 64-bit Windows 7 under Select a system type to check if the app/device also works for 64-bit.

DO Consider 64-bit in your next hardware refresh cycle only if these conditions are met

• Your hardware and software supports Windows 7 64-bit
• Your standard RAM is >=4GB
• Your CPU supports 64-bit

Don't even consider 64-bit now if you have standard RAM of 1-2GB even if CPU can support 64-bit. If you're upgrading to at least 4GB RAM in the near future, balance out the extra effort in appcompat testing 64-bit vs. reinstalling Windows 7 64-bit after the RAM upgrade. Deploying Windows 7 is a lot easier than its predecessors, especially with regards to User State Migration, with the Hardlink Migration feature -- but that's an entirely different discussion already.

Singapore on Photosynth, and a couple of mine featured in Bing Maps

Microsoft has opened a contest that features Singapore tourist and heritage sites in Photosynth:

Photo360 is a contest that encourages competitors to participate in the picture taking and stitching photos of Singapore attraction sites into one big interactive 3D viewing experience called a Synth’ using Microsoft® PhotoSynth

Details http://labs.innovativesingapore.com/photo360/index.html

The cool thing is that a couple of my synths are now featured in Bing Maps

Merlion http://photosynth.net/view.aspx?cid=909dae51-b882-44e8-a7bb-743be809ee78

Singapore Flyer http://photosynth.net/view.aspx?cid=ccc6cd14-a2a0-47d8-8c19-8b7b092f6f0a

Microsoft Support: How to customize default user profiles in Windows 7 and in Windows Server 2008 R2

I was asked this question during the Windows 7 Deployment Hands-on Labs: will the Default User Profile be one of the user profile settings that would be backed up and restored by the User State Migration Tool? My reply would be: instead of using USMT to restore that Default User Profile (and end up with unmanaged, disparate Default User Profiles all around your Windows 7 deployed machines), why not implement the Default User Profile in your WIM Image so that you will end up with a single, uniform Default User Profile across all Windows 7 machine that you will deploy.

The steps how to do it are on this article: How to customize default user profiles in Windows 7 and in Windows Server 2008 R2.

In essence:

1. On the Windows 7 Reference Machine, logon using the local Administrator account or a user account that has local Administrator privileges, then make the necessary changes.
2. Create an unattend.xml that sets the CopyProfile parameter to "True" in the specialize pass. The parameter in unattend.xml is: <CopyProfile>true</CopyProfile>
3. Use the modified unattend.xml during Sysprep. The command is Sysprep /generalize /unattend:unattend.xml

From Windows XP to Windows 7 - Deployment Considerations

In the same way as my article From Windows XP to Windows 7 - Stuff You Will Encounter for the First Time, here are the considerations for deployment that you need to think about. These are new in Windows Vista, but then again most companies are going to Windows 7 straight from Windows XP.

• Windows Automated Installation Kit (WAIK). This is a suite of tools to prepare for and deploy Windows 7. This and MDT comprise the root of Windows 7 deployment, both of which are FREE for download from the Microsoft Download Center (http://download.microsoft.com).
• Windows Imaging Format (WIM). This is the imaging format used in Windows Vista and is continued and enhanced in Windows 7. WIM is file-based, hardware-agnostic operating system imaging and you will need to plan for making best use of this technology since it is, as I said, hardware-agnostic, meaning one image can be used across multiple hardware types. Imaging considerations include acquisition, application and maintenance.
• User State Migration Tool (USMT). This tool is part of WAIK and allows us to save and retrieve files and settings from Windows XP to our target operating system. This is most useful for enterprise deployments of Windows 7.
• Microsoft Deployment Toolkit (MDT) 2010. This used to be called Business Desktop Deployment (BDD). MDT automates and simplifies a lot of tasks in WAIK based on experience and deployment best practices. Quite frankly, it is much easier now to to perform a client refresh from Windows XP to Window 7, compared to deploying Windows Vista from Windows 7 -- my personal opinion!
• Bitlocker Drive Encryption. If you will deploy Windows 7 Enterprise or Ultimate, you have an additional consideration of whether you will use Bitlocker or not. Good news for us is that this system reserved partition is automatically created during Windows 7 setup, and that the option to set this up from Windows 7 deploying is available on MDT 2010!
• Volume Activation 2.0. From Windows Vista onwards, activating a volume license used a different system from its predecessors. For more information on VA 2.0, check out this article Volume Activation 2.0 for Windows Vista and Windows Server 2008.