Kurt Shintaku's Blog

The Forefront Integration Kit with NAP (Network Access Protection) has been released. This was previously a beta offering from the Solution Accelerator team.

Other Anti-Malware vendors such as Symantec, McAfee, & Trend all charge extra for the ability to integrate with NAC or NAP. In Level A or B pricing customers, there’s been much as $13/user on top of what is already being charged for their anti-virus software. Even worse, the security vendors that sell appliances to do NAC often quote as much as $30 *per port* to do in-line Network Admission Control. 

Microsoft includes full NAP/NAC support with Forefront Client Security at no additional charge.  Any customer with Windows Server 2008 also owns NAP licensing which is built into Windows Vista & Windows XP Service Pack 3.

More on Forefront Integration Kit for NAP:

• http://blogs.technet.com/secguide/archive/2008/05/05/microsoft-forefront-integration-kit-for-network-access-protection-deployed.aspx
• http://www.microsoft.com/forefront/fcs_nap_faq.mspx

This is a ‘must attend’ session for IT Professionals in any organization that has SharePoint 2007 in its environment.  World renown author and expert on SharePoint and Windows technologies, Rand Morimoto, will share best practices of what organizations with SharePoint 2007 from around the world are doing relative to:

• encrypting SharePoint document libraries

• managing SharePoint server and content virus protection

• providing realtime snapshot backup of SharePoint and SQL data

• enabling secured remote access to SharePoint sites and servers

• and monitoring SharePoint to maintain high availability and reliability of SharePoint environments.

Rand will cover key Microsoft technologies such as:

• ForeFront for SharePoint

• Windows Rights Management Services (RMS)

• System Center Data Protection Manager (DPM)

• ForeFront Intelligent Access Gateway (IAG)

• System Center Operations Manager 2007

This is an introductory session where Rand will describe what the technologies are and explain how they improve the overall successful operation, management, and support of a SharePoint 2007 environment.

SPEAKER:  Rand Morimoto, Ph.D., CISSP, MVP:  Rand is a world renown author of dozens of global bestselling books on Windows 2008, Exchange 2007, SharePoint 2007, SQL 2005, Windows Vista, and the like.  Rand’s company, Convergent Computing, is a Microsoft Certified Gold Partner with 65 consultants that help the largest companies in the world plan, design, and implement Microsoft technologies.  Rand keynotes over 50 conferences and conventions around the world each year and is the former Internet Security Advisor to the President of the United States.  For more information on Convergent Computing, see http://www.cco.com.

Language(s):
English.

Audience(s):
IT Professionals,Technology Decision Maker.

Duration:
60 Minutes

Start Date:
Wednesday, May 21, 2008 9:00 AM Pacific Time (US & Canada)

Registration:
If you are a customer of mine that is interested in participating, please contact me for registration information.

The Security Compliance Management toolkit consists of 12 desired configuration management (DCM) Configuration Packs that you can use with Microsoft System Center Configuration Manager 2007.

You can use the Configuration Packs to scan the computers in your environment to determine their level of compliance with baselines prescribed in security guides from Microsoft for Windows XP SP2, Windows Vista, and Windows Server 2003 SP2.

Customers can then use the DCM feature in Configuration Manger 2007 to produce reports that IT professionals can use to remediate security baseline settings and provide proof of compliance to a known baseline. Please note this is a Public Beta, the review period runs from April 3 to May 8, 2008.

After reading the documentation and using the tools, please provide feedback by completing the Security Compliance Management Beta survey on Microsoft Connect. The survey provides opportunities for written feedback. Alternatively, you can turn on the Track Changes feature in the Beta documents to use the Comment feature to include your feedback. Please e-mail commented documents to SCMBeta-AT-microsoft-DOT-com.

So, if you’ve been reading, you know that I executed a Repair Reinstall of Windows Vista.  (This is a rather traumatic action and a "weapon of last resort", not to mention the first Repair Reinstall that I’ve ever had to do in this entire decade I might add… so this is one of the reasons why I’m taking this so seriously.  It’s not something I’m accustomed to having to do.)

After doing a Repair Reinstall (Repair Reinstalls for those who aren’t aware, are essentially the last resort of IT Pros to repair and installation of Windows.  It involves taking the original media (DVD) and inserting the disc into the running installation of Windows, then from the graphical interface, running an ‘OS upgrade’ from the DVD itself. 

The result is a reinstallation of all operating system files onto the machine while a very strong attempt is made to preserve all the existing data/files, programs installed, configuration, etc.  If everything goes correctly, theoretically the workstation should be in essentially a flawless operational state, with all it’s old programs working just fine.

Well… of course this is theoretical.

I’ve now encountered three pieces of software that has required an "uninstall" and "reinstall" to get them to work properly post-Repair Reinstall.

• Zune Client 2.3 (couldn’t detect driver for Zune until a reinstall of the client occurred)
• Microsoft ISA Firewall Client 4.0 (wouldn’t work at all until it was reinstalled)
• Windows Live Writer (title couldn’t be cut & pasted or edited)

I’ll edit this list as I discover things.

I haven’t been able to install Windows Vista Service Pack 1.

There.  I said it.  I’ve had access to the SP1 "release bits" for ages as you might suspect and I haven’t been able to install it on my production machine and I’ve been incredibly bitter about it because my coworkers drool over the improvements that we’ve made to Windows Vista with SP1’s availability:

• Improved file copy speed
  (Incidentally, using the cmd netsh interface tcp set global autotuninglevel=disabled works VERY well now for network routers that can’t handle Vista’s dynamic TCP window throttling)
• Fewer User Access Control dialog boxes
• Better DirectX support (support for DirectX 9 & 10 hardware)
• Improved power efficiency
• Improved security

Because I’ve been able to install Windows Vista Service pack 1 on two other non-critical systems of mine, I literally seeth when I hear about malcontents complaining about SP1 "not being good enough" because dammit, at least you got to install it on your production machine – I haven’t even gotten that far.

Yessir, when I attempt the install, after the progress bar takes 1 hour to crawl across the entire dialog dialog box, I get an error that reads:

 
WTF? 

Sigh.  Whatever happened to striving for meaningful error messages?  Could it not find a file or registry entry?  Could it not write to the disk due to some sort of corruption?  What does this mean?  <entering forensics mode>

So if you go to http://go.microsoft.com/fwlink/?LinkId=101139 like it says (which incidentally isn’t hyperlink-enabled, meaning that on top of being inconvenienced by not being able to install the Service Pack, now you have to manually type in some long string of characters in to a Address/URL box in your browser.  Grrr. Why do we have Internet Explorer as an integrated part of the operating system if the Operating System dialog boxes aren’t going to be hyperlink-enabled?  Note-to-self:  Escalate with Core team.) the link takes you to a page that go through a set or purported resolutions:

1) "Run Windows Update to reset the installation of the Service Pack in the event that it was caused by a previously incomplete ‘update installation’." 
First of all – that’s highly unlikely and I hardly have any confidence that that’s going to work.  Sure enough, I retry running Windows Update and it does nothing.  So much for that.

2) "Check your hard disk for errors."
Okay.  That could be it.  Errors on the hard drive.  I’ve had my share of driver related blue screens (something’s wrong with my Compaq nc8430’s power management electronics resulting in a rare bugcheck screen that strikes at weird times)  So I run a Chkdsk/Scan for Errors against the System Partition… the only partition I have.  Nope.  Passes with flying colors.

3) "Run Check System Update Readiness (CheckSUR)"
This is new.  For those that haven’t seen this, this tool essentially goes through and validates that the file backups that Windows maintains in it’s manifests of "repair files" are consistent and uncorrupted.  (http://go.microsoft.com/fwlink/?LinkId=109180)

It also instructs me to:

• Type reg add HKLMCOMPONENTS /v StoreCorruptTimeStamp /t REG_SZ /d "0" /f, and then press ENTER. 
• Type reg delete HKLMSOFTWAREMicrosoftWindowsCurrentVersionCheckSUR, and then press ENTER. 
• Download and install http://go.microsoft.com/fwlink/?LinkId=109180

This does indeed find some problems.  19 to be exact.  So I try the install of Service Pack 1 again.  It actually gets farther, but once again, no joy.  But at least it did something.

4) Run the Windows Vista Memory Diagnostic Tool.
Alright – didn’t expect this either.  Let’s check the memory for failures.

Annnnnd nothing.  Passes with flying colors.

5) "Run the System File Checker tool."
This I hadn’t tried as well.  Run SFC /scannow.  And this is what I get.

"Windows Resource Protection could not perform the requested operation."

Now, this I spent quite a while on because apparently MANY other people on the Internet have run into this problem – but not as a result of discovering that Service Pack 1 failed. 

So I proceeded to figure out why System File Checker had failed and how to get it working, and here’s what turned up:

• You can analyze the SFC log file, here http://support.microsoft.com/kb/928228/en-us.
  This didn’t do me much good other that to tell me that there’s some serious corruption in Windows and apparently the tool that’s supposed to fix it (SFC) can’t deal with it.
• Run a Vista startup repair. This can repair more than just startup problems http://www.vistax64.com/tutorials/91467-startup-repair.html
  This ended up doing nothing.

6) Restart the computer, close all apps, disable antivirus/antispyware, and try again.
Are you kidding me?  The ol’ "Reboot your computer" routine?  Like I didn’t try that in the beginning. <smirk>

——————–

So there you have it:  That’s as far as I was able to get in attempting to repair my system.  For IT techs everywhere, you know that there’s just one last way to fix a Windows Vista computer and that’s the method of last resort:

7) Do a Vista upgrade repair reinstall.
This gives you a new OS without changing settings, files, folders, other programs and the like. http://www.vistax64.com/tutorials/88236-repair-install-vista.html

I really didn’t want to have to do this because:

• It means having to test all my apps and all my devices to ensure everything in the way of programs, settings, and data "carried over" from the previous installation.
• It takes a verrrrrrry long time.  The installation may take as long as 2 hours as it backs up your settings, reinstalls, and restores your settings.

But the good news is that once I backed up all my data and did the repair reinstall, everything worked cleanly.  (Except for my Zune which required that I reinstall the Zune client software on my PC)

If you ever find yourself in a bind and need to get something in Windows Vista fixed, a repair reinstall is usually your last resort however I’ve never seen this NOT work.  A repair reinstall does a complete refresh of the installation of Windows Vista on your machine.  It preserves your settings, files, folders, and program installations. (It’s documented here:  http://www.vistax64.com/tutorials/88236-repair-install-vista.html)

The problem is that it leaves behind a lot of residual file ‘turds’.  If you ever have to do this, be sure the check the following to free up any disk space you may be wasting otherwise:

1. Windows Vista SP1 Disk Clean-up Tool
   http://www.maximumpcguides.com/windows-vista-sp1-disk-clean-up-tool/
   
2. $INPLACE.~TR and $WINDOWS.~Q folders for in Windows Vista
   The $INPLACE.~TR and $WINDOWS.~Q folders are more-or-less garbage and can be safely deleted.  If you don’t feel comfortable deleting them outright, fire up the Disk Cleanup utility (click Start and type Disk), select the Files discarded by Windows upgrade item, and then click OK.
   
3. c:WindowsPanther
   Delete this folder.  It is part of SYSPREP and where one puts their UNATTEND.XML file to control setup of the first post-SYSPREP boot.  It’s not necessary post-repair install.

I recovered something like 5GB of disk space after deleting the above folders.  Disk Clean Up freed up 1GB, $INPLACE/$WINDOWS’s deletions released 3GB of space, and Panther’s deletion released another 1GB.

Interestingly enough, if you do a repair installation (a.k.a. an Upgrade install over an existing installation) of Windows, Zune’s driver apparently disappears. 

I recently did a repair install myself (to be explained in a future post) and to my dismay, my Zune no longer synced when I attached it via the cable to the USB port of my laptop.  Windows stated that it needed a driver all of a sudden and when it searched Microsoft Update for the driver, it came back empty.  I pointed to the original install files and no joy:  Windows didn’t find the driver there either.

The obvious solution is to simply uninstall the Zune software and reinstall it, to make sure that the drivers got installed into the OS.  Of course I was a little worried:  I didn’t want to have to reinput all of my podcast URLs – especially since I had no idea where it stored this information on the drive.

Fortunately, all that configuration information remained after I uninstalled the software and reinstalled it.  And as expected, once I did that, Windows picked up my connected Zune immediately and started the process of syncing the new podcasts and clips I’d made available.

So the good news is that the workaround is simple.  The bad news is, why is getting the Zune driver such a pain in the butt?  Hopefully, I’ll be able to track the answer to that one down in a bit.

Anyway, here’s my list of currently active Podcast subscriptions for anyone that cares:

UPDATE 5/8/08:
Our marketing manager got this confused.  This gig ISN’T happening on May 29th.  It’s actually older content that’s already posted to the link, so if you want to go check it out, the video is there for viewing right now:
http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032336305&EventCategory=4&culture=en-US&CountryCode=US

——————————

Using Visio 2007 to Plan, Design, and Monitor Your Infrastructure for Enhanced Security
Join us for the May 29 webcast. The session, presented by Sandy Sharma, will explore business reliance on technology, IT departments’ responsibility for mitigating security risks while maintaining seamless business environments, and more.

As business reliance on technology increases, IT departments are responsible for mitigating security risks while also maintaining a seamless business environment. Join this webcast as we explain how Microsoft Office Visio 2007 can help you plan, design, monitor, and enhance security in your organization by helping you visualize the availability of systems. We explore how Visio 2007 can assist you by providing visibility into security status and infrastructure plans. We also discuss how your organization can improve infrastructure management, minimize vulnerabilities, and enhance identity and access management.

Presenter: Sandeep Sharma, Senior Executive, Advaiya
Sandy Sharma has more than 15 years of business and technology consulting experience in a senior executive position. He has also served as a senior consultant, business strategist, and architect for large organizations. Sandy specializes in helping organizations achieve success through his practical knowledge of how to improve business processes and align business needs with technology.

Click here to register.
(http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032336305&EventCategory=4&culture=en-US&CountryCode=US)

The official MSN Video/Soapbox Vista Sidebar Gadget is now available for downloading and installing:

http://gallery.live.com/liveItemDetail.aspx?li=b4ea67a2-5cb6-4a15-8ae1-048cccaf8ffc&bt=1

Some of the Highlights of the MSN Video Vista Sidebar Gadget:

• Display Localized MSN Videos with links to MSN Video Destination Site
• Display Soapbox Videos and play natively Inline
• Localized for over 30 countries and languages
• Top-Level market Navigation
• Numerous Sort-by options
• Display Search terms
• Display Related Videos
• Customize number of thumbs and pages to show
• Auto-scroll Pages at defined intervals
• And much more……

The MSN Video Gadget allows you to dynamically track the viral and social trends of videos, using custom sorts of Categories and Search Terms:

• Most Viewed – This hour, Today, This Week, This Month, all Time

• Highest Rated

• Most Reviewed and Commented

• Most Bookmarked and Favorited

• Most Emailed

Have you ever wondered how much progress the Indexing Engine in Windows Vista has made across the space defined for searching?

 Indexer Status Gadget for Window Vista

This gadget displays status information for the Windows Search indexer.  It also allows you to pause and resume the indexer as well as quickly access the Indexing Options control panel. 

If you have installed the Windows Search 4 update for Vista (currently a "preview" release) you can also enable "Index Now" functionality.

LINK:   http://brandontools.com/files/folders/sidebar_gadgets/entry511.aspx