Category: Windows 7

Patch machines during deployment with MDT 2010

In MDT 2010 you can enable two settings that automatically patch your machines during deployment, using a WSUS server of your choice.

Take a look at your existing task sequence(s) and look for “Windows Update (Pre-Application Installation)” and “Windows Update (Post-Application Installation)” and choose to enable them both or just the latter.

In your customsettings.ini somewhere beneath the [Default] section add the row:

WSUSServer=http://WSUSServerName

Cloud management of clients using brand new Windows Intune

It seems System Center Online Desktop Manager has been re-branded as Windows Intune, and it was just presented at MMS in Las Vegas. What Windows Intune does is provide the means to manage and monitor Windows 7 clients in the cloud. This is recommended for 25-500 PCs.

What it does for you:

  • Patch management – keeps your machines updated and reports back to you.
  • Unwanted code – keeps your machines clear of all unwanted code, or malware to be specific.
  • Inventory – provides you with software and hardware inventory.
  • Security policies – centrally manage policies for firewall and malware protection settings.
  • Remote Assistance – connect to your client machines regardless of where they are with remote assistance.
  • Threats and alerts – receive information from the clients to proactively monitor health and status.

More at: http://www.windowsintune.com/

Detailed performance testing with winsat

The score you see for your Windows Vista and Windows 7 machines (the one shown in System properties and in Performance Information and Tools) really comes from the command line tool “winsat”. To get very detailed performance specs for your machine and for specific hardware parts such as the hard drive, graphics card and memory, you can run the command winsat with a number of switches.

For instance, “winsat disk” runs performance tests on my disks and presents the results in detail, with read/write speeds etc., along with the score for each individual test. Give it a try!

Standard users installing applications? Say welcome to the new reality

If you think that you have come a long way by making sure all users are running as standard users, you must stop and rethink. Having all users as standard users is very good from many perspectives, but with coming challenges your efforts must not stop there. A growing problem is the fact that more and more applications install in the user space, i.e. in the \users\username\appdata directory instead of the traditional “Program files”.

Windows 7 also contains Windows Installer 5.0, which sports a new feature that makes it easy for software vendors to build Windows Installer packages (MSI files) that install software in the user space instead of Program Files, thereby not requiring the user to be an administrator or even triggering a UAC prompt for the credentials of an administrative account.

The standard users of course think this is great, since they can after all install and run, for instance, Google Chrome without needing to ask that restrictive IT department. From the IT department's view, the fact that standard users can install and run applications is a concern.

The answer to take care of this problem is simply the new Windows feature AppLocker. To be honest it is somewhat like Software Restriction Policies (SRP) but whatever bad things you have heard about SRP you can forget about them. AppLocker contains new features that make the implementation and ongoing management very easy compared to Software Restriction Policies. More about AppLocker in the AppLocker walkthrough.
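
To see how exposed a machine is to the per-user installs described above, the following added example (not code from the original post) lists executables under each profile's AppData directory and asks the effective AppLocker policy what it would decide for them. It assumes profiles live under C:\Users, an elevated PowerShell prompt, and the AppLocker module that ships with Windows 7; the output file name is a placeholder.

```powershell
# Added example: audit user-space executables against the effective AppLocker policy.
# Assumptions: profiles are under C:\Users; run elevated so other users' profiles are readable.
Import-Module AppLocker

$profileRoot = 'C:\Users'                      # assumed profile location
$policy      = Get-AppLockerPolicy -Effective  # local and Group Policy rules, merged

$decisions = foreach ($userDir in Get-ChildItem -Path $profileRoot) {
    if (-not $userDir.PSIsContainer) { continue }

    $appData = Join-Path $userDir.FullName 'AppData'
    if (-not (Test-Path $appData)) { continue }

    # AppData is hidden, so -Force is needed; junctions inside it raise
    # access-denied errors, which are skipped here.
    $exes = @(Get-ChildItem -Path $appData -Recurse -Include *.exe -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              ForEach-Object { $_.FullName })
    if ($exes.Count -eq 0) { continue }

    # Evaluate every file as the Everyone group would see it.
    Test-AppLockerPolicy -PolicyObject $policy -Path $exes -User Everyone
}

# How many user-space executables fall into each policy decision.
$decisions | Group-Object PolicyDecision | Select-Object Name, Count

# The files that the current rules would let a standard user run, and the rule that allows them.
$decisions |
    Where-Object { $_.PolicyDecision -eq 'Allowed' } |
    Select-Object FilePath, MatchingRule |
    Export-Csv -Path '.\userspace-allowed.csv' -NoTypeInformation   # placeholder output path
```

Any path in the CSV that is matched by a broad allow rule is a candidate for a tighter publisher or path rule before AppLocker is switched from audit to enforcement.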

Custom commands when deploying Windows 7

I got a question the other day on a problem where a person is installing a set of applications during deployment of Windows 7, using MDT 2010. The problem is that one application requires to be run in Vista compatibility mode before it can even be installed, most likely due to a check in the installer for which Windows version is being used, a rather common compatibility issue.

One solution to this is to use Compatibility Administrator, which is a part of ACT, to create a so-called “shim” which makes the installation go through, fooling the application into thinking that the OS is Windows Vista even though it is Windows 7. But how do we get the shim applied during our deployment, which we want to be automatic?

It is rather simple, just add a “run custom command” in the task sequence before the application is installed, which applies the compatibility shim to the machine, making the installation run through. Also note that you can run custom commands in the “applications” section in MDT2010, just add the command line to the path field and off you go!

TechDays Sweden day one

I realize I have been very quiet on blogging for a few weeks, mainly due to a visit to Microsoft in Redmond and the MVP Summit, which was followed by a three-week vacation with my family. Now I am at TechDays in Örebro, Sweden. Just got out from my session about AppLocker in Windows 7, which I think went quite smoothly. The interest for TechDays is enormous and it has been a long day so far and it is not over yet. I will attend a session on Windows 7 later today and will definitely not miss the party tonight. Still some jetlag though due to the vacation but I will struggle to get at least a couple of beers…

I also have a lot of catching up to do with my Inbox and other cool stuff that has been announced while I was on vacation. Among many other things, Microsoft has released some very interesting information on virtualization; read Mikael Nyström's blog post to get the summary.

The unheard of license tool called VAMT

There is this license tool that comes with Windows Automated Installation Kit and is installed by default. This unheard-of tool is called Volume Activation Management Tool (VAMT). With this tool you can scan, for instance, all computer objects in Active Directory to see the license status of all client machines as well as servers.

You will see what type of key (KMS/MAK) the machine is using, transition licenses from MAK to KMS, see if the license is activated on each machine and you will also be able to identify which machine is the Key Management Server.

The current version of this tool is version 1.2 but 2.0 is coming. Version 2.0 is needed to activate the soon-to-be-released Office 2010, but it also sports new features such as a command line interface for automating scans without using the user interface.

Brand new virtualization options for Windows 7

This week Microsoft has made two really interesting announcements, the first being the release of App-V 4.6 and the second one being MED-V 1.0 SP1 (Release Candidate). Take a look at this MS post for what is new in App-V 4.6 and what is new in MED-V 1.0 SP1. Also do not miss this post on how to sequence Office 2010 for use with App-V 4.6.

Guide on how to replace WinRE with DaRT

WinRE (Windows Recovery Environment) is included by default in Windows 7, and this allows you to boot to WinRE to access recovery tools such as Complete PC image restore and system restore, or to access a command prompt to run other useful commands. You can access WinRE by booting a Windows 7 machine, pressing F8 and choosing “Repair your computer”.

WinRE being included in Windows 7 is great, but what is even greater is replacing WinRE with DaRT (Diagnostics and Recovery Tools), included in Microsoft Desktop Optimization Pack (MDOP), which is available to Software Assurance customers. By doing this you get additional useful tools such as the ability to reset the passwords of local accounts, hotfix uninstall, crash analysis, access to computer management and the use of Windows Explorer. Now this is great! :)

The guide on how to replace WinRE with DaRT can be found at bink.nu.

Windows 7 domain join problems surface old NT4 problem

Issues have surfaced when joining a Windows 7 machine to a domain where the domain controller handling the domain join request has old NT4 remnants on it. The problem is related to an old overload workaround used when upgrading an NT4 domain to Windows Server 2000 or 2003 domain controllers. The KB article which provides the solution is now published; see KB2008652 for more information on the resolution. Note that the problem also applies to joining Windows Server 2008 R2 servers to the domain.