News Contact Company



September 17, 2012
Newsletter September 2012

Having trouble reading this email? View it in your browser.

TrueSec

News and Geek Stuff

September 2012

 

Lots of classes to present in this issue as well as some word of wisdom form our regular consultants. This month we have guest appearance by no other than master of group policy Jeremy Moscowitz. Jeremy is doing his Mastering Group Policy class in Stockholm November 13. Albeit the class is run in Sweden with our Swedish training facility LabCenter, this class is taught in English. Contact patrik.sandqvist@labcenter.se for info.

Kent Agerlund (ConfigMgr uber geek), has of course made sure that his epic class “Mastering System Center Configuration Manager 2012” is updated to cover SP1. If you are looking to implement ConfigMgr 2012, this is the world class training that not just gives you the basics, but goes deep, using the latest s/w available; SP1. Next session already in October in Dallas.

Next to ConfigMgr, the most sought after training today for System Center 2012 is for Operations Manager (SCOM). We offer our Mastering class with Kare Rude Andersen, experienced SCOM consultant, at two more occasions in 2012.

Geek Week System Center 2012 - Johan Arwidmark and Mikael Nystrom unleashed in five jam packed  days where you are in the admin seat of the System Center getting to deploy and roll Windows Server 2012, Windows 7 and Windows 8 (among other cool stuff). A session like no other training in the market.

Beside Jeremy contributing, both Johan and Kent as usual. but do not miss Hasain's important piece about the changes in Windows Server 12 and the Forefront product road map.

 

 

johan-arwidmark-soft-mugshot.png

Johan Arwidmark:

ConfigMgr 2012 SP1 is released - You better build that lab now

Jeremy Moscowitz:

Group Policy: ADMX files and why they cannot prevent user shenanigans

Kent Agerlund

Multi forest support in ConfigMgr 2012 Part ll ........

Hasain Alshakarti


The new Remote Access Server Role in Windows Server 2012 and Changes to Forefront Product Roadmaps

ConfigMgr 2012 SP1 is released - You better build that lab now

By Johan Arwidmark
Microsoft MVP – ConfigMgr

I bet that few of you missed the ConfigMgr 2012 SP1 beta announcement on September 10. Of course the beta is not for production, but there are so many goodies in this release so I encourage you to start playing with them in a lab. Among the updates in SP1 beta you find the following:

·        Support for Windows Server 2012 and Windows 8. Not only support for deploying Windows 8 and Windows Server 2012, but also to run site server roles on Windows Server 2012.

·        SQL Server 2012 Support. Supporting for running the primary site server (don’t use a CAS, ever, unless you have more than 100 000 clients), on SQL Server 2012 with CU2 or higher

·        Distribution point for Windows Azure. Yes, you read it right, you can have a DP in Azure

·        Administration via PowerShell. The single coolest feature ever to ConfigMgr. A bunch of cmdlets to ConfigMgr admin work via PowerShell. Just click the Application menu, and then select Connect via Windows PowerShell.

Listing the commands in the ConfigurationManager module.

·        Management of Mac OS X and Linux/UNIX. Deploying applications, configuring settings, antivirus, inventory and more.

·        Migration from CM 2012 SP1. You can easily migrate objects between primary sites, perfect for

·        Interop with Windows Intune. You can integrate with Windows Intune, managing both Intune and ConfigMgr clients

·        Configure folder redirection, offline files, and roaming profiles. Basically managing Windows RT devices, which are not domain joined, via ConfigMgr.

·        Multiple software update points per site.

·        Client notification from the CM Console. Being able to do instant work items from the console, scanning a client for virus, trigger a policy refresh etc. Think right-click tools  J

·        Email alerts. Not only for Endpoint Protection anymore, but for all alerts.

·        PXE Support Defaults. You don’t have to modify the boot images when enabling PXE on your DP.

·        WinPE Components. You can list the WinPE components in the boot image properties.

·        Task Sequence Deployment Types. When deploying a Task Sequence, you can set who can see the deployment, for example only make it visible from WinPE.

·        Deploy Windows To Go. Creating Windows To Go media from ConfigMgr 2012.

·        Windows 8 applications. Deploy standalone applications (.appx files) and links to the Windows Store.

Get the lab going!

To help you get your lab going I have created a hydration kit, a download for deploying a complete ConfigMgr 2012 SP1 Beta infrastructure running on Windows Server 2012 and SQL Server 2012 in either Hyper-V or VMware: One Domain Controller and one ConfigMgr 2012 SP1 Beta member server – Including pre-requisites like .Net Framework, SQL Server 2012 CU2 (or higher) and IIS - all fully automated.

Once configured, the total build time for the full ConfigMgr 2012 SP1 Beta lab environment is about 2 hours (on a decent laptop). 

Overview

To build the lab there are three steps you need to do

1.      Download the necessary software

2.      Prepare the Hydration Environment

3.      Deploy the virtual machines

Detailed instructions are found in this article:

The Hydration Kit for ConfigMgr 2012 SP1 Beta (with Windows Server 2012 / SQL Server 2012) is available for download

The CM01 task sequence, deploying ConfigMgr 2012 SP1 Beta on Windows Server 2012.

//Johan

 

Multi forest support in ConfigMgr 2012 Part ll - There can only be one Network access Account.......or.........

In part one I explained how you can get support for clients that are installed in an untrusted forest. In this post I’ll explain a slightly different scenario with two untrusted forest and local site systems installed in the untrusted forest. There is full support for installing user facing site system roles like a Management Point and a Distribution Point. The problem with installing a Distribution point in the untrusted forest is the Network Access Account. This account is being used when deploying operating systems and in some scenarios when clients are accessing the distribution point. Without a trust this process will fail due to the fact that the ConfigMgr agent will connect using the network access account created in the same forest as the primary site server.

Use Multiple Network Access Accounts

The solution is to create a local account on each Distribution Point with the same password. Instead of writing the name of the distribution point (which you cannot because you have multiple DP’s) I specify a variable which I will later create on the clients. Below is my account which is %SMSDPNetbios%\CM_NAA.

How to implement multiple network access accounts

The trick is to figure out what DP will be used by the client and to create the %SMSDPNetbios% and match that with the local Distribution Point. To solve that challange I use use this script (huge thanks to Claus Codam for assisting with the script) which will find the local DP and automatically create the variable on the client. That way the ConfigMgr client will use the local account on the DP server when accessing the distribution point.

How to implement the solution

You must run the script twice in order to get OSD running, first time while being in WIN PE and the second time when you boot into the “correct” operating system. To run the script in WIN PE add it to your boot image and create a prestart command like this cscript.exe GetDPNetbios.vbs 1 The script will read the smsts.log file and get the DP from the log file and create the environment variable. Once you have restarted in Windows create a run command step cscript.exe GetDPNetbios.vbs 2 This will once again create the environment variable but this time in the Windows operating system.

//Kent

 

 

 

 

 

 

 

 

 
Group Policy: ADMX files – What Microsoft never told you (and what you need to know)

Everyone. This is Jeremy Moskowitz, Group Policy MVP and founder of GPanswers.com and PolicyPak Software.

 

A lot of times people ask me: “Jeremy, when I use ADMX files, I find that it seems to work for a while, then just ‘stop’ working. Have you seen this?”

 

Or, another way people ask me is: “I want to ensure my users settings are locked down, so I created an ADMX file. But it doesn’t work the way I expect.”

 

So, if you want to see what the problem with ADMX files is (and one way to make you settings truly enforced) I’ve got a video (http://youtu.be/UK23JWVJm-c) demonstrating the problem (and a solution).

 

In short: ADMX files can’t prevent user shenanigans (but there is a free / commercial tool) which I show in the video which can make it a reality.

 

If you decide to come to my Group Policy class in Stockholm, taught by me, and hosted by my LabCenter.se friends, we’ll cover a huge amount of material in three days.

 

You’ll learn exactly why Microsoft created ADMX files over ADM files (it’s not as simple as you might think!) You’ll learn how to manage user and desktop, laptop and tablet settings with all the functions in the box, including Group Policy Preferences, Security settings,  Advanced Group Policy Management just tons more.

 

I don’t get a chance to come to Sweden that often. But I’ll be there very soon, and I know the seats are selling out with only a few left.

 

Windows 8 and Windows Server 2012 are right around the bend. I’ll be sure to talk about and show you exactly what you need to know, what’s changed, and where to be careful with Microsoft’s newest gifts. Of course, I’ll make sure you  fully understand our old friends Windows 7, Windows XP. Windows Server 2003 and Windows Server 2008 & R2 too.

 

PS: I wrote some new whitepapers which I think you’ll like too. I don’t want to give it all away here, but there’s some “deep, dark secrets” in there which most administrators don’t want to admit (even to themselves). So, even if you cannot make it my class in Stockholm, those free whitepapers are for you as my gifts. They can be found here (http:///www.policypak.com/itwhitepapers).  Download one or all three.

 

PPS: I can’t wait to meet you in Stockholm in November. It’ll be nice and cold there. But I promise you, the Group Policy training will be VERY HOT ! See you there.

 

PPPS: Remember, I'll be the one teaching the class, so the class will be in English. I promise you'll have a great time and learn a lot, or I'll eat a whole Reindeer.

 

// Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software

 // Jeremy


The new Remote Access Server Role in Windows Server 2012 and Changes to Forefront Product Roadmaps

The Windows Server 2012 Remote Access Server Role is designated to deliver a combination of DirectAccess and RRAS integrated management where you can deliver and manage DirectAccess and other VPN based remote access services from the same interface.
The new role both simplifies DirectAccess management for small and medium organizations and adds Built-in NAT64 and DNS64 support for accessing IPv4-only resources, support for DirectAccess server behind a NAT device, Load balancing, multiple domains support, OTP (one-time password) authentication using OAuth, IP-HTTPS interoperability and performance improvements, manage-out deployment support as well as reporting and monitoring.

 

The new Windows Server 2012 Remote Access replaces all current DirectAccess deployments using Windows server 2008 R2 and Unified Access Gateway UAG. For remote access, DirectAccess and Routing and Remote Access Server (RRAS) VPN in Windows Server 2012 provide secure remote access for Windows and cross-platform clients, as well as cross-premise access through site to site VPN.

Forefront Unified Access Gateway (UAG) 2010 continues to provide secure application publishing and cross-platform SSL VPN remote access for a range of mobile devices. This change is part of the announced changes to the roadmaps of some of the security solutions made available under the Forefront brand. Microsoft is discontinuing any further releases of the following Forefront-branded solutions:

- Forefront Protection 2010 for Exchange Server (FPE)

- Forefront Protection 2010 for SharePoint (FPSP)

- Forefront Security for Office Communications Server (FSOCS)

- Forefront Threat Management Gateway 2010 (TMG)

- Forefront Threat Management Gateway Web Protection Services (TMG WPS)

 

For a more detailed overview of the Remote Access technology in Windows Server 2012, its new and changed functionality, deployment and migration scenario, and links to additional resources, continue reading on the TechNet library http://technet.microsoft.com/en-us/library/hh831416.aspx.

 

//Hasain Alshakarti

Blog: http://secadmins.com

Twitter: http://twitter.com/Alshakarti

 

Where to find us......

 

Mastering System Center Config Mgr 2012 with Kent Agerlund Dallas  October 8-11
Mastering Windows deployment using MDT 2012 and ConfigMgr 2012 with Johan Arwidmark Calgary, Alberta     October 9-12

Mastering System Center Operations Manager 2012 with Kare Rude Andersen

Bellevue, WA

October 29

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom

London (UK)
Berlin

October 22-26
November 12-16

Mastering Group Policy with Jeremy Moscowitz Stockholm, Sweden November 13-15

MVP Combo-The ultimate MDT2012 and ConfigMgr2012 training
with Johan Arwidmark and Kent Agerlund

Orlando, Fl

December 6-10

 

Full schedule at http://www.truesec.com

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This message was intended for '%%emailaddress%%'
Unsubscribe | To contact us please email info@truesec.com

TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052


 




TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement