June, 2009 - System Center Configuration Manager Team Blog - Site Home - TechNet Blogs

System Center Configuration Manager Team Blog

The official blog of the Microsoft System Center Configuration Manager Product Group

June, 2009


    Announcement: Some Configuration Manager SP1 hotfixes have been re-released for Windows Server 2008 SP2 and Windows Vista SP2


    [Today's post is provided by Yvette O'Meally]

    The Configuration Manager Sustained Engineering team has re-released a number of Configuration Manager 2007 SP1 hotfixes because the hotfix installer did not correctly detect Windows Server 2008 SP2 and Windows Vista SP2.  As a result, the original packages fail to install on those operating systems even though the hotfixes are applicable to them.

    Symptoms

    If you try to install the original version of one of these Configuration Manager hotfixes on a system running Windows Server 2008 SP2 or Windows Vista SP2, you will see a popup with an error such as "This KB###### is for a different hardware platform.", where ###### is the KB number of the hotfix you are installing.  The hotfix will not install.

    Entries similar to the following are written to the KB######.log file (the example below is from KB957255).  Note that the masked return code 0x643 is 1603 decimal, the generic MSI ERROR_INSTALL_FAILURE, and does not identify the cause on its own; the CheckSystem STATUS_PLATFORM_MISMATCH line and the Update.exe extended error code 0xf00e are what identify this particular problem:

    0.171: CheckSystem: GetMachineType failed :STATUS_PLATFORM_MISMATCH
    0.171: DoInstallation: CheckSystem Failed: 0xf00e
    0.187: This KB957255 is for a different hardware platform.
    1.575: Message displayed to the user: This KB957255 is for a different hardware platform.
    1.575: User Input: OK
    1.575: Update.exe extended error code = 0xf00e
    1.575: Update.exe return code was masked to 0x643 for MSI custom action compliance.
    

    Resolution

    If you downloaded a Configuration Manager 2007 SP1 hotfix before June 16th 2009 and need to install it on Windows Server 2008 SP2 or Windows Vista SP2, you will need to obtain the repackaged version of the hotfix.  The affected hotfixes are listed in the table below.

    Please note that the product binaries inside the hotfix package are not affected; the only change is to the hotfix installer.  The repackaged hotfix installs the same files as the original.

     

    KB       Version Number   Date/Time
    ------   --------------   -------------------
    954214   4.0.6221.1101    12/01/2008 1:00am
    954474   4.0.6221.1102    12/01/2008 1:05am
    954716   4.0.6221.1103    12/01/2008 2:10am
    955114   4.0.6221.1105    12/01/2008 2:20am
    955355   4.0.6221.1107    12/01/2008 2:30am
    955388   4.0.6221.1108    12/01/2008 2:35am
    955842   4.0.6221.1109    12/01/2008 2:40am
    955955   4.0.6221.1110    12/01/2008 2:45am
    955126   4.0.6221.1111    12/01/2008 2:50am
    956465   4.0.6221.1112    12/01/2008 2:55am
    956337   4.0.6221.1113    12/01/2008 3:00am
    956194   4.0.6221.1114    12/01/2008 3:05am
    954718   4.0.6221.1115    12/01/2008 3:10am
    955262   4.0.6221.1117    12/01/2008 3:20am
    956918   4.0.6221.1118    12/01/2008 3:25am
    956944   4.0.6221.1119    12/01/2008 3:30am
    956733   4.0.6221.1120    12/01/2008 3:35am
    956941   4.0.6221.1121    12/01/2008 3:40am
    957183   4.0.6221.1122    12/01/2008 3:45am
    957325   4.0.6221.1123    12/01/2008 3:50am
    957255   4.0.6221.1124    12/01/2008 3:55am
    957879   4.0.6221.1125    12/01/2008 4:00am
    957469   4.0.6221.1126    12/01/2008 4:05am
    957576   4.0.6221.1127    12/01/2008 4:10am
    955115   4.0.6221.1128    12/01/2008 4:15am
    958808   4.0.6221.1129    12/01/2008 4:20am
    959040   4.0.6221.1130    12/01/2008 4:25am
    959038   4.0.6221.1131    12/01/2008 4:30am
    958021   4.0.6221.1132    12/01/2008 4:35am
    959257   4.0.6221.1133    12/01/2008 4:40am
    959700   4.0.6221.1134    12/01/2008 4:45am
    959812   4.0.6221.1135    12/01/2008 4:50am
    959875   4.0.6221.1136    12/01/2008 4:55am
    960448   4.0.6221.1137    12/01/2008 5:00am
    960741   4.0.6221.1138    12/01/2008 5:05am
    960634   4.0.6221.1139    12/01/2008 5:10am
    960846   4.0.6221.1140    12/01/2008 5:15am
    960804   4.0.6221.1141    12/01/2008 5:20am
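    To triage a failed install from its log rather than from the popup, here is an added example (not code from the original post or from any Microsoft tool).  It parses Update.exe-style KB######.log lines like those quoted above, extracts the KB number, recognises the STATUS_PLATFORM_MISMATCH / 0xf00e signature of this installer problem, and checks the KB against the re-released list in the table.  The sample log text is constructed from the entries quoted in this post; the classification rule and the helper names are my own.

```python
"""
Triage helper for Update.exe-style KB######.log files (added example, not part
of the original post or of any Microsoft tool). It extracts the KB number,
decides whether a failed install shows the platform-detection signature from
the post (CheckSystem -> STATUS_PLATFORM_MISMATCH, extended error 0xf00e), and
checks the KB against the list of re-released hotfixes from the table. The
masked return code 0x643 (1603 = ERROR_INSTALL_FAILURE) is reported but is
not used for classification because it is the generic MSI failure code.
"""
import re

# KB numbers from the table of re-released hotfixes in the post.
REPACKAGED_KBS = {
    954214, 954474, 954716, 955114, 955355, 955388, 955842, 955955, 955126,
    956465, 956337, 956194, 954718, 955262, 956918, 956944, 956733, 956941,
    957183, 957325, 957255, 957879, 957469, 957576, 955115, 958808, 959040,
    959038, 958021, 959257, 959700, 959812, 959875, 960448, 960741, 960634,
    960846, 960804,
}

# Sample log text constructed from the entries quoted in the post.
SAMPLE_LOG = """\
0.171: CheckSystem: GetMachineType failed :STATUS_PLATFORM_MISMATCH
0.171: DoInstallation: CheckSystem Failed: 0xf00e
0.187: This KB957255 is for a different hardware platform.
1.575: Message displayed to the user: This KB957255 is for a different hardware platform.
1.575: User Input: OK
1.575: Update.exe extended error code = 0xf00e
1.575: Update.exe return code was masked to 0x643 for MSI custom action compliance.
"""

# "<seconds>: <message>" is the Update.exe log line layout seen in the post.
LINE_RE = re.compile(r"^\s*(?P<t>\d+\.\d+):\s*(?P<msg>.*)$")
KB_RE = re.compile(r"\bKB(\d{6,7})\b")
EXT_ERR_RE = re.compile(r"extended error code\s*=\s*0x([0-9a-fA-F]+)")
MASKED_RE = re.compile(r"return code was masked to\s*0x([0-9a-fA-F]+)")

STATUS_PLATFORM_MISMATCH_EXT_ERR = 0xF00E


def parse_log(text):
    """Return (timestamp, message) tuples, skipping lines that are not log entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((float(m.group("t")), m.group("msg")))
    return entries


def triage(text):
    """Classify a KB######.log and return the findings as a dict."""
    kb = ext_err = masked = None
    platform_mismatch = False
    for _, msg in parse_log(text):
        if kb is None:
            m = KB_RE.search(msg)
            if m:
                kb = int(m.group(1))
        if "STATUS_PLATFORM_MISMATCH" in msg:
            platform_mismatch = True
        m = EXT_ERR_RE.search(msg)
        if m:
            ext_err = int(m.group(1), 16)
        m = MASKED_RE.search(msg)
        if m:
            masked = int(m.group(1), 16)
    # Signature of the installer problem: CheckSystem platform mismatch plus
    # extended error 0xf00e. The masked 0x643 alone is not diagnostic.
    matches_bug = platform_mismatch and ext_err == STATUS_PLATFORM_MISMATCH_EXT_ERR
    return {
        "kb": kb,
        "extended_error": ext_err,
        "masked_return_code": masked,
        "platform_mismatch": platform_mismatch,
        "matches_known_installer_bug": matches_bug,
        "repackaged_version_available": (kb in REPACKAGED_KBS) if kb else False,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it against a real KB######.log by reading the file into `triage()`.  A log that shows 0x643 but not the STATUS_PLATFORM_MISMATCH / 0xf00e pair is some other installation failure and is not fixed by the repackaged hotfix.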

    Thanks

    --Yvette O'Meally

    This posting is provided "AS IS" with no warranties and confers no rights.


    Announcement: Configuration Manager Documentation Library Update for June 2009


    [Today's Post is provided by the Configuration Manager Writing Team]

    The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web.  The following information lists the topics that are new or contain significant changes since the April 2009 update.  Topics updated in this round show "Updated: June 1, 2009" at the top of the topic.

    In particular, you might want to check out the revised supported configurations, which now include support statements for SQL Server 2008 SP1, Windows Vista, Windows Server 2008 Service Pack 2, and Windows Server 2003 Service Pack 2.  Be sure to check the details for the environments in which these are supported and whether any hotfixes are required.

    We also have some new topics for the Configuration Manager 2007 SP2 features and changes, but because SP2 is still in beta, they are not published to the Web with this round of publishing updates.  Instead, download the help file from the Connect site, and then search for the topic "What's New in Configuration Manager 2007 SP2". 

    We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com

     

    What's New in the Configuration Manager Documentation Library for June 2009

    The following information lists the topics that are new or contain significant changes since the April 2009 update:

    Overview of Internet-Based Client Management

    - Updated to include task sequences as one of the features that are not supported when clients are managed on the Internet.

    Out of Band Management Console Issues

    - This topic now includes a note at the top that references the Intel vPro Expert Center: Microsoft vPro Manageability Web site, which should be checked for issues that are specific to AMT (such as behavior differences between firmware versions, how to install and configure the Intel translator, and how to configure AMT).  This topic has also been updated to include the known issue of trying to run the out of band management console on Windows XP SP2 and Windows Server SP1. 

    How to Enable or Disable Certificate Revocation Checking (CRL) on Clients

    - Updated to clarify that client functions that run as a result of task sequence actions always check the CRL in a native mode site, even after following the procedures to disable CRL checking on clients.  This limitation will no longer apply in Configuration Manager 2007 SP2.

    Ports Used by Configuration Manager

    - Clarified that the configurable port TCP 9971 for the AMT management controller to the out of band service is used only for out of band provisioning, and is not used with in-band provisioning.  If you are using out of band provisioning, and the server running the out of band service point has the Windows firewall enabled, ensure that this port is allowed.

    How to Create a Fallback Status Point in Configuration Manager

    - Revised with clarifications such as the inclusion of security best practices for production networks; a reference to installing IIS on Windows Server 2008; which log files to check for successful installation; and how to install the fallback status point on a new server.

    Troubleshooting SQL Reporting Services Issues

    - Corrections made to the troubleshooting item "Cannot run reports from the Configuration Manager console".

    Delete Inactive Client Discovery Data Task Overview

    - Removed incorrect references to the SMS 2003 Client Health Tool and replaced these with references to Client Status Reporting in Configuration Manager 2007 R2.

    How to Remediate Non-Compliant Computers Using Software Distribution

    - Revised so that the query works with multiple versions of SQL Server.

    About the Network Access Account

    - With the help of community content feedback, we realized that this topic was missing a link with instructions how to configure this account.  This reference has now been added.

     

    -- The Configuration Manager Writing Team

    This posting is provided "AS IS" with no warranties and confers no rights.

     


    Announcement: Configuration Manager 2007 Service Pack 2 Public Beta


    [Today's post is provided by Michael Cureton]

    The System Center Configuration Manager team would like to announce the release of the public beta for Configuration Manager Service Pack 2.  This beta is now available for download for all customers. 

    Service Pack 2 for Configuration Manager 2007 delivers new platform support for Windows 7 client, Windows Vista SP2, Windows Server 2008 R2 and Windows Server 2008 SP2.  In addition, Service Pack 2 delivers continued innovation with Intel vPro technology, support for Branch Cache enabled environments, and continued development for 64 bit architectures. 

    You can access more information and download the beta by registering for the Configuration Manager 2007 Service Pack 2 Open Beta Program on Connect at https://connect.microsoft.com/InvitationUse.aspx?ProgramID=3005&InvitationID=%20CM72-HDRW-G3V6&SiteID=16. It can also be found in the Connection Directory sorting by "Connection Name" and is listed under System Center Configuration Manager 2007.

    What's New?

    New Operating System Support

    • Windows 7
    • Windows Vista SP2
    • Windows Server 2008 R2
    • Windows Server 2008 SP2

    New Features in Out of Band Management

    Configuration Manager 2007 Service Pack 2 improves on the Intel AMT integration provided in Service Pack 1.  SP2 adds full feature support for computers that have the Intel vPro chip set and AMT firmware versions 4 & 5.  In addition to providing feature parity with SP1 and AMT firmware versions 3.2.1, 4.0 and 5.0, the following new features are supported:

    • Wireless management with up to 8 wireless profiles (mobile ONLY)
    • End point access control: 802.1x support
    • Audit logging
    • Power policy extensions
    • Data storage

    Asset Intelligence Certificate Requirement Removal

    Configuration Manager Service Pack 1 introduced Asset Intelligence v1.5.  This version allowed customers to configure an online synchronization to ensure that their catalog was up to date with the latest Microsoft inventory for both hardware and applications.  This initial release required a certificate.  With Service Pack 2, the requirement to have the certificate has been removed, so any customer can configure their Asset Intelligence capabilities to connect online and update their catalog.  Software Assurance is not required for this functionality. 

    64-bit Architecture Development

    Service Pack 2 will also continue to deliver new support for x64 architectures, including the following:

    • x64 support for the Operations Manager 2007 client agent
    • Update to the management packs for 64-bit operating systems: SP2 will ship 64-bit performance counters (the management pack is a separate release)
    • Remote control support added for x64 Windows XP and x64 Windows Server 2003

    Improved Client Policy Evaluation

    • Faster policy processing
    • More efficient software distribution configured to run at user logon

    Branch Cache Support

    • Support for scenarios where Windows Server 2008 R2 and Windows 7 Client are present and Branch Cache is enabled

    We invite you to register for the Configuration Manager 2007 Service Pack 2 Open Beta Program on Connect at https://connect.microsoft.com/InvitationUse.aspx?ProgramID=3005&InvitationID=%20CM72-HDRW-G3V6&SiteID=16.

     

    --Michael Cureton

    This posting is provided "AS IS" with no warranties and confers no rights.

     


    Recommendations for PKI Key Lengths and Validity Periods with Configuration Manager


    [Today's post is provided by Carol Bailey]

    I sometimes get questions from customers about values to set for the key sizes and validity periods for the certificates required for native mode and out of band management in Configuration Manager.  This has been a tough one for me to answer, because in the main these values are external to Configuration Manager: they are PKI design questions, and different values have different advantages and disadvantages.  The larger the key size, the harder the certificate's private key is for an attacker to recover, but the more processing each use of the certificate requires.  The longer the validity period, the less certificate maintenance is required (and the less potential for service disruption at renewal time), but the longer the window in which a compromised or weakened key can be misused before it expires.

    Disclaimer:  The PKI-related information in this post is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.

    Until recently, the best advice I could offer customers without their own PKI consultants was to follow the example of the Microsoft default values on the certificate templates that most closely matched their own certificates.  Then check any certificate requirements in our documentation (for example, some certificates have a maximum supported key size), and take into account any overheads associated with renewal.

    However, at MMS in Vegas this year, Chris Adams and Ben Shy from Microsoft presented an excellent breakout session that shared their experience about how they implemented native mode and Internet-based client management in Microsoft.  This session was called "Demystifying Native Mode Security to Deliver Internet-based Client Management" and one slide I was particularly keen that they shared with customers was their strategy for deciding the key size and validity period.  Their numbers are based on RSA research and how long it would take an attacker to compromise a certificate.  So the higher the key size, the more secure the certificate is (but remember that this comes at the cost of extra processing). Their simple matrix that they presented at MMS looked like this:

    • Key length of 1024:  Validity period = not greater than 6-12 months
    • Key length of 2048:  Validity period = not greater than 2 years
    • Key length of 4096:  Validity period = not greater than 16 years

    When you are deciding which values to use, we've already noted that you need to take into account any other restrictions, such as the maximum key size supported by the application that uses the certificate.  (Note also that 1024-bit RSA keys are no longer considered adequate; current guidance treats 2048 bits as the minimum for new certificates.)  You also need to take into account what your CA hierarchy can support.  A CA cannot issue a certificate that expires after its own CA certificate does.  This one is easy to remember, but there is also a ticking time limit: because an issued certificate cannot outlive the CA certificate, the longest validity a CA can grant shrinks to its own remaining validity.  A Windows CA does not reject such a request; it truncates the issued certificate's lifetime to the CA certificate's expiry date, so you get a shorter certificate than you asked for and an earlier renewal than you planned.

    This means that ideally, you want to plan your validity periods very carefully when designing your PKI - taking into account factors such as the type of certificates that you want to use, the applications that will use them, your company's tolerance to security risks, and your renewal strategy.  However, in practice, you might have to fit your validity periods around your existing PKI design.  

    Some examples:

    • If you want to use a validity period of 10 years for your site server signing certificate, this will not be possible if your issuing CA has a certificate with a validity period of 5 years: the issued certificate will be truncated to expire no later than the CA certificate does.
    • If your issuing CA has a certificate with a validity period of 5 years but has been up and running for 2 years, it cannot grant a validity period of 4 years until its own certificate is renewed; a 4-year request will be truncated to the 3 years the CA has left.
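    The two examples above, worked through in code as an added example (not code from the original post or from the MMS session it cites).  It models an issuing CA and the certificates it issues with plain dates, applies the key-length matrix from the post, and shows how a Windows CA clips an issued certificate's lifetime to its own remaining validity rather than refusing the request.  The CA name, dates and certificate names are constructed for the example; the 365-day figure used for 1024-bit keys is the upper bound of the "6-12 months" row, and the 2048-bit minimum reflects current guidance rather than the 2009 matrix.

```python
"""
Worked example for the validity-period rules in the post: an added example,
not code from the original post or from the MMS session it cites. It models
an issuing CA and the certificates it issues with plain dates, applies the
key-length matrix from the post, and shows how a Windows CA truncates an
issued certificate's lifetime to its own remaining validity.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum validity per RSA key length, from the matrix in the post.
# For 1024 bits the post says "6-12 months"; the upper bound is used here.
MAX_VALIDITY_DAYS = {
    1024: 365,
    2048: 2 * 365,
    4096: 16 * 365,
}
MIN_KEY_BITS = 2048  # current guidance; 1024-bit RSA is no longer adequate


@dataclass
class Cert:
    name: str
    key_bits: int
    not_before: date
    not_after: date

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def remaining_days(ca: Cert, today: date) -> int:
    """Days left on the CA certificate: the longest validity it can still grant."""
    return max((ca.not_after - today).days, 0)


def issue(ca: Cert, name: str, key_bits: int, requested_days: int, today: date):
    """
    Issue a certificate from `ca` on `today`. As with a Windows CA, a request
    for more than the CA has left is not refused: NotAfter is truncated to the
    CA certificate's own NotAfter. Returns (cert, truncated).
    """
    if today > ca.not_after:
        raise ValueError(f"{ca.name} has expired; renew it before issuing")
    truncated = requested_days > remaining_days(ca, today)
    not_after = ca.not_after if truncated else today + timedelta(days=requested_days)
    return Cert(name, key_bits, today, not_after), truncated


def check_key_policy(cert: Cert) -> list:
    """Findings for `cert` against the key-length / validity matrix."""
    findings = []
    limit = MAX_VALIDITY_DAYS.get(cert.key_bits)
    if limit is None:
        findings.append(f"{cert.name}: no guidance for {cert.key_bits}-bit keys")
    elif cert.validity_days > limit:
        findings.append(f"{cert.name}: {cert.validity_days} days exceeds the "
                        f"{limit}-day limit for a {cert.key_bits}-bit key")
    if cert.key_bits < MIN_KEY_BITS:
        findings.append(f"{cert.name}: {cert.key_bits}-bit RSA is below the "
                        f"{MIN_KEY_BITS}-bit minimum")
    return findings


def demo() -> dict:
    """The two scenarios from the post, with constructed dates."""
    # Issuing CA with a 5-year certificate that has been running for 2 years.
    issuing_ca = Cert("Issuing CA", 4096, date(2007, 6, 1), date(2012, 6, 1))
    today = date(2009, 6, 1)
    # Scenario 1: a 10-year site server signing certificate from a 5-year CA.
    signing, signing_cut = issue(issuing_ca, "Site Server Signing", 4096, 10 * 365, today)
    # Scenario 2: a 4-year request when the CA has only 3 years left.
    client, client_cut = issue(issuing_ca, "Client Auth", 2048, 4 * 365, today)
    # Control: a 1-year request fits and is issued exactly as asked.
    short, short_cut = issue(issuing_ca, "Short-lived", 2048, 365, today)
    return {
        "ca_remaining_days": remaining_days(issuing_ca, today),
        "signing": signing, "signing_truncated": signing_cut,
        "client": client, "client_truncated": client_cut,
        "short": short, "short_truncated": short_cut,
    }


if __name__ == "__main__":
    r = demo()
    print(f"issuing CA has {r['ca_remaining_days']} days left")
    for key in ("signing", "client", "short"):
        c = r[key]
        print(f"{c.name}: {c.not_before} -> {c.not_after} "
              f"({c.validity_days} days, truncated={r[key + '_truncated']})")
        for finding in check_key_policy(c):
            print("  finding:", finding)
```

    The 4-year client certificate comes back with the CA's remaining 3 years and still fails the matrix check for a 2048-bit key, which is the point of planning the hierarchy's validity periods before choosing the leaf values.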

    More information:

    For MMS customers who couldn't attend the session in person, unfortunately a recording of the session is not available but you can view the slide deck.  Search the MMS catalog by code (SY23) or keyword "Internet-based".

    There are numerous articles that help to explain how validity periods are used and configured, but I found this one to be a very useful starting point: Renewing a certification authority.

    For any key size limitations applicable to the certificates used in native mode and out of band management:

     

    --Carol Bailey

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
