Let's say you are a smaller department within a University and you want to manage your own machines, for any reason. Wouldn't it be nice if you had one console to look at that told you the status of your servers, even if there are only a handful of them? What about your desktops, are they patched? Do you know?
That is one of the scenarios System Center Essentials (SCE) was designed for. You can learn more from the FAQ on the SCE Wiki.
Link to System Center Essentials Wiki - Frequently Asked Questions
Kevin posted a great write-up on SoftGrid and I just now have had a chance to read it. Nice work Kevin.
Kevin and I are thinking about including application virtualization in the Vista lab at Educause this year. Why? Because when it comes to dealing with compatibility, especially in computer labs, our customers could really benefit from a technology like virtualization.
Imagine you have a course that requires an application which only runs on XP and the vendor has no plans to release an update this semester. Do you re-image for each class? Hold the entire lab back just because of one application? What if you could completely virtualize the offending app and run it within an XP environment, utilizing the local resources (memory, processor, etc.) from each workstation? I'm not talking about running XP as a virtual machine; with SoftGrid you virtualize just the application and stream it to the desktop until it has been cached.
This technology just blows me away...
Link to Kevinsul's Management Blog : Playing with SoftGrid...
So, I know what I'll be doing this afternoon... :-) I put off testing this in beta as I tried out different setups of WDS and NAP. I suppose it's time to bring my SMS VHD back online!
Link to SMS 2003 Operating System Deployment Feature Pack Update
In education when we talk about NAP the question always comes up - well, couldn't someone leverage this or that to circumvent NAP and still get on the network? Ultimately that's the wrong approach in my opinion as users should see NAP as a tool employed to help users get/stay secure, not prevent them from accessing the network.
Once you've quarantined a machine you really need the infrastructure to work quickly and seamlessly: prevent it from accessing resources other than what it needs for remediation, correct the issue, and get the machine back on the production network as soon as possible. Within the server and workstation environment we can drop the workstation to a quarantine DHCP scope and apply IPsec rules that prevent it from accessing anything other than what it needs.
I just noticed on the NAP blog that we have officially taken the next step with a Cisco partnership to extend the technology to the network. This will allow for better control over quarantined machines and, depending on how stringent the policy settings are, should also allow for tighter enforcement.
Link to Network Access Protection (NAP) : Cisco and Microsoft Unveil Joint Architecture for NAC-NAP Interoperability
I listened to a Port 25 webcast yesterday and they mentioned the ODF Converter project on Sourceforge. The project is Microsoft sponsored and community driven. I pulled down the converter but since I'm going to rebuild my WDS environment for RC1 and haven't had lab time today, I haven't had a chance to test it yet.
http://odf-converter.sourceforge.net/
This proves an interesting point: once documents are based on XML they can be transformed into other formats programmatically. So whether you want the content delivered in ODF or in a custom wiki format, it's mostly just a matter of writing the transform. As issues are found or improvements are needed, the community can manage changes as needed.
I just spotted another reference on OpenXMLDeveloper. If you are interested in building out your own converters for custom tools this would be an excellent place to start reading.
This is important to desktop deployment because as we standardize desktop images, it's good to have a plan that includes backwards compatibility (docx was designed for compatibility with previous doc versions) and support for other formats, especially in education where so many different formats are used simultaneously.
I just read a great post on MSDN blogs regarding vhdmount, a tool in Virtual Server 2005 R2 SP1 Beta 2 (that's a seriously long name) that allows you to mount VHD files to the host operating system, and with the registry changes in this write-up you can associate the executable with the file type so when you double-click on a .vhd file it will automount. Sweet!
Link to Virtual PC Guy's WebLog : Double clicking on a VHD to mount it
So why does this matter to Windows client? Because in Vista, Windows Backup creates .vhd files when a full backup is performed. That's right, you can snapshot your machine, online, and it will create a VHD for you. You can test it yourself through the GUI or using the command line tool wbadmin. This is not a P2V tool. You cannot boot to the VHD, however I've been told you can mount the .vhd file on a virtual machine as a data volume if you need to extract just certain files. Well, this is just too cool not to try, so I gave it a shot this morning.
First, I ran a backup. I ran this completely online, while doing research and listening to streaming music. In Vista, Windows Backup leverages the Volume Shadow Copy Service (VSS), so you don't need to use offline tools to back up your OS volume. I captured 11 GB in around 15 minutes, give or take, to my external HDD. I plan to post again later about wbadmin; it's a great tool.
Next, I downloaded and installed Virtual Server 2005 R2 SP1 Beta 2 from Connect. I found the vhdmount tool in c:\program files\Microsoft Virtual Server\Vhdmount. I executed vhdmount with a /p and pointed to the VHD file on my external. Success! The .vhd file mounted up like a charm and I have full read/write access!
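The backup-then-mount sequence above, written out as an added example (this is not code from the original post or from the Virtual Server team). The drive letters, the folder that Windows Backup writes into, and the install path of vhdmount are assumptions for this illustration; it also uses vhdmount's undo-disk switches so that browsing the backup can never alter the backup image itself.

```powershell
# Added example, not from the original post. Assumptions: E: is the external
# drive, Windows Backup writes under E:\WindowsImageBackup, and Virtual Server
# 2005 R2 SP1 is installed in its default location. Run from an elevated prompt.

# 1. Full backup of the OS volume. This is VSS-based, so it runs online.
wbadmin start backup -backupTarget:E: -include:C: -quiet

# 2. Locate the most recent VHD that the backup produced.
$vhd = Get-ChildItem -Path 'E:\WindowsImageBackup' -Recurse -Filter *.vhd |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1

$vhdmount = 'C:\Program Files\Microsoft Virtual Server\Vhdmount\vhdmount.exe'

# 3. Plug the VHD in as a disk. Without /f, vhdmount puts all writes into an
#    undo disk, so the backup image on E: is never modified while mounted.
& $vhdmount /p $vhd.FullName

# ... copy the files you need from the drive letter Windows assigns ...

# 4. Unplug and discard the undo disk (/d) so the backup stays pristine.
#    Use /u /c instead if you really do want to commit changes into the VHD.
& $vhdmount /u /d $vhd.FullName
```

The point of the undo disk is that "full read/write access" to a mounted backup is only safe if those writes are thrown away afterwards; a backup you have scribbled on is no longer a backup. Mounting with /p /f (no undo disk) commits writes directly and should be reserved for VHDs you intend to modify.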
Last summer Kevin Sullivan and I had a conversation about blogging. We had been to a series of meetings with customers and each of them had been nearly the same: a discussion on delegation of security in SMS 2003. It occurred to us that we had no good way to publish what we knew about delegation and how it worked best in higher education, at least not in such a way that told people we were from Microsoft, so we had some idea what we were doing, but in no way represented official Microsoft support.
Blogs were becoming very popular, Scoble and Channel9 were very active, and the TechNet community appeared to be perfect for our intent. We decided to start with a blog (Kevin's) focused on management technology, based on the idea that any time we heard a recurring customer question, or a question that we felt many people were working on, we would publish the answer and send a link in our response. This way our effort to assist people with architecture and design issues would hopefully reach a broader audience, and in the future if someone caught us in passing we could always just say "sure, just go out to this URL and search for this keyword, I did a write-up a while back on exactly what you're looking for".
I really liked the results of this effort so I decided last winter to create my own blog instead of just posting to Kevin's. I had put off starting my own because 1. I felt it would be just another source of information in a landscape that is already incredibly widespread and 2. I'm not the type of person that feels I have a lot to say that others would want to hear. Still, I could sense that blogging was a good thing and was worth a solid attempt.
So I started with the same theme as Kevin and told myself I would write 50 posts. If after 50 posts I found the exercise to be a waste of time then I would shut it down... Then last spring I reached post 35. I don't recall the topic, I just remember it was in a series of frequent posts and I noticed 35 go by on the ticker. I had just written on a couple of topics I found to be really interesting and it occurred to me that blogging had become part of my workload and, further, I really enjoyed it. I don't know if 35 posts is a magic number but it was for me; that's when I decided to keep this going.
The theme of my blog has changed focus a little, I try to keep on the Windows client track but I also feel someone needs to let customers know Microsoft cares about other topics in education as well and I don't mind being that voice from time to time. Yesterday I finished a write-up on BitLocker and it was my 50th post. I titled this article 50 first posts because in the first 50 many times I felt like I was approaching blogging for the first time with every post, just getting a feel for my approach. I hope in the first 50 I learned enough to make the next 50 count for something!
As the second installment of my education FAQs for Windows Vista technologies, I have gathered a series of popular questions regarding BitLocker drive encryption. Tony Ureche, Program Manager, has been kind enough to allow me a blog interview based on questions I have received during customer discussions and feedback from the Windows-HIED listserv.
If you are not familiar with BitLocker, information can be found on the TechNet website and I would also recommend taking a look at the TPM specifications.
<Michael> Thanks very much for assisting with this write-up, can you give us a brief overview of your role at Microsoft?
<Tony> I am a Program Manager in Windows Security, which is part of the Core Operating System Division. I am working on BitLocker, focusing on things like key management and FIPS certification.
<Michael> The most common question I hear is how to deploy BitLocker across an enterprise environment, especially when a workstation deployment solution is already in place such as unattended installs for faculty and staff machines. What should customers be thinking about to take advantage of BitLocker in a deployment scenario?
<Tony> Enterprises that have deployment mechanisms in place will only need small deltas to their configurations. WDS deployment is fully supported. Image-based deployments using unattended setup are also supported: When creating the reference image, the IT admin needs to ensure that the correct drive configuration has been applied and that the appropriate images for each volume will be pushed down. Once the images have reached the target machines, a small mod in the unattend.xml script is sufficient to ensure the correct install of the images in a way that allows proper BitLocker setup:
<Michael> What would happen if you tried to capture a BitLocker encrypted partition using an imaging tool?
<Tony> The image of a BitLocker-protected partition is encrypted. So capturing that would look like a pile of random bits or like a huge encrypted file.
<Michael> What does BitLocker mean for hard drive recovery in the event of a hardware failure?
<Tony> In the event of a hardware failure, the user may need to move the disk to another computer. In that case, the disk will need to go through a recovery process: using a recovery key or a recovery password, created when BitLocker was set up on that drive, the user will be able to unlock the volume and recover the data. The difference between a recovery key and a recovery password is that the former is a machine-readable key that can be stored on a USB thumb drive, while the latter is a human-readable set of digits that can be printed, stored as a txt file or stored in AD (and read back to the user by HelpDesk).
As for actual drive failure, the BitLocker team is looking into offering an efficient solution; note that in order to recover any data from the BitLocker-protected drive, the user is required to have knowledge of the recovery key.
<Michael> How does BitLocker work with EFS?
<Tony> BitLocker and EFS are complementary security solutions. Besides protecting the boot process, BitLocker encrypts the entire OS volume, with no additional granularity in regards to files or users. EFS on the other hand, offers per file/directory and per user granularity. Together, BitLocker and EFS offer a comprehensive solution for securing data on a laptop, desktop or server.
<Michael> BitLocker requires a separate 1.5 GB system partition for storing boot information unencrypted. Can you create the boot partition on an existing machine?
<Tony> The BitLocker team is working on offering solutions to address end-user scenarios that require an updated volume configuration where such configuration is not present.
<Michael> How much do you expect encrypting a drive to affect performance?
<Tony> Currently, on most common configurations, we expect performance costs not to exceed 5-9%.
<Michael> Finally, the second most popular question I've heard is what should Universities be thinking about in regards to drive recovery in unmanaged environments? Professor and student machines are often not in a domain and it is possible they will encrypt a drive and lose their PIN or startup key, then ask the University for help.
<Tony> When recovery data cannot be stored in AD, users are strongly encouraged to save their recovery key and recovery password on one or more USB thumb drives and store them securely. Additionally, users should also print the recovery password and store it, perhaps in their wallet. Microsoft Ultimate Extras also offers a 'digital locker' that is being integrated with BitLocker such that a user may store his password online using this secure web service.
Thanks very much Tony, for your time. BitLocker will be an important tool for educators and it is really nice to have these concerns addressed. Drive encryption is critical in today’s IT environments especially for mobile users that have a risk of losing critical data after a laptop loss or theft. The schools and universities that embrace and plan for technical advancements such as this will have an edge on their competitors and will be prepared for students, faculty, and staff who choose to be early adopters of new tools and technologies in Windows Vista.
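The two recovery questions in the interview (escrow to AD for domain machines, USB plus printed password for unmanaged ones) in script form, as an added example that is not part of the interview and not the BitLocker team's code. It uses the BitLocker PowerShell module, which arrived with Windows 8 / Server 2012; Vista's equivalent was the manage-bde.wsf script, so the cmdlet names here do not apply to the Vista release discussed above. The volume, the USB path and the managed/unmanaged test are assumptions.

```powershell
# Added example, not from the interview. Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated session. Assumptions:
# C: is the BitLocker volume, E:\ is a removable drive, and domain membership
# decides whether AD escrow is available.
$Volume  = "C:"
$UsbPath = "E:\"
$Managed = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# Ensure a human-readable recovery password (the 48-digit kind) exists.
$bl = Get-BitLockerVolume -MountPoint $Volume
$passwords = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($passwords.Count -eq 0) {
    $bl = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
    $passwords = @($bl.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

if ($Managed) {
    # Managed case: escrow every recovery password in AD DS so the help desk can
    # read it back. The "store BitLocker recovery information in AD DS" policy
    # must be enabled for this to succeed.
    foreach ($p in $passwords) {
        Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $p.KeyProtectorId
    }
} else {
    # Unmanaged case: machine-readable recovery key (.BEK) on the USB drive, and
    # the recovery password written out so the user can print it and keep the
    # paper copy somewhere other than with the USB stick.
    Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryKeyProtector -RecoveryKeyPath $UsbPath | Out-Null
    $passwords | ForEach-Object {
        "$env:COMPUTERNAME $Volume protector $($_.KeyProtectorId): $($_.RecoveryPassword)"
    } | Out-File -FilePath (Join-Path $UsbPath "BitLocker-RecoveryPassword-$env:COMPUTERNAME.txt")
}

# Check the result: expect a RecoveryPassword protector, and in the unmanaged
# case an ExternalKey protector (the recovery key) as well.
(Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

One practical caveat when following the "one or more USB thumb drives" advice: a single stick holding both the .BEK file and the text file with the recovery password is one lost object away from an unrecoverable volume, which is why the printed copy kept separately (the wallet suggestion above) matters more than it sounds.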
Yesterday I received the question - what products are now updated through Microsoft Update? I had to do a little more digging than expected to find the answer so I'm posting it here for reference. I ended up finding this FAQ off microsoft.com/security -
Link to FAQ
Which operating systems and programs does Microsoft Update support? The service currently delivers updates for these Microsoft programs and operating systems:
Windows Server System and related software products: