
[Today's post is provided by Levi Stevens]

Up until now we have released support announcements on the ConfigMgr Support Team blog from our very own Customer Support Services.  Moving forward, we will be announcing support for new configuration via our Configuration Manager Team blog directly from our finger tips to your eyes.  While we are on the topic, you might be wondering what to expect from our team when new versions of our dependencies release.  First, let's establish some terminology.  We consider our ‘externals' anything that our product is dependent on (or specific features are dependent on) that is not developed by our own development teams.  We have dependencies on platforms like Windows or SQL, or components like .NET Framework or the Bandwidth Intelligent Throttling Service (BITS).  We currently track over 26 external dependencies against our product.

Each time a new version of an external is going to release, our team assesses whether or not we will offer support for this new external.  Often this will involve some ‘scout' testing, some sanity check to see if there are any blatant issues and to size the cost to thoroughly test and validate the new release.  In some cases we need to release a hotfix to enable support, and in some cases we find no issues during test and can simply release a support statement.  As you can imagine the level of change affects our support approach.  For example, the release of Windows 7 required integration of a whole new WAIK and upgrading to a new toolset for imaging. This wasn't something that we could simply hotfix, so this level of support and change was rolled into our next service pack release (SP2 released on 10/22).

You should look to our Supported Configuration pages as your law for what is supported by Microsoft. In most cases we are specific about what we DO support, so if you are checking to see if a new Windows Service Pack is supported yet, if it is not listed, that means it is not supported.  When we do announce support, you can expect a new blog posting on our Configuration Manager Team blog and the official supported configuration page will be updated in the next document publishing cycle (quarterly).

In a few cases we document support implicitly.  For example, we document BITS 2.5 as a minimum requirement in the ConfigMgr Prerequisites.  What does this mean when something such as BITS 4.0 releases? It means that our team is actively testing this new release and if we find issues we will document them.

How does ‘extended support' or an expired service pack impact support for new configurations?  We do not test or add support for new configurations on a product that reaches extended support (like SMS 2003 coming in January) or with ConfigMgr 2007 RTM (with no service pack).  If your company is planning on rolling out new platforms or components, you should plan on moving to mainstream supported products and service pack levels.

With that introduction, here are the support announcements for November 2009:


Windows Storage Server 2008 is now supported on Configuration Manager 2007 SP1 and SP2

System Center Configuration Manager 2007 SP1 and SP2 now support the Windows Storage Server 2008 operating systems for client installation.  Site system roles of a standard distribution point and a branch distribution point are supported.  Installations of the administrator console or other site system roles are not supported.

No software updates are required.


Windows Remote Management (WinRM) 2.0 is now supported on Configuration Manager 2007 SP1 and SP2

System Center Configuration Manager 2007 SP1 and SP2 now support installing Windows Remote Management 2.0 on site systems running the out of band service point role.

No software updates are required.


-- Levi Stevens

This posting is provided "AS IS" with no warranties and confers no rights.


The latest downloadable quarterly update for the Configuration Manager 2007 Documentation Library has been posted to the download center. The October 2009 version is the newest downloadable update available and contains new material and fixes to documentation problems reported by customers since the last update was published for the April 2009 version.

The January, April and October 2009 versions of the downloadable documentation help updates are now available on the Configuration Manager 2007 Help File Update Wizard download center page and additional, future quarterly updates will also be posted to this location.

The eagle-eyed among you might notice that we did not publish a quarterly update for July 2009. This was because at this time the help file contained a lot of pre-release content for Configuration Manager 2007 SP2 that was subject to change.

To get the most recent downloadable Configuration Manager Documentation Library help, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=71816b0f-de06-40e0-bce7-ad4b1e4377bb&displaylang=en.

For more information about the Configuration Manager 2007 Help File Update Wizard, see this post: "Need the Latest Configuration Manager 2007 Help File?" at http://blogs.technet.com/configmgrteam/archive/2009/02/03/need-the-latest-configuration-manager-2007-help-file.aspx .

Please contact smsdocs@microsoft.com if you have any questions or comments about this downloadable update.

-- Rob Stack

This posting is provided "AS IS" with no warranties and confers no rights.


[Today's post comes from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has "Updated: October 1, 2009" at the top of the topic.

This month's updates contain new content for Configuration Manager 2007 SP2 and some updates to existing documentation. It also includes a list of changes in the documentation since April 2009 (see What's New in the Configuration Manager Documentation Library for October 2009).

We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com


What's New in the Configuration Manager Documentation Library for October 2009

The following information lists the topics that contain significant changes since the August 2009 update.

Configuration Manager 2007 SP1 Supported Configurations

- Updated to include Windows Server 2008 R2 and Windows 7.

Supported Operating Systems and Hard Disk Configurations for Operating System Deployment

- Updated with information about the operating systems that are not supported and those which can be deployed only by first capturing a Windows installation image (.wim) file using an image capture task sequence.

Supported Mobile Devices

- Updated to remove information about supported mobile device client operating systems so that it is now exclusively in supported configuration topics (Configuration Manager 2007 Supported Configurations). This means that customers have a consistent place to find supported version information and it reduces the risk of inconsistent information between topics.

About Heartbeat Discovery

- Updated to remove the incorrect information "Although you can configure Heartbeat Discovery to update client DDRs as frequently as you want, if you configure it to run less than once every 25 hours (the default client refresh cycle) the updated DDR will be reported no less than once every 25 hours". This restriction applied to an earlier version of the product and does not apply to Configuration Manager.

About the Site Repair Wizard and How to Back Up a Secondary Site

- Updated with the information that the Site Repair Wizard should not be used to recover a secondary site. The Product Group has confirmed that the recovery procedure doesn't work for secondary sites and will not be supported. If you need to recover a secondary site, reinstall it; the secondary site configuration from the primary site will be replicated to it automatically when installation is complete. Because restoring a secondary site is not supported with the product, there is no point in backing up a secondary site by using the Backup Secondary Site Server maintenance task. To help avoid confusion, we have removed the procedural information in How to Back Up a Secondary Site.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.


We released Service Pack 2 for Configuration Manager 2007 yesterday.  See the release announcement by Jeff Wettlaufer here

SP2 provides:

  • Windows 7 and Windows Server 2008 R2 support that enables customers to deploy and manage their Windows 7 client and server based systems.
  • New options for Out of Band Management that includes the addition of updated firmware support along with support for key new features such as wireless profile management and 802.1X.
  • Branch Cache support that enables customers to significantly reduce WAN utilization in branch office scenarios by leveraging new technology in Windows Server 2008 R2.
  • Greater 64-bit support that includes Remote Control, App-V, and the 2007 OpsMgr agent.

For a full list of what is included in SP2 see the What's New in Configuration Manager 2007 SP2 topic in our documentation library.  The service pack can be downloaded here.  A 180-day evaluation version of the service pack can be downloaded here.

We'd like to thank all our customers who participated in our beta program and provided feedback to us.

--Michael Cureton

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post comes from the Configuration Manager Writing Team]

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content has "Updated: August 1, 2009" at the top of the topic.

We have only a handful of topics that have been updated this month to correct a couple of broken links and a minor editing clarification.  The main change that I want to draw your attention to is the addition of a single but very important sentence in Certificate Requirements for Native Mode, which is the following for each of the native mode certificates: SHA-1 is the only supported hash algorithm.

When you install the Active Directory Certificate Services role on Windows Server 2008, the Configure Cryptography for CA page of the Add Roles Wizard allows you to change the default hash algorithm of sha1 to other algorithms, such as those from the SHA2 family, including the stronger algorithms of SHA-256 and SHA-512. Only SHA-1 has been tested for native mode communication in Configuration Manager 2007, and there are no plans to extend this support in the near future.  Therefore, all native mode certificates must be issued by a CA that uses SHA-1.

Disclaimer:  The procedures in this blog post are external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.

How can you tell whether your certificates are using SHA-1 or another algorithm?  Check the properties of the issued certificate, by using the Certificates MMC.  In the Details tab, check the value of the Signature algorithm - it should say sha1RSA.  And on the issuing CA, check the properties of the CA, General Tab - it should display Hash algorithm: sha1 under the Cryptographic settings section.

From customer feedback on the forums (and verified with our own testing), we know that when the site server signing certificate is signed with an algorithm that is higher than SHA-1, the MPControl.log file on the management point displays CryptVerifyCertificateSignatureEx returned error 0xc000a000 instead of the expected CryptVerifyCertificateSignatureEx returned error 0x80090006.

If you have installed Active Directory Certificate Services with a hash algorithm other than SHA-1, you can reconfigure it to use SHA-1 by using the following procedure:

  1. From a command prompt on the server running the CA, type the following: Certutil -setreg ca\csp\CngHashAlgorithm SHA1
  2. Stop and restart Certificate Services.
  3. If necessary, request and issue new certificates.
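The checks described above (certificate signature algorithm, CA hash setting, and the MPControl.log symptom) as an added PowerShell example; this is not code from the original post. It assumes Windows PowerShell on the site system or CA, and that the registry value read by Get-CAConfiguredHashAlgorithm is the one that "certutil -setreg ca\csp\CngHashAlgorithm" writes; the log lines at the end are constructed samples.

```powershell
# Added example, not part of the original post.
# 1) List certificates in the local computer Personal store not signed with sha1RSA.
# 2) Read the CNG hash algorithm configured for each CA on this server.
# 3) Scan MPControl.log lines for the 0xc000a000 result the post describes.

function Get-NonSha1Certificates {
    # Returns every certificate in the store whose signature algorithm is not sha1RSA.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -ne 'sha1RSA' } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

function Get-CAConfiguredHashAlgorithm {
    # Assumption: certutil -setreg ca\csp\CngHashAlgorithm writes
    # HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\CSP\CngHashAlgorithm.
    # A CA using a legacy CSP has no CngHashAlgorithm value; that case is reported as well.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) { return @() }
    foreach ($ca in Get-ChildItem -Path $base) {
        $cspKey = Join-Path $ca.PSPath 'CSP'
        $value = $null
        if (Test-Path $cspKey) {
            $value = (Get-ItemProperty -Path $cspKey -Name CngHashAlgorithm -ErrorAction SilentlyContinue).CngHashAlgorithm
        }
        $display = '(not set: legacy CSP)'
        if ($value) { $display = $value }
        New-Object PSObject -Property @{
            CAName        = $ca.PSChildName
            HashAlgorithm = $display
            IsSha1        = ($value -eq 'SHA1')
        }
    }
}

function Find-SignatureVerificationErrors {
    # Flags MPControl.log lines from CryptVerifyCertificateSignatureEx. The post says
    # 0xc000a000 appears when the site server signing certificate uses a hash above SHA-1,
    # while 0x80090006 is the expected value.
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match 'CryptVerifyCertificateSignatureEx returned error (0x[0-9a-fA-F]+)') {
            $code = $Matches[1].ToLower()
            $verdict = 'Other error'
            if ($code -eq '0xc000a000') { $verdict = 'Signing certificate hash is not SHA-1; check the CA and reissue' }
            elseif ($code -eq '0x80090006') { $verdict = 'Expected value per the post' }
            New-Object PSObject -Property @{ Code = $code; Verdict = $verdict; Line = $line }
        }
    }
}

# Constructed sample lines (not captured from a real management point):
$sampleLog = @(
    'CryptVerifyCertificateSignatureEx returned error 0xc000a000  $$<SMS_MP_CONTROL_MANAGER>',
    'CryptVerifyCertificateSignatureEx returned error 0x80090006  $$<SMS_MP_CONTROL_MANAGER>'
)
Find-SignatureVerificationErrors -LogLines $sampleLog | Format-Table Code, Verdict -AutoSize
Get-NonSha1Certificates | Format-Table -AutoSize
Get-CAConfiguredHashAlgorithm | Format-Table CAName, HashAlgorithm, IsSha1 -AutoSize
```

To scan a real log, replace $sampleLog with Get-Content on the MPControl.log path on the management point.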

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.


[Today's post is provided by Carol Bailey]

We have recently updated the Configuration Manager Documentation Library for out of band management for SP2, including revisions to troubleshooting issues.  Some of these revisions are also applicable to Configuration Manager 2007 SP1, but we can't publish them with our monthly updates because of the new SP2 content.  Rather than waiting until SP2 is released, I'm including the revisions here that affect existing customers using out of band management in Configuration Manager 2007 SP1.


Configuration Manager Fails to Provision Computers with a Disjointed Namespace

Out of band management does not support AMT provisioning of computers that have a disjointed namespace. An example of a disjointed namespace is when an AMT-based computer has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com instead of in an Active Directory domain named corp.fabrikam.com.

Solution

There is no workaround to this requirement other than to align the DNS namespace with the Active Directory namespace.


Computers Fail to Provision Out of Band Because the Computer Has Been Discovered by Configuration Manager

If out of band provisioning is used and the AMT-based computer has already been discovered by Configuration Manager before the provisioning process starts, provisioning fails with Configuration Manager 2007 SP1. In this scenario, after running the Import Computer for Out of Band Management Wizard, the site code is incorrectly missing from the client record, which causes provisioning to fail.

Solution

This issue is addressed with Configuration Manager 2007 SP2. If you cannot upgrade to Configuration Manager 2007 SP2, a workaround to complete out of band provisioning in this scenario is to delete the client record in the Configuration Manager console before running the Import Computer for Out of Band Management Wizard. Alternatively, use in-band provisioning.


The Out of Band Management Console Fails to Connect to AMT-Based Computers That Were Successfully Provisioned Out of Band and Do Not Have an Operating System Installed

If the computer running the out of band management console cannot connect to an AMT-based computer that was successfully provisioned out of band and that does not have an operating system installed, it might be because there is no host record in DNS to resolve the FQDN to the IP address of the AMT-based computer. There is no DNS client supplied with versions of AMT that are supported in Configuration Manager 2007 SP1 and later. Therefore, other methods must be used to create and update this record in DNS. When an operating system is installed, this can update DNS directly or through a DHCP record. However, when provisioning out of band, the initial host name of the AMT-based computer will be a factory default name and might be used on multiple computers rather than be unique. Although your choice of FQDN is written to AMT during the provisioning process, AMT cannot update the initial DHCP record with this new computer name. This results in name resolution failing for the FQDN when the out of band management console tries to connect to the AMT-based computer, and the following entry is logged in the <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log file:

GetAMTPowerState fail with result: 0x800703E3

Solution

When an operating system is installed with the same FQDN that was supplied during AMT provisioning, a host record will be added to DNS either directly or by using DHCP, and out of band management communication will then succeed. To manage the AMT-based computer out of band before an operating system is installed, you must manually create host records in DNS for these computers that resolve the FQDN supplied in the Import Computer for Out of Band Management wizard to their current IP address in AMT. You can locate their current IP address from the BIOS extensions, or if you know the MAC address, you can find the corresponding IP address from DHCP.

For new computers that are not yet provisioned for AMT, perform the following steps:

  1. Create a DHCP reservation for this computer and supply the MAC address of the AMT-based computer.
  2. Manually create a host record in DNS such that the host name matches the FQDN supplied in the Import Computer for Out of Band Management wizard and the IP address matches the address in the DHCP reservation.


IDE Redirection Fails When the Out of Band Management Console Runs as a Low-Rights User

IDE redirection requires that the AMT administrator using the out of band management console has local administrator rights on the computer used to run the out of band management console when this computer supports user account control (UAC). For example, this includes Windows Vista and Windows Server 2008.

To help identify this scenario, on the computer running the out of band management console, look for the following data in the Oobconsole.log file, with an entry that begins IMR_IDEROpenTCPSession<number> with user = and then contains user and drive information. This log file is located in the folder <ConfigMgrInstallationPath>\AdminUI\AdminUILog on the computer that runs the out of band management console.

fail with result:0x2, description:Invalid Parameter

Solution

Add the user account to the local Administrators group on the computer running the out of band management console.


--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.


[Carol Bailey has updated her previous post "How to Publish the CRL on a Separate Web Server"]   

We've recently updated our blog post for publishing the CRL on a separate Web server because the instructions were missing the variable <DeltaCRLAllowed> in the paths, which is needed for delta CRLs.

As a rule, I'm not fond of adding variables in documentation instructions when they are not needed for basic functionality, but this one is needed for delta CRLs.  I also added <CAName> so that you can publish CRLs from different CAs into the same location (for example, when you have a tiered CA hierarchy you must publish CRLs from each CA in the chain up to and including the root), and <CRLNameSuffix> according to best practices (http://technet.microsoft.com/en-us/library/dd379469(WS.10).aspx).

Updated: How to Publish the CRL on a Separate Web Server

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.


[Carol Bailey gives us a recommendation for PKI reading material] 

Customers that are running Configuration Manager in native mode and support Internet-based client management might be interested in reading the following technical white paper that was originally published in 2005 but updated in June this year.  I particularly liked the section "Lessons Learned and Best Practices"; learning from the professionals is always a good use of time!

Microsoft IT Showcase: Deploying and Managing PKI inside Microsoft

Download Word document: http://download.microsoft.com/download/9/1/0/910a19a0-d06e-4b2e-b41d-00cb4f7f4ab4/0022_PKI_TWP.doc

Online Web version: http://technet.microsoft.com/en-us/library/cc964304.aspx

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is provided by Carol Bailey] 

We have recently updated the Configuration Manager Documentation Library for out of band management in Configuration Manager 2007 SP2, including revisions to security best practices.  Some of these revisions are also applicable to out of band management in Configuration Manager 2007 SP1, but we can't publish them with our monthly updates because of the new SP2 content.  Rather than waiting until SP2 is released, I'm including the revisions here that affect existing customers using out of band management in Configuration Manager 2007 SP1.

We have also updated the recommended collection query for in-band provisioning. The previous query included computers with the AMT status of Not Provisioned and Detected. Note that Detected means AMT capability is detected but the out of band service point is unable to currently provision it for AMT because the AMT Remote Admin Account or the MEBx Account has been changed. This is usually an indication that you need to configure an AMT Provisioning and Discovery Account.

The new query excludes Configuration Manager clients that are blocked or not approved.  As a security best practice, provision only computers that you trust.  Blocked clients and unapproved clients are deemed to be untrusted.  This security best practice will be enforced in Configuration Manager 2007 SP2, but it is not enforced with Configuration Manager 2007 SP1, so the revised query automatically excludes these computers.  The revised query to use for the collection configured for in-band provisioning is as follows:

Select SMS_R_System.* from SMS_R_System inner join SMS_CM_RES_COLL_SMS00001 on SMS_CM_RES_COLL_SMS00001.ResourceId = SMS_R_System.ResourceId where (AMTStatus = 1 or AMTStatus = 2) and SMS_CM_RES_COLL_SMS00001.IsApproved = 1 and SMS_CM_RES_COLL_SMS00001.IsBlocked = 0

Security Best Practices for Out of Band Management in Configuration Manager 2007 SP1

Request customized firmware before purchasing AMT-based computers   Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your choice of values. For more information, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer. If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them yourself. For more information about manually configuring the BIOS extensions, refer to the Intel documentation or the documentation from your computer manufacturer. You can also refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001). Customize the following options to increase your security:

  • Replace all certificate thumbprints of external certification authorities (CAs) with the certificate thumbprint of your own internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you will not have to purchase provisioning certificates from external CAs. For information about how to locate the certificate thumbprint of your internal root CA, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.
  • Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account.
  • Change the value for the default provisioning server. Using the default name of ProvisionServer could present a security risk if a record with this name is configured to resolve to an IP address of the wrong computer or a rogue computer. Configuring the provisioning server value with an IP address is more secure than using a well-known name. However, an IP address cannot be used for multiple AMT-based computers if they will be provisioned by different sites. If you configure an alternative name rather than an IP address, you must configure DNS to perform name resolution. When you use name resolution for either ProvisionServer or a custom name, secure the DNS record to safeguard against the record being modified in such a way that it no longer resolves to the out of band service point site system computer. For more information, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
  • Configure an alternate port for server provisioning. Using a custom port is more secure than using the default port for out of band provisioning. If you will use out of band provisioning, configure your alternative port number on the Out of Band Management Properties: General tab.

Use in-band provisioning instead of out of band provisioning     Using in-band provisioning, especially in native mode, allows the client to use the trust relationship already established between the client and the Configuration Manager infrastructure. With out of band provisioning, untrusted computers can be provisioned if they supply the SMBIOS GUID (also known as the UUID) that has been specified in the Import Out of Band Computers wizard. Successfully provisioned computers have an account automatically created in Active Directory Domain Services and receive a certificate with server authentication capability from your enterprise CA. If a rogue computer is provisioned, the resulting network authentication results in an elevation of privileges and the account could be used to read information on the network that is secured for authenticated access (information disclosure). A certificate with server authentication might be misused to establish trust. It is also possible for attackers to create servers that impersonate valid DNS servers and provisioning servers so that AMT-based computers are misdirected to rogue provisioning servers. If you do not need to use out of band provisioning, do the following to help reduce these security risks:

  • To help prevent rogue computers from being provisioned out of band: Do not use the Import Out of Band Computers wizard to add new computers to the Configuration Manager database; configure Windows firewall on the server running the out of band service point role to block the provisioning port (by default, TCP 9971); and do not register an alias for the out of band service point in DNS. For more information about the DNS alias, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS. Additionally, restrict physical access to the network, and monitor clients to detect unauthorized computers.
  • To help prevent rogue servers from provisioning your AMT-based computers, use a custom password for the MEBx Account in the AMT BIOS extensions so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. For more information, see About the MEBx Account and How to Add an AMT Provisioning and Discovery Account.

If you cannot use in-band provisioning because the computer is new and has no operating system installed, consider using operating system deployment to install the operating system and install the Configuration Manager 2007 SP1 client so that the computer can be provisioned in-band. Unlike out of band provisioning, operating system deployment does not create an authenticated account in Active Directory Domain Services and does not request a server authentication certificate from your enterprise CA. For more information about operating system deployment, see Operating System Deployment in Configuration Manager. If you cannot use in-band provisioning because the computer does not have the Configuration Manager 2007 SP1 client installed or because the computer does not have a version of AMT that is natively supported by Configuration Manager, install the Configuration Manager 2007 SP1 client and upgrade the firmware to a supported version as appropriate. For more information about the AMT versions supported by Configuration Manager, see Overview of Out of Band Management.

Manually revoke certificates and delete Active Directory accounts for AMT-based computers that are blocked by a Configuration Manager 2007 SP1 site   Computers that are blocked by a Configuration Manager 2007 SP1 site continue to accept out of band management communication. When an AMT-based computer is blocked because it is no longer trusted, take the following manual action:

  • On the issuing CA, revoke the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject.
  • In Active Directory Domain Services, disable or delete the AMT account that was created for the AMT-based computer.

Control the request and installation of the provisioning certificate    Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you will have to export the private key and then use additional security controls while transferring and importing the certificate into a certificate store with restricted access.

Ensure that you request a new provisioning certificate before the existing certificate expires    An expired AMT provisioning certificate will result in provisioning failure. If you are using an external CA for your provisioning certificate, allow additional time to complete the renewal process and reconfigure the out of band management point.

Note

To help you identify when the AMT provisioning certificate is about to expire, Configuration Manager generates a warning status message with ID 7210 when the provisioning certificate in use is 40 days or less from expiration. This status message will be repeated once a day until the certificate is replaced with a validity period greater than 40 days or until the validity period is less than 15 days. When the validity period is less than 15 days, an error status message with ID 7211 is generated until the certificate is replaced with a validity period greater than 15 days.
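An added PowerShell example (not code from the original post) that applies the 40-day and 15-day thresholds from the note to a certificate in the local computer store, so the expiry state can be checked from a scheduled task rather than only from status messages. It assumes the provisioning certificate is identified by its thumbprint, which you supply; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not part of the original post.

function Get-ProvisioningCertificateExpiryState {
    # Maps days remaining to the states the note describes:
    # 7210 (warning) at 40 days or less, 7211 (error) below 15 days.
    param([Parameter(Mandatory = $true)][int]$DaysRemaining)
    if ($DaysRemaining -le 0) { return 'Expired: AMT provisioning will fail' }
    if ($DaysRemaining -lt 15) { return 'Error (status message ID 7211)' }
    if ($DaysRemaining -le 40) { return 'Warning (status message ID 7210)' }
    return 'OK'
}

function Test-ProvisioningCertificate {
    # Looks up the certificate by thumbprint and reports its expiry state.
    # -Now can be overridden to see what state a future date would produce.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [datetime]$Now = (Get-Date)
    )
    # Accept thumbprints pasted from the MMC, which may contain spaces or colons.
    $thumb = ($Thumbprint -replace '[\s:]', '').ToUpper()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No certificate with thumbprint $thumb was found in $StorePath" }
    $days = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        DaysRemaining = $days
        State         = (Get-ProvisioningCertificateExpiryState -DaysRemaining $days)
    }
}

# Usage; the thumbprint is a placeholder for your own provisioning certificate:
# Test-ProvisioningCertificate -Thumbprint '<PROVISIONING-CERT-THUMBPRINT>' |
#     Format-List Subject, NotAfter, DaysRemaining, State
```

If you renew through an external CA, treat the 7210 warning as the latest point to start the renewal, since the post notes that the external process and reconfiguring the out of band service point take additional time.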

If the provisioning certificate is revoked, delete it from the certificate store on the out of band service point site system server, and remove it from the out of band management component configuration properties    If you know that the AMT provisioning certificate is revoked, you must manually prevent it from being used to provision AMT-based computers by Configuration Manager because AMT-based computers do not check the CRL for the provisioning certificate. Delete the certificate from the certificate store on the out of band service point site system server. Then deploy a new provisioning certificate, and configure it in the Out of Band Management Properties dialog box. If you cannot immediately deploy a valid AMT provisioning certificate, remove the out of band service point role until you have a replacement certificate.

If you must revoke a provisioning certificate supplied by an internal CA, revoke the certificate in the Certification Authority console    There is no functionality to revoke the provisioning certificate in Configuration Manager 2007 SP1.

Use a dedicated certificate template for provisioning AMT-based computers   If you are using an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure that only Configuration Manager site servers have Read and Enroll permissions, and do not add additional capabilities to the default of server authentication. Having a dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you will not be able to create a duplicate certificate template. In this scenario, do not allow Read and Enroll permissions to computers other than Configuration Manager site servers that will provision AMT-based computers.

Use out of band management instead of Wake On LAN    Although both solutions support waking up computers for software updates and advertisements, out of band management is a more secure solution than Wake On LAN because it provides authentication and encryption using standard industry security protocols. It can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Choose Between Power On Commands with Out of Band Management and Wake-Up Packets for Wake On LAN.

Use a dedicated OU to publish AMT-based computers    Do not use an existing container or OU to publish the Active Directory accounts that are created during AMT provisioning. A separate OU allows you to better manage and control these accounts and helps to ensure that they are not granted more privileges than they need.

Use Group Policy to Restrict User Rights for the AMT Accounts    Apply restrictive user rights to the AMT accounts that are published to Active Directory Domain Services to help protect against elevation of privileges and to reduce the attack surface if an attacker gains access to one of these accounts. Create a security group that contains the AMT accounts automatically created by Configuration Manager during the AMT provisioning process, and then add this group to the following enabled group policy settings under \Computer Configuration\Windows Settings\Security Settings\Local Policy\User Rights Assignment:

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Terminal Services

Apply these group policy settings to all computers in the forest. Periodically review and revise if necessary the group membership to ensure that it contains all the AMT accounts currently published to Active Directory Domain Services.

Use a dedicated collection for in-band provisioning    Do not use an existing collection that contains more computers than you want to provision in-band. Instead, create a query-based collection by using the procedure for in-band provisioning in How to Provision Computers for AMT. When the site is in mixed mode, ensure that these computers are approved. For more information about approval, see About Client Approval in Configuration Manager and How to Approve Configuration Manager Clients.

Restrict who has the Media Redirection right and the PT Administration right   Granting someone the Media Redirection right is almost equivalent to granting someone physical access to the computer. While attackers still require physical access to open the computer, someone with the Media Redirection right could load an alternate operating system and use it to remotely attack data on the hard drive. The PT Administration right automatically includes all AMT rights, which includes the Media Redirection right.

Retrieve and store image files securely when booting from alternative media to use the IDE redirection function   When you boot from alternative media to use the IDE redirection function, whenever possible, store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access (for example, using NTFS permissions and the encrypted file system).

Minimize the number of AMT Provisioning and Discovery Accounts   Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer needed. Specifying only the accounts that you need helps to ensure that these accounts are not granted more privileges than they need and helps to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Determine Whether to Configure an AMT Provisioning and Discovery Account for Out of Band Management and About the AMT Provisioning and Discovery Account.

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's Post is provided by the Configuration Manager Writing Team]

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the following information lists the topics that are new or contain significant changes since the June 2009 update.  The latest content that has been updated on the Web has Updated: July 1, 2009 at the top of the topic.

We don't have as many updates for you this month, because we've been working on documentation for Service Pack 2 (to be included with Configuration Manager 2007 SP2 RC) and the SuperFlows.  The updates that we have come from customer feedback.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.

 

What's New in the Configuration Manager Documentation Library for July 2009

The following information lists the topics that are new or contain significant changes since the June 2009 update:

Configuration Manager 2007 General Supported Configurations

- Updated to include the support statement that Configuration Manager clients are not supported with Network Address Translation (NAT), unless the site is configured for Internet-based client management and the client detects that it is on the Internet.

Configuration Manager 2007 SP1 Supported Configurations

- Updated to include a feature section for Out of Band Management.  This includes the versions of AMT that are supported, operating system limitations for the out of band management console, and the support statement that out of band communication to an AMT-based computer is not supported if it is running the Routing and Remote Access service in the client operating system.

Troubleshooting General Operating System Deployment Issues

- Updated with the new entry "Security Registry Keys for Native Mode Remain in Captured Images".  This issue was reported in the forums when a customer used a captured image from a native mode client that used a different CA hierarchy to the one used on the production network, and it resulted in the client being unmanaged.  This troubleshooting entry includes the prescribed additional steps to take if you capture an image from a native mode client.

Troubleshooting Task Sequence Initiated Operating System Deployment Issues

- Updated with the new entry "Task Sequence Always Performs Certificate Revocation Checking in Native Mode Site".  This issue documents how to identify a known issue with task sequences always checking the CRL in a native mode site, even after following the procedures to disable CRL checking on clients.  In this scenario, if the CRL cannot be accessed, all native mode communication will fail and the smsts.log file will record: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED.

-- The Configuration Manager Writing Team


 

[Today's post is provided by Yvette O'Meally]

The Configuration Manager Sustained Engineering team has re-released a number of Configuration Manager SP1 hotfixes due to a problem with the hotfix installer's ability to detect Windows Server 2008 SP2 and Windows Vista SP2.  This will cause Configuration Manager 2007 SP1 hotfixes to fail to install on those operating systems even though they are applicable.

Symptoms

If you try to install the original version of one of these Configuration Manager hotfixes on a system running Windows Server 2008 SP2 or Windows Vista SP2, you will get a popup with an error like this: "This KB###### is for a different hardware platform.", where ###### is the KB number of the hotfix you are installing.  The hotfix will fail to install.

Entries similar to the following would be displayed in the KB######.log file:

0.171: CheckSystem: GetMachineType failed :STATUS_PLATFORM_MISMATCH
0.171: DoInstallation: CheckSystem Failed: 0xf00e 
0.187: This KB957255 is for a different hardware platform.
1.575: Message displayed to the user: This KB957255 is for a different hardware platform.
1.575: User Input: OK
1.575: Update.exe extended error code = 0xf00e
1.575: Update.exe return code was masked to 0x643 for MSI custom action compliance.

Resolution

If you have downloaded a Configuration Manager 2007 SP1 hotfix before June 16th 2009 and you have either Windows Server 2008 SP2 or Windows Vista SP2 you will need to obtain the repackaged version of the hotfix.  The affected hotfixes are listed in the table below.

Please note that the product binaries inside the hotfix package are not affected.  The only changes are to the hotfix installer.

 

KB        Version Number    Date/Time

954214    4.0.6221.1101     12/01/2008 1:00am
954474    4.0.6221.1102     12/01/2008 1:05am
954716    4.0.6221.1103     12/01/2008 2:10am
955114    4.0.6221.1105     12/01/2008 2:20am
955355    4.0.6221.1107     12/01/2008 2:30am
955388    4.0.6221.1108     12/01/2008 2:35am
955842    4.0.6221.1109     12/01/2008 2:40am
955955    4.0.6221.1110     12/01/2008 2:45am
955126    4.0.6221.1111     12/01/2008 2:50am
956465    4.0.6221.1112     12/01/2008 2:55am
956337    4.0.6221.1113     12/01/2008 3:00am
956194    4.0.6221.1114     12/01/2008 3:05am
954718    4.0.6221.1115     12/01/2008 3:10am
955262    4.0.6221.1117     12/01/2008 3:20am
956918    4.0.6221.1118     12/01/2008 3:25am
956944    4.0.6221.1119     12/01/2008 3:30am
956733    4.0.6221.1120     12/01/2008 3:35am
956941    4.0.6221.1121     12/01/2008 3:40am
957183    4.0.6221.1122     12/01/2008 3:45am
957325    4.0.6221.1123     12/01/2008 3:50am
957255    4.0.6221.1124     12/01/2008 3:55am
957879    4.0.6221.1125     12/01/2008 4:00am
957469    4.0.6221.1126     12/01/2008 4:05am
957576    4.0.6221.1127     12/01/2008 4:10am
955115    4.0.6221.1128     12/01/2008 4:15am
958808    4.0.6221.1129     12/01/2008 4:20am
959040    4.0.6221.1130     12/01/2008 4:25am
959038    4.0.6221.1131     12/01/2008 4:30am
958021    4.0.6221.1132     12/01/2008 4:35am
959257    4.0.6221.1133     12/01/2008 4:40am
959700    4.0.6221.1134     12/01/2008 4:45am
959812    4.0.6221.1135     12/01/2008 4:50am
959875    4.0.6221.1136     12/01/2008 4:55am
960448    4.0.6221.1137     12/01/2008 5:00am
960741    4.0.6221.1138     12/01/2008 5:05am
960634    4.0.6221.1139     12/01/2008 5:10am
960846    4.0.6221.1140     12/01/2008 5:15am
960804    4.0.6221.1141     12/01/2008 5:20am

Thanks

--Yvette O'Meally


[Today's Post is provided by the Configuration Manager Writing Team]

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the following information lists the topics that are new or contain significant changes since the April 2009 update.  The latest content that has been updated on the Web has Updated: June 1, 2009 at the top of the topic.

In particular, you might want to check out the revised supported configurations, which now include support statements for SQL Server 2008 SP1, Windows Vista, Windows Server 2008 Service Pack 2, and Windows Server 2003 Service Pack 2.  Be sure to check out the details for the environments in which these are supported and whether any hotfixes are required:

We also have some new topics for the Configuration Manager 2007 SP2 features and changes, but because SP2 is still in beta, they are not published to the Web with this round of publishing updates.  Instead, download the help file from the Connect site, and then search for the topic "What's New in Configuration Manager 2007 SP2". 

We do value customer feedback and try to incorporate it when possible.  Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.

 

What's New in the Configuration Manager Documentation Library for June 2009

The following information lists the topics that are new or contain significant changes since the April 2009 update:

Overview of Internet-Based Client Management

- Updated to include task sequences as one of the features that are not supported when clients are managed on the Internet.

Out of Band Management Console Issues

- This topic now includes a note at the top that references the Intel vPro Expert Center: Microsoft vPro Manageability Web site, which should be checked for issues that are specific to AMT (such as behavior differences between firmware versions, how to install and configure the Intel translator, and how to configure AMT).  This topic has also been updated to include the known issue of trying to run the out of band management console on Windows XP SP2 and Windows Server SP1. 

How to Enable or Disable Certificate Revocation Checking (CRL) on Clients

- Updated to clarify that client functions that run as a result of task sequence actions always check the CRL in a native mode site, even after following the procedures to disable CRL checking on clients.  This limitation will no longer apply in Configuration Manager 2007 SP2.

Ports Used by Configuration Manager

- Clarified that the configurable port TCP 9971 for the AMT management controller to the out of band service is used only for out of band provisioning, and is not used with in-band provisioning.  If you are using out of band provisioning, and the server running the out of band service point has the Windows firewall enabled, ensure that this port is allowed.

How to Create a Fallback Status Point in Configuration Manager

- Revised with clarifications such as the inclusion of security best practices for production networks; a reference to installing IIS for Windows Server 2008; which log files to check for successful installation; and how to install the fallback status point on a new server.

Troubleshooting SQL Reporting Services Issues

- Corrections made to the troubleshooting item "Cannot run reports from the Configuration Manager console".

Delete Inactive Client Discovery Data Task Overview

- Removed incorrect references to the SMS 2003 Client Health Tool and replaced these with references to Client Status Reporting in Configuration Manager 2007 R2.

How to Remediate Non-Compliant Computers Using Software Distribution

- Revised so that the query works with multiple versions of SQL Server.

About the Network Access Account

- With the help of community content feedback, we realized that this topic was missing a link with instructions how to configure this account.  This reference has now been added.

 

-- The Configuration Manager Writing Team


 

[Today's post is provided by Michael Cureton]

The System Center Configuration Manager team would like to announce the release of the public beta for Configuration Manager Service Pack 2.  This beta is now available for download for all customers. 

Service Pack 2 for Configuration Manager 2007 delivers new platform support for Windows 7 client, Windows Vista SP2, Windows Server 2008 R2 and Windows Server 2008 SP2.  In addition, Service Pack 2 delivers continued innovation with Intel vPro technology, support for Branch Cache enabled environments, and continued development for 64 bit architectures. 

You can access more information and download the beta by registering for the Configuration Manager 2007 Service Pack 2 Open Beta Program on Connect at https://connect.microsoft.com/InvitationUse.aspx?ProgramID=3005&InvitationID=%20CM72-HDRW-G3V6&SiteID=16. It can also be found in the Connection Directory by sorting by "Connection Name"; it is listed under System Center Configuration Manager 2007.

What's New?

New Operating System Support

  • Windows 7
  • Windows Vista SP2
  • Windows Server 2008 R2
  • Windows Server 2008 SP2

New Features in Out of Band Management

Configuration Manager 2007 Service Pack 2 improves on the Intel AMT integration provided in Service Pack 1.  SP2 adds full feature support for computers that have the Intel vPro chip set and AMT firmware versions 4 & 5.  In addition to providing feature parity with SP1 and AMT firmware versions 3.2.1, 4.0 and 5.0, the following new features are supported:

  • Wireless management with up to 8 wireless profiles (mobile ONLY)
  • End point access control: 802.1x support
  • Audit logging
  • Power policy extensions
  • Data storage

Asset Intelligence Certificate Requirement Removal

Configuration Manager Service Pack 1 introduced Asset Intelligence v1.5.  This version allowed customers to configure an online synchronization to ensure that their catalog was up to date with the latest Microsoft inventory for both hardware and applications.  This initial release required a certificate.  With Service Pack 2, the requirement to have the certificate has been removed, so any customer can configure their Asset Intelligence capabilities to connect online and update their catalog.  Software Assurance is not required for this functionality. 

64-bit Architecture Development

Service Pack 2 will also continue to deliver new support for x64 architectures, including the following:

  • X64 support for Operations Manager 2007 Client Agent
  • Update to Management Packs for 64-bit operating systems - SP2 will ship 64-bit performance counters (the management pack is a separate release)
  • Remote control support added for x64 XP and x64 Server 2003

Improved Client Policy Evaluation

  • Faster policy processing
  • More efficient software distribution configured to run at user logon

Branch Cache Support

  • Support for scenarios where Windows Server 2008 R2 and Windows 7 Client are present and Branch Cache is enabled

We invite you to register for the Configuration Manager 2007 Service Pack 2 Open Beta Program on Connect at https://connect.microsoft.com/InvitationUse.aspx?ProgramID=3005&InvitationID=%20CM72-HDRW-G3V6&SiteID=16.

 

--Michael Cureton


 

[Today's post is provided by Carol Bailey]

I sometimes get questions from customers about values to set for the key sizes and validity periods for the certificates required for native mode and out of band management in Configuration Manager.  This has been a tough one for me to answer, because in the main, these values are external to Configuration Manager and they are PKI design questions with advantages and disadvantages for different values.  The higher the key size, the more secure the certificate is from attackers, but will require more processing to use.  The longer the validity period, the less certificate maintenance required (and potentially some service disruption), but the certificate is more vulnerable to being compromised.

Disclaimer:  The PKI-related information in this post is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.

Until recently, the best advice I could offer customers without their own PKI consultants, was to follow the example of Microsoft default values on certificate templates that closely matched their own certificates.  Then check any certificate requirements in our documentation (for example, some certificates have a maximum supported key size), and take into account any overheads associated with renewal.  

However, at MMS in Vegas this year, Chris Adams and Ben Shy from Microsoft presented an excellent breakout session that shared their experience of how they implemented native mode and Internet-based client management in Microsoft.  This session was called "Demystifying Native Mode Security to Deliver Internet-based Client Management", and one slide I was particularly keen for them to share with customers was their strategy for deciding the key size and validity period.  Their numbers are based on RSA research and how long it would take an attacker to compromise a certificate.  So the higher the key size, the more secure the certificate is (but remember that this comes at the cost of extra processing). The simple matrix that they presented at MMS looked like this:

  • Key length of 1024:  Validity period = not greater than 6-12 months
  • Key length of 2048:  Validity period = not greater than 2 years
  • Key length of 4096:  Validity period = not greater than 16 years

When you are deciding which values to use, we've already noted that you need to take into account any other restrictions - such as the maximum key size supported by the application that uses the certificate.  However, you also need to take into account what your CA hierarchy can support. A CA cannot issue a certificate with a longer validity period than its own certificate.  This one is easy to remember; however, there's also a ticking time limit, because a CA cannot issue certificates with a validity period that is longer than its own remaining validity period.

This means that ideally, you want to plan your validity periods very carefully when designing your PKI - taking into account factors such as the type of certificates that you want to use, the applications that will use them, your company's tolerance to security risks, and your renewal strategy.  However, in practice, you might have to fit your validity periods around your existing PKI design.  

Some examples:

  • If you want to use a validity period of 10 years for your site server signing certificate, this will not be possible if your issuing CA has a certificate with a validity period of 5 years.
  • If your issuing CA has a validity period of 5 years but has been up and running for 2 years, it will not be able to deploy certificates with a validity period of 4 years - until its own certificate is renewed.
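The key-length matrix and the two CA rules above can be combined into a small planning check. The following is an added example (not code from the original post or from Configuration Manager) that, given a requested key length and validity period plus the issuing CA's own certificate dates, reports every reason the request cannot be met. It carries the matrix's 6-12 month entry as its 12-month upper bound and uses 365-day years for the whole-year arithmetic; both are simplifications made for this illustration, and the CA dates are constructed to reproduce the two examples in the post.

```python
from datetime import date

# Upper bounds from the MMS matrix quoted above, in whole years. The 1024-bit
# entry (6-12 months) is carried as its 12-month upper bound (simplification).
MAX_VALIDITY_YEARS = {1024: 1, 2048: 2, 4096: 16}

# Whole-year arithmetic here uses 365-day years (assumption for this example).
DAYS_PER_YEAR = 365


def max_validity_years(key_bits: int) -> int:
    """Longest validity the matrix allows for this RSA key length."""
    if key_bits not in MAX_VALIDITY_YEARS:
        raise ValueError(f"the matrix gives no guidance for a {key_bits}-bit key")
    return MAX_VALIDITY_YEARS[key_bits]


def ca_validity_years(ca_not_before: date, ca_not_after: date) -> int:
    """Whole years in the CA certificate's own validity period."""
    return (ca_not_after - ca_not_before).days // DAYS_PER_YEAR


def longest_issuable_years(ca_not_after: date, today: date) -> int:
    """Whole years the CA can still put on a certificate it issues today,
    i.e. its remaining validity (the 'ticking time limit' in the post)."""
    return max(0, (ca_not_after - today).days // DAYS_PER_YEAR)


def plan_certificate(key_bits: int, requested_years: int,
                     ca_not_before: date, ca_not_after: date, today: date):
    """Return the reasons a request cannot be met; an empty list means it can.
    The second rule is implied by the third, but both are listed separately
    because the post states them as two distinct constraints."""
    problems = []
    if requested_years > max_validity_years(key_bits):
        problems.append("exceeds_key_length_guidance")
    if requested_years > ca_validity_years(ca_not_before, ca_not_after):
        problems.append("exceeds_ca_validity_period")
    if requested_years > longest_issuable_years(ca_not_after, today):
        problems.append("exceeds_ca_remaining_validity")
    return problems


if __name__ == "__main__":
    # Constructed issuing CA with a 5-year certificate.
    ca_not_before, ca_not_after = date(2007, 6, 1), date(2012, 6, 1)
    # First example in the post: a 10-year site server signing certificate.
    print(plan_certificate(4096, 10, ca_not_before, ca_not_after, date(2007, 6, 1)))
    # Second example: the CA has been running for 2 years; 4 years is requested.
    print(plan_certificate(4096, 4, ca_not_before, ca_not_after, date(2009, 6, 1)))
    # Within the 3 years the CA has left, the request is fine.
    print(plan_certificate(4096, 3, ca_not_before, ca_not_after, date(2009, 6, 1)))
```

Running it prints the two reasons for the 10-year request, the single remaining-validity reason for the 4-year request after two years of CA operation, and an empty list for a 3-year request, matching the examples in the post. Swapping the key length to 1024 for a 2-year request adds the matrix reason, which is the other restriction the post says to weigh before looking at the CA hierarchy.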

More information:

For MMS customers who couldn't attend the session in person, unfortunately a recording of the session is not available but you can view the slide deck.  Search the MMS catalog by code (SY23) or keyword "Internet-based".

There are numerous articles that help to explain how validity periods are used and configured, but I found this one to be a very useful starting point: Renewing a certification authority.

For any key size limitations applicable to the certificates used in native mode and out of band management:

 

--Carol Bailey


 

Our team member Jason Lewis has posted a new System Center Updates Publisher (SCUP) screencast titled "Creating an Update".  You can view it on his blog here:

http://blogs.technet.com/jasonlewis/archive/2009/05/18/screencast-system-center-updates-publisher-creating-an-update.aspx

His two previous SCUP screencasts can be found here:

Jason plans to add several more screencasts to his SCUP series over the next 3 weeks so check back on his blog often or subscribe.

 

--Yvette

 


 
