I finished creating the Silverlight deployment guide a while ago, but after a number of reviews, revisions, and updates it is finally available for download. This guide is applicable to all versions of Silverlight, including Silverlight 3. The idea was that the guide would have a long life beyond SL 3 without revisions, while areas needing updates (i.e. version history, group policy settings) will continue to evolve on the Silverlight administration page.
Version 1 of the Silverlight deployment guide was geared toward only the 1st release of Silverlight and didn’t include all of the improved Windows Update methods included with Silverlight 2. Some of the changes I’ve made to this document are:
- New sections for deployment using WSUS, SCCM, and manual advertisement
- Version table with the update ID numbers for Update rollup / Feature pack
- Updated text surrounding making a choice for deployment
- Updated logic and text around Silverlight’s built-in auto-updater
- Updated add-on section for IE 8
Download Silverlight Deployment Guide v2
When you create a policy with a custom ADMX template which uses a registry key outside of the standard 4 recommended locations (below) and open up your group policy editor using gpedit.msc, the policy will not be listed and you will get no error. The workaround is to use the group policy editor which comes with the Group Policy Management Console (i.e. right click on a policy in GPMC.msc and choose Edit). This one wasted a bunch of my time, so hopefully you don’t have to go through the same.
Recommended group policy locations:
- HKLM\Software\Policies (computer settings, the preferred location)
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings, an alternative location)
- HKCU\Software\Policies (user settings, the preferred location)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings, an alternative location)
One other note - this bug appears to have already been fixed in Win7 & Server 2008 R2.
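An added example, not from the original post or the deployment guide: a Python check that reads a custom ADMX and reports every policy whose registry key falls outside the four locations above, i.e. the policies that gpedit.msc would silently omit on affected systems. The sample ADMX, the Contoso key names and the function names are constructed for illustration.

```python
"""Flag ADMX policies whose registry keys sit outside the recommended locations."""
import xml.etree.ElementTree as ET

# Key prefixes from the list above; the hive comes from the policy's class.
RECOMMENDED_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)
HIVES = {"Machine": ["HKLM"], "User": ["HKCU"], "Both": ["HKLM", "HKCU"]}

# Constructed sample; the Contoso names and keys are made up for illustration.
SAMPLE_ADMX = r"""
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="UpdateCheck" class="Machine" key="Software\Policies\Contoso\Player" valueName="UpdateCheck"/>
    <policy name="DisableAutoUpdate" class="Machine" key="Software\Contoso\Player" valueName="NoUpdate"/>
    <policy name="PrefixTrap" class="User" key="Software\PoliciesBackup\Contoso" valueName="Flag"/>
    <policy name="ElementOverride" class="Both" key="Software\Policies\Contoso\Player">
      <elements>
        <decimal id="Max" key="Software\Contoso\Player\Limits" valueName="Max"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def in_recommended_location(key):
    """True if key equals a recommended prefix or is a subkey of one."""
    k = key.strip("\\").lower()
    # Require a path separator after the prefix so "Software\PoliciesBackup" does not pass.
    return any(k == p or k.startswith(p + "\\") for p in RECOMMENDED_PREFIXES)


def local_name(element):
    """Tag name without the XML namespace."""
    return element.tag.rsplit("}", 1)[-1]


def audit_admx(admx_text):
    """Return (policy name, hive\\key) pairs outside the recommended locations."""
    findings = []
    for policy in ET.fromstring(admx_text).iter():
        if local_name(policy) != "policy":
            continue
        hives = HIVES.get(policy.get("class", ""), ["?"])
        # The policy's own key plus any key overridden on a child element.
        keys = {el.get("key") for el in policy.iter() if el.get("key")}
        for key in sorted(keys):
            if not in_recommended_location(key):
                findings.extend((policy.get("name"), f"{hive}\\{key}") for hive in hives)
    return findings


if __name__ == "__main__":
    for name, location in audit_admx(SAMPLE_ADMX):
        print(f"{name}: {location} is outside the recommended policy locations")
```
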
Below is a list of all of the Silverlight 1, 2, and 3 installation switches available and their description. This will be included in the Silverlight Enterprise Deployment guide v2 which I’m writing - to be released soon. In the meantime, here they are for your assistance:
The Silverlight install executable file has a number of different switches to customize the installation. The syntax of the setup file is as follows:
Silverlight<version>.exe
/q = quiet install or upgrade. This installs or upgrades Silverlight without seeing the GUI. When Silverlight is installed quietly, by default privacy related features such as DRM protected media playback and the Silverlight auto-update feature will be configured to prompt the user for permission on 1st use of the respective features. The Silverlight auto-update feature requires administrative rights so non-admin users will not be prompted.
/doNotRequireDRMPrompt = turns off the 1st use prompt allowing DRM Playback without requiring any end-user intervention. This setting is automatically included when the quiet install switch is used. By default, DRM Playback is set to prompt on 1st use.
/ignorewarnings = non-fatal warnings will not be reflected in the quiet installer return code but will instead return zero indicating success. This is useful in testing or if custom installation software requires a zero return code.
/noupdate = disables the Silverlight internal auto-updater. The Silverlight auto-updater requires administrative rights, so in environments where users have admin rights this switch may be used to prevent administrative users from being prompted to install updates if you want to control when updates to Silverlight are distributed. Group policy can also be used to implement this setting via a custom ADMX (see Silverlight Deployment Guide).
/qu = quiet uninstall. This uninstalls Silverlight without seeing the GUI. Note: This will only uninstall the exact same version that it installed, so is typically only useful for testing scenarios.
Note: The /doNotRequireDRMPrompt and /ignorewarnings switches are only available with the version of Silverlight 2 GDR 2 (KB 960353 / 2.0.40115.0) or later.
I interviewed Kymberlee Price, IE security PM responsible for future research with ClickJacking. She gives us insight into what research the team is doing in this area as well as other great insights into IE security.
For a complete breakdown of the contents of the interview, please view this post on TechNet Edge. Also, you can check out a great post Kymberlee wrote about ClickJacking on the IE blog.
Below is a list of the top 5 technical reasons why you should care about deploying Internet Explorer 8 now - and also some reasons why IE 8 is better than Firefox/Chrome.
Original article published on Edge here.
- More Productivity – Get things done and browse faster and easier. Microsoft gathered a huge amount of data to understand how people use the browser and the tasks they accomplish. IE 8 is designed out-of-the-box to help get tasks accomplished quicker along with an overall increase in browser performance and reliability. Webslices and Accelerators are innovations you’ll want which no other browser has.
  - Performance – Overall page load times are faster than IE 6/7. Also, IE performs faster than Chrome or Firefox loading the entire page on half of the top 25 websites.
  - Reliability – If a tab crashes, only the tab will crash – not the entire browser. Easily recover all of your tabs/sessions in the unlikely event of the entire browser crashing. Chrome does tab isolation, Firefox does session recovery, IE 8 is the only one to do both.
  - Search – Automatically get more than just text with visual search suggestions while you type, along with a history of your previous searches for your favorite search plug-in such as Live search, Google, Facebook, or Wikipedia. Additionally, get a history of your previously visited websites and favorite sites as you type in the address bar.
  - Accelerators – Highlight text on a webpage and in one click do things like get a map of an address, define a word, send an email, do a search, share on a social networking site, or translate text into another language. Your company might develop a custom accelerator or find one of the existing ~100 which help your users.
  - Webslices – Get a small “slice” visual update for frequently updating content such as stock quotes, traffic, eBay auctions, and weather - dropped down from the browser favorites bar. Your company might also develop a custom webslice or find one of the existing ~30 which might help your users.
- Better Security – Don’t leave your company at a higher risk by using a competing browser or an older version of IE. IE is the best browser at protection from malware and was the 1st to innovate with far more security and privacy enhancements than I can list below.
  - SmartScreen Filter – protects you against evolving threats. Cross Site Scripting (XSS) is the most common class of software vulnerability and IE 8 protects you against type 1 “reflective” XSS attacks. Phishing and malware protection is enhanced to be more effective than in IE 7. IE 8 is currently the only browser on the market to protect you against click-jacking vulnerabilities.
  - InPrivate Filtering – gives an added level of control and choice about the information 3rd-party websites can potentially use to track browsing activity.
  - Per-Site and Per-User ActiveX controls – allows the lockdown of individual ActiveX controls to a specific site or user(s), therefore significantly reducing the attack surface for ActiveX controls, minimizing your risk.
  - Domain Highlighting – automatically highlights the owning domain of whatever site you’re currently viewing. This helps users identify the real site they’re on when a website attempts to deceive them.
- Granular Management – IE is the only browser which gives you the complete control to lock down and fine tune features via group policy. There have been over 100 group policy settings added, bringing the total to ~1,400 policies (xlsx file) which allow you to easily control how you'd like to run IE in your environment.
- Easy to Deploy – IE is the only browser on the market which allows the customization of the initial install package and gives you the support to deploy with so many options. IE 8 can be easily deployed using Windows Update, WSUS, SMS, SCCM, group policy, a network folder or even quickly slipstreamed into your existing Vista images. Furthermore, the Internet Explorer Administration Kit (IEAK) 8 allows customization of the installation package and builds upon the functionality and feedback received from IEAK 7.
- Easy to Migrate – With the capability to emulate IE7 on the browser and websites having the capability to force IE 8 into IE 7 mode with a simple piece of HTML code, there should be little reason to not move from IE 7 to IE 8 while maintaining compatibility with your existing sites. IE 8 is embracing open standards for browsing and will continue to do so; in the long run making it easier for developers and IT Pros to do less testing with their web applications and upgrades, such as future generations of IE. Additionally, there are some great resources to help with your migration:
Download IE 8 RTM
Attend locally or virtually the 1-day IE 8 Firestarter event March 26th
Attend the Internet Explorer 8 FireStarter event on Thursday, March 26th and learn the core of what all IT Pros and Developers need to know about IE 8. You will gain a deeper understanding of the new features, security, deployment best practices, compatibility and migration, and where IE stands with the competition.
Get the breakdown of the speakers and agenda at the following registration links:
Register for the local event in Redmond, WA or Register for the virtual event
You can also check with your local user group affiliated with INETA or Culminis (with support via User Group Support Services) to see if they will host a live streaming of this event or host a re-delivery sometime after the event. Virtual attendees for the live event will be able to ask questions to the speakers through Live Meeting.
If you're able to attend the event in Redmond, there are plenty of things to give away for each of the attendees:
- Thrive Voucher/Card – Valid for one Microsoft Certification OR 1 TechNet Subscription
- IE8 Mug
- IE8 Sticky Notes
- Expression Blend Copies (Trial)
- TechNet Edge tee shirt
- TechNet Edge Sticker
- Pen
Also, we will be raffling off:
- (1) Zune
- (20) IE 8 Fleeces
This event has a limited number of seats and virtual attendees, so register now to reserve your spot!
NOTE: on the day of the event, please visit Mithun's blog if you desire to have an interactive chat session outside of Live meeting.
Wonder why you can't independently update Internet Explorer 8 on Windows 7? We discuss this and a number of other interesting topics with Jane Maliouta, program manager at Microsoft who is responsible for setup and deployment of IE8. View the detailed breakdown of the topics covered, download the video, or comment on the original post for this video on TechNet Edge. Note: the Windows 7 Beta (Build 7000) has a beta IE 8 build from ~October 2008.
Watch all of the TechNet Edge videos on IE 8
Download and Install IE 8
I'm not an Apple hater, but I couldn't resist posting this up. Hopefully, you'll get a laugh out of this Simpsons episode too. "Who dares question the boss we fired 10 years ago and then brought back?"
The full episode can be found here on hulu. Watch it before it gets pulled down for whatever legal reasons like it did from YouTube.
Today Windows Server 2008 and Vista released Service Pack 2 (pre-RTM) through the Customer Preview Program (CPP). MSDN and TechNet subscribers can download the SP2 CPP now, everyone else will have access this Thursday 12/14.
What’s pretty interesting is for the first time the same single service pack files can be deployed across the server (Server 2008) and the client (Vista SP1). Will this capability add any value in your organization or is it only a “that’s neat” type of response?
My colleague, Joey Snow, wrote up a good summary of what’s included with it and links to resources – you can view his blog post on Edge.
OR go straight to download and evaluate the Vista SP2 / Server 2008 CPP beta bits
Want an easy way to know if Live, Yahoo, or Google search will return better quality results? There is an easy way to do this using this site: http://www.mysearchoff.com. It’s great to get simultaneous results from all three engines in a single page. I found this very useful when doing search engine optimization for keyword terms – you can figure out the ranking and see what the page looks like without doing 3x the work. Also, you can vote on what search engine results you think "wins" by clicking on the green checkbox icon in the top right and see the results of peoples' votes.
Also, another site MS employees use to compare Live Search to Google (side by side) is http://www.searchvote.com. Our internal one doesn't give any results for Yahoo and in my own opinion is not as good as the public one, mysearchoff.com, mainly because that one has a voting/results feature and it is easier to display the results b/c you can resize the window.
Personally, I like the friendlier display output of Live Search better than Google Search (i.e. do a search on Barack Obama). Typically Google will have a larger number of results, but IMO this doesn’t matter since you don’t ever really get past the first few pages of results and the Live Search results are quality for those 1st pages the large majority of the time (and sometimes better than Google's). Try it out for yourself and see!
If you want to provide written feedback to Microsoft about Live Search, you can send it via this link: https://feedback.live.com/default.aspx?productkey=wlsearch
On a side but related note, Live Search gives you cash-based incentives to simply use their search engine (called SearchPerks!) and also cashback on products you purchase through Live Search. I'm not sure if this will help increase Live Search's ~8% market share of the search engine business, but it's certainly worth mentioning!
Update 12/12/08 - you can check out the Fall 2008 improvements made to Live Search by watching the video on Channel 10.
Microsoft disclosed Windows Server 2008 R2 at PDC for the 1st time today. Here is a short summary of some of the cool new features in 2008 R2:
Virtualization
- R2 Hyper-V - client virtualization when used with Virtual Desktop Infrastructure (VDI), improved management via PowerShell 2.0 cmdlets, enhanced admin console, and integration with SCVMM
- Live Migration – No downtime to migrate VHDs between Hyper-V servers
- Presentation virtualization - remote apps look exactly the same as running locally, web page login for RAD (RemoteApp and Desktop), RAD control panel to connect to multiple machines
Windows 7 & Windows Server 2008 R2 better together
- Direct Access – no longer will you have to use VPNs, a seamless experience when transitioning between intranet and internet
- Improved RAD (RemoteApp and Desktop) experience – original high-quality audio redirection, multi-mon, video synced, and audio input recording
- Branch Office - BranchCache™ server significantly reduces bandwidth by caching frequently used content
- Bitlocker on removable drives – keep the data on your USB flash or eSata drives secure
Management
- PowerShell 2.0 – easily remotely run scripts on multiple machines
- More options for power management – Automatically and dynamically reduce the number of processor cores used (Core Parking) and/or their processor speed / power consumption
- AD updates – easily recover deleted objects, easier to perform common tasks
- Best Practices Analyzer (BPA) - built-in for each server role to help ensure proper & optimal configuration
Web
- Full .NET support on Server Core
- Easier administration – manage your SQL databases within IIS, integrated PowerShell task automation, built-in configuration editor
- FTP enhancements – FTP over SSL support, IPv6, virtual FTP sites
Scalability & Reliability
- 64 physical Core Support – and 256 logical cores support for a single OS instance
- DNSSEC – verify authenticity of a response from DNS
View the Windows Server 2008 R2 homepage at: http://www.microsoft.com/windowsserver2008r2
Download Windows Server 2008 R2 reviewers guide (Beta) for granular details on the changes.
Even in Beta 1 of Forefront Stirling you can check out the security policy capabilities the product has. I know what you’re thinking – “whoopee, more policies”, but what you can do with the policies in Stirling is quite impressive.
What can you do with Stirling policies?
For each policy, you can easily specify granular compliance settings for Forefront Client Security (FCS), Forefront Server for Exchange (FSE), and various other security state assessments AND specify granular automated actions to be taken to remediate - all from a single console. Some ideas for what you might do with Stirling policies:
- If a client doesn’t have the correct firewall or latest anti-malware updates, remediate this using NAP.
- Scan email using two engines and when a virus is found to be sent via email, clean the virus and initiate a full client virus and anti-malware scan using FCS
- Audit to verify your IIS 6/7 and SQL 2005 servers have appropriate security settings enabled
- If a client is doing a port scan or quickly sending a large number of emails, quarantine their computer using NAP, block their outbound internet access through TMG, scan their email for viruses with FSE, and do a full virus scan with FCS
In updates past Beta 1, you can eventually expect even more capabilities and integration with other Forefront products.
How does it work?
There are two major components – the policy and the target group. The policy contains all of the settings you are checking for and/or the remediation steps. The target group can be a user, group, computer, OU, or domain. A policy can be bound to one or more target groups and precedence can be set to determine priority if there are conflicts in policy settings. Under the hood, you have Enterprise Security Assessment Sharing (ESAS) and SCCM doing the majority of the communication work related to the policies – which I’ll cover in more depth in future posts.
What’s the catch?
In order to get this functionality working, you’ll need to have the core Stirling infrastructure in place and then have the vNext versions of FCS and FSE installed (if you create policies related to these settings). Also, for the NAP functionality to work, you’re going to need to set up a NAP infrastructure separately.
GET STARTED
Download Beta 1 software or VHDs
Working with Stirling Policies
Ok, when Adam did the Edge interview with Bob Muglia back in January at his office, he talked about having a 9 server infrastructure at home. Tina Wood actually went to his home and published a video today which shows this. Bob shows his server room with raised floors and a terminal server console which they have around their home to control various functions of his house. I guess being the geek I am, I got excited at the idea of having my own server "Rack P_ _ _" at home and thought I'd blog about it. Also, it is pretty cool to know my boss 5 levels up (Bob is directly under Steve Ballmer) is an IT guy.
The question we still don't have answered though is - does Bob use a Home Server?
Today at noon IE8 Beta 2 was released and I did an interview with James Pratt to do a quick run down of what's cool with IE8 for IT Pros. One item I didn't mention in my post on Edge is a summary link of IE8 features for IT Pros on the IE blog and also the IE resources page for IT Pros on TechNet.
We only have the single file format (wmv) to download (instead of psp, ipod, zune also) because you'll notice there is a combination of higher quality resolution screencast combined with the regular video and our automated program to create all these can't handle this format yet.
I had the chance to interview Mark about the future. One thing he answers is - do you think we should or need to just scrap the Windows code base and start over? A breakdown of everything which was covered can be found on Edge.
Interview with Mark Russinovich: the future of Sysinternals, Security, Windows