I know this isn’t Mobile Device Manager specific but I thought it was something you’d appreciate hearing about nonetheless. The Solution Accelerator team is pleased to announce the immediate availability of the Microsoft Assessment and Planning Toolkit 5.0 Community Technical Preview (CTP). Designed to simplify and streamline the IT infrastructure planning process across multiple scenarios through network-wide automated discovery and assessments, this tool provides a quick and complete inventory of the current IT environment of any organization, hardware and device compatibility assessment, and actionable reporting of recommended hardware upgrades for migration.
The MAP Toolkit 5.0 CTP includes these new features:
· Heterogeneous Server Environment Inventory for Technologies including Windows Server, Linux, UNIX and VMware.
· Ability to determine usage of deployed System Center Configuration Manager, a member of the Core Client Access License Suite.
· Readiness assessment for migration or upgrade to Microsoft Office 2010.
Over 800,000 Microsoft customers and partners including Costco Wholesale Corporation, Continental Airlines, and Pella Corporation have already downloaded and used this toolkit to help plan for their server and PC deployments.
Additional MAP Toolkit Features include:
• Windows 7 Hardware and Device Compatibility Assessment.
• Windows Server 2008 R2 Hardware and Device Compatibility Assessment.
• Virtualization Candidates Assessment for Hyper-V Server Consolidation.
• Inventory of VMware Server Hosts and Guests.
• Enhanced Usability and Improved Inventory Performance.
• SQL Server Instance Discovery.
• Desktop Security Assessment for Anti-virus and Anti-malware Programs Installation.
• Forefront Client Security/NAP Readiness Assessment.
To give you a quick sample, here are a couple MAP 5.0 Inventory and Assessment Wizard screenshots:
Here’s what the System Center Configuration Manager Server Report looks like:
Next Steps
· Register for the MAP Toolkit 5.0 CTP and download. (Live ID required)
· Want to influence the future of MAP? Complete the survey and receive a free 4GB Solution Accelerator branded Memory Stick.* (Live ID required)
· Download other Windows Server 2008 R2 and Windows 7 Solution Accelerators for your IT planning, deployment, and management needs.
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
I asked the FixIt team for this a while back and they have delivered. Now if you ever run into the symptoms below the chances are good we can automatically fix it with just a few clicks of the mouse:
The Symptoms: When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following:

HTTP 401.1 – Unauthorized: Logon Failed
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
Additionally, an event message that resembles the following event message is logged in the Security Event log. This event message includes some strange characters in the value for the Logon Process entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: Computer_Name
Description: Logon Failure:
Reason: An error occurred during logon
User Name: User_Name
Domain: Domain_Name
Logon Type: 3
Logon Process: Ðùº
Authentication Package: NTLM
Workstation Name: Computer_Name
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: IP_Address
Source Port: Port_Number
The Cause: This issue occurs when the web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
The Fix: If you happen to come across any symptoms like this then take a look at the following Knowledge Base article:
896861 - You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
The cool part is that this KB article contains a link to a Wizard that will fix this issue for you automatically. All you have to do is download and run it. This Loopback issue impacts almost any product that uses IIS, including your very own favorite, System Center Mobile Device Manager.
Jarrett Renshaw | Content Quality Program Manager
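For triage, the Event ID 537 failure audit shown in the post above can be told apart from a failed NTLM logon that came from another machine. This is an added example, not code from the post or the KB article; it assumes, from the post's sample where Computer and Workstation Name carry the same name, that the loopback case is the one where the two match. The host and account names in the sample log are constructed.

```python
import re

# Field values that identify the failure audit shown in the post.
SIGNATURE = {
    "Event ID": "537",
    "Logon Type": "3",
    "Authentication Package": "NTLM",
    "Status code": "0xC000006D",
}


def parse_event(text):
    """Turn one 'Name: value' event dump into a dict (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values such as times stay intact.
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def classify(fields):
    """Label an event: 'loopback-401.1', 'remote-ntlm-failure' or 'other'."""
    for name, expected in SIGNATURE.items():
        if fields.get(name, "").lower() != expected.lower():
            return "other"
    # Assumption: the loopback symptom is logged with the server's own name
    # as the workstation, because the request was made on the server itself.
    local = fields.get("Computer", "").lower()
    origin = fields.get("Workstation Name", "").lower()
    if local and local == origin:
        return "loopback-401.1"
    return "remote-ntlm-failure"


def triage(log_text):
    """Classify every event in a text export where events are blank-line separated."""
    results = []
    for chunk in re.split(r"\n\s*\n", log_text.strip()):
        fields = parse_event(chunk)
        results.append((fields.get("User Name", "?"), classify(fields)))
    return results


# Constructed sample: host and account names are placeholders.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 537
Time: 10:15:02
Computer: WEB01
User Name: svc_portal
Logon Type: 3
Authentication Package: NTLM
Workstation Name: WEB01
Status code: 0xC000006D

Event Type: Failure Audit
Event ID: 537
Computer: WEB01
User Name: jdoe
Logon Type: 3
Authentication Package: NTLM
Workstation Name: CLIENT07
Status code: 0xC000006D

Event Type: Failure Audit
Event ID: 529
Computer: WEB01
User Name: jdoe
Logon Type: 2
Workstation Name: WEB01
"""

if __name__ == "__main__":
    for user, label in triage(SAMPLE_LOG):
        print(f"{user:12} {label}")
```

Events labelled remote-ntlm-failure share the same status code but did not originate on the server, so they are not explained by the loopback issue and need separate review.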
Here’s a problem which we’ve seen a couple of times which can be caused by bad packages in software distribution. This problem can arise when Software Distribution is being used, and you notice that devices don’t seem to be getting packages, nor getting updated in the Software Distribution console. As well as this, the following message is logged in the MDM event log on the Device Management Server:
Event Type: Warning
Event Source: Device Manager
Event ID: 8041
Description:
Software Distribution service received insufficient query results from device {DeviceSID}.
Missing LocUri ./Vendor/MSFT/SwMgmt/Download?list=StructData.
You will also notice that in the Device History tab, the ‘./Vendor/MSFT/SwMgmt/Download?list=StructData’ URI will have returned a status of ‘Failed’.
Firstly, let’s look at what this means. ‘./Vendor/MSFT/SwMgmt/Download?list=StructData’ is part of the Download Configuration Service Provider, which you can find documented at http://msdn.microsoft.com/en-us/library/cc563003.aspx. This is described as “Parent characteristic for the components that are ready to download or are in the process of downloading”. So this stores information about packages which are in the process of being distributed, before they have finished installing.
The Device management server is requesting this information, so it can know which packages are in the process of being downloaded. In this situation, the data returned is showing an error – so we know the problem occurs on the mobile device itself when we ask for this info.
This situation can typically occur in situations such as:
- A package is distributed which requires user interaction, for example to click a button or agree to some terms. If the user cancels this or ignores it, the install may fail.
- A package is distributed which restarts the mobile device forcefully, before the install process has completely finished.
When a scenario like this happens, the package distribution process doesn’t finish installing the software and cleaning up the download list. Therefore, the device gets left in a state where the software installer has finished, but the data at ‘./Vendor/MSFT/SwMgmt/Download?list=StructData’ hasn’t been cleared up. This leaves orphaned information in the download list, which causes the error you see on the Device Management Server.
How to fix it
To stop the error & to get software distributing again, you need to do two things. Firstly, you need to clear up that orphaned data, then check your software packages to see which is the culprit.
To clear up the download list, we can use some provisioning XML:
- Download the _Setup.xml file which is attached to this entry
- Use ‘makecab.exe’ to convert this into a .cab file. The easiest way to do this is to load up the Visual Studio 2008 Command Prompt and run:
o Makecab _setup.xml SWDist.cab
- Now you need to install this cab on the devices. The easiest way to do this is to import the cab into the SCMDM Software Distribution console.
- Once it’s imported, click on the ‘File Information’ button & copy out the ‘File URI’.
- Email this link out to the mobile devices, click it & run the file!
After this has been applied to the devices, you should see software distribution working again & ‘./Vendor/MSFT/SwMgmt/Download?list=StructData’ will start reporting success in the MDM console. Remember to go and test out your packages afterwards!
Please note: As this change removes information about packages which are downloading, this process shouldn’t be done at the same time a new software deployment is being pushed out.
Rob Davies | Senior Support Engineer

You’ve heard about it and read about and now you’ll soon have the chance to try it out yourself. The System Center Online Desktop Manager beta is coming soon:
The System Center Online team has been working hard in preparation for its next beta release of System Center Online Desktop Manager, expected in the fall of this year. This exclusive beta will only be available to a select number of customers. Our last beta was only offered to a small audience and resulted in a lot of great feedback from the customers who participated. This time we are widening the scope to include a few hundred customers.
Here's what will be included in the upcoming release:
- Updates Management Workload: Manage the Microsoft updates from a web-based console. Review available updates, choose updates and deploy to selected computers or groups of computers. Imagine WSUS from the cloud.
- Policy Workload: Provides the ability to configure operational settings of the Windows Update and Anti-Malware agents installed on the client computers.
- Anti-malware Workload: Review anti-malware, anti-virus status and remedial actions from the SCODM console. Ensure managed computers have up-to-date signatures.
- Assets Workload: Collect detailed hardware and software inventory on managed computers. View this information in reports. Use the License reconciliation feature to load your Microsoft volume license agreement information and compare installed application quantities with licensed quantities.
- Alerts Workload: Helps you quickly and easily find problems (or potential) on your computers. You can also get help on how to solve the problem or how to start troubleshooting.
We are looking for customers who are interested in participating in the fall beta! If you are an IT Pro who manages an IT environment and are interested in participation, we'd like to hear from you.
For all the details see http://blogs.technet.com/systemcenteronline/archive/2009/09/23/system-center-online-desktop-manager-beta-is-coming-soon.aspx
Enjoy!
J.C. Hornbeck | Manageability Knowledge Engineer
The System Center Mobile Device Manager 2008 Security Configuration Wizard (SCW) includes three templates that you can apply to MDM servers to help enhance security by disabling functionality that is not required for the servers.
The SCW is an attack-surface reduction tool that is bundled with Microsoft Windows Server 2003. By using the SCW, you can create security templates that then can be applied to the server on which they were created or to other similarly configured servers.
The MDM SCW templates provided in this download are pre-configured by using SCW to disable functionality that is not required on each MDM server. The following SCW templates are included:
* DeviceManagementPolicy.xml - Template for MDM Device Management Server
* EnrollmentPolicy.xml - Template for MDM Enrollment Server
* GatewayPolicy.xml - Template for MDM Gateway Server
For more information about using SCW, see "SCW Quick Start Guide" on the following TechNet Web page: http://go.microsoft.com/fwlink/?LinkId=118378
Obtain the Server Tools here:
Resource Kit Tools - Server Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=0433b453-15a5-48ae-a343-6a1053f46251&displaylang=en
Network Service account requirements, as well as other security specific content:
Provide Network Service Permissions to the Certificate
http://download.microsoft.com/download/7/e/f/7ef580df-3666-4746-b5ad-67393983c819/SCMDM08Deployment.doc
Other Tools:
System Center Mobile Device Manager Resource Kit Tools
http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
Other security content:
Security Best Practices in MDM
http://technet.microsoft.com/en-us/library/dd261854.aspx
MDM Backup and Recovery
http://technet.microsoft.com/en-us/library/dd261892.aspx
Security and Protection for Mobile Device Manager
http://technet.microsoft.com/en-us/library/dd252842.aspx
Clint Koenig | Support Escalation Engineer

Just an FYI that we published a new Knowledge Base article for System Center Mobile Device Manager 2008 last week.
I mentioned this issue here last week but we now have an official KB documenting it as well:
KB974680 - The Group Policy setting "Code Word" for System Center Mobile Device Manager 2008 is not correctly applied to Windows Mobile 6.1 mobile devices when the policy is Disabled
J.C. Hornbeck | Manageability Knowledge Engineer

Just an FYI that we published a new Knowledge Base article for System Center Mobile Device Manager 2008 last week.
I mentioned this issue here last week but we now have an official KB documenting it as well:
KB974606 - The Group Policy setting "Code word frequency" for System Center Mobile Device Manager 2008 is not correctly applied to Windows Mobile 6.1 mobile devices when the policy is "Disabled"
J.C. Hornbeck | Manageability Knowledge Engineer
When you disable the Group Policy setting Code Word by using Microsoft System Center Mobile Device Manager (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may continue to use the previously set code word.
This group policy setting affects this Windows Mobile registry key when applied to the device:
HKEY_LOCAL_MACHINE\Comm\Security\LASSD\CodeWord
When this policy is set to Enable the Code Word value is set in this registry key, however when this policy is set to Disable the registry key is deleted. When the registry key is not found, the Windows Mobile device continues to use whatever code word was set previously.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem has not been corrected at the time of publication of this article.
The only workaround at this time is to not disable the policy. Using the Group Policy Management Console, rather than set the policy to Disable, always set it to Enable and specify your desired code word.
Note: Special thanks to our very own Dave Hattaway for contributing the preceding information.
J.C. Hornbeck | Manageability Knowledge Engineer
When you disable the Group Policy setting Code word frequency by using Microsoft System Center Mobile Device Manager (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may continue to ask the user to enter a code word after a number of incorrect password attempts.
This group policy setting affects this Windows Mobile registry key when applied to the device:
HKEY_LOCAL_MACHINE\Comm\Security\LASSD\CodeWordFrequency
When this policy is set to Enable the frequency value is set in this registry key, however when this policy is set to Disable the registry key is deleted. When the registry key is not found, the Windows Mobile device reverts to the default behavior, which is to ask the user to enter a codeword after 8 incorrect password attempts.
This issue is fixed in System Center Mobile Device Manager 2008 Service Pack 1 but the following workaround is also available:
Important: The following workaround applies only to the English version of Microsoft System Center Mobile Device Manager 2008. There are no workarounds for other language versions of the product at this time.
Warning: Serious problems might occur if you modify system files incorrectly. These problems might require that you reinstall server software or components of server software. Microsoft cannot guarantee that these problems can be solved. Modify the system files at your own risk.
Important: The following workaround requires you to modify an important system file. Make sure that you back up the referenced file before you modify it. Make sure that you know how to restore the system file if a problem occurs. Do not proceed with the following procedure if you do not know how to back up and restore a file. Revert to the original file if you encounter any problems with the workaround.
The following steps modify the ADM template file that includes the Code word frequency Group Policy setting. When you have successfully modified the file, you can use the Code word frequency Group Policy setting to correctly update managed devices.
1. On the computer on which you have installed the MDM Administrator Tools, navigate to the %windir%\INF folder.
2. Type the following at a command prompt to make a backup copy of the mobile.adm file:
copy mobile.adm mobile.adm.bak
3. In a text editor, such as Notepad, edit the mobile.adm file to change the MIN setting for Policy_CodeWordFrequency
REPLACE:
POLICY !!Policy_CodeWordFrequency
EXPLAIN !!Explain_CodeWordFrequency
PART !!Part_CodeWordFrequency NUMERIC
KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Comm\Security\Policy\LASSD"
VALUENAME "CodewordFrequency"
MIN 1
MAX 4294967295
DEFAULT 8
END PART
END POLICY ;;!!Policy_CodeWordFrequency
WITH:
POLICY !!Policy_CodeWordFrequency
EXPLAIN !!Explain_CodeWordFrequency
PART !!Part_CodeWordFrequency NUMERIC
KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Comm\Security\Policy\LASSD"
VALUENAME "CodewordFrequency"
MIN 0
MAX 4294967295
DEFAULT 8
END PART
END POLICY ;;!!Policy_CodeWordFrequency
4. Save the file and exit the text editor.
5. Using the Group Policy Management Console, instead of setting this policy to Disable, set it to Enable and set the value to 0.
To apply the new setting to managed devices, you must update the Code word frequency Group Policy setting in MDM. To refresh the setting in MDM, in MDM Console, run the following cmdlet:
Update-MobilePolicyCalculation <device>
Where <device> is the managed device on which you want to update the Group Policy setting. New settings are pushed down to managed devices during the next synchronization with MDM.
Note: Special thanks to our very own Dave Hattaway for contributing the preceding information.
J.C. Hornbeck | Manageability Knowledge Engineer
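The mobile.adm edit from steps 2 to 4 of the Code word frequency workaround above can be scripted so that only the MIN line inside the Policy_CodeWordFrequency block changes and the backup is made first. This is an added example, not Microsoft's tooling; the helper names `patch_adm_text` and `patch_adm_file`, the neighbouring `Policy_Other` block in the sample and the encoding handling are assumptions.

```python
import re
import shutil
from pathlib import Path

POLICY = "Policy_CodeWordFrequency"
# From the "POLICY !!<name>" line to the first following "END POLICY" line.
BLOCK_RE = re.compile(
    r"^[ \t]*POLICY[ \t]+!!" + POLICY + r"\b.*?^[ \t]*END[ \t]+POLICY\b",
    re.S | re.M,
)
MIN_RE = re.compile(r"^([ \t]*MIN[ \t]+)(\d+)", re.M)


def patch_adm_text(text):
    """Return (new_text, status) with status 'patched' or 'already-patched'.

    Raises ValueError when the block is missing or MIN is neither 1 nor 0,
    so an unexpected template is never rewritten blindly.
    """
    block = BLOCK_RE.search(text)
    if block is None:
        raise ValueError("POLICY !!%s block not found" % POLICY)
    mins = MIN_RE.findall(block.group(0))
    if len(mins) != 1:
        raise ValueError("expected one MIN line, found %d" % len(mins))
    value = mins[0][1]
    if value == "0":
        return text, "already-patched"
    if value != "1":
        raise ValueError("unexpected MIN value %s" % value)
    new_block = MIN_RE.sub(lambda m: m.group(1) + "0", block.group(0), count=1)
    return text[:block.start()] + new_block + text[block.end():], "patched"


def patch_adm_file(path):
    """Back up <path> to <path>.bak (step 2), then apply the MIN change (step 3)."""
    path = Path(path)
    raw = path.read_bytes()
    # Assumption: the file is UTF-16 with a BOM or a single-byte code page;
    # latin-1 round-trips single-byte content unchanged.
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    new_text, status = patch_adm_text(raw.decode(enc))
    if status == "patched":
        backup = path.with_name(path.name + ".bak")
        if not backup.exists():  # never overwrite an earlier backup
            shutil.copy2(path, backup)
        path.write_bytes(new_text.encode(enc))
    return status


# Constructed sample: the second block is the one quoted in the post, the
# first is a made-up neighbour that must stay untouched.
SAMPLE_ADM = r"""POLICY !!Policy_Other
    PART !!Part_Other NUMERIC
        VALUENAME "Other"
        MIN 1
    END PART
END POLICY
POLICY !!Policy_CodeWordFrequency
    EXPLAIN !!Explain_CodeWordFrequency
    PART !!Part_CodeWordFrequency NUMERIC
        KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Comm\Security\Policy\LASSD"
        VALUENAME "CodewordFrequency"
        MIN 1
        MAX 4294967295
        DEFAULT 8
    END PART
END POLICY ;;!!Policy_CodeWordFrequency
"""

if __name__ == "__main__":
    patched, status = patch_adm_text(SAMPLE_ADM)
    print(status)
    print(patched)
```

Step 5 (setting the policy to Enable with the value 0) and the Update-MobilePolicyCalculation cmdlet are still carried out as described in the post.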
I was looking around Facebook the other day and thought “Wow, there sure are a lot of companies out here, sharing information and whatnot” and then I thought hey, why not me too. After all, if there’s another avenue that can be opened up that might make it easier for people to exchange information and solutions surrounding Microsoft System Center products then I’m all for that.
So I signed up, added a couple friends and proceeded to create our new group. The group, appropriately named Microsoft System Center, will focus on all the products I work with, including Ops Manager/MOM, Config Manager/SMS, App-V/SoftGrid, Mobile Device Manager, VMM/Hyper-V, MED-V and WSUS.
Now I know what you’re thinking: “Great, another site I have to keep up with” but this isn’t meant to replace the Twitter presence or this blog, but rather it will offer an alternative way to consume much of the same information. I’m all about options after all ;)
So if you’re on Facebook, or plan on signing up, stop by and say Hi.
Note that just like Twitter and this blog, this group is not meant to be a forum to request technical support, but with any luck we'll soon have many members more than willing to help their fellow System Center users out.
I hope you find this group helpful and informative, and if you have any feedback be sure to let me know.
J.C. Hornbeck | Manageability Knowledge Engineer
We’ve recently been asked a few questions about the SCMDM roadmap and future versions. Here’s a quick overview of what is to come.
At the recent MMS and Tech Ed US 2009 conferences, the System Center Configuration Manager team revealed some important news regarding the future of device management. Here are a few of the key messages that were shared:
- The next major release of Configuration Manager will have the major MDM functionality for device management including SW Dist, Inventory, Settings Management, reporting, etc;
- Both desktops and mobile devices can be managed by a "single pane of glass";
- Device Management will not require the use of a VPN server;
- Corporate network access can be obtained by "then current" solutions supported by the mobile device client and server infrastructure;
- Product roadmaps for both Configuration Manager 2007 (DM) and Mobile Device Manager both converge on this next version of Configuration Manager
While there are surely more details that everyone would like to hear, this should be great news for those wanting to hear a confirmation that Microsoft is committed to continuing and improving mobile device management. We’ll be sure to keep you updated with future developments on this blog, so watch this space!
Rob Davies | Senior Support Engineer
As you may know, with the Service Pack 1 release of SCMDM we introduced support for virtualization of our server roles. This allows you to run the Windows Server 2003 x64 guest OS in a Hyper-V environment. We wanted to clarify that this applies to the virtualization of the Device Management and Enrollment Server SCMDM roles, but does not apply to the Gateway Server role.
The architecture of the Gateway server requires two network cards, one for the internet and one for the internal network, which the SCMDM VPN monitors traffic on. We recommend that this should not be implemented on a virtual machine due to the complications that this introduces. Therefore the supported setup is to use a physical server with 2 network interfaces for your SCMDM Gateway Servers. For more information about the Gateway Server role and its requirements, please see http://technet.microsoft.com/en-us/library/dd252779.aspx.
Rob Davies | Senior Support Engineer
Here’s an interesting issue that one of our top Support Escalation engineers by the name of James Geater ran into a while back. It can be a tricky one to troubleshoot as the cause of the issue isn’t obvious so I thought it would be worth a quick post here:
========
When using System Center Mobile Device Manager to distribute software, the installation may complete normally but the application fails to run with a signature failure of some kind. I say “some kind” because the exact error may vary depending on the application.
This can happen if the files used by the application are altered during the installation. For example, if the date/time stamp is changed at the time of install, possibly from the file getting renamed, you can see this exact issue. This is because altering the file invalidates the digital signature.
To verify this look at the files in the source and compare them to the ones on the device. Look closely at the size and the Date/Time stamp. If there’s a discrepancy, copying the original files from the source onto the device may serve as a workaround to the issue.
========
Thanks James!
J.C. Hornbeck | Manageability Knowledge Engineer
We are happy to announce that we now support System Center Mobile Device Manager 2008 SP1 with a Windows Server 2008 Enterprise Edition Certificate Authority. We’ll be documenting this on TechNet in the near future but we wanted to let you all know that this is now fully tested and supported.
For this to work on the device side, we require Windows Mobile build 6.1.4 or later. For earlier Windows Mobile 6.1 builds, you can install update KB951840 from http://support.microsoft.com/kb/951840/.
So now you can deploy SCMDM with a Windows Server 2008 issuing CA in a Server 2008 functional level domain. For the complete list of system requirements for SCMDM please see http://technet.microsoft.com/en-gb/library/dd261866.aspx.
Rob Davies | Senior Support Engineer
Here’s another webcast on System Center Mobile Device Manager 2008 in case you haven’t already seen it. This one is about an hour and a half long and discusses how to successfully (and cost effectively!) implement this product in the enterprise. I have the event description and a link below:
Language(s): English.
Product(s): Windows Mobile.
Audience(s): IT Professional.
Duration: 90 Minutes
Event Overview
System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying and implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.
Presenter: Patrick Salmon, Mobility Architect, Enterprise Mobile
To read more and to register online see TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
J.C. Hornbeck | Manageability Knowledge Engineer