January’s Config Manager Newsletter
Each month, right after Patch Tuesday, I put together a newsletter for my customers and for all of Microsoft PFE in general. While I can’t post the current edition of the newsletter, as it would not be fair to my customers who have paid for it, I will post last month’s newsletter. I will try to post this on a monthly basis, but it will always be the previous month’s newsletter. There may also be some formatting issues, but I will work on them.
I will be in the office this month. No planned trips at this point.
January 2009 Released Patches:
This alert is to provide you with an overview of Security Bulletins released by Microsoft on January 13th, 2009.
New Security Bulletins:
Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:
| Maximum Severity | Bulletin Number | Title | Products Affected | Replaces | Distribute With | Restart |
|---|---|---|---|---|---|---|
| Critical | | Vulnerabilities in SMB Could allow Remote Code Execution (958687) | All currently supported versions of Windows | MS08-063 | ConfigMgr-WSUS | Yes |
Summaries for these new bulletins may be found at the following page:
https://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
Customers are advised to review the information in the bulletins, test and deploy the updates immediately in their environments, if applicable.
The Microsoft Security Team has created a new blog that explains each Security Bulletin in more depth. If you really want to know the ins and outs of the vulnerabilities, then this blog is for you.
Keep up to the minute with the Microsoft Security Team’s Blog.
This is a new section that will list blogs that deal with Config Manager and related products. The blogs listed below are ones that I usually visit on a regular basis and when I am doing research on a customer’s issues. I will be adding to the list as I find new blogs that contain helpful information. I subscribe to the RSS feeds on a lot of these. If you run across any that you would like to see on the list, please let me know.
· SMSandMom, SoftGrid, and WSUS blogs
· Michael Wiles Blog
· Carlos Santiago Blog
· Steve Rachui Blog
· Russ Slaten Blog
· Michael Niehaus Blog
· The Deployment Guys Blog
· Jeff Gilbert Blog
· Paul Thomsen Blog
· Donnie Taylor Blog
· Greg Ramsey Blog
In this section I will highlight a blog entry that I think stands out and might help you in your day-to-day activities with Config Manager. This month’s entry comes from Jeff Gilbert’s blog.
At the end of October Jeff blogged about how to “Deploy SQL Server 2005 SP2 using an OSD Task Sequence”. There is a Part 1 and a Part 2 to complete the blog entries. Part 1 goes over how to create the SQL 2005 package, but Part 2 really gets to the meat of the issue, with lots of screenshots and steps on how to make this work correctly. Now that SP3 has been released, I think this would be a good blog entry to review if you are thinking about deploying SP3 with Config Manager. I know that Jeff shows how to do it with SP2, but I am sure that most if not all of the steps will work correctly with SP3. I plan to test this in my environment over the next couple of weeks and will let you know how it goes in the next newsletter.
· The System Center Config Manager Documentation Library has been updated; this link will take you there.
· Here is the link to the System Center Configuration Manager TechCenter web page.
· This link to Microsoft Connect will take you to the System Center Service Manager beta that is now available. A whitepaper outlining the Service Manager vision is here.
· This link will take you to some Training Videos for the Intel vPro AMT integration with Config Manager SP1.
· This link will point you to the App-V Extensibility Today Before the SDK Document.
· Here is a link to the Creating Customer Reports by using CM07 SQL Views document.
· Version 4.5 of the System Center Updates Publisher can be found here.
· Here is the link for the Third Party Custom Catalogs for CM07.
· This link will take you to the Configuration Packs available for DCM.
· CM07 R2 is now out and the eval can be downloaded from this link.
· PreLoadPkgOnSite tool has been released to the web.
· Config Manager SP1 can now be downloaded from this link and ICPs can be found here.
· Custom Error Codes for Config Manager can be found here.
· This link will explain what all the CM07 logs are for, and here is a list of the CM07 Icons and what they are for.
· Config Manager Software Updates Synchronization SuperFlow is now available at this link.
· The Config Manager Toolkit is now out and the CM07 SDK has been released.
· Here is a link to the Config Manager 2007 Technical Library, the CM07 Reviewers Guide PDF file is here, and CM Software Update Guide Whitepaper is at this link.
· Here is a link to all SMS 2003 Service Packs (SP1, SP2, and SP3).
· Here is a link to the SMS 2003 Documentation, the SMS 2003 Technical Library, and the SMS 2003 Scripting Guide.
This month we take a look at the last item in R2: Forefront Client Security Integration.
Microsoft Forefront Client Security provides unified virus and spyware protection for business desktops, laptops, and server operating systems. You can use desired configuration management to monitor the Client Security agent on clients managed by Microsoft System Center Configuration Manager 2007 R2 sites.
System Center Configuration Manager 2007 R2 provides assurance that this critical service is running and in a state to provide up-to-date protection from security threats. R2 contains the Forefront Client Security – Client Health DCM baseline and several supporting configuration items. These CIs assess the state of the FCS agents on the machines managed by SCCM 2007 R2. The SCCM administrators will be notified when a machine is determined to be in an unhealthy or non-compliant state so that action can be taken to restore these services and/or the correct agent configuration.
Reports are available to give a global view of the overall state of the FCS clients. These reports allow the SCCM admin to quickly identify machines that may not be protected because of a service or configuration problem with the FCS client.
No changes are made to the FCS product to support this work. FCS monitoring in SCCM R2 assesses the health of the FCS agents on SCCM clients and reports any issues that are found. Malware events and other data regarding malware found by the FCS agent are not monitored or reported on. Administrators use their existing FCS infrastructure for notification of this type of information.
To monitor the Client Security agent, you import the configuration pack included on the Configuration Manager 2007 R2 CD, assign the baseline to a collection that contains computers running the Client Security agent, and then monitor the compliance evaluation reports as you would for any other configuration baseline. No additional installation or configuration is needed.
Configuration Manager 2007 does not actually report back about malware or viruses detected; those alerts are monitored by Client Security as long as the Client Security agent is operating correctly.
Prerequisites for Forefront Client Security Reporting
In order to implement the functionality of the Forefront Client Security Configuration Pack, we need to make sure that the Desired Configuration Management Client Agent is enabled. Additionally, the clients we wish to monitor must have .NET Framework 2.0 installed.
The above information is taken from the “Config Manager 2007 R2 Install and Features” document. If you need this document please let me know.
Please follow the steps below to install the Config Manager RTM eval bits for testing:
· Start with a baseline of Windows 2003 SP2
· .NET Framework 2.0 is required. The .NET Framework 2.0 is available for download at: https://go.microsoft.com/fwlink/?LinkID=56407
· Install SQL 2005 and apply SQL 2005 SP2
· Hotfix number 932303 addresses a known WMI issue where the Configuration Manager 2007 console stops responding. You should apply the hotfix to the site server and to all Configuration Manager 2007 consoles. The KB Article for the hotfix is available on the Microsoft Support site at https://go.microsoft.com/fwlink/?LinkId=83055. This fix can now be downloaded from this link.
· Install WSUS 3.0 RTM. You can download it from here.
· Install Config Manager 2007 RTM.
Once your RTM site is working follow these steps to upgrade that site to SP1:
· Upgrade WSUS 3.0 to WSUS 3.0 SP1 which can be downloaded from this link.
· Apply the Windows 2003 Schannel Hotfix KB Article number 942841.
· Apply the Windows Remote Management Tool to run the Out of Band Console. This can be downloaded from here.
· Apply the MMC Update from KB Article number 940848.
· Install the CM07 SP1 upgrade.
Once your Config Manager site is at SP1 you can install the R2 eval bits. No prerequisites are needed, just SP1.
New SMS 2003 and SCCM 2007 Knowledge Base Articles
Hotfixes
· We have a new support option available on the Microsoft Help and Support website. Customers can now request hotfixes on the website. Click here for the website.
· 961328 has been released as a hotfix. This hotfix corrects a PKI Provisioning issue that was not working on 2.2 AMT systems. The KB on this is not public yet but the hotfix is done.
· 960065 has been released as a hotfix. This hotfix corrects a problem where Updates are not deployed to some clients when you use WSUS or SUM to deploy updates in System Center Configuration Manager 2007 Service Pack 1. The KB on this is not public yet but the hotfix is done.
· 960804 has been released as a hotfix. This hotfix rollup package addresses some issues with the Out of Band Management (OOB) feature in Configuration Manager 2007 Service Pack 1. The KB on this is not public yet but the hotfix is done.
· 958598 has been released as a hotfix. This hotfix corrects a problem where the Audit Message for “Create a Task Sequence Package” does not identify the system, component and user name. The KB on this is not public yet but the hotfix is done.
· 957255 has been released as a hotfix. This hotfix corrects an issue where the Wake On Lan Manager did not consider DST when calculating the next wake time. The KB on this is not public yet but the hotfix is done.
· 959038 has been released as a hotfix. This hotfix corrects a problem where a task sequence would continue to execute even if a failure exit code was returned. The Reports would also show a success for the failed installation. The KB on this is not public yet but the hotfix is done.
Config Manager 2007 SP1/R2 Updates and Hotfixes:
· KB956944 - Error message when you use the System Center Configuration Manager 2007 Service Pack 1 console to connect to a Configuration Manager 2007 site server that is not running Service Pack 1
· KB959812 - Operating System Deployment (OSD) tasks may fail randomly in System Center Configuration Manager 2007 Service Pack 1-based systems (959812)
· KB959040 - System Center Configuration Manager 2007 Service Pack 1 systems cannot provision AMT 2.2/2.6 clients in PKI mode and AMT 2.1/2.5 clients in PSK mode (959040)
· KB956194 - Distribution Manager in System Center Configuration Manager 2007 Service Pack 1 may require several hours after startup before it begins to process packages
· KB958021 - Error message in the Configuration Manager console when you create a new task sequence: "The task sequence cannot be created" (958021)
· KB958808 - User data from the USMT may be deleted unexpectedly by the task sequence engine during the operating system deployment process in System Center Configuration Manager 2007 SP1 (958808)
· KB954716 - The SMS_EXECUTIVE service of System Center Configuration Manager 2007 on a child site server may crash when it handles the .sha file and sends inventory data to its parent site (954716)
· KB956733 - Some attributes of a System Center Configuration Manager 2007 client may be missing after it is configured as a branch distribution point (956733)
· KB957325 - The Inventory Data Loader component cannot process hardware inventory data from System Center Configuration Manager 2007 Service Pack 1 clients if one or more properties contain more than 256 characters in the NOIDMIF files (957325)
· KB955842 - The System Center Configuration Manager 2007 Service Pack 1 hardware inventory may recognize an x64-based client as an x86-based client (955842)
· KB954718 - You cannot use the Out of Band Management console in Configuration Manager 2007 to connect to computers that use versions of Intel AMT that are earlier than version 3.2.1
· KB955126 - The SMS_Executive service process (Smsexec.exe) in System Center Configuration Manager 2007 may crash if you have Intel AMT-related software installed
· KB955388 - Error message when you use the Microsoft System Center Configuration Manager 2007 SP1-based Configuration Manager console to check software distribution point settings
· KB955355 - A distinguished name that contains more than 100 characters and that is discovered from Active Directory for an AMT host causes the SMS_EXECUTIVE service to crash in System Center Configuration Manager 2007
· KB956337 - System Center Configuration Manager 2007 Service Pack 1 is unable to remove AMT user ACLs during the provisioning process for AMT 2.x computers
· KB957576 - Status message ID 7404 is reported frequently in an installation of System Center Configuration Manager 2007 R2 that uses SQL Server 2008 as the site database
· KB957469 - FIX: The Out of Band Power control function does not work for clients that have the Intel AMT 4 or Intel AMT 5 chipset in System Center Configuration Manager 2007 Service Pack 1
· KB957879 - The ConfigMgr Service Manager tool in Configuration Manager 2007 Service Pack 1 cannot query the SMS_SITE_SQL_BACKUP service, and you receive an "Error communicating with component" error message (957879)
· KB956941 - You cannot take some actions when you take remote control of a Windows Vista-based client computer that has User Account Control enabled in System Center Configuration Manager 2007 Service Pack 1 (956941)
· KB957183 - You cannot add a group as an AMT user account in Configuration Manager 2007 Service Pack 1 if the group name has more than 20 characters (957183)
· KB955114 - The SMS_Executive service process may crash when the System Center Configuration Manager 2007 SP1 Hierarchy Manager handles the site control (.ct2) file from child sites that are running the RTM version of Configuration Manager 2007
· KB955955 - A task sequence that contains many packages may take longer to run after you install System Center Configuration Manager 2007 Service Pack 1 or hotfix 949225
· KB956465 - The SMS_EXECUTIVE service process restarts unexpectedly when a limit is set for the maximum transfer rate between two sites in System Center Configuration Manager 2007
· KB 954474 - System Center Configuration Manager 2007 blocked from deploying security updates
· KB 954214 - The SMS_Site_Component_Manager service stops unexpectedly when you try to install Configuration Manager 2007 Service Pack 1 or reinstall a specific component after an unsuccessful installation attempt
Config Manager 2007 Post-RTM Updates and Hotfixes:
· KB955115 - The "Client Push Installation" operation fails when both multiple management points and customized ports are configured in a System Center Configuration Manager 2007 site
· KB 950527 - Windows Vista SP1, Windows Server 2008, Windows Server 2003 SP2, and Windows XP SP3 are not listed as supported platforms for software distribution, update management, or desired configuration management in System Center Configuration Manager 2007
· KB 946519 - Every even task sequence reports exit error code 183 if you advertise several task sequences to a Systems Management Server client in System Center Configuration Manager 2007
· KB 945306 - Execution requests may remain in the WaitingDisabled state after a task sequence that uses operating system deployment is run in System Center Configuration Manager 2007
· KB 944542 - The "wake on LAN" feature does not work as expected if a site server uses a non-daylight saving time zone in System Center Configuration Manager 2007
· KB 945898 - The System Center Configuration Manager 2007 Offer Status Summarizer does not process advertisement status summary data
· KB 942700 - The task sequence does not run on the protected branch distribution points in System Center Configuration Manager 2007
· KB 944342 - Users cannot modify advertisements that they created in the System Center Configuration Manager 2007 Administration Console
· KB 942536 - You cannot move created objects into a folder or out of a folder if the folder was created on a secondary site of System Center Configuration Manager 2007
· KB 946518 - Inventory data is not completely removed after you delete a system resource in System Center Configuration Manager 2007
· KB 945501 - Some users do not receive a program that is advertised to a user group in System Center Configuration Manager 2007
· System Center Configuration Manager 2007 Documentation Library (November 2007)
SMS 2003 Post-SP3 Updates and Hotfixes:
· KB 942212 - The SMS Executive service process for Systems Management Server 2003 stops repeatedly
· KB 941214/KB 941395 - A hotfix rollup package that provides an updated Client.msi/Client.msp is available for Systems Management Server 2003
· KB 940619 - After you install Systems Management Server 2003 Service Pack 3, the Client Configuration Manager may return incorrect error codes when a remote client computer is unreachable
· KB 934206 - You cannot use the software inventory method to collect files from a mobile device after you install Microsoft Systems Management Server 2003 Service Pack 3
· KB 941820 - NetMeeting Remote Desktop Sharing does not work correctly on a computer that is running the SMS 2003 Service Pack 3 Advanced Client
· KB 936465 - In a three-tier SMS 2003 hierarchy, packages may not be decompressed or copied to the distribution point of the secondary site
· KB 943457 - Some newly added access accounts of a Systems Management Server (SMS) 2003 package may be missing on the child sites
· KB 907311 - Only one of the multiple distribution points is added to a package in a multi-tier SMS 2003 hierarchy
· KB 939332 - SMS 2003 with Service Pack 3 cannot deploy a package to client computers that are running Windows Vista with Service Pack 1
· KB 945639 - The new collection that you created by using the Distribute Software wizard in SMS 2003 does not appear in the user interface
· KB 945635 - Systems Management Server 2003 clients cannot download a software package from a BITS-enabled Configuration Manager 2007 Service Pack 1 distribution point on a Windows Server 2008-based computer
· KB 939872 - Reports that use the v_Add_Remove_Programs view stop responding and cause high CPU use in SMS 2003 SP3
· Microsoft SMS 2003 SP3 Asset Intelligence Catalog Update (February 2008)
Administrator Console Updates and Hotfixes:
· KB 940848 - A hotfix rollup package is available for Microsoft Management Console (MMC) in Windows Server 2003 (XP fix available also)
· KB 941132 - FIX: You receive a NullReferenceException exception when you run a .NET Framework 2.0-based application that uses the ShowDialog method, and the method specifies an IWin32Window owner (x64 only - included in .NET 2.0 SP1)
· KB 932303 - FIX: The WMI service stops responding on a computer that is running the .NET Framework 2.0 and System Center Configuration Manager 2007 (included in .NET 2.0 SP1)
· KB 913538 - A WMI enumerator object is canceled before the client computer can finish using the enumerator object on a Windows Server 2003-based or Windows XP-based client computer
WMI Updates for SMS Clients:
· KB 933061/KB 933062 - An update is available that improves the stability of the Windows Management Instrumentation repository in Windows XP/2003
· KB 913538 - A WMI enumerator object is canceled before the client computer can finish using the enumerator object on a Windows Server 2003-based or Windows XP-based client computer
SQL Server 2008 Update:
· KB 958136 - Cumulative update package 2 for SQL Server 2008
SQL Server 2005 SP3 Update:
· KB 959195 - Cumulative update package 1 for SQL Server 2005 Service Pack 3
SQL Server 2005 SP2 Update:
· KB 958735 - Cumulative update package 11 for SQL Server 2005 Service Pack 2
Click on these links for the Config Manager On Demand Webcasts and the Audiocasts for Config Manager.
TechNet Webcast: Configuration Manager SP1 and R2 Overview (Level 300)
Wednesday, February 27, 2008 3:00 PM Central Time
Presenter: Jeff Wettlaufer, Senior Technical Product Manager, Microsoft Corporation
Microsoft System Center Configuration Manager 2007 shipped recently, but we are not done yet! This year, we will also release a service pack and an R2. In this session, we cover the changes we are making in the System Center Configuration Manager 2007 Service Pack 1 (SP1) timeframe, in addition to the following System Center Configuration Manager 2007 R2 release. We briefly introduce System Center Configuration Manager, but our focus is on the new elements to support Windows Vista Service Pack 1, Windows Server 2008, in addition to some additional changes for Asset Intelligence and Intel AMT Integration.
https://www.microsoft.com/events/series/detail/webcastdetails.aspx?seriesid=37&webcastid=1032369054
TechNet Webcast: Information About Microsoft February Security Bulletins (Level 200)
Wednesday, February 11, 2009 1:00 PM Central Time (US & Canada)
Presenter: Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation
On February 11, 2009, Microsoft releases its monthly security bulletins. Join us for a brief overview of the technical details of the February security bulletins. We intend to address your concerns in this webcast; therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.
Config Manager 2007 Webcasts
TechNet Webcast: Introduction to System Center Configuration Manager 2007 (Level 200)
TechNet Webcast: Deploying System Center Configuration Manager 2007 (Level 200)
TechNet Webcast: Deploying System Center Configuration Manager 2007 Clients (Level 300)
TechNet Webcast: Microsoft System Center Configuration Manager 2007: Deployment (Level 300)
TechNet Webcast: Microsoft System Center Configuration Manager 2007: Managing Servers (Level 300)
TechNet Virtual Lab: Introduction to System Center Configuration Manager (SCCM) 2007
Here is a link to the SMS Archived Webcasts on Demand: