(iBoyd)

March 8th, 2010

SharePoint Foundation 2010 and Office Web Applications

Several posts ago, I promised to provide some insight on the new development capabilities for SharePoint 2010 within Visual Studio 2010. Yeah, I’m still working on that. However, I did get around to installing and test driving Office Web Applications on top of SharePoint Foundation and I have to say that I am quite impressed so far.

In recent years, it has become evident that Microsoft needs to port their office suite to the World Wide Web in order to compete with Google Apps. For Office 2010, Microsoft has stepped up to the challenge by releasing a free online Office suite, appropriately named Office Web Applications. Despite being a bit rough around the edges, the applications provide an excellent idea of what direction Microsoft is headed in, and it certainly looks good.

The Word Viewer Web App provides a read-only version of the Word document inside of the browser.

In my opinion, there’s one huge advantage that Microsoft has over some (but not all) of the other competitors in the Online Office Suite market: Organizations have the option to host the Office Web Applications themselves. For organizations that can’t or don’t want to use a hosted solution, this could be huge. To get there, Microsoft has married the document management capabilities of Microsoft SharePoint with the new functionality that the Office Web Applications offer. As a system administrator, you must play the role of the priest in this wedding: Getting the Office Web Apps functionality requires a separate installation from SharePoint. The good news is that installing Office Web Apps feels relatively painless. As for the benefits? Well, imagine opening a Word document in SharePoint without ever opening Microsoft Word. Now imagine editing that document and saving it back to SharePoint without ever opening Word or even leaving your web browser. Daddy like.

From both an interface and functionality perspective, SharePoint and Office Web Apps integrate fairly well. By default, the Microsoft Word Web App opens documents in a read-only view. With this view, documents are displayed almost identically to how they look within the installed version of Microsoft Word. Most text can be selected and copied to the clipboard. It’s like viewing a PDF document in a browser, but without the terrible Adobe Reader browser plug-in.

So how does the Word Web App do at actually editing documents? Well, it provides a lot of great functionality, but it does leave something to be desired.  A familiar ribbon is displayed at the top of the page, with basic tools for formatting text, inserting pictures, and creating tables. Just don’t expect all of the special features that you’re used to seeing in the installed version of Word. It is free, after all. A few of the documents I tested did not have certain formatting settings that were visible in the online editor, such as table backgrounds. I’m not surprised by that. Overall, I see this as a great way to generate quick documentation or take notes, but I wouldn’t recommend it for advanced publishing. In fact, I wouldn’t recommend any of the online document editors for advanced publishing. They just aren’t that robust.

The Word Web App provides a lot of basic document editing functionality. Just don't expect to do a mail merge through it.

One of the most significant features (if you want to call it that) of the Office Web Apps is that they work across browsers, just like SharePoint 2010. This has always been a huge pain point for me with SharePoint 2007 and a few other Microsoft web products, because they have traditionally catered to Internet Explorer, and I am a Firefox user. There is also better support for viewing SharePoint sites and Word documents from mobile devices. I’m glad that the culture at Microsoft has shifted such that they realize that cross-browser (and cross-platform) support will be crucial to their success in the future and I hope they continue down that path.

I haven’t had a chance to try out the Excel Web App, or the PowerPoint Viewer. I’ll save those for another weekend. Some good news for those waiting for the production version of SharePoint and Office 2010: Microsoft just announced that these products will  launch on May 12, 2010 and RTM sometime in April. It will be interesting to see if there are any new features between the Betas and the RTMs. Regardless, I’m really looking forward to the latest iteration of these products.

If you’re looking for more information about Office Web Applications, be sure to check out the Office Web Apps blog on MSDN: http://blogs.msdn.com/officewebapps/ .

January 26th, 2010

Converting a 6to4 IPv6 Address to its IPv4 equivalent (Dude, where’s my IPv4?)

Alright, here’s the scenario:

  • You’ve upgraded your web server to Windows 2008 and you have a bunch of Windows Vista and Windows 7 clients connecting to an ASP .NET application on that web server. The application uses My.Request.UserHostAddress to check the IP address of the client. For whatever reason, your application only expects an IPv4 address to be returned.
  • Both the server and the client have IPv6 functionality enabled (by default) but are only configured with IPv4 addresses.
  • Since neither the client nor the server has an IPv6 address set, you would expect My.Request.UserHostAddress to return an IPv4 address. Instead, it returns an IPv6 address that starts with the 2002 prefix.

How in the heck  did this happen!? Well, it turns out that this behavior is by design. When Microsoft added IPv6 support beginning with Windows Vista, they added support for using IPv6 over an IPv4 network, for compatibility and transitioning purposes. By default, a Windows Vista or Windows 7 computer that only has an IPv4 address assigned to it will try to communicate over IPv6 by using a special IPv6 address called a 6to4 address. All 6to4 addresses start with the 2002 prefix. The good news is a 6to4 address is derived from the octets of an IPv4 address, so we can convert 6to4 addresses to their IPv4 equivalent. This Technet page goes into further detail about the 6to4 addressing scheme.

Here’s the code I wrote to convert 6to4 IPv6 addresses back to their IPv4 equivalent:

        'Parse the client address reported by ASP.NET
        Dim ipAddress As System.Net.IPAddress = System.Net.IPAddress.Parse(My.Request.UserHostAddress)
        If ipAddress.AddressFamily = Net.Sockets.AddressFamily.InterNetworkV6 Then 'Only IPv6 addresses need converting
            Dim tmpBytes() As Byte = ipAddress.GetAddressBytes
            If tmpBytes(0) = &H20 AndAlso tmpBytes(1) = &H2 Then 'Check it's a 6to4 address (it begins with "2002")
                'Bytes 2 through 5 of a 6to4 address hold the four octets of the IPv4 address
                ipAddress = New System.Net.IPAddress(New Byte() {tmpBytes(2), tmpBytes(3), tmpBytes(4), tmpBytes(5)})
            End If
        End If

Note that this code will only be applicable to 6to4 IPv6 addresses. Normal IPv6 addresses will be ignored because they can’t be converted to an IPv4 equivalent. This means that your code will eventually need to handle IPv6 addresses if clients that connect to the application are ever assigned IPv6 addresses.

December 9th, 2009

SharePoint Foundation 2010

Although it may seem like most of Microsoft’s resources are tied up in the Windows 7 launch, you can rest assured knowing that MS developers have been hard at work on new versions of their enterprise products, including SharePoint. I created a Windows 2008R2 virtual machine with SharePoint Foundation 2010 (the lightweight version of SharePoint formerly known as Windows SharePoint Services) to take advantage of all that extra RAM and CPU on my new Windows 7 desktop. After testing the beta, I can safely sum up the next iteration of this web-based content management and collaboration software in just one word: ribbon.

SharePoint Foundation 2010 Ribbon

The tab-based toolbar that first appeared in Microsoft Office 2007 has now been tied in (pun intended) to SharePoint, most likely to further associate it with the Microsoft Office branding. It is by far the most obvious change in SharePoint and probably one of the best. It’s also a very crucial part of the new in-browser WYSIWYG editor for editing pages. Yes, it works in Firefox! Overall, the SharePoint 2010 interface is a huge improvement. Here are a few screen shots:

I’m investigating some of the new Visual Studio 2010 features for developing SharePoint 2010 content. I’ll have another post about that in the near future.

December 1st, 2009

Visual Basic: Parse Command Line Arguments from a String

Sometimes I write code that I think I need but never end up using. This was the case with the parseCommandLineString() function that I wrote in Visual Basic .NET. I needed a function that would take a command line string that included arguments and parse it in the same way that Environment.GetCommandLineArgs() does. Why? Because System.Diagnostics.ProcessStartInfo uses two properties that separate the executable file name from the arguments. Why Microsoft left this functionality out of the framework is beyond me. Anyway, there is a method built into the Windows API that can parse arguments from a command line string: CommandLineToArgv(). Unfortunately, calling it in VB .NET requires marshalling and I couldn’t find a good example online. Here’s my code:

    'Requires "Imports System.Runtime.InteropServices" at the top of the file (for Marshal).
    'The command line goes in as a raw pointer and the argument array comes back as one.
    Private Declare Function CommandLineToArgv Lib "shell32.dll" Alias "CommandLineToArgvW" (ByVal lpCmdLine As IntPtr, ByRef pNumArgs As Integer) As IntPtr
    '''
    ''' Summary: Parse the command line string so that it can be used with System.Diagnostics.Process. I chose to use the Windows API here to ensure that the command line parsing is consistent with how Windows handles it.
    '''
    ''' Parameter command: The string that should be parsed
    ''' Returns: An array of command line arguments similar to what Environment.GetCommandLineArgs() produces.
    ''' It sure would be nice if the framework had a method for doing this. It becomes a drawback of using System.Diagnostics.Process, which requires arguments to be separated from the executable.
    Private Function parseCommandLineString(ByVal command As String) As String()
        Dim numargs As Integer
        Dim t As Integer
        Dim ptrCommand As IntPtr = Marshal.StringToHGlobalUni(command) 'Marshal the string to a pointer
        Dim ptrSplitArgs As IntPtr = CommandLineToArgv(ptrCommand, numargs) 'Pass the pointer to CommandLineToArgv for parsing, retrieve the pointer of the result.
        If ptrSplitArgs = IntPtr.Zero Then 'Is it a valid pointer? Throw an exception if it isn't.
            Dim parseError As New System.ComponentModel.Win32Exception 'Capture the Win32 error before freeing anything
            Marshal.FreeHGlobal(ptrCommand)
            Throw parseError
        End If
        Dim splitargs(numargs - 1) As String

        For t = 0 To numargs - 1
            'Iterate through the returned array of string pointers and add each argument to the result.
            splitargs(t) = Marshal.PtrToStringUni(Marshal.ReadIntPtr(ptrSplitArgs, t * IntPtr.Size)).Trim
        Next
        Marshal.FreeHGlobal(ptrCommand)
        Marshal.FreeHGlobal(ptrSplitArgs) 'The array must be released with LocalFree, which FreeHGlobal calls
        Return splitargs

    End Function

October 23rd, 2009

Windows 7 is Missing NETDOM.EXE

UPDATE: I discovered that there is a working NETDOM.EXE for Windows 7. Here’s what you need to do (on a Windows 7 machine) to get it:

  1. Install the Remote Server Administration Tools (RSAT).
  2. Go to Control Panel -> Programs and Features -> Turn Windows features on or off
  3. In the treeview, go to Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools and select AD DS Tools. Click OK.

NETDOM should be located in your SYSTEM32 folder. If you would rather use Powershell to join the domain, since it’s included with the Windows 7 RTM, then please continue reading. I apologize for any confusion.

(Begin Original Post)

Now that the title of this post has your attention, I can tell you that Windows 7 isn’t really missing this important tool that joins a machine to an Active Directory Domain in an automated fashion. Instead, this command-line utility has been superseded by a new command that’s included in Microsoft’s love-it-or-hate-it command line shell: Windows Powershell. Why? Well, Powershell is certainly more powerful than the standard command prompt. But more importantly, Windows 7 is the first version to include Windows Powershell in the RTM build. With Powershell built into Windows 7, perhaps Microsoft saw no reason to continue including and supporting our old pal, NETDOM.

Joining a Domain with Add-Computer

When you’re finished grieving over the loss of our beloved NETDOM, which has joined countless computers to countless Windows Domains (or far inferior Workgroups), it’s time to roll up your sleeves and start working with the successor command: Add-Computer. This command will only run in a Windows Powershell command prompt. The good news, however, is that you can easily run Add-Computer inside Powershell through a normal command prompt (or batch file). To do so, open a command prompt (with elevated privileges) and run this command:

    powershell Add-Computer -DomainName "YOURDOMAIN"

See? That wasn’t so bad now was it? If you don’t mind entering credentials to join the domain on every single computer, that’s all you need. But unfortunately, some of us need to automate the process of joining the domain. For that, it gets more complex, and we’ll need a bit more Powershell to make it work.

Screenshot: Add-Computer -?

How to Use Add-Computer

From a command prompt, you can get more detailed usage instructions for Add-Computer by using this command:

    powershell Add-Computer -?

In the syntax section, you’ll find syntax switches that can be used to specify the domain name, OU path, and credentials. For more details and examples on Add-Computer, you can also use this command:

    powershell get-help Add-Computer -detailed

The first thing you should notice is that, unlike NETDOM, there aren’t syntax switches to specify the username and password. Instead, there is a switch called “-Credential” that takes in a PSCredential object. Therefore, we need to create a PSCredential object with the credentials that will be used to join the computer to the domain before we can actually use the Add-Computer command in an automated way. To do this, we’ll need to create a Powershell script.

If you have never used Powershell before, you’ll probably say to yourself, “PSCredential object? What is that!?” I’ll give you this very brief explanation: PSCredential is an object that can securely store Windows credentials. Furthermore, Powershell is more like a full-blown Object-Oriented scripting language than a shell language. Like DOS, it has a command prompt. However, the similarities usually end there. Anyway, this article isn’t about Powershell, but if you want to know more about it, start Googling. Or you can just continue on to get the Powershell script.

A Powershell Script to Join the Domain

The Powershell script needed to join the domain contains only two commands. Create a new text file named “joinDomain.ps1” and put the following powershell code into it:

    $credential = New-Object System.Management.Automation.PsCredential("MY.DOMAIN.COM\user", (ConvertTo-SecureString "mypassword" -AsPlainText -Force))
    Add-Computer -DomainName "MY.DOMAIN.COM" -Credential $credential -OUPath ("OU=Computers,DC=MY,DC=DOMAIN,DC=COM")

The first line of the script creates a new System.Management.Automation.PsCredential object. PsCredential takes in two parameters: a string containing a username and a secure string containing the password.  You should change “MY.DOMAIN.COM\user” to the user that will join the computer to the domain. Change “mypassword” to the password of that account.

The second line is the Add-Computer command. “MY.DOMAIN.COM” should be changed to the domain that the computer is joining.  Change OUPath to the OU String that points to the OU container that the computer object should be placed in.

Running the Script

To run the Powershell script above, you need to open an elevated command prompt. To run it, type powershell ./joinDomain.ps1 and press enter. In many cases, you will find that you’re not allowed to run the script, despite running the command as an administrator:

    >powershell ./joinDomain.ps1
    File joinDomain.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.

The funny part about Powershell is that, by default, it is configured to only allow the execution of signed scripts. This is a security feature so that unauthorized or malicious scripts that could compromise the system can’t be executed. After all, Powershell is quite power-ful. Unfortunately, this really tends to confuse and frustrate people. To get around this, you can temporarily change the execution policy, and then change it back:

    powershell Set-ExecutionPolicy Unrestricted
    powershell ./joinDomain.ps1
    powershell Set-ExecutionPolicy Restricted

You can also change the execution policy to allow only signed scripts and scripts created by you. For more information about the Powershell execution policy, check out this article.

Final Thoughts

Now that you are able to automate a domain join with Powershell instead of NETDOM, there is one final thing that I want to mention. In the script above, the password String was converted to a SecureString by using the “-AsPlainText -Force” arguments. Using SecureString in this way is generally discouraged as it defeats the whole purpose of having a secure string. Furthermore, having account credentials in plain text within the script is insecure and generally a bad idea. I’m guessing that this is the reason why Microsoft left out the “/userD” and “/passwordD” parameters from the NETDOM command and made it slightly more difficult to include the credentials in plain text. You should limit the rights of the account you’re using to automatically join the domain so that it cannot be used to delete Active Directory objects, access network shares, etc. You should also consider other methods of storing the credentials. This article has an alternative method for storing credentials used in Powershell that may meet your needs.
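One way to keep the password out of the script (an added example, not from the original post or the article it links to): the password is encrypted once with a random AES key via ConvertFrom-SecureString -Key, and the join script decrypts it at run time. The function names and file paths are hypothetical. Anyone holding both the key file and the encrypted file can recover the password, so the key is assumed to live on separate removable media and the limited-rights join account is still required.

```powershell
# Added example, not the author's script. New-JoinSecret and
# Join-DomainFromSecret are hypothetical names. Use full paths for the files.

function New-JoinSecret {
    # Run once on an admin workstation. Writes a random 256-bit AES key and
    # the join account's password encrypted under that key.
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [Parameter(Mandatory = $true)][string]$SecretPath
    )
    $key = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($key)
    [System.IO.File]::WriteAllBytes($KeyPath, $key)

    # Read-Host -AsSecureString prompts without echoing and never holds the
    # password in an ordinary String.
    $secure = Read-Host -Prompt 'Password for the domain-join account' -AsSecureString
    ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $SecretPath
    [Array]::Clear($key, 0, $key.Length)
}

function Join-DomainFromSecret {
    # Run elevated on the machine being joined.
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$OUPath,
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [Parameter(Mandatory = $true)][string]$SecretPath
    )
    $key = [System.IO.File]::ReadAllBytes($KeyPath)
    try {
        # Decrypt straight into a SecureString; no -AsPlainText needed.
        $secure = Get-Content -Path $SecretPath | ConvertTo-SecureString -Key $key
        $credential = New-Object System.Management.Automation.PSCredential($UserName, $secure)
        Add-Computer -DomainName $DomainName -Credential $credential -OUPath $OUPath -ErrorAction Stop
    }
    finally {
        # Wipe the key bytes from memory whether or not the join succeeded.
        [Array]::Clear($key, 0, $key.Length)
    }
}

# Preparation (once), with E: standing in for the removable drive:
#   New-JoinSecret -KeyPath 'E:\join.key' -SecretPath 'C:\Deploy\join.secret'
#
# In joinDomain.ps1, after the two functions above:
#   Join-DomainFromSecret -DomainName 'MY.DOMAIN.COM' -UserName 'MY.DOMAIN.COM\user' `
#       -OUPath 'OU=Computers,DC=MY,DC=DOMAIN,DC=COM' `
#       -KeyPath 'E:\join.key' -SecretPath 'C:\Deploy\join.secret'
#
# From an elevated command prompt, the policy can be set for that one process
# instead of changing the machine-wide policy and changing it back:
#   powershell -ExecutionPolicy RemoteSigned -File .\joinDomain.ps1
```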

October 12th, 2009

Windows PE 3.0 and the Missing WMI Class

Since I maintain the Windows XP Image for our lab machines, I was tasked with doing the same thing with Windows 7. When I rewrote our imaging tools last Spring, I created a WinPE 2.0 image that included the WMI package so that the imaging application could perform WMI queries in PE. I used WMI only to get basic information about the machine (such as the Manufacturer, Model, Serial Number, and Disk Information).

While upgrading the WinPE image from 2.0 to 3.0 in anticipation of deploying Windows 7, I discovered that the Windows PE 3.0 base image (the same one that comes with the Windows AIK) was missing Win32_DiskPartition. I use this class to retrieve the number of partitions on the system disk so that I can make sure that each partition (and its volume) has been assigned a drive letter so that I can search each drive for a preexisting configuration file. But why would Microsoft remove this class!? On a standard Windows 7 machine, the command “WMIC.EXE PARTITION” returned a list of partitions on the system, confirming that I wasn’t losing my mind. However, the command returned nothing when I tried it in Windows PE 3.0.

After lots of searching, I finally came across a post on Microsoft Technet where another developer ran into the same issue. Fortunately, he found a simple, but somewhat obscure, solution:

  1. On a fully-installed Windows 7 machine, copy the contents of C:\Windows\System32\wbem
  2. Mount the Windows PE 3.0 image and replace the contents of <mountdir>\Windows\System32\wbem with the wbem folder from the previous step

Using the Windows 7 wbem folder in your WinPE 3.0 image will make it several Megabytes larger, but at least you will be able to get to the missing WMI class(es) that you need!

Update 3/11/2010: After upgrading to the latest version of the Microsoft WAIK, I was unable to overwrite existing files in the WBEM folder (Access Denied). For some reason, the permissions are different on this folder now. Here is the workaround:

  1. To take ownership of the existing WBEM folder and files, run this command: TAKEOWN /F <mountdir>\windows\system32\wbem /A /R
  2. To grant administrators full control of the existing WBEM folder and files, run this command: ICACLS <mountdir>\windows\system32\wbem /grant Administrators:F /T

Once the permissions are updated, you will be able to overwrite files in the WBEM folder.

May 26th, 2009

Injecting Intel Matrix Mass Storage Drivers into a Windows XP WIM

In Classroom and Lab Computing, we use sysprep in our Windows XP imaging process so that we can support the various computer models that comprise the 4000+ computers participating in CLM, both at University Park as well as several other campuses at Penn State. Using the tools and techniques that we have developed, we are able to apply our single OS image to a machine in about 5 minutes using a USB drive. After that, the USB drive can be removed and the machine will continue to build completely unattended. Not only is the process really cool, it saves a lot of time. However, sysprep for Windows XP isn’t perfect, and with newer hardware we have run into a few caveats.

The Problem

While updating our XP image last year, we ran into a snag where the new model (a Dell Optiplex 755) refused to build when SATA operation was set to AHCI in the BIOS. This was due to a missing Intel Matrix Storage driver. Normally, drivers can easily be added to a sysprep image by injecting them into a folder within the image and then adding them to OEMPnPDriversPath in Sysprep.inf. However, these drivers are not applied until midway through the mini-setup process that runs the first time Windows boots. Without having the correct Mass Storage Driver for booting the first time, Windows will blue screen (with stop error 0x0000007B) before it can even enter mini-setup. Now that many of Dell’s newer systems come with eSATA ports, it is recommended that AHCI is used for SATA operation. There is a way to insert Mass Storage Drivers when sealing a sysprep image. However, we already sealed our image for this year and wanted to avoid another reseal. Fortunately, there is a way to manually inject the drivers into the image. It’s a bit tedious, but it does work.

Manually Injecting the Intel Matrix Storage Drivers into a Windows XP image

  1. Download the Intel Matrix Storage driver (be sure it’s the latest version) from the Intel website or from the system manufacturer website. If using the Intel website, you will probably need to extract the drivers from the executable. This can be done by calling <filename>.exe -a -0 <folder path>. Folder path is the folder where the drivers will be extracted to.
    • Make sure that you have the following files: iaahci.cat, iaahci.inf, iastor.cat, iastor.inf, and iastor.sys.
  2. Open iaahci.inf with a text editor. First, look in the [version] section for the ClassGUID. Copy and paste this somewhere. Next, look for the [INTEL_HDC] section. You will see syntax similar to this:
    %PCI\VEN_8086&DEV_2681&CC_0106.DeviceDesc% = iaStor_Inst, PCI\VEN_8086&DEV_2681&CC_0106

    The portion of the line after the comma (highlighted in red in the original post) is the HardwareID. Copy and paste the HardwareID portion of each entry in [INTEL_HDC] to a separate line in an empty text file. They will be important later on.
    Note: The [INTEL_HDC.ntamd64] section, which is below this section, can be skipped. The entries are the same.

  3. Open iastor.inf and note the ClassGUID. Look for the [INTEL_HDC] section again. The formatting should be the same. Once again, copy and paste each of the HardwareIDs to a separate line in an empty text file.
  4. Mount your Windows XP image using imageX (imagex.exe /mountrw <path-to-wim-file> <image index #> <mount-folder-path>) . If using Ghost, you will probably have to apply the image to a separate hard drive. Last time I checked, Ghost couldn’t edit disk images that were in NTFS format. By the way, now may be a good time to look at switching from Ghost to ImageX for capturing and applying your image.
  5. Copy the driver files to the following folders:
    • Copy iaahci.inf and iastor.inf to <mount-folder-path>\Windows\inf
    • Copy iaStor.sys to <mount-folder-path>\Windows\system32\drivers
    • Copy iaahci.cat and iastor.cat to <mount-folder-path>\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    The HKLM\systemxp\ControlSet001\Control\CriticalDeviceDatabase key

  6. Next, the SYSTEM registry hive from the image must be loaded. Open the Registry Editor (Start->Run->regedit.exe). Click on HKEY_LOCAL_MACHINE and then go to File->Load Hive… Browse to <mount-folder-path>\Windows\system32\config and select the file named SYSTEM. When prompted to give the hive a name, type systemxp. The systemxp registry hive should now appear below HKEY_LOCAL_MACHINE.
    Note: At this point, you should take a moment to browse to <mount-folder-path>\Windows\system32\config and make a backup of your SYSTEM file in case the registry changes break something.
  7. Now that the driver files are in the right spot, a registry key must be created for each of the HardwareIDs that we retrieved from iaahci.inf and iastor.inf. The easiest way to do this is to create a .reg file that will add all of the entries to the hive. Create a blank text file and name it IntelMSD.reg. From a text editor, open IntelMSD.reg and set the first line to this:
    Windows Registry Editor Version 5.00

    Next, we need to create an entry for each of the HardwareIDs that we are adding. Here is what the syntax for each entry will look like:

    [HKEY_LOCAL_MACHINE\systemxp\ControlSet001\Control\CriticalDeviceDatabase\pci#ven_8086&dev_2929&cc_0106]
    "Service"="iaStor"
    "ClassGUID"="{4D36E96A-E325-11CE-BFC1-08002BE10318}"

    Two parts change for each entry. On the first line, the final component of the key name is where the HardwareID for each entry will go. The second line is the same in each entry. The third line is where the GUID associated with that entry will go. The two ClassGUIDs that were retrieved in steps 2 and 3 will be used here. Make sure that the GUID you put is the one that was in the same .inf file as the HardwareID.

    Note: I realize that this part was a bit tricky. You can compare your .reg file with mine here to make sure your syntax is correct. Keep in mind that yours may have more entries, especially if it’s a newer version of the driver. Also, be sure that you have made a backup of your SYSTEM file in case the registry becomes corrupt.

  8. In the registry editor, go to File->Import… and browse to the IntelMSD.reg. This will load all of the registry entries into the systemxp hive. To be sure, you can browse to HKEY_LOCAL_MACHINE\systemxp\ControlSet001\Control\CriticalDeviceDatabase and check for the entries yourself.
  9. In addition to the entries created in CriticalDeviceDatabase, an entry for the iaStor service must be created. This registry file should apply the entries that are needed to HKEY_LOCAL_MACHINE\systemxp\ControlSet001\Services. To import it, go to File->Import… and browse to iaStor.reg.
  10. In regedit, click the systemxp registry hive and then go to File->Unload Hive… This will unload the XP Image SYSTEM hive so that the image can be unmounted.
  11. Unmount the image (or if using Ghost, recapture it). Test it on machines that have AHCI enabled (and use the Intel Matrix Storage Driver).
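The IntelMSD.reg file described above can also be generated from the .inf files instead of being assembled by hand. This is an added example, not the author's script: the function names are hypothetical, the embedded INF text is a constructed sample that uses the HardwareIDs and ClassGUID quoted above, and it assumes every [INTEL_HDC] line has the form shown earlier.

```powershell
# Added example, not the author's script. Function names are hypothetical.

function Get-InfSection {
    # Return the non-empty, comment-stripped lines of one [Section] of an INF.
    param([string[]]$Lines, [string]$Name)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = ($line -replace ';.*$', '').Trim()      # drop ; comments
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -ieq $Name)       # section names are case-insensitive
            continue
        }
        if ($inSection -and $text) { $text }
    }
}

function ConvertTo-CddbEntry {
    # Emit one CriticalDeviceDatabase .reg entry per HardwareID in [INTEL_HDC],
    # paired with the ClassGUID from the same INF file.
    param(
        [string[]]$InfLines,
        [string]$Service = 'iaStor',
        [string]$HiveName = 'systemxp'    # name given to the loaded hive in regedit
    )
    $classGuid = $null
    foreach ($entry in (Get-InfSection -Lines $InfLines -Name 'Version')) {
        if ($entry -match '^ClassGUID\s*=\s*(\{[0-9A-Fa-f-]+\})') { $classGuid = $Matches[1] }
    }
    if (-not $classGuid) { throw 'No ClassGUID found in the [Version] section.' }

    foreach ($entry in (Get-InfSection -Lines $InfLines -Name 'INTEL_HDC')) {
        # Expected form: %...DeviceDesc% = iaStor_Inst, PCI\VEN_8086&DEV_2681&CC_0106
        $parts = $entry -split ','
        if ($parts.Count -lt 2) { continue }            # skip lines without a HardwareID
        $hardwareId = $parts[1].Trim()
        # Key names in the post's example are lower case with # in place of \
        $keyName = $hardwareId.ToLower().Replace('\', '#')
        '[HKEY_LOCAL_MACHINE\{0}\ControlSet001\Control\CriticalDeviceDatabase\{1}]' -f $HiveName, $keyName
        '"Service"="{0}"' -f $Service
        '"ClassGUID"="{0}"' -f $classGuid
        ''
    }
}

# Constructed sample standing in for iaahci.inf (not the real driver file).
$sampleInf = @'
[Version]
Signature="$Windows NT$"
ClassGUID={4D36E96A-E325-11CE-BFC1-08002BE10318}   ; constructed sample

[INTEL_HDC]
%PCI\VEN_8086&DEV_2681&CC_0106.DeviceDesc% = iaStor_Inst, PCI\VEN_8086&DEV_2681&CC_0106
%PCI\VEN_8086&DEV_2929&CC_0106.DeviceDesc% = iaStor_Inst, PCI\VEN_8086&DEV_2929&CC_0106

[INTEL_HDC.ntamd64]
%PCI\VEN_8086&DEV_2681&CC_0106.DeviceDesc% = iaStor_Inst, PCI\VEN_8086&DEV_2681&CC_0106
'@ -split '\r?\n'

$reg = @('Windows Registry Editor Version 5.00', '') + @(ConvertTo-CddbEntry -InfLines $sampleInf)
$reg | Out-File -FilePath (Join-Path $env:TEMP 'IntelMSD.reg') -Encoding Unicode
$reg    # show the generated entries

# With the real driver files, build the list from both INFs:
#   $reg = @('Windows Registry Editor Version 5.00', '') +
#          @(ConvertTo-CddbEntry -InfLines (Get-Content .\iaahci.inf)) +
#          @(ConvertTo-CddbEntry -InfLines (Get-Content .\iastor.inf))
```

Compare the generated entries against the .inf files before importing them, and keep the backup of the SYSTEM file until the image has booted successfully.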

Other Mass Storage Drivers

Although I haven’t tested this, I am pretty sure that this process will work with other Mass Storage Drivers. The key to getting them to work is being able to read and understand what the inf file is doing. The Intel Matrix driver only required registry edits, and so it was fairly easy to do. For more information on inf file syntax, look at this MSDN page.

May 13th, 2009

Windows 7 RC: First Observations

Only a few days after the Release Candidate of Microsoft Windows 7 was released, I took the plunge and installed it on my primary laptop. Previously, I was running Windows Vista Ultimate x64 and I was really disappointed in how sluggish the system felt, especially when entering or leaving hibernation. With little to lose except for a bit of time, I completely removed Vista and installed a fresh copy of Windows 7 RC.

Setup and Configuration

If you’ve ever installed Windows Vista, the setup process for Windows 7 will be very familiar. While there are some minor aesthetic changes, the process appears to be mostly the same. However, one difference that you may have noticed is the spare 100-200MB partition in front of the system partition that setup creates automatically during a clean install. This partition is created so that Bitlocker can easily be activated later if the end user chooses to do so. As I will describe later, this makes enabling and configuring Bitlocker drive encryption very easy for the end user.

Once setup completed, I checked Device Manager to see what devices were missing drivers. For the most part, the Vista drivers for these devices worked fine. The Lenovo website did not have a working driver for the fingerprint reader, but I managed to find a beta version through the hardware manufacturer website. Overall, the install process was relatively painless.

Interface Changes

Clearly, Microsoft focused on the interface in this version of Windows. The first difference that most users are likely to notice is that the task bar has received a major overhaul. Open application windows are all grouped under a single icon in the task bar, and the title of each window is no longer displayed. Surprisingly, this isn’t a bad thing thanks to the new behavior of task bar icons. For example, hover over an application icon, and thumbnails of all open windows for that specific application are displayed above the task bar. If you then hover over one of those thumbnails, all other windows become transparent so that you can see the application window, courtesy of the new ‘Aero Peek’ feature. Right click on the icon and you are presented with additional application-specific options or items. For example, right clicking the Internet Explorer icon shows frequently visited sites, while right clicking the Remote Desktop Connection icon will show recent and pinned remote desktop connections.

Hovering over the very right side of the task bar sets open windows to transparent so the desktop is visible. Clicking the right side of the button minimizes open windows, just like the 'Show Desktop' icon in previous versions of Windows.

The ‘Show Desktop’ icon that was in the quick launch menu  in previous versions of Windows is now a permanent, yet inconspicuous, part of the task bar. Clicking on the thin blank button on the right side of the task bar will minimize all open windows so that the desktop is visible. However, if you only need to see the desktop and would rather not minimize all open windows, you can hover over this area instead of clicking it so that windows are temporarily transparent.

I’m sure there will be users that will cringe at the idea of learning to use a new task bar with different behavior, especially since the former has been in use since Windows 95. However, after a few hours of using it, I’d imagine most users will be comfortable with the new features and concepts that this task bar introduces. In my opinion, it is significantly improved. In the long run, I think most users will be happy with this change and will have a hard time looking back.

Bitlocker is a Bit Better

Hard drive encryption has become a hot topic recently, especially in the realm of laptops and mobile devices. The implications of data loss or theft are far reaching and, depending on the industry, can result in a company receiving large fines, fiscal losses, and a negative public image. To defend against this, organizations have started to mandate hard disk encryption in order to prevent data on stolen or lost devices from being recovered by malicious third parties.

Turning the Bitlocker feature on and off in Windows 7 is very easy.

This time around, Microsoft did things right and pre-configured the hard disk partitions during setup to support Bitlocker encryption. Turning on Bitlocker is very easy in Windows 7 (assuming your computer has a Trusted Platform Module). Simply go to ‘Bitlocker Drive Encryption’ in the control panel and click ‘Turn on Bitlocker’. The wizard will go through the process of saving a recovery key and then proceed to reboot the system and configure the Trusted Platform Module. After booting, existing files on the hard drive are encrypted in the background. The machine is still usable during this process. The disk encryption process finished in about 2 hours on my laptop. Since encrypting the drive, I have noticed little performance impact. Even my battery life seems to have remained fairly consistent.

Intuitive Device Management

Not only was pairing my Windows Mobile phone easy, the Windows Mobile Device Center was automatically installed afterward.

Microsoft seems to have tried to streamline the administration and configuration of peripherals in Windows 7. A new area in the control panel, called Devices and Printers, allows users to quickly view and add device connections to their system. Previously with Windows Vista, I had inconsistent results establishing a Bluetooth connection with my Windows Mobile phone. Sometimes it would work great, but most of the time it took several tries to actually get the laptop and phone to pair and begin a sync. With Windows 7 RC, my experience was quite intuitive. From “Devices and Printers” in the control panel, I clicked ‘Add a device’ and selected my mobile phone, which Windows had automatically found. A pre-generated code was displayed to pair my phone. After entering the code on my phone, the pairing was complete and the phone appeared in the devices list. If that wasn’t easy enough, Windows 7 proceeded to detect that the phone was a Windows Mobile device and automatically began installing the Windows Mobile Device Center. Impressive.

There’s More

I’m continuing to find other new features and changes in Windows 7 that I really like. Some of these changes are more subtle than others, but the majority of them seem to share a common goal of making the interface more intuitive, responsive, and efficient for the end user. Even the minor changes to components, such as the Resource Monitor and the wireless connection task tray, feel like great improvements when compared with previous versions of Windows. And to complement all of this, Microsoft seems to have made no compromises in the areas of security, reliability, and performance. Microsoft really seems to be taking the shortcomings (both real and perceived) of Vista seriously. As for me, I am going to continue using the release candidate and look forward to the official release of Windows 7 at the end of this year.

February 18th, 2009

Faux Security

A few weeks ago I was reminded that it still isn’t common knowledge that antivirus software will not protect your computer from all threats. A conversation with a family member that works for a small business revealed that their “IT Guy” thinks Windows Updates aren’t necessary, yet he continues to install antivirus software on workstations religiously. Unfortunately, that could not be further from the truth. Keeping your Windows machine properly patched is, in my opinion, more important than having antivirus software. Attackers are known for using worms that attack the vulnerabilities of a Windows machine from the outside without user interaction. The Conficker worm is just the latest example of how improperly patched Windows machines can be compromised remotely and completely outside of the protection of antivirus.

Think that your firewall or router is protecting you from attacks like this? Think again. Once one compromised machine is on the network, all bets are off. Infected machines can be used by attackers to completely circumvent the firewall and infect any other vulnerable machines on the network. Mobile devices that roam from network to network can make matters worse by being the carriers of these infections, much like influenza is spread by humans. Worms like Conficker waste no time gathering personal data, logging keystrokes, and propagating to other systems. In Conficker’s case, the infection spread incredibly fast. In January, the infection count jumped from 2.4 million to 9 million Windows machines in just four days.

Clearly, there are a significant number of users with a false sense of security. It is estimated that 30 percent of the Windows machines connected to the internet are unpatched. I’m guessing that a lot of the same users that aren’t updating Windows believe their system is secure because they have installed antivirus software. This is just one of the many myths that many computer users believe today.

Please spread the word to your friends, family, coworkers, and acquaintances that Windows Updates ARE EXTREMELY important to the health of their PC and that Windows Updates, firewalls, and antivirus applications by themselves are not an all-inclusive solution to computer security. Instead, all of these security tools should be used in order to effectively protect a computer.

January 11th, 2009

SCCM: Content downloaded to the client does not match the content specified in the content source

There are some software packages that introduce a lot of interesting complexities that SCCM 2007 gets confused by. One of the applications that I was trying to test and deploy was giving me a particularly interesting problem: all of the clients downloaded the package, but when they checked the content, it did not match the source.

The error, which had an ID of 10057, was found by going to System Status -> Advertisement Status -> <advertisement name> -> Show Messages on the actions pane:

The program for advertisement “SIT00001” has failed because download of the content “SIT00029” – “Per-system unattended” has failed. The download failed because the content downloaded to the client does not match the content specified in the content source.

Possible causes: The content on the distribution point has been manually modified, or a local administrator on the computer has modified the content in the computer’s hash. Solution: Refresh the content on the distribution point and retry the download.

The solution seemed obvious: update the distribution points. But multiple tries, including recreating the package and advertisement completely, did not fix the problem. Finally, I stumbled upon a forum post that helped me narrow the problem down to one of two scenarios:

Binary Differential Replication – If this is enabled in the package configuration, some packages seem to fail. I’m assuming that they can’t handle this kind of replication and several of the files become corrupt, creating a hash mismatch. This can be turned off by opening up the package properties, going to the Data Source tab, and unchecking Enable binary differential replication. This wasn’t my problem because I hadn’t enabled binary differential replication.

Hidden Files – Apparently, if the package source contains hidden files, SCCM may not calculate the correct hash for the package and clients could encounter an error. I found a quick way to check this using the command line:

  1. Open up a command window in the root directory that contains your package source files.
  2. Type Dir /S /A:H and hit enter. Depending on the package, you may be presented with several directories with multiple hidden files.
  3. Trying to remove the hidden attribute on all the files with the GUI would be tedious, so just use this command instead: attrib -H /S
  4. Update the distribution points.

The package finally verified properly and the advertisement completed.
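
The hidden-file check from the steps above, written as a PowerShell script. This is an added example, not part of the original post: it lists every hidden file or folder under a package source so you can review what is there before clearing the attribute and updating the distribution points. The parameter names and the script name in the comments are assumptions.

```powershell
# Find-HiddenPackageContent.ps1 (hypothetical name; added example)
# Report, and optionally un-hide, hidden items in an SCCM package source folder.
# Usage:  .\Find-HiddenPackageContent.ps1 -SourcePath <package source folder>
#         .\Find-HiddenPackageContent.ps1 -SourcePath <package source folder> -ClearHidden
param(
    [Parameter(Mandatory = $true)]
    [string]$SourcePath,

    # Without this switch the script only reports and changes nothing.
    [switch]$ClearHidden
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SourcePath -PathType Container)) {
    throw "Package source folder not found: $SourcePath"
}

$hiddenFlag = [int][System.IO.FileAttributes]::Hidden

# -Force makes Get-ChildItem return hidden and system items, which it skips by default.
$hiddenItems = @(Get-ChildItem -LiteralPath $SourcePath -Recurse -Force |
    Where-Object { ([int]$_.Attributes -band $hiddenFlag) -ne 0 })

if ($hiddenItems.Count -eq 0) {
    Write-Output "No hidden files or folders found under $SourcePath"
    return
}

# Review this list first: thumbnail caches and desktop.ini files are common,
# anything else in a package source deserves a closer look before deployment.
$hiddenItems |
    Select-Object FullName, Attributes, Length, LastWriteTime |
    Format-Table -AutoSize

if ($ClearHidden) {
    foreach ($item in $hiddenItems) {
        # Clear only the Hidden bit; ReadOnly, System and Archive stay as they were.
        $cleared = [int]$item.Attributes -band (-bnot $hiddenFlag)
        $item.Attributes = [System.IO.FileAttributes]$cleared
    }
    Write-Output "Cleared the Hidden attribute on $($hiddenItems.Count) item(s). Update the distribution points next."
}
```

Unlike `attrib -H /S` without `/D`, the `-ClearHidden` switch also un-hides folders, because the listing includes them.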