Despite all the recent news and hoopla about Windows Vista’s failure in the enterprise marketplace, it’s by no means the case that the response to Microsoft’s Windows Vista related certification exams has been completely nugatory. As of 10/27/2008, in fact, the total number of individuals who’ve earned the 70-620 TS: Configuring Windows Vista credential stands at 45,998. By interesting contrast, the total number of MCDST credentials stands at 49,936, even though that program has been available for three years longer (the first exam for the MCDST has been around since January, 2004).
In fact, Microsoft offers four more Vista exams for IT professionals, though no counts for those who’ve passed these exams are available as yet:
- 70-621 Pro: Upgrading your MCDST Certification to MCITP Enterprise Support
- 70-622 Pro: Supporting and Troubleshooting Applications on a Windows Vista Client for Enterprise Support Technicians
- 70-632 Pro: Supporting and Troubleshooting Applications on a Windows Vista Client for Consumer Support Technicians
- 70-624 TS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops
Microsoft lets existing MCDSTs upgrade their credentials to an MCITP certification by taking only a single exam (60-221), offers two MCTS exams that relate to Windows Vista (70-620 and 70-624), and requires two exams (just like the MCDST) for those who seek MCITP certification on Vista. There’s a lot of interesting information lurking in these certs, and some definite value to be gained from earning them.
In my next series of Windows Vista Enterprise Desktop blogs, I’ll be looking at all five of these exams in some detail and report on their coverage and objectives, as well as pointing out some good study resources for those who might wish to pursue them.
On Tuesday, October 28, as I was knocking off for the day, after 11 PM, I noticed that the autoupdate function in Windows Update had posted two more items to my primary production Vista PC. Both look interesting, but so far I’ve had some trouble trying to ferret out more details about one of these two patches.
Here’s what I know so far:
- One of the items is a security update, labeled MS08-062 and entitled “Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution.” Interestingly, the security bulletin is dated October 14, and it documents a serious vulnerability in the seldom-used Internet Printing Service–or rather, the IPP protocol and the Internet Printing Client that this service uses–that Vista installs by default (see this vulnerability report dated October 14 for more info on the vulnerability details; this MS White paper describes how Internet Printing works inside Vista; note further that this vulnerability applies to Windows 2000, Windows Server 2003 and 2008, and Windows XP as well). Basically, an integer overflow in this service lets attackers run arbitrary code at system-level privilege: a proof-of-concept exploit is known, and several “active, in-the-wild exploit attempts of this type have been detected.” If you don’t use Internet Printing, you can follow the instructions in the MS White paper to turn off the Internet Printing Client in Vista instead (under Printing Services, Turn Windows features on or off, Programs and Features, Control Panel).
- More interesting, and more mysterious is the other item: a “reliability update” for Windows Vista described in a currently unavailable Knowledge Base article (KB957200). All I can find on this update so far is the standalone download page entitled Update for Windows Vista (KB957200). Of course, I’m dying to know what’s been tweaked in this particular update, and why MS decided to push it out the door before November 11 (next patch Tuesday). The Web is abuzz with the word that the KB article remains missing in action, so I guess I’ll have to bide my time. As of this morning (10/30/2008) the article remains missing in action, so I posted a query to the Technet Windows Vista Announcements forum in hopes it might provoke some kind of official response (or better yet, the promised KB article).
My advice on MS08-062 is to download and install it, unless you never use the Internet Printing Service, in which case you can simply turn it off on your PCs, or set a GPO to do it globally. Files affected are detailed in KB 953135, and include three Vista DLLs: Msw3prt.dll, Win32spl.dll, and Printcom.dll. As far as the reliability update documented in KB957200 goes, stay tuned: I’ll provide more information about this update as soon as it becomes available.
Wow! Two out-of-cycle update postings for Windows in the same month, after 18 months with no updates except for Patch Tuesday releases. What does it all mean?
It’s difficult to make the most of a modern Windows desktop in an enterprise environment without dealing with Group Policy, and the many objects (usually called GPOs) used to implement and enforce Group Policy in the Windows environment. Group Policy has tons of functionality that is both very broad and really deep. Want to lock down the Windows desktop? Try some GPOs. Need to limit application, utility, and Control Panel access? GPOs can do that, too. Want to automate and script desktop and application deployment? GPOs can help! And so forth, and so on, nearly ad infinitum. For those seeking information, advice, examples, and troubleshooting help with GPOs, I recommend these two books:
Jeremy Moskowitz: Group Policy: Management, Troubleshooting, and Security: For Windows Vista, Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library), 4e, Sybex/Wiley, April 9, 2007, ISBN-13: 978-0470106426.
The first of these two books is part of the excellent Mark Minasi Windows Administrators Library (a Sybex book, which is now a Wiley imprint). Jeremy Moskowitz did the honors here–he’s a well-known and respected writer on Windows administration topics–and his book focuses on nuts-and-bolts information for working with GPOs in various Windows operating systems, including Vista, Windows Server 2003, Windows XP, and even Windows 2000. It provides good coverage of Vista and XP security topics, desktop lockdown and control, application management, MS Office topics, deployment scenarios, GPO scripting, and even how to set up and manage roaming profiles for XP and Vista desktops. ($31.49 at Amazon)
Derek Melber: Windows Group Policy Resource Kit: Windows Server 2008 and Windows Vista, Microsoft Press, March 15, 2008, ISBN-13: 978-0735625143.
I had the good fortune to work with Derek on several editions of the Exam Cram titles on Windows XP, and got to know and respect his knowledge and skills in working with all aspects of Microsoft desktop operating systems, including GPOs. His Microsoft Press book is a bit shorter than Moskowitz’s offering, but none the less valuable for its more focused coverage of the subject matter. I find the Moskowitz book to be better when troubleshooting GPO issues or mysteries, but this book to be a better general reference and how-to when it comes to implementing GPOs for enterprise use. Melber certainly hits all the key topics related to GPOs in this book, including automating typical administrative tasks, handling policy enforcement, working with system updates and software installations, dealing with security services and settings, and centralized management and control of GPOs. You’ll also find a CD included with the book that offers some nice utilities and various kinds of GPO planning and design aids. Definitely worth the price of admission ($31.49 at Amazon).
Vista admins seeking a good reference book would do well to acquire Melber’s Resource Kit; those looking for a great GPO troubleshooting resource should turn to Moskowitz instead. Me? I have both books, because I need a good reference, and I also appreciate (and use regularly) Moskowitz’s troubleshooting help and his many good examples.
Whenever you install a service pack on a Windows machine, it’s not unusual for it to leave plenty of files strewn about the system disk in its wake. What’s unusual about Windows Vista SP1, however, is that it includes its own clean-up utility.
If you run it after performing an SP1 install it can recover somewhere between 1.2 and 2.0 GB of disk space from your hard disk. That’s the upside. If you elect to use this utility, however, the SP1 install becomes irreversible (unless you can restore a backup that includes those missing files) and you can’t roll back if you want or need to. That’s the downside.
Because I now make daily backups, the prospect of losing those files didn’t scare me too much. I went ahead and ran it, and have yet to experience any ill effects as a result. Here’s how to use this utility:
1. Open a command window inside Vista (I usually just type cmd into the search box in the Vista Start menu to do this).
2. Type the program name for the SP1 cleanup utility:
3. Wait for the utility to complete.
Here’s a screen dump of what you’ll see as that process completes, rendered in plain text for easy readability:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved
This operation will make Windows Vista Service Pack 1 permanent on this computer.
Upon completion you will not be able to remove Windows Vista Service Pack 1 from this system.
Would you like to continue? (Y/N): y
Performing Vista Service Pack 1 Disk Clean-up...
Windows Vista Service Pack 1 Disk Clean-up completed.
On my PCs, space savings from running the command amounted to just over 1.2 GB, and took less than a minute to complete. If you’ve been using SP1 for a while and no longer need to roll back, or are ready to commit to this new Service Pack, feel free to use this utility to clean up the dross that will otherwise hang around on your hard disk forever afterward. What a treat to have Microsoft provide a tool to clean up after itself!
Normally, Microsoft reserves its security patches, fixes, updates, and other software tweaks and maneuvers for the second Tuesday in each month, aka “Patch Tuesday.” Yesterday afternoon I was somewhat surprised to see various sources trumpeting the release of an out-of-schedule security patch through Windows Update on the fourth Thursday in October.
As described in Knowledge Base article 958644 and MS Security Bulletin MS08-067, this update addresses a vulnerability in the Windows Server service. The Server service is a critical portion in any modern Windows OS that responds to incoming network communication requests; it has been part of the Windows kernel since the LAN Manager days. In fact, this service is called the LAN Manager Server in the “Server service configuration and tuning” article (KB 128167). It’s also managed via a Registry key named LanmanServer in the HKLM\SYSTEM\CurrentControlSet\Services sub-tree.
In short, the Server service is so entrenched in Windows operating systems that even Windows Server 2008 installations that lack a GUI–the so-called “Server Core” minimalist version–can fall prey to this vulnerability. That explains why every Windows OS from Server 2008 and Vista, to Windows XP, Windows Server 2003, and Windows 2000, in 64- and 32-bit flavors, and server and workstation versions, where applicable, is included in this security update.
Why all this hoopla? According to Brian Livingston’s Windows Secrets Newsletter, “this is the first time in 1-1/2 years that Microsoft has released an emergency fix outside of its monthly Patch Tuesday cycle.” The reason is that Microsoft discovered an RPC (remote procedure call) attack that could propagate around internal networks and the Internet with no user action needed to help it spread. Modern versions of Windows that predate User Account Control (UAC), such as XP, Windows Server 2003, and all flavors of Windows 2000, are especially susceptible to this vulnerability. At the same time, most AV vendors have also released updates to defend against this kind of attack, but Livingston’s newsletter reports “there are already nine different strains of viruses” that seek to exploit this vulnerability.
As with other patches that replace kernel files, Windows will request you to restart your PC after the patch is installed. In writing the story on this RPC vulnerability for the Windows Secrets Newsletter, writer Susan Bradley also urges administrators and users to reboot their PCs before installing the patch, just to make doubly darn sure the machine will reboot properly once the patch has been installed (the update process requires a successful restart/reboot for the patch to be completely and properly applied). Then when you reboot the machine after installation, you can be reasonably sure it will complete the installation process following a second successful restart.
If you haven’t already installed this patch, please do so now. It only replaces a single Windows file–namely Netapi32.dll–and is therefore unlikely to cause any incompatibility problems, either for server or desktop machines.
Like it or not, sometimes applications wind up on Vista desktops that have to go. Either they’ve been replaced with something different, newer, or better, or they never should have been there in the first place. Count yourself lucky if a program’s uninstall utility does a thorough job of removing its traces from the file system, the desktop, and the Windows registry. My own informal testing with hundreds of Vista apps indicates that about every other one does a decent or better job of cleaning up after itself, with no additional clean-up required. That’s not lucky enough to justify buying a lottery ticket, in other words, but it is lucky enough to guess “Heads or tails?” in a friendly coin toss.
What to do when applications leave detritus behind? This can include orphaned icons, orphaned file associations, files and folders in the %SystemDrive%\Program Files folder, and all kinds of odd and interesting leftovers in the Windows registry. Occasionally, you may even find helper or support applications left behind (such as various types of viewers, players, or other software the program uses to display certain files, but may not remove from your system even though it cleans up its own code quite nicely), and so forth. The answer to this dilemma depends on which installer the program uses, and what kinds of tools you’ve got at your disposal.
Let me mention two particular items of interest in this context:
- Revo Uninstaller
A free, handy, and quite usable tool that even offers various levels of post-vendor-uninstall-cleanup for you to choose. Basically, you use this tool to launch a program’s built-in uninstaller from inside this program. Revo Uninstaller watches what that program does, then checks the file system and the registry for you to remove additional remaining traces after the built-in program does its job. I’ve been using it for a couple of years now, and it’s a capable and well-maintained tool (they post updates on a regular basis, sometimes as often as once or twice a month). Grab it at www.revouninstaller.com. For a more complete review of this tool see my recent article “Should Software Makers Clean Up After Themselves?”
- Windows Installer Cleanup Utility
This tool comes from Microsoft, the same folks who created the Windows Installer, and the most likely party to use this tool for installing software (though you do find a fair number of third-party utilities that do likewise). It only works with programs that use the Windows Installer to install themselves, but it is able to clean up after incomplete or failed installs that originate with that tool. MS Help and Support provides information about and access to this tool in their “Description of the Windows Installer Cleanup Utility” article (KB290301). Please note that this tool will not clean up mangled Microsoft Office 2007 installs, and if the Windows registry’s Windows Installer configuration management data gets munged, you may be likewise out of luck.
If you run into problems or issues with these tools, there are plenty of commercial uninstaller programs that work on Vista. Fortunately for my own Vista machines, I’ve yet to encounter an uninstall problem that one or the other of these tools can’t handle. That said, if you have any experience or favorites you’d like to share, please post a comment to this blog and let us all know. I’ll keep an eye out, and review such items as attract glowing mention and my own fancy.
I recently stumbled across a hitherto unknown gem inside Windows Vista–to me, anyway. It’s called a “System Health Report” and it provides a pretty comprehensive view of a Vista system’s state, status, and current behavior. To my surprise it comes from the same facilities that support the System Reliability Monitor (see my blog “My Love-Hate Relationship with System Reliability Monitor” for my take on this built-in Vista facility) and generates a report on all major components and subsystems on the Vista PC it targets.
Here’s how to launch this facility:
- Click Start, type Performance into the Vista search box, then select Performance Information and Tools.
- Click Advanced Tools in the left panel.
- Click Generate a system health report.
At first, you’ll see a display that lets you know the program is gathering data.
Once the data-gathering phase is complete, you’ll see an overview report appear instead. It offers details in a number of areas, including Diagnostic Results, Software and Hardware Configuration, and details for CPU, Network, Disk, and Memory, as well as Report Statistics. The overview report looks pretty innocuous, but you can click the arrow to the right that’s associated with any item on the left to start digging into the details.
Here, you can see the various warnings that my Vista machine collected as I ran this report. These reflect my having turned User Account Control (UAC) off on this machine, and the interesting failure of Spyware Doctor with Antivirus to register either of those components–antivirus and antispyware, that is–with the Microsoft Security Center on this machine. In this case the former is a deliberate choice, and the latter a known issue (though Spyware Doctor maintains updated signatures and software as it’s supposed to, so there’s no real cause for concern here).
If you manage a large number of Vista desktops, you may be interested to learn that this facility dovetails with products that include System Management Server or System Center Essentials to enable daily health reports to be e-mailed from each machine to a mailbox for subsequent analysis and review.
For some more good information on working with this facility in Vista, see “Scenario 6: View a diagnosis report” in the Windows Vista Performance and Reliability Monitoring Step-by-Step Guide on TechNet.
For the next couple of weeks, I’ll be digging into issues related to application compatibility for organizations and enterprises considering the move to Windows Vista. For such outfits, one of the most important and pressing concerns that surround a migration has to be application compatibility, which should perhaps be pithily restated as “Will my apps work with Vista?”
Microsoft is keenly aware of this potential hurdle, and has devoted considerable time, energy, and resources to creating tools, guides, and processes for assessing application compatibility. In some upcoming blogs, I’ll take a closer look at that company’s Application Compatibility Toolkit 5.0, aka ACT. In this blog, I begin the overall process of assessing application compatibility by describing that process as Microsoft sees it, and pointing to some papers, resources, and how-to’s that the company has put together to help companies and organizations see their way through it. Much of the information you’ll find here, in fact, is summarized from the company’s paper entitled “Getting Started with Application Compatibility in a Windows Deployment” (PDF document, 301KB).
In a nutshell, the process works like this:
- Collect information about current applications in use.
- Prioritize and rationalize applications worth testing for compatibility, and supporting after Vista deployment.
- Test a finalized list of applications in priority order as need dictates, and resources permit.
- Mitigate issues to make applications workable or replace them as necessary (Or as MS puts it: “remediate, upgrade, mitigate, retire”).
Centrally managed environments that have established standard desktop configurations and that control the applications allowed to run on those desktops will have the easiest time of the inventory stage. ACT includes an inventory tool, in fact, for environments that don’t already maintain one (such as Microsoft Desktop Optimization Pack for Software Assurance, Microsoft System Center Configuration Manager 2007, or SMS 2003). The idea is to put together a comprehensive list of every application and version in use on enterprise desktops.
The next step, which MS delicately labels “prioritize and rationalize” is the tricky one. This really means choosing standard versions for apps in use across multiple versions (what MS calls “application relevancy”). It also means choosing a single app when more than one is used to do the same job (such as multiple productivity suites, video editing tools, and so forth; MS calls this “application redundancy”). Finally, it means getting rid of unauthorized applications or those that, as MS puts it, “are irrelevant to the day-to-day work being done in your organization.”
After the winnowing process is done, there will be fewer applications to deal with. This is the point at which prioritization occurs, based on the relative importance of the remaining applications within your organization. Often, this means tossing names into buckets that might be labeled:
- Business Critical: essential to ongoing business operations. SLA response
- High Priority: perform vital roles in some departments or across the organization. SLA response
- Important: used frequently but won’t cause work stoppages if it fails. SLA response
- Optional: Approved applications in limited use not directly related to business functions. Not covered by SLA, and receive “best-effort” IT response.
The categorization process also involves identifying applications essential for business or operations to proceed, and for typical job roles to be enacted. Prioritization within buckets requires management buy-in and means tackling items from the top down, once there’s agreement on what’s on top, and how items are ordered from there.
Next comes application testing, which is where you’ll decide which applications can be made to work, and which ones may need to be retired and replaced. Ultimately, the idea is to work toward a collection of software components that get the necessary work done and that also work properly with Vista. More on this in my next blog!
For more ACT resources, check out:
- Just Released: Application Compatibility Toolkit (ACT) 5.0.3
- ACT 5.0 Deployment Guide
- ACT 5.0 Step by Step Guides
- TechNet Webcast: Making Windows Vista Application Compatibility Testing More Predictable
- Webcast: Debugging for Application Compatibility Issues with Chris Jackson (interested readers should also check out Jackson’s Blog)
- Windows Vista Application Compatibility Training Recordings
In a perfect world, IT professionals wouldn’t have to worry about application compatibility issues: everybody would already have embraced the latest versions of Visual Studio (2008) and the .NET Framework (3.5), and all code would run on Vista seamlessly and unhindered. Yeah, right! In the real world, however, all kinds of interesting code still runs, and needs to keep running, be it orphaned, legacy, unsupported, or whatever other trouble-making adjectives might apply to same. All of this conspires to make Application Compatibility a real concern for Windows Vista administrators, if not something of a “dirty word” to that doughty community. In my next series of upcoming blogs, I intend to dig into this subject from a number of different points of view, and examine some important tools and resources available to Vista admins to help them tackle and handle the sometimes tricky tasks of assessing, testing, and where possible, forcing applications to work properly on Vista desktops.
To kick off this discussion, I want to point at a Web page in the Microsoft Technet Windows Client TechCenter. It’s entitled “Application Compatibility and User Account Control” and provides all kinds of tools, information, and material to help IT professionals and managers deal with application compatibility issues at all conceivable levels.
The key resources portion of this page itemizes some interesting elements, some of which I’ll cover in more detail in upcoming blogs:
- the Microsoft Application Compatibility Toolkit (ACT)
- the Windows Vista Compatibility Center (covers both hardware and software, in fact)
- the Application Compatibility Factory (ACF)
You’ll also find some fascinating discussions of “software shims” (small bits of custom-crafted software designed to fit between (older) applications and (newer) operating systems) in a paper called Managing Shims in the Enterprise with an accompanying Stock Viewer Shim Demo Application.
As you deal with application compatibility issues with Windows Vista, don’t forget its own built-in Program Compatibility wizard (you can launch this by typing
at the command line). This lets you select a program target, then choose from a list of other Windows versions that Vista can emulate (Windows 95, Windows NT 4.0 SP5, Windows 98/Me, Windows 2000, Windows XP SP2, and Windows Server 2003 SP1), select a display mode, and run with administrator privileges to see if it works as needed or not. Only if you exhaust the various possibilities that this wizard offers without solving your compatibility problems should you dig into the other topics I’ll cover in my upcoming blogs on more advanced application compatibility topics and tools.
Even in enterprise situations where IT professionals will disable Windows Update on desktop and server machines, in favor of staging updates to test machines in the background, and using their own deployment tools and techniques to roll them out, there will be occasional problems in downloading or installing updates from the Windows Update servers. I’ve learned two valuable techniques to help overcome these problems as and when they occur.
Unable to Access the Windows Update Server
After a clean Vista install, and after installing Service Packs on reference builds, you will occasionally encounter an error message that reads “Windows Update Error 87002EE2: Unable to access Windows Update.” The help link that accompanies this error information includes lots of potentially useful information to help resolve the various possible causes for this error, but I’ve observed that adding the following URLs to the Trusted Sites list in Internet Explorer usually resolves this problem:
Please consult KB836941 for more information and troubleshooting tips for this situation.
When individual updates fail to install automatically, look for standalone installer versions
Discriminating admins will notice that all Windows Updates make reference to related Microsoft Knowledge Base articles, in a form that looks like KB, where is a 6-digit number. Invariably, digging up the relevant article will also include a link to the Microsoft Standalone Installer version of the same update that Windows Update delivers in slightly different binary form. Simply inserting the six-digit KB article number into this string should take you right to that document: http://support.microsoft.com/kb//en-us (replace with the actual number).
In most cases, you can package up the self-installing update for deployment to client machines after you’ve tested and approved it for general release. It will need to be embedded inside a script to force the installer to run, but this shouldn’t present too many difficulties (I’ll cover this activity in another upcoming blog).
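One way to script the standalone-installer step described above, as an added example (not the author's or Microsoft's own code). It goes a little beyond the text by skipping machines that already report the update and by checking the package's Authenticode signature before running it; the `$MsuPath` and `$KbId` parameters and the function names are assumptions for illustration.

```powershell
# Added example (not from the original post): verify, then silently install,
# a standalone update package that has already been tested and approved.
param(
    [Parameter(Mandatory = $true)] [string] $MsuPath,  # assumed: path to the downloaded .msu
    [Parameter(Mandatory = $true)] [string] $KbId      # e.g. 'KB958644' (MS08-067)
)

function Test-UpdateInstalled {
    param([string] $Id)
    # Get-HotFix raises an error when the ID is absent; treat that as "not installed".
    return [bool] (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-PackageSignature {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') { return $false }
    # Coarse publisher check on the signer's subject name.
    return ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Install-StandaloneUpdate {
    param([string] $Path)
    # wusa.exe is the Windows Update Standalone Installer that handles .msu files.
    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $proc = Start-Process -FilePath $wusa `
        -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    return $proc.ExitCode
}

function Convert-WusaExitCode {
    param([int] $Code)
    switch ($Code) {
        0           { 'Installed' }
        3010        { 'Installed, restart required' }
        2359302     { 'Already installed' }
        -2145124329 { 'Not applicable to this system' }
        default     { "Failed (exit code $Code)" }
    }
}

if (-not (Test-Path -LiteralPath $MsuPath -PathType Leaf)) {
    Write-Error "Package not found: $MsuPath"
    exit 2
}
if (Test-UpdateInstalled -Id $KbId) {
    Write-Output "$KbId already present on $env:COMPUTERNAME; nothing to do."
    exit 0
}
if (-not (Test-PackageSignature -Path $MsuPath)) {
    # Never hand an unsigned or tampered package to an elevated installer.
    Write-Error "Signature check failed for $MsuPath; refusing to install."
    exit 3
}

$code = Install-StandaloneUpdate -Path $MsuPath
Write-Output ("{0} on {1}: {2}" -f $KbId, $env:COMPUTERNAME, (Convert-WusaExitCode -Code $code))

# Report success to the calling deployment tool for the three benign outcomes.
if (@(0, 3010, 2359302) -contains $code) { exit 0 } else { exit 1 }
```

Run it elevated, and schedule the restart separately, because `/norestart` suppresses the reboot that the update needs to finish applying.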