Last week I had some issue’s with connecting to corporate network by DirectAccess. The System Log pointed me tot the following: Event ID: 1023 Source: DNS Client Events. Name resolution policy table has been corrupted.

For some reason, the rules that come from DA GPOs had been duplicated. The originals from GPOs were named as “UAGDA Rule1” to “UAGDA Rule3” and the duplicates were named simply “Rule 1” to “Rule 3”  (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig).

By removing the duplicate rules and restarting the DNS Client service name resolution was solved. After establishing a “legacy” VPN connection to our corporate network I refreshed Group Policy and voíla, everything (DNS name resolution and DA) is working again.  Netsh name show effective shows the correct entries and only the same 7 entries exist in the registry under DNSPolicyConfig

Windows 7 Direct Access Troubleshooting

During TechDays 2011, John Craddock presented two great sessions DirectAccess Under the Hood and How to troubleshoot DirectAccess. These sessions are actually a redelivery of TechEd Berlin 2010. During the session of Troubelshooting DirectAccess I was pointed to a default built-in Windows 7 capability troubleshoot DirectAccess, which was new for me. This capability might handy for ‘ default’ end-user additonal to DirectAccess Connectivity Assistent  (DCA) (Control Panel\All Control Panel Items\Troubleshooting\Network and Internet\Connection to a Workplace Using DirectAccess)

Sources

• Introduction to the NRPT
• IPv6 and DirectAccess Troubleshooting Cheat Sheets
• Social Technet

This Microsoft IT Showcase slide gives you an overview how Microsoft secures its data. Maybe little bit outdated but still informative to get a picture of the high-level basics how to secure your corporate data.

How to Discover 16-Bit Applications Before Migrating to 64-Bit Versions of Windows 7
By Andreas Stenhall, Microsoft MVP — Windows Expert – IT Pro

When companies migrate to Windows 7, most of them look at deploying the 64-bit version of Windows 7. The x64 architecture of Windows does not support running 16-bit applications as the 32-bit version does. Unfortunately, 16-bit applications are still widely in use—even though you might not know it.

You can use the Microsoft Application Compatibility Toolkit (ACT) to take an inventory of all applications on your client machines. This is a great way to find applications when migrating to Windows 7. The ACT inventory does contain information about 16-bit applications that are still on client computers and being used in your business, but there is one slight challenge.

Application Compatibility Manager, which is part of ACT, does not provide a way to view these applications in the graphical user interface, so you have to do a SQL query using Microsoft SQL Management Studio Express tools.

1. Perform an inventory of applications using Application Compatibility Toolkit.
   
2. Install SQL Management Studio Express.
   
3. Connect to the database and run the following query, which will return a list of potential 16-bit applications; it will list all applications that are not 32-bit or 64-bit. (Note: You will need to replace “ACTDATABASE” with the name of the ACT database that you have.)USE ACTDATABASE
   GO

   SELECT DISTINCT Applications.appName, Static_App_Properties.fileName, fileModuleType
   FROM Static_App_Properties
   INNER JOIN Application_Instance_Files
   ON Static_App_Properties.identity_hash = Application_Instance_Files.filePropertyID
   INNER JOIN Applications
   ON Application_Instance_Files.appID = Applications.identity_hash

   WHERE fileModuleType<>’32BIT’ AND fileModuleType<>’64BIT’ AND propertyType=’File’
   ORDER BY appName
   GO

The above query will return a list of applications that need investigation and testing very early in the process of migrating to Windows 7. For example, applications listed as Windows on Windows (WOW) or DOS applications will and/or might indicate a 16-bit application that you should prioritize to test and handle as necessary. You will also see any batch files or command files that have been inventoried; you will need to verify whether these will work with Windows 7.

Options for Dealing with 16-bit Applications
If you find 16-bit applications that your business needs to keep when you migrate to Windows 7, you might virtualize them with presentation virtualization technologies such as RemoteApp or Remote Desktop Services, or you might use virtualization technologies such as Microsoft Enterprise Desktop Virtualization (MED-V) to expedite the migration to the 64-bit version of Windows 7 while keeping the legacy 16-bit applications running. Under the best circumstances, all 16-bit applications would be replaced by more modern software, but experience has shown me there are many factors that keep this from happening.

Happy hunting for 16-bit applications!

Andreas Stenhall works as a deployment specialist at Knowledge Factory in Sweden and specializes in Windows customization and deployment. He is deeply involved in the Swedish community alltomwindows.se and also maintains an English-language blog for IT professionals. Andreas has repeatedly been awarded with the Microsoft Most Valuable Professional award for “Windows Expert – IT Professional” for his dedicated work and involvement in the community.

Download a printable overview of Windows 7 deployment options for small and midsize organizations that includes the advantages and limitations of each option.

Explore the different options for deploying Windows 7 in a small or midsize organization. This print-ready poster from the Springboard Series for Windows 7 features an overview of each method, details on advantages and limtations, basic requirements, and helpful links to additional tools and guidance. You’ll also find a helpful step-by-step overview of the Windows 7 deployment process.

Download the handy overview in PDF, XPS or VSD here

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason both Infrastructure and Intranet tunnels are not established. When walking through the Advanced Firewall configuration I noticed that Internet Protocol security (IPsec) tunnel mode security associations (SAs) were not initiated. After some searching if found a post on Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones if found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state and noticed that Direct Access Settings is misconfigured. The NRPT is configured using the DirectAccess Setup wizard. You can configure the rules also directly by yourself but take into account these settings are overridden when running the DirectAccess wizard!

Check the following regkey: HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\EnableDAForAllNetworks and make sure it is set to 0 and not 2.

The values for the key are shown below

Enable DA for All Networks

Key: Software\Policies\Microsoft\Windows NT\DNSClient

Value: “EnableDAForAllNetworks”

Type: REG_DWORD

Size: 32 bits.

Data: This field is a 32-bit value, which MUST contain one of the following values.

After changing the value I rebooted my Windows 7 client and DirectAccess is working again like a charm J

Sources:

http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/cd924318-12d3-4b27-ad3c-a50320819241

http://msdn.microsoft.com/en-us/library/ff957870(PROT.10).aspx

http://technet.microsoft.com/en-us/library/ee844114(WS.10).aspx

DirectAccess Client Location Awareness – NRPT Name Resolution

Configure the NRPT with Group Policy

Microsoft announces the beta versions of Microsoft Application Virtualization (App-V) 5.0 and a new MDOP product Microsoft User Experience Virtualization (UE-V) are now available for download from
Microsoft Connect.

UE-V is an enterprise-scale user state virtualization solution that delivers a user’s personal Windows experience across devices, is simple for IT to deploy, and easily integrates with existing management tools.

Some of the main features of UE-V are:

• Users retain their application experience without having to reconfigure applications when they log in from a different Windows instance – regardless of whether it is a rich desktop or virtual desktop session. 
• Automatically delivers a personal experience to Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 8 based devices, giving users the flexibility to work from anywhere.
• If a user accidently applies unwanted changes, IT can simply roll back to the initial state.
• Seamlessly integrates with Microsoft desktop virtualization products to roam the user experience in heterogeneous environments.

 Some of the new features in the App-V 5.0 Beta are:

• Flexible virtualization choices let virtual applications work more like traditionally installed applications, allowing local and virtual applications to communicate and enabling control of which virtual applications can share environments.
• There’s no dedicated drive letter required, and no 4 gigabyte maximum package size. It’s easy for IT to work with and take action on App-V diagnostic information because App-V logs Windows events instead of separate log files.
• Easy and efficient to use in VDI environments, allowing IT to make the best use of expensive disk resources without changing the way they get their jobs done.
• Web-based management makes it easy for busy IT professionals to get their work done while away from their desk.
• Rich PowerShell scripting allows IT to automate repetitive tasks and to integrate App-V with existing processes.

These products will be part of a future version of the Microsoft Desktop Optimization Pack (MDOP).  If you want to learn more about App-V 5.0 and UE-V now, check out the Windows for your Business Blog were we have posted even more information about the products.

Download and try the betas of UE-V and App-V 5.0.

Sources:

http://blogs.technet.com/b/mdop/archive/2012/04/04/microsoft-user-experience-virtualization-and-microsoft-application-virtualization-5-0-betas-now-available.aspx

http://windowsteamblog.com/windows/b/business/archive/2012/04/04/introducing-ue-v-and-app-v-5-0.aspx

This update extends the Key Management Service (KMS) for Windows 7 and Windows Server 2008 R2 to allow enterprise licensing of Windows 8 and of Windows Server 2012. KMS provides support for the following KMS activations:

• Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 (SP1)
• Windows Server 2008 and Windows Server 2008 Service Pack 2 (SP2)
• Windows 8
• Windows Server 2012
• Windows 7 and Windows 7 Service Pack 1 (SP1)
• Windows Vista and Windows Vista Service Pack 2 (SP2)
• Office 2013 (Preview)

MBSA 2.3 Preview has been released on the Client Management Connect site to the ConfigMgr Open Beta community.

MBSA 2.3 release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported with this release. The final release of MBSA 2.3 is expected to be available in Fall 2013.

You can download MBSA 2.3 Preview here.

As Microsoft announced on September 23rd updating their Windows Intune cloud service which will be available October 18th I thought it might be interesting having a closer look what is going-on after installing the Windows Intune client agents software.

In this post I will cover the following points of Windows Intune. Enjoy

• Windows Intune Client Software
• Windows Intune Software Components
• Windows Intune Log Files
• Windows Intune Registry
• Windows Intune Services
• Windows Intune Operation Manager
• Windows Intune Endpoint Protection
• Windows Intune Task Scheduler
• Windows Intune Center
• Windows Intune Service Endpoints

Windows Intune Client Software

The Windows Intune client software can be downloaded from the Windows Intune Administrator console and can installed manually, by group policy or Configuration Manager.

When you enroll a client computer in the Windows Intune service, Windows Intune schedules the download and installation of additional agents, applications, and components to the client computer. These agents, applications, and components are updates to the initial Windows Intune client enrollment software package. After the Windows Intune client software is installed on client computers, the Windows Intune agents communicate with the Windows Intune service to provide the service with data about the clients.

Software Components

Log Files

The log files for Windows Intune software components can be found at C:\Program Files\Microsoft\OnlineManagement\Logs\. This will be your start point in case of a troubleshooting.

Registry

The configuration of the Windows Intune client software is based at HKLM\SOFTWARE\Microsoft\OnlineManagement. Here you can find all Windows Intune settings.

Services

By installing the Windows Intune client agent and related Windows Intune components new services will be installed to your system. Below the services identified by installing Windows Intune client agent.

Operations Manager Agent

As mentioned before with the Windows Intune client software installs additional components including an Operations Manager 2012 SP1 RTM agent (7.0.9538.0). The management group used for Windows Intune is Intune. The management server configured is IntuneServer.

The configuration of the Operations Management agent can found as we used by a Operation Manager Agent at HKLM\SOFTWARE\Microsoft\Operations Manager\3.0

Interesting part are the management packs (39) which are used for monitoring you client systems. Below an overview of the management packs which are installed as part of the Windows Intune deployment.

Endpoint Protection

Depending if you configured Windows Intune Policies automatically deploy Windows Intune Endpoint Protection this client will be installed.

By default Windows Intune Endpoint Protection will not be deployed automatically. Furthermore you can configure the behavior what to do with you correct Antivirus solution (uninstall, upgrade, etc)

Task Scheduler

By default Microsoft.OnlineManagement.UpdateTask scheduled task is created and triggers the Windows Intune Updates Client. This task is scheduled daily and detects whether new updates are available.

This process can be triggered manually through the GUI or initiated by command prompt.

· %programfiles%\Microsoft\OnlineManagement\Updates\Bin\omupdclt.exe /detectnow

· %programfiles%\Microsoft\OnlineManagement\Updates\Bin\omupdclt.exe /updatenow

Client Center

The Windows Intune Client Center can be used whether applications are available through the Company Portal, check for new updates, initiate a system scan or contact your service desk or initiate a Remote Assistance session.

Service Endpoints

There is not such information available (or just I couldn’t find it) how the Windows Intune client agent is communicating to Windows Intune cloud services. At high level the Windows Intune client agents receives policies, software and many more bases on Windows Updates from Windows Intune Cloud services.

The opposite way the Windows Intune client agents communicates based on REST API endpoints/web services to the Windows Intune cloud servers. These web services are used for authentication purpose, uploading inventory-, events, etc.

In HKLM\SOFTWARE\Microsoft\OnlineManagement\…\ServiceEndpoints you find the endpoints used.

What´s new in Intune?

As mentioned before Microsoft is currently upgrading there Windows Intune cloud service platform which introduces new features and capabilities.

Simplifying these into real world actions quickly clarifies what we get in Intune R2, and also highlights the investments in Windows Server 2012 R2 and Configuration Manager 2012 R2:

• Delivering a seamless interface for users to registered devices to access organization data, while enabling IT Pros to gain more granular control over these device settings, ensuring they become compliant with your policies
• Offering a consistent experience for your users to discover your organizations services, and subscribe to the services which you offer, across all of their resisted devices.
• Unified experience for publishing our applications and services to all devices, regardless of there form factor, location, and whether they be managed devices, or user registered.
• Securing the data on these devices is simplified, simply revoking a registered device will remove access to applications, data and polices from the device.

Sources:

http://technet.microsoft.com/en-us/library/jj662670.aspx

http://uksbsguy.com/blogs/doverton/archive/2011/11/15/log-files-on-each-pc-with-windows-intune.aspx

http://blog.coretech.dk/bfa/windows-intune-client-agent-components/

http://albertneef.wordpress.com/2012/01/12/windows-intune-commands/

http://www.petri.co.il/windows-intune-update-2013.htm

Today Microsoft released an updated version of the Windows Assessment and Deployment Kit. This release of Windows ADK includes new and updated functionality to improve assessment and deployment scenarios including support for Windows 8.1 Update.

To determine what version of the Windows ADK you have installed, go to Control Panel > Programs > Programs and Features. The versions are:

• Version 8.100.25984 is for the Windows ADK for Windows 8.1 RTM
• Version 8.100.26629 is for the Windows ADK for Windows 8.1 Update

Version increments between 25984 and 26629 are updated versions of the RTM release. Version increments higher than 26629 are for the Windows 8.1 Update.

For a complete list of changes, see the Windows ADK Release Notes.

For a list of new features included in the Windows ADK for Windows 8.1 Update, see What’s New in the Windows ADK for Windows 8.1.

Download the latest version of the Windows ADK

source

MBSA 2.3 Preview has been released on the Client Management Connect site to the ConfigMgr Open Beta community.

MBSA 2.3 release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 2000 will no longer be supported with this release. The final release of MBSA 2.3 is expected to be available in Fall 2013.

You can download MBSA 2.3 Preview here.

As Microsoft announced on September 23rd updating their Windows Intune cloud service which will be available October 18th I thought it might be interesting having a closer look what is going-on after installing the Windows Intune client agents software.

In this post I will cover the following points of Windows Intune. Enjoy

• Windows Intune Client Software
• Windows Intune Software Components
• Windows Intune Log Files
• Windows Intune Registry
• Windows Intune Services
• Windows Intune Operation Manager
• Windows Intune Endpoint Protection
• Windows Intune Task Scheduler
• Windows Intune Center
• Windows Intune Service Endpoints

Windows Intune Client Software

The Windows Intune client software can be downloaded from the Windows Intune Administrator console and can installed manually, by group policy or Configuration Manager.

When you enroll a client computer in the Windows Intune service, Windows Intune schedules the download and installation of additional agents, applications, and components to the client computer. These agents, applications, and components are updates to the initial Windows Intune client enrollment software package. After the Windows Intune client software is installed on client computers, the Windows Intune agents communicate with the Windows Intune service to provide the service with data about the clients.

Software Components

Log Files

The log files for Windows Intune software components can be found at C:\Program Files\Microsoft\OnlineManagement\Logs\. This will be your start point in case of a troubleshooting.

Registry

The configuration of the Windows Intune client software is based at HKLM\SOFTWARE\Microsoft\OnlineManagement. Here you can find all Windows Intune settings.

Services

By installing the Windows Intune client agent and related Windows Intune components new services will be installed to your system. Below the services identified by installing Windows Intune client agent.

Operations Manager Agent

As mentioned before with the Windows Intune client software installs additional components including an Operations Manager 2012 SP1 RTM agent (7.0.9538.0). The management group used for Windows Intune is Intune. The management server configured is IntuneServer.

The configuration of the Operations Management agent can found as we used by a Operation Manager Agent at HKLM\SOFTWARE\Microsoft\Operations Manager\3.0

Interesting part are the management packs (39) which are used for monitoring you client systems. Below an overview of the management packs which are installed as part of the Windows Intune deployment.

Endpoint Protection

Depending if you configured Windows Intune Policies automatically deploy Windows Intune Endpoint Protection this client will be installed.

By default Windows Intune Endpoint Protection will not be deployed automatically. Furthermore you can configure the behavior what to do with you correct Antivirus solution (uninstall, upgrade, etc)

Task Scheduler

By default Microsoft.OnlineManagement.UpdateTask scheduled task is created and triggers the Windows Intune Updates Client. This task is scheduled daily and detects whether new updates are available.

This process can be triggered manually through the GUI or initiated by command prompt.

· %programfiles%\Microsoft\OnlineManagement\Updates\Bin\omupdclt.exe /detectnow

· %programfiles%\Microsoft\OnlineManagement\Updates\Bin\omupdclt.exe /updatenow

Client Center

The Windows Intune Client Center can be used whether applications are available through the Company Portal, check for new updates, initiate a system scan or contact your service desk or initiate a Remote Assistance session.

Service Endpoints

There is not such information available (or just I couldn’t find it) how the Windows Intune client agent is communicating to Windows Intune cloud services. At high level the Windows Intune client agents receives policies, software and many more bases on Windows Updates from Windows Intune Cloud services.

The opposite way the Windows Intune client agents communicates based on REST API endpoints/web services to the Windows Intune cloud servers. These web services are used for authentication purpose, uploading inventory-, events, etc.

In HKLM\SOFTWARE\Microsoft\OnlineManagement\…\ServiceEndpoints you find the endpoints used.

What´s new in Intune?

As mentioned before Microsoft is currently upgrading there Windows Intune cloud service platform which introduces new features and capabilities.

Simplifying these into real world actions quickly clarifies what we get in Intune R2, and also highlights the investments in Windows Server 2012 R2 and Configuration Manager 2012 R2:

• Delivering a seamless interface for users to registered devices to access organization data, while enabling IT Pros to gain more granular control over these device settings, ensuring they become compliant with your policies
• Offering a consistent experience for your users to discover your organizations services, and subscribe to the services which you offer, across all of their resisted devices.
• Unified experience for publishing our applications and services to all devices, regardless of there form factor, location, and whether they be managed devices, or user registered.
• Securing the data on these devices is simplified, simply revoking a registered device will remove access to applications, data and polices from the device.

Sources:

http://technet.microsoft.com/en-us/library/jj662670.aspx

http://uksbsguy.com/blogs/doverton/archive/2011/11/15/log-files-on-each-pc-with-windows-intune.aspx

http://blog.coretech.dk/bfa/windows-intune-client-agent-components/

http://albertneef.wordpress.com/2012/01/12/windows-intune-commands/

http://www.petri.co.il/windows-intune-update-2013.htm