anyweb

Root Admin

Everything posted by anyweb

  1. As geeks, we're well aware of the importance of running as a normal user instead of as root (UNIX/Linux/BSD) or administrator (Windows). However, while this should be common knowledge to anyone reading OSNews, it's often hard to illustrate just how important it is - until now, that is. A report by BeyondTrust looked at how many security bulletins issued by Microsoft are mitigated by simply... Not running as administrator. Despite the advances made by Microsoft on securing Windows, the fact of the matter is that the first user created on a new system is always administrator. This means that many (most?) Windows users out there are running as administrator, and as BeyondTrust's report shows - that's incredibly insecure. Of the total amount of security vulnerabilities put out by Microsoft in 2009, across all versions of Windows and Office, 64% are mitigated by removing administrator rights. Microsoft published 190 security vulnerabilities last year, and 121 of them are thwarted by running without administrator rights. Breaking it down per product, the figures become even more interesting. Microsoft reported 55 Office vulnerabilities in 2009, and all of them are mitigated by removing admin rights. Of the 33 Internet Explorer issues reported, 94% were thwarted by removing admin rights. For Internet Explorer 8, 100% would be. If we restrict the vulnerabilities to just Windows, we see that 53% can be mitigated by not running as admin. The threat of the most severe type of vulnerability, the ones that would allow remote code execution, can be greatly reduced by not running as admin: 87% of them are ineffective when you do not run as administrator. These figures show us exactly what we already knew: running as administrator is stupid, and asking for trouble. All the more reason for Microsoft to finally abolish that quaint custom of making the first user an administrator. via > http://www.osnews.com/story/23088/64_of_MS_Vulnerabilities_Mitigated_by_Removing_Admin_Rights
  2. if you want to use the unknown computer feature of R2 then you'll need to advertise some task sequences to the Unknown Computers collection, if you make them optional then you'll get a list to choose from
  3. Microsoft recommends keeping sql on box so i wouldn't move it, you can adjust the amount of RAM sql eats if you want help with that i'll tell you, as regards your other problem, are we talking one boundary here or more than one ? and more than one site ?
  4. MDT uses the ztitatoo script to do something very similar, have you looked into that and looked into integrating mdt into sccm ?
  5. if you disable antivirus software on that bdp does it work then ?
  6. as Kinom correctly says you need SCCM 2007 sp2, more details here http://www.windows-noob.com/forums/index.php?/topic/1475-operating-system-deployment-support-in-sccm-2007-sp2/
  7. just install the SCCM Admin console on a computer and do it there, have you tried that ?
  8. adding variables using Create Task Sequence Media (standalone)
  9. and don't forget there's here too ! http://www.windows-noob.com/forums/index.php?/topic/1660-customising-windows-7-deployments-part-1/ (Changing the keyboard layout using unattend.xml) and http://www.windows-noob.com/forums/index.php?/topic/575-what-is-windows-sim-and-how-can-i-use-it/ cheers
  10. Configuring the Client's Firewall:- If the configuration Manager client is NOT INSTALLING on your clients then verify that the firewall rules are set to allow SCCM traffic, or disable the firewall for testing... Next step > Create a package and then a program and advertise it to a collection and then distribute it The guide covers:- Creating the Package Creating a Program for the package Advertising the Package Creating and updating distribution point
  11. yes it's possible to start over fresh but don't reuse the site code cheers niall
  12. Screenshots of the Configuration Manager client Below are some screenshots of the Configuration Manager client installed using this guide on a Windows Vista Ultimate machine (test-pc). Here's the control panel with some new icons from SCCM and here is the Configuration Manager client General tab the components tab... the Actions tab... the Advanced tab... If you have pushed out the client install and you don't see the Configuration Manager listed in control panel, then make sure you are doing the client push installs with a user that has local administrative rights on the client pc, plus for troubleshooting check c:\windows\system32\ccmsetup and look at any LOG files present for errors.
  13. I've added the first webcast now, please check it out and tell me what you think ! http://www.windows-noob.com/forums/index.php?/topic/1885-webcast-%23-1-using-offline-mode-in-windows-pe/ cheers niall
  14. did you at any stage create a client from definition package ?
  15. hi all, I'm very proud to present windows-noob.com's first webcast, please let me know what you think. I know a lot of you have asked for more details and clarification so here it is, it's Offline Mode in Windows PE and references the following post. I hope the webcast brings some clarity into how the process works in SCCM. You can download the webcast here: Offline Mode in WinPE - offline_mode_full.wmv (65mb) please leave feedback about the webcast here and if you have any special requests then post them in this section of the forum, thanks to my eldest son Christopher for giving me some help with Windows Movie Maker. more webcasts coming soon, cheers niall
  16. in your site settings, how are your boundaries setup for this site ?
  17. are you sure you pasted all of it in the right place ?
  18. 1. Do I only need to add the .inf Files to the boot images (what about the cab and other Files)? the driver import will take what it needs only (usually the infs) 2. I added a .exe File to my SCCM2007 SP2 that's supposed to include the NIC driver from Intel: Network Adapter Driver for Windows Vista on Intel Site which is supposed to be esx compatible as this guide says. But these are Applications and no .infs. how do i get the infs (if really needed) out of the application instead of running it? if you are using SP2 then for boot images use windows 7 network drivers, for SP1 use windows vista drivers, if you have an exe with drivers in it then extract the drivers using whatever silent install switch came with the drivers (what hardware supplier was it ?) remember that there are two sets of drivers we are interested in here, * drivers for our boot.wim files (they will be only vista or windows 7 based and only network or storage) * drivers for the OS we are deploying, which could be xp, vista, server 2003/2008, windows 7 3. Aren't there drivers in the Windows 7 .iso Files? yes but not for all hardware, so adding network drivers is common, dell for example provides driver packs for their latest models for configmgr, just import the lot to support an entire family of products like Dell E Series 4. In the "How can I deploy Windows Vista"-Section you are mentioning an SMSInstall account. Is it equivalent to the SMSread or SMSadmin Account we had to create for Windows 7 Deployment? yes SMSread is the same as SMSInstall, basically a 'user', whereas SMSadmin would have special administrative permissions, for example a local administrator on the sccm server..
  19. you do raise some interesting points, and i'm interested to see where you get with this however, for me client push *manually via wizard or site wide* would be my preferred way, you do realise you don't have to take the firewall down but just to add the following exceptions on the client ?
  20. great info, thanks for sharing, keep me in the loop cheers niall
  21. using MDT 2010 integration in SCCM 2007 SP2, if you right click on boot images and choose Create MDT boot image you will see a wizard, this is one of the screens (summary), note the reference to PowerShell and NetFX I believe these options are coming in a future release of .... MDT ? but we have to wait and see, currently using the wizard there is no method of enabling them to 'True'
  22. here's another way, using a registry hack, thanks to Stefan for that http://www.msfaq.se/?p=189
  23. some updates take time to appear in the console and some won't appear at all based on your selection criteria for the software update component Classifications and Products choices
  24. The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: March 1, 2010 at the top of the topic. This month's updates incorporate customer feedback and What's New in the Configuration Manager Documentation Library for March 2010, which lists all the topics that are new or contain significant technical changes since October 2009. Look out for an announcement to download this with the Configuration Manager 2007 Help File Update Wizard, so that you can run the help file, SMSv4.chm, locally. In addition to the summary of changes, we've also made some revisions based on customer feedback. In particular, we've focused on topics relating to the client - from discovery, to client installation (especially client push) and requirements for clients in another forest, and Windows Embedded devices. We do value customer feedback and try to incorporate it when possible. Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement. So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.