THE OFFICIAL BLOG OF THE SBS DIVA

There's one thing I want to bring up that caught my eye regarding the Security Intelligent Report -- volume 8 and that is a graph on page 13:

http://download.microsoft.com/download/4/3/8/438BE24D-4D58-4D9A-900A-A1FC58220813/Microsoft_Security_Intelligence_Report%20_volume8_July-Dec2009_English.pdf

http://www.microsoft.com/security/about/sir/videos.aspx#1

See that blue bar of "Windows update" only?  First off I'm going to ASSume that if you are still on Windows update you are using Shavlik, or BigFix or WSUS or SOMETHING other than manually going to Microsoft update to get your updates.  You are right?  And that's why you still have Windows update as your patch engine on those workstations and servers right?

But if there's a server or a workstation in your domain that is still only going to Windows update and you don't have a third party patching tool ... EXCUSE ME!!!! Have you not been listening to me for the past several years beating you over the head that Windows update JUST updates Windows and Microsoft Update ensures that it scans for all other Microsoft platforms?  That you need to go to Windows update and flip yourself to Microsoft update!

Microsoft offers an extension to Windows Update called Microsoft Update. This service allows you to get updates for other Microsoft products, as well as receive notices of new Microsoft software that you can download and install for free. Here's how to get updates and notices about new software:

1. Open Windows Update by clicking the Start button . In the search box, type Update, and then, in the list of results, click Windows Update.

2. If you've never checked for updates before, in the left pane, click Check for updates. Wait for Windows Update to finish checking for updates.

3. In the Windows Update dialog box, click Find out more under Get updates for other Microsoft products. Follow the steps on the screen to start using Microsoft Update.

4. In the left pane, click Change settings.

5. Under Microsoft Update, select the Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows check box.

6. To get notifications of new Microsoft software, select the Show me detailed notifications when new Microsoft software is available check box.

7. Click OK.  If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

</QP>
Source: http://windows.microsoft.com/en-us/windows7/Change-how-Windows-installs-or-notifies-you-about-updates

Also see Tip #1 at the bottom of this page: http://windows.microsoft.com/en-us/windows7/How-can-I-tell-if-my-computer-is-up-to-date 

But wait... I ain't done raking you over the coals just yet.  I want you to ask yourself about the other stuff.

You'd better have a means to update Adobe Acrobat, Adobe Flash, Sun Java, Quicktime, ITunes and your iPhones, iPads and iWhatevers these days.

If all you are caring about is Windows update and not all the other third party stuff that is on your workstations, man you are a ticking time bomb.

Windows update is not enough.  WSUS is not enough.  Look for a third party patching platform to help you identify all of the software that needs updating these days.

We're going to tweak WSUS to be a bit more proactive in pushing out updates to Vista and Windows 7 workstations.  This only impacts those two platforms and cannot be adjusted for WinXP workstations as this particular policy won't work on XP.

You can either set a separate group policy or adjust the existing one.

We're going to adjust the following:

Turn on recommended updates via Automatic updates

Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service.

When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from Windows Update update service.

When disabled or not configured Automatic Updates will continue to deliver important updates if it is already configured to do so.

First log into your SBS 2008 server (of course you can do this as well on SBS 2003 with WSUS 3) and launch the group policy management console.

Now I would probably adjust the Update Services Common settings policy or the Client computer policy.

Right mouse click and edit and drill down under Computer configuration - then policies - then Administrative templates - then Windows Components

Then scroll down to Windows Updates

Now scroll down to that  Turn on Recommended updates via Automatic updates

 Click enable and then apply

The .NET known issues section was updated tonight:

Known issues and additional information about this security update

For more information about installation issues with Microsoft .NET Framework 3.5, click the following article numbers to view the article in the Microsoft Knowledge Base:

What I will be posting in the Partner forum:

Is there a replacement for KB290301 for a generic windows installer repair utility?  My issue is that I keep being reoffered KB954430 (XML 4 sp2 security update from long ago) and I can't uninstall it from programs and features because I can't find it.  So in past threads it recommend using the uninstaller utility to remove XML. My problem is that this KB290301 has been drastically changed to be *just* an Office removal tool and is no longer the extremely useful and generic removal tool it once was.  Do you have a replacement native Microsoft utility that can do this?

"While the Windows Installer Cleanup utility resolved some installation problems, it sometimes damaged other components installed on the computer. Because of this, the tool has been removed from the Microsoft Download Center. The Fix it Solutions in this article provide the ability to fully remove Office 2003, 2007 and 2010 suites without damaging other Windows components."

What I am thinking:

What stupid program manager in some division thought it was a good idea to replace the general clean up tool with this Office clean up tool?   Do you have any idea how frustrating it is to get a XML patch stuck on a Windows 7 and not be able to remove it?  Do you now realize that I will have to either go to some bootleg download site to get the tool I need or find some third party tool for what should be NATIVE in your premier windows operation system?

Did you ask for ANY feedback at all before changing that tool?

Don't take away tools that are needed when YOUR patches get stuck on YOUR operating system.  And don't go down the "oh you can download it from third party web sites either" as that promotes BAD surfing folks.

grumble, grumble, grumble, grumble, rant, rant, rant

Description of an update for Microsoft XML Core Services 4.0 Service Pack 3:
http://support.microsoft.com/default.aspx?scid=kb;en-us;973685

Finally downloading that and using the bootleg installer clean up did the trick.

Gawd I hate patching .NET... newly released tonight is a bundle of "known issues" for .NET updates including this gem:

Files in use or File Locks can Result in Framework Assembly Files being Deleted:
http://support.microsoft.com/kb/2260913/

If the installation of framework patches fail and roll back due to assemblies in the GAC (Global Access Cache) being held "*/in use"/* or */locked/* you might find some assemblies being deleted

Updating assemblies that are *locked* or *in use"* might cause them to be inappropriately deleted.  This is a bug.  Microsoft is presently working on a fix.

Microsoft is aware of this problem and is expected to create a hotfix soon. This article will be updated when release information is known. This fix will address only the deletion of assemblies from the GAC.  The failure of the patch must be addressed separately and will not be affected by this fix. 

There are no known workarounds.  If the problem and deleting of the files has not yet occurred the best approach is to reduce the risk of any patch installations from failing by shutting down any applications that might be locking files.  See KB 2263996 "Patching of Microsoft Framework can fail with Access is denied or File in Use error" for steps to detect and prevent applications locking framework assembly files.  See More Information section for instructions on how to counter the problem if it has already occurred.See More Information section for instructions on how to counter the problem if it has already occurred.  

Geeze dudes... then don't release the patch.  This is where that lovely "we need patched out in 60 days" blows up for me.. I want solid good patches not ones that I read through the known issues and go "oh crap!"

They say a picture is worth a thousand words... well not quite today maybe...

But review these Japanese cartoon security bulletins and tell me if you get a better view of which ones are

a.  malicious web sites that will nail you

b. malicious media that will nail you

c.  malicious email that will nail you

MS10-047 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-047e.mspx
MS10-048 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-048e.mspx
MS10-049 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-049e.mspx
MS10-050 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-050e.mspx
MS10-051 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-051e.mspx
MS10-052 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-052e.mspx
MS10-053 : Internet Explorer の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-053e.mspx
MS10-054 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-054e.mspx
MS10-055 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-055e.mspx
MS10-056 : Word の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-056e.mspx
MS10-057 : Excel の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-057e.mspx
MS10-058 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-058e.mspx
MS10-059 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-059e.mspx
MS10-060 : Windows の重要な更新:
http://www.microsoft.com/japan/security/bulletins/ms10-060e.mspx


Other resources you need to be reading tonight includes:

http://blogs.technet.com/b/srd/archive/2010/08/10/assessing-the-risk-of-the-august-security-updates.aspx

http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx

http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-an-inside-look-at-cve-2009-3555-the-tls-renegotiation-vulnerability.aspx

http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-048-an-explanation-of-the-defense-in-depth-fixes.aspx

http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-a-remote-code-execution-vulnerability-in-schannel-cve-2010-2566.aspx

http://eightwone.wordpress.com/2010/07/26/exchange-2007-sp3-prevents-exchange-2010-rtm-prep/

http://johanveldhuis.nl/?p=1973&lang=en

So if you happen to plan a move from Exchange 2007 sp3 to Exchange 2010 RTM... uh... don't.  You'll potentially hit an issue where you hit an error in the process.

So if you are planning a migration from Exchange 2007 sp2 you'll be fine.... going from Exchange 2007 SP3 to Exchange 2010 RTM... watch out for an oops.  Exchange 2010 sp1 will reportedly fix this.

Today was the Mini Cooper send off from Santa Anita racetrack to Arizona

http://www.flickr.com/photos/21221358@N05/sets/72157624556998653/

And yes, I did find it odd that at the venue where the Mini launch party was held -- the Wallis Annenberg building of Science Learning and Innovation that they wre still running Windows 2000 on a computer

http://www.flickr.com/photos/21221358@N05/4872260173/in/set-72157624556998653/

Yes, it's no longer supported.

here in la at the countryman launch

Stiltwalker dancing at the party

The new countryman

I really like HP products, including some upcoming servers, but there are times that HP stumbles.

Case in point, their lovely "anti bribery training" that they forced all partners regardless of size to pay a fee and go through.  Thus pushing the brunt of the costs onto the little guys.

http://community.crn.com/message/42273

http://www.crn.com/it-channel/220300914

As has been pointed out there... perhaps HP's own chief should have had a bit moral training? 

http://www.nytimes.com/2010/08/07/business/07hewlett.html?_r=1&partner=rss&emc=rss

Sad and lame, but it points out that you can't teach ethics, it has to be inbred in the person.

http://www.whiteroofradio.com/mtts-db-sets-off-from-san-diego/

http://www.facebook.com/MINIUSA?v=wall#!/MINIUSA?v=app_11007063052

http://www.whiteroofradio.com/mtts-play-along/

I am down in LA today for the MINIcross and the launch of the new Mini Cooper model the Mini Countryman.

So if you see any mini coopers running around the LA freeways today, don't mind us.

http://twitter.com/jasonlydford/statuses/20385085168

anyone had luck installing sharepoint 2010 enterprise onto an sbs 2008 box?

Yes.  Robert Crane is one.  The latest update to his SharePoint operations guide talks about the process.  http://www.smbbooks.com/products/procra01.htm

So if you  need to install it NOW, Robert's your best bet.  But keep in mind that there's a whitepaper in the works to detail how to do this.

From the oh yeah I forgot about this bug...

You cannot install updates from Windows Update, Microsoft Update, or by using Automatic Update after a repair install of Windows XP or after you install Windows XP SP3 immediately after a clean install of Windows XP SP2

http://support.microsoft.com/kb/943144/en-us

If you take Xp sp2 media and immediately upgrade to sp3 you''ll end up in a situation where you can't get updates.  This is due to the fact that a key dll gets messed up.

This issue occurs because the Wups2.dll file that is included in the latest version of Windows Update is not installed correctly.

Method 1: Download and install the Windows Update Agent

Method 2: Register the Wups2.dll file

Twitter / David Wilson: Note to Microsoft: Windows ...:
http://twitter.com/davidwilson001/statuses/20359458828
Note to Microsoft: Windows 2008 SBS needs work. A total time suck getting it tweaked to work properly. Script this, regedit that. Ugh

You know what... I kinda agree with that statement.  One of the reasons we're collaborating on a SBS 2008 build doc - http://social.technet.microsoft.com/wiki/contents/articles/small-business-server-2008-build-document.aspx

If there are tweaks and tips you do that you don't see, all you need to do is register on the site with your LiveID and join in on the suggestions and editing.

Ugh is right.  But sometimes you make lemonade out of lemons.

SMB Nation Fall 2010:
http://www.smbnation.com/Events/SMBNationFall2010/tabid/307/Default.aspx

I'm planning to go to Vegas this year and I hear that www.thirdtier.net is planning a pre-day tech event the day before.

See you there!

Okay so it didn't KIN as fast as KIN but the fact that Google is killing off Google wave today is telling that early adopters may lose out to fuddy duddies when it comes to technology.

Yeah yeah Susan this soooo does not relate to cloud services. Sorry, yes it does because I've yet to see a vast majority of small businesses that are so gung ho for the cloud that they are jumping tomorrow with all of their data.  It comes down to religion and beliefs.  And sometimes change doesn't come easy and fuddy duddies still make the business decisions.

The ultimate guide to SBS 2008 setup failures - The Official SBS Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/sbs/archive/2010/08/03/the-ultimate-guide-to-sbs-2008-setup-failures.aspx

[Today's post comes to us courtesy of Damian Leibaschoff from Commercial Technical Support]

Since the early beta versions of SBS 2008, we have accumulated almost 3+ years of experience supporting the product. By now, we have a number of setup issues that we consider "common", this post will try to document these issues, the common triggers and the recovery steps if you have encountered them.

Let me start by saying that most of these issues can be prevented by just following the existing guidelines and documentation, the following post is a one stop checklist for your source server (SBS 2008 Migrations from SBS 2003 - Keys to Success).

Unfortunately, most of the failures are catastrophic. These failures leave the server in an unsupported state, half configured, with missing features and incorrect/unexpected settings. They require the source server to be restored from backup and the process to be started over, that is why, again, we stress the importance of the preparation work, testing and proven backup systems.

Most failure reasons can be isolated by looking at one of these files:

• C:\Program Files\Windows Small Business Server\Logs \SBSSETUP.LOG
  • The main log, all failed tasks will be logged here.
• DcPromo logs
  • C:\Program Files\Windows Small Business Server\Logs \DcPromo_Date.Time.LOG
  • C:\windows\debug\DcPromoUI.LOG
  • C:\windows\debug\DcPromo.LOG
  • Will be needed to understand failures during the tasks that are used to promote the server to a domain controller.
• Exchange SetupLogs
  • C:\Program Files\Windows Small Business Server\Logs \ExchangeSetup.LOG
  • C:\ExchangeSetupLogs\ExchangeSetup.LOG
  • Will be needed to understand failure during the installation of Exchange. This file will not be present if Exchange installed with no errors, if that is the case, the log will be in its default location under c:\ExchangeSetupLogs .

Rest on the blog... http://blogs.technet.com/b/sbs/archive/2010/08/03/the-ultimate-guide-to-sbs-2008-setup-failures.aspx

If you are a tech head you should be head over heels regarding this blog post.  Not that you want to be in this condition mind you...but the gobs of good solid interpretation of the log files and what might get you stuck is priceless.

So check out that blog post, and remember... all of that can be bypassed by having a healthy network to begin with.

Trick of the trade.. first whatever issue you are hitting try googling on "sbs blog" and then the topic at hand.

Sometimes googling is hazardous to our servers.  Case in point is SharePoint.  Instead of running the www.sbsbpa.com and fixing the backconnection values as noted there, people are searching and hitting http://support.microsoft.com/kb/927012/en-us.  Which tells you to solve your problem change the log in.  But...and this is a biggie... do that and later on you'll get nailed issues trying to update SharePoint.

Trust me, you don't want to follow that KB.  If you do, you'll end up barfing on the recent SharePoint security update... see item 15 in the top issues post

Sometimes... google is not our friend and gives us bad information.

15.  After a recent security update, SharePoint fails to work as expected.

a.  Reason:  On some (not all) servers, the recent SharePoint security update will not complete the update.  On others, you may have googled some information and changed the log in of the search service.  Don't do that.  You'll make your server go boom on updating with this patch. 

b.  Solution:  Follow this blog post for ways around the issue.  In many cases merely running psconfig as noted there will solve the issue.  In others, change the account back to local service and rerun psconfig.

If none of these help you ANY issue with a security update is a free support call to Microsoft.  Call 1-800-Microsoft or your local Microsoft office.  Indicate that you had an issue with a security update.

iPhone iOS4 Devices Required to Install iOS 4.0.1 - Microsoft Online Services Team Blog - Site Home - TechNet Blogs:
http://blogs.technet.com/b/msonline/archive/2010/07/23/iphone-ios4-devices-required-to-install-ios-4-0-1.aspx

There's one thing I hate about iPhones... no not what you think.. it's updating them.  They take forrrever to update.  About 30 minutes to download, backup, install, reboot yadda yadda.

It's worse than patching a SBS box I tell ya.

My sister may have an iphone and an ipad but when she was watching the "Macheads" documentary she said that the people showcased were weird and asked if Windows people were that strange in person.

There have been MVPs at the MVP summit that gushed that badly to Bill Gates about how much he changed their lives and went on for minutes being embarrassingly gushing to Bill, but I've yet to see them gush quite to that degree like that to Steve Ballmer.  Maybe Steve doesn't give off the right amount of "gush"?

MacHeads - Watch the Documentary Film for Free | Watch Free Documentaries Online | SnagFilms:
http://www.snagfilms.com/films/title/macheads/

"I never knowingly slept with a windows user" is probably the most memorable catch line from the film.

I've yet to hear a Windows user have a similar statement that they never knowingly slept with a Mac User.