Category Archives: Windows Server 2008

Target an advertisement based on the software version in SCCM

Let’s say we want to advertise an update to Adobe Reader only to clients with outdated versions (anything older than 10.0.1).

  • Create a new collection.
  • Edit the membership rules.
  • Click on Edit Query Statement.
  • At the bottom press “Show Query Language”.
  • Paste the following:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
      SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
      SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS
      on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Adobe Reader %"
      and SMS_G_System_ADD_REMOVE_PROGRAMS.Version != "10.0.1"

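Edit the DisplayName and Version values to match the results you want. Note that the != comparison selects every client whose recorded version is not exactly 10.0.1, so a client with a newer version would also land in the collection.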
You’re good to go.

Namaste.

Unable to run reports in ConfigMgr?

You may get the following error message when trying to generate reports:

“The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map.”
To solve that, add the ASP role service to IIS in addition to ASP.NET.
Namaste.

Adding PXELinux option to WDS.

Deployment guru Johan Arwidmark has a pretty interesting article about adding a boot menu to WDS. But it’s about Windows Server 2008 R2. If, like me, you need info about Windows Server 2008, follow his step-by-step until step 7.

  • At step 7, open the Windows Deployment Services console, right-click on your server, then click on Properties.
  • Go to the Boot tab.
  • Change the boot images to the following:
  • Go back to Johan’s step 8.
Namaste.

Sophos Antivirus Deployment How-To.

I came across a couple of issues while test-driving Sophos Antivirus Enterprise.

Here are the correct steps to deploy Sophos to Windows machines (XP, Vista and 7):

  1. Create a GPO named Disable UAC with the following settings and apply it to your hosts (Computer Configuration):
    Computer Configuration (Enabled)/Policies/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control
    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
    User Account Control: Detect application installations and prompt for elevation = Disabled
    User Account Control: Run all administrators in Admin Approval Mode = Disabled
  2. Create a GPO named Remote Registry Service with the following settings and apply it to your hosts (Computer Configuration):
    Computer Configuration (Enabled)/Policies/Windows Settings/Security Settings/System Services/Remote Registry (Startup Mode: Automatic)
    Allow NT AUTHORITY\Authenticated Users: Read
    Allow NT AUTHORITY\Authenticated Users: Start, Stop, Pause and continue
    Allow CONTOSO\Domain Admins: Full Control
    Allow CONTOSO\Domain Users: Read
    Allow CONTOSO\Domain Users: Start, Stop, Pause and continue
  3. Create a GPO named Sophos Firewall Exceptions with the following settings and apply it to your hosts (Computer Configuration):
    Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile
    Windows Firewall: Allow inbound file and printer sharing exception = Enabled
    Windows Firewall: Allow inbound remote administration exception = Enabled
    Windows Firewall: Define inbound port exceptions = Enabled
    Define port exceptions:
      8192:TCP:*:enabled:SophosAdmin
      8193:TCP:*:enabled:SophosAdmin
      8194:TCP:*:enabled:SophosAdmin
    Windows Firewall: Define inbound program exceptions = Enabled
    Define program exceptions:
      %programfiles%\Sophos\Sophos Anti-Virus\SavMain.exe:*:enabled:SophosAV
  4. Run the following command in your logon script:
    netsh firewall set service type=FILEANDPRINT mode=ENABLE

You should now be able to deploy Sophos Antivirus seamlessly.
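
An added example (not from the original post or from Sophos): a small Python parser for the Windows Firewall exception strings in the Sophos Firewall Exceptions GPO that reports entries whose scope is `*`, meaning any source address, and rewrites them with a narrower scope. The address 192.0.2.10 is a constructed placeholder for a management server, and narrowing the rules to it assumes only that host needs to reach these ports and this program.

```python
import ipaddress
MGMT_SERVER = "192.0.2.10"  # constructed placeholder; assumes only this host needs access

# The exception strings from the GPO settings listed in this post.
PAGE_ENTRIES = [
    ("port", "8192:TCP:*:enabled:SophosAdmin"),
    ("port", "8193:TCP:*:enabled:SophosAdmin"),
    ("port", "8194:TCP:*:enabled:SophosAdmin"),
    ("program", r"%programfiles%\Sophos\Sophos Anti-Virus\SavMain.exe:*:enabled:SophosAV"),
]

def parse_exception(kind, entry):
    """Return (target, scope, status, name). Port entries are
    port:protocol:scope:status:name; program entries are path:scope:status:name.
    Assumes IPv4 scopes, which contain no colon."""
    if kind == "port":
        parts = entry.split(":")
        if len(parts) != 5 or not parts[0].isdigit() or parts[1].upper() not in ("TCP", "UDP"):
            raise ValueError(f"malformed port exception: {entry!r}")
        target, scope, status, name = f"{parts[0]}:{parts[1].upper()}", *parts[2:]
    elif kind == "program":
        # Split from the right so a drive-letter colon stays inside the path.
        parts = entry.rsplit(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed program exception: {entry!r}")
        target, scope, status, name = parts
    else:
        raise ValueError(f"unknown exception kind: {kind!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {entry!r}")
    return target, scope, status.lower(), name

def open_to_any_source(kind, entry):
    """True when an enabled exception accepts traffic from every address."""
    _, scope, status, _ = parse_exception(kind, entry)
    return status == "enabled" and "*" in (s.strip() for s in scope.split(","))

def restrict_scope(kind, entry, allowed):
    """Rewrite the entry so that only the given addresses or subnets match."""
    target, _, status, name = parse_exception(kind, entry)
    scope = ",".join(str(ipaddress.ip_network(a, strict=False)) if "/" in a
                     else str(ipaddress.ip_address(a)) for a in allowed)
    return f"{target}:{scope}:{status}:{name}"

if __name__ == "__main__":
    for kind, entry in PAGE_ENTRIES:
        if open_to_any_source(kind, entry):
            print("any source:", entry)
            print("  narrowed:", restrict_scope(kind, entry, [MGMT_SERVER]))
```

All four entries from the post are reported as open to any source; the narrowed strings can be pasted back into the same GPO fields.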

Namaste.

Trying to get rid of WINS but still in trouble with rogue Master Browser elections?

There is an interesting article at TechRepublic about GNZ, or GlobalNames Zone, in Windows Server 2008.

http://blogs.techrepublic.com.com/networking/?p=608

For the record, in the Windows Support Tools, you can find the browstat.exe utility (browstat status from a command line) that allows you to check which computer is the Master Browser and then to troubleshoot that mess that is slowing down your LAN.

Enjoy!