If you prefer video/speech to reading, there’s a very good video available for download as well

If you’d like to pre-install Vista updates and hotfixes while Vista is installing:

1. Go to your Distribution Share (C:\Distribution)
2. Go into Operating Systems, then find your Vista OS (C:\Distribution\Operating Systems\Windows Vista Business SP1 – 32bit\)
3. Create a new folder in this directory called “update”
4. Copy all of your Vista Update files (.msu) into this directory
5. That’s it The next time you run a Vista deployment, the updates will be pre-installed!

Extra tip

systeminfo | find /i “install date”

Picked this one up from windowsnetworking.com

Check out the Press Release, or skip straight to the Corporate Install download page if you know why you want it

After fruitless searching I resigned myself to the fact that if I wanted to deploy Vista 64 I’d just burn an ISO of the 64-bit WinPE Boot Image and install from there. Fortunately, we rarely need to deploy 64-bit Vista, but this may change soon.

However, just now, I found the solution…

To enable 64-bit Boot Images via PXE with WDS, you need to run this command on the WDS Server:

wdsutil /set-server /architecturediscovery:yes

Why this was never mentioned in the Documentation that I read for MDT/BDD I’ll never know (maybe I just missed it), but finally I can boot to 64-bit WinPE and deploy 64-bit Vista from the network, hooray!

I found the answer on EggHeadCafe by searching for: “mdt 2008 deploy 64-bit vista pxe”. Roughly half way down the hard-to-read page was the nugget I needed.

For reference, there’s a proper Microsoft KB article explaining the solution.

Really hopes this helps someone out!

Support for corporate deployment of DisplayLink software
——————————————————–
It is now possible to obtain a DisplayLink software installation solution that supports automated and remote installation scenarios. This kind of installation requires specific installation steps, detailed in the User Guide that is part of the Corporate Installer.

Yup, it’s true: we’re releasing an MSI installer very soon.

I’m excited about this news on two fronts. Firstly, this is the first time that I’ve contributed directly to a software release; I wrote the Deployment User Guide, gave advice on what IT Administrators want from a corporate installer, and helped steer testing scenarios. Secondly, this feature will allow IT Administrators to deploy DisplayLink’s software onto thousands of PCs simply and easily, further strengthening our ease-of-use message. And I don’t need to tell you how awesome GPSI+MSI is for us IT admins!

The “Corporate Install” package is different to the standard software release and will require you to register with DisplayLink in order to obtain the MSI files and sign the EULA. Once obtained, you can then deploy DisplayLink software to all the computers in your network via Group Policy Software Installation. Of course, you can perform silent/unattended installs manually via msiexec if you wish as well.

It’s worth mentioning again that the MSI installer has not been released yet, but it is coming. 

Stay tuned for more info!

Windows 7 also manages wireless radios better allowing them to drop below 100% power draw while managing the connection. And by tweaking the OS kernel, the CPU can sometimes run at a lower frequency and stay idle longer. This results are a minimum of 11% better battery life for Windows 7 compared to Vista — and we’re still only talking about pre-Beta Windows 7 software, mind you. Nice. 

Nice, indeed

It seems that no more than a day after Microsoft released a Critical Security update, someone’s released a Trojan into the wild that exploits the vulnerability.

Given the “exploit potential”, this one sounds relatively tame. I suspect it’ll only be a matter of time before the exploit code is perfected and turned into a much more potent animal.

Putting a few hours in on Thursday night, has potentially saved us exponentially more hours in data and service recovery, as well as general IT support. It definitely pays to be proactive!

I thought I’d document what actions I took, in case it helps out anyone in the future. I’d also be interested to hear how you handled the situation, particularly if you did something I missed, or if you think I could have done things better!

History repeating…

Although I remember the impact of Sasser and MyDoom, I’ve never been in the trenches when such a critical update has been launched for Windows.

No-one likes working late at night, but I didn’t fancy the chances that a 0-day exploit may be released and in the wild before we can patch our mission critical servers; so as soon as I found out, I started working on a plan.

The Plan

The plan was relatively simple: Get the update to as many PCs as possible, as soon as possible; with an emphasis on any Servers that provide business-critical services.

Simple enough, but what next?

WSUS

About a month back we setup an internal WSUS server to centralise Windows Updates – quite handy for this type of scenario! The main thing here is to ensure that WSUS has the updates downloaded and approved, ready for deployment. Fortunately it had, as it performs a sync every evening, and automatically approves Critical Updates.

Group Policy

To ensure PCs get the update as fast as possible, we needed to open up GPMC and re-configure all existing Group Policy Objects (GPOs) that address Windows Update configuration.

The Windows Updates settings are under Computer Configuration > Administrative Templates > Windows Components > Windows Update.

Note that, if you don’t have WSUS, you can still make the changes outlined below in order to minimise Time-to-Patch. If you haven’t set “Specify intranet Microsoft update service location”, PCs will automatically ask Microsoft’s update servers on the internet.

What we’re looking to do is:

- Set all PCs to download and schedule updates. This is abnormal for us as we allow our Engineers to dictate when to install updates as it can interfere with Software development and testing.

- Make sure each PC checks for updates with our WSUS server every hour, as opposed to every 22 hours.

- Set PCs to install the updates at 11am. This gives time for people to turn on their PCs, for the PCs to update their Group Policy settings and pick up the new settings, and then to check in with the WSUS server for the new update.

- If the PC missed the 11am deadline (e.g. it wasn’t on) it’ll check whether or not it has updates, and then install the updates after 30 minutes.

Informing End-users

A notification email was crafted to all employees, informing them of the severity of the update, what was being done, and what actions they should take. I’ll include a copy of the email I sent out at the end of the post

Protecting the business

Last night, we couldn’t wait for WSUS to “offer” the update to our servers so I grabbed the Update and manually installed it on each business-critical server, rebooting them promptly.

This morning

That was last night out of the way. This morning and this afternoon I’ve been checking WSUS’s reports to see which PCs have the update installed. As of 1pm, at least 90% of PCs had installed and rebooted. I’ll be chasing the rest later

The notification

As promised, here’s the Email notification sent out to employees:

 
Hi all,

Microsoft has just released a very serious critical security update for Windows operating systems.

To see how this affects you, please see below.

Cambridge Employees

Tomorrow we will be rolling out an essential security update to all Domain-connected Windows PCs. This update is mandatory. If you press Control+Alt+Delete to log in, you are on the domain. If you do not press Ctrl+Alt+Del to log in you should follow the advice for Non-Cambridge employees below.

Although we will be trying our best to force this update out. It’s advisable that if you see the “Yellow shield” in your Task Bar, you should click it and install all updates reboot as soon as possible.

Not doing so poses a serious risk to DisplayLink’s networks.

Non-Cambridge Employees 

If you are not based in Cambridge, you should visit Windows Update as soon as possible and install all updates, specifically this one.

DisplayLink Servers

Servers in the UK will have the update installed and be rebooted as soon as possible to ensure we’re protected.

Further information

Further information on this Critical update can be found on Microsoft’s KB article.

Thanks go to Dave Hill for spotting this one on The Register!

Cheers,
Phil Wiffen
IT Engineer

 

How did you handle it?

As I said earlier, I’d also be interested to hear how you handled the situation, particularly if you did something I missed, or if you think I could have done things better! Let me know in the comments

Kind of explains why Windows 7′s tentative release date is “so soon” after Vista.

If you have a Technet subscription, you can get early access to Windows XP Service Pack 3 from the Technet Subscriptions page. Scroll down the page and look for the grey “Top Downloads” section.

I’ve been running it for a few days now and haven’t had any problems

If you don’t have a Microsoft Technet subscription – which I highly recommend – you can probably find a direct download link around somewhere.

These instructions apply to Project 2003 Standard Edition. To slipstream other versions, you’ll need to replace PRJSTDE.MSI with the name of the MSI for your Project Edition.

Steps

You’ll need a Volume Licence Key setup CD.

D:\setup.exe /a

Save to C:\project2003\

Download Project 2003 SP3

Extract its contents to C:\Project2003SP3\ with:

Project2003SP3-KB923622-FullFile-ENU.exe /Q /C /T:C:\Project2003SP3\

Perform slipstream with:

msiexec /p C:\Project2003SP3\PROJECTSP3.msp /a C:\Project2003\PRJSTDE.MSI SHORTFILENAMES=TRUE /qb

Delete the C:\Project2003SP3\ folder as you no longer need it

Support for hibernation on computers where the system partition is encrypted (previous versions of TrueCrypt prevented the system from hibernating when the system partition was encrypted). (Windows Vista/XP/2008/2003)

Other things of note include faster encryption/decryption using AES, and faster boot times.

[ Version History ] [ Download Trucrypt 5.1 ]

Ever wanted to download all of the fantastically useful Sysinternals tools in one go? Well, now you can. Mark Russinovich has created a bundle pack which includes all of the Sysinternals tools in one single Zip file.

Download the Sysinternals Utility Pack

[Found on Desktop-Engineer, when I was looking for something else entirely ]

Picture this: You’re consolidating your digital music collection from numerous locations to a single directory on a networked drive. To save time, you don’t want to replace existing files as these are most likely duplicates, and network transfers are often slow. Unfortunately, when Windows pops up and asks you whether you want to replace the existing file, it gives you every option you’d like apart from the most useful: “No to all”.

To tell Windows “No to all”, hold down Shift while clicking No, and it will apply to all replacements for that transaction

This will also work when Windows asks whether you want to move Read-only Files or not.

Why did I embolden Full Disk Encryption? Because UK companies and Government organisations are losing laptops left, right and centre – without encrypting their sensitive contents. As an IT Professional, you’d be crazy to not be investigating the various options for keeping your company’s data safe, in the event of loss or theft.

Check out what’s new in TrueCrypt 5.0.

To automatically download every hotfix released for Windows XP post Service Pack 2, just run this script. [Source site].

You’ll probably want to drop wget into your system32 directory before running the command, otherwise it’ll try to use your browser to individually download the files.

Once the script has finished, you can then integrate the hotfixes into your XP SP2 source and burn a bootable ISO using something like nLite. I’ll cover more options for integrating hotfixes in a later post.

The reasons for wanting to integrate post-SP2 hotfixes are numerous; but mainly, it saves time (using both WSUS and Microsoft Update take a while), and, overall, makes for a cleaner install.

It took me ages to find this via Google, so much kudos to Ross Smith for creating such a useful script. Thanks Ross!

If you’ve lost your Window License Key, and it’s not on the side of your machine, you can retrieve your key by using a little application called Keyfinder, by Magical Jelly Bean. You probably want to grab the 2.0 beta, as 1.5 is a little old and doesn’t support the latest operating systems.

In addition to retrieving keys for Windows 95, 98, ME, 2000, XP, Server 2003, and Vista; Keyfinder also finds keys for Office XP, Office 2003, and Office 2007.

For Small Business IT guys, as an added bonus, you can easily change your Windows key from the Tools menu. Handy if you’ve accidentally installed two PCs with the same license and need to change one (without having to re-install).

Download Keyfinder from Magical Jelly Bean

It’s a problem we all encounter at some point: You’ve just re-installed Windows, and now you need to download your Mainboard drivers. But which motherboard do you have again?

Instead of opening your PC case to find the Motherboard model number, check out CPU-Z

CPU-Z is a free, stand-alone application (no installer) that very quickly lets you know your system’s vital statistics (CPU, Mobo, and RAM), so that you can head off and find the drivers you need, without having to open up the PC.

This is something I come across frequently when I’m performing OS refreshes at DisplayLink. I imagine it’s a common problem in most start-ups (are we still are start-up? haha), where PCs are bought to spec on an ad-hoc basis. Often, the only way of finding out the motherboard number is by opening the case, lifting cables, and poking around the motherboard, in an attempt to find the tiny bit of writing on the PCB that tells you its model number. Hardly ideal!

Going from my own experience with Vista – poor stability and woeful performance – I’m not surprised about this at all. Maybe – as with XP – SP1 will fix these issues, but until then, I remain unimpressed and unconvinced.

Found via Slashdot