External News
-
We are almost at the technical articles in this series, but first I wanted to tell you a little about the reports offered by Windows Intune. There are four main reports in Windows Intune that support monitoring of some of its features. Monitoring is a very important task to keep up with, because this is where we find out whether or not the environment is in compliance with what we intend for it.
However, if these reports do not completely meet your needs, it is possible to export the data to CSV files and use other tools for the analysis, such as Excel itself. Here are the reports, described in the words used by Windows Intune itself:
· Updates Report
The update status report can help you quickly identify the updates that could not be installed on the computers in your organization, determine how many updates the computers need, and check how many of them have a given update installed. You can select report criteria to display a list of updates based on products or product categories, classification (such as Security Updates), Microsoft Security Response Center rating, installation status, the computer groups the updates are targeted to, and the effective approval for those groups.
· Software Report
The software report shows a list of the applications installed on computers in your organization. Besides listing those applications, the report also shows their version numbers. You can use it to plan future purchases and to better understand the specific software needs of the computer users in your organization.
· License Purchase Report
The license purchase report lets you compare inventoried software titles that are enabled for volume licensing, in selected license groups, with the current coverage of your license agreements for those titles according to the Microsoft Volume Licensing Service. A purchase report can help you find possible gaps in the license agreement coverage your organization may have.
· License Installation Report
The license installation report lets you compare the software discovered on the computers you manage with this service against the current coverage of your license agreements for those product families. Installation reports can help determine whether your organization has adequate license agreement coverage for all installations of a product on the computers in a selected group.
And the best part: the computers do not need to be online when we run a report, because all the necessary information is already available to the report based on the last time each computer was online. Here, anyone already used to System Center Configuration Manager (SCCM) may feel a bit limited, but I do not think the solution falls short in quality; it is simply a simpler point that we can handle with some alternative.
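As an added example, not part of the original post and not a Windows Intune API, the script below reads an update status report that has been exported to CSV and answers the compliance questions the post describes: install coverage per update, and which computers in each group are still missing security updates of a given MSRC rating. The column headers and the sample rows are constructed; a real export may use different headers, so adjust the keys.

```python
"""Summarize a Windows Intune update status report after exporting it to CSV.

Added example, not part of the original post and not a Windows Intune API:
the column names and the rows below are constructed to mirror the criteria
the post lists (classification, MSRC rating, install status, computer
group); a real export may use different headers, so adjust the keys.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. Update names are placeholders, not real KB numbers.
SAMPLE_CSV = """\
Computer,Group,Update,Classification,MSRC Rating,Status
PC-01,Sales,UPDATE-A,Security Updates,Critical,Installed
PC-02,Sales,UPDATE-A,Security Updates,Critical,Failed
PC-03,Finance,UPDATE-A,Security Updates,Critical,Needed
PC-01,Sales,UPDATE-B,Service Packs,Unspecified,Needed
PC-02,Sales,UPDATE-B,Service Packs,Unspecified,Installed
PC-03,Finance,UPDATE-C,Security Updates,Important,Failed
"""


def load_report(csv_text):
    """Parse the exported report into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def update_status_summary(rows):
    """Per update: how many computers report each install status, plus the
    percentage of those computers that actually have the update installed."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[r["Update"]][r["Status"]] += 1
    summary = {}
    for update, by_status in counts.items():
        total = sum(by_status.values())
        summary[update] = dict(by_status)  # copy before the defaultdict lookup below
        summary[update]["coverage_pct"] = round(100 * by_status["Installed"] / total, 1)
    return summary


def security_gaps(rows, ratings=("Critical",)):
    """Computers on which a Security Update with one of the given MSRC ratings
    is not installed (Failed or still Needed), grouped by computer group so
    each group can be followed up separately."""
    gaps = defaultdict(list)
    for r in rows:
        if (r["Classification"] == "Security Updates"
                and r["MSRC Rating"] in ratings
                and r["Status"] != "Installed"):
            gaps[r["Group"]].append((r["Computer"], r["Update"], r["Status"]))
    return dict(gaps)


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    for update, stats in update_status_summary(report).items():
        print(update, stats)
    for group, items in security_gaps(report, ("Critical", "Important")).items():
        print(group, items)
```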
Now then, I promise that in the next article we will finally get into more technical details about Windows Intune and get to know the product's client better.
Thanks for reading, and until the next post,
Regards.
Cleber Marques
Microsoft MVP & MCT | Charter Member: SCVMM & MDOP | Projeto MOF Brasil: Simplifying IT Service Management | My Blog | MOF.com.br | CleberMarques.com | CanalSystemCenter.com.br
-
Windows Intune works in the cloud, just like Windows Update and Microsoft Update, but Intune only requires a client to be installed on each computer, unlike the other two services, which need local infrastructure with WSUS in order to serve a mid-sized company in an organized and controlled way. In addition, see below what Intune offers without the need for any local infrastructure:
· Update management: Centralized management of the distribution of the updates released through Microsoft Update, including Service Packs, to all computers with the Intune client.
· Computer protection: Protection against malware and the latest threats through the Microsoft Malware Protection Engine, using the same technology as Forefront Endpoint Protection and Microsoft Security Essentials.
· Proactive monitoring: Receive alerts about updates and threats that allow problems to be identified and resolved proactively, even before they impact the company's business.
· Remote assistance: Helps resolve problems remotely, allowing a technician to act on a computer and reducing the need for on-site support.
· Hardware and software inventory: Enables hardware and software inventory tracking, providing information about assets, licenses and compliance for the whole managed environment.
· Security policy enforcement: Centralized management of the settings for malware protection, firewall and updates, even when the computer is outside the company network.
All these features can be used remotely by your company's IT analysts through the console, whose access is controlled based on each analyst's rights. Although we manage only desktops (not servers), these can be physical or virtual, since Intune serves any environment in this respect perfectly well, as long as the operating system, physical or virtual, meets the solution's minimum requirements, something we will see later in another article.
So, in this sense, we can see that with Windows Intune it is possible to replace the local WSUS infrastructure, replace our antivirus and even the remote access system currently in use, and it also comes with a big differentiator: Intune does not require computers to be in an Active Directory domain, that is, it works equally well with computers in a domain or in a workgroup. In the next article we will look at the reports available in Intune in a little more detail.
Thanks for reading, and until the next post,
Regards.
Cleber Marques
-
Today is the day that the Windows Phone team has been driving towards, and we’re very excited to say that we’ve reached the biggest milestone for our internal team – the release to manufacturing (RTM) of Windows Phone 7! While the final integration of Windows Phone 7 with our partners’ hardware, software, and networks is underway, the work of our internal engineering team is largely complete. Windows Phone 7 is the most thoroughly tested mobile platform Microsoft has ever released. We had nearly ten thousand devices running automated tests daily, over a half million hours of active self-hosting use, over three and a half million hours of stress test passes, and eight and a half million hours of fully automated test passes. We’ve had thousands of independent software vendors and early adopters testing our software and giving us great feedback. We are ready 
-
I was building a TMG 2010 architecture for one of my customers and during this period I consolidated some of the limitations and considerations in specific scenarios. This article is a one-place summary for them.

Single network adapter functionality: The single network adapter topology enables limited Forefront TMG functionality, which includes:
- Forward (CERN) proxy for HTTP, HTTPS, and CERN proxy FTP (download only).
- Web caching for HTTP and CERN proxy FTP.
- The following Web publishing scenarios:
  - Web publishing.
  - HTTP-based communications, such as Microsoft Office SharePoint Server, Exchange Outlook Web Access 2007, ActiveSync, and remote procedure call (RPC) over HTTP (Outlook Anywhere, Terminal Services Gateway or WSMAN-based traffic).
- Dial-in client virtual private network (VPN) access.

Limitations of a single network adapter topology: The following limitations apply when you use the single network adapter topology:
- Server publishing and site-to-site VPN are not supported.
- SecureNAT and Forefront TMG Client traffic are not supported.
- Access rules must be configured with source addresses that use only internal IP addresses.
- Firewall policies must not refer to the External network.

Workgroup considerations: The following considerations must be taken into account when deploying solution components into a workgroup environment:
- Enterprise deployments and array deployments in a workgroup environment require additional preparation steps that are not required in a domain environment, and require maintaining mirrored accounts on Forefront TMG computers for management purposes.
- Local accounts that belong to the Administrators group must be maintained on all Forefront TMG servers for management purposes. The accounts must have matching passwords.
- If web traffic is to be authenticated, one of the following conditions must be met:
  - The credentials of all users must be mirrored on each Forefront TMG server. Any groups used in access rules must also be duplicated across all TMG servers.
  - Forefront TMG servers must be configured as RADIUS clients, with RADIUS users and groups used for access control.
- Domain name suffixes need to be set on all Forefront TMG servers, since they use fully qualified domain names (FQDNs) to communicate with EMS and with each other.
- Only a single EMS can be used for the entire Enterprise, because EMS replication requires Kerberos for authentication.
- Automatic web proxy detection using Active Directory is not available (clients can still use DNS, DHCP, automatic configuration scripts or manual configuration).
- Certificates must be installed to allow Forefront TMG servers to authenticate a remote configuration store:
  - For Enterprise arrays, certificates must be installed on each EMS and the certificate of the root CA installed on every Forefront TMG server.
  - For stand-alone arrays, certificates must be installed on every Forefront TMG server to allow the “array manager” role to be transferred to any member.
- If HTTPS inspection is used, the root certificate of the hierarchy used to inspect HTTPS sessions must be manually installed on all web client computers.
- You cannot lock down the Forefront TMG server using Group Policy; only local policies can be used.
- You can configure VPN client user mapping to map users of operating systems other than Microsoft Windows to domain user accounts. User mapping is only supported when Forefront TMG is installed in a domain.

Remote management through a firewall: If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:
- Remote management, such as from an Enterprise Management Server (EMS) computer, requires the use of remote procedure call (RPC) for remote server status and service status monitoring.
- The path from Forefront TMG clients to Forefront TMG must not be port-filtered.
The ports required at the intervening firewall are described in the article Service overview and network port requirements for the Windows Server system (http://go.microsoft.com/fwlink/?LinkId=156514).

Authentication considerations: You should consider the following authentication issues when selecting a domain or workgroup deployment:
- When access rules require internal clients to authenticate for outbound access, Forefront TMG can authenticate domain user accounts against AD DS. Web proxy requests in a workgroup environment can be authenticated against a RADIUS server.
- Firewall client requests automatically include user credentials. To authenticate these requests, Forefront TMG should belong to a domain. In a workgroup environment, you can authenticate requests with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the Forefront TMG server, although this requires some administrative overhead for secure management.
- To authenticate inbound requests to internal Web servers using domain account credentials or certificate authentication, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS or SecurID server can be used for authentication.
- To authenticate virtual private network (VPN) requests using domain account credentials or certificates, Forefront TMG must belong to a domain. In a workgroup environment, a RADIUS server can be used for authentication.
- You cannot use TMG for ADFS pre-authentication.

Enterprise Management Servers:
- EMS is available only for users of Forefront TMG Enterprise Edition; it is not available for users of Forefront TMG Standard Edition.
- If all EMS are lost, the running policy cannot be reverse-engineered into the EMS-format policy. For this reason, you MUST perform regular policy backups, as well as a backup prior to any policy change.
- The first-installed EMS server is the owner of the schema and naming roles. If this server is lost, you cannot make schema changes until these roles are seized by one of the remaining EMS replicas. Refer to http://blogs.technet.com/isablog/archive/2009/03/31/transferring-configuration-storage-server-fsmo-roles.aspx for details.
- The computer must be connected to the Internet during the installation process.
- TMG EMS must be installed on a separate system outside of the array.
- While Forefront TMG servers and arrays can retrieve their configuration from an EMS across a WAN link, monitoring performance (such as viewing Forefront TMG logs) will be poor over a low-bandwidth connection. This is because the EMS needs to retrieve server-specific information from the array members themselves, and this is performed using a combination of the SMB, RPC or DCOM protocols based on Windows remote management API usage.
- Installation of EMS on Domain Controllers is not supported.

ISP-R (ISP Redundancy):
- Forefront TMG must be deployed in an Edge scenario and the source network(s) must have NAT relationships with the default “External” network.
- The organization must have two ISPs on unique networks (i.e. the network portion of the IP addresses must be different). Forefront TMG can connect to these either using individual adapters or a single adapter (with two unique network addresses bound).
- If two network adapters are used to connect to the two ISPs, they should each have a different default gateway pointing to the respective ISP’s nearest router.
- If two network adapters are used to connect to the two ISPs, the network offload processing configuration must be identical on both adapters. If the settings are not identical, network offload processing will be disabled on both adapters.
- If one network adapter is used to connect to both ISPs, configure two default gateways pointing to the respective ISPs’ nearest routers.
- If both ISPs use DHCP to assign an address, manually add default routes to each ISP in the routing table.
- ISP-R only works for connections that have a NAT relationship with the default “External” network.
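As an added example (not code from the article or from Forefront TMG), the Python script below checks a constructed topology against two of the constraint sets above: the single-adapter rules (access-rule sources must be internal addresses, no policy may refer to the External network) and the ISP-R prerequisites (two ISPs on different networks, each with its own default gateway). The AccessRule class, the ISP dict shape and the gateway-on-subnet sanity check are assumptions, not TMG's own object model.

```python
"""Check a Forefront TMG design against the single-adapter and ISP-R rules above.

Added example, not part of the original article and not TMG's own object
model: the AccessRule class and the sample topology are constructed to show
how the listed constraints can be validated before a change is applied.
"""
import ipaddress
from dataclasses import dataclass

# TMG's built-in network name that single-NIC firewall policy must not reference.
EXTERNAL_NET = "External"


@dataclass
class AccessRule:
    name: str
    sources: list       # TMG network names (e.g. "Internal") or CIDR strings
    destinations: list  # TMG network names or CIDR strings


def _as_network(ref):
    """Return an ip_network for a CIDR/IP string, or None for a TMG network name."""
    try:
        return ipaddress.ip_network(ref, strict=False)
    except ValueError:
        return None


def check_single_adapter_rules(rules, internal_cidrs):
    """Constraints from the article for a single network adapter topology:
    access-rule sources must use only internal IP addresses, and no firewall
    policy may refer to the External network. Returns a list of violations."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    problems = []
    for rule in rules:
        if EXTERNAL_NET in rule.sources + rule.destinations:
            problems.append(f"{rule.name}: refers to the External network")
        for src in rule.sources:
            net = _as_network(src)
            if net is None:  # a named network such as "Internal" or "Local Host"
                continue
            if not any(r.version == net.version and net.subnet_of(r) for r in internal):
                problems.append(f"{rule.name}: source {src} is not an internal address")
    return problems


def check_isp_redundancy(isp_a, isp_b):
    """ISP-R prerequisites from the article: the two ISP addresses must be on
    different networks and each ISP needs its own default gateway. Each ISP is
    a dict {"address": "ip/prefix", "gateway": "ip"} (constructed shape)."""
    problems = []
    nets = {}
    for label, isp in (("ISP A", isp_a), ("ISP B", isp_b)):
        iface = ipaddress.ip_interface(isp["address"])
        gw = ipaddress.ip_address(isp["gateway"])
        nets[label] = iface.network
        # Added sanity check (assumption): the ISP's nearest router should sit
        # on the adapter's own subnet, otherwise the default route is unusable.
        if gw not in iface.network:
            problems.append(f"{label}: gateway {gw} is not on the adapter network {iface.network}")
    if nets["ISP A"] == nets["ISP B"]:
        problems.append(f"both ISPs are on {nets['ISP A']}; ISP-R requires unique networks")
    if isp_a["gateway"] == isp_b["gateway"]:
        problems.append("both ISPs share one default gateway; each ISP needs its own")
    return problems


# Constructed sample topology (not from any real deployment).
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12"]
SAMPLE_RULES = [
    AccessRule("Allow web", ["Internal"], ["External"]),            # refers to External
    AccessRule("Allow intranet", ["10.0.0.0/8"], ["Internal"]),
    AccessRule("Branch proxy", ["192.168.50.0/24"], ["Internal"]),  # source not internal
    AccessRule("Local host", ["Local Host"], ["Internal"]),
]
ISP_A = {"address": "203.0.113.10/24", "gateway": "203.0.113.1"}
ISP_B_OK = {"address": "198.51.100.20/24", "gateway": "198.51.100.1"}
ISP_B_BAD = {"address": "203.0.113.20/24", "gateway": "203.0.113.1"}  # same net and gateway as A

if __name__ == "__main__":
    for p in check_single_adapter_rules(SAMPLE_RULES, INTERNAL_CIDRS):
        print("single-NIC:", p)
    for p in check_isp_redundancy(ISP_A, ISP_B_BAD):
        print("ISP-R:", p)
```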

-
Today's tip courtesy of Kevin Royalty:
If you are like me, you like to do things as efficiently as possible when building an SBS server, whether it be a migration or a fresh installation. We also happen to be an HP Reseller and use the HP SmartStart tools to do our server installations. Below is something I discovered that should be helpful to those of you similar to me in the community.
Use HP SmartStart to install SBS 2008 from DVD or Flash drive. Below are some of the screenshots you may encounter – note that the serial number entered is completely invalid (thanks to Tim Barrett of NoGeekLeftBehind for telling me that this works) and will come into play later. Note also that I’ve enabled all the necessary stuff in the SmartStart install so we can monitor/manage the HP hardware.


Now we get to wait while the SBS DVD (or flash drive) installs. If you entered the invalid key, you’ll be prompted to enter your key again.

Uncheck the “Automatically activate windows when I’m online” checkbox and leave the key field blank (next, NO) to install in “Trial” mode. You might use this for a migration, or a lab, or if you don’t have your customer license in hand yet.
Once you see the below screen, you are at a “fork in the road” and have a couple of decisions to make.

1) Is this a “fresh” SBS install?
   a. Do you have an “answer file”?
      i. If yes, hit SHIFT-F10 to get a command prompt, and insert your media with the answer file. Copy it to the root of C:. Close the command prompt and hit “cancel”. The server will reboot (you can power it down if you wish once it starts to reboot). Once it reboots it will follow your answer file and complete the install.
   b. If NO to a, click Next and continue. Answer the questions manually.
2) With a migration, you need your answer file. Hit SHIFT-F10 to get a command prompt, and insert your media with the answer file. Copy it to the root of C:. Close the command prompt and hit “cancel”. The server will reboot (you can power it down if you wish once it starts to reboot). Once it reboots it will follow your answer file and install in migration mode.

-
After the commercial introduction to Windows Intune, let's continue with this subject, which still has a lot more to it.
So does that mean that to use Windows Intune I will have to upgrade all the computers in my company to Windows 7? Certainly not. As we will see later, Windows Intune works with Windows XP, Windows Vista and Windows 7 (for now only desktops), but one of the big benefits of acquiring Intune licenses is that we get the right to install Windows 7 on Windows XP/Vista computers that have Windows Intune deployed, at no additional cost beyond the Intune license, though this is entirely optional.
If I already have System Center Configuration Manager (SCCM) or some other management product installed on my computers, can I not use Windows Intune? There is no problem in this scenario: your computers can have SCCM (or System Center Essentials) or any other third-party product managing the environment and Intune can still be used. Of course, it will be necessary to test beforehand how Intune behaves on the same computer as some other technology, because given the large number of products on the market it was not possible to test with all of them, so it is up to us to take this precaution.
Well, now that we have cleared up some doubts that may have remained from the last article, let's continue our study of Windows Intune.
Initially, Intune will be available in the following languages: English, French, German, Italian, Japanese, Korean, Portuguese (Brazilian), Russian and Spanish. We should also understand that installing the Intune client on our organization's computers does not mean Microsoft will manage them for us; Microsoft's role will only be to provide the cloud infrastructure for Intune, and the company's IT team must manage the environment with this tool. Now, considering that we are at Beta 2, what does Windows Intune offer? See:
· Update (patch) management
· Computer protection
· Proactive monitoring
· Remote assistance
· Hardware and software inventory
· Security policy enforcement
Below is a brief comparison between the benefits of Windows Intune and the benefits of some other products offered by Microsoft:

| Main benefits | Windows Intune | Forefront Protection Suite | System Center Configuration Manager | System Center Essentials |
| --- | --- | --- | --- | --- |
| Simple management via Web console | OK | | | |
| Update management | OK (1) | | OK | OK |
| Malware protection and reporting | OK (2) | OK (2, 3) | | |
| Hardware, software and license inventory | OK | | OK | OK |
| Operating system deployment | | | OK | |
| Application deployment | | | OK | OK |
| Windows 7 Enterprise usage rights | OK | | | |

Notes on the marks in the table above:
1. Windows Intune does not distribute third-party updates.
2. Supports client operating systems.
3. Supports server operating systems.
So we see that Windows Intune keeps a narrower focus on just some features, but in return offers great benefits such as the Web console and the option to upgrade to Windows 7. In the next article we will finally get into some more technical details about this solution.
Thanks for reading, and until the next post,
Regards.
Cleber Marques
-
The miscreants spreading malvertising in recent times are using the domain facilitatedigital.NET (see my earlier blog post about them); the legitimate Facilitate Digital uses the domains facilitatedigital.COM, .US and .EU. Please do not confuse the good guys with the bad guys :o)
-
While at Tech Ed 2010, I was able to perform some professional quality video interviews with various community folks. One of these happened to be Rand Morimoto, Exchange MVP, out of San Francisco, CA. Since Rand has been involved with the Beta of Exchange Server 2010 SP1 for a little while, I asked him to expand on some enhancements in this latest Service Pack (which just released recently). Rand also discusses some items around the “upgrade” from Exchange 2003 / 2007 to Exchange... (read more)
-
Windows Intune (Intune) is Microsoft's newest solution offered through Windows Cloud Services, and in this series of articles I intend to explore each of Intune's features a bit, showing you what it is capable of. Since I started working with Intune, back during its development, many things have changed up to now, starting with the name, which was previously just System Center Online Desktop Manager, through to the addition of new features and a new way of working. I personally really like it when a product carries System Center in its name, but in this case Intune turned out SMARTer and more approachable.
· What does Intune do? It delivers cloud-based management and security, features that are administered through a simple web console, allowing your IT department to manage computers from anywhere.
· Who should use Intune? Companies without any management infrastructure (such as SCCM, for example), and companies with employees who work in a mobile and distributed way, since Intune provides better protection and compliance while keeping each user productive.
Microsoft plans to offer Windows Intune commercially as early as 2011, but for now it is offering Beta 2 to some companies based in Canada, France, Germany, Ireland, Italy, Mexico, Puerto Rico, Spain, the United Kingdom and the United States. Currently this Beta phase is limited to just 10,000 companies; if yours qualifies, just visit the site and sign up.
Initially Intune is aimed at small and medium-sized businesses, somewhere between 25 and 500 computers, but during this Beta phase Intune can manage only 25 computers in your environment, which is enough to try the product out. However, once it goes on sale, Windows Intune will not have a maximum number of computers defined by Microsoft (as far as is known so far), which will be very good for companies of any size and, of course, for service providers too, upon signing the Microsoft Online Services Partner Agreement (MOSPA). Each Intune license is estimated to cost around 11 dollars per computer per month, and can be purchased through a Microsoft partner or through the Microsoft Enterprise Agreement (EA) and Campus Agreement and School Agreement (CASA) licensing programs. The Intune subscription will be annual, but payment will be monthly; there will be discounts for purchases above 250 licenses and for companies that already have a Software Assurance (SA) contract.
And one of the biggest benefits of acquiring Windows Intune, besides centralized management, is that the company gets the right to upgrade Windows on every computer managed by Intune to Windows 7 Enterprise (provided the computer has the hardware capacity for Windows 7). That's right, this benefit comes included in the package, and it remains active as long as the company keeps its Intune license, meaning that the upgrade (or downgrade) is permitted even to future versions of Windows. But let it be very clear: Windows Intune does not perform operating system deployment; it only legally permits upgrading Windows on computers managed with it. To actually deploy operating systems we have some Microsoft technologies, such as System Center Configuration Manager (SCCM) and even the Microsoft Deployment Toolkit (MDT).
In the next article we will look a little more at some questions relevant to Windows Intune and how it works, and soon we will have a more technical look at the product.
Thanks for reading, and see you in the next post,
Regards.
Cleber Marques
Microsoft MVP & MCT | Charter Member: SCVMM & MDOP | Projeto MOF Brasil: Simplifying IT Service Management | My Blog | MOF.com.br | CleberMarques.com | CanalSystemCenter.com.br
I just created a tips page on Idle Detect/Inactivity Timeout. Microsoft's KB article on this topic is decent but doesn't cover some of the real world issues we found. I also needed this page to be referenced by some new functionality in the about-to-be-announced Enterprise Edition version of the Auto FE Updater. I introduced the sample code a while back in the Auto FE Updater but stated it was for future use. The code is the AutoFEUpdater_ExitApp subroutine in the module zmdlAutoFEUpdater. The idea is that your app will automatically exit after 30 or 60 minutes of inactivity, and this will be logged in Auto FE Updater. This way you, the developer, can see who hasn't exited the app at the end of the day, or whether the app was terminated abnormally because of Access or the operating system crashing, a power failure or some other abnormal condition. I have no idea now where I found the code for the IsMDE function. If someone would like to tell me an original URL and a source I'd be happy to acknowledge them.
Imitation is the Sincerest Form of Flattery. Google Apps has yet again acknowledged just how awesome Microsoft Office is for productivity in the workplace. How else would you explain Google's new Drawing menu and its resemblance, no, outright 'separated at birth' look and feel, to the Microsoft Office Drawing menu? See their announcement and visual below. Not only are the shapes in the same order from top to bottom, they are visually near identical. In the 20% 'innovation' one would hope that the Google...( read more)
The preseason buzz on Halo Reach is building. Today, the Xbox team gave QB Mark Sanchez and some of his New York Jets teammates a chance to unwind from THEIR preseason by getting to grips with the new game. We'll let their reactions speak for themselves: "Guys from Xbox are bringing over Halo: Reach. Can't wait to tear it up with @nickmangold @officialBraylon and @DustinKeller81. #HaloReach" "Just started playing Halo: Reach with the fellas...this game is SICK!! make sure you guys check it...( read more)
Imagine the following scenario. You use MVVM, you have two classes on your model:
public class Child { }
public class Parent {
    private ObservableCollection<Child> _children;
    public ObservableCollection<Child> Children {
        get { return _children ?? (_children = new ObservableCollection<Child>()); }
    }
}
You have...( read more)
Today the Forefront Online Protection for Exchange (FOPE) team announced to customers that they are shipping a new Outlook Junk E-mail plug-in on Sept 10th.
The new plug-in works on Outlook 2007 and 2010. It adds a button to your Outlook toolbar that allows you to report junk e-mail directly to the FOPE team.
This is the text from the announcement:
The Microsoft Junk Email Reporting Add-in for Microsoft Office Outlook lets users report junk e-mail to Microsoft for analysis, allowing for targeted reduction in volume and impact of junk e-mail messages. This reporting add-in is an upgrade to the pre-existing Junk E-mail Reporting Tool version 1.1 for Microsoft Office Outlook 2003 and offers the following benefits:
· One-click reporting that allows users to select junk e-mail and submit it for analysis to Forefront Online Protection for Exchange.
· Option to select and submit multiple e-mail messages with a single click.
· Automatically moving selected e-mail messages to the Junk E-Mail folder.
· Multi-language support.
· Options to send submitted e-mail messages to a Bcc address.
The Microsoft Junk E-mail Reporting Add-In for Microsoft Office Outlook will be available for download on 9/10/2010. To download the add-in from the Microsoft downloads page, click here.
For more information, see the user guide in the Microsoft TechNet Library.
If you need help, contact Forefront Online Protection for Exchange Online Technical Support. In the United States and Canada, you can call toll-free (866) 291-7726 or dial direct (204) 927-2299. Outside the United States, call the Universal International Freephone Number 800-0000-0060.
For our privacy policy, click here.
In case you missed the original blog about this session, I am bringing it back to the top. As I speak with many partners and service providers trying to understand Microsoft's strategy in the online productivity space and what it means to them, I realize that you can't repeat the message enough. One thing is clear: email is a commodity offering now, and all service providers are trying to understand how best to navigate this highly competitive marketplace. Check out this video to get a better understanding of Microsoft's Online Services offerings and our strategy and partnership opportunities.
Opalis has a set of Integration Packs (currently about 30, depending on how you count) that are included in the downloads of both the 180-day trial and the Full Version for licensed customers. A common question we get is: But what if I want to integrate and orchestrate across systems not on that list? Well, we have the answers! We have a number of built-in functions (Foundation Objects) to integrate with other systems, and if that is not sufficient, we have the Quick Integration Kit (QIK). Charles Joy has posted an article that explains how we can integrate with just about anything, please go take a look!
Adam Hall, Sr. Technical Product Manager, Opalis
Two terms that often confuse UAG and IAG customers are Privileged Session and Privileged Endpoint. What do those actually mean, and how do they differ? And what's the difference between a default session and a privileged one? Well, here I am, with answers.
To put it simply, a privileged session is a session that was initiated by an endpoint that has met the Privileged Endpoint policy, and therefore receives special treatment. This is useful in a situation where an organization considers users to be at a certain level of risk (or to BE a certain level of threat), but under certain circumstances to be at a lower level of risk/threat. For example, an organization's users may be using public computers, such as internet kiosks, but some of them are using laptops provided by the workplace. A public computer can be very risky for an organization if it is used for remote access. It has a high chance of containing viruses or spyware (compared to a private computer), and can be accessed by virtually anyone – the next user, the kiosk owner etc. An organization can reduce its security exposure by detecting that its users are using a public computer and treating it with higher prejudice than a private computer (or, from a different perspective, treating a private computer as a lesser security exposure and giving it a break).
The way this works is that the administrator assigns a certain policy for the trunk (on the Endpoint Access Settings tab), and then configures different settings for endpoints that meet it (on the Session tab). The tricky parts are deciding which endpoints would be considered "privileged", and how to detect them reliably. You might decide, for example, that only company computers should be treated as privileged, and everything else as regular endpoints. Another popular differentiator is the security software in use – computers that have a certain Anti Virus product would be considered OK, and all the rest as higher-risk.
As you know, the endpoint policy mechanism in IAG and UAG is extremely clever and flexible, and you can check many things for this determination. You can even write a custom detection script to look for a registry key on the client computer, or a certain file. One thing that concerns some administrators is how reliable these checks are. Would an attacker who is familiar with your organization's policy be able to fake it? Unfortunately, most of the things detected by the UAG/IAG client components are possible to fake, and so this indeed needs to be carefully considered. One thing that is virtually impossible to forge is a computer certificate, and so I strongly recommend employing that ("Use certified endpoints"), but I won't get into that now.
One important thing to keep in mind is that the default privileged endpoint policy that comes with UAG and IAG is just set to "false", and does not check anything. This means that it cannot be used as-is, because no computer will ever be able to "meet" it and be considered a privileged endpoint.
Once you have defined what you consider to be the differentiators, configured your endpoint policy and selected it in the Endpoint Access Settings tab, it's time to configure the specific settings for the privileged sessions in the Session tab. Most of these are pretty straightforward. The inactive session timeout and the trigger logoff scheme are obvious things that make life easier. Setting the server not to delete cookies at logoff can benefit users of applications that rely on cookies a lot. For example, an app that stores your last visited page in a cookie will save you some time by being able to go to that page automatically. The "not to cache" setting, if left unchecked, allows the user's browser to cache the application's files, making the application perform faster.
The endpoint session cleanup component (known as the Attachment Wiper in IAG) cleans up files downloaded during the session, so having it disabled for privileged endpoints can make them perform faster when re-visiting the application later on.
OK, imagine that on your first day in a new role you're told to build a 12-node cluster for use in some performance and scalability testing. Of course you have never built a cluster with that many nodes, to say nothing of one that needs 48 data LUNs attached to it.
After building out the cluster nodes, and using the cool new Windows PowerShell module in Windows Server 2008 R2 for failover clustering, the only challenge left is configuring the storage for this 12-headed beast. In my particular scenario, the cluster will have 1 LUN as a witness disk, and 48 LUNs available for use by the Microsoft SQL Server instances that will be running within the cluster.
This all leads up to the real challenge at hand: because there are more LUNs than drive letters available, what is the quickest way to configure mount points for these 48 LUNs?
A quick internet search yields http://support.microsoft.com/kb/280297, which provides some insight on the matter. Some quick math leads me to the conclusion that I'm looking at about 2880 mouse clicks in my immediate future (12 Nodes x 48 LUNs x 5 clicks per LUN).
2880 mouse clicks didn't sound like much fun for a host of reasons, so I set out to find a better way and came up with the script below. The key "initial condition" for this script is that while formatting these LUNs, I gave each one a unique name that I could then later use to compute what cluster group it belonged in, and what its volume mount point would be. For example, one of the LUNs is labeled StoreMG02Data0. This tells me that it will belong in the cluster group named StoreMG02 and that it will have a volume mount point path of C:\SQLData\StoreMG02\Data0. In my scenario, there are 12 Cluster Groups Named StoreMGxx, and each cluster group contains 2 LUNs for data, and 2 LUNs for log files.
With all the storage formatted and labeled, I was ready to take the instructions from the above KB article and start creating some mount points, so let’s start walking through the script.
First, because we'll be using some of the Windows PowerShell cmdlets for Failover Clustering, we need to import that module so they are available and also get the computer name of the cluster node we are currently running on.
Import-Module FailoverClusters
$CurrentNode = (Get-WmiObject Win32_ComputerSystem).Name
Next, we need to move all the storage to the node we are currently running the script on. Once it is all on one node, we need to pause the cluster service on all the other nodes, and put all the disks in maintenance mode.
Get-ClusterGroup | Move-ClusterGroup -Node $CurrentNode
Get-ClusterNode | Where-Object {$_.Name -ne $CurrentNode} | Suspend-ClusterNode
Get-ClusterResource | Where-Object {$_.Name -match "Cluster Disk \d"} | Suspend-ClusterResource
Now we're ready to start doing some actual work. The process I used was an inner and outer loop designed to allow me to easily build 2 variables: the volume label (i.e. StoreMG04Data1) and the volume mount point path (i.e. C:\SQLData\StoreMG04\Data1). With those variables set, all I needed to do was make sure the local mount point path existed and then actually assign the mount point to the appropriate volume.
for ($i=1;$i -le 12;$i++) {
    foreach ($Suffix in @("Data0","Data1","Logs0","Logs1")) {
        $label = "StoreMG" + $i.ToString("00") + $Suffix
        $mount = "C:\SQLData\StoreMG" + $i.ToString("00") + "\" + $Suffix
        if (!(Test-Path $mount)) { New-Item -ItemType directory -Path $mount }
        GWMI win32_Volume | Where-Object {$_.label -eq $label} | ForEach-Object {$_.AddMountPoint($mount)}
    }
}
The last thing we need to do is take all the disks out of maintenance mode, and then resume the cluster service on all the other nodes in the cluster.
Get-ClusterResource | Where-Object {$_.Name -match "Cluster Disk \d"} | Resume-ClusterResource
Get-ClusterNode | Where-Object {$_.Name -ne $CurrentNode} | Resume-ClusterNode
All that is left to do is run this same script on the remaining cluster nodes and we’ll be in business. Technically I could have run this script remotely, but that would take some additional configuring, and to use the words of Alton Brown from Good Eats, “That’s another show.”
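The script above trusts that every LUN was labeled correctly and discards the result of each AddMountPoint call, so a typo in a label silently leaves a LUN unmounted. As an added example (not part of the original post), here is a variant that checks the label inventory against the StoreMGxx{Data|Logs}{0|1} convention before touching anything and reports the WMI return code of each assignment; it assumes the same labels, the same C:\SQLData\<group>\<suffix> layout, and that the storage is already on this node in maintenance mode.

```powershell
# Added example (not from the original post): validate the label inventory before
# assigning mount points, then check each AddMountPoint return code (0 = success).
# Assumes the StoreMGxx{Data|Logs}{0|1} labels and C:\SQLData\<group>\<suffix> layout.

# Derive the cluster group and mount path from a volume label. Labels that do not
# match the convention return $null, so a mislabeled LUN is reported, never mounted.
function Get-MountPlanFromLabel {
    param([string]$Label)
    if ($Label -match '^(StoreMG\d{2})(Data|Logs)(\d)$') {
        New-Object PSObject -Property @{
            Label = $Label
            Group = $Matches[1]
            Mount = "C:\SQLData\" + $Matches[1] + "\" + $Matches[2] + $Matches[3]
        }
    }
}

# The 48 labels we expect to find (12 groups x Data0/Data1/Logs0/Logs1).
$expected = @()
for ($i = 1; $i -le 12; $i++) {
    foreach ($Suffix in @("Data0", "Data1", "Logs0", "Logs1")) {
        $expected += "StoreMG" + $i.ToString("00") + $Suffix
    }
}

# Inventory the labeled volumes this node can see.
$volumes   = @(Get-WmiObject Win32_Volume | Where-Object { $_.Label })
$seen      = @($volumes | ForEach-Object { $_.Label })
$missing   = @($expected | Where-Object { $seen -notcontains $_ })
$duplicate = @($volumes | Group-Object Label | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
$malformed = @($seen | Where-Object { $_ -like "StoreMG*" -and -not (Get-MountPlanFromLabel $_) })

# Each expected label must exist exactly once: a missing label makes the original
# Where-Object pipeline silently do nothing, a duplicate would mount two disks on
# one directory, and a malformed label points at a LUN that was formatted wrongly.
if ($missing.Count -or $duplicate.Count -or $malformed.Count) {
    Write-Warning ("Missing labels:   " + ($missing -join ", "))
    Write-Warning ("Duplicate labels: " + ($duplicate -join ", "))
    Write-Warning ("Malformed labels: " + ($malformed -join ", "))
    throw "Volume labels do not match the plan; fix them before creating mount points."
}

# Apply the plan, keeping the return code from each AddMountPoint call.
$failed = @()
foreach ($Label in $expected) {
    $plan = Get-MountPlanFromLabel $Label
    if (!(Test-Path $plan.Mount)) { New-Item -ItemType directory -Path $plan.Mount | Out-Null }
    $vol = $volumes | Where-Object { $_.Label -eq $Label }
    $rc  = $vol.AddMountPoint($plan.Mount).ReturnValue
    if ($rc -ne 0) { $failed += "$Label -> $($plan.Mount) (return code $rc)" }
}
if ($failed.Count) {
    Write-Warning ("AddMountPoint failed for:`n" + ($failed -join "`n"))
} else {
    Write-Host ("Assigned " + $expected.Count + " mount points on " + $env:COMPUTERNAME)
}
```

Run it in place of the inner/outer loop, between the Suspend-ClusterResource and Resume-ClusterResource steps; a thrown error leaves the disks in maintenance mode, so resume them once the labels are fixed.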
For more information on what we do within the MTCs, please check out this link: http://www.microsoft.com/mtc/default.mspx.
This week was an exciting and important milestone for the Windows Phone team – with the completion of our internal development work and extensive testing, our Windows Phone 7 code was released to manufacturing. We are now in the home stretch and over the coming weeks, we’ll continue to work in collaboration with our hardware partners and mobile operators to cross the finish line -- you can expect an exciting range of Windows Phone 7 devices this fall, integrating hardware, software, services...( read more) 
No video today. But I do have some important content to share. As Opalis becomes more and more popular, one thing is for sure, people are going to start thinking of new use cases and new integration targets. Another "for sure" thing will be the emergence of the question, "Does Opalis have an Integration Pack for __________?", where you can fill in the blank with whatever product that may exist out there. First and foremost, I am glad to see that the footprint for Opalis is growing so fast. It is an exciting time! :) Because this question continues to come up, let me level-set, at least for now.
CURRENT LIST OF INTEGRATION PACKS
This image depicts the currently available and road-mapped (flagged with a **) list of Integration Packs. If a product is not on this list, it does not yet exist as an Integration Pack for public consumption. Just because a product is not on this list does not mean that Opalis cannot Integrate, Automate or Orchestrate to that product. In many cases, Opalis can integrate to just about any product (including the ones on the list) WITHOUT an Integration Pack. Instead, Opalis would utilize one of its various "Extensibility" objects. These objects all exist within the base offering for Opalis, also known as the Foundation Objects. Some great examples of "Extensibility Foundation Objects" are:
- Run Program
- Query Database
- Run SSH Command
- Query WMI
- Invoke Web Services
- Run .Net Script
- Get/Monitor/Create SNMP Trap
Each of these can be used to GENERICALLY connect to a system. Once connected, different actions can be taken, depending on the integration surface you are connecting to and the method in which you are connecting. If these objects cannot satisfy the requirements of the integration, Opalis ships with a fully functional and very powerful SDK. This portion of the product is called the “Quick Integration Kit” or “QIK”. With this SDK, you can BUILD YOUR OWN Integration Pack Objects and Integration Packs. For more information on the usage of many of the “Extensibility” items I listed above, as well as QIK, please refer to the following links: enJOY! 