1 2 Previous Next

Geek Speak

29 Posts authored by: Lawrence Garvin

Recently Wally Mead joined us for a webcast about Configuration Manager 2012 SP1 and the Microsoft Management Summit. That webcast is now available for public viewing on YouTube. As often occurs in a webcast, we were unable to answer all of the questions presented. We thank all of the participants for their questions and I was able to follow-up with Wally after the webcast and get answers to the rest of those questions. Additional discussion on these questions is welcome in the comments section and I’ll be happy to provide additional assistance, or follow up with Wally if appropriate.


One question that we did answer during the webcast concerned assistance with upgrading an instance of SQL Server to SQL Server 2012, and I wanted to share this MSDN collection that should provide some additional assistance with that effort: Upgrade to SQL Server 2012



Q1.  I have a question about Task Sequences. When booted from media, I have the option to insert IP Address when OS is booted to WinPE, however, these static settings I set do not survive to the actual OS phase, DHCP settings have taken over … any thoughts on how to get this kind of scenario working?


LG: During the webcast I suggested to use DHCP Reservations, but I asked Wally if there was another option for this scenario.


WM: The suggestion is to use DHCP reservations. That’s the best way to handle it. However, a response from the [Product Group] PG was:


PG: When they set the IP in WinPE, it is applied on the fly and not saved as it may only be relevant to WinPE. If they want to persist that IP, then they’ll need to do a custom script to pull the addresses from the system in WinPE and set the task sequence variables so that it is used later by the Apply Network Settings task.



Q2. Can you go over OSD support with SCCM 2012 SP1 in terms of using the default wim files that are shipped on the OS install DVD?


WM: You simply browse to the Install.wim from the OS when adding the Operating System Image. Then you add a new TS variable to tell it to not restore to the same drive:

     D: issue - Add OSDPreserveDriveLetter=False allows the task sequence to auto-correct



Q3. Are there any known issues with setting up SQL Server Reporting Services with Configuration Manager 2012?


WM: You must install SRS on a SQL Server computer, then make sure that we have an account to use. That’s really about it. http://technet.microsoft.com/en-us/library/gg712698.aspx



[This question is a follow-on to the use of security roles to manually add nodes.]

Q4. If I have a security group listed as an administrative user, I can grant that user security roles, which correspond to security groups? If I grant this administrative user security roles which define it to have access to fully manage clients in their collection, but only manage the all systems collection to import computer information, I am not seeing a way to handle this because it seems to be a one-to-one relationship. So from the admin user group, what roles are they assigned on what collections? I don’t see a way to assign roles multiple times to say this role applies to this scope, while that role applies
to another scope.


WM: By default, when you add an administrative user (individually or via a security group), you designate the role(s), security scope(s), and collection(s) that this administrative user has. All actions for all roles are available to all objects with that same scope applied, to all members of the associated collections. If you want more granular control, such as specific actions (i.e. roles) applied to specific collections, and other roles applied to different collections, you go to the “Security Scopes” tab of the administrative user Properties dialog. Then select the bottom radio button “Associate assigned security roles with specific security scopes and collections”. That allows you to control which roles/scopes are associated with which collections.



Q5. There is more than Exchange that we would want to manage on mobile devices, like applications, policies for connections, etc. We need a complete MDM solution based on CM, not an external service – when is that coming? (and from the same participant, in the registration form): Why doesn’t CM support devices the same way Intune does without the added cost of Intune?


WM: Configuration Manager does not provide the same level of management of mobile devices as does Windows Intune. If you need more management than what Configuration Manager can provide when integrated with Exchange ActiveSync, then you’d have to go with the Windows Intune integration. There is no planned on-premise, full MDM solution other than what we have for Windows Mobile/Phone 6.1/6.5 and Nokia Symbian. Windows Intune, through the cloud, is our stated direction for this support.



Q6. We don’t want CM advertisements for VApps to have a countdown, is there still a countdown notification in CM2012 advertisements for VApps?


WM: If you are referring to the countdown before a deadline app, then you can disable all notifications if you want to. That’s done on a per deployment basis, on the User Experience tab.



Q7. What is your recommended strategy for cluster patching with SC2012 SP1?


WM: We have architected nothing specific in Configuration Manager to handle cluster patching scenarios. Most people I know of are using System Center Orchestrator to coordinate those activities. But nothing in Configuration Manager natively, and no integration with the cluster aware updating from the OS. Other than Orchestrator integration, it is a manual process.



LG: And finally, for those of you who were unable to attend the Microsoft Management Summit, all of the sessions presented (plus some bonus interviews) are now available for public viewing on Channel 9.

Activities are rolling ahead for this year’s Microsoft Management Summit (MMS), which will be held at the Mandalay Bay in Las Vegas from April 7th through April 12th. For those of you with a bend for country music, you might also be aware that the Association of Country Music awards are taking place on the opening day of the conference in the MGM Grand in Las Vegas. (I’m still trying to figure a way to take advantage of that!)

What is Microsoft Management Summit?

Microsoft Management Summit is an annual conference dedicated to IT management. It offers five days of hands-on-labs, presentations, and community events with Microsoft staff, Microsoft MVPs, and other industry experts. If you’re involved in any aspect of systems management, including configuration, operations, virtualization and help desk, this conference is likely to have something of interest to you. If you’ve not yet registered, it’s not too late (although you will have to arrange your own hotel accommodations).

This year, sessions are being presented in eight different technical tracks:

  • Access & Information Protection
  • Application Management
  • Desktop Client
  • Desktop Virtualization
  • Infrastructure Monitoring & Management
  • Service Delivery & Automation
  • Unified Device Management
  • Windows Server & Azure Infrastructure

As you might expect, that content will be heavily wrapped around Windows Server 2012 and System Center 2012.

MMS Content Online

If you can’t attend, don’t worry, because all of the session content is also published online. MMS 2012 offered over 160 sessions, and you can review any of the session content from MMS 2012 online today with just a social networking logon (WindowsID, LinkedIn, Twitter, or Facebook). The 2013 content will be available online shortly after the conference ends, and there are currently 305 sessions listed in the content catalog.

MMS Presentation

I will be co-presenting a session with Kent Agerlund titled Managing Third-Party Updates with System Center 2012 Configuration Manager SP1. Kent is a Senior Consultant with Coretech A/S in Denmark and a Microsoft MVP. He blogs on the Coretech blog and recently authored a must-read book about implementing Configuration Manager 2012 in small- and medium-sized organizations. In our presentation, we’ll be talking about the various ways Configuration Manager can be used to manage and deploy third-party updates. The presentation is currently scheduled for Sunday, April 7th at 5:00pm PDT. (Which should get me out in time to go party with my ACM friends, eh?)

SolarWinds Booth #712

SolarWinds will also have a booth in the Expo Hall, so come by and say Hi! We’d love to meet you, chat with you, show you some products you don’t yet have, or help you answer any questions about the ones you do have. You’ll find us in Booth 712.

Webcast with Wally Mead

To kick off that week’s worth of festivities, this Thursday (March 28th) at 11:00am CDT, SolarWinds is hosting a webcast with Wally Mead. Wally is a well-known expert in all things related to Configuration Manager. He and I are going to chat (well, he’s going to chat, I’m just going to ask questions and listen) about:

  • Service Pack 1 enhancements in Configuration Manager 2012 (and there are a LOT of cool enhancements!)
  • Using Microsoft Intune with Configuration Manager for mobile device management
  • The educational opportunities at MMS2013, including presentations and the hands-on-labs.

Plus a special bonus: Questions from the viewers! If you register now for the webcast, you’ll have an opportunity to submit a question of your own for Wally. We’re going to pick the best of the best tomorrow (Wednesday), and Wally will answer those questions live in the webcast Thursday. Hope to see you all there!

Today’s IT Blogger Spotlight is on Derek Schauland. Derek’s blog is Technically Speaking, and he is an IT Manager for a small organization in Wisconsin in the food services business. He's been working with technology since the days of Windows NT. Derek also posts on the Microsoft TechNet IT Management blog and TechRepublic.com.


Recently Derek and I attended the Microsoft MVP Summit together, and we had an opportunity to chat about his blog.

LG: Tell me about your blog.

DS: The blog started as a way to share tips, tricks, and problem solutions with others.


LG: What are your most popular blog posts?

DS: The product reviews seem to be the most popular.


LG: Who are some of your other favorite bloggers?

DS: I read a lot of Ed Bott (edbott.com, zdnet.com), and TechNet Blogs.


LG: You recently completed your first book. Training Guide: Configuring Windows® 8. How was the book writing experience? Would you do it again?

DS: Writing a book was certainly an interesting challenge.  Articles and blog posts are quick and easy most of the time, but the book proved to be a much bigger challenge.  It was definitely a worthwhile experience and I would consider doing it again, but I’ll need some time to recuperate first.


LG: What do you do when you’re not doing IT? (and "sleep" doesn’t count!)

DS: That’s it.  I.T. and sleep.  Just kidding.  Although I am doing a ton of IT-related things outside of my job, including running a not-for-profit training organization (http://www.techontap.org) with a couple of friends. The idea behind the project is to help other IT pros network and learn about technology.  Maybe they get a chance to meet someone like Lawrence from SolarWinds or someone else in the industry they might not have otherwise met, but that is still IT.


LG: Okay, let me try another way. What would you do if there was an eight-day week and you could only work seven of them?

DS: Photography! I’ve always had a passion for the creative art of photography.


LG: What are some of your favorite SolarWinds products and why?

DS: Lately the favorite products are the smaller ones:

  • Mobile Admin because I can get alerts and correct issues from my iOS devices if I am not in the office
  • Web Help Desk because I am getting my co-workers used to the idea of tickets to help manage their issues
  • DameWare Remote Support for the huge number of features available for working with/troubleshooting issues on the local network

Follow Derek on:

Twitter: @webjunkie

His blog: Technically Speaking



More IT Blogger Profiles:

Scott Lowe

Bob Plankers of Lone SysAdmin

Matt Simmons of The Standalone SysAdmin

All blog spotlights

Last November, my colleague Phil wrote an article in this blog about using the Patch Manager Update Management Wizard to deploy third-party updates. A similar capability also exists in the Update Management Wizard for deploying Microsoft Updates, but it requires use of a different option. For the third-party updates discussed in the previous article, the files for those updates are physically present on the SUP, so it is possible for the Windows Update Agent to download those update files.


A different situation exists for Microsoft updates, because the update files for Microsoft updates are never downloaded to a Software Update Point. The Good News, though, is that the Update Management tool and the Update Management Wizard tool both have an option to instruct the client to download updates directly from Microsoft Update.


Update Management Wizard - Use Microsoft Update option.png

There are a number of ways in which the actual update task can be invoked.


  1. The Computer Explorer | Windows Update Scan tool can be used to scan the client against the SUP catalog to determine which synchronized updates are installable, select the desired update(s) from the scan results, and then launch the Update Management task from the Computer Explorer to have the Windows Update Agent download and install the updates from MU.
  2. The Update Management tool can be used in conjunction with the "Select Updates" option to choose one or more updates from the list of updates synchronized on the SUP.
  3. One or more rules can be defined in the Update Management Wizard, and have all applicable updates matching that rule set pulled from MU. (Note that this methodology can result in the client obtaining updates that are not available via the SUP.)



One of the lesser known features of Patch Manager is its ability to supplement the reporting capabilities of Configuration Manager. What makes Patch Manager the choice of interest is not what it does, but how it does it, to wit, predefined report templates and an easy to use report builder. This functionality, though, is not immediately available for use right out-of-the box; it requires some additional options configurations inside Configuration Manager. In this article we’ll show you how to turn on the client reporting to the Configuration Manager Software Update Point (SUP) so that you can get update compliance data using the Patch Manager reporting system.


In a WSUS standalone environment the Windows Update Agent automatically reports state information to the WSUS server. However, in the Configuration Manager environment, this automatic reporting is suppressed, and the only state information reported comes from the Configuration Manager Agent to the Configuration Manager Management Point server.

To enable the clients in a Configuration Manager environment to report state information to the SUP, you’ll need to modify the configuration of the SUP component in the Configuration Manager console.


Enabling WSUS Reporting Events in Configuration Manager 2012

CM2012 SUP Component Configuration.png

In the Configuration Manager 2012 console:

  1. Select the Administration workspace.
  2. Select the Site Configuration node.
  3. Select the Site from the list of sites in the details pane.
  4. Open the Configure Site Components menu.
  5. Select Software Update Point to launch the SUP component properties dialog.

CM2012 SUP Reporting Events Option.png

     6. Select the Sync Settings tab, and in the WSUS reporting events section at the bottom of the dialog, select the option Create all WSUS reporting events.

Enabling WSUS Reporting Events in Configuration Manager 2007

CM2007 SUP Reporting Events Option.png

In the Configuration Manager 2007 console:

  1. Navigate through the Site Database -> Site Management -> Site -> Site Settings tree.
  2. Select the Component Configuration node.
  3. Select the Software Update Point Component entry from the list of components in the details pane.
  4. Right click and launch the Properties dialog.
  5. Select the Sync Settings tab, and in the WSUS reporting events section at the bottom of the dialog, select the option Create all WSUS reporting events.

Client Behavior

The clients will upload their state information to the SUP database during their next scheduled Software Updates scan. How long this will take depends on the frequency you have configured for Software Updates scans. At most it should take no more than a full day. Alternatively, you can use the Client Management tools in Patch Manager to force your clients to perform a Software Update scan immediately, or at a scheduled time.

Configuring a WSUS Inventory Task for Configuration Manager Environments

PM Launch WSUS Inventory.png

While you’re waiting for the clients to upload their state information to the SUP, you can configure Patch Manager to perform a WSUS Inventory when those uploads have completed.

Drill into the Update Services -> SUP node of the Patch Manager console, right-click, and select WSUS Inventory to launch the inventory configuration dialog. Use the default options, and configure the task to run at a time and frequency appropriate to your needs. Typically, this would be a daily task run during non-working hours.


Using WSUS Reporting

Once the WSUS Inventory task has completed, you can use the reports and datasources in the Patch Manager MMC console to access the client-reported state information. The best place to start is the Computer Update Status report, which is a general report for all clients and all updates showing the installation state for each update on each client. Updates identified as "NotApplicable" are automatically suppressed from this report, so the report focuses only on the installable updates and whether or not they are installed.

Finding WSUS Reports in Patch Manager console.png

Make special note that in a Configuration Manager environment, there are no update approvals, so you might wish to remove the Approval State column from your reports since it has no meaning.


For more information about creating the WSUS Inventory task and using the Patch Manager WSUS reports, please review these resources:

Virtualization is one of the fastest growing “new technologies” in the I.T. world, but it’s not cheap to implement, mostly because of storage costs. CPU and Memory capacities of today’s systems are more than sufficient to handle a host with several running virtual machines, but very few systems have adequate internal storage services to support the number of virtual machines that can run in the available memory space.


External storage is inevitable

One way to address the storage challenge is with external storage. Large virtualization implementations typically implement Fibre Channel or iSCSI SANs, but these are fairly expensive implementations, and quite often out of the reach of many organizations. File sharing solutions can be very cost-effective for more modest virtualization implementations, but they’ve not always been functional solutions for more than experimentation.


Another factor that encourages the use of external storage is the growing prevalence of both Microsoft Hyper-V and VMWare ESX/ESXi implementations in the same data center. Building out individual host servers with internal storage capacities gets very expensive. The differential in pricing between servers with large numbers of internal bays and a minimal number of internal bays can be a factor of ten. Shared storage can be a great cost-effective strategy for addressing the needs of hybrid environments.


Back in the really early days of virtualization, I recall experimenting with putting virtual disks on a file server, and found that to be a functional solution for a single virtual machine, but it quickly hit the wall with additional machines, due to limited network bandwidth. At that time, Gigabit Ethernet was not within easy reach of the masses, and only a limited number of virtual disks could be supported on a 100Mb/sec Ethernet connection. The only thing available at that time that could really provide the services needed were Fibre Channel SANs. Today available Ethernet network bandwidth exceeds the capacity of Fibre Channel.


Previous limitations of file sharing

Until recently, though, the file sharing technologies available for using external storage were the primary bottleneck. If you were working with Microsoft Hyper-V, the capabilities of SMB in Windows Server just didn’t measure up. In fact, some people believe that SMB v2 (introduced in Windows Server 2008) was actually a step backward in performance, and the SMB v2.1 patches done for Server 2008 R2 merely brought us back to the performance levels of Server 2003.


For VMWare ESX/ESXi the opportunities weren’t much better. The ESX/ESXi external file sharing model uses Network File System (NFS) v3. NFS has been the file sharing system in Unix and Linux for dozens of years, but it can be complicated to configure and tune performance. NFS v3 is almost 30-years old. It also has limitations with respect to security, performance, statefulness, and cluster support – all things that would be particularly useful when hosting virtual disks.


File sharing improvements.

In April, 2003, the IETF introduced NFS v4 (RFC 3530) which addressed security and performance, and introduced a stateful protocol model. In January, 2010, the NFS v4.1 (RFC 5561) enhancements added capabilities for clustered server deployments and scalable parallel access to file distributed among multiple servers, making NFS v4.1 a very robust file sharing protocol for use with virtualization. Concurrent with the NFS developments, Microsoft was hard at work making improvements to the SMB protocol, and has introduced those with SMB v3. Some of these improvements compare to the scale of improvements seen in NFS from v3 to v4.1.


NFS v4 and SMB v3 together

Combining the capabilities of SMB v3 and NFS v4.1 into a single file server brings an exceptionally powerful external storage solution to virtualization environments that are budget conscious, and Microsoft has made both of these protocols available in Windows Server 2012. Now, a single file server can provide storage services to both Hyper-V environments and ESX/ESXi environments, using each hypervisor’s ‘native’ file sharing protocols.


Today, Hyper-V v3 can use either SMB v3 or NFS v4.1, and soon (we hope) ESX/ESXi will be enhanced to also take advantage of these significant improvements in NFS v4.1. If you’re looking to expand your virtualization infrastructure, shared file storage might be something to include in your environment.


For those that are using file sharing to support your virtualization environments, what are your experiences?



One of the ongoing challenges with the release of WSUS for Windows Server 2012 (Win2012) was how to remotely administer the WSUS server. Currently, a WSUS server installed on Windows Server 2012 (also known as WSUS v6) can only be remotely administered from a Windows 8 or Win2012 system. This is a result of dependencies in the console infrastructure that cannot (or at least, will not) be rolled back to Windows 7 systems, and that introduces a very significant challenge for organizations who would like to migrate to WSUS v6: They also have to install Windows 8 or an additional Windows Server 2012, just to have a remote console.


With the release of SolarWinds Patch Manager (SPM) v1.85 on Jan 22, 2013, SPM now brings a unique capability to the WSUS environment: The ability to manage both WSUS v3 and WSUS v6 servers from a Patch Manager remote console installed on Windows 7.


To clarify: WSUS v6 is the version of WSUS that ships with (Win2012), as compared to WSUS v3 which is the version of WSUS available for Windows Server 2008 R2, Windows Server 2008 SP2, and Windows Server 2003 SP2. Unless otherwise specified, this entire article refers exclusively to WSUS v6.


There are five scenarios in which SPM can be implemented to remotely administer a WSUS v6 server from Windows 7. I’m going to present them in what I believe is the optimal order of choice:

  • Install the primary SPM server on a Win2012 system.
  • Install a secondary Automation Role server on a Win2012 system.
  • Install a secondary Automation Role server on the WSUS system.
  • Install the primary SPM server on the WSUS system.
  • Install a secondary Automation Role server on a Windows 8 workstation.


Install the primary SPM server on a Win 2012 system

If you’re installing a new instance of SPM you should consider installing it on Win2012. When SPM is installed on Win2012, the installer will automatically install the console components of WSUS.  This functionally is identical to how SPM has installed the WSUS v3 console on pre-Win2012 systems. Register the new WSUS server and you’re ready to go.


Install a secondary Automation Role server on a Win2012 system

If you already have SPM implemented in your environment, it may not be desirable to migrate your existing primary server (PAS) just to get WSUS v6 manageability. As an alternative, after upgrading your existing PAS to v1.85, you can install an Automation Role server on a Win2012 system. The installation of the Automation Role will also install the WSUS console components. Register the WSUS server after the installation is completed. One additional step is required within SPM: You will need to create an Automation Server Routing Rule for the WSUS server to ensure it is managed by the Automation Role installed on the Win2012 system. (For more information about Automation Role servers and Automation Server Routing Rules, also see Chapter 14 of the Patch Manager Administrator Guide.)


Install a secondary Automation Role server on the WSUS system

If you don’t have another available Win2012 instance, you can also install the Automation Role onto the WSUS system. Register the WSUS server after the installation is complete, and create the Automation Server Routing Rule for the WSUS system.


Install the primary SPM server on the WSUS v6 system

As a last resort – you can install SPM on the same system as WSUS v6. Ideally in this scenario, both WSUS and SPM will use a back-end SQL Server database server. However, the WSUS v6 scenario brings one additional complication to the table. While SPM v1.85 is supported with SQL Server 2012 (SQL2012), as of this moment, WSUS is not supported with SQL2012. If you choose to use a remote SQL Server for both WSUS and Patch Manager, you must use an instance of SQL Server 2008 R2 SP1.


Install a secondary Automation Role server on a Windows 8 workstation

If you don’t have an additional Win2012 system, and do not wish to install SPM on the WSUS system or already have a PAS deployed, the Automation Role server can also be installed onto a Windows 8 system. In this instance, the SPM installer will download and install the Remote Server Administration Tools (RSAT) for Win2012 in order to provide access to the WSUS console. As with the other secondary server options, you will also need to configure an Automation Server Routing Rule.


The WSUS v6 server will appear in every Patch Manager console along with any existing WSUS v3 servers in the Update Services node.


To download Patch Manager v1.85, existing maintenance customers will find it available in the Customer Portal. A free 30-day evaluation of Patch Manager v1.85 is also available from the SolarWinds website.


SolarWinds Patch Manager provides an enhanced capability for creating Custom Update Views in the Patch Manager console.  We’re going to talk about three custom views that you may find helpful.


Third Party Updates

The first view is probably not new to you: Third Party Updates. KB3690 provides instructions on how to create this view. You may wish to refer to that knowledge base article for assistance in creating the next two views we will discuss.


Needed Updates

The second view that I’ve found useful is a dedicated view for Needed Updates. Using the guidance in KB3690:

  1. Select the “Updates have a specific approval and installation status” property.
  2. In the Updates View Filter dialog, set Approved State = “All”
  3. Set Update Status = “Needed”
  4. Assign the name “Needed Updates” to the view.

Now you can select “All Updates” or “Needed Updates” at will, with no additional query or refresh activity required to toggle between them.


Approved & Superseded Updates

The third view is a very important one. One of the critical WSUS administration tasks that should be performed on every WSUS server is update approval maintenance – specifically, removing approvals from superseded updates. I talked about why this is important in a PatchZone blog post series about WSUS Timeout Errors. In the WSUS console, finding superseded updates with approvals to be removed is somewhat of a tedious activity, but in the Patch Manager console, using the enhanced capabilities with custom update views, you can define a view that shows only the superseded updates that are approved and should have the approvals removed.


Here’s how to do it:

  1. Launch the task to create a new update view.
  2. Select the “Updates have a specific approval and installation status” property.
  3. Set Approved State = “Approved” and Update Status = “Installed/Not Applicable” and name the view “Approved Superseded Updates”, or something you like.
  4. Add the “Not Applicable Percentage” column to the view, and drag the “Not Applicable Percentage” and “Has Superseding Updates” columns to the left side of the view.
  5. Set the filter on “Has Superseding Updates” to only show updates with the value “Yes”.
  6. Set the filter on “Not Applicable Percentage” to only show updates with the value “100%’.
  7. Click on the “Save View Layout” to store this view state.

You now have a display showing the superseded updates, that are no longer needed by any system, and have approvals that should be removed. Select all of the updates and decline them.

Patch Manager Approved Superseded Updates.png

CAUTION: As discussed in the PatchZone blog post about WSUS timeout errors, if you have downstream servers you may need to be careful about the number of updates you process at one time. On a not-so-well-maintained server I recently worked on, there were 254 updates to be declined. That’s probably too many to process in a single task, because the downstream servers will need to replicate those changes. Keeping the limit to 100 per synchronization cycle should keep you out of trouble. You can also schedule the decline tasks to occur at a future time!


After removing the approvals you can run the Server Cleanup Wizard to remove the files associated with them. After declining the updates on the server with 254 updates, the Server Cleanup Wizard deleted almost 12GB of unneeded files.




Every time you install Hyper-V you you’re presented with a diverse landscape of platform options, that left untended can overgrow even the most capable IT team.  Counting the legacy existence of Windows Server 2008 R2, there are now (theoretically, at least) a dozen different ways you could install an instance of Hyper-V on a system.  Hyper-V for Windows Server 2008 x64 SP2 is excluded from this discussion due to teething/setup issues.  There are notable feature enhancements in Window Server 2012 (Hyper-V v3) that you may wish to consider in choosing what host OS to install. Making the best decision for a host operating system can save you a whirlwind of complications down the road as your environment expands. Expand your Hyper-V monitor capabilities.

Windows Server (Full Installation) with Hyper-V Role

If you’re installing Hyper-V for the very first time, I would highly encourage you to start with the Full Installation of Windows Server. The primary advantage here is that you’ll have access to the Hyper-V console on the server, and not have to deal with the added complication of remote administration.


Another reason that you might choose the Full Installation over Server Core or the free Hyper-V Server is if you’re installing a non-production environment, and also need to run additional roles on the Server OS. Not all roles are available in Server Core, and managing a multi-role Server Core system can be a significant headache. For production systems, you should plan to make a Hyper-V server dedicated to that role.


One might be inclined to think that the presence of the GUI in the Full Installation has performance implications, but not really. More significantly, the presence of the additional baggage in the Full Installation represents additional overhead regarding patch management.

Windows Server (Server Core) with Hyper-V Role

If you’re installing Hyper-V in a production environment, and will be installing at least one instance of a Windows Server OS that is not yet licensed, then this is the best installation option. The Server Core installation removes a number of unnecessary OS components, which significantly mitigates the patch management efforts for your host system, but it still provides the additional virtualization licensing.


Consider this: The only thing worse than having to reboot a production server … is having to reboot a production virtualization host running multiple production servers.


Note, however, that if you choose to install Windows Server 2012 (Server Core), this will require an installation of Windows 8, or another installation of Windows Server 2012, in order to access the Hyper-V console remotely. Windows Server 2012 cannot be administered from a Windows 7 or Windows Server 2008 R2 system.

Hyper-V Server

The free Hyper-V Server provides the best impact when you’re looking to virtualize non-Windows installations (e.g. Linux, Unix), or where you already have the licenses for existing Windows operating systems. If you’re focusing on server consolidation and primarily doing physical-to-virtual migrations of existing (licensed) Windows servers, then this is the best place to start; however, like the Server Core installation, if you opt for the Hyper-V v3 Server, it will require you to work from the command line, or manage the server with Windows 8 or another Windows Server 2012 system. The Hyper-V v2 Server can be managed from Windows 7.


Also worth noting, both the Server Core and Hyper-V Server installations can also be managed from System Center Virtual Machine Manager.  Hyper-V monitoring simplified!






Over the holiday break, ORYSP published an infographic in their blog that was quite humorous.. and accurate. It brought back many memories of my time in the trenches. With their permission, we have included their infographic here.


We'd also like to remind you that we did some surveys of our own this year, and if you've not yet had a chance to find out what your colleagues around the world think of being an IT Professional, you should check these out too.


How many of the IT jobs listed here are part of your daily duties? Are there other IT jobs you regularly engage in that are not identified? How do you handle difficult users?


The disk drive. That impermeable "black box" that stores our life's work ... documents, photographs, music, videos, and almost everything we hold dear in our life. Have you ever wondered how it really works? Have you ever longed to open the case and look inside? Maybe you'd just like to know what clothes ITPros wore to work before the turn of the century?


Recently I had the opportunity to view an old video tape, compliments of the This Week in Tech Security Now podcast #384 (Dec 26, 2012), that discusses those very questions. In 1990, when Steve Gibson's SpinRite was just a fledgling product, he went on the road and did a series of educational presentations to retailers, sponsored by SoftSell (a major distributor of computer software in 1990), describing everything you'd ever want to know about how disk drives work, and why they don't.


Have you ever wondered about the internals of a disk drive ... Heads, Cylinders, Sectors. Or maybe the bygone question of interleaving. Why did IBM choose a grossly inefficient interleave of 6:1? Why did Western Digital overcompensate by making it 3:1, trying to produce a 2x faster system, but actually producing a 3x slower one!? Or the myriad of acronyms that befell ITPros back then: MFM, RLL, ERLL, to name a few. What impact does heat really have on disk drives, and what was the real reason common wisdom was to leave your PC turned on all of the time?


Most significantly: Why do disk drives fail? What can you do to reduce, maybe even eliminate, disk drive failures – even today!


In addition to being informative, the video is also exceptionally entertaining. Steve has an incredible sense of humor, whether picking on his mother-in-law, “Big Blue”, Seagate Technologies, or Western Digital. I promise that even if you actually personally owned a PC in the late 1980s, and lived through this experience, you'll still learn something new from this video. I did (and yes, I bought my first IBM PC-compatible in June 1989 .. 23 1/2 years ago).


The full episode is 65 minutes, but minus the 10 minute intro/ads, and the 10 minute wrapup, the legacy video is about 45 minutes long.


Happy New Year!



This has been a busy year for changes in WSUS and Patch Manager. In this article I’m going to summarize these changes. Treat this like a checklist. If there’s something on this list you’ve not yet done, use the next couple of weeks to develop a remediation plan. If you need help with any of this, post a message in the Thwack Patch Manager or PatchZone forums, and I’ll be happy to respond.



Following the EminentWare acquisition, Patch Manager v1.72 was released and implemented a new licensing model (see KB3552) . This new licensing model

  • granted access to the 3rd Party Updates Pack to all Patch Manager customers,

  • eliminated the need for activation on Secondary Application Servers, and
  • changed the methodology of how the 3rd Party Updates catalog is synchronized.

If you’re still running one of the EminentWare Extension Packs – this update should be a New Year’s Resolution for sure! Details on upgrading to v1.72 and troubleshooting a common licensing issue are discussed in KB3602 and KB3562 respectively.



KB2718704, the first of many updates precipitated by the Flame fiasco, was released. This update replaced the certificates used by the WUAgent to validate digital signatures on files signed by Microsoft, and by WSUS to establish SSL connections for synchronization. I talked about this in the Product Blog (June 4). For some really technical details on what this update does, read these Microsoft Security Research & Defense (SRD) blog posts [ June 3 | June 6 ]

Also in June, we released a free tool - the Diagnostic Tool for the WSUS Agent - designed to make your efforts in troubleshooting communications and behavioral issues with the Windows Update Agent much easier. Most notable about this tool is that it runs on 64-bit systems, and it provides guidance on known causes and the proper solutions for many of the issues encountered with configuring the WUAgent and communicating with a WSUS Server.


Two events of significance occurred in July: one from Microsoft, and the other from SolarWinds.

Microsoft KB2720211

KB2720211, a preliminary update to facilitate the changes announced in this SRD Blog (July 10) was released to WU/WSUS. This update provided four items of significance, it:

  • updated the digital signatures on the WSUS resources.
  • updated the Windows Update Agent to use those new digital signatures.
  • updated the WSUS API to create 2048-bit certificates for use with local publishing.
  • rolled up a couple of previous local publishing related hotfixes.

Probably the two most significant issues with this update were

  • that it was exceptionally difficult to successfully install (partly due to Microsoft’s rush to getting it out the door; see these WSUS Support Blog Posts [ June 20 | July 23 ] for guidance installing KB2720211), and
  • that without it, systems that updated the WUAgent via AU/WU/MU were no longer able to communicate with an unpatched WSUS server due to the certificate changes (See KB958045 and this WSUS Support Blog Post for details).

This is a required WSUS update. If you’ve not yet installed it, doing so needs to be at the top of your patch management to-do list. However, you should also consider installing KB2734608 as an alternative to KB2720211. It’s reported to provide a more reliable installation. I discuss it in more detail later in the article.

For Patch Manager customers, this update also presented some minor complications, because it does not detect as installable on WSUS console-only installations. (I asked the WSUS product team about this behavior, and they told me it was “by design”. I told them that I thought it was a bad design, but it is what it is.) So, be sure to install KB2720211 on your WSUS console systems, as well, most notably all of your Patch Manager servers, which also have WSUS console installations. More on this is available in KB4054 and KB4328.

  • If you have WSUS and Patch Manager installed on the same system, you will also encounter an Access Denied failure in the Patch Manager console after installing KB2720211. We discuss this scenario in KB4014.
  • There was some confusion regarding the About->Help dialog in the MMC console after upgrading WSUS or Patch Manager from/to any version. KB4107 discusses this scenario.
  • After installing KB2720211, if you are using local publishing in WSUS to deploy third-party updates, you must create a new publishing certificate, distribute it to all systems, and re-sign all update packages that are needed by client systems. Details on this procedure are available in KB4100. Also there is a minor anomaly that impacts the Server Publication Verification Wizard, which we discuss in KB4127.

Patch Manager v1.73

Patch Manager v1.73 was released, in response to the forthcoming digital certificate changes announced in the July 10 SRD blog posting. I wrote about the proposed Microsoft certificate update in the Product Blog (July 25).

The Patch Manager v1.73 update has some stringent requirements for how it is deployed in environments with more than one Patch Manager server. If you’re still running Patch Manager v1.72, please read the notes in KB4099 and KB4138 very carefully. If you’re still running an older EminentWare Extension Pack, see KB4118 for additional guidance.


Microsoft KB2661254

KB2661254 was published, as announced earlier, but only to the Microsoft Download Center, providing a big break to Patch Manager customers. An announcement that the update would be released to WU/WSUS in October was posted to the MSRC Blog.

KB2661254 will break all Local Publishing functionality on a WSUS server that does not have KB2720211 installed, so you need to perform all of the required actions for KB2720211 prior to installing KB2661254 on the WSUS server. This is discussed in greater detail in KB4110.

Microsoft KB2734608

KB2734608 was published, but only to the Microsoft Download Center. This update will not be distributed via MU/WSUS because of the complex requirements for its installation. There are two items noteworthy about this update:

  • It provides the ability to patch Windows 8 and Windows Server 2012 systems from a WSUS v3 server by adding SHA256 hashes to the WSUS content, which is required by the WUAgent v7.8 installed on Win8/Win2012.
  • It rolls up all of the updates contained in KB2720211.

This is an optional update for WSUS! If you don’t need to patch Win8/Win2012 systems yet, I recommend you bypass this update (assuming KB2720211 is already installed). If you choose to install this update, please read the detailed deployment guidance provided in the KB article.


What We're Working On

  • full capabilities for patching and managing Windows 8 and Windows Server 2012,
  • managing WSUS v6 installed on Windows Server 2012, and
  • installing Patch Manager on a SQL Server 2012 instance.


I have a desktop PC connected to my 37” TV where I do most of my personal work on at home, everything except email which is on a different system. Working from a 37” monitor is really sweet. Additionally, when I work from home, I use that PC to Remote Desktop to my SolarWinds notebook where I have all of my work-related applications and documents. In addition to having the work environment on the big screen, I can also leverage the wireless keyboard and mouse that’s connected to the PC.


Remote Desktop limitations

But using Remote Desktop has some inherent limitations: first I lose the use of the internal notebook display, because the Microsoft Remote Desktop connection locks it out. Second, streaming video across the RDP connection is not so good. Now, this may be a factor of the 802.11g (54mb/sec) wireless connection that the notebook uses to get on my home network, but that’s what I have to work with at the moment. Third, routing audio via RDP impacts my ability to use a USB or Bluetooth connected headset with the notebook, and while it is possible to switch between the two, it’s not particularly easy to do so on the fly.


Directly connected complications

I explored plugging the notebook directly into the TV, via HDMI, which would get me direct sound in my 5x1 (rather than via RDP) and streaming video direct to the TV. But, that would also require implementing a second wireless keyboard/mouse set, and I didn’t really want to plug in (or buy!) an extra keyboard/mouse just to manage that system.


A real solution

Then I remembered that DameWare Mini Remote Control (MRC) can solve all of those challenges, most notably because it doesn't take over the display of the remote system. So as of today, I now have the notebook plugged into the TV via HDMI, and the notebook display can also be active. I’m viewing the notebook video directly from the HDMI TV connection, so I’ve completely eliminated my streaming video issues coming across the wireless RDP session. I have a DameWare MRC session initiated from the PC to the notebook, which is giving me wireless keyboard/mouse controls on the notebook.


Special tips of importance

Oh, a couple of tips for this scenario, to keep the control PC from stealing mouse control away from the MRC application.ing

  1. Aside from the MRC session needing to be in Full Screen mode on the control PC, you’ll also want to make sure you hide the taskbar on the control PC.
  2. Be aware of the MRC control bar that sits in the top center of the control PC. This will impact your ability to navigate into the Title Bar of the remote PCs windows if they’re open fullscreen. You can move the MRC control bar to a different location on the control PC. I dragged mine down to the farthest lower-left corner of the screen so the only thing it now impacts is the “Show Desktop” button on my left-side positioned taskbar – which I never use anyway. If your taskbar is in the native location at the bottom of the display, you might move the MRC control bar to the far lower-right corner.



As some of you may have read recently, SolarWinds conducted a survey of 401 US-based system administrators. We asked a lot of questions about their life inside and outside of the workplace, and as you might expect, we specifically asked what their primary job function was. The top two answers were related to tasks involving installing, operating, maintaining and supporting computer systems. You can review the full survey results here, and discuss the results in our forum.


Performing the various tasks involved with installing, operating, maintaining, and supporting computer systems requires the use of a disparate set of tools. For example, installing operating systems typically requires physical access to machines, but sometimes is done from server-based toolsets that are accessed remotely. Operating computers may seem very simple – you just sit at the keyboard -- but sometimes those systems being operated are across the room, downstairs in the basement, or maybe even across town, so sitting at the keyboard is not physically possible. Maintaining systems is a never-ending, ongoing, task that quite often requires working on multiple systems simultaneously. Supporting systems is even more complex, not just because of the physical location of the systems, but also because, quite often, other computer users are involved in the equation.


One of the things that can help significantly simplify this process of installing, operating, maintaining, and supporting computer systems is a consolidated toolset with a consistent user interface. It also improves productivity by reducing the amount of time a system administrator spends performing "context switches" from one application to another.


DameWare Remote Support provides a comprehensive suite of IT support software that allows a system administrator to manage files, services and logs on a system, to reboot the system, or logon remotely and take full control of a system, or perform remote desktop sharing with a logged-on user to assist them in resolving an issue. It also provides tools for active directory management, including a group policy editor. Being able to perform all of these tasks from a single, streamlined interface, designed for the special needs of a system administrator can significantly increase the efficiency of performing the daily tasks of the job. A fully-functional 14-day evaluation copy of DameWare Remote Support is available for you right now.




Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.