Thursday, 30 June 2011

How to upgrade Polycom CX700 1.0.452.0 using the OCS 2007 R2 Device Update Service

Let me start by saying that, although the title of this post refers to the Polycom CX700 (because this was the device I used), the procedures described here will probably work with other devices (e.g. LG-Nortel or Microsoft).

If you read my previous post Troubleshooting OCS 2007 R2 Device Update Service for Communicator Phone Edition, you probably noticed the comments about upgrading Office Communicator Phone Edition (OCPE) version 1.0.452.0.

When I wrote that post, I hadn’t tested anything lower than 1.0.522.34, so, to tell you the truth, I was not sure it was possible to upgrade these early (Beta) versions. Until today!

When I had the chance to put my hands on one of these early babies (thanks Paulo Silva), I didn’t think twice.

The upgrade process

As soon as I plugged the device into my test environment and tried to sign in, I got the following error:

Cannot sign in to Communications Service. Current version
does not work with the available server. Contact your
system administrator.

I immediately understood what the problem was: the Client Version Filter. Lowering the allowed OCPhone version to 1.0.199 did the trick.

After a quick reboot and still no signs of a successful upgrade, I noticed that I was getting an Update Status (0x0/404) on the phone. The IIS log confirmed the HTTP error 404 – File Not Found. The device was requesting the file /UCDeviceUpdates/ucdevice.upx, which cannot be found because the virtual dir /UCDeviceUpdates doesn’t exist.

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-04-15 17:47:37 POST /UCDeviceUpdates/ucdevice.upx - 80 - Microsoft+UCPhone+Device 404 0 2 0

I’m not sure why the device requests that specific URL. In the tests I made with an even lower version, 1.0.199, the requested URL was /RequestHandler/ucdevice.upx, which is the correct one. Further investigation is needed to determine the cause of this issue.

To try to overcome the situation, I decided to create the /UCDeviceUpdates virtual dir, replicating all the settings of the /RequestHandler folder. Here’s how to do it on IIS 7.0 (it would probably be easier with IIS 6.0, since there is an option to redirect a virtual dir):

  1. Open Internet Information Services (IIS) Manager, right-click the web site and select Add Application. Name it UCDeviceUpdates, select the LSGroupExpAppPool, and point it to the same Physical path as /RequestHandler.
  2. Select the newly created application (/UCDeviceUpdates), on the Features View select Authentication and then disable Windows Authentication.
    If we stop now (as I first did), we would get the HTTP Error 405.0 - Method not allowed.

    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2009-04-15 18:07:35 POST /UCDeviceUpdates/ucdevice.upx - 80 - Microsoft+UCPhone+Device 405 0 64 31
  3. The Handler Mappings for /UCDeviceUpdates must be changed so that they match /RequestHandler, particularly the *.upx Script Map.

With these changes in place, the upgrade process went as expected: the device gets in-band provisioning about the update URL, downloads and installs the interim version (1.0.522.103), reboots, downloads and installs the approved version (3.5.6907.9), does a final reset and it’s ready to use with Office Communications Server 2007 R2.

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-04-15 18:36:09 POST /UCDeviceUpdates/ucdevice.upx - 80 - Microsoft+UCPhone+Device 200 0 0 6531
2009-04-15 18:38:28 GET /DeviceUpdateFiles_Int/OCInterim/ENU/CPE.nbt - 80 - Microsoft+UCPhone+Device 200 0 0 139006
2009-04-15 18:38:28 GET /DeviceUpdateFiles_Int/OCInterim/ENU/ - 80 - Microsoft+UCPhone+Device 200 0 0 15
2009-04-15 18:46:05 POST /requestHandler/ucdevice.upx - 80 - Microsoft+UCPhone+Device 200 0 0 2093
2009-04-15 18:49:09 GET /DeviceUpdateFiles_Int/UCPhone/Polycom/CX700/A/ENU/3.5.6907.9/CPE/CPE.nbt - 80 - Microsoft+UCPhone+Device 200 0 0 183461
2009-04-15 18:49:09 GET /DeviceUpdateFiles_Int/UCPhone/Polycom/CX700/A/ENU/3.5.6907.9/CPE/ - 80 - Microsoft+UCPhone+Device 200 0 0 15
2009-04-15 18:50:29 POST /requestHandler/ucdevice.upx - 80 - Microsoft+UCPhone+Device 200 0 0 140
2009-04-15 18:51:51 POST /RequestHandler/ucdevice.upx - 443 - Microsoft+UCPhone+Device 200 0 0 187
2009-04-15 18:56:47 GET /Abs/Int/Handler/F-0bd2.dabs - 443 - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+CE) 401 2 5 0
2009-04-15 18:56:47 GET /Abs/Int/Handler/F-0bd2.dabs - 443 DEMO\OCPhone Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+CE) 200 0 0 125
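The log reading done by hand above can be automated. The following is an added example, not part of the original post: it parses an IIS W3C log by its #Fields directive and summarises, per virtual directory, the status codes returned to devices requesting ucdevice.upx. The sample log is constructed (documentation IP addresses, one deliberately malformed line), and the function names are illustrative.

```python
from collections import Counter, defaultdict

DEVICE_AGENT = "Microsoft+UCPhone+Device"  # User-Agent seen in the post's log excerpts
HANDLER = "ucdevice.upx"                   # update handler file the devices POST to

# Constructed sample in IIS W3C extended format. IP addresses are documentation
# addresses; the last line is deliberately malformed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-04-15 17:47:37 192.0.2.10 POST /UCDeviceUpdates/ucdevice.upx - 80 - 192.0.2.50 Microsoft+UCPhone+Device 404 0 2 0
2009-04-15 18:07:35 192.0.2.10 POST /UCDeviceUpdates/ucdevice.upx - 80 - 192.0.2.50 Microsoft+UCPhone+Device 405 0 64 31
2009-04-15 18:36:09 192.0.2.10 POST /UCDeviceUpdates/ucdevice.upx - 80 - 192.0.2.50 Microsoft+UCPhone+Device 200 0 0 6531
2009-04-15 18:46:05 192.0.2.10 POST /requestHandler/ucdevice.upx - 80 - 192.0.2.50 Microsoft+UCPhone+Device 200 0 0 2093
2009-04-15 18:51:51 192.0.2.10 POST /RequestHandler/ucdevice.upx - 443 - 192.0.2.50 Microsoft+UCPhone+Device 200 0 0 187
2009-04-15 18:56:47 192.0.2.10 GET /Abs/Int/Handler/F-0bd2.dabs - 443 - 192.0.2.50 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+CE) 401 2 5 0
malformed line without enough columns
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS may rewrite the directive mid-file (e.g. after a restart).
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or scrubbed line: skip instead of misaligning columns
        yield dict(zip(fields, values))


def update_requests(text, agent=DEVICE_AGENT, handler=HANDLER):
    """Count status codes of device update-handler requests per virtual directory.

    IIS paths are case-insensitive, so /requestHandler and /RequestHandler
    are folded into one key.
    """
    summary = defaultdict(Counter)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        status = rec.get("sc-status", "")
        if rec.get("cs(User-Agent)") != agent or not status.isdigit():
            continue
        if not stem.endswith("/" + handler):
            continue
        vdir = stem.rsplit("/", 1)[0] or "/"
        summary[vdir][int(status)] += 1
    return {vdir: dict(counts) for vdir, counts in summary.items()}


def failures(summary):
    """Return (virtual_dir, status, count) for every 4xx/5xx answer, sorted."""
    return sorted((vdir, status, n)
                  for vdir, statuses in summary.items()
                  for status, n in statuses.items() if status >= 400)


if __name__ == "__main__":
    result = update_requests(SAMPLE_LOG)
    for vdir, statuses in sorted(result.items()):
        print(vdir, statuses)
    for vdir, status, n in failures(result):
        print(f"FAILED {vdir} HTTP {status} x{n}")
```

A virtual directory that appears only in the failures list points to devices requesting an update URL the server does not serve, which is the situation described in this post.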

A final note: I didn’t use the Test Devices option; instead, I approved the update (this means that all qualified devices would get the update without first testing it).


So far, the OCS 2007 R2 Device Update Service has proved capable of successfully upgrading OCPE version 1.0.452.0 and later. The early beta versions can sometimes be tricky and require some tweaks, like creating a new virtual dir (as explained in this post).

I’ve read some posts regarding the 1.0.452.0 version stating that WINS is required. In the tests I made, I didn’t use WINS, only DNS (I had the UCUPDATES and UCUPDATES-R2 defined as A records and pointing to the OCS pool IP address).

Backup Exec 2010 v3

Backup Exec 2010 v3 was released at the beginning of May. Reason enough to try it out.

Recommendations for the upgrade are published here:

Afterwards, install the available updates with Live Update.

And this is what the console looks like

Tuesday, 28 June 2011

TMG PPTP, L2TP/IPsec and SSTP Remote Access VPN Server

Welcome back to our Test Lab Guide series. Last time, we configured the TMG Core Lab. Now we can start having fun with it and you can find out how you can use the Test Lab Guides to learn about TMG firewall features and functionality. In part 1 of this latest Test Lab Guide article, you will learn how to configure the TMG firewall as a remote access VPN server that supports PPTP, L2TP/IPsec and SSTP.

The first step is to restore your TMG Core Lab snapshot. If you haven’t completed the TMG Core Lab yet, then check it out here.

Once you’ve restored the snapshot, log into TMG1 as CORP\User1. Then open the TMG firewall console. In the TMG firewall console, click the Remote Access Policy (VPN) node in the left pane of the firewall console as shown in Figure 1.

Figure 1

In the Tasks Tab in the Task Pane, click the Enable VPN Client Access link, as seen in Figure 2 below.

Figure 2

Next you’ll see an error message with an ominous red “X” as shown in Figure 3. Ouch! What happened? Apparently you have to define how you want to assign IP addressing information to the VPN clients before you can enable the VPN configuration. Actually, if you know how the ISA VPN server worked, this wouldn’t be unexpected – we saw the same thing with the ISA firewall. Tom and I always considered this a bug, but some folks consider it a feature. It’s all in the eye of the beholder.

Figure 3

It’s hard to say who’s at fault here. Did I do something wrong, or was this coded badly? If you look in the middle pane of the TMG firewall console, you’ll see that Step 1 is to Configure Address Assignment Method and Enable VPN Client Access. Okay, maybe it’s because I went rogue and headed to the Tasks Tab first, instead of reading the instructions in the middle pane. I’m feeling properly chastised and ready to toe the line now, at least for a little while.

Click the Configure Address Assignment Method link in the middle pane of the TMG firewall console, as seen in Figure 4 below.

Figure 4

This opens the Remote Access Policy (VPN) Properties dialog box and lands you on the Address Assignment tab. Here you have two options:

  • Static address pool. If you select this option, you can configure a static address pool for IP addresses you want to be assigned to the VPN clients. You can assign on-subnet or off-subnet addresses. If you assign on-subnet addresses, they will likely be part of the current definition of the default Internal Network. If that’s the case, you will need to remove the on-subnet addresses you want to be in your static address pool from the list of the addresses included in the default Internal Network. If you use off-subnet addresses, then make sure your routing infrastructure knows the path to the off-subnet ID hosted on the TMG firewall VPN server.
  • Dynamic Host Configuration Protocol. If you select this option, a DHCP server on the Internal Network that is accessible from the TMG firewall’s internal interface can be used to assign IP addresses to the VPN clients. If you use on-subnet addresses, you do not need to remove them from the default Internal Network or any other TMG Firewall Network definition, because the firewall will do this automatically and dynamically add the addresses to the VPN Clients Network.

In the bottom section of the dialog box, which is shown in Figure 5, notice the drop down box under Use the following network to obtain DHCP, DNS and WINS services. The DHCP and WINS server configured on the NIC you select here will be used to assign similar DNS and WINS server addresses to the VPN clients.

For the purposes of this Test Lab Guide, select the Dynamic Host Configuration Protocol (DHCP) option. From the Use the following network to obtain DHCP, DNS and WINS services drop down box, make sure you select Internal. Click Apply and then click OK.

Figure 5

In the middle pane of the TMG firewall console, click the Enable VPN Client Access link, as seen in Figure 6 below.

Figure 6

After you click the Enable VPN Client Access link in the middle pane of the TMG firewall console, note in the Tasks Tab of the Task Pane that the option changes to Disable VPN Client Access, as seen in Figure 7 below.

Figure 7

In the Tasks Tab in the Task Pane, click the Configure VPN Client Access link. This brings up the VPN Clients Properties dialog box. On the General tab, confirm that there is a checkmark in the Enable VPN client access checkbox and then change the value in the Maximum number of VPN clients allowed text box to 10, as seen in Figure 8 below.

Figure 8

Click the Groups tab. Note that user accounts that belong to the domains you select here should have VPN access, as configured in the accounts’ dial-in options, set to Control access through remote access policy. If that option isn’t available (for example, with Windows 2000 functional level domains), then select the Allow Access option in the dial-in properties of the account. We’ll see those account settings in the Active Directory Users and Computers console shortly.

For this Test Lab Guide, click the Add button. This brings up the Select Groups dialog box. In the Select Groups dialog box, click the Locations button and select In the Enter the object names to select (examples) text box, enter Domain Users. Click Check Names and confirm that Domain Users gets underlined. Click OK in the Select Groups dialog box, which you can see in Figure 9.

Figure 9

You should now see Domain Users in the Select the domain groups for which remote access is allowed list that’s shown in Figure 10.

Figure 10

Move to DC1 and log on as CORP\Administrator. Open the Active Directory Users and Computers console from the Administrative Tools menu in the Start menu. In the left pane of the console, click the Users node. In the right pane of the console, double click User1. In the User1 dialog box, click the Dial-in tab that’s shown in Figure 11. Notice that the default setting is Control access through the NPS Network Policy in the Test Lab. This confirms that the settings we configured on the Groups tab seen in the figure above will work as expected.

Figure 11

Click on the Protocols tab. Here you select the protocols you want the TMG VPN server to support. Put a checkmark in the Enable PPTP, Enable L2TP/IPsec and Enable SSTP checkboxes, as seen in Figure 12 below. Click on the Select Listener button that sits to the right of the Enable SSTP option so that we can configure a Web listener to support incoming SSTP connections.

Figure 12

This brings up the Choose Web Listener for SSTP dialog box that’s shown in Figure 13. There are no Web Listeners available yet for SSTP, so we need to create one. Click the New button.

Figure 13

This in turn brings up the Welcome to the New Web Listener Wizard page, which you can see in Figure 14. Enter SSTP Listener in the Web listener name text box and click Next.

Figure 14

On the Web Listener IP Addresses page, shown in Figure 15, select External by putting a checkmark in the checkbox next to it. This means that the VPN server will accept incoming VPN client connections using SSTP on the External Network interface. Notice that you have the option to enable incoming SSTP connections on other interfaces. This is especially useful if you want to create multiple DMZ networks. For example, you might create a guest network, but then want to VPN into the internal network from the Guest Network (that’s only one scenario, but there are many different scenarios in which you might want to allow VPN client connections to interfaces other than the default External Interface).

After putting a checkmark in the External checkbox, click the Select IP Addresses button. This will bring up the External Network Listener IP Selection dialog box. Select the Specified IP addresses on the Forefront TMG firewall in the selected network option. We need to do this because the SSTP listener can only listen on a single IP address. That’s because we bind the SSL certificate to that address and map this address to the name on the certificate in the public DNS (we’ll do this later in this Test Lab Guide).

In the Available IP Addresses section, click and then click the Add button. This moves the IP address to the Selected IP Addresses list, as seen in Figure 15 below. Click OK in the External Network Listener IP Selection dialog box.

Figure 15

Confirm that appears next to External in the Web Listener IP Addresses page that’s shown in Figure 16, and then click Next.

Figure 16

On the Listener SSL Certificates page, select the Use a single certificate for this Web Listener, as seen in Figure 17 below, and then click the Select Certificate button.

Figure 17

In the Select Certificate dialog box, notice that we already have a certificate with the common, which was assigned to this computer when it joined the domain during the Base Configuration Test Lab. We can use this computer certificate, since the certificate contains the intended purpose of “server authentication”. In a production environment, you will probably want to request another certificate to use exclusively for the SSTP connection. Just make sure that the certificate includes the OID for “server authentication” and you’ll be able to use it for your SSTP certificate.

For this Test Lab Guide, select from the list on top and then click the Select button shown at the bottom of the dialog box in Figure 18.

Figure 18

On the Listener SSL Certificates page that you see in Figure 19, notice that EDGE1.corp.contoso.com now appears. Click Next.

Figure 19

Review the settings on the Completing the New Web Listener Wizard page shown in Figure 20, and if they are all as you wish, click Finish.

Figure 20

In the Choose Web Listener for SSTP dialog box, shown in Figure 21, you can see the settings for the SSTP Listener you created. This will be used to accept incoming SSTP VPN client connections. Click OK.

Figure 21

Now click the User Mapping tab that’s shown in Figure 22. Be aware that you would use this tab and the settings here if you were using RADIUS or EAP authentication. We’re not going to use either of those in this Test Lab Guide because we’re taking advantage of native Windows authentication. Do not make any changes on this tab.

Figure 22

Click on the Quarantine tab that you see in Figure 23. Here you can configure settings that will enable VPN quarantine. We will not enable VPN quarantine in this Test Lab Guide, but we will do this in the future and when we do, we’ll base it on the Test Lab Guide. Do not make any changes on this tab.

Figure 23

Click Apply and then click OK. Notice that you receive a warning that you might need to restart some of the services, as shown in Figure 24. An alert will be triggered for each computer in the array where the services need to be restarted. In this Test Lab Guide, there is no reason for us to manually restart any services so we’ll just click OK to dismiss this dialog box.

Figure 24


In this, part 1 of the TMG VPN server Test Lab Guide, we went through some of the configuration steps that are required to get the TMG VPN server working. Note that the configuration is not done yet! There will be two more parts to this Test Lab Guide, so don’t get started yet on putting together your TMG Test Lab. In the next part of this series on the TMG VPN server Test Lab Guide, we’ll continue configuring the VPN server and then we’ll configure INET to host the domain so that CLIENT1 can reach the SSTP and L2TP/IPsec listeners. See you then! –Deb .

Slipstream Office 2010 setup with SP1

When you slipstream Service Pack 1 with your Office 2010 installation media, Office 2010 will be directly installed at Service Pack 1 level, saving you the trouble of applying it afterwards. All you need is Office 2010 Service Pack 1 and the installation file or DVD of Office 2010.

Optionally, you can also modify the installation to already accept the EULA, fill out your Product Key and customize some additional settings.

Folder structure

This guide assumes the following folder structure but you can of course differ from that;

  • C:\Office2010\
  • C:\Office2010\DVD\
  • C:\Office2010\SP1\
  • C:\Office2010\SP1\extract\

Slipstreaming process

  1. Download the administrative version of Office 2010 SP1 for your language and save it to;

  2. Extract the downloaded Service Pack 1 file to the C:\Office2010\SP1\extract folder via the following Run command (the command below assumes the English 32-bit version of SP1);
    "C:\Office2010\SP1\officesuite2010sp1-kb2460049-x86-fullfile-en-us.exe" /extract:"C:\Office2010\SP1\extract"

    • Note: The command above is a single line.
    • You can open the Run command via Start-> Run or by pressing Windows Logo Key+R on your keyboard.

  3. When you get a User Account Control (UAC) prompt, press continue or provide administrator credentials.

  4. Accept the EULA of the Service Pack.

  5. Insert your Office 2010 DVD and copy its contents to;

    • If you only have a single installation file (*.exe) open the Run command and type;
      "" /extract:"C:\Office2010\DVD"

  6. Copy all the files from the C:\Office2010\SP1\extract\ to the Updates folder in;

  7. When the copy is finished, you can write the contents of the C:\Office2010\DVD\ folder to a DVD and you’ll have an Office 2010 SP1 slipstreamed DVD!

You can follow these instructions as well to include updates and other hotfixes.

Accept EULA, set Product Key and additional options

Aside from including the Service Pack, you might want to make some changes to the installation process. For instance, to never prompt you for the EULA anymore or to already have the Product Key filled out for you.

Office Customization Tool (OCT)
If you have the Enterprise version of Office 2010, then you can set these additional installation options and settings by using the Office Customization Tool (OCT). To start this tool start setup.exe from the Office 2010 DVD (or extracted installation files) with the /admin switch. The OCT not only allows you to customize the installation experience but also allows you configure Office settings itself. This will allow you for instance to deploy Office with a preconfigured Outlook mail profile.

If you don’t have an Enterprise version, or as an alternative, you could customize the config.xml file that Office uses for its installation. You can find this file in the productname.WW folder. For instance, the WW folder for the Retail version of the Professional Plus editions of Office 2010 is called; ProPlusr.WW

You can set the variables between the productname"> and the tags.

Documentation about modifying the config.xml file of the Office installation can be found here; Config.xml file in Office 2010


The example below will modify the installation for the Retail version of the Professional Plus edition of Office 2010 to;

  • Accept the EULA.
  • Fill out the installation key.
  • Set the name of the person responsible for the license.
  • Set the name of the company responsible for the license.

Note that the Product Key does not require the dashes (-) to separate the 5 key sections.

Monday, 27 June 2011

GPO - Group Policy



Further and current CSE updates via WSUS – available as optional updates




F5 – F8 key

How do I get the IE9 settings into Group Policy Preferences?

Microsoft is not sure yet…

!! This procedure is not supported by Microsoft !!

· Create your template with Internet Explorer 8

· Drag and drop the file onto the desktop and use a text editor to make the change.

· Version to

· Change the name, for example from Internet Explorer 8 to Internet Explorer 9

· Save and drag and drop it into the GPP console

I recommend opening the modified GPP in the UI to check the settings once more.

Starter GPO


Central Store

To take advantage of .ADMX files, you must create a central store in the SYSVOL folder on a domain controller. The central store is a file location that is checked by the Group Policy tools. The Group Policy tools use all .ADMX files in the central store. The files in the central store are later replicated to all domain controllers in the domain.

To create a central store for .ADMX and .ADML files, create a folder named PolicyDefinitions in the following location:

\\FQDN\SYSVOL\FQDN\policies

GPOs Online

“Fast Boot”

GPO: \\Computer\Policy\System\Logon\Always wait for the network at computer startup and logon
Details can be found on Microsoft TechNet. Link:

Network Location Awareness

With VPN, the GPOs are applied after a successful logon.
Details can be found on Microsoft TechNet. Link:


WMI Code Creator - Microsoft download link:

WMI filtering using the Group Policy Management Console



Import-Module GroupPolicy

Get-Command *-GP*


Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem"

Measure-Command { Get-WmiObject -Query "SELECT * FROM Win32_OperatingSystem" }

Get-WmiObject -Query "SELECT * FROM Win32_ComputerSystem"

Measure-Command { Get-WmiObject -Query "SELECT * FROM Win32_ComputerSystem" }



Windows Server 2003 DC with GPMC installed: \\c$\Program Files\GPMC\Scripts\BackupAllGPOs.wsf

Further scripts can be found on any Windows Server 2003 (\\c$\Program Files\GPMC\Scripts\) with GPMC installed, or here: Download (



· Gpresult /Z

· Gplogview Link:

· Err.exe Link:
If you do not find a matching system such as “gpcore”, use “winerror.h”

GPO Debug


\\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

REG_DWORD UserEnvDebugLevel

0x0 OFF

0x10002 Full debug to file (userenv.log and userenv.bak)

0x30002 Full debug to file and debugger, e.g. DebugView from Sysinternals. Link:

!! As of Windows Vista, the “UserMode” folder under C:\Windows\Debug\ must be created manually. !!

Various ADM Files

Internet Explorer 9

Google Chrome

Does anyone know if Chrome has any Group Policy Templates (ADM)?
Ideally I would like to centrally manage the settings for Chrome via Group Policy much like I can for IE and to a lesser extent Mozilla.

Here you can download the GPO files:

Chrome MSI download:




Open items

· Adobe ADM Files
