I deployed SCCM 2012 RTM to our environment last week, after having run the RC successfully for a while. Since then, there have been a number of dropped RDP sessions to our servers. They occur at random intervals, and there are no errors reported in the event logs.

On further investigation, I discovered that the disconnects were occurring at the instant the Forefront Endpoint Protection client updated the Default Antimalware Policy. I’ve turned off the ‘Behavior Monitoring’ and ‘Protection Against Network-Based Exploits’, under the ‘Realtime Protection’ tab. Things appear to be stabilizing.

I suspect that it is the protection against network-based exploits feature (which uses the Network Inspection System) that is causing this. It’s caused me grief in the past with Forefront TMG, and doesn’t appear to be that much better in SCEP.

Apple

With the introduction of iOS, Apple unveiled a brand new UI model. Many pundits have theorized over the last few years about Apple unifying the two platforms, similarly to how Microsoft has attempted to sell ‘Windows everywhere’.

While I’ve always admired Apple for their tightly integrated user experiences inside OS X, and the tightly integrated user experience inside iOS, the two platforms seemed very distinct and separate over the last few years. By rights, they are two very different platforms, with very different interaction models.

Apple made its first real attempt to unify the available services across the platforms with MobileMe, a less than stellar ‘cloud’ service intended to unify communications content across the platform, as provide hosted media sharing services. The service failed miserably, and Apple moved on.

Over the last year or so, with the introduction of iOS 5 and OS X Lion, Apple has positioned iCloud as a unified content service, bundled with any new Mac or iOS device. Developers can plug their OS X apps and iOS apps in, and expect the same content to be accessible (streamed or synced locally) on any device the user is signed into. There is also limited cloud front-end for some of Apple’s own apps, but I suspect that in a year or two we may see the iCloud front end open up to developers, and enable users to sign into a web portal to access their content.

In addition to unifying the accessible content across their platforms, Apple has also been unifying design elements across their platforms. The latest versions of OS X Lion and OS X Mountain Lion borrow design elements heavily from iOS. However, while certain design elements are heavily borrowed, OS X remains  oriented toward keyboard/trackpad usage, and iOS remains heavily oriented toward direct touch interaction. They look visually similar, enough to put a new user coming from the other platform at ease, while still maintaining their respective, functional interaction optimizations. Add the user’s content being automatically available via iCloud, and a new user will feel right at home.

Microsoft

Microsoft has lagged behind in the mobile market over the last few years, having gone back to the drawing board after the success of iOS. With the introduction of Windows Phone 7 however, Microsoft unveiled an innovative new design language now called ‘Metro’, optimized for touch interaction.

Windows Phone 7, while not a mass-market share success, was well received and praised by critics for the UI. While very different from iOS, it was unique, very fluid, and felt very natural very quickly. Unfortunately however, it entered the smartphone market very late in the game, and was forced to compete with iOS and the various Android copies/competition.

This past year however, Microsoft began to implement the Metro design language across its platforms. The Xbox 360 saw the Kinect add-on and a firmware update, which changed the console UI to a virtual-touch UI model. Windows 8, client and server, were unveiled with dramatically changed UI’s. Gone is the old Start menu, replaced with a very in-your-face fullscreen Metro Start menu. Leaked screenshots of Office 15 also appear to signal a shift inside the office applications toward Metro. Microsoft has also been pushing developers very strongly to shift toward the Metro design language.

Microsoft has been positioning Windows with Metro UI as a single operating system and UI across their devices. Using Windows Live ID, users have their desktop settings synced from desktop to desktop, Xbox to Xbox, tablet to tablet, smartphone to smartphone, and so on. Content optionally can be synced via the Windows Live Skydrive, and is accessible through a web interface, while Office documents can be modified via Office Web Apps.

‘Windows everywhere’ means that a user will see the same UI across desktop and mobile, and have the same settings for their type of platform (gaming, mobile/desktop, smartphone), no matter where they sign in. This provides a consistent user interface across the Microsoft ecosystem. The issue with this approach however, is that the design of Metro UI is not really suited toward keyboard/mouse, but toward direct touch interaction. In addition, users used to the interaction model from the last 10 years of Windows OS, are now being forced to transition to a UI model that is not even tailored for their mode of interaction.

Summary

In summary, each approach is very similar, yet subtly and fundamentally different. Apple has opted for having the user’s content accessible to them everywhere, while interacting with that content through different, albeit similar, design interfaces on different device types. Microsoft on the other hand, has opted for the route of universally consistent UI interaction, and consistent settings within the individual device types, while optionally making content accessible across devices.

‘Open’ does not mean what you think it means

• Google gives early, priority access to select partners. ¹ This is hardly ‘open’ nature.
• Google buys partners. This not only is merely to get access to patents to use as defense in litigation, it also is hardly fair to other device manufacturers.
• Google takes an average of 100 days to open source Android code. ² The point of the ‘open’ principle is to allow everyone to contribute to the same set of code.
• Android is encumbered by patent lawsuits. More than half of Android OEMs have signed patent license agreements with Microsoft ³, and Samsung has well-publicized patent lawsuits from Apple. Google steals hard work and ideas from other companies, makes it ‘open’ (not free), and considers themselves justified. If you don’t like the patent rules, work to change the system, don’t abuse it. Play by the rules while working to change them.
• Slavish copying of the iPhone by Android manufacturers. See here ⁴ and here. ⁵
• Carriers block versions of Android if they choose ⁶. This is one of the flaws (features depending how you look at it) of the Android model. Every carrier can customize and distribute Android as they see fit. Unfortunately, this also means that they can choose to not distribute entire versions of their customers if they so choose.
• The idealisms of ‘open’ and ‘free’ are not enough to win. Linux zealots have been claiming for as long as I can remember that ‘this is the year of Linux’, that Open Source will triumph. Yet, the desktop market share of Linux has never gone much above 1% market share ⁷. Idealism is not enough. Just like communism, Open Source promises much in its ideology, but there are many practical matters in life that hinder reaching ideal. Only the billions of dollars thrown at Android by Google have given it any headway whatsoever.
• Developers live by the profit generated from their code. They will go where the money is. iOS generates 4 times as much return for developers as Android ⁸, so this leads to more investment in the platform, and better apps for the platform.

‘Open’ does not mean safer

• Android has seen a rise of malware (37% increase last quarter, 1000 detected infections, doubled over the past year). ⁹ Almost all new mobile malware targets Android. Just because software might be ‘open’, does not mean that exploits are patched and gone.
• CarrierIQ. Precisely because the Android distribution model allows carriers to install their own customizations/bloatware on devices before distributing, nefarious apps like CarrierIQ can be installed and customized to scrape all your data, including text messages and email. So the average customer gets a device that they believe is safer because it’s ‘open’, but the carrier may have already exploited that ‘open’ nature and implemented spyware.
• Viruses are prevalent on Android. Because apps are not vetted, it is free range for coders/hackers to distribute malicious apps. There was a 400% increase in malware Year Over Year in May 2011, and in 2H 2011, another 472% increase.¹⁰
• I’ve heard arguments that Android has permissions that can be set on a per-app basis, and that this makes the device secure. This model of security however, has been broken, using the very model designed to protect it.¹¹ It does not make your device secure.
• Another excuse I hear frequently is that the user should make sure that they are installing legitimate apps. No, just no. Respecting a user means taking all that background gunk out of the picture and giving them peace of mind. They should not have to worry about whether the app is safe or not… that is up to the distributor. Users in general are not inclined toward technology, and just want something that works. You don’t ask to see your bus driver’s license every time you get on the bus because you trust the transit commission. Why should a user have to worry about whether the app they’re installing is safe if coming from a primary distributor?
• I also hear the excuse that a user may need to sacrifice security for choice. Again, no. Microsoft and Apple have managed to bring the best of both worlds in a closed model, so this is merely an excuse for selling Android’s ‘open’ness with its security flaws.
• I also hear that if users want security, they should only stick with ‘trustworthy’ sources. This violates the entire principle of ‘open’! A user should not have to go to ‘trustworthy’ sources at the expense of ‘open’, if you are selling to them on the principle of ‘open’!
• A misconception I often hear is that viruses infect iOS and WP7, proven by the jailbreak toolkits. No. Exploits are not viruses, and viruses are not exploits. An exploit is a vulnerability, a virus is something malicious that takes advantage of the vulnerability. Android is the only major smartphone platform invaded by viruses, thanks to its ‘open’ model.
• Carriers distribute updates infrequently. Typically, after 6 months, carriers/OEMs of Android phones no longer distribute updates.¹² This means all those security vulnerabilities that have been discovered, are no longer patched. New security enhancements and features in new phones are not available on the old phones. This is because there is too much cost and no incentive to either the carrier or the OEM in the ‘open’ model to distribute updates to their users. Compare this to the iOS and WP7 platforms, where updates are mandatory on WP7, and updates are still being distributed for the latest OS to even 2.5 year old iPhone models.

‘Open’ does not mean better

• As we saw above, ‘open’ systems will always lag behind ‘closed’ systems in areas of design and UI/UX, thanks to the very nature of those developing ‘open’ systems.
• ‘Open’ systems will generally be significantly weaker in security, thanks to the principle of allowing anyone to distribute whatever they want. There is no real safeguard to prevent coders with malicious intent from distributing their wares to unsuspecting users.
• As MG Siegler points out¹³, comparing an iOS device to an Android device is a bit like comparing a Mercedes to a Honda. Those who appreciate design and experience will get much more out of the Mercedes, but have difficulty telling someone who only appreciates functionality why.
• Android has poor integration with enterprise services. No native IPsec VPN, and varying Exchange compatibility between OS versions. Thanks to the carriers who choose not to ensure updates to their devices, the support effort required to support Android on an enterprise deployment becomes astronomically larger in comparison to properly governed systems in a closed model.
• There is no official support desk for Android. This is a huge barrier for many enterprises. Sure, there are many forums with coders and hackers to come up with fixes, but how many of them have experience in an enterprise setting, and would be able to resolve issues involving infrastructure beyond the device itself?
• ‘First’ is irrelevant. Arguing that one OS or piece of UI was developed before a competitor is irrelevant when it comes to which is better. Stop sidetracking!
• In general, Android apps are not as polished as iOS or WP7 apps, thanks to reasons I outlined previously. Low-quality apps from more sources is not ‘better choice’ than high-quality apps from a single source.
• ‘More Choice’ does not necessarily attract a customer. Simple is often better, and when you look at the lineup of iOS phones (4 phones) vs the hundreds of phones from other vendors, a user will often pick from a simple, easy to understand lineup. A very interesting study on this here.¹⁴
• Feature phones do not equal smartphones. By stripping down Android as a base OS for cheap/free phones that provide basic phone service with a few extra features increases market share. However, this increased marketshare does not make Android a better smartphone OS, as it’s no longer a smartphone. It merely speaks to the flexibility that Android can function.
• Being able to install Flash because it’s ‘open’ does not make it better. Mobile Flash has proven to be a battery and performance killer on every platform. Installing a now-deprecated¹⁵ battery and performance killer does not make the platform better.
• ‘Open’ software does not mean able to change your battery. This is something that is at the discretion of the manufacturer. Some will choose to make it user-serviceable, others will not. The only thing that really matters in this scenario is the cost and downtime to fix it.
• ‘Open’ does not mean better quality of code. Firefox for example, is incredibly bloated on the Mac OS, and runs poorly. It also has hit the 32bit limitation for compiling.¹⁶ Open does not mean better code or coding practices.

extension-dll-exception

Cause

Figured out that the error is happening due to .Net Framework 4 being installed, and FIM attempting to use .Net 4 instead of .Net Framework 2. This is a new issue that occurred in the June 2011 CU for Sharepoint 2010, and unbeknownst to us, the June CU was re-released to fix it. We were still utilizing the original June CU.

Resolution

This issue can be fixed by either installing the latest version of June CU, or by following the steps below.

1. Open

   C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe.config

   for editing.
2. Locate the below section:
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
     <supportedRuntime version="v4.0.30319"></supportedRuntime>
     <supportedRuntime version="v2.0.50727"></supportedRuntime>
   </startup>

3. Delete or comment out the reference for the .NET v4 version. Like this:
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
     <!-- <supportedRuntime version="v4.0.30319"></supportedRuntime> -–>
     <supportedRuntime version="v2.0.50727"></supportedRuntime>
   </startup>

   or
   
   

   <startup useLegacyV2RuntimeActivationPolicy="true">
       <supportedRuntime version="v2.0.50727"></supportedRuntime> 
   </startup>

4. Restart the two FIM services in the services console.
5. Run the sync again.

SMS_MP_Control_Manager errors:

Navigate to %windir%\\System32\\inetsrv\\config\\schema, take ownership of webdav_schema.xml,  remove the readonly attributes, and edit them to these:

attribute name=”allowAnonymousPropfind” type=”bool” defaultValue=”true”
attribute name=”allowInfinitePropfindDepth” type=”bool” defaultValue=”true”
attribute name=”allowCustomProperties” type=”bool” defaultValue=”false”

If issues, still exist, and your authoring rules are correct, try removing WebDAV, rebooting, re-installing WebDAV.

Clients not talking to server:

• Is the client push installing? If not, check WMI is enabled on the client firewalls
• Are site boundaries defined?
• Is the install flag cleared?
• Is a sitecode defined in your AD schema? If so, are the clients picking it up? Sometimes your clients may appear to have a site code assigned (from the SCCM console), double-check on your client machines to be sure they are actually picking it up. If this has occurred, please see the following note.
• Are you using a GPO with the Configuration Manager ADM template to control the site code? If so, be aware that it works by applying a registry key (also considered a preference, so it’s stickied unless you explicitly define a removal policy for it). This registry key defaults to an x86 portion of the registry. The actual key for an x64 machine is located elsewhere, and needs to be defined in the following key:

‘HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\SMS\\Mobile Client\\AssignedSiteCode’

I recommend pushing this registry key out by GPP in one of your GPOs, and then initiating a re-install of the SCCM client on the machines affected.

WSUS MP issues:

1. Remove WSUS, delete the existing database.
2. Remove WSUS component from SCCM.
3. Reboot server. Re-add the WSUS role. You may have to manually download WSUS with SP2 from Microsoft Download Center if you are encountering errors re-adding the role. Do NOT configure the WSUS role when re-adding.
4. Re-install WSUS component in SCCM.

Forefront Endpoint Protection 2010 installation on SCCM failing:

When installing FEP2010 on SCCM, you may be hit with an error just before installation completion that ‘Setup was unable to create unknown machines. 0×80070003‘, and/or that sms_def.mof couldn’t be updated. This occurs because the FEP2010 setup is looking for the x86 Program Files directory for one of the last steps, and not using the default Program Files directory on an x64 machine.   To resolve the first error, do the following:

1. Manually create this folder structure:  Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box  (give folder same ACL’s as is on existing installed directory)
2. Run R2 setup again. When install completes, copy the two DDR’s from the C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box and place them it into the “C:\\Program Files\\Microsoft Configuration Manager\\inboxes\\auth\\ddm.box” (where SCCM is actually installed):
3. Once the DDR’s processed the R2 installation should succeed.

To resolve the error about sms_def.mof not updating, do the following:

1. Manually create C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv
2. Copy C:\\Program Files\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv\\sms_def.mof to the folder you just created
3. Re-run FEP2010 setup and then copy C:\\Program Files (x86)\\Microsoft Configuration Manager\\inboxes\\auth\\clifiles.src\\hinv\\sms_def.mof back to the original Program Files path.

On the existing SCVMM share, I noticed that it had the local Users and Administrators groups added to the NTFS permissions. After adding both these to the ACL on the share I was trying to add, SCVMM was able to add the share. I’m assuming this is related to how the SCVMM agent operates.

So, if you’re having issues adding a network share to an SCVMM library, check the local NTFS ACL, and try adding the local Users and Administrators group to the folder.

I could be wrong, but it looks like they’re enabling home WiFi streaming via Home Sharing in iOS 4.3 and iTunes. This is something I’m definitely excited about.

Watching some of the Engadget videos I must say the new device looks fast as hell. I didn’t think they could make iPad 1 look slow, but watching those videos I get the feeling that my iPad lacks some of the power and speed of the new ones, particularly in regards to real-time media editing in the Photo Booth application.

Speaking of movie editing, it looks like they’re really targeting home media production with this new device. Those new movie/audio apps, the HDMI out, and AirPlay turn iPad into a powerhouse for media generation.

I appreciate and agree with Steve’s comment near the end. “Our competitors are looking at this like it’s the next PC market. That is not the right approach to this. These are post-PC devices that need to be easier to use than a PC, more intuitive.” An important distinction in mentality I think. The PC market was for reasonably tech-savvy people, or people with reasonably tech-savvy relatives. The tablet/post-PC market is a new generation, one where anyone can pick one up and being computing. There’s no fear of technology, just something that stimulates curiosity.

Those are my thoughts for now. I won’t buy one now as the only benefit I get is the new form factor and Facetime communication. The speed is not something I need at this point since I don’t produce home movies or audio. However, while it’s not a jaw-dropping new product, it is definitely a quality upgrade to the product line.