My needs for a blog have out grown what a live space can do so I am moving my blog over to a hosted WordPress solution.

To find all my Group Policy related material over to the web site http://www.grouppolicy.biz

All my other IT related blog post can be found at http://www.smartergeek.info

So please update you RSS feeds to the new sites and thanks for visiting this site over the past 18months.

I have just setup a new web site called “Group Policy Center” that you can see at http://www.grouppolicy.biz this site is now where I am going to post all my tutorials and news articles. I have also migrated all my existing Group Policy articles on this site over this site so you don’t have to keep coming back to this web site.

However this site is not going away so please don’t delete it from your favourites as I still plan to use this site for all my non-group policy relates tech news and information…

If you are interested in Group Policy please add http://feeds.feedburner.com/GroupPolicyCenter to your RSS reader.

Well 2010 (pronounced “twenty ten”) has rolled around and now I can say that this year Project Natal will be coming out for the Xbox 360. WOOHOO!!

So with the impending release of Natal for the Xbox 360 this year I have been thinking about this device some what and here are some predictions I have about the device…

Natal will be for the Xbox 360 and for Windows. Project Natal is probably going to be a USB device (see cable from the device below) as this would be the most convenient way to provide power and data to the camera/microphone array. Now granted this might be a wireless device for the Xbox 360 like the standard controllers and that cable might be a power lead but if this is true you could still connect it to a PC via the USB Xbox 360 Wireless receiver.

So if you can connect the Natal to a PC this would be a way of providing 3D motion capture, facial recognition, voice recognition using the cameras and acoustic source localization and ambient noise suppression via its microphones. These sorts of capabilities would greatly help Microsoft implement NUI interface to Windows  like the Microsoft Office Labs 2019 Video that was released early last year…  See about 1 minute 30 seconds.

 

So imagine being able to sit down at your computer and have it recognise to who you are and log you on with you face and a voice print identification then use your hand to move around and organise the windows on your screen…. The future is here (soon)…

My other prediction for Project Natal is that it will enable new gaming titles such as Dance Hero which could be done via a full body motion capture dance. This is something that has been done before but it does away with the tacky floor pads (see image below) that were previously needed to make this work.

This weeks (and first for the year) Group Policy Setting of the Week is a Group Policy setting that configures Group Policy. The “Group Policy refresh interval for computers” can be found under Computer Configuration > Policies > Administrative Templates > System > Group Policy and is used to control how often the background computer refresh interval of a performed.

By default the refresh will happen every 90 minutes however it has a 30 minute random offset so it could potentially take between 1 to 2 hours for a policy refresh to occur. Keep in mind however that if configured the policy refresh to a shorter interval it will potentially not take affect to all your computers until the longest refresh interval of the last refresh interval setting. Normally this setting it set to a short interval before a major change to group policy setting is made to an SOE so that any rollback of the change can be implemented faster (example see How to use Group Policy Preferences to set change Passwords).

Now that Microsoft security initiates are paying off and Windows and Internet Explorer more secure that the rivals. It seems that hackers are changing their focus as McAfee labs have said “Adobe product exploitation will likely surpass that of Microsoft Office applications in 2010.”. What is even more disturbing is that these security issues are platform independent which makes any security vulnerability even more appealing as it will work on multiple platforms (Windows and OSX).

In response to all the security issues that have recently come out for Adobe products they announced that they will be releasing security patches second Tuesday of the first month of every quarter unless the patch is deemed to be critical enough to release an out of cycle update… GREAT!!! Why they don’t just say second Tuesday of every month like Microsoft does so that all these patches can be released together is beyond me but at least its a start.

Problem is there was for a long time no way to automatically update these products as WSUS and Windows Update support updates of Adobe products. This often results in companies in having to manually patch the software via sneaker net or worse not at all leaving some gaping security holes on their computers.

Thankfully Adobe with the latest release of Adobe Reader 9.2.0 now supports Automatic Installation of updates. To enable this option you need to select “Automatically install updates” option under the "Updater” categories under Preferences menu option.

For large scale enterprises this option is still not an practical option however for the mum and dad and SOHO’s this will at least mean they no longer need to manually check for updates every month to stay secure.

For more information on Adobe Reader Security Issues Details see:

• http://securitygarden.blogspot.com/2009/10/adobe-reader-and-acrobat-critical.html
• http://securitygarden.blogspot.com/2009/05/critical-update-adobe-reader-and.html

Today on Group Policy Setting of the Week we are going to be taking a look at “Exclude directories in roaming profile” which can be found in the deepest darkest regions of User Configuration > Policies > Administrative Templates > System > User Profiles. This setting is useful in organisations that have Roaming Profiles configured but want to make sure that the roaming profile size does not blow out thus slow doing the users logon and log off or the computer. This option can be used to exclude specific folders of poorly written application from the roaming profile if they write large amounts of data (e.g. caches) to incorrect locations.

A classic example of this was when Google Earth was first released it saved cache files to the users roaming profile folder which meant their profile size quickly swelled to over 1gb. User then quickly started to complain that it took a a long time to logon and logoff their computer (go figure). Enabling this option allowed the specific cached folders to be excluded from their roaming profile and therefore a much smaller roaming profile was copied to and from the server making their login’s and logoffs much quicker. The side affect of this is that the setting saved to the folders you exclude will no longer roam with the user when they logon a new computer.

Very handy if you want to keep roaming profiles to a small size which in turn will speed up the users logon and logoff processes.

This setting will work with Windows 2000 or greater and multiple paths can be appended with a ; as a delimiter between the entries.

Microsoft have now released a Bing iPhone app that allow you to use the Microsoft services from your iPhone. The app itself is actually a few apps in one with a launching pad to numerous Bing services:

• Standard Search (Voice or Text)
• Image Search
• Movies
• Maps (and directions)
• Business
• News

Home Screen

Home Screen

 

Navigation Controls

The navigation buttons are always present when you are navigating in the app. The home button is very useful for coming back to the launch screen and the simple navigation buttons are also nice. My only complaint was that the back button is next to the home button so it is really easy to press the wrong button.

I have to also wounder if this application is also a preview of the look and feel for applications running on Windows Mobile 7.

App Navigation Controls

Search

The search feature works as expected you tap in the search bar up the top and you start to type. You also start to see search results as you type.

Search as you type results

Search Results

Search (Voice)

Next the the search bar you see a microphone that can be used to perform a voice search via BING. Press the button and just start to say what you want to search then press done when you have finished talking.

Voice Search Listening

Voice Search Thinking

Now if you are not in the USA after a few seconds of thinking the app will crash and dumps you back to the home screen for now if you change you region setting of the iPhone to the United States it will work. When you do this voice searching will then work and searching for terms like "PIZZA" work really well. Microsoft have come out and said that they will be releasing a fix for this soon.

Images

As expected the image search allows you to search for images via BING. I tried searching for my name and was happy to find that a photo of me came up first… The image search results also faded in nicely as the phone loaded the images.

Image Search

Movies

I can only assume this is an USA only feature for now as when I select this option I immediately get a “We did not find any results for Movies” popup. Hopefully localised Australian information of the movie times will be coming soon.

Movies Search

Maps

This certainly looks a lot like the Silverlight map web application that Microsoft recently released on the http://bing.com web site. The maps have integrated the  seadragon deep zoom technology which makes the whole experience very smooth. The map has full multi pinch to zoom and GPS support. The settings for the map are very similar to those seen on the included Google map app in the iPhone. I do wonder what the “Shaded” view  is as this seems to be no different to the “Road” map view.

Map

BING maps settings screen compared to the inbuilt Google maps setting screen. Very similar.

Bing iPhone App Map Settings

iPhone Map Settings

Businesses

This option for searching for different types of business near your location but again it seems that there is no localised data for Australia for it to use yet.

Business Search - Restaurants

News

This option was another a disappointment as when you launch it you are immediately presented with the “We did not find any results for (null)” message box. Not sure if this is also an issue for just Australian users but the error message is less than graceful.

News Search

Directions

Again this seems to mirror very closely the inbuilt Google map app however you launch this separately from the “Directions” option from the home screen.

Another disappointment here as the search feature will only direct you to the suburb instead of the exact address that you typed into to the search. What I really don't like about this is that it does not warn you that it is not sending you to the exact address just to a random point in the middle of the suburb….

Directions

    

Bing Directions

iPhone native app Directions

Just like Microsoft releasing Photosynth for the iPhone and licensing active sync they continue to demonstrate that they are willing to compete by innovation and not by exclusion. This makes me wounder how long it will be until we see Microsoft Zune App for the iPhone.

Overall

This is a really nice looking app and it is great to have an alternative to the inbuilt iPhone/Google apps. Its buggieness can be forgiven as this is Microsoft first really shot at making a mainstream iPhone app and this only needs to have a updated version deployed to fix the voice record issues. However it is really dissapoininting that a lot of the feauters dont work in Australia and what Microsoft really needs to do is get the localised services for Australia up and running ASAP.

UPDATE: Looks like these issues are going to be fixed soon as Microsoft have come out and said they will be soon fixing the issues of the voice search crashing outside the USA and enable the ability perform searchs outside of the USA. 

If you want to try it out you can install the app right now from this iTunes Link for free.

At long last my Intel X-25 M 160gb Solid State Disk (SSD) drive arrived in the mail and I joyfully ripped open the packaging like a kid on Christmas morning to see what had arrived (like I didn’t already know). To my absolute delight it was a brand new box with what I hoped contained the saviour of my now aging (slow) Dell Dimension 9150 with a 2.8ghz Dual Core CPU which was in desperate need of an upgrade.

As you can see below the drive is 2.5” so it will fit into most laptops but it also comes with a 3.5” caddy for installing into desktop computer. While I did not take the smaller size into account when I bought the drive i realise this is a real bonus as I can easily use it in a laptop in the future if I ever decide to get something more portable to replace my current desktop at home.

I also decided to the get the 160gb model because it now has a faster write speed than the 80gb version with the release of the its latest firmware from Intel.

It also comes with a very important “my SSD Rocks!” sticker to show as a badge of honour (or to tell someone that your computer it worth stealing for the parts).

 

As I was un-boxing the drive I kept think to myself that “gee I hope this drive was worth it” and “I hope it will make a difference with my computer”. My initial worry was that the drive was not going to be able to run at 3gb/sec to take advantage of the full throughput of the drive. But I was relieved to see that the drive and motherboard were 3gb/sec capable and so it negotiated its link speed at full speed. nice… so I continued my tests…

Benchmarks

OS Load Time (12m:09sec)

So I found my USB stick of Windows 7 64bit, plugged it in an turned it on…

12min 9sec (see timer below) after I pressed the power button I was at a default desktop…. Nice…  This was good and I was starting to feel a little confident that the drive was going to make the system faster. Note that this also included all the time it took me to click the buttons using the OS install Wizard. I would estimate that this would have added at least an extra minute to this overall time.

 

Windows Experience Index (7.8)

The Windows Experience Index is a bench mark that was introduced with Windows Vista that allows people to assess the performance of the individual pieces of hardware in a computer. This benchmark helps people determine what part of their computer is slowest and can help guide people to what upgrade they perform next to get some more speed out of their system. In Windows 7 the rating numbers go from a minimum of 1 to a maximum value of 7.9 (which is up from 5.9 in Windows Vista).

As you can see the drive rated very well with a 7.8 although I was hoping for a 7.9 because I have to wounder what drive on the market could possibly be better that this drive (maybe 2x Intel X-25 M in a stripe).

 

OS Boot Time (20.1sec)

The other really important stat about the drive is how quick it takes to boot up and shutdown. Now Google claims that it can get 8 seconds boot from with it uses a SSD drive so I was really keen to see how fast it compares with Windows 7. Now the total overall boot time from power on to desktop was 32.8 seconds however this included the 12 seconds BIOS post tests. Now bear in mind that my system is almost 5 years old and BIOS start up time for computer now are a lot quicker.

If you take a look at the lap time (top right) the whole OS boot only took 20.1 seconds.

OS Shutdown Time (3sec)

Now this I have not measured exactly yet however this is now a near instantaneous from fully loaded desktop to powered off takes no longer that 3 seconds.

Windows Media Center (much better)

Now my desktop computer also acts as a server for Windows Media Center on my two Xbox 360 which was always bit sluggish to navigate through the menus which I put this down to the lag from the IR remote to the Xbox 360 via the Ethernet to the Computer back via the Ethernet to the Xbox and onto the screen. However even though my media files are stored on a 1tb 1.5gb/sec SATA WD Green plater based drive the over all navigation and load time has much improved.

Better with Windows 7

Its also one of the first SSD drives to offer native support for the Trim SATA command with Windows 7 which all but eliminates any performances degradation over time with SSD drives.

Windows 7 also recognises SSD based drives and disabled the defragmentation option as this offers no benefit due the drives low random seek speed and can even cause premature wear out of drives if performed to often.

Overall (5 Stars)

Needless to say I am very, very, very impressed with the performance of the drive and this upgrade has now turned me into an absolute speed demon. It definitely seems that drive I/O is now the most constraining factor with computer as ever relatively slow CPU’s on a modern Operating System such as Windows 7 seem to be more than capable.

I also find that doing multiple tasks at one is much smoother and seems to have almost no performance impact at all. This is obviously due to the less than 1ms random seek time of the drive and the native command queuing that allows the drive to handle a massive amount of simultaneously commands.

Another advantage of the drive is that is has no moving parts which should mean that the reliability of the drive is (hopefully) going to be more reliable with a predicted 1.2 million hours Mean Time Between Failures (MTBF) which is nearly double that of 750,000 hours MTBF that most other spinning platter based drives have.

This is a drive that I will probably using in my next 3 computers so I really see it as a long term investment even though it cost a little (ok a lot) extra. If you are looking for an upgrade to your system that will really give it a killer punch in performance then this is it even thought its a bit pricey still it is totally worth the cost.

But for I can truly say I no longer wait for my computer to load program anymore… 

Rating 5 out of 5 stars.

For a more in-depth review of the drive including some of it’s issues (which have been fixed via the latest firmware) see the following PC Perspective Articles:

• Intel X25-M 80GB Solid State Hard Drive Review
• Long-term performance analysis of Intel Mainstream SSDs
• Intel Responds to Fragmentation with New X25-M Firmware
• Intel X25-M G2 TRIM firmware is out, really, we mean it this time, honest!

Intel’s specification sheet on the drive can be found Here

Link tot he latest firmware that  the drive Here and instructions can be found Here

Link to an eBay store stocking the drive can be found Here

Disclosure cmp.ly/0/llruwy

   Asa Dotzler one of Firefox’s (Mozilla) co-founders has recently did a blog post that recommends that all Mozilla’s users should

“switch Firefox's search from Google to Bing”

due to the privacy issues with Google.

No…  Really, really!!!!

I have to admit that this is just about as believable as Bill Gates praising Apple Computers or Microsoft saving Apple from Bankruptcy. Asa makes some good points however on his Blog that Google and it certainly seems to be getting complacent with data private after the video of Eric Schmidt, Google's CEO said

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.”

I think the reason that Bing’s privacy policy is better than Google’s is that they have already been through the anti-trust ringer and don't want a repeat of history. Where as Google still thinks it can do know wrong and are willing to push the boundaries a little further.

I also have to wounder weather this means that Microsoft are also paying Mozilla just like “Google (and Yahoo and others) pay for search traffic”. This would be very interesting if this was the case as it would mean Microsoft would effective be paying IE’s biggest competitor. While this sound unlikely just remember that the Exchange team licences Active Sync to both the iPhone and Android even thought they compete against Windows Mobile so I think it is definitely possible. 

You can read Asa’s Blogs articles below:

• if you have nothing to hide...
• follow-up on schmidt
• privacy context and other concerns

Just paid another visit to Officeworks Milton and I noticed a few cool things that would great gift ideas for Christmas for someone who already has Windows 7 installed on their computer. These two devices very small boxes that you plug in power and ethernet cable into and a HDMI cable into your TV so you can play all your music, photos and videos from you Windows 7 computer. The reason that these two different brand devices can support playing information from a Windows 7 computer is because they both support DLNA (Digital Living Alliance) which is a standard used by a number of electronic manufactures to share media across a network. One of the nice feature of the Netgear Digital Entertainer is that you can also plug in a Wireless USB Adapter (EVAW111, Sold separately) that means you don’t need to run a network cable from your computer if you already have a wireless access point.

Western Digital WD TV Live Costs $196.00 (Officeworks Milton) for more information see WD TV Live HD Media Player (WDBAAN0000NBK) 

Netgear Digital Entertainer Live Costs $234.00 (Officeworks Milton) for more information see Netgear - Digital Entertainer Live

 

But If you are a gamer in any way then the Xbox 360 is also a DLNA compatible device and you can pick up and one at EB Games for only $299 (with a free game). This give gives you all the functionality of the above devices but also a full game console, DVD player, Windows Media Center Extender, Facebook and Twitter client as well.

Microsoft Xbox 360 Cost $299 (EB Games) for more information see Xbox.com | Console Overview 

Disclosure cmp.ly/0/llruwy

Looks like Microsoft has just enabled an ability to exactly alight you Photosynth with the location on maps. This feature allows you to change the scale and the orientation of you Photosynth so when you zoom in using Bing maps it is aligned correctly with that location… Looks very cool and I have not seen any word from Microsoft about this feature so I am not even sure if this  is supposed to be public yet.

Photos and video showing how it work below:

Chose your Photosynth and click Edit Synth

Click the Geotag Tab

Under Allignment Click the Start button

Rotate the layover point map with the <> and + – controls

Align the point map to the features on the map

Click Test

In the past couple of days a few new PC products have been appearing on the shelf just in time for Christmas. If you are wondering what to buy that computer geek in your life then below are a few gift ideas:

Bamboo Input Device

This is a really good way to touch enabled you desktop computer with out having to replace your monitor. I recently bought a Dell 21.5” Multi-touch monitor and while the screen it self is very nice having a touch interface on a traditional sit down desktop computer is just not very practical as you quicker get tired arms and you are forever pressing in the wrong sport because you can see where you are touching because your finger in are in the way. Well i reckon this is a much better (and cheaper way) to touchify your computer… The Bamboo Touch does supports Windows 7 but also support Vista and XP so this should please pretty much any Windows PC user. However to really take advantage of the touch input Windows 7 is recommended.

You can buy it now from Harvey Normal for $99.95

See Bamboo Touch for more information

 

Microsoft LifeCam Cinema

If you are like me and you now use Skype to call you family and friends when you are away for work then you will know how frustrating it is to only be able to see them via a really grainy image. Well Microsoft have now released the LifeCam Cinema (a.k.a. Microsoft HD Web Cam) that will transmit 720p 30fps video (depending on bandwidth). This has only just

Get it now from Harvey Norman for $169.95

See LifeCam Cinema for more information

Windows 7 Family Pack

Now if you have a geek that you want to buy something for it is very likely that they have more than one PC in their home so ll this is defiantly the deal for them. This limited time offer give you three licences of Windows 7 Home Premium for $247 total. Which works out to be $83 per copy or a massive 51% off the RRP of a single copy. Also this is a limited time offer so definitely buy it soon as they have just stopped selling it in the USA so i expect this offer will only last until January at the latest.

Get it now from OfficeWorks for $247.00

See Windows 7 Family Pack Limited Pilot now Available in Australia for more information.

Disclosure cmp.ly/0/llruwy

This weeks simple Group Policy Setting of the Week (GPSW) is called “Add Logoff to the Start Menu” which can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar. This option adds the “Log Off <username>” to the users start menu and is normally configured to be enabled on Terminal Servers where you don’t want them accidently shutdown the server.

 

Now hopefully your normal users don’t have admin access to your Terminal Servers however if you are a Server Administrator then you could have admin access and as such having the shutdown button on a desktop that looks a LOT like you local computer could be very dangerous. So this is one of the few group policy settings that should be configured to loopback that should be applied to the server administrator via a Loopback merge setting (we will talk about Loopback setting another day).

But how do I shutdown the server then I hear you ask? No prob you can either run the “shutdown.exe” command line (tshutdn.exe on Windows 2003) or by CTRL-ALT-END and then shutdown from the secure desktop.

As I previously mentioned in Part 1 “use Group Policy to save “How to use BitLocker to Go” recovery keys in Active Directory – Part 1” one of the cool new features in Windows 7 is the ability to encrypt removable storage devices to help prevent the loss of data within an organisation while storing a copy of the decryption key in Active Directory. Another way to encrypt the removable storage devices and still have the ability to recover a encrypted devices if the unlock key is lost is to use a Data Recovery Agent digital certificate.

Now before you begin you first need to have deployed you a PKI infrastructure in your organisation so that you can issue the data recovery certificate to your nominated recovery agents.

So lets get started…

How to configured Group Policy to use a Data Recovery Agent with “BitLocker to Go” drives

Issuing the EFS Data Recovery Agent

First you need to create/issue at least one account with the Data Recovery Agent certificate that will be used for when encrypting all the Bitlocker to Go drives.

Step 1. Click Start, and then type certmgr.msc to open the Certificates snap-in

Step 2. In the console tree, expand Personal, and then click Certificates.

Step 2. Right click on Certificates and click on All Tasks and then Request New Certificate…

Step 3. Click Next to the first page of the Certificate Enrollment wizard and then then click on Active Directory Enrollment Policy and click Next

Step 4. Tick the EFS Recovery Agent policy and then click Enroll

Step 5. Click Finish once your account has enrolled as the EFS Recovery Agent certificate.

You should now see the File Recovery Certificate in you Personal Certificate store.

Exporting the DRA Certificate

You now need to export the DRA certification information to be used in the BitLocker Drive Encryption group policy in a future step.  

Step 1. Double-click the BitLockerDRA certificate to display the certificate properties sheet.

Step 2. Click the Details tab

Step 3. Click Copy to File

Step 4. Click Next on the Welcome to the Certificate Export Wizard page

Step 5. Leave the No, do not export the private key selected and then click Next.

Step 6. On the Export File Format page, verify that DER encoded binary x.509 (.CER) is selected, and then click Next.

Step 7. On the File to Export page, click Browse to display the Save as dialog box. In File name, type BitLocker. In Save as type, verify that DER Encoded Binary X.509 (.cer) is selected, and then click Save to return to the File to Export page.

Step 8. The File name box on the wizard page should now display the path to the BitLocker.cer file in your document library. Click Next.

Step 9. On the Completing the Certificate Export Wizard page, verify that the information displayed is correct, and then click Finish.

Step 10. When the certificate has been exported, the Certificate Export Wizard dialog box will be displayed with the message The export was successful. Click Close to close the dialog and the wizard.

Configuring the Bitlocker Data Recovery Agent in Group Policy

In this section we are going to take the Data Recover Agent certificate we exported above and import it into the group policy to apply to computers that will have DRA certification for encrypting Bitlocker drives. The screenshots below are from a Windows Server 2008 R2 server with the group policy management console installed but if you are on a Windows 7 computer you will need to have install the Remote Server Admin Tools installed.

Step 1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

Step 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3. In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption, and then click Add Data Recovery Agent to start the Add Recovery Agent Wizard.

 

Step 4. Click Next on the Add Recovery Agent Wizard welcome screen

Step 5. On the Select Recovery Agents page, click Browse Folder

 

Step 6. Browse to the location you have a copy of the BitLocker.cer file that you exported in the previous procedure select the certificate and click Open

Step 7. Click

Note: You can repeat this process as necessary to add multiple data recovery agents. After all data recovery agent certificates you want to use have been specified, click Next.

Note: The example above has USER_UNKNOWN because the DRA file was manually imported.

Step 8. On the Completing the Recovery Agent Wizard page, click Finish to add the data recovery agent

Below is the BitLocker Drive Encryption setup with a DRA installed.

Additional Group Policy Configuration

BitLocker Identification Field

You now need to configure the BitLocker Identification field on all the computers you are going to use Bitlocker on as this helps identify what removable devices belong to your organisation.

Step 1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

Step 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3. In the console tree under Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption and then double click on Provide the unique identifiers for your organization

Step 3. Enter you specific Bitlocker identification name that you use to identify your Bitlocker encrypted devices in the BitLocker identification field

Note: You can add additional Bitlocker identifiers from other trusted organisations in the Allowed BitLocker identification field 

Enable Allow Data Recovery Agent

Continuing on from above you will need to configure you computers to Allow the Data Recovery Agent option.

Step 4 (cont.). In the console tree under Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drive and then double click on Choose how Bitlocker-protected removable drives can be recovered , then you will need to click Enabled and tick Allow data recovery agent then click OK

Note: You still have the option of configuring the standard AD recovery keys in this window. The Allow Data Recovery Agent option as far as I can tell has no bearing of the other options.

You have now configured Group Policy to use a Data Recovery Agent certificate to be used to encrypt all the “Bitlocker to Go” drives in your organisation.

How to unlock a “BitLocker to Go” drive with a Data Recovery Agent

Below are the instructions explaining how to use the Data Recovery Agent to unlock a BitLocker to Go encrypted drive

Step 1. Put the drive into the computer you want to unlock.

Step 2. Right Click on a Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

Step 3 (optional). If you want to get information on the volume before you unlock it you can run manage-bde -status E:

Step 4. Now you need to get the “CertificateThumbprint” of the drive you want to unlock type the command manage-bde –protectors –get E: where E: is the volume you are trying to unlock

Note: Take a note of the Data Recovery Agent (Certificate Based) Certificate Thumbprint (see circled in red).

Tip: You could also mark the thumbprint by using the Edit > Mark option of the command prompt.

Then select the thumbprint by clicking on the first character of the thumbprint and dragging to the last character.

Step 4. To unlock the drive, type the following command Manage-bde –unlock E: -cert –ct  88d07b2874031569e17eedf402e0a098fc0f7b81

You have now successfully unlocked the drive using a Data Recovery Agent.

Note: You will need to have the Data Recovery Agent Certificate (with the private key) installed in the Personal certificate store on the computer you are performing this task.

Step 5 (optional). Try getting running the following command again to view more information about the drives encryption manage-bde -status E:

Form more information about BitLocker drive encryption with Data Recovery Agents see the following pages:

• Microsoft TechNet: Configuring the BitLocker Identification Field (Windows 7)
• Microsoft TechNet: Using a Data Recovery Agent to Recover Bitlocker-Protected Drives
• Microsoft TechNet: Using Data Recovery Agents with Bitlocker

The hunt continues…

Just visited the local the Milton Officeworks and I asked an assistant if they had any copies of the Windows 7 Family pack for sale. He  informed me that they had some copies out the and the back and he would grab me a copy. Well after a few minutes he came back and spoke to the duty manager after which he told me all they had was the display boxes. But then he said that it would be for sale on December 9th. I was able to see a display box for the product which looked fairly similar to the standard Windows 7 box except it was double the width. Obviously the double width box is only a marketing thing as the Windows 7 family pack DVD is identical to the normal version with the only difference being the registration key.

So on Monday Microsoft said previously posted ( Windows 7 Family Pack Limited Pilot now Available in Australia) that the Windows 7 Family Pack will be “available in time for Christmas” but they didn’t specifically mention a date it would be on sale. Well if i had to make a bet then I say that there Microsoft has embargoed the sale for Windows 7 Family Pack until Wednesday December 9th maybe to co-inside with and advertising launch.

I will keep you informed when I spot a copy in the wild…

This week I have selected the “Shared Printer” Group Policy Preference as my Group Policy Setting of the Week (GPSW). This is arguably one of the most wanted group policy settings by Group Policy admin’s that was missing before group policy preferences. It was possible previous to preferences to map printers natively in group policy using the pushprinterconnections.exe option but like the Star Trek Deep Space Nine episode “Trials and Tribble-ations” we defiantly “do not discuss it with outsiders” as this is just a setting we would rather forget.

The “Shared Printer” options can be found under by right clicking on “User Configuration > Preferences > Control Panel Settings > Printers”. As with most group policy preference settings you also have the option to CRUD (see Group Policy Preferences Colorful and Mysteriously Powerful Just Like Windows 7) which means you can also use this option to remove any printer mapping that people have to printer queues that no longer exist.

Now it has always been fairly straight forward to map printers via logon script either via batch, vbscript or even kix scrtip however the real power of this setting is that it can now take advantage of the really powerful targeting options. More commonly you can map a printer via a single security group or IP range but you can really start to do some really advance targeting when you start to combine multiple targeting setting using Boolean logic. If you want to see some more advanced targeting options for printer mappings then check out my “How to use Group Policy Preference to dynamically map printers when using Roaming Profiles” article.

As you can see above you can also use this option to set the default printer for your users which can be very handy if people have a habit of always printing to the really expensive A3 colour printer on your floor when you are trying to reduce cost. Just use the default printer option wisely however as you could end up annoying your manager who likes to printer to their locally attached printer.

Enjoy!

Back when Windows 7 launched on October 22nd there was an Australian Consumer/Press launch event in Sydney to show case how awesome the product was and from all accounts the event went really well. But… They then opened up the floor to questions and got hammered that there is no Windows 7 family pack licensing in Australia. The response to all this was along the line of “we will look into it” but I don't think anyone was expecting much when they left the event.

Well it is only 5 weeks later and Microsoft have announced that you will be able to buy the Windows 7 Family pack for a “limited” time in Australia. This is good news (even thought it will be for a limited time) as you are going to be able to pick up 3 copies of Windows 7 Home Premium for $249au total. At $83au for each copy of Windows 7 Home Premium it works out to be a saving over over $85au per copy (or more that 50% off)…. Nice…

Note: I visited OfficeWorks today and they did not have any copies of Windows 7 Family pack on the shelves. This could be because they are offering Wireless Comfort Desktops Keyboards for anyone who had already paid full price for 3 copies of Windows 7 before tomorrow. So I will check again tomorrow to see if they have any stock…

Windows 7 Australia Blog : Windows 7 Family Pack Limited Pilot now Available in Australia

One of the new products that Microsoft announced at PDC 09 was the beta release of Silverlight 4. What has since come out is that Silverlight 4 will now offer support for the iPhone (kinda). Microsoft has been committed to making Silverlight as cross-platform as possible however Apple don’t allow applications such as Adobe Flash or Silverlight as this would allow people to bypass the application store and run what ever application they want. So to get around Apple’s restriction Microsoft's the Microsoft User Experience Platform Manager Brian Goldfarb has said “We worked with Apple” to enabled Silverlight on the server to stream video natively to the iPhone.

The really nice thing about this is you can checkout just how nice it work right now at http://www.iis.net/iphone

Source: Microsoft 'worked with Apple' for Silverlight on iPhone, says Goldfarb

Here is a the complete screen cast of my TechEd Australia 2009 session “Using the Power of Group Policy Preferences to Eliminate logon scripts and take control of your Environment [CLI308]”.

As I mention at the start of my session if you were one of the people who came to my session but you also wanted to see Andrew Dugdell’s session “Windows 7 After Hours” click on image below to see his session.

 

• Had to reboot #iPhone again today. This time to get 3G data working. #fail
• @leadfollowmove Flash 10.1 still crashed when I installed it.
• RT @maryjofoley No IE 9 code expected yet, but MS is on tap to say something about it at PDC on Wed (via@tom_warren): http://bit.ly/P2pO6
• ZUNE is now available in Australia!
• @jeffa36 Zune Market Place is now working for Video on the Xbox 360. No device or Zune Pass yet however... Its a start
• @GTRoberts where? how?
• @GTRoberts I wounder if they are selling it via official channels?
• @GTRoberts just spoke with then and the Zune HD they have in stock is an import... Damn
• @GTRoberts Warranty is only done via the place you bough it and there is no Zune online support
• Going to catch up on SG:Uni and Heroes tonight.
• @NickHodge meh. they were flying around all last week to
• Just learnt that we are getting 100% of bonus's this year. Awesome! #fb
• Watching Glee with Alicia and Steph via MSN Messneger Chat #fb
• RT @orinthomas Short Restricted Groups Policy screencast for those looking for a quick intro: http://bit.ly/2e1cLj
• Hey Google! I already have a browser on my OS so go back and do what you do best and sell some more adds.
• Looks like I have office web apps on my skydrive now.
• Office Web Apps is totally Awesome!
• Leaving sydney CBD now
• WTF! Homeless guy just flashed me in Belmore Park,Sydney. #fb
• @themolk Sorry dude you are on one of my lists. Just send me an email.
• Going offline now.
• Back on line. Still in Sydney! Plane has a broken AC, never got off the ground.
• Just got my first Microsoft NDA.
• @coatsy what's the URL for the podcast?
• WOW... Chrome OS is really shit
• Waiting for taxi to go to the airport for flight to Sydney. Again.
• Boarding plane to Sydney now. #fb
• Landed in Sydney. Current temp is 20c. Glad I missed the heat wave yesterday. #fb
• Group Policy Setting of the Week - 3. Group Policy Preferences Power Plans http://bit.ly/GPSW3 #gpsw
• Did you know you can control power plans in windows 7 using group policy. See how @ http://bit.ly/GPSW3 #gpsw
• @kathyhughesMVP is it 802.11n?
• @NickHodge only .5 over 1000 years I might go back to burning my rubbish.
• Windows 7: Fastest selling OS ever, says atomic mpc http://bit.ly/4E30cX #fb
• I just spotted a kindel in the wild. They are still rare in Australia.
• Are people really that dumb that they don't know how to hang up a telephone hand set #fb
• How not to impress your boyfriend... Smash his Xbox 360 http://bit.ly/692tSK
• See my latest Group Policy Setting of the week at http://bit.ly/5H0o5B #gpsw
• @mattcorr if you followed @translinkseq you would have know that...
• http://bit.ly/abskbase is getting close to 10,000 hits, if not tomorrow then definitely on Thursday...
• How to use Group Policy + BitLock to Go with Windows 7 http://bit.ly/3Fwj0Y
• About to have lunch with @jeffa36
• @auteched i nominate #cli306 to be free. that way everyone can come to my group policy session. #auteced
• Yahoo / Bing deal is now APPROVED!!! http://bit.ly/5TAb1t (in Australia)
• Western Australia daylight savings update for Windows is out now http://bit.ly/5elvua

Follow me on Twitter

I have selected for this weeks Group Policy Setting of the Week (GPSW) the group policy preferences that is used to configure Power Plans. While configuring power plans for your environment may be nothing new if you have deployed third party tools, you can now avoid the added expense and complexity of doing this as this functionality is now provided out of the box.

This option can be found under User Configuration > Preferences > Control Panel Settings > Power Options and is used to control the individual power plan for your computers. Strangely I have found that this option only works under the User Configuration setting which I presume is the case because it is normally a user configured setting even though the option is under the computer configuration section as well. This power plan option also work with Windows XP however you do need to explicitly select the correct OS power plan as the XP plan will not work on Vista+ and vice versa.

Windows Vista and later Power Plan

Windows XP Power Plan

As you can see this can be used to configured almost all the power plan setting that your version of windows has to offer. One notable omission is the CPU System Cooling Policy setting that was introduced with Windows 7 which is not available to be configured in the Vista (or later) power plan.

Left (Windows 7 System cooling policy) Right (Windows Vista and Later plan without the System cool policy option)

If you are interested in more advanced targeting option with Group Policy Preferences and want to learn how to apply different power plans to computers based on the time of the day check out my previous blog article at http://abskb.spaces.live.com/blog/cns!8834054641A09100!1133.entry

If you have not already got Group Policy Preferences deployed in your organisation then this is definitely the excuse you need to get it deployed. Go to any manager today and say you can start reducing the power consumption of you computer fleet using software they are already licensed and almost always the reaction will be to have it done yesterday.

Notes:

• This setting will work on Windows XP or greater if you have the Group Policy Client side extensions installed.
• You need to be running the Group Policy Management consol on Windows Vista (Windows 7 recommended) to manage these settings

This weeks Group Policy Setting of the Week (GPSW) can be found under Computer > Policies > Administrative Templates > System and is called “Verbose vs normal status message”. It is a really simple setting that doesn't actually do much but I dub this setting the “Make my computer start faster” setting which give users the illusion that their computer are working faster.

So what does it do and how does it make my Computer start faster? This setting displays a number of extra status messages during the start up and shutdown of the computer and when the user is logging on and off.

Some of the verbose status messages you will see are (but not limited to):

• Mapping Drives
• Playing Logon Sound
• Mapping Printers
• Applying Power Settings
• Stopping Services

You will still see your Applying Computer settings and Preparing Desktop messages however these will be shown for a lot shorter time.

Unfortunately it will not actually make your computer start any quicker but I have generally found that by enabling this option users seem to perceive that their computers are starting up quicker. Why? Well I think its because the extra status messages are holding their attention for a few seconds each time a new one is displayed something like the opposite of watching grass grow or a watched pot that never boils…  In any case this is still a handy setting to enable as at the very least will help your IT support troubleshoot logon performance issues.

This setting will work on Windows 2000 and above and it will also show the processing of newer Group Policy Preferences.

The European branch of Microsoft has put together a video trying to showing the logic (if you can call it that) of why they used “7” for the name Windows 7. Quite frankly I would have preferred they just said they called it Windows 7 because it sound cool. Anyhow it is a really great video clip so check it out below:

Today when I went into McDonalds for lunch I noticed that the TV’s in the dining area were showing an on screen caption advertisement. I presume that this add was for Telstra as they use the tag line “try the network that works better in more places” about their 3G network. Ironically all McDonalds Australian stores offer free WIFI they offer to all their customers so they don't need to use Telstra’s 3G network…. Hmm…

I wounder weather this breaches the Australian advertising standards as advertisements should always be clearly an advertisement and does this opaque banner across the bottom of the screen constitute subliminal advertising as this is also something that is strictly prohibited.

Perhaps they are not subject to these rules because they are only shown on in  house McDonalds TV’s either way it seems that McDonalds are now in the market of buying and selling of advertising.