07 December 2011

Create Windows 8 bootable installation USB drive fails

To create bootable USB installation drives I have always used the Windows 7 USB/DVD Download Tool from the Microsoft Store:

http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe

Recently I tried to create a Windows 8 installation drive and the process failed right after formatting the drive, before any files were copied.  The app would just die and disappear.

I had the same issue regardless of the source ISO, OS version of the ISO or the USB drive I was using.

The cause was the Sophos Endpoint Protection on-access scanning running on the machine I was using to create the boot drive.

The behaviour of Windows7-usb-dvd-download-tool.exe gets flagged as suspicious.  To prevent this you need to authorize the file in the local authorization manager (if you have the privileges) or through policy in the Sophos enterprise management console.

Add the authorization on the local machine

  • Open the Sophos Endpoint Security and Control Application
  • Select Configure anti-virus and HIPS
  • Click Authorization
  • Select the Suspicious behaviour tab
  • You should now see the Windows7-usb-dvd-download-tool.exe in the known applications pane
  • Click the add button to move it to the Authorised applications pane

If the entry is not listed, you can add it manually by clicking the New Entry button and selecting the file.

Add the authorization by policy

  1. Open the Sophos Enterprise Management Console
  2. Select the relevant Anti-Virus and HIPS policy being applied to the relevant machines
  3. Select the Suspicious behaviour tab
  4. You should now see the Windows7-usb-dvd-download-tool.exe in the known applications pane
  5. Click the add button to move it to the Authorised applications pane

Note in the screenshot there are two entries.  This is because there are two minor versions of the file (1.0.24 & 1.0.30).

To read a bit further on creating multi-edition boot media, check out http://fixmyitsystem.com/2011/02/create-windows-7-multi-version-or.html

06 December 2011

Captivate logon screen never loads on Mac OSX Safari

I explored using the Captivate plugin for TMG to provide a Wi-Fi guest network with authentication against multiple AD LDAP stores.

http://fixmyitsystem.com/2011/10/accommodate-tablets-and-smart-phones-in.html
http://fixmyitsystem.com/2011/11/accommodate-tablets-and-smart-phones-in.html

In final testing I ran into a snag.  This worked beautifully on every single test device I could find to throw at it, until I tried a Mac. What would happen is that Safari would open and redirect to the Captivate login page, but the page would never load.  There was also no time-out, error message, or anything similar to work with.

I eventually (and it took a while) tracked down the source of the problem.  On the Mac, CRL and OCSP checking defaults to "best effort", with OCSP preferred.  When the Captivate login page is requested, the certificate validation process starts, but since there is no internet access yet, the process just sits there and hangs.

To resolve the issue I had to add an additional access rule to my TMG array allowing access from the Wi-Fi network to a URL set containing the certificate validation URLs.  This rule has to sit ahead of the Captivate authentication rule.

The URLs that need to be accessed are the ones specified in the following fields of the certificate:

  • CRL Distribution Points
  • Authority Information Access (AIA)

Once this is done, the certificate validation process completes and the page loads. A completed validation is preferable to the certificate not being validated at all, but it would be nice if there were an error message or a time-out, as with all the other browsers that were tested.

An interesting side effect of this fix is that all the other browsers now load the login page faster, because the validation succeeds instead of having to time out first.
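To enumerate the URLs for that TMG URL set, here is an added example (not the original post's code) that reads the CRL Distribution Points and AIA URLs out of a certificate chain with Python's third-party cryptography package; it walks every certificate in the chain, since intermediate CA certificates carry their own CDP and AIA entries. The self-signed sample certificate and the *.example.test hostnames are constructed for illustration.

```python
# Added example (not the original post's code): derive the URL set for the
# pre-authentication rule from the CRL Distribution Points and Authority
# Information Access extensions of every certificate in the chain. Needs the
# third-party "cryptography" package; the chain below is a constructed sample.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def _uris(names):
    # Keep only GeneralName entries of type uniformResourceIdentifier
    return [n.value for n in names if isinstance(n, x509.UniformResourceIdentifier)]


def validation_urls(chain):
    """Every CDP and AIA (OCSP / caIssuers) URL a client may fetch while
    validating the chain; these must be reachable before the portal logon."""
    urls = set()
    for cert in chain:
        for cls in (x509.CRLDistributionPoints, x509.AuthorityInformationAccess):
            try:
                ext = cert.extensions.get_extension_for_class(cls).value
            except x509.ExtensionNotFound:
                continue  # a certificate may legitimately lack either extension
            for item in ext:  # DistributionPoint or AccessDescription entries
                is_cdp = cls is x509.CRLDistributionPoints
                urls.update(_uris((item.full_name or []) if is_cdp else [item.access_location]))
    return urls


def sample_chain():
    """Constructed sample: one self-signed certificate carrying CDP and AIA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "portal.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    uri = x509.UniformResourceIdentifier
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                [uri("http://crl.example.test/ca.crl")], None, None, None)]), critical=False)
            .add_extension(x509.AuthorityInformationAccess([
                x509.AccessDescription(AuthorityInformationAccessOID.OCSP, uri("http://ocsp.example.test")),
                x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                       uri("http://aia.example.test/ca.crt"))]), critical=False)
            .sign(key, hashes.SHA256()))
    return [cert]
```

Running validation_urls over the real portal certificate and its issuing chain (loaded with x509.load_pem_x509_certificate) gives the complete list to put in the rule placed ahead of the Captivate authentication rule.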