Change Notification “From” Email Address in FSE

After a recent deployment of FSE (Forefront Server for Exchange) on an Exchange CMS, I sat back and just watched Forefront notifications come in. Initially they were delivered in my Outlook junk email folder, but I quickly figured it out and added the “domain” Forefront was sending from. This was all ok for me, a sysadmin, but then it hit me: Users whose attachments get blocked also get this notification and it probably ends up in the junk folder as well. First I thought, ok, let’s push a list of accepted domains down to the clients, but then it dawned on me that there had to be a way to change the “from” address in Forefront. As an added bonus I wanted to find a way to change it on any Server Role (mailbox, hub, cas, edge). Thankfully the Forefront Server for Exchange User Guide provides the answer (goes to show RTFM sometimes goes a long way).

How to Change the From Address

The From address is stored in a registry key on the server where FSE is installed.

  1. Open the Registry Editor and browse to the corresponding key depending on the OS version you have:
    For 32-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress

    For 64-bit:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress
  2. Change the default value to the sender name you would like. I chose a name that also identifies the server where the notification is sent from. You can use any alphanumeric characters, just keep in mind that illegal characters are replaced with “_”.
  3. Microsoft says to restart/recycle the Exchange and FSE services for this change to become active; please read the notes below regarding this:

Notes: Restarting/recycling services looks like quite a simple task; however, I do have some hints on that:

  • If using a CMS (Clustered Mailbox Server) you just have to recycle FSE on the ACTIVE node; FSE is not actively running on the PASSIVE node. Exchange services don’t need to be restarted for this change to take effect – (this is my personal observation)
  • Recycling FSE on servers running Microsoft Exchange Transport Service (Transport, Edge Roles) will also recycle the Microsoft Exchange Transport service (Transport Service has a dependency on FSE) – so plan for downtime.
  • There is a “bug” in Forefront: after the change and restarting services (not sure what is the cause, didn’t play around to find out) Forefront sends out 3 failed update notifications (1 per engine), for deprecated scan engines it has (AhnLab, Sophos, CAvet) even though none of those engines are enabled/configured to get updates. I spent almost 2 hours scouring the Internet for a reason why this happened. Best just to ignore it, save yourself some brain-cells.
  • If changing the registry key by hand via remote registry you will not see the wow6432Node because regedit already connected you to that key.
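The registry steps above as a batch script, added here as an example (it is not from the original post or from Microsoft). The script name `setfrom.cmd` and the backup file name are assumptions, and it treats FromAddress as a key whose default value holds the address, as the steps describe. It does not restart any services.

```batch
@echo off
setlocal
:: setfrom.cmd NEWFROMADDRESS   (added example; script name is an assumption)
:: Run from an elevated command prompt on the server where FSE is installed.
set "NEWFROM=%~1"
if "%NEWFROM%"=="" ( echo Usage: %~nx0 NEWFROMADDRESS & exit /b 1 )

:: FSE replaces illegal characters with "_", so accept alphanumerics only.
:: The loop body runs only if something other than a delimiter is present.
for /f "delims=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" %%X in ("%NEWFROM%") do (
    echo Only alphanumeric characters are accepted.
    exit /b 1
)

:: Try the 64-bit location first, then fall back to the 32-bit one.
set "SUB=Microsoft\Forefront Server Security\Notifications\FromAddress"
set "KEY=HKLM\SOFTWARE\Wow6432Node\%SUB%"
reg query "%KEY%" >nul 2>&1 || set "KEY=HKLM\SOFTWARE\%SUB%"
reg query "%KEY%" >nul 2>&1 || ( echo FromAddress key not found. Is FSE installed here? & exit /b 1 )

:: Keep a copy of the key so the old value can be restored with "reg import".
set "BACKUP=%TEMP%\FSE_FromAddress_backup.reg"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%" || exit /b 1

echo Current value:
reg query "%KEY%" /ve

:: /ve writes the default value of the key, /f suppresses the overwrite prompt.
reg add "%KEY%" /ve /t REG_SZ /d "%NEWFROM%" /f || exit /b 1

echo New value:
reg query "%KEY%" /ve
echo Backup saved to %BACKUP%
echo Recycle FSE as described in the notes for the change to take effect.
exit /b 0
```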

Disclaimer: As you know, changing the registry is “bad juju”. If you don’t know what you are doing you can break things, so handle these operations with care.

This is probably the first post in a series related to Forefront Security for Exchange, I hope they prove useful.

Configure USB device to boot WindowsPE

It’s been a while since my last post but now I found some time to write a complementary article to my “make your PE boot disk series”. While the make your PE disk series showed you how to make a bootable ISO, it is also possible to write the contents of the ISO to a USB stick and, by following this guide, to boot Windows PE from USB. The advantage of having WinPE on USB is great flexibility: with a CD you always have to rebuild the ISO and burn it/mount it whenever you feel like adding new applications/scripts to it. With a flash drive you can just copy the data alongside the booting OS.

Here’s what you need:

  • USB stick of choice (portable USB HDD works as well)
  • A PC running at least a Windows Vista kernel (Windows 7, 2008 – WinPE versions of these also work)
  • Administrator privileges on the machine.

With the introduction of Vista and later kernels, making USB storage bootable for Windows became so much easier. Before that (in the Windows XP/2003 days) there were specialized tools that major hardware vendors had, as far as I know. Why was this not working in XP/2003?

The reason is that 5.x versions of Windows did not mark a USB device as a hard disk storage device, so you could not use the “diskpart” command line utility to mark partitions as active, which is what you need to get WinPE to boot.

Diskpart is a pretty powerful disk partitioning utility that comes free with Windows, and it can be used to manage hard disks when you lack a GUI or are a scripthead like me :). What is great about it is that it’s also included in WindowsPE, which can make WinPE a one stop shop for disk management up to a certain point.

The steps we will go through are:

  1. Use Diskpart to list all system disks and select our USB stick
  2. Partition USB stick as desired and mark a specific partition as active
  3. Copy WindowsPE files to the USB stick

Select system drive for WinPE boot

The first step is to open up your command prompt, running it as Administrator. Type diskpart at the prompt and hit enter. After a few seconds you get a command prompt headed by “DISKPART>”.

At the prompt type list disk – this will list all available physical drives. This next step is CRUCIAL. Pay extremely good attention to the information shown. The command will list the disks on your system. Identify which of the disks listed there is your USB stick; use the “Size” parameter to figure it out. If you are still not sure what type of disk you have selected, do the following:

select disk [enter #] <<enter a disk number from the listing you did>>
detail disk

The output should say your selected disk is TYPE:USB. If you get TYPE:ATA, list the disks again and select another number!

DISKPART> detail disk

Disk ID: 2EA32EA2
Type   : USB
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

 Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
 ----------  ---  -----------  -----  ----------  -------  ---------  --------
 Volume 6     G                NTFS   Removable   7679 MB  Healthy

Repeat the “select disk #” and “detail disk” until you find your USB device that you wish to make bootable. To see which disk you selected run:

DISKPART> list disk

 Disk ###  Status         Size     Free     Dyn  Gpt
 --------  -------------  -------  -------  ---  ---
 Disk 0    Online          186 GB      0 B
* Disk 1    Online         7680 MB      0 B

Up to this point we’ve done nothing to the USB device, but I hope you have a backup / don’t care about the data on it, because it will be gone in the next step…

Prepare disk and mark as active

With the proper disk selected we will wipe all partitioning data from it, create a single partition, format it as NTFS, give it a drive letter, and mark the partition as active.

!WARNING!: The following will wipe your device, so make sure the selected disk is the correct one. (use list disk and look for the “*” to see which disk is selected)

clean
create partition primary
active
format fs=NTFS quick
assign letter=U

All of these commands will echo a response that they ran successfully. Once done, type exit to leave the diskpart context and let’s copy the WinPE files to disk.
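The selection and wipe steps as one guarded script, added here as an example (it is not from the original post). It refuses to continue unless WMI reports the chosen disk's interface as USB, asks for confirmation, then feeds the commands to `diskpart /s`. The script name `prepusb.cmd` and the temporary file name are assumptions.

```batch
@echo off
setlocal
:: prepusb.cmd DISKNUMBER   (added example; script name is an assumption)
:: Run from an elevated command prompt. WIPES the selected disk.
set "DISK=%~1"
if "%DISK%"=="" ( echo Usage: %~nx0 DISKNUMBER & exit /b 1 )

:: Accept digits only: the loop body runs if any non-digit is present.
for /f "delims=0123456789" %%X in ("%DISK%") do (
    echo Disk number must be numeric.
    exit /b 1
)

:: Ask WMI for the interface type. The inner FOR strips the trailing CR
:: that wmic leaves at the end of each output line.
set "IFTYPE="
for /f "tokens=2 delims==" %%I in ('wmic diskdrive where "Index=%DISK%" get InterfaceType /value 2^>nul') do for /f "delims=" %%J in ("%%I") do set "IFTYPE=%%J"

if /i not "%IFTYPE%"=="USB" (
    echo Disk %DISK% reports interface "%IFTYPE%", not USB. Refusing to continue.
    exit /b 1
)

:: Show what is about to be wiped and require an explicit confirmation.
wmic diskdrive where "Index=%DISK%" get Index,InterfaceType,Model,Size
set "ANSWER="
set /p "ANSWER=Type YES to wipe disk %DISK%: "
if not "%ANSWER%"=="YES" exit /b 1

:: Write the diskpart script; the new partition gets focus after "create".
set "DPSCRIPT=%TEMP%\prepusb_%RANDOM%.txt"
(
    echo select disk %DISK%
    echo clean
    echo create partition primary
    echo active
    echo format fs=NTFS quick
    echo assign letter=U
) > "%DPSCRIPT%"

diskpart /s "%DPSCRIPT%"
set "RC=%ERRORLEVEL%"
del "%DPSCRIPT%"
exit /b %RC%
```

Some USB enclosures report a different interface type to WMI; the script then stops without touching the disk and the manual `detail disk` check above still applies.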

Copy Windows PE Files

Ok, time for a little linking to my previous posts (post1 and post2). In these posts I discussed how to make a Windows PE boot disk. If you followed that tutorial (or similar ones on the internet) you will probably be stuck with a folder called ISO in the <PATH>\WinPE_x86\ folder. You should also be left with the ISO file. BOTH of them are good for this next step, which is “Copy all the files from either the ISO folder or the ISO IMAGE you built to the root of the USB partition” (make sure you copy all files and folders including hidden ones). Yep, it’s that easy :)

Once you are done, safely remove the USB device from the PC and attempt to boot from it. It should plain and simple work (provided your BIOS can boot from USB disk and you configured it to boot from USB disk properly). If your ISO image was working your USB stick should also be working.

I hope this was helpful and if you have feedback it is always welcome.

How to create a Windows PE Disk (part 2)

It is time for part 2 of this guide to making yourself a Windows PE disk. You can read more about the first part here. In this post we will cover the following: how to integrate drivers, add 3rd party applications/files to your image, unmount the image and burn it to an ISO file. I also want to say that this is a scripted approach, and all data and scripts are in the E:\PE path in this guide. The scripted approach will come in handy when you are doing tens of rebuilds of the image because a certain driver will not integrate, or a registry file modification does not work.

Integrate Drivers into WinPE Image

First thing on the agenda here is to get the actual drivers you want to integrate into the image. For most use cases it is enough to integrate storage and network drivers, and perhaps chipset drivers. You also need to take into account the WinPE version you are building; in this guide we build an x86 WinPE image, so my focus was on x86 drivers for Windows 7 / 2008 / 2008 R2. Now go out and grab those CDs or vendor provided tools (Hyper-V Integration components or VMware Tools).

Some vendors ship other applications along with drivers. You don’t need the extra files most of the time, because WinPE doesn’t know how to use them. From the drivers in the list WinPE needs the *.inf, *.cat and *.sys files corresponding to each driver you want to integrate and ANY other file specified in the *.inf file. Be patient with this process, as it can sometimes be painstaking and will cause you to rebuild your image until you get it right, until you find all the drivers and files you need :)

Let’s take the example of VMware Tools for vSphere. If you want your WinPE to boot into vSphere and be able to see your storage adapters and network cards you need to integrate the drivers from VMware Tools.

Step1: On a VM running Windows 2008/ Windows 7 on vSphere start an interactive VMwareTools Install.

Step2: Install your VMware Tools and reboot VM. Now take a look in %programfiles%\vmware\vmware tools\drivers\ – driver heaven! Copy the needed folders from here into a folder called “E:\PE\Drivers\ESX_40” (e:\PE is the location where we run our WinPE imaging process).

For other drivers you may need to take a different approach. I will just share from my experience. Drivers can be in *.cab cabinet files, in *.zip files, or inside MSI files, which you kinda have to install to get to (see the VMware Tools case). You may even have to install a driver, look in Device Manager where the device driver exists, and search for a similarly named *.inf, *.sys and *.cat file and all the other files referenced in the *.inf file.

When you have all your drivers run this as administrator from a command prompt:

cd \
cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
DISM /image:e:\pe\winpe_x86\mount /Add-Driver /driver:e:\PE\Drivers\ /recurse

Here you run the DISM tool using the /add-driver switch, with /driver specifying where the drivers are located and /recurse to make it look in all subfolders of e:\PE\Drivers. One of the sweetest things about DISM is that it can recursively search for drivers (in WinPE 2.0 you had to have 1 command per folder containing drivers).

The output of the command should look like this:

As you can see DISM searched the folder and found 84 drivers (inf files that it can integrate). I had 85 inf files inside that folder, one failed, and you see DISM threw an error. This is however just a “pre-flight” check, as there can still be errors during the actual integration:

As you can see in this screenshot, DISM could not integrate some of the drivers and pointed to the DISM log file. This file can be found in %WINDIR%\Logs\DISM\dism.log.

For those that just want to test their driver integration skip the next step.

Adding Custom Scripts/Applications to the Image

In an earlier post, I showed how to mount the WinPE image. The image was mounted under “E:\PE\winpe_x86\mount”. If you take a look in this folder you will notice a folder structure resembling a Windows install… well, that is exactly what it is – all Windows PE files unpacked, as they would look if booted with the image. This means you can add files under %windir%\system32 of the image (in our case e:\pe\winpe_x86\mount\Windows\System32) and you would be able to execute them, as %windir%\system32 is in the %path% environment variable of the Windows OS. Note that not all apps run under Windows PE; sometimes it is a matter of trial and error.

So it is just a matter of copying the files you need from a path, let’s say “e:\PE\CustomApps\” to wherever you want in the folder structure “e:\PE\winpe_x86\mount\”. Use a manual copy or do an xcopy like this for example:

xcopy /y /r /F E:\PE\CustomApps E:\PE\winpe_x86\mount\Windows\System32

It is a little known fact about Windows PE that it has a batch file called “startnet.cmd”. This file includes a command “wpeinit”. wpeinit is an executable that is run when WindowsPE boots on your system (more info here). While I don’t care much about wpeinit itself, I do care about startnet.cmd. At this point you can modify/overwrite this file with a custom made startnet.cmd that can start other scripts, check IP connectivity, or do anything else you need to do with your WinPE boot disk. Similar to putting custom apps on WinPE you can do this:

xcopy /h /Y /R /F "E:\PE\CustomScripts\startnet.cmd" "E:\PE\winpe_x86\mount\Windows\System32\startnet.cmd"

I am stressing the importance of this file because you can access it only at boot time and it is “hard-coded” into the WIM file (you cannot change it after you unmount the WIM and build the ISO afterwards). Therefore, since startnet.cmd cannot be altered after building the image, it could make sense to have startnet.cmd point to a file, say autorun.cmd, that you can put on the root of the ISO file for example. There are many ISO editing tools, so changes to autorun.cmd are easier to make; editing a WIM is not so straightforward.

Still following this? Good, because the worst part is over :)
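A startnet.cmd that hands off to autorun.cmd as described above, added here as an example (it is not from the original post). The log file path is an assumption; the check for sources\boot.wim is an added guard so that an autorun.cmd on some unrelated volume of the machine is not picked up. Keep in mind that whoever can write to the boot media controls what this runs at boot.

```batch
@echo off
:: startnet.cmd  (added example; the log path below is an assumption)
:: Goes into Windows\System32 of the mounted image before the WIM is committed.
wpeinit

:: X: is the WinPE RAM disk, so the log lives only for this boot session.
set "LOG=X:\startnet.log"
echo %DATE% %TIME% startnet.cmd started > "%LOG%"

:: The boot media gets some drive letter other than X:. Accept autorun.cmd
:: only from a volume that also carries sources\boot.wim, i.e. the media
:: that was built from the ISO folder.
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if exist "%%D:\sources\boot.wim" if exist "%%D:\autorun.cmd" (
        echo Running %%D:\autorun.cmd >> "%LOG%"
        call "%%D:\autorun.cmd"
        goto :done
    )
)
echo No autorun.cmd found on the boot media >> "%LOG%"

:done
echo %DATE% %TIME% startnet.cmd finished >> "%LOG%"
```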

Unmount Image and burn to ISO

This last step is fairly easy. DISM has a parameter to unmount the image and commit the changes to the image. If you remember, in the beginning we copied boot.wim to winpe.wim. Now we overwrite the existing boot.wim image with our serviced image. The commands below do just that:

cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
::commit changes to image and unmount
Dism.exe /Unmount-Wim /mountdir:E:\PE\winpe_x86\mount /commit
copy E:\PE\winpe_x86\winpe.wim e:\pe\winpe_x86\ISO\sources\boot.wim /Y

In the current state you have 2 options:

1. Copy the contents of the E:\pe\winpe_x86\iso folder to a bootable USB stick or make an ISO file out of it. For now let’s focus on making an ISO file.

Microsoft delivered OSCDIMG with the WAIK, a utility that can create the bootable ISO for us.

cd \
cd "%PROGRAMFILES%\windows aik\Tools\x86"
::"-b" MUST BE directly next to the path of the etfsboot.com file (no space)
OSCDIMG -bE:\PE\winpe_x86\etfsboot.com -n -o E:\PE\winpe_x86\iso E:\PE\Current_ISO.iso

Please note the comment in the script: “feature” or bug, you don’t need a space between -b and the etfsboot.com file.

This should have successfully built the image and you can burn it to a CD/mount it in a VM and enjoy a Microsoft Supported Windows 7 live CD :). Before you go take a mental break from all this reading I just want to point out that Windows PE will crash if you run it on a system with insufficient memory.

Why? The boot disk creates a RAM disk where it loads Windows PE. If there is not enough RAM (typically you have this issue on old hardware or VMs) it will crash and simply not load. As a rule of thumb, the machine using it should have at least 1.8 - 2.0 times the size of the ISO file available as RAM.

I hope this was helpful for others looking to use WinPE as boot disk and I appreciate any feedback you may have.