SBS 2008 – ONECARE POSTSCRIPT

One glitch in the SBS 2008 migration nagged at me – it didn’t make sense that the computers with the individual version of Windows Live OneCare were not reporting in to the SBS 2008 console, which tracks the security status of all the workstations on the network.

This is a sample of the new console for managing workstations in SBS 2008.

[Screenshot: SBS 2008 console for managing workstations]

A handful of the computers running OneCare were able to get through and the server reported they were secure. I looked in vain for firewall exceptions for ports or services that were different on those.

It took a while to track it down, and in the end it wasn’t the firewall after all.

Many things on a Windows Server network are controlled by “group policy,” a very extensive set of rules that can be applied from the server to the workstations to control everything from network communications to your browser home page. There are thousands of settings that can be closely controlled with group policy.

Windows Server 2008 and SBS 2008 introduced hundreds of new group policy settings, but the workstations do not recognize them until new Group Policy Client Side Extensions are installed (Microsoft KB 943729). The group policy extensions are available through the Windows Update system but apparently are never offered as anything other than an optional update – ignored by OneCare and apparently ignored by WSUS, the system built into SBS 2008 to keep workstations up to date.

Sure enough, most of the computers had never installed the Group Policy Client Side Extensions. When the update was installed, the SBS 2008 console reflected their secure status about an hour later.
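One way to find which workstations still lack the update described above, as an added example that is not part of the original post: it lists each machine's installed hotfixes and looks for KB943729. The workstation names are constructed placeholders, and the script assumes Windows PowerShell on an admin machine, remote WMI access to the targets, and that the update appears in the list Get-HotFix returns.

```powershell
# Added example: audit workstations for the Group Policy Client Side
# Extensions update (KB 943729) named in the post.
$KbId = 'KB943729'

# Constructed sample names; replace with the real workstation list.
$Workstations = 'WKSTN-01', 'WKSTN-02', 'WKSTN-03'

function Test-GpCseInstalled {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string]$HotFixId = 'KB943729'
    )
    foreach ($name in $ComputerName) {
        $status = 'Missing'
        try {
            # List every hotfix and filter locally, so a missing update is
            # not confused with a machine that could not be queried.
            $hit = Get-HotFix -ComputerName $name -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $HotFixId } |
                Select-Object -First 1
            if ($hit) { $status = 'Installed' }
        }
        catch {
            # Offline machine, blocked WMI/RPC, or access denied.
            $status = 'Unreachable: ' + $_.Exception.Message
        }
        # One result object per workstation, so the output can be sorted,
        # filtered, or exported.
        New-Object PSObject -Property @{
            Computer = $name
            HotFix   = $HotFixId
            Status   = $status
        }
    }
}

Test-GpCseInstalled -ComputerName $Workstations -HotFixId $KbId |
    Sort-Object Status, Computer |
    Format-Table Computer, HotFix, Status -AutoSize
```

Machines reported as Missing are the ones to compare against the workstations that are not reporting in to the console.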

One more thing for the SBS migration checklist!