Re: [msh] Some msh setup questions



In message <eiOisnIEGHA.3892@xxxxxxxxxxxxxxxxxxxx>, "Jeff Jones [MSFT]" <jeffjon@xxxxxxxxxxxxxxxxxxxx> writes
I'll try to answer the best I can inline and will get others to follow up where I don't have good answers. The office has been a bit empty due to the holidays so it may take a little while to fill in the missing parts.

No problem. I'm still on holiday for another week too!


2. MSHXML files rejected at first
The first time you start Msh, it gets upset about the 8 mshxml files. Now
I understand that these are pretty fundamental to the proper running of
MSH - so why are they not trusted in the first place? But more
importantly - I'm not clear on what is not trusting what. Is it MSH that
does not trust the digital signature on the XML docs? If not, why not? Is
there a certificate somewhere that should/could be provided? This is a
poor user experience.

I'm thinking here about larger scale deployment - you can deploy with a
machine startup script easily enough, but I'd like to automate whatever it
is I need to automate in order to get MSH to run smoothly. Is there a cert
I need to install?

Thomas, this goes back to the many discussions we had at the PDC regarding the default security mode. Since the MSHXML contain scripts we cannot run them when in Restricted mode for the ExecutionPolicy setting. I agree that this may not be the best user experience but it is our stance that we will be secure by default. The about-signing help topic that gets referenced in the error message provided when these fail to load should give the user enough information to come to a decision on which mode they want to run in.

I understand the ExecutionPolicy thing - I'm trying to get a better handle on how to explain it and to show how you can deploy MSH in a complex environment (i.e. on more than one system). Right now - IMHO of course - the installation requires way too much manual work - creating folders, creating files, etc. Plus it's not discoverable.


How is a user supposed to discover a) $profile exists, and b) just which files/folders have to be created? The execution policy help text (which is also NOT installed by default when you install MSH) doesn't explain this either.

This is not an issue on a single machine, where you can just hack the registry, but _is_ an issue for larger deployments.

3. Titanic support?
Is there, is there going to be, support for Msh on Itanium? There is a
version of the CLR, but I suspect the testing load is such that it does
not make sense given only 3 people are actually using this platform
<grin>. What is the Itanium support story for V1?


This is still not completely clear to us yet. We are currently testing on Itanium until we know for sure whether the platform will be supported by the likes of Exchange, MOM, etc.

More or less what I assumed! What has to be done to convince MS to either support or not support Itanium?? And when do you plan to make that call?


Of course, the lack of a beta version targeting Itanium makes it harder for me to test and generate a convincing case. On the other hand, if Itanium is a supported platform, it should be, umm, supported, not partly supported. FWIW: statements like this tend to make me shy away from even considering Itanium. If I can't be certain of hardware support going forward why bother wasting money on future legacy!

4. Language support
At present, at least so far as I can tell, the only language supported in
B2 is English (well American, but let's not split hairs). What is the
plan? I am guessing that RTM will add German, Spanish, French, Italian,
Japanese, Korean, both CHT and CHS and CS. Is this all?


These are the current languages that we plan to localize to when we ship with Exchange.

OK.

 Pending on other ship vehicles that we are investigating we
may add to this list.

When will you divulge this wider set of languages??

 For instance, if we release to the web as a Windows
component we will be localized to all the languages that Windows gets
localized to.

Of course.

Also, what will Monad look like? I am assuming all keywords etc are fixed
to their English names. Thus if a German wanted to see pictures of his
wife's dog, he might type

$MeinStuffen = ls | where {$_.name -match "hund" -and $_.name -match "Frau" }

Same for Japanese etc?

What about support for Arabic script?


Anything that will be used in scripts that may be run on machines in different locales are not localized. All keywords/operators in Monad are language invariant (meaning they don't change when the product is localized).

Thanks for the confirmation.

Since most are either US English or acronyms for US English
words, these will remain as such.  All cmdlet/script names can contain any
Unicode character (except \ and -) but they are not localized.  So the
cmdlets and providers that we produce will always have US English names and
will not be localized.  This does not prevent cmdlets being developed with
Japanese names.

So I could have a provider whose name was Japanese, but I'd have to use a "create-drive" command in English but using the -provider switch and giving the Japanese name for the provider?


Seems sensible.

5. Deployment via Group Policies

It looks like deployment via software group policy does not work (although
this may just be a bug), but I can deploy via startup script. I'd like
some idea of recommendations for best practice deployment via GP? Are there
any?


I'll follow up with the setup guys.

Thanks. There are two issues here:

1. Software distribution GPO does not seem to work.
2. I want the policy for Execution Policy to be in the policy hive, not in a private hive.


Thomas
--
Thomas Lee
doctordns@xxxxxxxxx
MVP - Admin Frameworks and Security