New Microsoft Technology at PDC2008

Hello from sunny LA.  Yes, all the natives thought they had seen a pre-Halloween ghost when this Seattle native hit the streets for the Microsoft Professional Developers Conference 2008 (PDC2008).  As usual, Microsoft has some new, cool products and technologies in the developer space that hit in a big way.  You’ve probably been seeing headlines covering Windows 7 and Microsoft “Azure”. 

Here is my very short, sweet summary of this new stuff.  First, Windows 7:

  • Windows 7 will fix all that stuff that caused negative reviews of Vista. 
  • It also has a lot of great new shell features that will positively impact the experience for the everyday user.  The taskbar improvements alone are pretty cool.
  • UAC will still be there, but in a more flexible format for configuration, and they have decided to exempt more operations from prompting.  However, Microsoft continues to be hardcore about forcing all apps to do the right thing and operate under “standard user”.  The stats do show that most developers are getting the message and a lot of progress has been made.  As a user, UAC drives me up the wall.  As a security person, it’s the right thing to do.

The newer and (to me) more exciting technology has to do with the new Microsoft services strategy, which includes “Azure” and the “Geneva” server.  This technology will catalyze two important business scenarios that really need to get over the hump:  (1) B2B connectivity in which many enmeshed partners share a workflow and (2) hosted services for enterprises (not just small orgs).

Microsoft has a big cloud in the sky and plays traffic cop for all services that register with the Microsoft “Services Bus”.  The bus supports some serious authentication and authorization through the use of WS-Federation and SAML tokens.  And part of the offering is SQL Services, which equates to a SQL database that is up in the cloud and protected by the aforementioned authentication and authorization.  So you can support some great B2B scenarios:

  • Partners that all need access to a workflow, but need a slightly different type of data for the same workflow transactions
  • Partners that all use a different directory or authentication type can still positively identify into one cloud
  • Eventing enables store-and-forward of transactions until a particular partner connects to the service.

If you are a small company and you are interested in advertising your service, click into the Microsoft Service Bus and you just got a free advertisement to service consumers.

But…that’s not all.  The biggie is Geneva because it creates a super easy to set up and configure Enterprise Service Connector for Active Directory.  This could enable hosting of an internet-based service for a company with an internal Active Directory.  There is a question here of whether the company will accept the Microsoft EULA for connecting to the Services Bus and whether their security policy will accept their authentication getting proxied through the Microsoft Federation Gateway in the cloud.  But the good news is that all the authentication against the hosted service is handled by the Microsoft Service Connector, which is located on the company premises.  It reminds me a little bit of ADSI, but better.  If the company doesn’t want to accept the Microsoft EULA, they can set up a B2B connection direct to their partner (the hosting provider), who will have the Federation Gateway (Geneva) handling “claims”.

We still have 1.5 more days here, but I think all the big news has already popped.

Dave Field, CISSP, MCP

Windows Mobile 6.1 Upgrades Now Available – Oct 16, 2008

I’ve compiled a running alphabetical list of which devices now have official supported upgrades available for them. This may be useful for many of you as well. I will keep this list updated, new entries in red. Sorted by mobile operator/OEM:

Alltel HTC PPC8600 [Posted 10/10/2008]
Alltel HTC Touch [Posted 10/10/2008]

ASUS PDA Phone P527 (Released by country): [Posted 9/16/2008]
ASUS PDA Phone P750 (Released by country): [Posted 9/18/2008]

AT&T Motorola Q9h
AT&T Tilt [Reposted 8/26/2008]
AT&T Pantech C810 Duo [Posted 10/8/2008]
AT&T BlackJack II (SGH-i617) [Posted 9/2/2008]

Bell HTC Touch [Posted 8/23/2008]

Fido BlackJack (SGH-i616) [Posted 10/8/2008]

HTC TyTN II (unlocked)
HTC Touch Cruise [Posted 9/30/2008]
HTC Touch Dual [Posted 10/10/2008]

Intermec CN3 [Posted 9/26/2008]

O2 XDA Stellar [Posted 9/19/2008]
O2 XDA Orbit 2 [German] [Posted 9/19/2008]

Orange HTC TyTN II

Rogers BlackJack (SGH-i616) [Posted 10/8/2008]

Samsung SCH-i760
Samsung Omnia SCH-i900 [Posted 8/9/2008]

Sprint Motorola Q9c
Sprint Mogul [Posted 8/6/2008]
Sprint HTC Touch [Posted 8/6/2008]
Sprint Samsung Ace (SPH-i325) [Posted 10/16/2008]

Telus HTC Touch [Posted 8/6/2008]
Telus HTC S720 [Posted 9/12/2008]
Telus HTC P4000 [Posted 8/6/2008]

Verizon Samsung SCH-i760
Verizon UTStarcom XV6800 [Posted 8/27/2008]
Verizon XV6900 [Pending ???]
Verizon Motorola Q9c [Posted 9/18/2008]

Vodafone v1615 [Posted 6/27/2008]

If you know of others, or corrections, please let me know!


Picking the Right SSL Server Certificate for Windows Mobile

A lot of enterprise software for mobile devices uses SSL for security.  SSL is the de facto choice because it traverses NATs and routers like any other HTTPS traffic, whereas many VPNs cannot.

So you’ll need to purchase an SSL certificate for your web server, and every Windows Mobile client must have the root certificate that your server certificate chains to in the device’s root certificate store.

The problem comes when that root certificate is not already in the device root certificate store by default.  You can add certificates to the root store (this got a lot easier in Windows Mobile 6.0), but it will likely require a user to perform the task or a support tech to “touch” the device.  And if the device is cold reset, you have to perform this task all over again.  Remember, too, that whatever root you push becomes trusted for every server that device talks to, so a private root has to be guarded accordingly.  It is much easier just to use an SSL server certificate from a public Certificate Authority that chains to a root certificate already resident on the device.

Unfortunately, Windows Mobile has no root certificate update service like the one included in Windows XP and Windows Vista.  With Windows Mobile, you get the root certificates that were added when the image was built, and nothing more.

If you are using Windows Mobile 5.0 devices, you should for the most part not use certificates issued under the GoDaddy or Comodo roots.  Here is a table showing which versions of Windows Mobile include which public CA root certificates:

(Table: Windows Mobile Root Certificates, the public CA roots included in each Windows Mobile version)

Another consideration is the use of wildcard certificates.  As you probably already know if you are reading this, a wildcard certificate replaces the host label of the DNS name with “*”, so the same SSL certificate can be used for many different web servers whose DNS names share the same parent domain.  It is important for SSL security that the server’s internet DNS name matches the Subject or Subject Alternative Name on the certificate; a client that skips this check can be pointed at an impostor holding any valid certificate.  So if you wildcard the host prefix in the certificate, you can use one cert for a lot of servers.

Windows Mobile started supporting wildcard certificates in Windows Mobile 6.0.  If you have Windows Mobile 5.0 devices, you should take a look at the offering from DigiCert.  They allow you to populate the Subject Alternative Name extension of the certificate with a list of server names.  This ends up giving you something approaching wildcard certificate features.  However, you do need to know the internet DNS names of all the web servers you’ll be using up front, and the certificate has to be reissued when a server is added.  See more details on the DigiCert site.  Note that DigiCert is not shown in the table above because their certificates actually chain back to the Entrust root.
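The decision the device makes, as an added example that is not from the original post: the Go program below builds a throwaway PKI (a root, an issuing intermediate, and a server certificate for the hypothetical name *.example.com) and then asks, for a given device image, whether the chain ends at a root that image already contains and whether the host name is covered, treating wildcard names as usable only on Windows Mobile 6.0 and later.  The root-store contents and the Check logic are a model of the behaviour described above, not Windows Mobile’s own code; to ask the same questions about a real purchase, swap the constructed certificates for your server’s chain (x509.ParseCertificate) and the root list for your image.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newTemplate returns a minimal CA or TLS-server certificate template (constructed PKI only).
func newTemplate(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent's key, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildTestPKI: root -> inter -> leaf (*.example.com), plus an unrelated root standing in for
// whatever the OEM baked into a device image. All of it is constructed here; none of it is real.
func BuildTestPKI() (root, inter, leaf, other *x509.Certificate) {
	root, rootKey := issue(newTemplate("Example Public Root CA", true), nil, nil)
	inter, interKey := issue(newTemplate("Example Issuing CA", true), root, rootKey)
	lt := newTemplate("*.example.com", false)
	lt.DNSNames = []string{"*.example.com"}
	leaf, _ = issue(lt, inter, interKey)
	other, _ = issue(newTemplate("Unrelated Root CA", true), nil, nil)
	return
}

// PoolOf stands in for a device's root store, or for the intermediates a server sends.
func PoolOf(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

type Verdict struct{ RootResident, NameMatches, UsesWildcard bool }

// Check models the device: the chain must end at a resident root and host must match a SAN
// (or the CN when there are none). Wildcards count only when wildcardOK (WM 6.0 and later).
func Check(leaf *x509.Certificate, inters, deviceRoots *x509.CertPool, host string, wildcardOK bool) Verdict {
	var v Verdict
	_, err := leaf.Verify(x509.VerifyOptions{Roots: deviceRoots, Intermediates: inters})
	v.RootResident = err == nil
	names := leaf.DNSNames
	if len(names) == 0 {
		names = []string{leaf.Subject.CommonName}
	}
	h := strings.ToLower(host)
	for _, n := range names {
		n = strings.ToLower(n)
		if n == h { // exact match works on every Windows Mobile version
			return Verdict{v.RootResident, true, false}
		}
		// *.example.com covers mail.example.com but not example.com or a.b.example.com
		if strings.HasPrefix(n, "*.") && strings.HasSuffix(h, n[1:]) && strings.Count(h, ".") == strings.Count(n, ".") {
			v.UsesWildcard, v.NameMatches = true, wildcardOK
		}
	}
	return v
}

func main() {
	root, inter, leaf, other := BuildTestPKI()
	fmt.Printf("WM 6.1, root in image: %+v\nWM 5.0, root not in image: %+v\n", Check(leaf, PoolOf(inter), PoolOf(root), "mail.example.com", true), Check(leaf, PoolOf(inter), PoolOf(other), "mail.example.com", false))
}
```

Two things the output makes visible that the prose does not: a missing intermediate fails the chain even when the root is resident (the server must send it, since the device has no way to fetch it), and a wildcard certificate that is trusted on a 6.x image is still useless on a 5.0 image because the name check, not the chain, is what fails there.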

Dave Field, CISSP, MCP
Device Management and Security Architect
Enterprise Mobile, Inc.

Writing custom GPOs for SCMDM 2008

UPDATED: Oct 5, 2008: Updated v1.1 .ADM file with corrections and additional settings.

One of the most powerful things about Microsoft System Center Mobile Device Manager (SCMDM) is the ability to manage all of your Windows Mobile 6.1 or above devices through Active Directory (AD) Group Policy Objects (GPOs). A large percentage of the corporate market is already using GPOs to manage their desktop, notebook and server environments.

The GPO technology was introduced in Windows 2000 Server. Before that there were System Policies in Windows NT 4.0. There is already a fair amount of documentation and knowledge around extending GPOs to your own needs. But here I will go into some aspects more important around making use of SCMDM and supporting Windows Mobile in an enterprise running AD.

In this article I will go through how you can extend your own GPOs to have additional settings not available out of the box in the default Windows Mobile GPO template supplied by Microsoft in SCMDM 2008. I will expect that you already know how to access and use the default SCMDM GPO settings.

Windows Mobile Registry Keys

GPOs work by writing registry values on the client machines.  This is no different on Windows Mobile compared to other Windows platforms at this point in time.

I will save the discussion of where to find and research Windows Mobile registry locations for another time, but will point out that many are bound to specific OS levels, OEMs and hardware requirements, so what works on one WM device may not work on another.  I can’t stress enough the importance of testing such settings before a larger deployment to end users.

For this article I have asked my colleague, Chris De Herrera, to suggest some registry keys to use:

Improve text rendering performance by increasing the GLYPH Cache to 32k (decimal):


Internet Explorer Mobile homepage settings:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]

Configure Communicator Mobile:

[HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings]

Furthermore I have also researched the following registry keys which may be helpful in corporate environments:

ClearType Activation:

[HKEY_LOCAL_MACHINE\System\GDI\ClearType]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]

Browser History:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Default Search Page:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"=

Internet Explorer User Agent:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Platform"="Windows CE"
"Version"="MSIE 6.0"

Menu Animations:


Windows Animations:


Error Reporting:


Today Screen Text:


Display Time/Date in Taskbar or disable for battery indicator:


Permit Bluetooth and IrDA File Transfer:


Please be aware that most of these settings require a soft reboot of the device before they become effective. The SCMDM policy agent should prompt you for a reboot of the device when an updated policy is synchronized from the Device Management Server.

Creating .ADM Files

Using the information published about the correct registry key prefix to use for GPOs on Windows Mobile, I created my own .ADM file with the sample registry keys listed above and a few other samples currently available.

You can download it here. I have noted in my sample the references used.

Look for a new folder called “Windows Mobile Settings-Extended” in the Computer Configuration section of the Group Policy Object Editor.

The single main trick was to prefix the native Windows Mobile registry keys with the <SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry> path.

So the native:
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs> became the longer:
<SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\Microsoft\Internet Explorer\AboutURLs>.

Note that the HKEY_LOCAL_MACHINE hive name is collapsed to HKLM.  The same works for the HKEY_CURRENT_USER hive, which becomes HKCU.
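As an added illustration (this is not the downloadable v1.1 template), here is a minimal .ADM file that applies the prefix trick to two of the keys listed earlier: the HKLM User Agent key and the HKCU Search Page key.  Because the new folder appears under Computer Configuration, everything sits under CLASS MACHINE and each KEYNAME is written relative to HKEY_LOCAL_MACHINE, as ADM syntax requires; the category name is the folder name given above.  The DEFAULT values are the ones shown in the key list; whether the SCMDM agent honours them on a given OEM image is exactly what the test pass should establish.

```adm
; Windows Mobile Settings-Extended (illustration only, not the v1.1 download)
; The native key is shown above each POLICY; KEYNAME carries the SCMDM policy prefix.
CLASS MACHINE

CATEGORY !!WMExt
  CATEGORY !!WMExt_IE

    ; native: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
    POLICY !!UA
      EXPLAIN !!UA_Explain
      KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent"
      PART !!UA_Platform EDITTEXT
        VALUENAME "Platform"
        DEFAULT "Windows CE"
      END PART
      PART !!UA_Version EDITTEXT
        VALUENAME "Version"
        DEFAULT "MSIE 6.0"
      END PART
    END POLICY

    ; native: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    POLICY !!Search
      EXPLAIN !!Search_Explain
      KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKCU\Software\Microsoft\Internet Explorer\Main"
      PART !!Search_URL EDITTEXT
        VALUENAME "Search Page"
        REQUIRED
      END PART
    END POLICY

  END CATEGORY
END CATEGORY

[strings]
WMExt="Windows Mobile Settings-Extended"
WMExt_IE="Internet Explorer Mobile"
UA="Internet Explorer User Agent"
UA_Explain="Sets the Platform and Version strings that Internet Explorer Mobile reports. Takes effect after a soft reset of the device."
UA_Platform="Platform:"
UA_Version="Version:"
Search="Default Search Page"
Search_Explain="URL of the search page used by Internet Explorer Mobile. Delivered through the HKCU branch of the SCMDM policy path."
Search_URL="Search page URL:"
```

Load it through Add/Remove Templates in the Group Policy Object Editor.  Because every KEYNAME starts with SOFTWARE\Policies, the editor treats these as managed policy settings rather than preferences, so they leave the GPO when set back to Not Configured; whether the device then reverts the native key is OEM-dependent and belongs in the same test pass as the soft reset mentioned above.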

Further Information on .ADM Files

Please see the reference links below for more details on the syntax used in the example .ADM file. The syntax and commands are not the easiest in the world of IT.

I also found an ADM file editor, called ADM Template Editor, from a small company in Australia that may be useful if you are planning to write and manage a large number of custom .ADM/.ADMX files.

Again, please test the policies on the OS platform, level, and hardware you wish to broadly deploy your Windows Mobile settings out to.

Look for more articles soon on useful Windows Mobile registry keys and GPOs!