Posted on November 8th, 2013 No comments
When you have connected Windows Intune to System Center Configuration Manager 2012 R2 and try to enroll a mobile device (an iOS device in my case), you may receive the error “UserLicenseTypeInvalid”.
Checking cloudusersync.log on the ConfigMgr site server, the following line looked relevant:
ERROR: SetLicensedUsers exception System.ServiceModel.Security.SecurityNegotiationException: Could not establish secure channel for SSL/TLS with authority 'msub05.manage.microsoft.com'
Solution: restart the SMS_EXECUTIVE service. After that, cloud user sync is back on track and the user can enroll the mobile device. I have seen this a few times now and thought I would share it; I am not sure why it fails quite so often, though.
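The error is a TLS negotiation failure towards the Intune endpoint, so before restarting anything it is worth confirming that the site server can actually reach that host over TLS; if it cannot, the restart will not help. The script below is an added example (not from the original post) that checks the log for the error, tests the TLS connection from the site server, and only then restarts SMS_EXECUTIVE. The log path assumes a default ConfigMgr install location; the endpoint name is the one quoted in the error above and may differ on your server.

```powershell
# Added example (not from the original post): verify the cloudusersync.log TLS error,
# test TLS to the Intune endpoint from the site server, then restart SMS_EXECUTIVE.
# Assumption: ConfigMgr is installed in the default location; adjust $LogPath otherwise.
$LogPath  = 'C:\Program Files\Microsoft Configuration Manager\Logs\cloudusersync.log'
$Endpoint = 'msub05.manage.microsoft.com'   # host named in the error on this server (may differ)

# 1. Confirm the symptom: the log must contain the SSL/TLS negotiation failure.
$hits = Select-String -Path $LogPath -Pattern 'Could not establish secure channel for SSL/TLS' |
        Select-Object -Last 3
if (-not $hits) {
    Write-Host "No TLS negotiation failure found in $LogPath; UserLicenseTypeInvalid has another cause."
    return
}
$hits | ForEach-Object { Write-Host $_.Line }

# 2. Rule out a real connectivity, proxy or certificate problem before restarting anything:
#    open a TLS session to the endpoint from the site server and look at the certificate it presents.
$tcp = New-Object Net.Sockets.TcpClient
try {
    $tcp.Connect($Endpoint, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Endpoint)      # throws if the chain or the name check fails
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("TLS OK: {0}, issued by {1}, expires {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
} catch {
    Write-Host "TLS to $Endpoint failed from this server: $($_.Exception.Message)"
    Write-Host 'Fix proxy, firewall or trusted root certificates first; a service restart will not help.'
    return
} finally {
    $tcp.Close()
}

# 3. The endpoint answers but the connector is stuck: restart SMS_EXECUTIVE.
#    Note that this restarts every site component thread hosted by the service, so pick a quiet moment.
Restart-Service -Name SMS_EXECUTIVE -Force
Get-Service -Name SMS_EXECUTIVE | Select-Object Name, Status
```

Run it in an elevated PowerShell on the site server. If step 2 fails, the problem is between the site server and the endpoint (proxy, outbound filtering or a missing root certificate), not the service.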
Posted on September 24th, 2013 1 comment
Today I held a presentation at the Swedish System Center User Group client day on the topic of Microsoft User Experience Virtualization (UE-V) and its integration in ConfigMgr 2012 R2. Great to see such interest in UE-V! Afterwards, the most common question I got was “Does UE-V roam email signatures for Outlook?”. Well, the answer is yes, but there is a big “BUT”!
UE-V does roam the email signature, but you have to manually set the signature as default in Outlook under Options > Mail > Signatures when logging on to another machine or after reinstalling your own machine. There is also an issue if you are using a localized version of Office. First an example of how the Outlook email signature is actually roamed when switching to another machine; note that you must choose to make the email signature “active” on the other machine.
This is Office 2010 on a Windows 7 machine. Note that I have set this email signature to be active for new messages.
And after logging onto a Windows 8.1 machine, the email signature did roam with me, but I as a user must make the email signature active by selecting it in the drop down list for new and/or replied or forwarded messages.
Problems with the default templates for localized Office versions
If you are running a localized version of Office you must manually update the UE-V templates to accommodate the localized folder names. The rule for roaming the Outlook email signature in the UE-V template file MicrosoftOffice2010Win32.xml defines the following:
This saves and roams all files (email signatures) in the user's %APPDATA%\Microsoft\Signatures folder. The problem is that on a machine with a localized Office version, the email signature folder located in C:\Users\<username>\AppData\Roaming\Microsoft is not called “Signatures” but is localized, to “Signaturer” in my case, as I am running a Swedish installation of Office.
If you have followed UE-V best practices and put your template files on a network share (the settings template catalog) and pointed the agents to it using the UE-V GPO settings, you can simply edit the template file in the network location, replacing “Signatures” with “Signaturer” in my example, and the UE-V agents in your environment will by default pick up the new settings within 24 hours.
This behavior is the default for both UE-V 1.0 (with SP1) and the upcoming UE-V 2.0 (which is now in beta). Note that things might change before UE-V 2.0 is released.
UPDATE September 25th 2013: Microsoft has posted a KB article which explains more about why the mail signature is not set as default/active when roaming, see http://support.microsoft.com/kb/2889499/en-us.
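The edit above is a one-word change, but it is easy to get the localized folder name wrong by guessing, and the change is applied by every agent that reads the catalog. The script below is an added example (not from the original post or from Microsoft) that determines the signature folder name from a client running the localized Office, patches the template on the catalog share with a backup, and triggers the agent's catalog refresh. The share path and the scheduled task name ("\Microsoft\UE-V\Template Auto Update") are assumptions for this example; check the task name in Task Scheduler on an agent before relying on it. Since every agent executes whatever paths the catalog templates name, keep the share writable only by the administrators who maintain the templates.

```powershell
# Added example (not from the original post): find the localized Outlook signature folder
# on this client and patch the shared UE-V template so its rule matches.
# Assumptions: $Template is the copy of MicrosoftOffice2010Win32.xml in your settings template
# catalog share, and the rule contains the folder name 'Signatures' exactly as the post shows.
$Template = '\\fileserver\UEVTemplates\MicrosoftOffice2010Win32.xml'   # assumed share path

# 1. Outlook stores each signature as a .htm/.rtf/.txt triplet with the same base name.
#    Look for the folder under %APPDATA%\Microsoft that holds such triplets (Stationery has .htm only).
$candidates = Get-ChildItem -Path (Join-Path $env:APPDATA 'Microsoft') -Directory | Where-Object {
    $dir = $_.FullName
    Get-ChildItem -Path $dir -Filter '*.htm' -ErrorAction SilentlyContinue | Where-Object {
        (Test-Path (Join-Path $dir "$($_.BaseName).rtf")) -and (Test-Path (Join-Path $dir "$($_.BaseName).txt"))
    }
}
$localized = $candidates | Select-Object -First 1 -ExpandProperty Name
if (-not $localized) { throw 'No signature folder under %APPDATA%\Microsoft; create a signature in Outlook first.' }
Write-Host "Localized signature folder on this machine: $localized"
if ($localized -ieq 'Signatures') { Write-Host 'Template already matches; nothing to change.'; return }

# 2. Back up the template and replace the folder name as a whole word only.
Copy-Item -Path $Template -Destination "$Template.bak" -Force
$xml     = Get-Content -Path $Template -Raw
$patched = $xml -replace '(?i)\bSignatures\b', $localized
if ($patched -eq $xml) { throw "No 'Signatures' rule found in $Template; inspect the template by hand." }
Set-Content -Path $Template -Value $patched -Encoding UTF8
Write-Host "Patched $Template (backup at $Template.bak)."

# 3. Agents re-read the catalog within 24 hours. To pick the change up now on this client, run the
#    agent's catalog refresh task instead of waiting (task name assumed for UE-V 1.0 SP1).
schtasks /Run /TN '\Microsoft\UE-V\Template Auto Update'
```

Run it on a client with the localized Office installed, as a user who has write access to the catalog share. The backup lets you roll the template back if the patched rule does not behave as expected.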
Posted on April 8th, 2013 No comments
Thinking about moving to Windows 8? Here are 8 really good reasons to take the step and move to Windows 8.
1. Tablets. Windows 8 on tablets rocks and provides a way to add this kind of device to your existing infrastructure, adding mobility and security very easily.
2. Security improvements. Windows 8 builds further on the great security in Windows 7. Examples include BitLocker improvements in terms of performance and new protectors, such as using BitLocker with only a password. You also find new security features such as Secure Boot, virtual smart cards and more in Windows 8.
3. x64 platform. With Windows 8 there is no turning back: forget the x86 platform. x64 is the platform to use with Windows 8, and that on UEFI hardware, to be able to use the full potential of Windows 8 (Secure Boot, for instance, requires UEFI).
4. Performance. The Windows 8 platform is the most optimized Windows client to date, requiring less memory and providing a really good user experience.
5. Mobility. With new features such as “Windows on a stick” ie. Windows To Go Windows 8 provides means for great mobility. Add to that new improvements in BranchCache as well as DirectAccess which when used with Windows Server 2012 adds even more and improved mobility features to the Windows client.
6. Virtualization. Client Hyper-V is included in Windows 8 Pro and Enterprise. That means no more need to add third party applications to get the virtualization features you’ve been dreaming about. As a presenter it is really good to be running Windows 8 and virtual machines on a native virtualization platform.
7. User profiles and data. Windows 8 does have some improvements to user profile handling, such as primary machines. Add to that the new UE-V (User Experience Virtualization), which unfortunately is only available to MDOP customers, and you get user settings roaming in no time, and by doing that a really good user experience.
8. Compatibility. The compatibility rate for applications compared to Windows 7 is really good, although not 100% as you might hope. Most applications will just work, but as with all migration projects, testing needs to be done. Expect significantly fewer problems when moving from Windows Vista or 7 to Windows 8 than when moving from Windows XP.
Posted on February 16th, 2013 No comments
Doing Windows deployments over VPN is not a good idea and works really badly. If you are using MDT to do Windows deployments you can easily prevent deploying Windows over VPN.
The easiest way is to modify customsettings.ini to simply not install anything if the network card's default gateway is one we define as a VPN gateway. So let's look at the default customsettings.ini before we modify it.
Now let's look at how we modify it to fit our needs. We add a check so that the first thing we do is check whether the machine is on a VPN connection and, if so, not install anything. In the example we have two default gateways defined.
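The file below is an added example (not the post's own customsettings.ini) showing the modification: MDT's built-in DefaultGateway property is put first in the Priority list, a [DefaultGateway] section maps the two VPN gateway addresses to a [VPN] section, and that section sets OSInstall=NO, which makes the Deployment Wizard refuse to deploy an operating system. The gateway addresses 10.10.10.1 and 10.10.20.1 are placeholders. The [Default] section is the one MDT 2012 generates for a new deployment share.

```ini
[Settings]
; DefaultGateway must come before Default: in MDT the first section that sets a
; property wins, so the VPN section's OSInstall=NO is never overridden below.
Priority=DefaultGateway, Default
Properties=MyCustomProperty

; Map the client's default gateway to a section name. Both addresses are assumed
; VPN gateways for this example; replace them with your own.
[DefaultGateway]
10.10.10.1=VPN
10.10.20.1=VPN

; Clients coming in through a VPN gateway are not authorized to have an OS installed.
[VPN]
OSInstall=NO

[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=NO
SkipBitLocker=NO
```

One caveat: customsettings.ini is only read after the client has connected to the deployment share, so a VPN client will still boot the LiteTouch media and get as far as the wizard before being stopped. This is a guard against accidental deployments, not a network-level block; a machine with more than one gateway is matched on the gateway MDT picks up for the active adapter, so verify the behaviour with a test client on the VPN before relying on it.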
Happy deploying (but not over VPN)!
Posted on January 12th, 2013 No comments
The new framework and infrastructure around apps in Windows 8 bring some new challenges to deal with. To start with, you cannot turn off User Account Control if you want to use the modern apps in Windows 8, but there is more going on behind the scenes that is essential to the working of Windows Store apps.
When a problem does occur, Microsoft provides a nifty little troubleshooter tool for Windows Store apps. Download and run the tool from:
Posted on January 5th, 2013 No comments
A unique Windows 8 book for corporations and enterprises is here! It is called Windows 8 in the Enterprise and provides you with full step-by-step guides and information on how to successfully implement Windows 8 in your existing environment. The writing started in mid-August and was completed in October, after which there have been editorial and technical reviews, and now the book is finally published on Amazon.com. Go grab Windows 8 in the Enterprise now!
Posted on September 20th, 2012 No comments
I came across a rather peculiar thing with MDT 2012 Update 1 recently. MDT 2012 is pretty good at detecting when there are leftovers from previous deployments but this time it failed, and it failed hard.
LiteTouch is trying to install applications. This cannot be performed in Windows PE.
If booting from a USB Flash Disk, please remove all drives before restarting. Otherwise, ensure the hard disk is selected first in the BIOS boot order.
Oh no, I was NOT trying to install applications in WinPE :) It was a pretty plain task sequence, and even recreating it from a brand new standard template did not help. The solution was to remove the MININT and _SMSTaskSequence folders from the target disk using the good old rd command with the switches /q and /s. Unfortunately I did not save the logs, but the point is that if anyone hits this, there is a really easy fix.
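The two folders live in the root of the disk that held the previous deployment, and in WinPE that disk is not necessarily C:, so the clean-up should look at every fixed drive rather than one hard-coded letter. The script below is an added example (not from the original post) that does the same thing as rd /s /q, over all drives except the WinPE RAM disk X:, and then confirms nothing is left. It assumes PowerShell is available where you run it (a booted Windows on the machine, or a boot image with the PowerShell component added) and that no deployment is actually in progress, because a running task sequence keeps its state in _SMSTaskSequence.

```powershell
# Added example (not from the original post): remove MININT and _SMSTaskSequence leftovers
# from every fixed disk, the same clean-up as 'rd /s /q' in the post.
# Assumption: no LiteTouch deployment is in progress on this machine; its state lives in these folders.
$leftovers = 'MININT', '_SMSTaskSequence'

# In WinPE the target disk is not necessarily C:, so check every drive letter except the X: RAM disk.
$drives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' -and $_.Root -ne 'X:\' }

foreach ($drive in $drives) {
    foreach ($name in $leftovers) {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) {
            # Both folders are hidden; -Force is needed to see and delete them.
            Write-Host "Removing $path"
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
        }
    }
}

# Confirm nothing is left before starting the LiteTouch deployment again.
$paths = foreach ($drive in $drives) { foreach ($name in $leftovers) { Join-Path $drive.Root $name } }
$remaining = $paths | Where-Object { Test-Path -LiteralPath $_ }
if ($remaining) {
    Write-Warning "Still present: $($remaining -join ', ')"
} else {
    Write-Host 'Clean; restart the deployment.'
}
```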
Posted on August 17th, 2012 No comments
Windows 8 has reached RTM and is now available for download via MSDN and TechNet, that is, if you have a subscription to one of these services. If you do not and still want to evaluate Windows 8, there is a 90-day evaluation of Windows 8 Enterprise available at http://msdn.microsoft.com/en-us/evalcenter/jj554510.aspx
Follow-up to TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client
Posted on June 27th, 2012 No comments
Here is a summary of the key takeaways from TechEd session WCL326, Five infrastructure changes that will boost performance for the Windows Client: the areas to look into when optimizing performance from an infrastructure point of view.
1. Slow machine boot and login / GPOs and scripts
Use the Windows Performance Toolkit (part of the Windows 7 SDK) to trace what happens during boot. In the trace, narrow in on the Generic Events section and enable only the Group Policy provider to see what the Group Policy client is doing. Group policies and scripts are most often the bad guys when you have performance problems with boot and logon.
Also use Event Viewer > Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational and look for events with IDs 5326, 8000, 8001 or 5016. The last one is of particular interest, as it quickly shows which Group Policy extension is taking the most time to finish.
Clean up: remove unnecessary settings and GPOs. Convert scripts to Group Policy Preferences where possible, or run scripts as scheduled tasks after startup or logon, to minimize boot and logon times.
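Reading the 5016 events one by one in Event Viewer gets tedious on a machine with many extensions. The script below is an added example (not from the session or the post) that pulls the 5016 events from the Group Policy operational log for the last day and ranks the client-side extensions by total and maximum processing time, then lists the 8000/8001 start and end events and the 5326 domain controller discovery events for context. It reads the extension name and the elapsed milliseconds from the event's named EventData fields, whose names (CSEExtensionName, CSEElaspedTimeInMilliSeconds) are assumed here, and falls back to parsing the rendered message "Completed %1 Extension Processing in %2 milliseconds" if those fields are not present.

```powershell
# Added example (not from the session or the post): rank Group Policy client-side extensions
# by processing time from event 5016, and show the surrounding 8000/8001/5326 events.
$log   = 'Microsoft-Windows-GroupPolicy/Operational'
$since = (Get-Date).AddDays(-1)

function Get-CseTiming($event) {
    # Prefer the named EventData fields (names assumed); fall back to the rendered message text.
    $x = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $name = $data['CSEExtensionName']
    $ms   = $data['CSEElaspedTimeInMilliSeconds']
    if (-not $name -or -not $ms) {
        if ($event.Message -match 'Completed (.+?) Extension Processing in (\d+) milliseconds') {
            $name = $Matches[1]; $ms = $Matches[2]
        }
    }
    if ($name -and $ms) {
        [pscustomobject]@{ Time = $event.TimeCreated; Extension = $name; Millis = [int]$ms }
    }
}

# Per-extension timings: which CSE is eating the boot/logon time?
$cse = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5016; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-CseTiming $_ }
if (-not $cse) { Write-Host "No 5016 events in $log since $since"; return }

Write-Host 'Group Policy extensions by processing time:'
$cse | Group-Object Extension | ForEach-Object {
    [pscustomobject]@{
        Extension = $_.Name
        Runs      = $_.Count
        TotalMs   = ($_.Group | Measure-Object Millis -Sum).Sum
        MaxMs     = ($_.Group | Measure-Object Millis -Maximum).Maximum
    }
} | Sort-Object TotalMs -Descending | Format-Table -AutoSize

# Whole-run view: 8000/8001 bracket a computer or user policy processing run and 5326 reports
# how long domain controller discovery took. The Scripts extension at the top of the table above
# usually means logon/startup scripts, not policy itself, are the bottleneck.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5326, 8000, 8001; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the slow client. Compare the TotalMs column between a machine that logs on quickly and one that does not; the extension whose numbers differ is the one to clean up first.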
2. Optimizations for RDP
Activate asynchronous user Group Policy processing to speed up logon for Remote Desktop Services and RemoteApp. Go to Computer Configuration > Policies > Administrative Templates > System > Group Policy and enable “Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services”. Keep in mind that extensions which need foreground synchronous processing, such as Folder Redirection and Software Installation, will then only apply at a later synchronous logon.
Three other really great tweaks are found in Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment:
Do not allow font smoothing = Enabled
Limit maximum color depth = Enabled, set it to 32-bit
Set compression algorithm for RDP data = Enabled, set it to Optimized to use less network bandwidth
3. SMB 2.1
To get full use of the performance improvements in the SMB 2.1 protocol you need file servers running Windows Server 2008 R2. If you are running a third-party storage solution, you need to activate SMB 2.x support on it, as that is not always enabled by default, and sometimes a firmware upgrade is needed first.
In my own measurements the performance increase varies between 10 and 80%.
4. BranchCache
Activate the BranchCache feature from Server Manager on the content servers you want to use with BranchCache. This requires Windows Server 2008 R2 on the content server. For file shares, make sure to enable BranchCache on the share(s) you want to use with BranchCache. Also set the group policy “Hash Publication for BranchCache” on the file server(s), found under Computer Configuration > Policies > Administrative Templates > Network > Lanman Server.
To activate BranchCache on the Windows 7 client, look under Computer Configuration > Policies > Administrative Templates > Network > BranchCache and activate the required GPO settings.
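The steps above as commands, as an added example that is not from the session or the post: the first part runs on the Windows Server 2008 R2 file server, the second on a Windows 7 Enterprise client. The share name Data and the path D:\Data are placeholders, and the client is put into distributed mode with netsh only for a quick test; in production the mode comes from the BranchCache GPO settings, which override whatever netsh sets. Hash publication still has to be turned on through the “Hash Publication for BranchCache” policy as described above; there is no command for it in this example.

```powershell
# Added example (not from the session or the post): BranchCache on a 2008 R2 file server
# and a Windows 7 client. 'Data' / D:\Data are placeholders.

# --- Content server (Windows Server 2008 R2) ---
Import-Module ServerManager
if (-not (Get-WindowsFeature BranchCache).Installed) {
    Add-WindowsFeature BranchCache
}

# Enable BranchCache caching on the share: modify an existing share, or create it with caching on.
if (Get-WmiObject Win32_Share -Filter "Name='Data'") {
    net share Data /cache:BranchCache
} else {
    net share Data=D:\Data /grant:Everyone,READ /cache:BranchCache
}

# After the "Hash Publication for BranchCache" GPO has applied, confirm the service state.
gpupdate /target:computer /force
netsh branchcache show status all

# --- Client (Windows 7 Enterprise) ---
# Normally set via Computer Configuration > Policies > Administrative Templates > Network > BranchCache.
# Quick test on a single machine without the GPO:
netsh branchcache set service mode=distributed
netsh branchcache show status all

# Copy a large file from \\server\Data twice, then read the BranchCache counters: on the second
# copy the 'bytes from cache' figures should rise while 'bytes from server' stays flat.
Get-Counter -Counter '\BranchCache\*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CounterSamples |
    Where-Object { $_.Path -match 'Bytes' } |
    Format-Table Path, CookedValue -AutoSize
```

Run each part in an elevated PowerShell on the respective machine. Remember that BranchCache only helps on the second and later retrievals of content at a branch, so a test needs at least two clients (distributed mode) or a hosted cache server plus a client.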
5. Upgrade key servers to Windows Server 2008 R2
To benefit from the RDP improvements and the SMB 2.1 improvements, and actually make file handling faster, the simple thing to do is to migrate the key servers to Windows Server 2008 R2.
BONUS 1. Microsoft tool to measure performance:
WDRAP (Risk and Health Assessment Program for Windows Desktop) is a tool designed for enterprise customers that verifies overall performance, including bad drivers, applications that make the machine start slowly, and so on. Contact your Technical Account Manager at Microsoft for more information and for help analyzing the results from this tool. Microsoft used this tool themselves some time ago to improve performance in their own environment; more on this in the Microsoft IT case study.
BONUS 2. Hotfixes related to infrastructure and performance, Windows 7 Post-SP1:
You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (WMI issue)
Slow performance when you browse the My Documents folder in the document library in Windows 7 or in Windows Server 2008 R2
Improved interoperability between the BranchCache feature and the Offline Files feature in Windows 7 or in Windows Server 2008 R2
General Q and A
Q: Can I use this tool to measure performance and troubleshoot on Windows XP?
A: You can run the tool on Windows XP by copying xbootmgr and xperfctrl.dll to an XP machine. You can then analyse the results on a Windows 7 machine. However, do not expect the same amount of detailed data, as Windows 7 introduced new features that are not available in Windows XP.
Any further questions around the session or the topics, feel free to leave a comment to the article or send me an email on firstname.lastname@example.org.
Posted on May 10th, 2012 No comments
The most common misconception about AppLocker is that it can be used to let standard users install things that would normally require administrator privileges. This is absolutely 100% incorrect.
What AppLocker does is enforce a set of rules on what is allowed to run on a machine. Allowing something through an AppLocker rule grants it nothing beyond permission to start: if the setup program or the application itself requires administrative privileges at some point, for instance when doing automatic updates, the user still needs those privileges. AppLocker answers the question “may this file run for this user?”; what the process can do afterwards is decided by the user's token and UAC, which AppLocker never changes.
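The script below is an added example (not from the original post) that makes the two decisions visible side by side on a machine with AppLocker rules in effect: it asks the effective AppLocker policy whether an installer may run for a given user with Test-AppLockerPolicy, checks whether the current process actually holds an administrator token, and reads the installer's requestedExecutionLevel out of its embedded manifest. The installer path is a placeholder, and reading the manifest by scanning the file for the manifest text is a simplification that assumes the installer carries an embedded manifest.

```powershell
# Added example (not from the original post): AppLocker decision vs. privilege, side by side.
# Assumptions: AppLocker rules are in effect, $Installer is a placeholder path to an installer,
# and its manifest is embedded in the executable (most installers do this).
Import-Module AppLocker
$Installer = 'C:\Installers\setup.exe'
$User      = "$env:USERDOMAIN\$env:USERNAME"

# 1. What AppLocker says for this file and user: Allowed, Denied, AllowedByDefault or DeniedByDefault.
$verdict = Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Installer -User $User
Write-Host ("AppLocker decision for {0} as {1}: {2} (rule: {3})" -f `
    $Installer, $User, $verdict.PolicyDecision, $verdict.MatchingRule)

# 2. What the token says: does this process hold administrator rights right now?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current process is elevated: $isAdmin"

# 3. What the installer demands: requestedExecutionLevel from its embedded manifest
#    (simplified: scan the file for the manifest text, which is plain ASCII inside the PE).
$bytes = [IO.File]::ReadAllBytes($Installer)
$text  = [Text.Encoding]::ASCII.GetString($bytes)
$level = if ($text -match 'requestedExecutionLevel\s+level="([^"]+)"') { $Matches[1] } else { 'asInvoker (no manifest found)' }
Write-Host "Installer requests execution level: $level"

# 4. Put the two decisions together. Only the first one is AppLocker's.
switch -Wildcard ($verdict.PolicyDecision) {
    'Denied*' { Write-Host 'AppLocker blocks the file; privileges are irrelevant, it never starts.' }
    default   {
        if ($level -like 'requireAdministrator*' -and -not $isAdmin) {
            Write-Host 'AppLocker allows it, but the installer still needs an administrator token:'
            Write-Host 'a standard user gets a UAC credential prompt or a failure, exactly as without AppLocker.'
        } else {
            Write-Host 'AppLocker allows it and the token is sufficient; it runs with the rights it already has.'
        }
    }
}
```

Run it once as a standard user and once elevated: the AppLocker decision in step 1 is the same both times, while only the outcome in step 4 changes, which is the whole point.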