I have to start off with two things I want you to bear in mind while you read this post:

  • this is my absolute first production deployment (ok, during these last 4 days I did hundreds of back-and-forth steps using Microsoft Deployment Toolkit (MDT) along with WDS in order to find the most manageable deployment architecture, but still…) of Windows 8.1 using MDT 2013
  • any comments are very welcome!

In order to take advantage of an easily maintainable and upgradeable, yet controllable IT infrastructure within the company, I’ve decided to deploy a few VMs running Windows Server 2012 R2 with the WDS role installed. I’ve also installed MDT 2013 (you can download it from here) and Assessment And Deployment Toolkit for Windows 8.1 Update (ADK – you can download it from here). ADK is required in order to get MDT 2013 to work. Also, make sure that you don’t have any older versions of ADK installed (such as the ADK for Windows 8.0, which usually comes high up in the search results when you look for ‘ADK Windows 8.1’).

Installing both ADK (which should come first) and MDT 2013 is child’s play, but only if you remember to sign out after you install ADK – this will force the PATH environment variable to get updated with the %ProgramFiles%\Windows ADK values. Trust me, this is a requirement for a smooth runtime experience with MDT 2013.

As a newcomer, one of the best approaches to learning MDT 2013 is by downloading the MDT Documentation archive from here, but bear in mind that there are a few best practices missing from the documentation kit which will be extremely helpful in the long run:

  1. When you create your first deployment share, bear in mind to use a single-worded share (UNC path), different than the default ‘DeploymentShare$’. Same goes for the deployment share name and folder name. The reason is that you will eventually boot using a customized version of Windows PE (Pre-installation Environment) which might eventually show you the list of task sequences you have defined within your deployment. If you’re like me and like to test things out, you probably won’t want your production images to be mixed with the staging ones. Therefore, I’ve created a deployment share called ‘MDT Staging’.
  2. The deployment share is nothing else than the name suggests: a share – a network share to be specific. This basically means that whilst deploying the customized images of your OS, either you or your users will have to get access to the share. There are two options for this. The first is to manually send the share credentials out to your users, hoping that they won’t share these credentials with others and that they’ll get them right – why shouldn’t they? The second option is to configure the credentials within an initialization file called bootstrap.ini (which is actually configurable from within the Deployment Workbench directly – simply right-click on the deployment itself, choose Properties in the context menu, go to the ‘Rules’ tab and click the ‘Edit bootstrap.ini’ button). Here you can simply set the following defaults: UserID, UserDomain and UserPassword. You might argue that this represents a security vulnerability because I’m saving a set of credentials which have access to one of my shares in clear text format. I admit that, but as long as this specific user only has read access to my share (and write access to the ‘Logs’ folder within the deployment share), there’s no actual reason for concern anyway. Additionally, this user doesn’t even have to be a directory account, it can be a simple local account with read-only access to the share. And since we’re at the bootstrap.ini, it’s also worth sharing that the SkipBDDWelcome=YES default will help a lot as well: specifically, it will skip the welcome message on the deployment wizard.
  3. It might make more sense to go through the deployment as quickly and seamlessly as possible. Therefore, a few Skip defaults within the customsettings.ini (by the way, when you change anything within the ‘Rules’ tab in the main textbox, you’re actually updating the customsettings.ini, which is extremely convenient considering that you’d otherwise have to manually open and save a text file in an elevated Notepad) might help:
    • SkipAdminPassword=YES (if you also configure the AdminPassword default, this will force the Administrator password page to be skipped) – whether you’re creating a reference image or a target image, you’d probably be better off with a unique administrator password, referenced within the Workbench rather than a bulky handwritten notepad somewhere in your office drawer
    • SkipProductKey=YES – whether you’re creating a reference image or a target image, the product key will probably be a MAK which you could safely put in the task sequence (you don’t want your curious users to write this MAK down and use it back at home, right?) or you might even use a KMS to activate your OS. If you don’t have a key altogether, don’t bother going through this deployment wizard page anyway: the installer will ask for it and you can just skip this step until you activate the OS
    • SkipDomainMembership=YES – it’s best to have the domain configured directly within the customsettings.ini file using the JoinDomain, DomainAdmin and DomainAdminPassword values. Keep in mind that Admin in DomainAdmin doesn’t mean that you need to put in your admin user’s password: instead, simply create a user within your Active Directory which is only allowed to Create Computer objects and Delete Computer objects, along with the option of configuring properties (read/write properties) on all your computers within the OU. This basically means that this will be a special user only allowed to join computers to the domain, which helps a lot in automating the deployment process
    • SkipLocaleSelection=YES
    • SkipTimeZone=YES – instead, simply configure the time zone using the TimeZoneName default (e.g. ‘E. Europe Standard Time’). Remember that within Windows, you can get your current timezone and the names of the rest of the time zones using the tzutil command. After all, you’ll most likely deploy the computers based on a deployment share only within a single time zone.
    • SkipApplications=YES – make this part of your task sequence instead; I’ll have more on this later on
    • SkipRoles=YES – same as before, make this part of your task sequence instead
    • SkipBitLocker=YES
    • SkipBDDWelcome=YES
  4. If you’re configuring a target deployment (which, as mentioned at #1, should be a different deployment share for the best deployment experience), make sure that you’re also configuring:
    • SkipCapture=YES – after all, you can both configure the DoCapture default to whatever you’d like your task sequence to end with and, again, having a simple wizard will be much easier to manage in the long run
  5. You might test out different default values and different task sequence options before you actually deploy to your hardware devices, so having some of these defaults configured to NO or not at all (such as the domain defaults – you probably don’t want to add all your tests to your directory) might make sense. However, rather than deleting them from your file, you can comment them out using the ‘;’ symbol. This is also super helpful when you create a new deployment share, because you can simply either comment out or un-comment settings based on your deployment share target.
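
One way to keep track of what the rule files expose, as an added example (not part of the original post or of MDT): the script parses rule text and lists every clear-text password property named above together with the account it belongs to, so each account can be checked against the restricted permissions described in items 2 and 3. The INI content, server name, account names and passwords are constructed, and the function names are this example's own.

```powershell
# Added example: list clear-text credentials in MDT rule files without printing them.
# Both INI texts are constructed samples; server, account names and passwords are made up.
$sampleBootstrap = @'
[Settings]
Priority=Default

[Default]
DeployRoot=\\MDT01\MDTStaging$
UserID=mdt_read
UserDomain=MDT01
UserPassword=Constructed-Passw0rd
SkipBDDWelcome=YES
'@

$sampleCustomSettings = @'
[Settings]
Priority=Default

[Default]
SkipAdminPassword=YES
AdminPassword=Constructed-LocalAdm1n
SkipDomainMembership=YES
;JoinDomain=corp.example.com
;DomainAdmin=mdt_join
;DomainAdminPassword=Constructed-JoinPassw0rd
'@

# Password property -> property naming the account it belongs to.
# AdminPassword has no companion property: it sets the local Administrator password.
$secretProperties = @{
    UserPassword        = 'UserID'
    DomainAdminPassword = 'DomainAdmin'
    AdminPassword       = $null
}

function ConvertFrom-MdtRules {
    param([Parameter(Mandatory = $true)][string]$Text)
    $section = ''
    $lineNo  = 0
    foreach ($raw in ($Text -split "`r?`n")) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # A leading ';' comments a setting out: keep it, but mark it inactive.
        $active = -not $line.StartsWith(';')
        if ($line.TrimStart(';').Trim() -match '^([^=\s]+)\s*=\s*(.*)$') {
            [pscustomobject]@{
                Section = $section; Name = $Matches[1]; Value = $Matches[2]
                Active  = $active;  Line = $lineNo
            }
        }
    }
}

function Find-MdtCleartextSecret {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [Parameter(Mandatory = $true)][string]$Source
    )
    $rules = @(ConvertFrom-MdtRules -Text $Text)
    foreach ($rule in $rules) {
        if (-not $secretProperties.ContainsKey($rule.Name)) { continue }
        if ([string]::IsNullOrEmpty($rule.Value)) { continue }
        $account = 'local Administrator'
        $accountProperty = $secretProperties[$rule.Name]
        if ($accountProperty) {
            # Find the account property in the same section, commented out or not.
            $owner = $rules | Where-Object {
                $_.Section -eq $rule.Section -and $_.Name -eq $accountProperty
            } | Select-Object -First 1
            $account = if ($owner) { $owner.Value } else { '<not set>' }
        }
        [pscustomobject]@{
            Source   = $Source
            Line     = $rule.Line
            Section  = $rule.Section
            Property = $rule.Name
            Active   = $rule.Active
            Account  = $account
            Length   = $rule.Value.Length   # report the size, never the secret itself
        }
    }
}

$findings  = @(Find-MdtCleartextSecret -Text $sampleBootstrap -Source 'bootstrap.ini')
$findings += @(Find-MdtCleartextSecret -Text $sampleCustomSettings -Source 'customsettings.ini')
$findings | Format-Table Source, Line, Property, Active, Account, Length -AutoSize
```

To audit a real share, pass the output of Get-Content -Raw for Control\Bootstrap.ini and Control\CustomSettings.ini under the deployment share root. Bootstrap.ini is also copied into the Windows PE boot image when the deployment share is updated, so the boot media carries the same UserPassword.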

When it comes to the actual deployment shares, there are a few things worth sharing:

  1. First and foremost, make sure that you always test your deployments using a VM (Hyper-V is probably one of the best virtualization technologies you can use for free right now for this purpose, especially due to the fact that Gen2 VMs can both PXE boot and are UEFI capable). This is a best practice due to the fact that you can always create a checkpoint and revert the machine back and forth just to make sure that your deployment works fine. It doesn’t make sense to wait too long for your reference deployment to be created just to find out that a variable or whatever application is messing up the entire process. Additionally, using a VM will ensure that only the most generic hardware drivers will be used and no funny mouse-or-whatever-device drivers get injected, as they would if you used an old PC to test your deployments (actually, you shouldn’t use an old PC to deploy anything; you’d better get rid of it :-)).
  2. And since we’re talking about drivers, whatever you do, never ever add drivers to your reference image. Instead, add them to your target image only, because you might eventually need to buy a new PC which might have different specs than the original one: do you really want to create the entire reference image from scratch and install all the apps used within the company again?
  3. If you’re using PCs from known vendors (HP, Dell, Fujitsu, Lenovo etc.), make sure that you get the corresponding drivers from the enterprise support systems. In fact, there are some apps for that too, such as HP SoftPaq and ThinkVantage Update Retriever, but if you’re not able to use any of these, simply go through their enterprise support websites (here’s the one for Dell).
  4. Never ever download drivers from strange websites or aggregates (Softpedia and such). If the vendor has a website, use that website instead!

As a best practice, I’d also advise you to group all the drivers in an OS\Computer model hierarchy. Also, make sure that the model is exactly the same as the model specified by the vendor. You can get the model specified by your vendor by using the Get-WmiObject PowerShell cmdlet (Get-WmiObject -Class Win32_ComputerSystem).

Another best practice is to create task sequences based on the PC models you have in the company, considering these are brand PCs from known vendors rather than custom-made PCs. The cool trick here is in regard to drivers: you can control the drivers which exist in the driver repository Windows is looking into when it first installs by changing the following:

  1. In the Preinstall step within a task sequence, go to Inject Drivers and change the default selection profile to ‘Nothing’, and also check the radio button option of ‘Install all drivers from the selection profile’. This might at first not make any sense, because we’re actually telling the deployment process to get all the drivers only from nowhere (?!), but the fact is that
  2. you configure (before the Inject Drivers phase) a Task Sequence Variable (from Add > General) and name it DriverGroup001 and give it the value of Windows 8.1\%model% (considering that you’re using an OS\Computer model hierarchy as advised earlier).
    • this will basically instruct Windows to look only in a computer model’s specific folder for drivers, not in the entire repository of all the drivers for all the PCs you’re using in your company
    • unfortunately, if you’re using a custom-made PC you’ll get generic computer model names instead, such as ‘All Series’ if you have an Asus motherboard.

Earlier in this post I mentioned that it’s fine to skip the applications selection page. The idea is actually to get better control of the applications you’re installing and also more insights into the applications which have quiet installers. Basically, rather than having the deployment process install the applications on your behalf as a bulky operation, you should create a new group right before the Windows Update (Pre-application installation) phase called ‘Custom tasks (Pre-Windows update)’ and have all your applications installed as Install Single Application phases. If you don’t like/need/want that kind of control, you could also create an application entry in the application group within the deployment share which depends on all the applications you want to install and have this application created as an Install Single Application phase in your new group. Of course, you might be wondering now why you’d do that: the reason is that if you’re installing Microsoft applications (which you probably will), you should get updates for these applications too. You might also be installing chipset drivers, and this application-driver type should be installed first.

Anyway, the idea of having applications installed as install single application phases is to gain better control of the application installation process and finally to automate the entire deployment process altogether.

Another cool trick available in MDT (and not available in SCCM, at least not to my knowledge) is that you can temporarily suspend the deployment process for cases in which, let’s say, you need to manually download an installer or ClickOnce application or whatever. All you have to do is copy the Tattoo phase in the task sequence, paste it wherever you need the deployment process suspended and replace ZTITatoo with LTISuspend in the command line. This will automatically suspend the deployment process and allow you to run whatever tasks manually; when you’re done (even if you need to restart), just double-click the resume shortcut which was created on the desktop (this automatically resumes the deployment process from where it left off). This trick helps install ClickOnce applications which require licensing (they normally exit with any of the 0 or 3010 codes too soon and thus don’t get installed properly) or install apps or SDKs using Web Platform Installer (such as Azure SDK).

Last but not least, make sure that you select the Windows Update options in the task sequence of your deployment process for the target computers only. Downloading updates during the deployment process on the reference computers will force the deployment process to take considerably longer (for example, it took in my tests an extra 3 hours to create the reference image if the computer was updated during reference image deployment) and thus doesn’t make too much sense. Instead, you might be interested in updating the target computers only. Moreover, you could also add the update packages (though it is tremendous work to keep the Packages folder up-to-date in the deployment share) or you could install the Windows Server Update Services (WSUS) role on one of your servers and set the update server URL within the customsettings.ini file using the WSUSServer default.

Ok, that’s it for now.

Happy deploying,

Alex

There’s a hidden feature in Windows 8.1 that for some reason (marketing?!) didn’t get public-ish… It’s slide-to-shutdown. Basically, just like on Windows Phone, with slide-to-shutdown you have the option of shutting down your PC by sliding down the lock screen.

This ‘feature’ is however available on your Windows 8.1 PC by running slidetoshutdown.exe. You can do this directly from your Run prompt or by running slidetoshutdown.exe from a custom app you might develop for yourself (and the rest of the world :-) ).

Alex

A couple of days ago I’ve updated my phone to the preview version of Windows Phone 8.1 and after intensively using it, I made a list of things I love and things I hate about it. Here it goes:

Things I love about WP8.1

  1. UPDATE: I’ve just realized that WP8.1 has Speed Dial! Honestly, I feel that this is a hidden gem. Love it! Just open up the Phone tile and swipe left or right and you get access to your speed dial. No more ridiculous tiles to your contacts on the home screen!
  2. UPDATE: Another cool thing about WP8.1 is that you can open up an unlimited number of tabs (ok, I didn’t really try to open up ridiculously many tabs, but I’ve realized that after opening up about 9 tabs, I still have access to all of them). Man I love this WP update!
  3. Universal Apps framework: that’s right, this is a developer specific feature that basically gives me the opportunity to develop a single code-base (views included) for both Windows Phone 8.1 and Windows 8.1, which is incredible. Of course that for a highly performing and snappy app some tweaking will be required, yet it’s a cool feature to have, given that your customer audience grows exponentially every day. Sweet!
  4. Customizable background: yes, you can finally have your own custom background in the home screen. This means that the image you select becomes part of your apps’ tiles background. There’s also a cool effect when you slide up and down, meaning that the background isn’t completely static, yet it doesn’t move along with the slider either. You therefore get an effect where the background seems to stay far back whilst the tiles are closer to you: just like you’d be watching out of the window. Sweet!
  5. Action Center: never lose your notifications again! Simply slide from the upper side of the screen and get quick access to the Notification Center. Also available from the lockscreen, even if you’ve activated your PIN lock. Finally, guys!
  6. Pin-able Data Sense, Storage Sense and Settings shortcuts in the App list.
  7. Battery percentage and date (shown in the Notification Center; good enough).
  8. Two-way authentication with your Microsoft Account (seriously, was about time – I had enough of creating app secret keys for WP)
  9. IE11 with goodies:
    1. all your videos are rendered directly in IE using the HTML5 player, meaning that you no longer navigate to the Video app to watch your YouTube clips. Sweet!
    2. improved tab functionality: you no longer have to pop out the app bar in order to get access to tabs
    3. reading view in IE11: get rid of the annoying menus and ads when you read an article online
    4. IE High DPI fix! Your mobile browser no longer wrongly specifies its screen resolution to .CSS. Finally, right?
  10. Pin-able FM Radio (it’s in the App list)
  11. New volume configuration pop-up: you now have the ability of specifying the Ringer + Notification volume and Media + App volume separately! And you can even de-activate vibrations and leave the ringer on directly from the volume pop-up! I’ve been waiting for this Nokia-touch :)
  12. Improved Store: way better content-presentation, quick access to categories, improved suggestions (at least, for me!).
  13. New logos: my Exchange account finally gets a proper Exchange-like icon on its tile!
  14. Cortana: what’s cool about it is that it can asynchronously search your inbox for e-mails that contain plane tickets and it will (theoretically) automatically remind you that it’s time to leave for the airport, given the traffic conditions, flight schedule, distance to departure airport etc. However, it’s still in beta and most of your searches will end up in a Bing query.
  15. Screen projections: just connect your phone via USB to a PC and get a projection on your PC of what your phone shows without installing any additional apps on the phone. As a developer, I love this! No more Hyper-V based emulators during presentations.
  16. Improved Photos: there’s a new home screen in Photos that only shows you the photos you’ve taken, in a day-based grouping. You can still access your Facebook or OneDrive photos, but you no longer get thumbnails on all your albums from these, meaning that curious eyes won’t see what your albums might contain. I love this feature! Moreover, you can select photos as favorites which will make your tile display those images only. Sweet!
  17. VPN
  18. tap + send is finally renamed to NFC. I never understood the idea of marketing this feature as tap+send…
  19. Quick access to screen rotation lock from the Notification Center
  20. Quiet hours: I loved this on my iPhone, I love it on my Windows Phone.
  21. Quick keyboard: just slide your finger and it’s done. You don’t have to worry about double letter in a word and whenever you start a new word (by releasing the keyboard = taking your finger up), a new space is added.
  22. THE BEST OF ALL FEATURES: tight integration with your Microsoft Account. Want to change your theme color? That gets automatically synced to your other Windows (or Windows Phone) devices and vice-versa. Your favorites in IE are also synced (roamed, as they call it)

What I hate about Windows Phone 8.1:

  1. The sliding keyboard thing only works in English.
  2. Cortana is configured to work only in US (or if you configure your region as US). Why would they do that? I can speak English elsewhere too. Is this Bing related? :-(
  3. Apparently, it’s easier to move the caret around. As an ex-WP7, WP8 user, I hate that they removed the way you move the caret around: even though it’s similar to the Windows experience, the caret-mover is almost impossible to use as soon as you place your thumb on the screen simply because you no longer see the caret. Actually, that’s what I love about the way I’d move the caret before: it was about 0.5 cm away from my thumb, meaning that I could always see where I was placing the caret. (note: caret = cursor :-) ).
  4. Because Cortana is accessible via the Search button (both tap and long-tap), you no longer get access to the old Search place. This means that if you’ve been using Local Scouts, you have to use Cortana. That’s ok, but, if you were using the Search functionality to scan barcodes or QR-codes, you now have to open the Camera app (which I normally don’t use, simply because I find Nokia Camera better and because on my old 1020, Nokia Camera was the only app to shoot high-resolution – 39MP – photos), open up the Lenses menu and select Bing Vision. From my point of view, that’s a horrible user experience and I might end up installing crappy QR-code scanner apps. Yuck.
  5. I got super-excited about the lock screen themes at Build 2014, yet there are no lock screen themes. :-((

I think that’s it for now. As soon as I find something cool/uncool about WP8.1, I’ll update this page.

A.

Hi fellas,

I’m currently getting my agenda ready for //build and I can hardly wait for the keynotes. After going through the agenda, I found some very interesting sessions:

  • Diagnosing Issues with Windows Phone JavaScript Apps Using Visual Studio
  • Multitasking and Triggered Background Tasks for Windows Phone Apps (in regard to Windows Phone 8.1)
  • Building a Converged Phone and PC App using HTML and JavaScript

I guess we’ll be hearing about a shared WinRT or something, between both desktop and mobile devices. From a developer’s perspective, that would rock!

A

In April of 2013 we held the first Global Windows Azure Bootcamp at more than 90 locations around the globe! This year we want to again offer up a one day deep dive class to help thousands of people get up to speed on developing Cloud Computing Applications for Windows Azure. In addition to this great learning opportunity the hands on labs will feature pooling a huge global compute farm to perform diabetes research!

Today I am proud to announce that I am going to both host and speak at the GWAB 2014 event in Oradea, RO. Here’s the conference link: http://gwabor.azurewebsites.net

See you there!

Hi guys!

First of all, have a Happy New Year!

Several people asked me ‘Why did Microsoft remove the System Experience Index from Windows 8.1’? Well, you might indeed be wondering why, but the fact is that it didn’t really go anywhere since it’s still there, but not graphically.

So, if you want to score your PC in Windows 8.1, you have to run the Windows System Assessment Tool from command line (is there any other way?), by using the winsat command in an elevated Command Prompt. You have the option of assessing your Desktop Windows Manager (system graphics capabilities), CPU, Internal Memory, Direct 3D, Disk drives and some other features. Of course, you can also run all of these under a single test (formal test).

However, given the complexity of the output shown by Windows System Assessment Tool, I suppose that Microsoft either prepares something for Windows 8.next when it comes to the Experience Index or they’re planning to completely remove WEI from the next version of Windows. You still have to keep in mind though, that according to this Windows page (What is Windows Experience Index), WEI typically scores from 1.0 to 7.9 and that in a PC powered by a 64bit processor with 4GB (or less), your memory score will drop to 5.9 and therefore your overall score will also drop to 5.9. Even so, I assembled a PC several months ago on which I achieved scores of 8.1 in a row. Therefore, I might say that either the page is outdated or the rating system is about to get some updates, don’t you think?

Alex

Lab Management is a great piece of software that makes great use of virtual machines in order to create virtual labs where you, your team and your testers can test out an application in a clean environment. Lab Management integrates with Team Foundation Server 2010 and thus enables you to create the lab environments out of Visual Studio with ease.

So I started upgrading our TFS 2008 to the not-so-brand-new TFS 2010, on a completely different new machine. Besides the hassle regarding upgrading the databases, preparing the user accounts, the shared folders, the services etc., I got to the point where I had everything working (except SharePoint Services 3 integration; will talk about that later) and was getting ready to install the Lab Management stuff.

Before starting off with the real subject of this post, let me tell you, in short, the environment topology: Active Directory with several domain controllers running WS2003, one WS2008R2 machine running two instances of SQL Server 2008 R2 (one for TFS 2010, one for SCVMM 2008 R2 –> it is important not to use the first instance for SCVMM), System Center Virtual Machine Manager 2008 R2, Team Foundation Server 2010 and SharePoint Services 3. Also, for running SCVMM that machine has the Hyper-V role activated.

First things first, so I installed the Hyper-V role on my Windows Server 2008 R2 machine and afterwards System Center Virtual Machine Manager 2008 R2, because Lab Management works with SCVMM. After putting everything up and creating the SCVMM configuration to work with Hyper-V, I got to the final (and, in the end, not so final after all) point where I would configure the Lab Management in Team Foundation Server Admin Console.

So I put in the machine’s fully qualified domain name and click Test, but then suddenly a dialog box pops up requesting a user account. So I enter the user account I created for the Lab Management stuff (TFSLAB), insert the password and click Test. The credentials are fine, so I click Ok. Boom! I get this error:

TF260078: Team Foundation Server could not connect to the System Center Virtual Machine Manager Server: servername. More information for administrator: You cannot contact the Virtual Machine Manager server. The credentials provided have insufficient privileges on servername.

Ensure that your account has access to the Virtual Machine Manager server on servername, and then try the operation again.

Right. Now what? I double-check the password. Password’s fine. I double-check the username. Username’s fine. Obviously this doesn’t have anything to do with the credentials. I check the Configuring Lab Management for the First Time article on MSDN (here). Scroll down the site, and come across a Troubleshooting link. Click the link and come across a short text that basically tells me to check some blog or the forums. Check the blog. Nothing there about 260078. Check the forums. No similar error.

Obviously, I’m special! Search the Web some more. After about an hour or so, I decide to post in the MSDN forums: maybe a wise man does have an answer after all. Post the error in the forum. Wait for two hours. I’m notified on my phone that someone has replied to my post. Don’t really have the time to check the post in that moment, so I’ll leave it for a couple of minutes, but then another notification alerts me! Surely I must have found gold! Two replies one after the other? Problem is as good as solved. Check the thread and find out only that someone else is trying to figure out the same thing.

Ok, enough with the introductory chit-chat.

What I did:

1. (don’t really know if it helps, or not, but this was required for similar errors) Added TFSLAB (and eventually TFSSERVICE – the account Team Foundation Service runs under) to these AD groups: Pre-Windows 2000 Compatible Access and Windows Authorization Access Group.

I tried running the Lab Configuration again, but still no luck.

2. Changed the accounts the Virtual Machine Manager and SQL Server (this is absolutely required) and Virtual Machine Agent run under to the TFSLAB account. Restart the services, but Virtual Machine Agent doesn’t start. The Service Manager posts some extremely generic error message (The Virtual Machine Manager Agent service terminated with service-specific error %%-2147217405.), so I check the Event Viewer and find this: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9C38ED61-D565-4728-AEEE-C80952F0ECDE} and APPID {5364ED0E-493F-4B16-9DBF-AE486CF22660} to the user domain\tfslab SID (S-1-5-21-1004336348-790525478-1801674531-15332) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

As the message suggests, VMM Agent cannot start because of a component. My suspicion is that TFSLAB doesn’t have privileges to that component, so I immediately open Component Services. However, the components are only listed by their friendly name, so I open the registry editor in order to find the component’s friendly name: Virtual Disk Service Loader. Sounds promising. I go back to Component Services, search for Virtual Disk Service Loader, right-click it in order to configure the security permission and find that everything is grayed out, as if it were disabled. I check whether DCOM is enabled (right-click on the computer in the Component Services list) and find that it is.
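
The manual lookup described above (event text, then registry editor, then Component Services) can be scripted. The following is an added example, not part of the original post: it parses the event message quoted earlier, resolves the CLSID and APPID to their registry names, and shows which account owns each key. The function names are this example's own, and the registry lookups only return data on the server that logged the event.

```powershell
# Added example: extract the identifiers from the DCOM event text quoted in the post
# (account written as domain\tfslab) and look up the matching registry keys.
$message = @'
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9C38ED61-D565-4728-AEEE-C80952F0ECDE} and APPID {5364ED0E-493F-4B16-9DBF-AE486CF22660} to the user domain\tfslab SID (S-1-5-21-1004336348-790525478-1801674531-15332) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
'@

function ConvertFrom-DcomPermissionMessage {
    param([Parameter(Mandatory = $true)][string]$Message)
    $guid    = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = "grant (?<Permission>.+?) permission .*?CLSID\s+(?<Clsid>$guid)\s+and APPID\s+" +
               "(?<AppId>$guid)\s+to the user\s+(?<User>.+?)\s+SID\s+\((?<Sid>S-[\d-]+)\)"
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Permission = $Matches['Permission']
            Clsid      = $Matches['Clsid']
            AppId      = $Matches['AppId']
            User       = $Matches['User']
            Sid        = $Matches['Sid']
        }
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null   # not resolvable from this machine (other domain, deleted account)
    }
}

function Get-ComKeyInfo {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('CLSID', 'AppID')][string]$Kind,
        [Parameter(Mandatory = $true)][string]$Guid
    )
    $key  = "Registry::HKEY_CLASSES_ROOT\$Kind\$Guid"
    $info = [pscustomobject]@{ Key = "HKCR\$Kind\$Guid"; Name = $null; Owner = $null }
    if (Test-Path -LiteralPath $key) {
        # The key's default value holds the friendly name shown by the tools.
        $info.Name  = (Get-Item -LiteralPath $key).GetValue('')
        # The owner is the account that controls who may change the key's permissions.
        $info.Owner = (Get-Acl -LiteralPath $key).Owner
    }
    $info
}

$parsed = ConvertFrom-DcomPermissionMessage -Message $message
if ($parsed) {
    $parsed | Add-Member -NotePropertyName ResolvedAccount -NotePropertyValue (Resolve-SidName $parsed.Sid)
    $parsed | Format-List
    Get-ComKeyInfo -Kind 'CLSID' -Guid $parsed.Clsid | Format-List
    Get-ComKeyInfo -Kind 'AppID' -Guid $parsed.AppId | Format-List
} else {
    Write-Warning 'Message does not look like a DCOM permission event.'
}
```

On a live server the same text is the message of DistributedCOM event ID 10016 in the System log, which Get-WinEvent can read and pipe into ConvertFrom-DcomPermissionMessage.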

Search online books some more and find that for Windows Server 2008 R2, Microsoft, for some “security” reason, decided that Administrators, no matter their level of godness, are no longer permitted to configure anything in the Component Services and instead, a user called TrustedInstaller has access (even the godlike SYSTEM account is no longer permitted access there –> WHY?!).

Some article on the Web stated that going back to the registry editor, to HKEY_CLASSES_ROOT\CLSID\idHere (replace idHere with that long ID you’re looking for, 9C38…), clicking on the permissions option in the CLSID’s context menu and configuring the FULL CONTROL permission for the Administrator should solve the problem. However, it didn’t. What I did though (as a temporary resort, because it was getting frustrating) was to add the TFSLAB account to the local admin accounts group.

So, in conclusion:

  • add the TFSLAB account to the local admins
  • add TFSLAB to the AD built-in groups I mentioned earlier
  • run SQL Server instance service with the TFSLAB account
  • run the VMM service with the TFSLAB account

and you should have everything up and running (after finishing the configuration, of course).

Till next time,

A