Hi there, for those who are struggling to get the graphics on the Raspberry Pi 2 to work with the latest Windows 10 IoT build, here are some tips:

  • Make sure you see the blue Windows logo, otherwise your RP2 might not be booting at all
  • Use a class 10 SD card, others might fail because they are too slow (or just crappy)
  • Use the IoTCoreImageHelper.exe tool to flash the card with the flash.ffu file (or the appropriate version of dism)
  • You will need Windows 10 to flash the card
  • When your graphics go black after you’ve seen the blue logo, change your config.txt file to boot in some kind of Safe Mode:
gpu_mem=32 
framebuffer_ignore_alpha=1 
framebuffer_swap=1 
init_uart_clock=16000000 
hdmi_force_hotplug=1
hdmi_ignore_edid=0xa5000080
config_hdmi_boost=4
hdmi_group=2
hdmi_mode=4
disable_overscan=0 
overscan_left=24
overscan_right=24
overscan_top=24
overscan_bottom=24
  • With this safe mode you can start with a resolution that every display should be able to render, just change and test a few times until you find the best settings for your setup
  • Use this site to tweak your config.txt file: https://www.raspberrypi.org/documentation/configuration/config-txt.md
  • Disconnect unused USB devices, some devices generate I/O that will overload Windows 10 somehow, I had to disconnect the Wifi adapter at first boot
  • Only connect one standard USB keyboard
  • IMPORTANT: wait, wait and wait some more. While tuning the configuration I had to wait a couple of minutes in some cases (2 reboots without display) before I saw output on my display. Take 10 minutes as the limit before you flash your SD card again. Also, every now and then the display stays black. Just disconnect the power supply for a few seconds and try again. In most cases when you cut off power for a few seconds the device will boot normally again. I guess that the boot process has to be enhanced some more but that’s okay… this is one of the very first versions that runs on Raspberry Pi 2 and I installed it just a few seconds ago 🙂
  • Final move would be to switch to another display :-S

Please feel free to reply if you have any questions!!!


As an addition to an excellent blog post on how to support the Windows 8.1 Mail App in Enterprise environments, my colleague Christiaan Evenhuis and I did some research on which Group Policy settings match the corresponding Exchange ActiveSync policies.

The results:

| EAS | AD Group Policy / Local Security policy |
| --- | --- |
| Require alphanumeric password | Password must meet complexity requirements |
| Require encryption on device | BitLocker Drive Encryption \ Operating System Drives (multiple settings). On Enterprise Domain joined clients you should use SCCM to enable encryption |
| Require encryption on storage card | BitLocker Drive Encryption \ Removable Data Drives |
| Allow simple password | Password must meet complexity requirements |
| Number of failed attempts allowed | Interactive logon: Machine account lockout threshold |
| Minimum password length | Minimum password length |
| Time without user input before password must be re-entered | Interactive logon: Machine inactivity limit |
| Password expiration (days) | Maximum password age |

 

Make sure the settings in AD are more locked down, to prevent the Windows 8.1 Mail App from invoking configurations that require local admin permissions. During tests we found out that the Windows Policy provider works on a per-computer basis. So when testing, re-deploy your machine to undo policy settings.

Cheers!

Recently I was building a new deployment using SCCM 2012 R2 for Windows 8.1 Enterprise tablets such as the Windows Surface Pro series. These tablets are domain joined and will have a number of business apps installed. Additionally, having BitLocker enabled is required. Based on test results I found some critical configurations that should be used to make sure OS deployment will succeed on tablet devices.

1. Disk configuration: Make sure that the Windows RE Tools partition is of the type “Recovery”. The MDT template uses “Primary” by default for the Windows RE Tools partition, which will work; however, it may prevent you from enabling BitLocker.

2. Networking: For tablets that don’t have an Ethernet NIC onboard, use Microsoft’s Surface Ethernet adapter to run an OS deployment task sequence. During testing of OS deployments I used a variety of other USB Ethernet dongles (Sitecom, StarTech.com, etc.); however, with each of these dongles each deployment failed while downloading the image. Only 10 – 20 % of the download succeeded before it suddenly stopped. Using the F8 command prompt I was able to determine that the USB Ethernet dongle was not working anymore. Sending ping requests failed, renewing the IP address failed, etc. Only after re-inserting the dongle did it reactivate. I have not found out (yet) why Ethernet dongles other than the MS Surface Ethernet adapter are not capable. It probably has something to do with some of the following features:

10Half = “10 Mbps Half Duplex”
10Full = “10 Mbps Full Duplex”
100Half = “100 Mbps Half Duplex”
100Full = “100 Mbps Full Duplex”
1000Full = “1.0 Gbps Full Duplex”
NetworkAddress = “NetworkAddress”
FlowControl = “Flow Control”
TxRxEnabled = “Rx & Tx Enabled”
WakeOnLinkChange = “Wake on link change”
WakeOnMagicPacket = “Wake on Magic Packet”
WakeOnPattern = “Wake on pattern match”
VLANID = “VLAN ID”
TCPChecksumOffloadV4 = “TCP Checksum Offload (IPv4)”
UDPChecksumOffloadV4 = “UDP Checksum Offload (IPv4)”
TCPChecksumOffloadV6 = “TCP Checksum Offload (IPv6)”
UDPChecksumOffloadV6 = “UDP Checksum Offload (IPv6)”
IPChecksumOffloadV4 = “IPv4 Checksum Offload”
LsoV1IPv4 = “Large Send Offload Version 1”
ARPOffload = “ARP Offload”
NsOffload = “NS Offload”
AutoDetach = “AutoDetach”
UseEeprom = “Use EEPROM Setting”
WolLinkSpeed = “WOL Link Speed”
10mFirst = “10 Mbps First”
MaskTimer = “Mask WakeUp Event Timer”
SelectiveSuspend = “SelectiveSuspend”
SSIdleTimeout = “SSIdleTimeout”

Anyhow, just use the Surface Ethernet Adapter. It will work just fine. Others may work, just make sure to use enterprise capable hardware.

3. Drivers: Use the appropriate drivers! When it comes to drivers for tablets you must be very careful. Just applying all drivers using the Auto Apply Drivers step without category filtering will not end up in a successful installation. Add a driver package for each model and apply it using the default Apply Driver Package step. Don’t add newer versions of the drivers to the driver package you use. Only update drivers by replacing the complete driver package in the task sequence. For the Surface Pro 2, check for driver updates here: http://www.microsoft.com/surface/en-us/support/install-update-activate/pro-2-update-history

I hope that this may be of some assistance!!!

Greets!!!

Hi, every once in a while I need a site server to test or demo some functions. Each time, however, I need to spend a day deploying a server and downloading/installing SCCM, SQL, ADK, server roles, prereqs and more by hand. So that I don’t have to wait for each step to finish, I wrote a basic PowerShell script to automate this. It doesn’t use variables or fancy loops, it just batches it all up in one script.

Step 1: Download source files
On a freshly installed Windows Server 2012 that is a domain member, copy all required files to a folder named C:\Sources. You will need to (pre-)download all files and place them in the following folders:

  • ADK 8.1: C:\Sources\ADK8.1
  • SCCM 2012 R2 setup: C:\Sources\SCCM2012R2
  • SCCM 2012 prereqs: C:\Sources\SCCM2012R2\Downloads
  • SQL 2012 SP1: C:\Sources\SQL2012SP1
  • SQL 2012 SP1 Cumulative Update 2: C:\Sources\SQL2012CU2
  • Windows Server 2012 Feature file store: C:\Sources\SxS

Note that for ADK as well as SCCM 2012 prereq files you will need to pre-download the sources by running the setup wizard.

Step 2: Create unattended setup ini for ConfigMgr
The setup executable for ConfigMgr supports an input file. The following example is a minimal set of required input parameters for the setup to install unattended:

[Identification]
Action=InstallPrimarySite
[Options]
ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
PrerequisiteComp=0
PrerequisitePath=C:\Sources\SCCM2012R2\Downloads
SiteCode=HQ1
SiteName="DvdRuit HQ"
SMSInstallDir="c:\program files\ConfigMgr"
ManagementPoint=S01.DVDRUIT.LOCAL
ManagementPointProtocol=HTTP
SDKServer=S01.DVDRUIT.LOCAL
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
DistributionPoint=S01.DVDRUIT.LOCAL
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=0
MobileDeviceLanguage=0
[SQLConfigOptions]
SQLServerName=S01.DVDRUIT.LOCAL
DatabaseName=SMS_HQ1
SQLSSBPort=4022

You might need to modify some of these parameters to match your environment. You will need a valid product key. The evaluation version does not support unattended installation (unfortunately). Save this file to C:\Sources\Site-setup.ini.

Step 3: Create a powershell (batch) script to install all prerequisites one by one
To install all prereqs you will have to start off by extending the AD schema with some attributes that are used by ConfigMgr. I’ve put this at the top to make sure that replication to other domain controllers is done by the time the SCCM setup command is called. A summary of what is installed:

  • Extend AD
  • Install Windows Features
  • Install ADK 8.1
  • Create SQL service account
  • Install SQL 2012 SP1 with CU2
  • Install ConfigMgr R2

Behold the powershell script:

# Banner: what has to be in C:\Sources before the script is started
echo '======================================================================='
echo '======== INSTALL SITE SERVER AND PREREQS SCRIPT ========='
echo '======== By: Douwe van de Ruit ========='
echo '======================================================================='
echo 'Before proceeding make sure to copy sources from ADK, SQL 2012 SP1,'
echo 'SQL 2012 CU2, Windows 2012 sxs and ConfigMgr R2 to'
echo 'C:\Sources\ADK8.1, C:\Sources\SCCM2012R2, C:\Sources\SQL2012SP1,'
echo 'C:\Sources\SQL2012CU2 and C:\Sources\sxs. Pre-download all prereq'
echo 'files for ConfigMgr to C:\Sources\SCCM2012R2\Downloads. Tested on Hyper-V.'
echo 'No reboots required. Hit enter, get some coffee, sit back and enjoy the ride.'
pause
# schema extension (first, so it can replicate before ConfigMgr setup runs)
C:\Sources\SCCM2012R2\SMSSETUP\BIN\X64\extadsch.exe
# server prereqs
Import-Module ServerManager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ
Install-WindowsFeature WDS
# RSAT-AD-PowerShell provides the New-ADUser and Enable-ADAccount cmdlets used below
Install-WindowsFeature RSAT-AD-PowerShell
# .NET 3.5 from the local feature store instead of Windows Update
dism /online /enable-feature /featurename:NetFX3 /all /Source:c:\sources\sxs /LimitAccess
# install adk components (Deployment Tools, Windows PE, USMT)
cmd /c C:\Sources\ADK8.1\adksetup.exe /quiet /installpath 'C:\Program Files (x86)\Windows Kits\8.1' /features OptionId.DeploymentTools OptionId.WindowsPreinstallationEnvironment OptionId.UserStateMigrationTool
# install sql db
# create the SQL service account; "P@ssw0rd" is a sample value stored in clear text, change it here and in /SQLSVCPASSWORD below
New-ADUser -SamAccountName svcSQL -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd" -Force) -name "svcSQL" -enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Enable-ADAccount svcSQL
C:\Sources\SQL2012SP1\Setup.exe /qs /ACTION=Install /UpdateEnabled=TRUE /UpdateSource="C:\Sources\SQL2012CU2\" /FEATURES=SQL,RS,Tools /INSTANCENAME=MSSQLSERVER /SQLSVCACCOUNT="DVDRUIT\svcSQL" /SQLSVCPASSWORD="P@ssw0rd" /SQLSYSADMINACCOUNTS="DVDRUIT\Domain Admins" /AGTSVCACCOUNT="NT AUTHORITY\Network Service" /IACCEPTSQLSERVERLICENSETERMS /SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS
# install configMgr using the unattended ini from step 2
C:\Sources\SCCM2012R2\SMSSETUP\BIN\X64\setup.exe /script C:\Sources\Site-setup.ini /nouserinput

There you go! A simple but handy script to automate the installation of an SCCM site server. Copy this to “C:\Sources\Install-Site server.ps1”. You might need to change some parameters. Run the script with administrative permissions. When you open the taskmgr and see this you’ll be good:

[Screenshot: task mgr]
I hope this may be of some assistance! After a while SCCM is installed. 🙂
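
The script above keeps the svcSQL password as a literal in the .ps1 file and repeats it on the SQL setup command line. One way to avoid storing it, shown here as an added example that is not part of the original script: prompt for it once at the start and reuse the value for both steps. The paths, the svcSQL account and the DVDRUIT domain are taken from the post; the variable names are illustrative.

```powershell
# Added example, not the original author's script.
Import-Module ActiveDirectory      # needs the RSAT-AD-PowerShell feature

$account = 'DVDRUIT\svcSQL'        # domain and account name as used in the post

# Ask twice so a typo does not become the service account password.
$securePw  = Read-Host -AsSecureString -Prompt "Password for $account"
$securePw2 = Read-Host -AsSecureString -Prompt 'Repeat password'

# SecureString objects cannot be compared directly, so unwrap both.
$plainPw  = (New-Object System.Net.NetworkCredential('', $securePw)).Password
$plainPw2 = (New-Object System.Net.NetworkCredential('', $securePw2)).Password
if ($plainPw -cne $plainPw2) { throw 'Passwords do not match.' }
Remove-Variable plainPw2

# The value is wrapped in "..." on the setup command line below; a double
# quote or a trailing backslash would break that quoting.
if ($plainPw -match '"|\\$') { throw 'Password must not contain " or end with \.' }

# New-ADUser takes the SecureString as-is, so no literal is needed here.
New-ADUser -Name 'svcSQL' -SamAccountName 'svcSQL' `
    -AccountPassword $securePw -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false

# SQL Server setup wants the service password as plain text, so it is still
# visible in the process command line while setup runs, but it is no longer
# saved in the script file.
$sqlArgs = @(
    '/qs'
    '/ACTION=Install'
    '/UpdateEnabled=TRUE'
    '/UpdateSource=C:\Sources\SQL2012CU2'
    '/FEATURES=SQL,RS,Tools'
    '/INSTANCENAME=MSSQLSERVER'
    "/SQLSVCACCOUNT=`"$account`""
    "/SQLSVCPASSWORD=`"$plainPw`""
    '/SQLSYSADMINACCOUNTS="DVDRUIT\Domain Admins"'
    '/AGTSVCACCOUNT="NT AUTHORITY\Network Service"'
    '/IACCEPTSQLSERVERLICENSETERMS'
    '/SQLCOLLATION=SQL_Latin1_General_CP1_CI_AS'
)

# Start-Process joins the arguments with spaces, which is why values that
# contain spaces carry their own quotes above.
$proc = Start-Process -FilePath 'C:\Sources\SQL2012SP1\Setup.exe' `
    -ArgumentList $sqlArgs -Wait -PassThru -NoNewWindow

# Drop the plain-text copies before anything else runs.
Remove-Variable plainPw, sqlArgs

if ($proc.ExitCode -ne 0) {
    throw "SQL Server setup failed with exit code $($proc.ExitCode)"
}
```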


The world of device or client management is changing rapidly and will keep changing. Mobile devices are transitioning to fully capable workspace machines, whereas laptops are becoming more mobile and mainly internet-based. Traditional desktop numbers are dropping. Users will take more responsibility for getting the appropriate apps and keeping their devices up to date and protected. On the other hand, organizations need to control and maintain device compliance in scenarios where highly classified information is disclosed through apps. The number of usage scenarios is growing. With that, management scenarios become more granular as well. Happily enough, technology is also changing. In SCCM and its predecessors, mobile device management capabilities are not new and covered some mobile scenarios. Starting from the Systems Management Server (SMS) 2003 Device Management Feature Pack, administrators were able to do some level of management on Windows-based smartphones. In later versions more “mobile” features and platform support were added. When Windows Intune came into play, Mobile Device Management became more mature and capable of supporting all sorts of business scenarios. Also, the Microsoft Windows client platform is developed with a mobile-first strategy, enabling anywhere, anyplace, anytime relevant functionality while still supporting all sorts of legacy scenarios as well (such as managed desktops). All form factors will be supported in all scenarios. However, it raises some questions when designing such a solution:

  • Should I choose SCCM or Windows Intune? Both?
  • Is Windows 8.1 a mobile BYO platform or more a desktop client platform? Or both?
  • Do I (the noble admin) need to provide updates and anti-malware services or is that done by the user him/herself?
  • Should and can I install a management client, and is the client domain or workplace joined?
  • Is the device private or corporate owned?
  • What kind of apps will be deployed? ARM vs x86 or x64 based?

For each scenario IT admins have to think in terms of capabilities. With SCCM you will be able to manage corporate and LAN/VPN connected Windows devices well enough. A way of managing devices that are mainly connected to foreign networks such as the internet is to extend SCCM with a Windows Intune subscription that will serve the internet connected clients. If you don’t have the luxury of having SCCM you can use Windows Intune separately (only for small environments). To start with the client management capabilities, there are some client mechanisms that can be used by SCCM and Windows Intune to configure the client:

  • OMA-DM API (Open Mobile Alliance Device Management): Many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices and do only light management. With Windows 8.1, you can use an OMA-DM API agent to allow management of Windows 8.1 devices with mobile device management products such as XenMobile, MobileIron, etc. No agent is required to use this feature.
  • Windows Intune agent: A software agent similar to the Configuration Manager client which is installed on the device and will provide support for deployment of updates and endpoint protection as an addition to the OMA-DM functions. The Windows Intune client should only be used in scenarios without the existence of SCCM, on the Windows x86 or x64 platform, with the requirement to centrally manage updates/antimalware. There is no Windows Intune client for Windows RT or other platforms such as iOS, Android, OS X and Linux.
  • Configuration Manager agent: Most capable management agent for managing Windows-based platforms. When a Windows Intune subscription is connected to SCCM, only clients without the ConfigMgr agent, using OMA-DM instead, can use Windows Intune cloud servers to find content or policies that are configured in SCCM. You only need the SCCM console to manage it all. It might be a bit confusing that a ConfigMgr agent cannot use Intune cloud servers (yet??).

Microsoft made an overview on platform support for enterprises:
[Image: platform support overview]
As you can see the Windows Intune agent is not listed in this table. This is because Microsoft positioned Windows Intune as an extension to SCCM for larger enterprises. For smaller organizations Windows Intune could suffice, and then you might need the Windows Intune client capabilities to centrally manage and control updates and endpoint protection.

When looking at Windows-based devices/clients, mainly two scenarios are left:

  1. ConfigMgr agent based management: updates, endpoint protection, inventory for Windows PCs such as Windows XP, Windows 7, Windows 8 and Windows 8.1. x86 and x64 architecture only.
  2. Agentless management: for Windows RT, Windows Phone and Windows 8.1 devices/clients in a BYO scenario!!!

Windows 8.1 PC management
Note that Windows 8.1 can be positioned in two scenarios: the Windows PC and the Windows BYO device. This is important because when you need to manage a Windows 8.1 client as a Windows PC you should install the ConfigMgr client. Also, the client should be domain joined. You can deploy and manage all settings and software configurations on the client. You will have complete control of the client configuration.

Windows 8.1 BYO management
However, when you need to manage a Windows 8.1 client as a mobile device, the ConfigMgr client should not be installed. Just enable device management through charms bar > PC Settings > Network > Workplace. Enter credentials that match a synchronized Windows Intune user account. Optionally, Workplace Join the device to the corporate Active Directory to support additional services such as Single Sign-On and Work Folders. You only have management control over some security features that are available to the OMA-DM API. No complete control, only light management is possible.

Conclusion
To summarize this post, here is a quick list of which deployment scenario should be used for each management scenario for Windows 8.1 clients/devices:

  1. Intune client: used only for small number of clients. SCCM not used.
  2. ConfigMgr client: used for enterprise PC management. With or without Intune subscription.
  3. Agentless: used for BYO management of Windows 8.1 devices.

I hope this clears things up a bit. In other posts I will discuss the Company Portal and BYO management of other platforms such as iOS, Android etc.

Hi there, just a quick and simple overview on how to remove a Windows Intune client installation. The best way of achieving this would be to retire the client from the Windows Intune admin console (method 1); however, there are some scenarios in which that is no longer an option. Although the Intune client has a lot of similarities with the Configuration Manager client, the Intune client does not come with a lot of command line options. Uninstalling a recent version of the client can only be done with the help of some batch scripts and an executable which can be downloaded from Microsoft. I found the script after deciphering this Japanese technet blog 🙂 http://blogs.technet.com/b/jpintune/archive/2013/04/03/windows-intune.aspx

Anyhoops, you can download the tool by clicking this link: http://support.microsoft.com/common/survey.aspx?scid=sw%3ben-us%3b3097&altStyle=MFE&renderOption=OverrideDefault&showpage=1&fr=1&nofrbrand=1

After executing the exe some files will be extracted. Copy these files to the client and execute the batch files (method 2):

  • AgentUninstall_AIS.cmd
  • AgentUninstall_Intune.cmd


After some time the folder C:\Program Files\Microsoft\OnlineManagement should only hold some log files. Reboot the client.

At this point you can enroll the client into Windows Intune again or install an SCCM client to manage the client again.

OR…….. 

  1. Open an admin command prompt
  2. Navigate to C:\Program Files\Microsoft\OnlineManagement\Common
  3. Run “ProvisioningUtil /UninstallAgents WindowsIntune” (method 3)

Now you have 3 methods of removing the Windows Intune client!

Update: Read comments for more options 🙂

Beginning with SCCM 2012 SP1 / MDT 2012 Update 1, WinPE boot images are based on the Windows 8 kernel. All boot images are upgraded to WinPE 4.0, which comes with some new hardware requirements. Unfortunately, VMware ESX 4.x and older does not natively support the Windows 8 kernel, or rather Windows 8(.1) does not support old hardware (http://windows.microsoft.com/nl-nl/windows-8/what-is-pae-nx-sse2). For VMs to successfully install and boot up you will need to apply a workaround. For this you will need to make some changes to the VM configuration file. Add these lines to the file (if the ROM file is in the VM's own folder, use only bios.440.rom as the file name):

bios440.filename = "path/to/bios.440.rom"
mce.enable = TRUE
cpuid.hypervisor.v0 = FALSE
vmGenCounter.enable = FALSE

Note that using an alternative boot ROM is officially not supported. However, you’re able to try getting a support statement for your specific environment. You can download the BIOS ROM file here: http://communities.vmware.com/servlet/JiveServlet/download/2139717-98102/bios.440.rom