Tuesday, December 20, 2016

SCCM 1610: Ability to migrate BIOS to UEFI Partitioning and Boot

One of the biggest automated migration issues was always the fact that many companies have Windows 7 x64 in place but due to legacy issues with UEFI deployments in the past they stick still with LEGACY Bios settings and not with modern and much more secure UEFI boot bios settings. UEFI also need GPT partitioning and not MBR partitioning.

To remove this hurdle Microsoft introduced in SCCM 1610 a nice feature that allows you to migrate to UEFI during a task sequence.

Additionally to the task sequence you may need a vendor specific tool that allow you to migrate your bios settings to UEFI.

More you can find here:

Example with Dell CCTK.
The original blog still refer to an older alternate way. But the rest of the article in the end refer to the Dell CCTK tool to modify the BIOS. This is still valid.

Enjoy the show!

Thursday, December 15, 2016

2 new categories available

Hey all!

to better maintain and have the single one stop shop for specific information's I added 2 new sides to my site bar right hand side.

Surface Pro tips and tricks (starting with diagnostic, maintenance and deployment stuff)

Powershell Playbook (where I store my own useful scriptlets for my projects)

Just check out the right middle section of this website.

Enjoy your day!

Friday, October 21, 2016

Windows Server 2016 goes live - Check out this primer site (get updates from time to time)

Hi all, it was a while I had my last post. In between much happens. Got to Ignite and many other MS Events and workshops. A lot has changed with new products and we are really facing a big wave of new techniques and possibilities.
Windows Server 2016 is there no exception. It is really a new platform where you can do so much more. Especially saving money in storage!
So this blog should be a starting point to many other sites helping you and me to find around our way.
What's new in Windows Server 2016

Support and Upgrade
Server Upgrade Role Matrix
Server Compatibility Matrix

NANO Server
Nano Server Builder
Server Update/Upgrade

Windows Server Management
(The GUI is gone when installed wrong)
To enable the Management you will need this here
(RSAT Tools Win10 to Server 2016):

Wednesday, September 7, 2016

Updates needed to serve Windows 10 updates and upgrades with WSUS

I created a demo environment and thought it would be nice to use latest SCCM on latest Windows and guess what?  (SCCM Current Branch on Windows Server 2016 TP5)


Reason is you need to install a patch to WSUS to enable Windows 10 catalog.
But this patch is only available to Windows Server 2012 R2.
Not yet available to Windows Server 2016 TP5 (curious but that's the way it is)

So I installed another WSUS Server on Windows Server 2012 R2 latest patches stand alone. Then I enabled WSUS role.

But before you start configuring it. You must install at least these patches for 
Windows Server 2012 R2:
This Update enables the Win10 classification in the WSUS catalog
(also checkout note from WSUS team:

If you synced the catalog already and you missed the fix in the first place you need to read this for fixing it!

This Update enables the ESD function. Without it you can not deploy 1607 or newer!

This update also replaces the problematic fix KB3148812. If it is installed you can install the KB3159706 on top of it! But don't miss the manual steps!

You get all the updates also through (you need to know the KB article number)

Microsoft promised these steps are not necessary for WSUS on Windows Server 2016 RTM.


Wednesday, August 24, 2016

Virtualization based security (Device Guard, Credential Guard) vs. VMware Workstation

Recently a customer asked me what's about the coexistence of the new Microsoft security features like Credential Guard and Device Guard when you need to work with VMware Workstation where you have some VMs locally used for application compatibility where they run older OSes and they need specific interface types like COM Port or USB for their machine diagnostic software?

So the basic question is: Can virtualization based security in Windows 10 which uses Client Hyper-V underneath coexist with VMware Workstation?

When you need more to know about Credential Guard then check this here:

I took the question to MS an the clear answer currently is:
This is CURRENTLY not supported!  (as of Redstone 1 build release in 08/2016)
They are aware of this issue and looking to solve this in some point of time.

The main reason for this is that Client Hyper-V and VMware Workstation occupy exclusively the hardware virtualization extensions (like IOMMU or VT-X).
In this case nested virtualization does not work. For nested virtualization you find more info here:

Also running other virtualization solutions like VirtualBox in a Hyper-V VM that supports nested virtualization is currently not supported!Some VMware Workstation users tried that recently as reported in forums and end up with bluescreens. Check out this here:

When you need VMs with older OSes regarding App Compat you have currently these options:

  1. Use Client Hyper-V for virtualization. And explore the improved interface mappings like COM-Port or USB port redirection.  To check out the new possibilities read this here:
    for COM Port this may also help:
    or make use of Terminal server devices with physical com port redirection via TCP-IP like these here:  There are a couple different vendors available.

  2. A few other virtualization applications have an “emulator” mode.  This mode don’t require hardware virtualization extensions. But their performance is mostly really bad.
  3. Disable Credential Guard and Device Guard, and run a different virtualization technology.

So my recommendation is give Client Hyper-V another trial :-)
Hyper-V was further developed over the last years and is now really break even with VMware virtualization. In some points its even better :-)

Wednesday, August 17, 2016

Mobile Device Management - simplified joining options

With 1607 the options to join MDM while joining Active Directory or Azure AD where simplified a lot. So you do not need to check 2 different options anymore.

So best is to prepare your Azure AD with the right options first and enable auto MDM enrollment there.

See here:

From a user perspective you you have now 4 major options described further here:

Options are so far:
Corporate owned - Active Dirctory
Corporate owned - Azure Active Directory
Private owned - Azure Active Directory
Independent - MDM using a deeplink

Thursday, July 14, 2016

Azure AD Connect: Synced attributes

I am asked from time to time what attributes are synced with Azure AD through Azure Active Directory Connect tool:

In general its just selected user, group and contact information.

Here you find a list of synced attributes:

Depending on Windows 10 features there are also a few machine attributes synced to Azure AD as well. This is necessary for specific scenarios like Passport for work and requires actual versions of Windows 10 build (build 10551 or newer) for devices:

Be carefull and dont think you know what you are doing by partially not syncing them. Depending on the services they are really necessary. E.g. Exchange onpremise stores a lot of informations in AD. So Exchange online do as well. Therefore these attributes are necessary for proper function.

Unless you are the developer of the cloud application like Exchange Online you are not the one to judge if an attribute is necessary for correct function or not.

So either you feel comfortable with the attributes or just dont use Azure AD at all. Everything else will just mess up the AAD information and the cloud applications will not work properly.

Azure AD also stores Bitlocker keys but only for Azure AD joined machines.

Sunday, June 12, 2016

Windows 10 privacy is always a reason for rumors - whats the fact?

Windows 10 privacy is often a discussion that I have with MS customers especially in Europe and there especially in Germany. Therefore I developed a workshop to discuss all the different settings which finally ends up in a 60 slides deck. But as it get outdated with every version I just use anymore the "online" version of information in the TechNet Blog.

In the last years the technology evolves and with this we have much more possibilities we can use these technologies.

E.g. lets think about Cortana. Cortana is a brilliant assistant. She can do amazing things. And each newer version can even more.

But to let Cortana doing these things you need to share informations so she can use them to serve you better.

Lets assume you want to get a reminder when you are on your way home to buy milk. In this case Cortana need to know when you are driving home (GPS data and also your typical way from your working place to your home address). Without these data she is not able to serve you the right information right in time.

That finally means an assistant can only be as usefull as possible when you share the needed amount of data so she can do their job.

This is not different to a physical assistent. Lets say her name is Mary. She can also only be as supportive as possible when I let her know the things she need to know to be able to do her job.

Microsoft changed their way now how they communicate these privacy settings. They are much more transparent as they were in the past.

Please checkout this technet article from time to time as it gets updated over time with new features as well:

There are also telemetry stages discussed. You find more Informations about them here:

When you are through these articles you are very familiar which data is when shared for what purpose and how you can control it.

During my time working for MS labs I get in contact with the way how MS is dealing internally with customers privacy data. And believe me they take this very seriously. From this experience on I trust MS fully in the way how they handle privacy.

Wednesday, May 18, 2016

Advanced Threat Protection - brandnew feature in Windows 10 (Anniversary release 2016)

Microsoft responded to their customers requests regarding security threats and how to get hold on them especially when the breach already occured.

Antivirus tools we were used to use where yesterday. Now its ATP time!

This tool is really outstanding and uses unique techniques and possibilities that only Microsoft can do!

Please CLICK here to watch the video!

And to learn more and check it out you can sign up here:

ATP consists of 3 components:
1. The Client – end-point behavioral sensor, built into Windows 10 (Windows 10 Anniversary update, Windows Insider Preview Build number 14332 and later) and activated upon service enrollment. The client logs relevant security events and behaviors from the endpoint.     
2. Cloud security analytics service – processing data from endpoints in combination with historical data and Microsoft’s wide data repository to detect anomalous behaviors, adversary techniques and similarity to known attacks. The service runs on the Microsoft scalable big data platform, and uses a combination of Indicators of Attacks (IOAs), generic analytics and machine learning rules, as well as Indicators of Compromises (IOCs) collected from past attacks.
3. Microsoft and community intelligence – our Hunters and researchers investigate the data, finding new behavioral patterns and correlating the data with existing knowledge from the security community.

Windows 10 Update Assistant for failing upgrades from RTM to 1511

Recently MS released an update that let you update your system to the latest public release (1511) if your system is still on RTM and may not update automatically to the recent version due to errors in Windows Update.

Please chekcout this KB article therefore

The update to 1511 is essential to receive the new Redstone release coming in few weeks!

LEGACY: Good news for Win7 and Win8.1 image builders -> new Win7 "SP2" available aka Convenience rollup update

I had recently a customer they had the need to rebuild the Windows 7 SP1 image from time to time due to changes in their images. It took hours over hours to get the hundreds of post SP1 fixes into the image. And finally the image build process stuck with an error.

This was the log situation with our customer while building a new reference image with SCCM:

The client is busy downloading updates from the Deployment Point and putting it in the Ccmcache folder.
But for some reason, the activity in WUAHandler.log suddenly stops with the following lines:
Successfully completed scan.      WUAHandler     09-Mar-16 14:00:53         3016 (0x0BC8)
Going to search using WSUS update source.         WUAHandler     09-Mar-16 14:02:06         2668 (0x0A6C)
Synchronous searching of all updates started...  WUAHandler     09-Mar-16 14:02:06         2668 (0x0A6C)

Usually, after these lines we would expect lines were it is doing the actual installation of updates which it doesn't.

It seems we are not the only ones dealing with this problem. MS created a new solution for people like us dealing with these types of issues.

They created a so-called "Convenience rollup update for Windows 7 SP1"

And the corresponding KB article is found here:

This Convenience rollup does not include updates that are not broadly available and necessary and also not updates they introduce behaviour changes or hotfixes they need additional changes like registry keys etc. So it will shortcut the whole process dramatically but there are still other updates you need to apply additionally.

Monday, May 2, 2016

Use Windows Phone Emulator without Visual Studio

Sometimes it might be very convinient to run the Windows Phone emulator if you want to test things with Phone where full VS running did not help really as you need an open empty project so the UI in VS 2015 let start you the VM.
This might be usefull if you play around with Intune as I do from time to time without disturbing my operational phone. :-)
1. You need to install the current Windows Phone emulator (while I did it the current was 10586)
Requirements found here
And Download for the Emulator Setup found here
If you want to use it as stated in the requirements you need to install Visual Studio (probably Visual Studio Community is enough) but I can not verify it easy as I always use the Enterprise Edition.

2. Before you continue its always wise to make a backup of your flash.vhd file.
You find the file here:"C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\flash.vhd"

Otherwise when downloaded and installed (need a couple minutes and eat up a few gig on your HDD) then try this here:
Start the installed emulator as VM with this command (without Visual Studio)

"C:\Program Files (x86)\Microsoft XDE\10.0.10586.0\XDE.exe" /name "My Win10 test emulator with default values" /memsize 2048 /vhd "C:\Program Files (x86)\Windows Kits\10\Emulation\Mobile\10.0.10586.0\Flash.vhd"  /creatediffdisk "%LOCALAPPDATA%\Microsoft\XDE\10.0.10586.0\dd.480×854.1024.vhd" /snapshot /fastShutdown /noGPU

If your user is not member of the Client HyperV admins then you get this window and the ability to fix this right away.

Known issues
(as of 10.0.10586.11 which is the installed version from the link above).

1. Store updates only apps they are already in the image
2. Store is not able to download new additional apps (you get a wide range of error messages)
3. If you start the VM directly in Client-HyperV then the additional features are missing. Its just "like" a normal computer VM with limited capabilities.

Commandline Help
Here you get all the different parameters the xde.exe (Build 10586) will show with /?


Windows Store for Business - a quick setup primer

recently I had to create a demo environment to show how Windows Store for Business works.  (updated 04.07.2017)

Here a quick primer.

Just to make sure to have the right understanding.

"Windows Store for Business" is another cloud service that lives side by side with the Windows Store! (This is an essential understanding we need for the next steps).

Great feature that works with your own company account (!).

Whooww when this runs in the cloud how does Microsoft knows my account?
This is a very common question I got these days. To clarify a few things.

Microsoft introduced in Windows 10 a great feature called "Single SignOn" (Well its not brandnew but know it works very easily with currently more than 2500 cloud based services (as of April 2016). Means you can use your company account to logon in Facebook, Twitter, Citrix goto meeting, and many others. Name it and probably they support it).

Therefore it is necessary to have your account synced with Azure Active Directory (a cloud based user directory which is under your full control and enriches your security by features like multi factor authentication (MFA) and much more. Its really worth to spend extra time on this topic!)

And guess what even the Windows Store for Business is one of these more than 2500 cloud services. Thats why you can use your account and password to logon there. (For the security freaks: Cool down your own domain controller is judging if the users password is right or wrong. Keyword: Active Directory Federation Services ADFS))

To come back to our quick primer (Assuming you have already Azure AD setup, if not there will be later another post how to set this up!):

Windows Store for Business Quick-Start

How to setup it up:

2. Logon there with your local domain account (must be synced to Azure AD first!)

      • Hint for MS-Partners you can use your demo environment from
      • If your domain name is not yet transfered the user must logon with the cloud prefix like

          3. Read the EULA. You need to agree with it!

          4. Now you are ready to set it up.

          5. Here we will add simply a few apps from the public store and make them available for users in the Store App.

          6. Search for "Excel Mobile" in the search field.

          7. Click on "Get the App"

          8. Let the default value to make it available to all users
          (repeat the steps with all Office Mobile apps)

          9. It may take a while until the content is visible in the store.

          10. When you are finished it looks like this:


          to be continued as I need the 24 hours to get it into the tenant.

          11. A few hours later (18 in my case) you would see this here:

          Finally on the client it looks like this here:

          A. You open the store and find another tab:

          B. When you click on the tap it looks like this:

          When you are looking for information's how to bring LOB apps to the store you should also consult these sites:

          In some cases you try to carry out offline apps. They also need to go to the store before you can download them and deploy via SCCM.
          Checkout also this site:


          DONT DO THIS AT HOME! - Just for testing disable the local firewall with Powershell on new Windows Servers

          I found while working with the advanced firewall under current Windows Server 2012R2 and newer that since an update (cant tell you which one) disabling the firewall may result in total loss of communication.

          Which is in general a very good security practice.

          For production machines it is always absolutelly recommended to have a fully operational firewall.

          BUT under some circumstances it might be good to know if a newly introduced service is working in general to find out if a blocked port is causing issues or if it is the service itself.

          In the past it was easy:
          Simply shutdown the firewall on all profiles and you could test if it works or not.

          But now its more complex. (PowerShell helps a lot here!)

          Just to rembember:

          1. Dont do this at home! (unskilled admins should stay away!)
          2. Make sure you only do it in a save testing environment which is externally protected by a firewall. (Ok in these days firewalls are only a basic protection anymore!)
          3. If you checked that your testing environment works well turn on the firewall again and add all needed firewall ports from your services documentation to make sure it works the way it was designed for!!!

          Here how it works:

          Open the PowerShell as admin and let run these 4 lines:

          New-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound –LocalPort Any -Protocol TCP -Action Allow

          New-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Outbound –LocalPort Any -Protocol UDP -Action Allow

          New-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound –LocalPort Any -Protocol TCP -Action Allow

          New-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!" -Direction Inbound –LocalPort Any -Protocol UDP -Action Allow

          But last but not least you also need to Re-Enable the firewall function after your testing!

          This is done with these steps:

          Remove-NetFirewallRule -DisplayName "Allow TCP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"

          Remove-NetFirewallRule -DisplayName "Allow UDP Outbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"

          Remove-NetFirewallRule -DisplayName "Allow TCP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"

          Remove-NetFirewallRule -DisplayName "Allow UDP Inbound - TESTING ONLY RE-ENABLE IT AFTER YOUR TESTS!"

          Thursday, April 28, 2016

          Monday, April 11, 2016

          Windows 10 Branch 1511 becomes Current Branch for Business (CBB)

          Hurray the first time we are now able to test the way it should be in the future. The brunch Version 1511 was declared now as "Current Branch for Business" (aka CBB).

          What does that mean?

          Install Bits + cummulative Update March 2016 (KB 3140768) = CBB.
          Thats the trick. No Special bits or media needed. Even if they might be offered also later on.

          To get more info about the different detailed ways to distribute it via media, WSUS or SCCM checkout the full blog here

          Saturday, March 19, 2016

          Repair Windows 10 with DISM command in command prompt

          Windows 10 while it is running you can check and fix components and the component store. (this goes far beyond of the capabilities of SFC.exe)

          a. Start cmd.exe from start menu with right click as Admin (very important!)
          b. Or Win + X Command Prompt (Admin)

          You see now in the command prompt: C:\Windows\system32\
          1. Check if errors are in the registry:

          Dism /Online /Cleanup-Image /CheckHealth

          2. Check if errors are in Windows Components Store

          Dism /Online /Cleanup-Image /ScanHealth

          3. Repair the registry and component store (you need online connection to Windows Update!)

          Dism /Online /Cleanup-Image /RestoreHealth

          If the repair is done you can double check with no2. again (/ScanHealth option)

          If there are still errors you can use the components from the ISO media or the installation DVD:

          DISM /Online /Cleanup-Image /RestoreHealth /source:wim:C:\install.wim:1 /limitaccess

          ATTENTION you may need to adjust /source:wim:C:\install.wim:1
          Probably the C: is  not the drive to the install.wim. It might be e.g. D:\sources\install.wim

          Also make sure that you use the same ISO as you have as OS installed.
          Simply open winver.exe to check the version of the OS.

          If you need the media as you have no media. You may download it here. This also allows you to upgrade to a newer version if you are running an older one.