Notes from the field: some common dependencies for Microsoft 365 deployments

This content is 4 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

My blog posts take a while to get published these days. I struggle to find the time to write them and often a few notes can remain in draft form for a long time. Some of those notes never make it. Others possibly shouldn’t.

This is one of those posts where I’m not sure whether to publish or not. It’s based on an email I sent to a client, in 2018, as we were starting to work together. That client was about to embark on a migration to Windows 10 and Office 365, and these notes were intended to set them in the right path.

We all know that Office 365 is under constant development, and some of the advice below might not be current. I don’t think it’s too far off the mark but your mileage may vary. I’ve also added a few comments where I know we’d look to do things differently today. Those comments are marked with square brackets.

All of these dependencies were things I identified before we got into design… but many more came out as we got into the detail.

Preparing the identity platform

[Identity is key to any successful Microsoft cloud implementation. And Azure AD is Microsoft’s cloud identity platform.]

Recommendation:

  • The IdFix tool should be run to ensure that there are no directory issues (invalid characters, duplicate addresses, unverified UPN suffixes) that will cause synchronisation errors.
  • Azure AD Connect synchronising without error between on-premises Active Directory and Azure Active Directory. Even with on-premises authentication via ADFS or similar, user objects will be required in Azure AD in order to populate the Exchange GAL.

[in this case, I could be reasonably sure that both of these are already in place for the existing Skype for Business Online deployment.]
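As an added illustration of what the IdFix recommendation is guarding against, here is a small Python checker that runs the same kinds of tests over a directory export before it reaches Azure AD Connect: whitespace and invalid characters in userPrincipalName, length limits, a UPN suffix that is not a verified domain in the tenant (Azure AD Connect rewrites such suffixes to the default .onmicrosoft.com domain, so those users cannot sign in as expected), and proxyAddresses shared between two objects. This is example code written for this page, not the IdFix tool’s own logic; the limits and character sets are approximations stated as assumptions, and the sample users and the verified-domain set are constructed.

```python
import re
from collections import defaultdict

# Limits and character rules below approximate the checks IdFix makes on a
# directory before Azure AD Connect synchronisation. They are assumptions for
# this illustration, not figures taken from the original post.
UPN_PREFIX_MAX = 64        # characters before the @
UPN_TOTAL_MAX = 113
SAM_MAX = 20
ADDRESS_MAX = 256          # mail and each proxyAddresses value

UPN_PREFIX_OK = re.compile(r"^[A-Za-z0-9'._\-!#^~]+$")
DOMAIN_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}$")
SAM_BAD_CHARS = re.compile(r'[\s"/\\\[\]:;|=,+*?<>]')


def check_user(user, verified_domains):
    """Return a list of (attribute, problem) tuples for one directory object."""
    issues = []

    upn = user.get("userPrincipalName", "")
    if "@" not in upn:
        issues.append(("userPrincipalName", "missing or has no @"))
    else:
        prefix, _, domain = upn.rpartition("@")
        if any(ch.isspace() for ch in upn):
            issues.append(("userPrincipalName", "contains whitespace"))
        elif not UPN_PREFIX_OK.match(prefix):
            issues.append(("userPrincipalName", "invalid character in prefix"))
        if len(prefix) > UPN_PREFIX_MAX or len(upn) > UPN_TOTAL_MAX:
            issues.append(("userPrincipalName", "too long"))
        if not DOMAIN_OK.match(domain):
            issues.append(("userPrincipalName", "malformed domain"))
        elif domain.lower() not in verified_domains:
            # An unverified suffix is replaced with the tenant's default
            # .onmicrosoft.com domain at sync time; users then can't sign in
            # with the UPN they expect.
            issues.append(("userPrincipalName",
                           f"suffix {domain} not verified in the tenant"))

    sam = user.get("sAMAccountName", "")
    if len(sam) > SAM_MAX:
        issues.append(("sAMAccountName", f"longer than {SAM_MAX} characters"))
    if SAM_BAD_CHARS.search(sam):
        issues.append(("sAMAccountName", "contains an invalid character"))

    mail = user.get("mail")
    if mail and (any(ch.isspace() for ch in mail) or len(mail) > ADDRESS_MAX):
        issues.append(("mail", "whitespace or too long"))

    for addr in user.get("proxyAddresses", []):
        if ":" not in addr:
            issues.append(("proxyAddresses", f"{addr!r} lacks a type prefix such as SMTP:"))
        elif any(ch.isspace() for ch in addr) or len(addr) > ADDRESS_MAX:
            issues.append(("proxyAddresses", f"{addr!r} has whitespace or is too long"))
    return issues


def check_directory(users, verified_domains):
    """Per-object issues plus duplicates that only show up across objects."""
    report = {}
    owners = defaultdict(list)   # (attribute, normalised value) -> [object keys]
    for i, user in enumerate(users):
        key = user.get("sAMAccountName") or f"object{i}"
        report[key] = check_user(user, verified_domains)
        for attr in ("userPrincipalName", "mail"):
            if user.get(attr):
                owners[(attr, user[attr].lower())].append(key)
        for addr in user.get("proxyAddresses", []):
            # "SMTP:" (primary) and "smtp:" (secondary) name the same address
            owners[("proxyAddresses", addr.split(":", 1)[-1].lower())].append(key)
    for (attr, value), keys in owners.items():
        if len(keys) > 1:
            for key in keys:
                others = [k for k in keys if k != key]
                report[key].append((attr, f"duplicate {value} also on {others}"))
    return report


# Constructed sample export (not real data); contoso.com is the only verified domain.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "mail": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob smith@contoso.com",
     "mail": "bob@contoso.com", "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@contoso.local",
     "mail": "carol@contoso.com",
     "proxyAddresses": ["SMTP:carol@contoso.com", "smtp:alice@contoso.com"]},
    {"sAMAccountName": "svc-reporting-service-01", "userPrincipalName": "svc@contoso.com",
     "proxyAddresses": ["svc@contoso.com"]},
]
VERIFIED_DOMAINS = {"contoso.com"}


def sample_report():
    return check_directory(SAMPLE_USERS, VERIFIED_DOMAINS)


if __name__ == "__main__":
    for key, issues in sample_report().items():
        print(key, "OK" if not issues else issues)
```

Run it and the four constructed objects produce, respectively, a duplicate proxy address (alice, shared with carol), whitespace in the UPN (bob), an unverified .local suffix plus the duplicate (carol), and an over-long sAMAccountName with an untyped proxy address (the service account). The cross-object pass is the part that is easy to forget: a single object can look fine and still block the whole sync cycle because another object already owns its address.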

Useful links:

Preparing for Exchange hybrid

[It’s common to run Microsoft Exchange in a hybrid configuration when migrating mailboxes to Office 365. Generally, the hybrid will remain in place even after user mailboxes have been migrated to the cloud, for management purposes. There are constraints around the versions of Exchange Server that can be used though.]

  • The hybrid server must be running the latest or immediately previous (i.e. n or n-1) cumulative update or update rollup available for the version of Exchange installed on-premises.
  • Domain names that will be used for email should have the appropriate records created and verified in DNS.
  • Ports should be enabled to allow traffic to flow as outlined in the above article. It may be useful to run the Remote Connectivity Analyzer (RCA) tools to verify this.
  • In addition, I recommend that the other Exchange servers in the organisation are upgraded to run with the latest available updates.

Useful links:

Preparation for deployment of Windows 10 images using SCCM

[System Center Configuration Manager (SCCM) is now part of Microsoft Endpoint Manager (MEM) and I’m not sure I’d recommend an SCCM-based deployment these days. My first preference would be to use Microsoft’s own Windows images, in Azure AD-joined configuration managed with Intune (also part of MEM). This topic would make a blog post on its own…]

Config Manager needs to be updated to align with the version of Windows 10 being deployed: Support for Windows 10 in Configuration Manager.

[Even when I wrote the notes 3 years ago, it seems I was guiding the client towards a Modern Device Management approach with Intune…]

Preparation for the use of Office applications (desktop and web)

[Office 365 ProPlus is now Microsoft 365 Apps for Enterprise but the advice below is unchanged apart from the product name.]

Office 365 ProPlus (i.e. subscription-based Office applications) requirements are the same as for Office Professional Plus 2016 (i.e. perpetually-licensed applications) and are detailed at Microsoft 365 and Office Resources.

With regard to documents (including spreadsheets, presentations, etc.) containing macros, it would be advisable to perform some basic compatibility testing: Check file compatibility with previous versions.

Office 2016 and 2019 are supported under the Fixed Lifecycle Policy.

Use of a supported browser is critical to the use of Office 365 web-based components although many organisations are held back by legacy software releases.

General Microsoft 365 system requirements may be found at the Microsoft 365 and Office Resources link above. Most notably:

“Microsoft 365 is designed to work with the latest browsers and versions of Office. If you use older browsers and versions of Office that are not in mainstream support:

  • Microsoft won’t deliberately prevent you from connecting to the service, but the quality of your Microsoft 365 experience will diminish over time.
  • Office 2019 connections to Microsoft 365 services will be supported until October 2023.
  • Microsoft won’t provide code fixes to resolve non-security related problems.”

[Microsoft’s guidance previously stated that “Office 365 doesn’t support interoperability with any software that isn’t supported by its manufacturer.”]

Using Windows Autopilot to deploy PCs in the middle of a pandemic


A year ago, who would have thought that so many people would still be working from home because of COVID-19? That a pandemic response would lead to such a huge impact on the way we live? That we’d be having discussions about the future role of the office?

Lots of things changed in 2020. Some of them may never change back.

Changes to PC operating system deployment methods

There is a saying (attributed to the Greek philosopher, Heraclitus) that the one constant in life is change…

Over nearly 30 years working in IT, I’ve worked on a lot of PC rollouts. And the technology keeps on changing:

  • Back in 1994, I was using Laplink software with parallel cables (so much faster than serial connections) to push Windows for Workgroups 3.11 onto PCs for the UK Ministry of Defence.
  • In 2001, Ghost (which by then had been purchased by Norton) was the way to do it. Working with a Microsoft partner called Conchango, my team at Polo Ralph Lauren rolled out 4000 new and rebuilt PCs. We did this across 8 European countries, supporting languages and PC hardware types with just two images.
  • By 2005, I was working for Conchango and using early versions of the Microsoft Business Desktop Deployment (BDD) solution accelerator to push standard operating environment (SOE) images to PCs for a UK retail and hospitality company.
  • By 2007, BDD had become Microsoft Deployment. Later, that was absorbed into System Center Configuration Manager.

After this, the PC deployment stuff gets a bit fuzzy. My career had moved in a different direction and, these days, I’m less worried about the detail (I have subject matter experts to rely on). My concerns are around the practicalities of meeting business requirements by making appropriate technology selections.

Which brings me back to the current day.

A set of business requirements

Imagine it’s early 2021 and you’re faced with this set of requirements:

  • Must deploy new Windows 10 PCs to a significant proportion of the business’ staff.
  • Must comply with UK restrictions and guidance in relation to the COVID-19 novel coronavirus.
  • Should follow Microsoft’s current recommended practice.
  • Must maintain compliance with all company standards for security and for information management. In particular, must not impact the company’s existing ISO 27001, ISO 9001 or Cyber Essentials Plus certifications.
  • Should not involve significant administrative overhead.

A solution, built around Windows Autopilot

The good news is that this is all possible. And it’s really straightforward to achieve using a combination of Microsoft technologies.

  • Azure Active Directory provides a universal identity platform, including conditional access and multifactor authentication.
  • Windows Autopilot takes a standard Windows 10 image (no need for customised “gold builds”) and applies appropriate policies to configure and secure it in accordance with organisational requirements. It does this by working with other Microsoft Endpoint Manager (MEM) components, like Intune.
  • OneDrive keeps user profile data backed up to the cloud, with common folders redirected so they remain synced, regardless of the PC being used.

What does it look like?

My colleague, Thom McKiernan (@ThomMcK), created a great unboxing video of his experience, opening up and getting started with his Surface Pro 7+:

(I tried to do the same with my Surface Laptop 3 but unboxing videos are clearly not my thing.)

Why does this matter?

The important thing for me is not the tech. It’s the impact that this had on our business. To be clear:

We deployed new PCs to staff, during a national lockdown, without the IT department touching a single PC.

For me, it took around 10 minutes from opening the box to sitting at a usable desktop with Microsoft Teams and Edge. (What else do you need to work in 2021?)

That would have been unthinkable a few years ago.

It seems that, on an almost daily basis, I talk to clients who are struggling with technology to allow staff to work from home. It always seems to come back to legacy VPNs or virtual desktop “solutions” that are holding the IT department back.

So, if you’re looking at how your organisation manages its end user device deployments, I recommend taking a look at Windows Autopilot. Perhaps you’re already licensed for Microsoft 365, in which case you have the tools. And, if you need some help to get it all working, well, you know who to ask…

Featured image created from Microsoft press images.

Tweaking audio and (webcam) video quality in Windows 10


Back in the spring (whilst I was on Furlough Leave and had time for weeknotes), I wrote about some upgrades to my home office. The LED lights didn’t work out (battery life was too short – I need to find something that works from mains power) so they went back to Amazon but the Marantz MPM-1000U microphone has been excellent.

I’ve seen a few tweets and videos recently about using software to use a smartphone camera as a webcam. Why might you do that? Well, because many laptop webcams are a bit rubbish (like the one in my Apple MacBook) or poorly placed, giving an unflattering view from below.

I had a play with the Iriun webcam software recommended in this video from Kevin Stratvert and it worked really well, with the phone on a tripod, giving a better angle of view.

Ultimately though, the Microsoft Surface Pro 6 that I use for work has a pretty decent webcam, and my Nokia 7 Plus was no better quality – all I was really gaining was a better camera position.

I do still have a challenge with lighting. My desk position means that I’m generally back-lit with a north-facing window to my left. Some fill-in light in front might help but I also wanted to adjust the settings on my webcam.

Microsoft Teams doesn’t let me do that – but the Camera app in Windows 10 does… as described at Ceofix, there is a “Pro mode” in the Windows 10 Camera app that allows the brightness to be adjusted. There are more options for still images (timer, zoom, white balance, sensitivity, shutter speed and brightness) but the brightness option for video let me tweak my settings a little.

The next challenge I had was with audio. Despite using the volume controls on the Surface Pro to knock the volume up to 100% whilst I was presenting over Teams earlier, everyone else on the call sounded very quiet. It turned out that 100% was not 100%: there is a Realtek Audio Console app on my PC which lets me adjust the speaker and microphone settings, including volume, balance, Dolby audio, sample rate and depth. Finding this revealed that my volume was actually nowhere near 100% and I was quickly able to increase it to a level where I could hear my client and co-presenters!

Getting started with Azure Sphere: Part 1 (setup and running a sample app)


Late in 2019, I got my hands on an Azure Sphere Starter Kit, which I’ve been intending to use for an IoT project, using some of the on-board sensors for temperature and potentially an external one for humidity…

For those who aren’t familiar with Azure Sphere, it’s Microsoft’s Secure Internet of Things (IoT) solution using certified chips, a custom operating system and a security service. My device is an Avnet Azure Sphere MT3620 Starter Kit and this blog post focuses on getting it up and running with one of the sample applications that Microsoft provides, using Windows 10 (other options include Linux).

Installing Visual Studio Code and the Azure Sphere SDK

Having obtained the kit, the next stop was Microsoft’s Getting Started with Azure Sphere page. I downloaded and installed Visual Studio Code (I don’t really need the whole Visual Studio 2019 application – though I later found that a lot of the advice on the Internet assumes that’s what you’re using…) and then immediately found that there are two versions of the Azure Sphere Software Development Kit (SDK). According to the Microsoft docs, either can be used with Visual Studio Code but I found the setup for the Azure Sphere SDK for Visual Studio failed when it can’t find Visual Studio (not really surprising) and so I used the Azure Sphere SDK for Windows.

Connecting the hardware

I plugged in the Avnet Azure Sphere Starter Kit, using the supplied USB cable, and watched as Windows installed drivers after which a virtual network interface was present and three COM ports appeared in Device Manager.

Setting up my dev environment

Installing Visual Studio Code and the Azure Sphere SDK was only the first part of getting ready to create code for the device. I needed to install the Azure Sphere extension (easily found in the Extensions Marketplace):

The Azure Sphere extension also installs two dependencies:

  • C/C++
  • CMake Tools

I also needed to install CMake (in my case it was version 3.17.1). Not really knowing what I was doing, I followed the defaults but on reflection, I probably should have let CMake add its directory to the system %PATH% variable (I later uninstalled and reinstalled CMake to do this, but could just have added C:\Program Files\CMake\bin to the Path in the user environment variables).

The final installation was Ninja. Windows Defender SmartScreen blocked this app, but I was later able to work around that, by unblocking in the properties for ninja.exe:

I missed the point in the Microsoft documentation that said I needed to manually add Ninja to the %PATH% environment variable but I later went back and added the folder that I copied ninja.exe to (which, for me, was C:\Users\%username%\Tools).

(The above steps were my second attempt – the first time I installed MinGW-W64 to work around issues when Visual Studio Code couldn’t find a compiler, together with several changes in settings.json. I later removed all of that and managed to compile and deploy a sample application using just the settings above…)

Configuring the Azure Sphere device for use

There are a few steps required to configure the device for use. These are all completed using the Azure Sphere Developer Command Prompt, which was installed earlier, with the SDK.

Creating an Azure Sphere tenant and claiming the device

Each Azure Sphere device must be “claimed” and associated with a “tenant”. I followed the Microsoft documentation to do this…

azsphere login --newuser user@domain.tld

After completing Multi-Factor Authentication (MFA) and confirming I wanted to allow Azure Sphere to use my account, I was logged in but with a warning that I don’t have access to any Azure Sphere tenants, so I created one:

azsphere tenant create --name "Mark Wilson"

Warning – more research required: I used a Microsoft Account, as per the Microsoft instructions, but am now concerned I should have used an Azure Active Directory (Organisational/Work or School) account (especially as Role Based Access Control is supported from Azure Sphere 19.10 onwards). As a device can only be claimed once and, once claimed, the device is permanently associated with the Azure Sphere tenant, I’m stuck with these settings now…

I then went ahead and claimed the device:

azsphere device claim

Connecting to Wi-Fi and updating the device operating system

I checked the current OS version on the device:

azsphere device show-deployment-status

As can be seen, not only is the OS out of date, but the device is not connected to a network, so I connected to Wi-Fi:

azsphere device wifi show-status
azsphere device wifi add --ssid "SSID" --psk password
azsphere device wifi show-status

Now, with network connectivity in place, the device had a fighting chance of an OS update and according to the Microsoft documentation:

The Azure Sphere device checks for Azure Sphere OS and application updates each time it boots, when it initially connects to the internet, and at 24-hour intervals thereafter. If updates are available, download and installation could take as much as 15-20 minutes and might cause the device to restart.

Configure networking and update the device OS

I tried several restarts using azsphere device restart with no success. In the end, I left the device connected overnight and, by the morning, it had updated to 20.03.

Finally, I enabled application development on the device, ready to download some code and deploy an application:

azsphere device enable-development

Downloading a sample app

My initial attempts to use the app that I wanted to didn’t work so I decided to test my setup with one of the Microsoft Quick Starts.

I needed to use git to clone the Azure Sphere Samples Repo, so that meant installing git. Then, from the Terminal in Visual Studio Code, I ran git clone https://github.com/Azure/azure-sphere-samples.git.

I then opened the Samples\HelloWorld\HelloWorld_HighLevelApp folder in Visual Studio Code, ready to build and deploy the app.

Building and deploying the app

Having set up my dev environment, set up the device and downloaded some sample code, I followed the instructions in the Visual Studio Code Azure Sphere Extension to run the following in the Command Palette: Azure Sphere: Configure Settings (selecting High-Level Application) and CMake: Build.

I was then able to build and deploy the sample app to my Azure Sphere device by starting a debug session (F5), and was rewarded with a blinking LED on the board!

Azure Sphere Starter Kit with blinking LED

I can also view the application status with azsphere device app show-status.

Next steps

The next step is to get the app I really wanted to use working on the device, making use of some of the on-board sensors and then integrating this with some of the Azure services. I’m having trouble compiling that code at the moment, so that blog post may be a while longer…

Further reading

How to stay current with Windows as a Service and Office 365 ProPlus


For many organisations, particularly those at “enterprise” scale, Windows and Office have tended to be updated infrequently, usually as major projects with associated capital expenditure. Meanwhile, operational IT functions that manage “business as usual” often avoid change because that change brings risks around the introduction of new technology that may have consequential effects. This approach is becoming increasingly untenable in a world of regular updates to software sold on a subscription basis.

This post looks at the impact of regularly updating Windows and Office in an organisation and how we need to modify our approach to reflect the world of Windows as a Service and “evergreen” Office 365.

Why do we need to stay current?

A good question. After all, surely if Windows and Office are working as required then there’s no need to change anything, is there? Unfortunately, things aren’t that simple and there are benefits of remaining current for many business stakeholders:

  • For the CIO: improved management, performance, stability and support for the latest hardware.
  • For the CSO: enhanced security against modern threats and zero-day attacks.
  • For end users: access to the latest features and capabilities for better productivity and creativity.

Every Windows release evolves the operating system architecture to better defend against attacks – not just patching! And Windows and Office updates support new ways of working: inking, voice control, improved navigation, etc.

So, updates are good – right?

How often do I need to update?

We’re no longer in a world of 5+5 years (mainstream+extended) support. Microsoft has publicly stated its intention to ship two feature updates to Windows each year (in Spring and Autumn). The latest of these is Windows 10 1803 (also known as Redstone 4), which actually shipped in April. Expect the next one in/around September 2018 (1809). Internally to Microsoft, there are new builds daily; and even publicly there are “Insider” Preview builds for evaluation.

That means that we need to stop thinking about Windows feature updates as projects and start thinking about them as process – i.e. make updating Windows (and Office, and supporting infrastructure) part of the business as usual norm.

OK, but what if I don’t update?

Put simply, if you choose not to stay up-to-date, you’ll build up a problem for later. The point about having predictable releases is that it should help planning.

But each release is only supported for 18 months. That means that you need to be thinking about getting users on n-2 releases updated before it gets too close to their end of support. Today, that means:

  • Running 1703, take action to update.
  • Running 1709, plan to update.
  • Running 1803, trailblazer!

We’re no longer looking at major updates every 3-5 years; instead an approach of continuous service improvement is required. This lessens the impact of each change.

So that’s Windows, what about Office?

For those using Office 365 ProPlus (i.e. licensing the latest versions of Office applications through an Office 365 subscription), Windows and Office updates are aligned (not to the day, but to the Spring and Autumn cadence):

So, keep Office updated in line with Windows and you should be in a good place. Build a process that gives confidence and trust to move the two at the same time… the traditional approach of deploying Windows and Office separately often comes down to testing and deployment processes.

What about my deployment tools? Will they support the latest updates?

According to Microsoft, there are more than 100 million devices managed with System Center Configuration Manager (SCCM) and SCCM also needs to be kept up-to-date to support upcoming releases.

SCCM releases are not every 6 months – they should be every 4 months or so – and the intention is to update SCCM to support the next version of Windows/Office ahead of when they become available:

Again, start to prepare as early as possible – and think of this as a process, not a project. Deploy first to a limited set of users, then push more broadly:

Why has Microsoft made us work this way?

The world has changed. With Office existing on multiple platforms and systems under constant threat of attack from those who wish to steal our data (and money) it’s become necessary to move from a major update every 3-5 years to a continuous plan to remain in shape and execute every few months – providing high levels of stability and access to the latest features/functionality.

Across Windows, Office, Azure and System Center Microsoft is continually improving security, reliability and performance whilst integrating cloud services to add functionality and to simplify the process of staying current.

How can I move from managing updates as a project to making it part of the process?

As mentioned previously, adopting Windows as a Service involves a cultural shift from periodic projects to a regular process.

Organisations need to be continually planning and preparing for the next update using Insider Preview to understand the impact of upcoming changes and the potential provided by new features, including any training needs.

Applications, devices and infrastructure can be tested using targeted pilot deployments and then, once the update is generally available and known to work in the environment, a broader deployment can be instigated:

Aim to deploy to users following the model below for each stage:

  • Plan and prepare: 1%.
  • Targeted deployment: 9%.
  • Broad deployment: 90%.

Remember, this is about feature updates, not a new version of Windows. The underlying architecture will evolve over time but Windows as a Service is about smaller, incremental change rather than the big step changes we’ve seen in the past.

But what about testing applications with each new release of Windows?

Of course, applications need to be tested against new releases – and there will be dependencies on support from other vendors too – but it’s important that the flow of releases should not be held up by application testing. If you test every application before updating Windows, it will be difficult to hit the rollout cadence. Instead, proactively assess which applications are used by the majority of users and address these first. Aim to move 80-90% of users to the latest release(s) and reactively address issues with the remaining apps (maybe using a succession of mini-pilots) but don’t stop the process because there are still a few apps to get ready!

You can also use alternative deployment methods (such as virtualised applications or published applications) to work around compatibility issues.

It’s worth noting that most Windows 7-compatible apps will be compatible with Windows 10. The Win32 application platform and the driver servicing model are carried forward (UWP is an addition alongside Win32, not a replacement for it). Some device drivers may not exist for Windows 10 but most do and availability through Windows Update has improved for drivers and firmware. BIOS support is getting better too.

In addition, there are around a million applications registered in the Ready For Windows database, which can be used for spot-checking ISVs’ Windows 10 support for each application and its prevalence in the wild.

New cloud-enabled capabilities to guide your Windows 10 deployment

Windows Analytics is a cloud-based set of services that collects information from within Windows and provides actionable information to proactively improve your Windows (and Office) environment.

Using Azure Log Analytics, Windows Analytics can advise on:

  • Readiness (Windows 10 Professional): planning and addressing actions for upgrade from Windows 7 and 8.1 as well as Windows 10 feature updates.
  • Compliance (Windows 10 Professional): for regular (monthly) updates.
  • Device health (Windows 10 Professional and Enterprise): assessing issues across estate (e.g. problematic device drivers).

OK, so I understand why I need to continuously update Windows, but how do I do it?

Microsoft recommends using a system of deployment rings (which might be implemented as groups in SCCM) to roll out to users in the 1% (Insider), 9% (Pilot) and 90% (Broad) deployments mentioned above. This approach allows for a consistent but controllable rollout.
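The 1%/9%/90% rings above only work if a device lands in the same ring every time the collection is evaluated; otherwise a PC that was in the pilot last month quietly drops into the broad ring and the pilot stops being a real test. As an added example (written for this page, not Microsoft’s or SCCM’s own logic), here is one way to get that stability without storing state: hash the device name with a per-rollout salt and bucket the result, with an explicit override list for devices that must sit in a particular ring. The device names, salt and pinned list are constructed for the illustration.

```python
import hashlib
from collections import Counter

# Ring shares from the post: 1% insider, 9% pilot, 90% broad.
RINGS = (("insider", 1), ("pilot", 9), ("broad", 90))


def ring_for(device_id, salt, rings=RINGS):
    """Map a device name deterministically to a ring.

    The id is normalised, hashed with a per-rollout salt and reduced to a
    bucket in 0..99; the first ring whose cumulative share covers the bucket
    wins. The same id always gets the same ring, so membership is stable
    between evaluations, and changing the salt reshuffles the whole estate
    (useful when starting a new feature-update cycle).
    """
    if sum(share for _, share in rings) != 100:
        raise ValueError("ring shares must add up to 100")
    digest = hashlib.sha256(f"{salt}:{device_id.strip().lower()}".encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % 100
    upper = 0
    for name, share in rings:
        upper += share
        if bucket < upper:
            return name
    raise AssertionError("unreachable: shares sum to 100")


def assign_rings(device_ids, salt, pinned=None, rings=RINGS):
    """Return {device_id: ring}. `pinned` overrides the hash for devices that
    must be in a given ring (IT staff in insider, month-end finance PCs in broad)."""
    pinned = pinned or {}
    return {d: pinned[d] if d in pinned else ring_for(d, salt, rings) for d in device_ids}


def ring_counts(assignment):
    """How many devices ended up in each ring."""
    return dict(Counter(assignment.values()))


# Constructed device names and overrides for illustration (not a real estate).
SAMPLE_DEVICES = [f"PC-{n:05d}" for n in range(1, 2001)]
SAMPLE_PINNED = {"PC-00001": "insider", "PC-00002": "broad"}


def sample_assignment():
    return assign_rings(SAMPLE_DEVICES, salt="win10-1809-rollout", pinned=SAMPLE_PINNED)


if __name__ == "__main__":
    print(ring_counts(sample_assignment()))
```

The output of `ring_counts` should sit close to 20/180/1800 for the 2,000 constructed devices, but not exactly on it: the hash gives the expected proportions on average, and the pinned list is where you correct for the devices the business cannot afford to have in the wrong ring. Feed the resulting lists into whatever builds your SCCM collections or Windows Update for Business groups.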

Peer-to-peer download technologies are embedded in Windows that will minimise network usage and recent versions support express updates (only downloading deltas) whilst the impact on users can be minimised through scheduling.

When it comes to tools, there are a few options available:

  • Windows Update is the same service used by consumers to download updates at the rate governed by Microsoft.
  • Windows Update for Business is a version of Windows Update that allows an organisation to control their release schedule and set up deployment rings without any infrastructure.
  • Windows Server Update Services (WSUS) allows feature updates to be deployed when approved, and BranchCache can be used to minimise network impact.
  • Finally, SCCM can work with WSUS and offers Task Sequences, etc. to provide greater control over deployment.

What about the normal “Patch Tuesday” updates?

Twice-annual feature updates don’t replace the need to patch more regularly and Microsoft continues to release cumulative updates each month to resolve security and quality issues.

In effect, we should receive one feature update then five quality updates in each cycle:

Where can I find more information?

The following resources may be useful:

 

The contents of this post are based on a webcast delivered by Bruno Nowak (@BrunoNowak), Director of Product Marketing (Microsoft 365) at Microsoft.

A newsletter? Weeknote? Blogletter? Issue No 1 (Week 43, 2017)


Inspired by David Hughes (@DavidHughes) and Christian Payne (@Documentally), a few weeks ago, I ran a Twitter poll to see if anyone would be interested in a newsletter of some of the stuff I’ve been up to. The responses were mixed, but some went along the lines of “the email format doesn’t resonate with me” and “I like reading what you’ve been up to on your blog”. My blog has been falling by the wayside in recent months and I do want to write more, so I’ve decided to write a weekly (ish) newsletter here instead. In between, I’ll still write the usual tech-inspired stuff but this will be more eclectic. Matt Ballantine (@ballantine70) does something similar with his weeknotes – but he must be incredibly disciplined to get them out every Friday. I spend Fridays trying to end my week.

So, here goes for issue 1. I’m still not sure what this thing should be called?

A week off

I’ve just had a week off work. I needed it. My previous blog post describes some of the challenges I’ve had lately and I really needed to decompress. After the initial weekend madness (just like every weekend), the first half of the week was spent at home, mostly sorting stuff out (more on that later), then a few days away with my family…

The weekend before…

My eldest son has started competing in the Central Cyclocross League and I’ve been joining in the novice races whilst he races in the Under 14s (both races take place on the same course at the same time).

I seriously considered not racing last week after a very hard practice lap but then my son instructed me to “put your numbers on and race your bike”. Oh, OK then!

I’m reasonably fit for long distance stuff (I recently completed the rather hilly inaugural Velo Birmingham 100 mile sportive) and my Caveman Conditioning (circuits) sessions a couple of times a week help with general fitness but cyclocross is something else. Particularly when you’re using a mountain bike because your son is riding his CX bike (how inconsiderate!). I think it may be time for an n+1. Certainly if we do this again next season!

Unfortunately, being ignored in the LBS doesn’t leave a very good feeling. Being ignored on social media after sending the tweet even less so…

Shopping

I don’t often wear a suit for work these days – but there are occasions where it’s still expected (first meetings, particular customers, etc.). I’ve been putting off buying a new suit for a while because a) there are two in the wardrobe that I really should slim down into b) I’d rather spend the money elsewhere. This week I gave in and bought something new.

I took one of my sons with me and he happily browsed the John Lewis technology department whilst I was suit shopping. He thinks I spent a lot of money though and suggested I get a blazer with some M&S trousers like his school uniform for a fraction of the price! Welcome to the world of work, son!

Whilst he was browsing the technology, I spotted this:

The Windows Premium collection appears to be Windows 10, running on a selection of higher-end PCs (Dell XPS 13, HP Spectre, etc.). First time I’d heard of it though…

Administration

I spent a good chunk of my week off working through an administration backlog at home. Ultimately that results in a lot of scanning (on my Canon ImageFormula P-215 desktop scanner), some shredding and a little bit of filing (for those few documents that I do retain in paper form).

After hunting around for PDF editing tools (ideally command line) to remove some pages I didn’t need inside some existing PDF files, I found this comment on the MacRumors forums:

“Preview does all of this quite well, fyi.”

Sure enough: open the PDF in MacOS Preview; delete the extra pages; save. Job done.

Karting, photography and train travel

My youngest son wanted to go to a friend’s go-karting party this week whilst my wife and eldest were heading down to Dorset for a few days. No problem, he could stay at home with me whilst I did some of my admin and then we’d follow on by train.

The karting inspired me to get my Nikon D700 out again. It may be big and heavy but I love the control of the DSLR experience and the results. I’ve tried some pro apps on my iPhone (like 645 Pro) but it’s just not the same!


Afterwards, the train journey to Dorset gave my son and I a mini-adventure (bus, train, tube, another train) to join the rest of the family – and with a Family and Friends railcard it was less than £30!

Walking

Last Friday was a gorgeous day – almost no wind and bright sunshine didn’t seem like late-October! My family took the chance to go for a walk along the South West Coastal Path from Swanage to Studland (for a pub lunch).

Afterwards, I walked back with one of my sons – and what a treat that was! Glorious views and late-afternoon sunlight meant lots of photo stops but it was certainly my favourite part of the walk!


On the beach

Saturday’s weather was less impressive but, after lunch at our favourite Swanage coffee shop (Java), coincidentally located next to my favourite Swanage restaurant (Chilled Red, where my wife and I had eaten the night before), we took the boys to the beach. They were happy with their wetsuits to keep the cold at bay whilst they played but I decided to stay dry. At least that was the plan.

I was walking out on one of the groynes to take a picture of the boys, when I found that walking boot soles have almost no grip once they meet wet wood and, faced with the choice of falling face-first (or probably chest-first) onto a large wooden beam or throwing myself towards the sea, I chose the latter… managing to twist my ankle on the way, and then realising that my wallet and my iPhone were in my pockets.

I’m hoping that the phone will be covered on the household building and contents insurance – we have accidental damage cover and I’ll be making that call tomorrow… otherwise I could be getting an iPhone 8+ sooner than planned!

In the meantime, I’ve found out a lot about the water resistance of various Apple products:

Zwift and Android

My son fancied having a go on my Tacx Vortex trainer today, so we tried to get it working with Zwift for him.

Normally, I use the iOS app on my iPhone but, as that’s still drying out, it wasn’t an option. Zwift is currently available for Windows, MacOS and iOS but not (yet) Android so we went back to my original Windows PC-based setup with Zwift Mobile Link as a Bluetooth bridge. After spending a lot of time trying to get it working this afternoon with my son’s Android phone, it seems that I may need to update the firmware on my trainer for it to be recognised as a controllable trainer via the Android version of Zwift Mobile Link and Bluetooth LE (currently they only see it as a power meter and cadence sensor).

Wrap-up

That’s about it for this week… let me know what you think of the whatever-this-is (newsletter? blog post? something else?) and I’ll think about writing another one next week.

VPN, DirectAccess or Windows 10 auto-trigger VPN profile?

This content is 8 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

On a recent consulting gig, I found myself advising a customer who was keen to deploy Microsoft DirectAccess (DA) in place of their legacy virtual private network (VPN) solution. As a DirectAccess user (who used Cisco AnyConnect VPN at my last place of work), I have to say the convenience of being always connected to the company network without any interaction on my part is awesome. I’m sure the IT guys like that they can always access my PC for management purposes too…

The trouble with DirectAccess is that it doesn’t seem to have a published roadmap. So, should I really be advising my customers to use a technology that doesn’t seem to be under active development? First of all, I should add that it’s not been deprecated. DirectAccess is still a supported feature in Windows Server 2016 (it’s part of the Remote Access server role) – so it’s still got a future. Annoyingly, it’s not a supported workload on Azure (leading to on-premises deployments) but we can’t have everything…

Now for the question of whether to use DA or a traditional VPN. Well, Microsoft MVP Richard Hicks (@RichardHicks) has written a fantastic blog post that goes through this in detail. Rather than paraphrasing, I’ll suggest that you go and read Richard’s post on DirectAccess vs. VPN.

But that’s not the whole picture… you see Windows 10 has a new auto-triggered VPN profile capability that I’m sure will, in time, replace DirectAccess. So, where does that fit in?

Great response there from Richard, and then my colleague Steve Harwood (@steveeh) joined in, advising that Auto VPN still requires a VPN profile and infrastructure but gets initiated through either a Universal Windows Platform (UWP) or desktop app being started or stopped, meanwhile DirectAccess has other benefits from being always-on avoiding the need to expose management/compliance systems publicly.

Actually, it gets a bit better with the Windows 10 Anniversary Update (Redstone 1/1607), which has the Always On VPN profile option, but we’re still Windows-only at this point. Richard has recommended a DirectAccess alternative for Windows, MacOS, iOS and Android:

So if the question is “should you deploy DirectAccess?”, the answer is “maybe”. It’s a Windows Enterprise-only solution but, if you have other clients in your enterprise, you might want to consider alternatives instead of or alongside DA.

Securing the modern productive enterprise with Microsoft technology


“Cybercrime costs projected to reach $2 trillion by 2019” [Forbes, 2016]

99: The median number of days that attackers reside within a victim’s network before detection [Mandiant/FireEye M-Trends Report, 2017]

“More than 63% of all network intrusions are due to compromised user credentials” [Microsoft]

The effects of cybercrime are tremendous, impacting a company’s financial standing, reputation and ultimately its ability to provide security of employment to its staff. Nevertheless, organisations can protect themselves. Mitigating the risks of cyber-attack can be achieved by applying people, process and technology to reduce the possibility of attack.

Fellow risual architect Tim Siddle (@tim_siddle) and I have published a white paper that looks at how Microsoft technology can be used to secure the modern productive enterprise. The tools we describe are part of Office 365, Enterprise Mobility + Security, or enterprise editions of Windows 10. Together they can replace many point solutions and provide a holistic view, drawing on Microsoft’s massive intelligent security graph.

Read more in the white paper:

Securing the modern productive enterprise with Microsoft technology

Missing Office 365 icons after blocking untrusted fonts in Windows 10


One of my customers contacted me recently to ask about a challenge they had seen with Windows 10. After blocking untrusted fonts in Windows 10, they noticed that parts of the Office 365 portal were missing icons.

The problem

The issue is that Office 365 uses a font to display icons/glyphs (to improve the experience when scaling to adapt to different screen sizes). It appears that some browsers are unable to display embedded fonts when they are untrusted – including Internet Explorer, according to one blog post that my colleague Gavin Morrison (@GavinMorrison) found. Apparently Edge has no such issues (though I can think of many more issues that it does have…) and Chrome also seemed to work for me.

There’s some good information about blocking untrusted fonts on TechNet and this highlights that:

“Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.”

The fix

So, that appears to be the issue. What’s the fix?

It seems there are two workarounds – one involves excluding processes from the font blocking (but it’s no good excluding a browser, as the most likely attack vector for a malicious font would be via a website!) and the other involves installing the problematic font to %windir%\Fonts.

Tracking down the Office 365 font

So, where do you get hold of the Office 365 font? I thought it should be part of the Office UI fabric but I couldn’t find it there, nor any reference to it in the Office developer documentation (there are some icons in the fabric – but they don’t seem to be the ones used for the Office 365 portal).

There is a site where you can select Office 365 glyphs and download a font file but I’m not sure that will address the issue with the Office 365 fonts being blocked in the portal, so some more detective work was required…

Stefan Bauer has posted quite a lot of information on the Office 365 fonts (there’s more in his “lab”) but it seems the CDN location Stefan highlights has changed. Thomas Daly found some new locations (and helpfully hosts a copy of the font on his site) but I wanted to signpost my customer to a Microsoft-provided source.

One of the locations that Thomas highlights is https://outlook.office365.com/owa/prem/16.0.772.13/resources/styles/fonts/office365icons.ttf but that results in an HTTP Error 404 now (not found). So I opened the Office 365 portal in my browser and started the Debugger. Then, I found the following line of code that gave me a clue:

<meta name="msapplication-TileImage" content="https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/images/0/owa_browserpinnedtile.png"/>

I used that base location (up to and including the version number) with the tail end of the URI that Thomas had provided and was pleased to find that https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/styles/fonts/office365icons.ttf got me to an installable TrueType font file for the Office 365 fonts on Windows.

I expect the location to change again as the version number is updated but the method of tracking down the file should be repeatable.
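The "repeatable method" above, written out as an added PowerShell example (this is not code from the original post): it reads the msapplication-TileImage meta tag out of the portal's HTML, keeps the base location up to and including the version number, and appends the tail of the path that Thomas Daly identified. The HTML sample embedded below is constructed from the meta tag quoted above so the script runs offline; the commented Invoke-WebRequest lines show where the live portal markup would come from, and the portal URL there is an assumption.

```powershell
# Added example: derive the office365icons.ttf URL from the portal's meta tag.
# $html is a constructed sample containing the tag quoted in the post. Live use would
# replace it with something like:
#   $html = (Invoke-WebRequest -Uri 'https://outlook.office365.com/owa/' -UseBasicParsing).Content
$html = @'
<html><head>
<meta name="msapplication-TileImage" content="https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/images/0/owa_browserpinnedtile.png"/>
</head></html>
'@

function Get-Office365IconFontUrl {
    param([Parameter(Mandatory)][string]$PortalHtml)

    # Pull the tile image URL out of the meta tag.
    $pattern = '<meta\s+name="msapplication-TileImage"\s+content="([^"]+)"'
    $m = [regex]::Match($PortalHtml, $pattern)
    if (-not $m.Success) {
        throw 'msapplication-TileImage meta tag not found; the portal markup may have changed.'
    }
    $tile = $m.Groups[1].Value

    # Everything before "/resources/" is the base location including the version number;
    # the tail is the path Thomas Daly found for the icon font.
    $idx = $tile.IndexOf('/resources/')
    if ($idx -lt 0) { throw "Unexpected tile image path: $tile" }
    return $tile.Substring(0, $idx) + '/resources/styles/fonts/office365icons.ttf'
}

$fontUrl = Get-Office365IconFontUrl -PortalHtml $html
Write-Output $fontUrl
# Expected for the sample above:
# https://r1.res.office365.com/owa/prem/16.1630.11.2221454/resources/styles/fonts/office365icons.ttf

# To fetch the file for installation (or to confirm it still exists before pointing users at it):
# Invoke-WebRequest -Uri $fontUrl -OutFile "$env:TEMP\office365icons.ttf"
```

If the version number moves again the script still works, as long as the meta tag keeps its shape; if Microsoft changes the markup, the explicit throw makes that obvious rather than producing a silently wrong URL.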

Testing my theory

Testing on one of my PCs with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\MitigationOptions set to 0x1000000000000 resulted in Internet Explorer loading the Office 365 portal without icons and Event ID 260 recorded in the Microsoft-Windows-Win32k/Operational log:

C:\Program Files (x86)\Internet Explorer\iexplore.exe attempted loading a font that is restricted by font loading policy.
FontType: Memory
FontPath:

Office 365 fonts blocked - missing icons

After installing the Office 365 icons font (office365icons.ttf) and refreshing the page, I was able to view the icons:

Office 365 fonts installed - icons visible

Uninstalling the font locally and refreshing once more took me back to missing icons.

I then tidied up by setting the MitigationOptions registry key to 0x2000000000000 and restarting the PC, before removing the registry entry completely.
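To make the test above repeatable on other machines, here is an added PowerShell example (not from the original post) that reports the current MitigationOptions font-blocking state and lists recent Event ID 260 entries from the Microsoft-Windows-Win32k/Operational log, so an administrator can see which process tried to load a restricted font. It assumes Windows 10 with the mitigation configured as described; the bit values for block (0x1000000000000), off (0x2000000000000) and audit (0x3000000000000) are taken from Microsoft's "Block untrusted fonts" documentation, and reading the operational log needs an elevated session.

```powershell
# Added example: inspect the untrusted-font mitigation and the events it generates.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$props = Get-ItemProperty -Path $keyPath -Name MitigationOptions -ErrorAction SilentlyContinue

if ($null -eq $props) {
    Write-Output 'MitigationOptions is not set: untrusted font blocking is not configured on this PC.'
} else {
    # REG_QWORD comes back as a 64-bit integer; bits 48-49 hold the font-blocking setting
    # (per Microsoft's documentation: 1 = block, 2 = off, 3 = audit only).
    $value = [long]$props.MitigationOptions
    switch (($value -shr 48) -band 0x3) {
        1 { $state = 'Block' }
        2 { $state = 'Off (explicitly)' }
        3 { $state = 'Audit only' }
        default { $state = 'Not configured' }
    }
    Write-Output ('MitigationOptions = 0x{0:X} -> untrusted font blocking: {1}' -f $value, $state)
}

# Event ID 260 records each font load that was blocked (or, in audit mode, would have been).
$filter = @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No Event ID 260 entries found (no blocked font loads, or the log is not readable).'
} else {
    foreach ($e in $events) {
        # The message has the shape quoted in the post: first line names the process,
        # followed by "FontType:" and "FontPath:" lines.
        $lines = $e.Message -split "`r?`n"
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Process  = ($lines[0] -replace ' attempted loading a font.*$', '').Trim()
            FontType = (($lines | Where-Object { $_ -like 'FontType:*' }) -replace '^FontType:\s*', '')
            FontPath = (($lines | Where-Object { $_ -like 'FontPath:*' }) -replace '^FontPath:\s*', '')
        }
    }
}
```

Run it before and after installing office365icons.ttf to confirm the events stop appearing for iexplore.exe; the same output is useful for spotting any other line-of-business application that relies on embedded fonts before the block setting is rolled out more widely.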

Further reading

Block programs from loading untrusted fonts in Windows 10.

Short takes: super-sized Windows desktop icons; LastPass multifactor authentication; MTP on Windows 10 1607


A collection of short posts that don’t justify their own blog post!

Fixing super-sized Windows desktop icons

Mostly, I don’t get on with track pads – there’s just something about them that I find awkward and before I know it the cursor is shooting off somewhere that I don’t want it to be, icons are being resized, or something equally annoying.

I recently found myself in a situation where an errant trackpad response to my hot hands hovering over it whilst typing had left me with super-sized desktop icons but I couldn’t work out how/why. Luckily this Lifehacker article helped me put things right – a simple Ctrl + mouse scroll got my icons back to the size they should be…

LastPass Multifactor Authentication

For many years, I’ve used LastPass as my Password Manager. I don’t normally reuse passwords and have gradually been increasing the complexity of my passwords but these days I don’t know the password for the majority of the sites I visit – LastPass fills it in for me. The one weakness in all of this though is my master password for LastPass. It’s a long and secure passphrase but what if it was compromised? Well, now I have multifactor authentication enabled for LastPass too. It’s really simple to set up (just a couple of minutes) and options include Google Authenticator as well as LastPass’ own Authenticator app.

MTP not working on Windows 10 anniversary update (1607)

My son has an Elephone P9000 smartphone, running Android Marshmallow. He was struggling to get it working with our family PC to import his pictures until I found this forum post that explains the process. It seems that, on the Windows 10 Anniversary Update (1607), the Media Transfer Protocol (MTP) driver needs to be manually installed:

  1. Go to C:\Windows\INF
  2. Type “wpdmtp.inf” in the search bar to the right of the address bar in Windows Explorer.
  3. Once you’ve found it, right-click on it and select Install. It will take a few seconds.
  4. Connect your device to the PC.