Channel: Ask the Core Team

Deploy Windows to Surface Pro 3 using Microsoft Deployment Toolkit


Hi, my name is Scott McArthur and I am a Senior Support Escalation Engineer on the Deployment/Devices team. In today’s blog I am going to go over the steps to deploy Windows 8.1 Enterprise X64 Update to a Surface Pro 3. In this example I will be using the following deployment technologies:

  • Microsoft Deployment Toolkit 2013 Server
  • Windows Server 2012 R2 WDS server

I will be using the Microsoft USB to Ethernet adapter to PXE boot the MDT 2013 Lite Touch Images from the WDS server. If you don’t have the adapter you could utilize a USB hard drive and Media Deployment from MDT (not covered in this blog). There are various ways to deploy Windows to a device so this is just one example.

Before starting you need to gather up the following:

  • Note: We are going to make the download of this update easier but in the meantime you can grab this update from this link.
  • Optional: Existing Surface Pro 3 with OEM image installed. Used to gather files for Pen Pairing during OOBE

Note: In this blog I am using the Surface Pro 3 as the hardware to build the reference image on. In an environment where you are building an image that will only go on a Surface Pro 3 this is generally not a problem, but if you create a reference image that is going to many different types of systems we recommend that you build your reference image in a Generation 1 Hyper-V virtual machine so that the reference image is “clean” of any drivers, and then use the features of MDT or SCCM to layer the device-specific drivers down during deployment. Since there are so many factors involved I opted to show the simpler of the scenarios, and you can then decide what fits best for your environment and goals.

Step #1: Extract the contents of the Surface Pro 3 Firmware and Driver pack

After downloading the Surface Pro 3 firmware and driver pack you will see the following files:

  • Surface Ethernet Adapter.zip
  • Surface Gigabit Ethernet Adapter.zip
  • Surface Pro – July 2104.zip
  • Surface Pro 2 – July 2014.zip
  • Surface Pro 3 – July 2014.zip

Note: This package is updated on a regular basis so the filenames may be slightly different, but the overall package organization should be similar.

Extract the contents of the following files:

  • Surface Pro 3 – July 2014.zip
  • Surface Ethernet Adapter.zip
  • Surface Gigabit Ethernet Adapter.zip

For the next steps we will assume they were extracted to the following locations

  • C:\Surface_Pro3_July_2014
  • C:\Surface_Ethernet_Adapter
  • C:\Surface_Gigabit_Ethernet_Adapter
  • C:\KB2968599

Step #2: Import OS

In this step we will import the OS. Surface Pro 3 only supports Windows 8.1 X64 Update. This can be Enterprise or Professional.

  • Right click Operating Systems and choose import
  • Browse to your location of your VL Windows 8.1 Enterprise Update X64 ISO
  • Provide directory name such as “Windows 8.1 Enterprise Update X64”
  • Click next and Finish

Step #3: Add the Surface Pro 3 Firmware and Driver pack drivers to MDT

In the Microsoft Deployment Toolkit Workbench create the following folder structure under Out-Of-Box Drivers

image

Note: The last folder must be called “Surface Pro 3”

  • Right click Out-Of-Box Drivers\WindowsPEX64 folder and choose import drivers. Browse to C:\Surface_Ethernet_Adapter and import the driver
  • Right click Out-Of-Box Drivers\WindowsPEX64 folder and choose import drivers. Browse to C:\Surface_Gigabit_Ethernet_Adapter and import the driver
  • Right click Out-Of-Box Drivers\X64\Surface Pro 3 and choose import drivers. Browse to C:\Surface_Pro3_July_2014

Step #4: Create Selection Profile for Windows PE drivers

This step will create a selection profile for Windows PE drivers. This helps to ensure only the necessary drivers are imported into the Lite Touch boot image.

  • In the Microsoft Deployment Toolkit workbench navigate to Advanced Configuration\Selection Profiles.
  • Right click and choose new selection profile
  • Name the selection Profile WindowsPEx64
  • Browse to Out-Of-Box Drivers\WindowsPEX64
  • Select WindowsPEX64 folder

image

  • Next
  • Finish

Step #5: Assign Selection Profile for Windows PE

This step will assign the previously created selection profile to Windows PE Lite touch so that only the drivers under WindowsPEx64 are added to the boot image

  • Right click the Deployment share and choose properties
  • Choose Windows PE tab
  • Choose Platform X64
  • Choose Drivers and Patches tab
  • For selection profile choose WindowsPEx64

image

Step #6: Import Updates

In this step we will import the update that enables the Pen button functionality with modern OneNote. In most cases you would probably add other security updates and other updates to your deployment at this point also.

In the Microsoft Deployment Workbench right click packages and choose import and then browse to C:\KB2968599\Windows8.1-KB2968599-x64.msu

image

Step #7: Create Task Sequence

In this step we will create a task sequence to deploy Windows 8.1 Enterprise Update X64

  • In the Microsoft Deployment Workbench right click Task Sequences and choose new
  • Task Sequence ID=BLDWin81ENTUPX64
  • Task Sequence Name=Build Windows 8.1 Enterprise Update X64 reference image
  • Choose Standard Client Task Sequence
  • Choose the Windows 8.1 Enterprise Update X64 reference image OS
  • Choose Do not Specify a product key at this time
  • Fill out Organization and other information
  • Fill out local administrator password
  • Finish

Step #8: Edit Task Sequence for Drivers

In this step we will edit the task sequence to modify the driver injection step. There are a number of ways to address drivers in MDT. The key to preventing driver installation issues is to make sure that the only drivers used during the deployment are the ones designed for the Surface. If your Out-Of-Box drivers contain drivers for other systems and you do not use one of the options below, then you cannot control which drivers get used during the deployment. This can lead to problems, so we recommend you use Selection Profiles or other methods to ensure only the drivers designed for the Surface are used during the deployment. For additional reading on this topic I encourage you to take a look at this blog

Option #1: Create a selection profile for Out-Of-Box Drivers\Windows81Update\X64\Surface Pro 3 and then set the Inject Drivers TS step to this selection profile. It is recommended to also choose the “Install all drivers from this selection profile” option. The disadvantage of this option is that this TS would be specific to Surface Pro 3. If you configure this option it will look like this in the task sequence

image

Option #2 (Recommended approach): Use the DriverGroup001 variable to set this based on the Model of the system. This is more flexible since it takes the Model (WMI variable from the BIOS) information and uses it to decide which folder to use. This allows the task sequence to work for a variety of devices. The folder names have to match EXACTLY with the Model exposed by the system (MSINFO32 will show you the model).

We will use Option #2 for these steps

In Microsoft Deployment Toolkit workbench right click the task sequence you created earlier and choose properties

  • Choose the Task Sequence tab
  • Browse to the Preinstall phase and look for step called “Inject Drivers”
  • Click the Enable Bitlocker step which is right before the “Inject Drivers” step
  • Click Add, General, Set Task Sequence Variable
  • Set the following:

Name: Set DriverGroup001 variable to Model
Task Sequence Variable: DriverGroup001
Value: Windows81Update\x64\%model%

 

image

  • Choose the Inject Drivers step that occurs after this step, set the Selection profile to Nothing and choose “Install all drivers from the selection profile”. This is important so that all the firmware updates and drivers for devices that are not present (for example, the keyboard) are added to the deployment

image

  • Click apply and save the task sequence

Step #9: Modify the Unattend.xml

In this step we will modify the Unattend.xml to make sure OOBE is completely automated. There is an additional prompt during OOBE to join a wireless network if the wireless driver is available. The TS Unattend.xml does not contain the entry to automate this, since this is a new setting with Windows and the template in MDT 2013 doesn’t contain it.

  • In Microsoft Deployment Toolkit workbench right click the TS and choose properties
  • Choose OS info tab
  • Choose Edit Unattend.xml

Note: This will take a while the first time a catalog is created. If you encounter an error take a look at KB2524737.

  • Navigate to 7 oobeSystem\Microsoft-Windows-Shell-Setup\OOBE
  • For HideWirelessSetupInOOBE choose True

image

Another option to consider modifying at this point is configuring whether or not the Power button shows on the start screen. The OEM image that ships with Surface Pro 3 is configured to show the Power button on the start screen. If you do a new install the default behavior is not to show the power button (by design). For additional information on this behavior and Unattend option to configure this see the following:

KB2959188: Power/shutdown button may be missing from the Windows 8.1 start screen

image

Step #10: Configure Image for Pen Pairing during OOBE (Optional)

During the first boot of the OEM image that ships with the Surface Pro 3 you are prompted during OOBE to pair the pen. In most cases you will probably want to pair the pen after the deployment is complete, but if you would like to add this step to the deployment you can use the following instructions.

Note: The pairing prompt will occur during OOBE so it will interrupt MDT’s automated deployment. Once paired you must click next for it to continue. Ideally this is something an IT person would handle for the user before handing over the device.

1. Take one of your existing Surface Pro 3 devices that has the OEM image on it and copy the following files to USB flash drive or other location:

%windir%\system32\oobe\info\default\1033\oobe.xml
%windir%\system32\oobe\info\default\1033\PenPairing_en-US.png
%windir%\system32\oobe\info\default\1033\PenError_en-US.png
%windir%\system32\oobe\info\default\1033\PenSuccess_en-US.png

2. On the MDT server open Deployment and Imaging Tools Environment cmd prompt

3. Use the DISM command to mount the image you are deploying

Dism /mount-wim /wimfile:"d:\deploymentshare\operating systems\<name of image>\sources\install.wim" /index:1 /mountdir:c:\mount

4. Create the following pathing in the image

C:\mount\windows\system32\oobe\info\default\1033

5. Copy all the files from Step #1 above into this folder

6. Close any Explorer windows and switch to C:\ to make sure there are no open file handles to the c:\mount folder

7. Unmount the image and save changes

Dism /unmount-wim /mountdir:c:\mount /commit

Step #11: Configure Default Display Resolution

The default display resolution for the Surface Pro 3 is 2160x1440. To set this automatically you can add the following entry to your customsettings.ini (Right click the Deployment share, properties, rules):

[Settings]
Priority=Model, Default

[Surface Pro 3]
XResolution=2160
YResolution=1440

This relies on MDT knowing the Model (Surface Pro 3): based on these entries it adds the resolution settings to the Unattend.xml for you.

Step #12: Update MDT server and WDS server

At this point you would want to do a full generation of the deployment share to create the Lite Touch boot images to ensure the Surface Ethernet Adapter driver is incorporated into the MDT Lite Touch boot images and then import these images to your Windows Deployment Service (WDS) server. I would recommend you utilize a 2012R2 WDS server. For additional information on support for UEFI in WDS take a look at KB2938884.

Step #13: PXE boot

The final step is to PXE boot the Surface Pro 3. To PXE boot do the following:

  • Shut the device down
  • Press and hold volume down button
  • Press the Power button
  • When you see the Surface Logo you can let go
  • You should see a prompt to PXE boot. The Surface Pro 3 supports an On Screen Keyboard (OSK)
  • Press the Keyboard icon in upper right of screen
  • Press Enter button on OSK
  • Using arrow keys on OSK choose your MDT 2013 Lite Touch image from the WDS server
  • Then follow the prompts during Lite Touch to initiate the deployment

If you can’t get the Surface Pro 3 to PXE boot check the following:

  • Make sure you are using Microsoft USB to Ethernet Adapter. 3rd party adapters are not supported for PXE booting
  • Check and make sure this issue does not apply to your environment
  • 2602043: Invalid Boot File Received Error Message When PXE booting from WDS

Additional Notes

Some additional tips:

  • Check out my other blog for some additional tips for the PEN at “Deploying Surface Pro 3 Pen and OneNote Tips”
  • If you do not want to see the Deployment Summary at the end of the deployment you can add the following entries to customsettings.ini:

[Default]
;Skip Final Summary Screen
SkipFinalSummary=Yes
;Control behavior after system is complete
;Set FinishAction to one of: Shutdown, Reboot, Restart, Logoff
FinishAction=Shutdown

Thanks for reading this blog and good luck with your Surface Pro 3 deployments.

Scott McArthur
Senior Support Escalation Engineer


Deciphering Storport Traces 101


Welcome back to the CORE Team Blog -- Paul Reynolds here. In previous blogs, I wrote about how to capture Storport traces in Windows 8 and Windows 2012. Please see:

Tracing with Storport in Windows 2012 and Windows 8 with KB2819476 hotfix

And

Tracing with Storport in Windows 2012 and Windows 8 without KB2819476 hotfix

This time around, I would like to explore what information you can draw from the raw data contained in a Storport trace. What conclusions can you reach regarding your disk performance? Do you have a disk that does not perform well?

To accomplish this, we will take advantage of free tools available to Windows and Office 2013 users:

  • Windows PowerShell
  • Windows Performance Toolkit
  • Excel PowerPivot

First, we need to talk briefly about the Windows Storage Stack and where Storport traces are taken. It is important to note that Storport traces are at the very last “rung of the ladder” before Windows hands off I/O request packets to hardware. Hardware in this case encompasses firmware, drivers, HBAs, storage fabrics – anything after the Windows Operating System. It is important because it can help delineate where the problem is. Is the problem with the Operating System or with the hardware? Should I call Microsoft to open a support case or is it more appropriate to talk to my Storage Vendor? Storport traces are the perfect place to start to answer questions such as these.

It is assumed you already have a Storport Trace in hand – an ETL file captured using the procedures documented in the two blogs above for Windows 8 and Windows 2012, or Windows 2008 (see Bob Golding’s blog):

Storport ETW Logging to Measure Requests Made to a Disk Unit

As the old adage goes: a picture is worth a thousand words. When it comes to deciphering Storport traces, viewing graphs that summarize data and show trends, and charts that show averages and maximums, is much more helpful than looking at raw data. The top-level steps we will undertake are:

  1. Capture the Storport Trace
  2. Convert the Storport Trace into CSV format
  3. Scrub the data in the CSV file
  4. Import the data into an Excel Spreadsheet

The easiest way to accomplish the last 3 steps above is to automate it using a Windows PowerShell script. At the end of the blog, there is a zip to download that has this file. Save the PowerShell script as StorPortPACMAN.PS1 in a directory on your C: drive called StorPortPACMAN :

PLEASE NOTE: you must have the following prerequisites installed to successfully run the script above:

1. XPERF needs to be installed and in your system path.

Windows 7 or 8 – use the Windows Assessment and Deployment Kit (ADK): http://www.microsoft.com/en-US/download/details.aspx?id=39982

2. PowerPivot is part of Office 2013 but it needs to be added as a COM Addin. Click here for instructions.

At the end of this blog, there are also 2 spreadsheets in the zip that you must download into the C:\StorPortPACMAN directory.

Run the script, and depending on which version of Windows was being run on the server, one of the Excel Spreadsheets will open and be refreshed with data in your Storport trace.

Here are screenshots of sample graphs and charts you will see in the first page of the spreadsheets:

image

This first graph shows request duration values over the time of the Storport trace. It is very useful to get the “big picture”. For the most part, the disk in this graph is performing fine except for a period near the beginning. Depending on the application you are investigating, this may be fine and the average value is what is important to you. Averages and maximums are shown in the chart below, which is next to this graph in the spreadsheet:

image

Finally, the chart data is presented in the graph below:

image

The Excel spreadsheets and their corresponding graphs and charts are only samples of what you can do for your disk analysis using Storport traces and Excel PowerPivot tools. Why use PowerPivot? For Storport traces it means being able to view and summarize more data. Excel by itself is an excellent tool, but problems may start to develop when your data approaches or exceeds a million rows of data.

It is not uncommon for a Storport trace to contain tens of millions of rows of data, especially if you decide to not use a filter while capturing the data. I generally suggest to not use a filter as your averages will be closer to results you obtain from other tools such as Perfmon or XPERF. Using filters will cause your disk to look worse than it really is.

Request Duration Times, as a rule of thumb, can be summed up as follows for SCSI Read(10) and Non-cached Write(10) I/O:

<  9ms = excellent
< 15ms = good
< 25ms = fair
> 25ms = poor

We purposely use the caveat, rule of thumb, because these values are using an assumed 64KB data I/O size. If a read or write is larger or smaller than that, these values should be adjusted.

Using an Excel Pivot table and chart lends itself well to focusing on a specific LUN through the use of filters built into the table or chart.

Special Cases:

We occasionally see a Storport trace that does not make sense. One example is a VM that has more than one SCSI disk and the Excel spreadsheet shows only one LUN. What happened to my other disk? It is there, but because of the way storage may be presented, the same LUN number is used for more than one disk. So what does one do in a situation such as this? The easiest way is to drag and drop a second property of a disk into the chart or graph you are viewing. There are 4 properties we gather in a Storport trace:

1. LUN
2. Target
3. Bus
4. Port

Since using LUN is not enough, we can add a second property to the chart, Target. To do this, at the top of the spreadsheet click on the Analyze tab under Pivottable Tools, then click on Field List to expose the data available to you. Drag and Drop the Target field onto Rows and underneath LUN. You will see something similar to this:

image

This will let you see all your disks if they have the same LUN number.
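The same disambiguation can be done outside Excel. The following is an added example, not part of the original post or of StorPortPACMAN.PS1: it applies the rule-of-thumb ratings above per disk and shows how grouping by LUN alone can hide a poorly performing disk. The CSV column names and the sample rows are constructed assumptions, and an average of exactly 25 ms is treated as poor.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. The column names are assumptions for this example,
# not the real output format of the conversion script.
SAMPLE_CSV = """Port,Bus,Target,LUN,DurationMs
2,0,0,0,4.0
2,0,0,0,8.0
2,0,0,0,6.0
2,0,1,0,31.5
2,0,1,0,20.5
2,0,2,1,12.0
2,0,2,1,16.0
"""


def rate(avg_ms):
    """Rule-of-thumb rating from the post (assumes roughly 64KB I/O)."""
    if avg_ms < 9:
        return "excellent"
    if avg_ms < 15:
        return "good"
    if avg_ms < 25:
        return "fair"
    return "poor"  # assumption: exactly 25 ms counts as poor


def summarize(csv_text, keys=("Port", "Bus", "Target", "LUN")):
    """Average and maximum request duration per disk, identified by `keys`."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[tuple(int(row[k]) for k in keys)].append(float(row["DurationMs"]))
    summary = {}
    for key, durations in groups.items():
        avg = round(sum(durations) / len(durations), 2)
        summary[key] = {"count": len(durations), "avg_ms": avg,
                        "max_ms": max(durations), "rating": rate(avg)}
    return summary


def shared_luns(summary):
    """LUN numbers used by more than one (Port, Bus, Target, LUN) disk."""
    by_lun = defaultdict(list)
    for key in summary:
        by_lun[key[-1]].append(key)
    return {lun: disks for lun, disks in by_lun.items() if len(disks) > 1}


if __name__ == "__main__":
    per_disk = summarize(SAMPLE_CSV)
    for disk, stats in per_disk.items():
        print(disk, stats)
    print("LUN only:", summarize(SAMPLE_CSV, keys=("LUN",)))
    print("Shared LUN numbers:", shared_luns(per_disk))
```

In the sample, LUN 0 averaged on its own rates as good, while splitting it by Target shows one excellent disk and one poor disk.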
If you are at all like me, viewing charts and graphs might be fine for seeing the big picture and giving presentations, but your inner engineer is screaming to look at the data in detail, to make sure you are comfortable with it and understand it. To do this, click on the POWERPIVOT tab and then the Manage button in the Data Model area. This will open a new window that exposes the raw data to you so that you may filter it, sort it, or anything else you wish to make sure it all makes sense to you before using it.

I hope you find this blog helpful and gives you a new tool to use when investigating disk performance.

Paul Reynolds

Go the modern (app) way


Hello everyone,

This is Ashfana from the Windows Performance team. I’m here to talk about the basic philosophy behind Windows Store Apps, which were introduced in Windows 8 and Windows 8.1. Windows Store apps were originally called Metro or modern apps before the RTM of the product. These are apps developed using a variety of languages like C#, C++, VB, HTML and JavaScript, which provide the modern, full screen immersive experience.

Windows has the largest software ecosystem thanks to millions of developers around the world, and Microsoft’s focus on ensuring backward compatibility for application software. This ecosystem has evolved over time and has reached a stage where we aren’t able to fix some of the limitations and move ahead without causing existing applications to break. Some limitations are installation/uninstallation problems, software state corruption, uncontrolled modification of important system registries and files, unreliable installer components, one app causing another one to crash, and security risks when running Apps under an elevated token. This new App model was introduced to address these reliability and security issues and to develop a new ecosystem that allows Apps to run on multiple hardware platforms with minimal effort for the developer.

Here are some of the features of Store Apps that make it very attractive for consumers and enterprises:

  • Windows Store apps do not need an installer. They are either sideloaded to the image using DISM, or installed via the Add-AppxPackage PowerShell command, or installed directly from the Store or an Azure based portal. You no longer need MSI or other installer components; Windows already has the necessary components that can extract the Appx package and install it.
  • Apps are installed per-user (unless they are sideloaded into the image before deployment). They maintain their state within folders in the user’s profile. This ensures better security.
  • Apps run within a sandbox environment called an App container. This restricts an App from accessing much of the system and the user’s profile by default. Additional resources can be requested by an App by declaring capabilities within its manifest file. During first launch of the App, the user is prompted to allow/confirm access to these additional resources.
  • Desktop Apps run under medium integrity and are able to access the full privileges granted to a user. An untrusted desktop application can pose a greater risk. Windows Store Apps on the other hand run under base privilege and hence provide a greater level of protection.
  • The Appx manifest and blockmap tell Windows how to install the App, so the chances of an installation going corrupt are very low. Even if an installation goes corrupt, it would not affect the system in any way.
  • Store Apps provide an immersive experience, are generally very lightweight, and are best suited for scenarios where hard core processing can be done at the server side and results can be delivered to the App over the network.
  • With the introduction of Universal Apps in Visual Studio 2013 update 2, developers can now write an App once and port it to run on multiple devices such as Xbox, Windows phones, PC, tablets and laptops. This makes application development time much shorter.

Structure of a Windows Store/Universal App:

Windows Store apps are packaged into one or more files with the extension .appx. This appx package is the unit of installation for a Windows Store app. Appx packages are ZIP-based container files that contain the app’s payload files plus info needed to validate, deploy, manage, and update the app. From a high-level view, each Windows Store app package contains these items:

image

App payload
App code files and assets
Payload files are the code files and assets that you author when you create your Windows Store app.

App manifest
App manifest file (AppxManifest.xml)
The app manifest declares the identity of the app, the app's capabilities, and info for deploying and updating.

App block map
App package’s block map file (AppxBlockMap.xml)
The block map file lists all the app files contained in the package along with associated cryptographic hash values that the operating system uses to validate file integrity and to optimize an update for the app.

App signature
App package’s digital signature file (AppxSignature.p7x)
The app package signature ensures that the package and contents haven't been modified after they were signed. If the signing certificate validates to a Trusted Root Certification Authorities Certificate, the signature also identifies who signed the package. The signer of the package is typically the publisher or author of the app.
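The package layout described above can be checked by hand. The following is an added example, not code from the original post or from Microsoft: it opens a package as a ZIP, confirms the manifest, block map and signature parts are present, lists the capabilities the manifest declares, and recomputes the block map hashes for every payload file. It relies on details of the published package format that this post does not spell out (64 KiB blocks, Base64-encoded hashes, the block map namespace), the sample package is constructed inline with placeholder signature bytes, and the signature itself is not validated here, so matching hashes only show that the payload agrees with the block map.

```python
import base64
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

BLOCK_SIZE = 64 * 1024  # block map hashes cover 64 KiB blocks of uncompressed data
BM_NS = "{http://schemas.microsoft.com/appx/2010/blockmap}"
HASH_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}
REQUIRED = ("AppxManifest.xml", "AppxBlockMap.xml", "AppxSignature.p7x")
# Package bookkeeping parts that the block map itself does not list.
UNLISTED_OK = {"AppxBlockMap.xml", "AppxSignature.p7x", "[Content_Types].xml"}


def block_hashes(data, algo):
    """Base64 hash of each 64 KiB block of the uncompressed file content."""
    return [base64.b64encode(hashlib.new(algo, data[i:i + BLOCK_SIZE]).digest()).decode()
            for i in range(0, len(data), BLOCK_SIZE)]


def inspect_appx(blob):
    report = {"missing_parts": [], "capabilities": [], "hash_mismatch": [],
              "missing_files": [], "not_in_blockmap": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        # ZIP entries use '/' (and may be percent-encoded); the block map uses '\'.
        entries = {unquote(n).replace("/", "\\"): n for n in pkg.namelist()}
        report["missing_parts"] = [p for p in REQUIRED if p not in entries]
        if "AppxManifest.xml" in entries:
            # For untrusted packages, prefer a hardened XML parser such as defusedxml.
            manifest = ET.fromstring(pkg.read(entries["AppxManifest.xml"]))
            report["capabilities"] = [
                el.get("Name") for el in manifest.iter()
                if el.tag.rsplit("}", 1)[-1] in ("Capability", "DeviceCapability")]
        if "AppxBlockMap.xml" not in entries:
            return report
        bmap = ET.fromstring(pkg.read(entries["AppxBlockMap.xml"]))
        algo = HASH_METHODS[bmap.get("HashMethod")]
        listed = set()
        for f in bmap.iter(BM_NS + "File"):
            name = f.get("Name")
            listed.add(name)
            if name not in entries:
                report["missing_files"].append(name)
                continue
            expected = [b.get("Hash") for b in f.iter(BM_NS + "Block")]
            if block_hashes(pkg.read(entries[name]), algo) != expected:
                report["hash_mismatch"].append(name)
        # Files present in the ZIP that no hash covers.
        report["not_in_blockmap"] = sorted(set(entries) - listed - UNLISTED_OK)
    return report


def build_sample(tamper=False):
    """Constructed stand-in for an .appx, reduced to what inspect_appx reads."""
    manifest = (b'<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
                b'<Identity Name="Contoso.Sample" Publisher="CN=Contoso" Version="1.0.0.0"/>'
                b'<Capabilities><Capability Name="internetClient"/>'
                b'<DeviceCapability Name="webcam"/></Capabilities></Package>')
    payload = {"AppxManifest.xml": manifest,
               "Assets\\Logo.bin": bytes(70000),  # spans two 64 KiB blocks
               "js\\default.js": b"console.log('hello');"}
    files = "".join(
        '<File Name="%s" Size="%d">%s</File>' % (
            name, len(data),
            "".join('<Block Hash="%s"/>' % h for h in block_hashes(data, "sha256")))
        for name, data in payload.items())
    blockmap = ('<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
                'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">%s</BlockMap>' % files)
    if tamper:
        payload["js\\default.js"] = b"console.log('patched');"  # changed after hashing
        payload["extra.dll"] = b"MZ"                            # never hashed at all
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, data in payload.items():
            pkg.writestr(name.replace("\\", "/"), data)
        pkg.writestr("AppxBlockMap.xml", blockmap)
        pkg.writestr("AppxSignature.p7x", b"placeholder, not a real signature")
        pkg.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("tampered", build_sample(tamper=True))):
        print(label, inspect_appx(blob))
```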

Packaging app:

When you create an app using Visual Studio, it packages your app and automatically adds the app block map and signature files to the package. You can also use the standalone MakeAppx and SignTool utilities if you want to package your app manually.

The steps that are involved in Package installation:

image

The Windows Store app deployment process occurs in multiple phases.

1) In the first phase, Windows acquires and validates the app manifest, app block map, and app signature. It checks the OS version and dependencies, sees if you have sufficient disk space, and also whether this app is already installed.

2) In the second phase Windows checks the app package’s deployment criteria to ensure that the app deployment will be successful.

3) Windows stages the package’s contents on the disk in the %ProgramFiles%\WindowsApps directory in a new directory named after the package identity:

<Package Name>_<Version>_<Architecture>_<ResourceID>_<Publisher Hash>

4) Windows registers the package into the user's account. During this phase, the extensions that are declared in the manifest are registered with the operating system.

The Future:

With this release of Visual Studio 2013, we have set out to accomplish three major goals:

1) Reach customers across phones, tablets, and PCs;

2) Deliver innovation that supports developer investments;

3) Make cross-platform technology easier and more capable.

image

Develop once for all Windows devices using a unified Windows runtime and VS tools that allow you to both support experiences unique to a device in XAML, HTML, and DirectX, and share the code that supports those experiences across all devices using C++, C#, or JavaScript. When your work is finished you can produce the app packages that you will submit to the Windows Store and Windows Phone Store with a single action to get your app out to customers on any Windows device. You may also just sign it and deploy it through SCCM.

More links:

Package manifest schema reference
http://msdn.microsoft.com/en-us/library/windows/apps/br211473.aspx

Capabilities of an App:
http://msdn.microsoft.com/en-us/library/windows/apps/br211422.aspx

Create an app package
http://msdn.microsoft.com/en-us/library/windows/apps/hh975357.aspx

App packager (MakeAppx.exe)
http://msdn.microsoft.com/en-us/library/windows/apps/hh446767.aspx

SignTool
http://msdn.microsoft.com/en-us/library/windows/apps/ff551778.aspx

How to create an app package signing certificate
http://msdn.microsoft.com/en-us/library/windows/apps/jj835832.aspx

Ashfana Begum
Support Engineer
Microsoft Performance Team

Announcing public availability of MBAM Compliance Data Cleanup Tool 2.5

We are happy to announce public availability of MBAM Compliance Data Cleanup Tool 2.5 (clean-mbam.exe), aka MBAMCDCT 2.5.

MBAM Compliance Data Cleanup Tool 2.5 (clean-mbam.exe) is a command line tool which enables you to delete machine records from the ‘Compliance Status’ database of the MBAM 1.0 and MBAM 2.0, MBAM 2.0 SP1 and MBAM 2.5 standalone.

There have been situations where you, as an MBAM admin, had to delete the entries of older/reimaged machine records from the MBAM compliance database. The only solution in this case was to run complex SQL queries to delete machines from the database. This tool helps you report the true state of encryption compliance in your environment by deleting the obsolete information from the MBAM Compliance Status database.

Because it is a command line tool, you can schedule stale data deletion as a task to automate deletion of obsolete machine records from the MBAM compliance database.


This tool provides three different ways to delete machine records from the MBAM Compliance Status database:

1.     Delete machines which have not reported in last X days.

2.     Delete machines specified in a comma separated list via command line.

3.     Delete machines specified in a text file.


Note: This tool doesn’t delete the recovery information or any other data from MBAM Recovery and Hardware Database. All delete operations are performed strictly on the MBAM Compliance Status Database.

This tool is available for download from the TechNet website http://gallery.technet.microsoft.com/MBAM-Compliance-Data-9b4c950d as a self-extractable compressed file, which includes the executable and documentation.

Hope this tool helps you report the true state of encryption compliance in your environment by deleting the obsolete information from the database.

Disclaimer:

This tool and documentation are provided "as-is". You bear the risk of using it. No express warranties, guarantees or conditions are provided. The tool supplied in this document is not supported under any Microsoft standard support program or service. However, you can report issues and bugs in the comments section on this page. Microsoft will, at its sole discretion, address issues and bugs reported.


Himanshu Singh

Windows Core Team

Virtual Machine Checkpoint fails with Access Denied when running on a Clustered Shared Volume


When you attempt to create a CheckPoint of a virtual machine that is running on a Cluster Shared Volume (CSV), you may receive a General access denied error as shown below.

clip_image001

You will receive this error if the virtual machine’s VHD is placed on the root of the drive.

clip_image002

clip_image003

The reason for the access denied error is that the VM worker process (VMMS) does not have the relevant permissions on the CSV volume.  Below are the default permissions that are present for a typical CSV volume.  It is strongly recommended that these permissions not be changed.

clip_image005

To resolve the issue, migrate the storage from Failover Cluster Manager or reconfigure the VM and place the VHDX in a folder off the root.  By moving the VHDx to a subfolder or if the VM is reconfigured, the VMMS service updates the permissions on the subfolder as it should.

For example, this is the current location of the file: 

C:\ClusterStorage\Volume1\Test Lab.Vhdx

You would want to move it (and any other VHDX files present) to a subfolder you can create, such as this: 

C:\ClusterStorage\Volume1\Test Lab\Test Lab.Vhdx

There are several options you can run through to accomplish this task.

Option 1:

Using the Virtual Machine Storage selection from Failover Cluster Manager, move it to the folder you created.  This is an option that can be done without affecting production as it can be done while the virtual machine is online and running.

clip_image007

clip_image008

Option 2: 

Shut the virtual machine down and, in Explorer, move the VHDx from the root of CSV to a folder you create.  In Failover Cluster Manager, bring up the settings of the virtual machine and manually change the path of the relocated VHDx.  This is an option that can be done but will affect production as it cannot be done while the virtual machine is online and running.  So you would need to schedule downtime to accomplish this task.

General Rule:

Microsoft has always recommended against keeping any type of data files in the root of a drive.  Even though things may appear to work fine, problems could arise from this configuration.

Shasank Prasad
Senior Support Escalation Engineer
Microsoft Corporation

Asset Tag Tool for Surface Pro 3


Hi my name is Scott McArthur and I want to call out a tool that recently came out that allows Enterprise customers to set Asset Tags on Surface Pro 3.

This tool is available for download at the following location:

http://www.microsoft.com/en-us/download/details.aspx?id=44076

The tool requires the following:

  • Surface Pro 3 (other Surface devices not supported)
  • UEFI firmware version 3.9.150.0 or newer

It can be run from within Windows or from WindowsPE.  The download comes with a README.TXT that contains the following reference:

This tool gets or sets the proposed Asset Tag, which will be applied on next reboot.

The current Asset Tag is an SMBIOS setting which can be queried via WMI:

(Get-WmiObject -query "Select * from Win32_SystemEnclosure").SMBiosAssetTag

To get the proposed asset tag:

AssetTag -g

To clear the proposed asset tag:

AssetTag -s

To set the proposed asset tag:

AssetTag -s testassettag12

Valid values for this can be:

  • up to 36 characters long
  • valid characters including A-Z, a-z, 0-9, period and hyphen

You can view the Asset Tag in the UEFI settings under Device Information.


Here is a PowerShell script demonstrating a way to get the proposed value and interpret errors.

Note that stdout contains the Asset Tag and stderr contains error messages.

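# ">" in PowerShell redirects to a file path, not into a variable, so capture
# stdout (the tag) by assignment and send stderr (error text) to a temp file.
$error_file = [System.IO.Path]::GetTempFileName()
$asset_tag = (AssetTag -g 2> $error_file | Out-String).Trim()
$asset_tag_return_code = $LASTEXITCODE
$error_message = (Get-Content $error_file | Out-String).Trim()
Remove-Item $error_file

if ($asset_tag_return_code -eq 0) {
     Write-Output ("Good Tag = " + $asset_tag)
} else {
     Write-Output (
          "Failure: Code = " + $asset_tag_return_code +
          " Tag = " + $asset_tag +
          " Message = " + $error_message)
}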

Hope this helps with your Deployments.

Scott McArthur
Senior Support Escalation Engineer

Updating Surface Pro 3 firmware (Cross Post)


Hi this is Scott McArthur and I just wanted to call attention to a blog that I worked on with some of our PFE engineers that just posted related to Surface. 

How to Update the Surface Pro 3 Firmware Offline using a USB Drive
http://blogs.technet.com/b/askpfeplat/archive/2014/10/20/how-to-update-the-surface-pro-3-firmware-offline-using-a-usb-drive.aspx

This blog shows you how you can update firmware from a bootable WindowsPE USB flash drive.  This is useful for some scenarios where you need updated firmware BEFORE you do a deployment to the device.  Hope it helps with your Surface deployments.

Scott McArthur
Senior Support Escalation Engineer

Cross Post: Using Bing for technical instant answers and automated solutions


This is a cross post from William Keener’s Support Diagnostics and Automated Solutions blog that we wanted to add to our site.  It relates to Bing and instant answers about Microsoft Products/Technologies/Support issues and here on the AskCore site, we are all about getting this type of information out there.  Any comments made should be made on the originating post so it can be properly seen, heard, or answered.

-------------------------------------------------------------

Using Bing for technical instant answers and automated solutions
http://blogs.msdn.com/b/williamk/archive/2014/10/31/using-bing-for-technical-instant-answers-and-automated-solutions.aspx

Bing has been providing factual instant answers (and translation instant answers) for some time now, but recently they added "technical" instant answers for questions about Microsoft products and technologies or technical support issues. My previous team built the content management system that our internal content delivery teams are now using to add technical instant answers to Bing. Here's an example technical instant answer for the "Cortana" search term: 

Now that I'm working on support diagnostics and automated solutions again, I have been working with the Bing and content delivery teams to get some instant answers created with links to some of our automated solutions.

And I'm happy to announce that the first one is live! So you can now search for "Windows Update Troubleshooter" (or a variety of related terms and error messages) and the first result will be a technical instant answer with a link to download and run our automated troubleshooter to fix problems with Windows Update.

When you click the link in step 3, you will be prompted to open (or run) or save the troubleshooter.

Just click Open (or Run) to launch the troubleshooter.

The content delivery teams will be constantly adding more technical instant answers, and we hope to have more live with automated solutions soon!

Note that technical instant answers are also available in the Bing app on Windows Phone. To see the phone experience, tap Search and then type or say "cortana" on your Windows Phone. Then click the "See More" link at the bottom of the second result (after the ad - "Meet Cortana on Windows Phone 8.1") and swipe left or right to view the content on each of the tabs.


Surface Pro 3 Hibernation Doesn’t Occur on Enterprise Install


Hi my name is Scott McArthur and I want to call out a recently published KB article:

Surface Pro 3 doesn't hibernate after four hours in connected standby
http://support2.microsoft.com/kb/2998588

If you are deploying an image to Surface Pro 3, you are missing out on the feature where after 4 hours in Connected Standby the device will hibernate. This is a key feature related to battery life so I would recommend that all Enterprise customers install KB2955769 and incorporate these PowerCfg commands into your deployment.

If you use Microsoft Deployment Toolkit 2013 for your deployments this is super easy. Here are the steps:

1. Under Packages, import KB2955769


2. Create PowerCfg_Sp3.bat that contains the following commands:

REM sets CS battery saver time-out to four hours:
powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400
powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 7398e821-3937-4469-b07b-33eb785aaca1 14400

REM sets CS battery saver trip point to 100:
powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100
powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f 1e133d45-a325-48da-8769-14ae6dc1170b 100

REM sets the CS battery saver action to hibernate:
powercfg /setdcvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001
powercfg /setacvalueindex SCHEME_CURRENT e73a048d-bf27-4f12-9731-8b2076e8891f c10ce532-2eb1-4b3c-b3fe-374623cdcf07 001

powercfg /setactive SCHEME_CURRENT

3. Save PowerCfg_Sp3.bat to your Deploymentshare\Scripts folder

4. Open up the task sequence you use to deploy Windows and add a custom task in the state restore phase called PowerCfg-SP3


5. In the properties of this task sequence step, edit the following:


6. Click the Options tab and add conditional for “Task Sequence variable model equals Surface Pro 3”


Note: This ensures the step only runs on Surface Pro 3 devices, using the model variable.

Hope this helps with your Surface deployments, and keep an eye on this blog for more tips and tricks for Surface.

Scott McArthur
Senior Support Escalation Engineer

How to make your existing BitLocker encrypted environment FIPS compliant


Hello, my name is Mayank Sharma and I am a Technical Advisor here at Microsoft. In this blog, I will discuss FIPS compliance with BitLocker, Microsoft's solution for completely encrypting data inside laptops, desktops and removable drives. So let’s get started...

FIPS stands for Federal Information Processing Standard, a set of United States Government standards that provide a benchmark for implementing cryptographic software. It basically means that if software is approved by one of the labs that test for FIPS compliance, the software meets the government standard for cryptography and can therefore be used by the US Federal government and organizations around the world. There is a lot that can be written about FIPS, so I will route you to the following link:

FIPS Compliance
http://technet.microsoft.com/en-us/library/cc180745.aspx

To enable FIPS on a computer, i.e. to tell it that it has to be compliant with the government policies, we need to alter the following group policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The name of the policy is the following:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Now that we know what FIPS is and what it does, let’s focus our attention back on BitLocker, Microsoft’s security solution for protecting data across laptops and desktops. BitLocker uses multifactor authentication to ensure BitLocker encrypted drive(s) always remain in good hands. To accomplish this, it uses multiple protectors to protect a volume. Some are ‘primary’ protectors that are used most of the time, namely TPM, TPM and PIN, Password etc.; others are used when BitLocker senses that something has changed and goes into a lockdown mode. In lockdown mode, it asks the user to prove that they are genuine. Examples of these protectors include recovery password, recovery key, Data recovery agent, etc.

Now here comes the tricky part. Whether or not BitLocker is FIPS compliant is decided by whether the cryptographic keys a protector uses are themselves FIPS compliant. Password protectors for the operating system drive/fixed data drive are not compliant with the FIPS specification, and neither is the recovery password until Windows 8.  The article below discusses this in more detail:

The recovery password for Windows BitLocker is not available when FIPS
compliant policy is set in Windows Vista, Windows Server 2008, Windows 7
and Windows Server 2008 R2
http://support.microsoft.com/kb/947249

Let’s say there is a ‘happy go lucky’ organization that uses TPM+PIN protectors to authenticate the OS drive of users’ laptops running Windows 7 and stores recovery passwords in the MBAM database. If a user gets locked out, Helpdesk provides the recovery password to the user to unlock the machine. This is the happy ending of the story, until one day FIPS has to be implemented mandatorily.

a. Will this happy go lucky organization be FIPS compliant? No, as it is using the recovery password as a protector, which is not FIPS compliant.
b. Does this mean the whole infrastructure needs to be rebuilt from scratch? Of course not!

Steps to make this environment FIPS compliant:

Step 1:

We need to get rid of the recovery password, which is what makes the infrastructure non FIPS compliant. The first thing to do is delete the recovery password associated with this Windows 7 machine. Run the following from an elevated command prompt:

manage-bde -protectors -get c:

This lists all the protectors

Volume C: [OSDisk]
All Key Protectors

    TPM And PIN:
      ID: {161941A3-8CB3-439C-8FC6-1642D0C97C8D}
      PCR Validation Profile:
        0, 2, 4, 11

    Numerical Password:
      ID: {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}
      Password:
        017666-710820-610731-029986-330385-020009-303017-612733

Note the ID of the Numerical Password protector. To delete it, run the following command:

manage-bde -protectors -delete c: -id {C6DF1E74-467F-4BE8-9C59-C9A9F345B9A0}

This will delete the recovery password protector.

Step 2:

Now, imagine the user forgets the PIN or gets locked out for any other reason. We need a way to get back into the machine, so we need to add a protector that will help us in lockdown situations. Fortunately, we still have a choice here: we can add either of the two protectors that are FIPS compliant.

a. Data recovery agent

How to use Bitlocker Data Recovery Agent to unlock Bitlocker Protected Drives
http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

b. Add a recovery key to the volume. This is as simple as running the command below, where e: is the destination drive where you want to store the .BEK file.

manage-bde -protectors -add c: -rk e:

Just save this file in a safe place.  If a machine gets locked out, copy it over to a USB drive.  More information can be found here:

What is a BitLocker recovery key?
http://Windows.microsoft.com/en-in/Windows7/what-is-a-bitlocker-recovery-key

Step 3:

Though not mandatory, there is one more step. Once we enable the group policy for FIPS, it will not allow the creation of recovery passwords. We can additionally disable the creation of any more recovery passwords: just disable the policy under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.

As "Password" is not a FIPS compliant protector, you cannot use it with a fixed data drive either. We can use either a smart card protector or a DRA… And happy go lucky should be happy again!

As stated above, this is specifically meant for Windows 7/Vista and Windows Server 2008/2008R2. Had the company been proactive in moving along to a newer version of Windows (i.e. Windows 8/8.1, Windows Server 2012/2012R2), it would not have any effect on them. The recovery password is FIPS compliant for Windows 8 and above operating systems.
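The following is an added example, not part of the original post: it parses `manage-bde -protectors -get` output in the layout shown in Step 1 and reports which protectors are not FIPS compliant on the pre-Windows 8 systems discussed here, and whether a FIPS compliant recovery protector is already present. The function names, the constructed sample listing, and the English protector labels "External Key" (recovery key) and "Data Recovery Agent" are assumptions.

```powershell
# Added example: classify BitLocker key protectors against the pre-Windows 8 FIPS rule.
# Constructed sample in the layout manage-bde prints; IDs and password are placeholders.
$SampleOutput = @'
Volume C: [OSDisk]
All Key Protectors

    TPM And PIN:
      ID: {11111111-1111-1111-1111-111111111111}
      PCR Validation Profile:
        0, 2, 4, 11

    Numerical Password:
      ID: {22222222-2222-2222-2222-222222222222}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000
'@

function Get-BdeProtectorAudit {
    # No Mandatory attribute: the listing contains blank lines, which a mandatory
    # [string[]] parameter would reject.
    param([string[]] $Lines)

    $previous = ''
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq '') { continue }

        # Every protector block is "<Type>:" followed by "ID: {GUID}". Keying on the
        # ID line avoids mistaking the "Password:" field inside a Numerical Password
        # block for a separate Password protector.
        if ($text -match '^ID:\s*(\{[0-9A-Fa-f-]{36}\})$') {
            $type = $previous.TrimEnd(':')
            if (@('Numerical Password', 'Password') -contains $type) {
                $status = 'NotFipsCompliant'   # per the post, before Windows 8
            } elseif ($type -like 'External Key*' -or $type -like 'Data Recovery Agent*') {
                $status = 'FipsRecovery'       # recovery key (.BEK) or DRA (assumed labels)
            } else {
                $status = 'Other'              # TPM-based and anything unrecognized
            }
            # The recovery password value itself is deliberately never captured.
            New-Object PSObject -Property @{ Type = $type; Id = $Matches[1]; Status = $status }
        }
        $previous = $text
    }
}

function Get-BdeFipsSummary {
    param([string[]] $Lines, [string] $Drive = 'c:')

    $protectors = @(Get-BdeProtectorAudit -Lines $Lines)
    $bad        = @($protectors | Where-Object { $_.Status -eq 'NotFipsCompliant' })
    $recovery   = @($protectors | Where-Object { $_.Status -eq 'FipsRecovery' })

    New-Object PSObject -Property @{
        Protectors      = $protectors
        HasFipsRecovery = ($recovery.Count -gt 0)
        # Commands are only printed for review, in the cmd.exe form used in Step 1.
        DeleteCommands  = @($bad | ForEach-Object {
            "manage-bde -protectors -delete $Drive -id $($_.Id)"
        })
    }
}

# Offline run against the constructed sample.
# Live use from an elevated prompt (English output assumed):
#   Get-BdeFipsSummary -Lines (manage-bde -protectors -get c:)
$summary = Get-BdeFipsSummary -Lines ($SampleOutput -split "\r?\n")
$summary.Protectors | Format-Table Type, Id, Status -AutoSize
"FIPS compliant recovery protector present: $($summary.HasFipsRecovery)"
$summary.DeleteCommands
```

Run against a machine after Step 2, the summary should show a FipsRecovery entry and no NotFipsCompliant entries.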

So this is pretty much it. Keep your machines encrypted until next time.

I thank Himanshu Singh for taking time out to go through this blog.

Mayank Sharma
Technical Advisor
Windows Deployment Services

Free Webcasts from Microsoft’s US Central Marketing Organization (USCMO)


The US Central Marketing Organization (USCMO) here at Microsoft is putting on a new and improved set of webcasts and I wanted to put them up for those who wish to view them.  Each webcast will stream live with interactive Q&A and will be made available on demand.  These webcasts run for about 30-60 minutes.  Please feel free to register at any time.

Protect Your Business Against Online Fraud
http://aka.ms/protectblog
January 20, 2015
In recent years the online fraud epidemic has become a reality.  Is your business secure?

Social in the Enterprise
http://aka.ms/enterpriseblog
January 21, 2015
FOX Business Network anchor Maria Bartiromo, the first journalist ever to report live from the floor of the NY Stock Exchange, shares why a good social strategy is crucial. Social networking expert and best-selling author Gary Vaynerchuk shares the secrets to social success in the enterprise. Charlene Li, renowned author and leadership and social consultant, provides concrete recommendations for how organizations can build effective networks to become leaders in the digital era. Andy Sernovitz, leader of the word of mouth movement, explains how building internal communities increases productivity and effectiveness. And host Alex Bradley, Microsoft Office, presents new, innovative social solutions. 

Windows Server 2003 Migration: Hardware Modernization
http://aka.ms/WS03blog
January 22, 2015
With the Pending End of Support in July 2015, organizations must understand their rationale for migration from WS03.  This is not just a support issue but importantly an opportunity to enlist the power and flexibility of modern infrastructures running platforms like Windows Server 2012 and Azure.  Migrating simply sets your infrastructure up to harness your Enterprise Cloud strategy both on and off premise.  You want to make sure that your hardware keeps pace with these dynamic technologies.  This webcast covers some of the most important aspects of upgrading the workloads on modern hardware.

It’s a New Year, Be Ready to Adapt
http://aka.ms/adaptblog
January 22, 2015
It’s a new year, be ready to adapt. Every New Year brings both the promise and the challenge of a quickly changing business environment. Staying ahead of the curve! Whether it’s your customers’ needs, security risks or compliance that require instant access to the data that will support good decisions.

HIPAA Compliant Cloud Solutions with Microsoft BAA
http://aka.ms/BAAblog
January 23, 2015
Join us for this important webcast on January 23rd at 11:00AM PST to learn about Microsoft’s HIPAA Business Associate Agreement (BAA). This discussion will help you to better understand how healthcare organizations with a Microsoft BAA can move toward a contemporary plan for using Microsoft’s cloud services. This webcast will show how the Microsoft BAA provides healthcare organizations with the opportunity to use cloud solutions to improve patient outcomes while maintaining compliance with the privacy and security regulations that are outlined in HIPAA.

Announcing the Enterprise Cloud Suite
http://aka.ms/suiteblog
January 26, 2015
With Enterprise Cloud Suite (ECS), Microsoft is now able to offer a comprehensive solution to customers that provides:
• End-to-End Productivity: provide users with tools to collaborate and stay in sync anytime, anywhere
• Data Protection: enable strong authentication, encryption and access controls across devices
• Device Management: manage devices and applications across PCs, smartphones and tablets
• Unified IT environment: leverage existing investments for identity and device management across on-premises software and cloud services
• Pricing: ECS provides the best pricing through built-in suite discounts vs. buying components separately

Get a fresh start in 2015 with new Windows devices
http://aka.ms/windeviceblog
January 28, 2015
Celebrate the New Year and get more productive in 2015 with the latest technology powered by Windows 8.1. Whether you’re looking for laptops, 2-in-1 devices, or tablets, there is definitely a lot to choose from. Join us on January 28th to check out a broad range of Windows 8.1 devices and special offers. In the meantime, visit the Windows for Business (http://www.microsoft.com/en-us/windows/enterprise/default.aspx) website to stay up to date!

Need fast AND affordable? Why not try SQL Server?
http://aka.ms/SQLserverblog
January 29, 2015
Why did RSI Retail Solutions, Lifetime Products, and Havas Media migrate to SQL Server? SQL Server runs mission critical workloads, provides top-of-the-line security features, and enables customers to leverage existing assets and knowledge base – without costing a fortune. By switching or adding new workloads to SQL Server 2014, you can improve your data platform performance and your bottom line on your terms.  Join Marcello Benati, Microsoft Solution Specialist, to learn how to easily migrate existing and new mission-critical workloads to SQL Server 2014.

Mobile Productivity in the Modern Workplace
http://aka.ms/mobileblog
February 4, 2015
Mobility is changing our personal and professional lives.  People are bringing their personal devices and apps to work. Employees expect more dynamic work environments to take advantage of mobile capabilities and work from anywhere. Apps, including productivity tools, need to work well on mobile devices and in the business scenarios these devices are used. To get work done from anywhere, mobile devices with basic services, like email, aren’t enough. In this webcast you will learn how Microsoft provides the richest productivity solution across any device, for any type of worker, in a secure, enterprise-grade way.

Windows Server 2003: Most Common Application Migration Concerns
http://aka.ms/commonblog
February 5, 2015
Build your migration plan - do it yourself, collaboration with a partner, or use a service.  Find out about your options whether moving your applications to the cloud or keeping in your infrastructure. 

Enabling Customer Insights Using Business Analytics
http://aka.ms/customerblog
February 12, 2015
Business analytics is about capturing that information in real-time and empowering people to put it to use, by combining data in new ways, to generate new insights. Hear from Pier 1 on how they use business analytics to drive their business.

Windows Server 2003: Security Risk and Remediation
http://aka.ms/remeblog
February 18, 2015
With Windows Server 2003 support ending on July 14, 2015, many organizations find themselves in the situation where legacy, mission critical workloads and applications are running on a soon to be unsupported platform. Some organizations may be considering alternate security strategies – like ring-fencing their existing Windows Server 2003 servers – as a way to delay migration. This webinar examines the viability of common risk remediation tactics for Windows Server 2003 and makes the case that migration is ultimately the best option.

The Connected Workforce
http://aka.ms/connectedblog
February 18, 2015
The world has become a giant network, with people connecting in new ways using social and mobile technologies. Has your company adapted to this networked world? By delivering seamless social experiences across familiar work applications on an enterprise-grade platform, Microsoft helps over 400,000 companies worldwide engage, inform and connect employees. During this webcast you will learn how Microsoft can help your company connect, inform, and engage employees using enterprise social technologies.

KMS Activation High Level Overview


Hello, folks!

This blog aims to provide a high level overview of the Key Management Server (KMS) technology.

You may have found a lot of dispersed activation information available elsewhere on the Internet, but I’m going to try and pull it all together for you in a concise format that I hope you’ll find is easy to digest.

First, make sure you can meet the initial KMS requirements for deployment:

1. By default, the following ports are required for activation:

  • 80
  • 443
  • 1688

2. Activation requests are fulfilled after meeting the corresponding product count minimum.

  • Workstation OS: 25
  • Server OS: 5
  • Office: 5

3. Activated products require a connection to the corporate network at least once every 180 days.

Next, let’s take a look at the basic KMS infrastructure:


KMS host machines distribute activation signals, whereas KMS clients are machines that need to be activated (they can be either servers or workstations).

KMS host and client machine roles are distinguished by the type of key used. A KMS Host Key directs the host machine to create a SRV record (_VLMCS) in DNS. To obtain a host key, visit here. A KMS Client Key directs client machines to look for a SRV record in DNS that points to the KMS host machine. Obtain a client setup key here.

 

Office Volume Activation:

The Microsoft Office Volume License Pack is required on Office KMS host. Obtain the license packs here:

Microsoft Office 2013 Volume License Pack
Microsoft Office 2010 KMS Host License Pack

After installing the license pack, it will prompt you to install Office KMS host key. If nothing goes wrong with that process, your Office KMS should be all set.


For your reference, here are TechNet guides for setting up Office KMS activation.

Prepare and set up the Office 2013 KMS host
Set Up an Office 2010 KMS Host

 

Additional Tool:

Volume Activation Management Tool (VAMT) is a free utility that is very helpful to apply product keys and manage activation status.

Download and Installation

  • This tool is part of the Windows Assessment and Deployment Kit (ADK), available here.
  • The latest version of VAMT is 3.1 as of this writing, and supports OS’s up to Windows 8.1 and Server 2012 R2.
  • VAMT Requirements:
      • The .NET Framework is required and is installed automatically with the ADK.
      • SQL Server Express is required and you should choose to install it as a feature when going through the ADK setup wizard.
  • More Information:

There are a couple of best practices to keep in mind when using KMS, and a few common mistakes you’ll want to avoid.

 

Best Practices

  1. KMS OS host and KMS office host can be the same server
  2. Keep roaming users on MAK key (roaming users are those who would not be connected to the company domain at least once every 180 days)

 

Common KMS Mistakes

  1. Installing a KMS host key on clients.
  2. The KMS host key does not match the host machine OS
  3. The latest patches have not been applied to the host machine.

 

And now on to some common KMS commands you’ll want to keep on tap.

Install a product key on the KMS Host:

  • slmgr /ipk <KMS Host Key>

Activate a product key:

  • slmgr /ato

Display OS License Information:

  • slmgr /dlv

Display All License Information (including office activation status):

  • slmgr /dlv all

Note: The popup window for this command doesn’t scroll, so run the following command to write the output to a text file.

cscript.exe c:\windows\system32\slmgr.vbs /dlv all > c:\temp\dlv.txt

I hope this has been a helpful high-level overview of our KMS technology and wish you all the best!

Kind regards,
Sophie Fei Xu
Support Escalation Engineer
Microsoft Global Business Support

The Four Stages of NTFS File Growth, Part 2


A few years ago I wrote a blog entry entitled, “The Four Stages of NTFS File Growth”.

This attempted to explain what happens to a file as it gains complexity. Complexity being akin to fragmentation.

If you have not read the above mentioned blog entry, please do so now. This information will not make the slightest bit of sense unless you read my earlier post. I’ll wait.

http://blogs.technet.com/b/askcore/archive/2009/10/16/the-four-stages-of-ntfs-file-growth.aspx

Welcome back.

Since its posting, I have answered a number of questions, mostly about the structure called the attribute list. So today I want to cover this a little more in-depth to hopefully address some of these said questions.

In the previous blog entry, I explained how very complex files had the potential of creating an attribute list (shown below).

[Diagram: a base file record, its child records and the attribute list that tracks them]

The base record and all the child records are each 1kb in size. Each child record keeps track of a portion of the file’s data stream. The more fragmented the data stream, the more mapping pairs are required to track the fragments, and thus the more child records will be created. Each child record must be tracked in the attribute list.

Keep in mind that the child records can hold much more than just two mapping pairs. This is just simplified to keep the diagram from being completely unreadable.

The problem with this is the attribute list itself. It is NOT a child record; it is created using free space outside the Master File Table (MFT). A file’s attribute list has a hard limit on how large it can grow. This cannot be changed. If it were, it would break backwards compatibility with older versions of NTFS that wouldn’t know how to deal with a larger attribute list.

NOTE: The diagram shows the attribute list as being smaller than the 1kb file record. And while it is true that it starts out that way, the upper limitation of the attribute list is 256kb.


So it is possible to hit a point where a file cannot add on any additional fragments. This is often the case when the following error messages are encountered.

  • Insufficient system resources exist to complete the requested service
  • The requested operation could not be completed due to a file system limitation

What these messages are trying to tell us is that the attribute list has grown to its maximum size and additional file fragments cannot be created.

To put this into perspective, this isn’t simply about file SIZE. It has to do with how fragmented the file is. In fact it is very hard to MAKE happen. There are really only two scenarios where it is somewhat common.

  • Compressing very large files, like virtual hard disks (VHD)
  • Very large SQL snapshots, which are sparse

Both compressed and sparse files introduce high levels of fragmentation because of how they are stored. So very large files that are also sparse or compressed run the risk of hitting this limitation. To add to the problem, you cannot clear this up by running defragmentation/optimization. Sparse and compressed files are going to be fragmented.

The good news is that we figured out a way around this. The bad news is that it isn’t really well understood.

It really starts with this hotfix.

http://support.microsoft.com/kb/967351/

Installing the hotfix doesn’t resolve the issue by itself. What this hotfix does is that it gives us the ability to create instances of NTFS that use file records that are 4kb in size, rather than the 1kb that NTFS has used for the longest time.

How is this possible? If we can’t change the size of the attribute list, how can we change the size of file records?

The attribute list is a hard coded limitation. Microsoft made the decision, for performance reasons, that we really should keep a lid on how big the attribute list should grow. On the other hand, file record size is self-defined. By default, the size is defined as 1kb, but records could be other sizes, as long as all the records in a volume are the same size.

This was put to the test when 4kb sector hard drives started to become popular. Since you wouldn’t want a file record to be smaller than a sector, these 4kb sector drives were formatted to utilize a file record size of 4kb. That’s where the hotfix comes into the picture. In addition to being able to use 4kb file records on 4kb sector hard drives, an option was added to the FORMAT.EXE command to force it to create an instance of NTFS with 4kb file records, regardless of sector size.

So why should we care about the size of the file records? Look at the diagram again.


If the records are bigger, they can store more mapping pairs, and thus track more fragments. In theory, a file could have FOUR TIMES the number of fragments before running into the same issue.

The catch is that the size of file records is set at the time of formatting. So if you have a volume that is running into this issue, you will need to do the following.

  1. Copy off your files
  2. Reformat the drive using the switch (Format /L)
  3. Copy the files back

You can’t change the size of file records after the fact. It has to be set when formatting. But without an understanding of just what it is that we are changing.

This solves the problem in the short term. For the long term, other solutions were implemented to prevent fragmentation past a certain point. In the newer versions of Windows, NTFS will stop fragmenting compressed and sparse files before the attribute list reaches 100% of its maximum size.

This should put the issue to rest once and for all. However, until everyone gets to Windows 8.1 or Windows Server 2012 R2, we will still run into this issue from time to time.

For more information about 4kb sector drives, check out my article on Windows IT Pro.

http://windowsitpro.com/windows/promise-advanced-format-hard-drives

Robert Mitchell
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support

Troubleshooting Common Surface Pro 3 Issues Post Deployment


With the launch of Surface Pro 3, enterprises have been testing/deploying them. Almost all deploy a customized image to Surface Pro 3 and sometimes they hit a roadblock. Today, I will talk about some of the basic things to check that can help narrow down the issues.

Before we get to that, I would like to point out a couple of articles/blogs that everyone should refer to before deploying Surface Pro 3. One of my colleagues, Scott McArthur, has an excellent blog on deploying Surface Pro 3 using MDT. I would highly recommend reading through it.

Deploy Windows to Surface Pro 3 using Microsoft Deployment Toolkit
http://blogs.technet.com/b/askcore/archive/2014/07/15/deploy-windows-to-surface-pro-3-using-microsoft-deployment-toolkit.aspx

We also have an updated Deployment Guide available for download.

Deployment and Administration Guide for Surface Pro 3
https://www.microsoft.com/en-us/download/details.aspx?id=45292

Now, on to troubleshooting issues.  The first question we want to ask is:

Can the issue be reproduced on a Windows tablet, PC or Virtual Machine?

If the issue can be reproduced on any other Windows tablet, PC or VM, then most likely it is a software issue and we treat it as a regular Windows 8.1 case. As such, we would troubleshoot it as we would any other Windows issue.

However, if the issue presents itself only on the Surface Pro 3, we need to narrow it down to the factory image or the customized image that is being deployed. If the issue happens with the factory image, it would be a good idea to engage Microsoft.

When it happens only with the customized image, we need to narrow it down further to whether it is application, driver or OS related.

It starts with a supported operating system. Based on KB2858199, the chart below shows the supported operating systems. Please refer to the KB for any updates to this policy.

image

Make sure the device is up to date with the latest drivers and firmware. Driver and firmware updates are available via Windows Updates. They are also available for download from the following link.

Surface software, firmware, and drivers
https://www.microsoft.com/en-us/download/details.aspx?id=38826

In addition, the following link lists the fixes that are included with these updates.

Surface Pro 3 update history
http://www.microsoft.com/surface/en-us/support/install-update-activate/pro-3-update-history

Note:

Generic versions of drivers should be avoided and not included in Surface Pro 3 deployments. The reason is that Surface Pro 3 drivers are specifically written for the device, and other drivers are not optimized for the power management technology we use in the Surface. Using a generic driver can therefore cause all sorts of issues, such as crashes, reduced battery life, an unstable system and others.

Once we know the OS that is being deployed is correct and we have the latest drivers and firmware, we would want to ask some additional questions:

Can the issue be reproduced if we simply deploy the OS imported from an .iso and no other applications installed?

In other words, if we install Windows using a USB which has a Windows 8.1 Enterprise .iso and try to reproduce the issue, do we have it?

If not, we know it is one of the applications being deployed.  The next step is to install one application at a time to narrow down further.

For example, we have three applications that are installed as part of post install task sequence. Let us call them:

Application 1
Application 2
Application 3

We install Application 1 and test the behavior. If we do not see the issue, we proceed with Application 2 and so on. If the issue reproduces after we install Application 2, then it is certain that there is some compatibility issue with Application 2. At that point, contact the application vendor for an update or check if it is compatible with Windows 8.1.

A good practice would be to check and make sure that all the applications that are being included are compatible with Windows 8.1. Also, obtain updates for them if they are available.

The issue can be reproduced with only OS installed along with drivers.

In this scenario, if you are using MDT/ConfigMan, does the driver package contain only the drivers for Surface Pro 3, or does it have drivers for other hardware too?

As I have already mentioned above, Surface Pro 3 drivers are specifically written and optimized for the Surface Pro 3 device. We often see cases where a wrong driver is picked during deployment and then there are issues post deployment. To make sure it’s not driver related, create a new driver package (if using MDT/ConfigMan) with only Surface Pro 3 drivers and test the deployment. The blog I mentioned above gives you an idea of how the folder structure should be for drivers. If you used the blog above to set up your environment, then the chances of having issues with drivers are slim.

In case you do not have the structure mentioned above, this is what you can do as part of troubleshooting. It is similar to what has already been covered in the blog above.

Here, I am using MDT 2013 with ADK 8.1 Update installed on Windows Server 2012 R2 Update with WDS.

Create a folder for Surface Pro 3 drivers called “SP Drivers”. You can download the latest driver here.

Next is to create a Selection Profile for the drivers.

Create a new task sequence for deploying Windows 8.1 and modify it to point to the selection profile created above.

Deploy this task sequence and test the behavior.

Device unexpectedly reboots to UEFI screen or hangs at UEFI screen during startup when undocked.

One of the common causes is the incorrect storage driver in use. The correct driver as of writing this is STORAHCI.SYS.

It is also available to download in the Surface Pro 3 driver pack here and is located under folder "..\Surface Pro 3 - January 2015\Intel\SATA_AHCI\9.4.0.1023".

If you do have machines that do not have the correct controller driver, download the driver mentioned above and update.

Device unexpectedly reboots to UEFI screen or hangs at UEFI screen during startup when docked.

In this case, we undock the machine and see if the issue can be reproduced. If it can, then check the above point for a possible cause.

We also want to remove any external devices connected to the docking station and see if the issue exists.

Is the issue related to Power Management?

When you deploy a customized image, Surface Pro 3 is not configured to hibernate after four hours. This issue is documented in KB2998588 and there is a blog on how to incorporate the commands in MDT.

Surface enters connected standby after 1 minute when PC is locked.

The above scenario is true irrespective of whether the device is connected to AC power. Some organizations do not want the device to enter connected standby or a sleep state when Surface is docked. To work around this behavior, configure the device with the Powercfg.exe commands mentioned in KB2835052.

The below commands can be run as part of task sequence.

powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOIDLE <time in seconds>
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK <time in seconds>
powercfg.exe /setactive SCHEME_CURRENT
 

The VIDEOIDLE timeout is used when the PC is unlocked and the VIDEOCONLOCK timeout is used when the PC is at a locked screen.

Note:

These commands set the timeout used when the system is plugged in and using AC power. To set the timeouts used when on DC (battery) power, use the /setdcvalueindex switch instead of /setacvalueindex.

Then we can change the connected standby / sleep timeout value using Group Policy preferences.

That can be configured using Computer Configuration --> Preferences --> Power Options.

Use the Power Plan to control when the device goes to Connected Standby / Sleep using “Turn Off display after” setting:

image

I hope that this information helps you work through deploying Surface Pro 3.

Thank you,
Saurabh Koshta
Support Escalation Engineer

MBAM Configuration Manager reports data is repetitive

Let us consider the following scenario of Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 deployed with integrated topology. This means you have integrated MBAM with Configuration Manager. You have deployed the MBAM group policy and all the clients started to report in so we are ready to check out the compliance status of all these machines. You browse the Reports via Configuration Manager or browse via the SSRS Reports URL and you see the following chart with the legend that doesn’t really make sense.

You do see some percentage information but do not really know what is what from the figure. Why or how did this happen? If you have modified the MBAM related RDLs using Report Builder, you would end up with this issue. When you modify the report using Report Builder, it modifies the schema causing the report to display erratic information.

Now that I have explained what the issue is and why it happened, how do you fix the issue? There is no easy way to undo schema changes caused by Report Builder. Below are the steps we need to follow to change the MBAM reports. Using notepad or some other ASCII text editor is advisable.

Step 1:

You first need to delete the MBAM folder from CM Reports.

Step 2:

Under the following registry key, set the value of CMIntegration to 0:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Enabled

Step 3:

Now enable the CM Integration reports using PowerShell.

Enable-MbamCMIntegration -BitLockerProtectionBaselineLogicalName <String> -FixedDataDriveConfigurationItemLogicalName <String> -OperatingSystemDriveConfigurationItemLogicalName <String> -ReportsCollectionID <String> -ReportsOnly [-SsrsInstance <String> ] [-SsrsServer <String> ]

You can obtain the logical name strings by viewing the BitLocker Protection baseline XML definition under \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines\BitLocker Protection, right mouse click and choose View XML definition.

Step 4:

Once the Reports are enabled in Configuration Manager, verify if the MBAM reports are viewable and as expected.
If you need to modify any MBAM CM integrated reports, avoid using Report Builder and use Notepad instead. That way, no schema changes are performed and reports will stay intact.

Good Luck!

Naziya Shaik
Support Escalation Engineer
Microsoft Enterprise Platforms Support


Manually modifying IIS bindings to use SSL for MBAM services

Microsoft BitLocker Administration and Monitoring (MBAM) needs web services no matter what topology you are using. These MBAM web services can be installed with or without SSL certificates. To install the MBAM web features using SSL, you need a certificate that is ready to use and issued to the web server or to whatever hostname you are planning to use for MBAM. We can manually modify the binding of the MBAM web services to use SSL if one of the below applies:

  1. you have already installed the MBAM web features without SSL and would like to add it later
  2. you don’t see the certificate
  3. you did not have the certificate ready by the time you were installing MBAM web features

However, the suggested method is to remove MBAM web features and add the features back with SSL.

It can be a tedious process, so stay with me. To modify the IIS binding:

Step 1:

Import the certificate to your web server using these steps.  My assumptions are that the certificate is valid and is verified.

Step 2:

Browse each of the MBAM subfolders on your web server with the default location being C:\inetpub\Microsoft BitLocker Management Solution\

1. Administration Service - web.config

Modify the endpoint binding and bindingConfiguration to the following:

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

2. Compliance Status service - web.config

Modify the endpoint binding and bindingConfiguration to the following:

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="MaltaHttpsBinding"

3. Helpdesk website - web.config

Modify the endpoint address to use HTTPS, and also the binding and bindingConfiguration, to the following:

<endpoint address="https://<hostname>/MBAMAdministrationService/AdministrationService.svc"
behaviorConfiguration="AdministrationEndpointBehavior" binding="wsHttpBinding"
bindingConfiguration="Microsoft.Mbam.ApplicationSupportService.AdministrationService1"

4. Recovery and Hardware Service - web.config

Modify binding and bindingConfiguration to the following:

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

5. SelfService - web.config

Modify binding and bindingConfiguration to the following:

binding="wsHttpBinding" bindingConfiguration="Microsoft.Mbam.Server.UserSupportService.UserSupportService1"

6. User Support Service - web.config

Modify binding and bindingConfiguration to the following:

<endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

Once you have modified all the above web.config files, restart the MBAM web server from IIS Manager and verify you are able to browse all the URLs using HTTPS.
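
One way to check the edited files is the read-only PowerShell audit below, which lists every endpoint found in the web.config files with its binding, binding configuration and resolved security mode, and flags stray whitespace inside attribute values, absolute addresses that still use http://, and binding configurations that are not defined in the same file. It is an added example, not part of the original post or of MBAM; the helper name Get-EndpointFinding and the sample XML (service, contract and host names) are constructed for illustration.

```powershell
# Added example, not part of the original post: read-only audit of the
# <endpoint> elements in web.config after the manual SSL edit.
# Assumption: $MbamRoot is the default install location named in the post.
param(
    [string]$MbamRoot = 'C:\inetpub\Microsoft BitLocker Management Solution'
)

function Get-EndpointFinding {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][System.Xml.XmlDocument]$Config,
        [Parameter(Mandatory = $true)][string]$Source
    )

    # Map "bindingType|name" to the security mode of each binding configuration in the file.
    $defined = @{}
    foreach ($b in $Config.SelectNodes('//system.serviceModel/bindings/*/binding')) {
        $sec  = $b.SelectSingleNode('security')
        $mode = '(not set)'
        if ($null -ne $sec -and $sec.HasAttribute('mode')) { $mode = $sec.GetAttribute('mode') }
        $key = '{0}|{1}' -f $b.ParentNode.LocalName, $b.GetAttribute('name')
        $defined[$key] = $mode
    }

    foreach ($ep in $Config.SelectNodes('//system.serviceModel//endpoint')) {
        $address = $ep.GetAttribute('address')
        $binding = $ep.GetAttribute('binding')
        $name    = $ep.GetAttribute('bindingConfiguration')
        $issues  = @()

        # A value pasted with a space inside the quotes is a different name
        # from the one defined under <bindings>.
        foreach ($value in @($address, $binding, $name)) {
            if ($value -ne $value.Trim()) { $issues += "stray whitespace in '$value'" }
        }
        if ($address.Trim() -match '^http://') {
            $issues += 'absolute address still uses http://'
        }

        $mode = $null
        $key  = '{0}|{1}' -f $binding.Trim(), $name.Trim()
        if ($name.Trim()) {
            if ($defined.ContainsKey($key)) { $mode = $defined[$key] }
            else { $issues += "bindingConfiguration '$($name.Trim())' is not defined for $($binding.Trim())" }
        }
        # wsHttpBinding carries HTTPS only with one of these two security modes.
        if ($mode -and $binding.Trim() -eq 'wsHttpBinding' -and
            $mode -notin @('Transport', 'TransportWithMessageCredential')) {
            $issues += "security mode is $mode"
        }

        [pscustomobject]@{
            Source = $Source; Address = $address; Binding = $binding
            BindingConfiguration = $name; SecurityMode = $mode
            Issues = $issues -join '; '
        }
    }
}

# Constructed sample with placeholder service, contract and host names; used
# when the MBAM folder does not exist on the machine running the check.
$sampleXml = @'
<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="TransportSecurity"><security mode="Transport" /></binding>
  </wsHttpBinding></bindings>
  <services><service name="Sample.Service">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity" contract="Sample.IService" />
    <endpoint address="" binding=" wsHttpBinding" bindingConfiguration=" TransportSecurity" contract="Sample.IOther" />
  </service></services>
  <client>
    <endpoint address="http://mbam.example.test/Sample.svc" binding="wsHttpBinding" bindingConfiguration="Missing1" contract="Sample.IAdmin" />
  </client>
</system.serviceModel></configuration>
'@

$findings = @()
if (Test-Path -LiteralPath $MbamRoot) {
    foreach ($file in Get-ChildItem -LiteralPath $MbamRoot -Filter 'web.config' -Recurse -File) {
        $doc = New-Object System.Xml.XmlDocument
        try {
            $doc.Load($file.FullName)
            $findings += @(Get-EndpointFinding -Config $doc -Source $file.FullName)
        }
        catch {
            # A hand edit that leaves the XML malformed is reported instead of stopping the scan.
            $findings += [pscustomobject]@{ Source = $file.FullName; Issues = "cannot process: $($_.Exception.Message)" }
        }
    }
}
else {
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($sampleXml)
    $findings += @(Get-EndpointFinding -Config $doc -Source 'constructed sample')
}

$findings | Format-List Source, Address, Binding, BindingConfiguration, SecurityMode, Issues
'{0} entries reported, {1} flagged' -f $findings.Count, @($findings | Where-Object { $_.Issues }).Count
```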

Good Luck!

Naziya Shaik
Support Escalation Engineer
Microsoft Enterprise Platforms Support

Tips & Tricks with MBAM 2.5 - Part 1: Domain Controller and Group Policy Management

We have periodically received requests on some of the Tips and Tricks regarding Microsoft BitLocker Administration and Monitoring (MBAM).  So we will be posting a series of blogs and have them listed below.

Part 1: Domain Controller and Group Policy Management

This blog will be focused on Domain Controller and Group Policy Management.

Tip 1:

Before installing or adding MBAM web components, decide if you are going to use a custom name or a default hostname of your web server.

If you are going to use a custom name, create an A record in DNS and register the SPN for the custom name you have decided on.

setspn -s http/custom.contoso.com contoso\AppPoolName

setspn -s http/custom contoso\AppPoolName

Tip 2:

If you plan on using SSL, issue the certificate to the hostname you are planning to use.

For example, I like to use the custom host name such as MBAMRecovery.contoso.com and my web server name as server1.contoso.com.

Issue the certificate to MBAMRecovery.contoso.com.

Tip 3:

Setting SPN and Delegation

To set the SPN, use the below command:

setspn -s http/server1.contoso.com contoso\AppPoolName

If you have any preexisting SPN or duplicates, try deleting them and adding new ones.

setspn -d http/server.contoso.com contoso\AppPoolName

It is necessary to have set the SPN before proceeding with delegation. On the domain controller in the AD Users and Computers console, right mouse click on AppPoolName and on the Delegation Tab, select the below:

Click on Add and select Users or computers. For example, my app pool account name is IISAdmin

Once the user is selected, it should list the available services

Select it and say OK, then OK again on the properties window.

Tip 4:

If you are using the MBAM CM integration topology, do not specify 'MBAM Status reporting service endpoint' and set the 'configure MBAM Status reporting service' to Disabled

Tip 5:

For Groups & Accounts, the complete list is documented here. To simplify things, here is all we need.

Groups:

MBAM-RW (MBAM Read Write group)

MBAM-RO (MBAM ReadOnly group, can be used as Report users group as well)

MBAMAdvHelpdesk (MBAM Advanced helpdesk group)

MBAMHelpdesk (MBAM Helpdesk Group)

Accounts:

AppPoolName (Application pool account -member of MBAM-RW)

CompUser (Compliance and Audit Database domain user account -member of MBAM-RO)

Good Luck!

Naziya Shaik
Support Escalation Engineer
Microsoft Enterprise Platforms Support

KB 3046555: End-to-end guide for Deploying MBAM 2.5 in a stand-alone configuration

This guide provides step-by-step instructions for installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a stand-alone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that is running Microsoft SQL Server 2012. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 web server and will host "Administration and Monitoring Server" and "Self-Service Portal."

You can find the complete article here:

Deploying MBAM 2.5 in a stand-alone configuration
http://support.microsoft.com/en-us/kb/3046555

If you experience any problems when you install MBAM 2.5, refer to our troubleshooting guide.

e2e: Troubleshooting MBAM 2.5 installation problems
http://support.microsoft.com/en-us/kb/3049652

Kaushik Ainapure
Solution Asset PM
Windows Division

Microsoft Ignite sessions dealing with what we do in AskCore

Early in the month of May, Microsoft held its Ignite Conference (formerly known as TechEd) in Chicago, Illinois.  This conference was a huge success with over 23,000 attendees.  There are a lot of new things coming out with Windows 10 and Windows Server 2016 over the next year.  I wanted to provide you some of the sessions that deal specifically with what our Core Group supports (Failover Clustering, Storage, Hyper-V, and Deployment).  There were tons more sessions regarding all other aspects of Microsoft Azure, Applications (such as SQL, Exchange, Office 365), SCVMM, Security, etc, but I wanted to pull out these specific sessions since they deal with what we deal with.

Give it a look and see how the next version of Windows could be for you.  Each full session is approx 75 minutes in length.  I also pulled out a few "Ignite Studios" productions that are in the 20 minute or so range.

To see the full list of all sessions from Microsoft Ignite, please visit our Channel 9 site.

 

Failover Clustering / Storage
==============================

Stretching Failover Clusters and Using Storage Replica in Windows Server vNext
https://channel9.msdn.com/Events/Ignite/2015/BRK3487
In this session we discuss the deployment considerations of taking a Windows Server Failover Cluster and stretching across sites to achieve disaster recovery. This session discusses the networking, storage, and quorum model considerations. This session also discusses new enhancements coming in vNext to enable multi-site clusters.

Deploying Private Cloud Storage with Dell Servers and Windows Server vNext
http://channel9.msdn.com/Events/Ignite/2015/BRK3496
The storage industry is going through strategic tectonic shifts. In this session, we’ll walk through Dell’s participation in the Microsoft Software Defined Storage journey and how cloud scale scenarios are shaping solutions. We will provide technical guidance for building Storage Spaces in Windows Server vNext clusters on the Dell PowerEdge R730xd platform.

Exploring Storage Replica in Windows Server vNext
http://channel9.msdn.com/Events/Ignite/2015/BRK3489
Delivering business continuity involves more than just high availability, it means disaster preparedness. In this session, we discuss the new Storage Replica feature, including scenarios, architecture, requirements, and demos. Along with our new stretch cluster option, it also covers use of Storage Replica in cluster-to-cluster and non-clustered scenarios.

Upgrading Your Private Cloud to Windows Server 2012 R2 and Beyond!
http://channel9.msdn.com/Events/Ignite/2015/BRK3484
We are moving fast, and want to help you to keep on top of the latest technology! This session covers the features and capabilities that will enable you to upgrade to Windows Server 2012 R2 and to Windows Server vNext with the least disruption. Understand cluster role migration, cross version live migration, rolling upgrades, and more.

Overview of the Microsoft Cloud Platform System
http://channel9.msdn.com/Events/Ignite/2015/BRK2472
With the Microsoft Cloud Platform System, we are sharing our cloud design learnings from Azure datacenters, so customers can deploy and operate a cloud solution with Windows Server, Microsoft System Center and the Windows Azure Pack. This solution provides Infrastructure-as-a-Service and Platform-as-a-Service solutions for enterprises and service providers.

Architectural Deep Dive into the Microsoft Cloud Platform System
http://channel9.msdn.com/Events/Ignite/2015/BRK3459
The Microsoft Cloud Platform System has an automated framework that keeps the entire stamp current from software to firmware to drivers across all Windows Server, Microsoft System Center, Windows Azure Pack, SQL Server and OEM/IHV and prevent disruptions to tenant and management workloads. This session covers the complete architecture for CPS and deployment in your datacenter.

Platform Vision & Strategy (4 of 7): Storage Overview
http://channel9.msdn.com/Events/Ignite/2015/BRK2485
This is the fourth in a series of 7 datacenter platform overview sessions.

StorSimple: Extending Your Datacenter into Microsoft Azure with Hybrid Cloud Storage
http://channel9.msdn.com/Events/Ignite/2015/BRK2494
StorSimple provides a hybrid cloud storage solution with a hybrid storage array in the on-premises datacenter that seamlessly extends storage capabilities to the cloud. This session details the implementation and functionality of the solution and discusses how the solution solves the issue of growing IT costs related to storage growth and management.

Hyper-V Storage Performance with Storage Quality of Service
http://channel9.msdn.com/Events/Ignite/2015/BRK3504
Windows Server vNext allows you to centrally monitor and manage performance for Hyper-V workloads using Scale-Out File Servers. Learn how to monitor storage performance from a customer, Hyper-V, and storage admin’s viewpoint, then author effective policies to deliver the performance your customers need.

Spaces-Based, Software-Defined Storage: Design and Configuration Best Practices
http://channel9.msdn.com/Events/Ignite/2015/BRK3463
Going well beyond a feature walkthrough, this session delves into the nuances and complexities of the spaces-based SDS design. Starting with the hardware selection and continuing up the stack, this session empowers you to successfully design, deploy, and configure a storage solution based completely on Windows Server 2012 R2 and proven best practices. Examples galore!

Virtualization
===============

Platform Vision & Strategy (2 of 7): Server Virtualization Overview
http://channel9.msdn.com/Events/Ignite/2015/BRK2466
Windows Server and Microsoft Azure are ushering in the next generation of computing for modern apps and cloud infrastructure. What are Containers? Nano Server? New in Hyper-V? Azure IaaS? Or how does this fit into Microsoft’s cloud strategy? Get the answers and more! Come learn about new capabilities in Windows Server, Hyper-V and Azure VMs.

The Hidden Treasures of Windows Server 2012 R2 Hyper-V?
http://channel9.msdn.com/Events/Ignite/2015/BRK3506
It's one thing to hear about and see a great demo of a Hyper-V feature. But how do you put them into practice? This session takes you through some of those lesser-known elements of Hyper-V that have made for great demonstrations, introduces you to some of the lesser-known features, and shows you best practices, how to increase serviceability and uptime, and design/usage tips for making the most of your investment in Hyper-V.

Microsoft's New Windows Server Containers
http://channel9.msdn.com/Events/Ignite/2015/BRK2493
In this session, we cover what containers are, what makes them such an exciting technology, how they will work in Windows Server, and how Docker will integrate with them.

An Insider’s Guide to Desktop Virtualization
http://channel9.msdn.com/Events/Ignite/2015/BRK3853
Ready to drink from a fire hose? In this highly energized session, learn about insights, best practices, and hear unfiltered thoughts about Desktop Virtualization, VDI, vendors, and solutions. Discussion topics include: VDwhy, VDCry, VDI Smackdown, building and designing a Microsoft VDI solution, and 3D graphics. Experience the Microsoft and Citrix Virtual Desktop solution with a huge amount of videos and demos. With unique content and insights, this session is fun and packed with great content for everyone interested in Desktop Virtualization—and some nice giveaways. A session you don’t want to miss!

Shielded Virtual Machines
=========================

Harden the Fabric: Protecting Tenant Secrets in Hyper-V
https://channel9.msdn.com/Events/Ignite/2015/BRK3457
In today’s environments, hosters need to provide security assurance to their tenants. "Harden the fabric" is a Windows Server and Microsoft System Center vNext scenario, which includes enhancements in Hyper-V, Virtual Machine Manager, and a new Guardian Server role that enables shielded VMs. Technologies which ensure that host resources do not have access to the Virtual Machine or data.

Platform Vision & Strategy (5 of 7): Security and Assurance Overview
https://channel9.msdn.com/Events/Ignite/2015/BRK2482
Come learn how Microsoft is addressing persistent threats, insider breach, organized cyber crime and securing the Microsoft Cloud Platform (on-premises and connected services with Azure). This includes scenarios for securing workloads, large enterprise tenants and service providers.

Shielded VMs and Guarded Fabric Validation Guide for Windows Server 2016
https://gallery.technet.microsoft.com/Shielded-VMs-and-Guarded-44176db3
This document provides you an installation and validation guide for Windows Server 2016 Technical Preview (build #10074) and System Center Virtual Machine Manager vNext for Guarded Fabric Hosts and Shielded VMs. This solution is designed to protect tenant virtual machines from compromised fabric administrators.

Windows 10
===========

Top Features of Windows 10
http://channel9.msdn.com/Events/Ignite/2015/BRK2339
In this demo-heavy session, see why you need to start thinking: Windows 10. The answer to every question will be Windows 10, but what are the questions? How do you deliver a more secure standard operating environment? How do you make mobility familiar for all your users? What changes the deployment conversation? What changes the app conversation? How do you “mobilize” Win32 applications? What changes the way you manage device lifecycles? What changes how you buy your devices? There will be prizes, there will be fun and you’ll be ready, set for the rest of your Windows 10 experience at Microsoft Ignite.

The New User Experience with Windows 10
http://channel9.msdn.com/Events/Ignite/2015/THR0310
Are you ready for Windows 10? Well, it was designed and developed based on feedback from millions of people around the world, so we think you probably are! Join us as we show you how Windows 10 combines the familiar things you love with a modern touch. Get a deeper look at the user experience and discover new features. Find out how Windows 10 makes you more productive, celebrates a new generation of apps, and unlocks the power of hardware.

Upgrading to Windows 10: In Depth
http://channel9.msdn.com/Events/Ignite/2015/BRK3307
With Windows 10, we are encouraging everyone, including organizations, to upgrade from their existing OS (Windows 7, Windows 8, or Windows 8.1). This upgrade process is easy and reliable, but how exactly does it work? In this session, we dig deep and explore how the process works to ensure that everything (apps, settings, data, drivers) is preserved.

Windows 10: Ask the Experts
http://channel9.msdn.com/Events/Ignite/2015/BRK2320
We’ve talked a lot about Windows 10 already. In this session, we hold an open Q&A, hosted by the always-entertaining Mark Minasi, where you can ask anything about Windows 10. No questions are off limits. So if you’ve still got questions and are looking for answers, bring them to this session.

Provisioning Windows 10 Devices with New Tools
http://channel9.msdn.com/Events/Ignite/2015/BRK3339
A new feature in Windows 10, runtime provisioning will help to reduce the cost of deploying Windows PCs and devices such as tablets and phones. This new feature will enable IT professionals and system integrators to easily configure a general-purpose device during first boot or runtime without re-imaging for the organization's use. In this session, we look at the new tools that enable these scenarios, and exploring the capabilities and deployment options for them.

Overview of Windows 10 for Enterprises
http://channel9.msdn.com/Events/Ignite/2015/THR0342
Windows 10 brings a wealth of new features and solutions to the enterprise. In this session, we explain the various security, management, and deployment features of Windows 10 along with showing you some of the new end-user features that will not only make your customers more productive but also delight them.

Overview of Windows 10 for Enterprises
http://channel9.msdn.com/Events/Ignite/2015/FND2901
Windows 10 brings a wealth of new features and solutions to the enterprise. In this session, we explain the various security, management, and deployment features of Windows 10 along with showing you some of the new end-user features that will not only make your customers more productive but also delight them.

Overview of Windows 10 for Education
http://channel9.msdn.com/Events/Ignite/2015/BRK2305
While Windows has always provided great learning outcomes for students and a comprehensive platform for teachers and administrators, there are several reasons why education customers in general should take notice of Windows 10. From the minimal learning curve user experience for mouse and keyboard users, to the familiar usability scaled across Windows 10 devices, teachers and students will be productive and comfortable from the start. In this session we explain how we are simplifying management and deployment, including in-place upgrades from Windows 7 or 8.1 and provisioning off-the-shelf devices without wiping and replacing images. Learn about benefits of the new, unified app store, allowing flexible distribution of apps.

What's New in Windows 10 Management and the Windows Store
http://channel9.msdn.com/Events/Ignite/2015/BRK3330
Windows 10 continues to add new and improved management technologies, to ensure that Windows continues to be the best—and most flexible—operating system to manage. In this session, we talk about all the changes that are coming, including enhancements to built-in mobile device management protocols, new Windows Store and volume purchase program capabilities, sign-on capabilities with organizational IDs (Microsoft Azure Active Directory), sideloading and other app deployment enhancements, and new capabilities being added to other existing management technologies, such as PowerShell, WMI, etc.

Windows Server 2016
===================

Nano Server
http://channel9.msdn.com/Events/Ignite/2015/THR0480
Come hear about important transformations in Windows Server – the new installation option called Nano Server. Nano Server is a deep rethink of the server architecture. The result is a new, lean cloud fabric host and application development platform, resulting in 20x smaller than Server Core and a reduction in security attack service surface and reboots!

Deployment
============

How Microsoft IT Deploys Windows 10
http://channel9.msdn.com/Events/Ignite/2015/BRK3303
Learn how Microsoft IT adopted and deployed Windows 10 internally using Enterprise Upgrade as the primary deployment method. This approach reduced the deployment overhead by using System Center Configuration Manager Operating System Deployment (OSD) and upgrade which resulted in significant reductions in helpdesk calls. In addition we share how we are leveraging some of the new Enterprise scenarios to delight users while securing the enterprise. You can realize similar benefits in your enterprise by adopting these best practices as you migrate from Windows 7 and 8.x to 10.

Expert-Level Windows 10 Deployment
http://channel9.msdn.com/Events/Ignite/2015/BRK4301
Join us for a live demo on how to build a Windows deployment solution, based on Microsoft System Center Configuration Manager. In the session we are taking OS Deployment in Microsoft Deployment Toolkit and System Center Configuration Manager to its outer limits. Deployment tips, tricks, and hard core debugging in a single session. You can expect a lot of live demos in this session.

Windows 10 Deployment: Ask the Experts
http://channel9.msdn.com/Events/Ignite/2015/BRK3333
Still have questions about Windows deployment, even after all the other sessions this week? For this session, we gather as many experts as we can find for a roundtable Q&A session, with plenty of “official” and “real-world” answers for everyone, troubleshooting and implementation advice, and probably a fair number of opinions and “it depends” answers as well.

Preparing Your Infrastructure for Windows 10
http://channel9.msdn.com/Events/Ignite/2015/BRK3325
So you want to deploy Windows 10 in your organization? While many organizations will be able to do this with little impact, there are some scenarios and features that can impact existing server, management, and network infrastructures. In this session, we take a look at those impacts so you know what to expect.

Deploying Windows 10: Back to Basics
http://channel9.msdn.com/Events/Ignite/2015/BRK2316
Are you new to Windows deployment, or maybe just rusty? In this session, we review the tools that are available, explain all the acronyms, and explore best practices for deploying Windows 10. During the process, we show all the key tools that we recommend for building and customizing Windows 10 images, deploying Windows 10 images, provisioning new computers, and migrating from older operating systems like Windows 7.

What's New in Windows 10 Deployment
http://channel9.msdn.com/Events/Ignite/2015/THR0322
With the upcoming release of Windows 10, there will be new and updated ways to deploy Windows. In this session, we review new recommendations for upgrading existing devices using a simple in-place upgrade process, provisioning tools for transforming new devices into ones ready for enterprise use, as well as updates to traditional deployment tools and techniques (ADK and beyond). We also talk about application compatibility, hardware requirements, and other common deployment questions.

What's New in Windows 10 Deployment
http://channel9.msdn.com/Events/Ignite/2015/BRK3321
With the upcoming release of Windows 10, there will be new and updated ways to deploy Windows. In this session, we review new recommendations for upgrading existing devices using a simple in-place upgrade process, provisioning tools for transforming new devices into ones ready for enterprise use, as well as updates to traditional deployment tools and techniques (ADK and beyond). We also talk about application compatibility, hardware requirements, and other common deployment questions.

Deploying Microsoft Surface Pro 3 in the Enterprise
http://channel9.msdn.com/Events/Ignite/2015/BRK3327
You have chosen Surface Pro 3 for your organization. Now, get the tips and tricks directly from engineers who built it. This session offers useful information on how you can deploy, manage, and support these devices throughout your org like a jedi master.

Troubleshooting Windows 10 Deployment: Top 10 Tips and Tricks
http://channel9.msdn.com/Events/Ignite/2015/BRK3318
Need help with troubleshooting Windows deployment issues? Johan and Mikael share lessons learned around handling device drivers in the deployment process, common deployment issues and their workarounds, parsing log files, WinPE and PXE troubleshooting, and UEFI deployments. As a foundation, Microsoft Deployment Toolkit and Microsoft System Center Configuration Manager will be used. You can expect a lot of live demos, tips, and tricks in this session.

Preparing for Windows 10 Deployment: Assessment, Compatibility, and Planning
http://channel9.msdn.com/Events/Ignite/2015/BRK3334
Before you can deploy Windows 10, you need to make sure your organization is ready. That requires information gathering, compatibility analysis, project management, and piloting – an iterative process. In this session, we talk about tools to help with common concerns around app and hardware compatibility, web compatibility, readiness for upgrades, and more.

Enjoy,
John Marlin
Senior Support Escalation Engineer
Microsoft Enterprise Cloud Group

Invitation to provide feedback through UserVoice

I am not sure if everyone is aware of UserVoice but I am here to tell you about it.  UserVoice is where you can provide feedback to the Microsoft Product Groups who are now monitoring these forums.  Do you have an idea or suggestion on how to make Windows Server 2016 better or a feature you would like to see added?  Well, speak up and let us know what you are thinking.

There are multiple forums to provide this feedback.  Below is the listing of the various features.  But first, how to start User Voice and how the Windows Server Product Team will respond.

How to start User Voice?

  1. Create a user account. (Enter contact in case we need to ask more questions.)
  2. Add your voice! (I wish… )
       Or
  3. Cast a vote to the idea you like. You get 10 votes total!

What ideas will be most considered by the Windows Server Product Team? 

  • Ideas with high votes will be considered heavily.
  • Clear and actionable ideas will be reviewed quickly.  

Caution: Do not create a single idea with multiple ideas contained in it. We need to understand the priorities. Please make sure they are separate ideas so we can see clear votes on each distinct idea. In this case, we will likely close the idea.

Once the Windows Server Product Team has reviewed the idea, the idea status will change.

Note: "Under Review" status means that the Windows Server Product Team is reviewing. It does not guarantee any deliverable.

We will provide notification on all declined ideas.

Each vote gets released when the idea is closed (either declined or completed).

Now, as far as the various forums, here you go and let us know what you would like to see:

Clustering  
Diagnostics 
General Feedback 
Nano Server 
Networking 
Remote Management Tools 
Security and Assurance 
Storage 
Virtualization 

Also, if you are looking to provide feedback on Automation (PowerShell and Scripting), please provide your suggestions using our PowerShell Connect Site.

Remember, these sites are for feature suggestions and ideas only.

To see our work in progress, please go ahead and install the Windows Server Technical Preview. More information on what’s new in the Technical Preview can be found here. You can join the conversation about the Technical Preview and swap advice with others at Technical Preview Forums.

Enjoy,
John Marlin
Senior Support Escalation Engineer
Microsoft Enterprise Cloud Group
