Category Archives: Uncategorized

Have you noticed that new PCs and tablets seem to boot really, really quickly? Compared to your typical work desktop, these devices are up, running, and ready to logon in seconds! No longer is there time to go get a coffee and come back  to see the Username/Password prompt flash into existence. How does it boot so quickly? That’s due to the Unified Extensible Firmware Interface (UEFI). Once UEFI is enabled, it allows us to get around the limitations of the Basic Input Output System (BIOS) that has been around in one form or another since 1975. Those limitations included 16 bit processor mode, and being limited to 1 MB of addressable space. UEFI also uses a newer partitioning scheme, GUID Partition Table (GPT). GPT was designed to extend pass older limits. In this case, Master Boot Record (MBR) is limited to a maximum disk size of 2TB.

How does all this fit together? Well, to install a modern operating system (OS), a UEFI bootable device needs to be created. If you’re booting from a Windows 8.1 DVD, and UEFI is enabled in the BIOS of your pc, the required partitions are automatically created. If, however, you’re using the Windows 8.1 iso downloaded from Microsoft, then you need to build a bootable device yourself. This means using FAT32, I repeat, you need to use FAT32, *not* NTFS! The following screen shots and explanations will give you all the detail needed. Read through all the steps first, backup your old OS, then start playing.

First, choose an appropiately sized USB Flash Drive, in my example I’m using an old 32 GB Patriot Flash Drive. Insert it, then run diskpart from an administrative command prompt:

Note the Disk number for your USB disk, in this case Disk 1. Then type the following command: select disk 1

diskpart’s focus is now on Disk 1, let’s remove everything from that disk using: clean

next we’ll use GPT instead of MBR: convert gpt

let’s make a primary partition and then format it, note you’re using FAT32:

looks like it worked, now to check by using: list volume

looking good! We now have a FAT32 partition on a GPT disk. Exit diskpart, taking *careful* note of the drive letter. In the screenshot above, the * symbol is showing next to Volume 3, with a drive letter of “F”. The next step is to copy bootsect.exe from the desired operating system media. To do this, double click on the iso (or browse a DVD) and find bootsect.exe, under /boot:

copy bootsec.exe then type the following: bootsect /nt60 f: (or whatever drive letter you *carefully* noted above!)

next, copy the entire contents of the iso or DVD onto your newly formatted, bootable flash drive:

Once the copy process is completed, you should have a brand new USB FAT32 GPT bootable device. Follow the instructions to enable UEFI boot in your BIOS, reboot using the above mentioned USB and install a really, really fast booting version of your operating system. Even faster if you use an SSD. Good luck, and don’t forget to back up first!

Wayne McGlinn
CCSE+, MSCE, MCT, MVP
Brisbane

Great if you are playing a game of cards, particularly a high stakes poker game, not so great if you are trying to secure your corporate resources. “Man up, and defend yourselves!” said Ex NSA Director Michael Hayden. Difficult, when all our Administrators have a handful of ACEs!

Quick revision time: An Access Control Entry (ACE) is found in an Access Control List (ACL). Typically IT Pros refer to ACEs and ACLs, pluralising the acronyms rather than the words. The ACEs in an ACL determine what access rights a trustee has to a securable object. There are two types of ACLs: Discretionary Access Control List (DACLs) that contain Access-denied ACE and Access-allowed ACE, and System Access Control List (SACLs) that contain System-audit ACE. So DACLs grant or stop resource use, SACLs track who or what succeeded or failed that usage.

So how do we regulate what ACEs our Administrators hold? After all, they’re Admins; and by definition we totally trust our Admins, we have to! “Pardon Mr Snowden, you’re leaving?? But …” We do not, we can not trust our Administrators to hold all the top cards any longer. It’s not a personal issue, a lot of administration is automated; click a button on a web page and you can provision an entire Active Directory (AD) environment in Azure in a matter of minutes, literally. Organisations, corporations, governments, the local optometrist, all need a method of abstracting the necessary permissions – the ACEs – from the physical persona of the Administrator. For both the sake of the Admin, and his area of responsibility, let’s find a method of taking all the picture cards (including ACEs) away from Admins and only giving them Just Enough Administration rights to carry out their assigned tasks.

Without any more fanfare, let’s introduce JEA. Just Enough Administration (JEA) is a recent release of a Windows PowerShell Desired State Configuration (DSC) resource and configuration script that constrains administrative rights and permissions on both local and remote servers. In essence, any commands an Admin wishes to run on a server will run in a local administrative context, restricted to a subset of commands, and only for that session. Brilliant! I can now, through the use of the JEA Toolkit, chose what modules, what cmdlets, and even what parameters can be used for each Administrator, for each session, for each server! And, most importantly, through the SACLs, audit success and failures for every resource. As you can see, in the screenshots below, I can choose the modules, the security group, and then read the script to ensure I get the correct configuration.

This is just scratching the surface of what is available in JEA. For how to configure, manage, and create the JEA Endpoints used in constrained delegation, follow the links to download, read, and implement what will become the standard for administering your servers in the future.

http://blogs.technet.com/introducing-the-jea-toolkit-helper

Working smarter, not harder, is a goal all Administrators should work toward. Administrators are being asked to do more, with less, and in increasingly shorter time frames. Trying to keep up with new releases of operating systems (OS), patches, cumulative updates soon spirals into a chasing your tail kind of work environment. System Center Configuration Manager (SCCM) is a major tool in an organisation’s arsenal; producing reports, keeping the company OS updated .. lots of work to be done! So, let’s work smarter. Download the System Center 2012 Configuration Manager Servicing Extension from *HERE* The download is an msi file, simply install it and then restart your SCCM Admin Console.

A new Site Servicing entry now appears in the Administration Pane. This shows the version of your SCCM Site, what releases are available and links to get those updates! And things get better from there:

Here is a list of Cumulative Updates, version numbers, and release dates.

Here’s your Site Version and current updates.

There is an interface to “Create Query” to produce Reports of what Client Version your site has.

Click on “Create Query” and follow the bouncing ball!

And, as a huge bonus, a list of all the latest Blog Posts from the System Center Configuration Manager Team!

Working smarter, not harder. Helping Administrators get the right work/life balance. Not a bad conclusion, if I do say so myself 🙂

Happy New Year all!

My first post for the year is to explain what a Microsoft MVP (Most Valuable Professional) is, and why we are worth cornering. The origins of the MVP program date back to the early stages of Microsoft’s support and monitoring of the Usenet and CompuServe Developer Forums. One of the independent developers on the FoxPro Forum (Calvin Hsia) kept a list of the number of postings by person, including information on messages both sent and received. Making the Top Ten on Calvin’s List was a worthy achievement, whether a blessing or a curse was cause for discussion in itself! As the story goes, Microsoft saw the list and used it as a way to identify significant involvement with assisting the greater User Community. And so was born the MVP Program.

“Today, exemplary community leaders around the world were notified that they have received the MVP Award! These individuals were chosen because they have demonstrated their deep commitment to helping others make the most of their technology, voluntarily sharing their passion and real-world knowledge of Microsoft products with the community.” MVP Blog Website.

“Dear Wayne McGlinn, Congratulations! We are pleased to present you with the 2016 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Windows Expert-IT Pro technical communities during the past year. (ed. bolding added to original text) The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say “Thank you for your technical leadership. At Microsoft, we believe that technical communities enhance people’s lives and the industry’s success because independent experts, like you, help others extract greater value from products and technologies through the free and objective exchange of knowledge. As a Microsoft MVP, you are part of a highly select group of experts that represent technology’s best and brightest who share a deep commitment to community and a willingness to help others. ” extract from the official email notification. Mike Hickman, Director Community Engagement, Microsoft.

The MVP Award is earned each year, we cannot rest on our laurels and are continually assessed. So, in a nutshell, if you see anyone wearing an MVP badge at any technical conference, corner them! If you know of classes being taught by an MCT who is also and MVP, sign up! Why? Because we have proven the depth of our knowledge, because we are there to help anyone and everyone, in any way we can. I do not know all the answers, but I guarantee I can get hold of someone who *can* give an answer.

Hang on, let me explain that in a just bit more detail, and maybe stop Mal from having a minor myocardial infarction! Last week, in Chicago, Microsoft held their premier technical conference Ignite. Ignite is a blend of TechEd, MMS and other technical events in a week long geek-fest! From the opening Keynote through to the last session on Friday afternoon Microsoft showcased where they were, and more importantly, where they are going. Mobile first, Cloud first, all week long. Tech Sessions, Breakouts, HOLs and ILLs (Hands On Labs and Instructor Led Labs – courtesy of Learn on Demand Systems), and of course the Expo Hall; a mass of innovative displays and demonstrations from a multitude of IT companies.

My role last week was to be an MCT Ambassador and to present a series of ILLs focused on the upcoming release of Windows 10, in particular how Microsoft’s customers will deploy and/or upgrade their current fleets. Just prior to Ignite, Microsoft also released their latest preview versions of Windows 10, along with the Windows 10 ADK (Assesment and Deployment Kit). Hidden inside the ADK is a little gem of an application called Windows Imaging and Configuration Designer (WinICD).

That brings me back to the (fictitious) $1500 my boss gave me. CYOD (Choose Your Own Device) is gathering momentum; allowing your staff to choose their own device, be it a laptop, tablet, phone or even a desktop to be used in the corporate environment. Fantastic idea, choose any device and any operating system, as long as it’s Windows. The issue, though, is that when you toddle off to Harvey Norman and buy your device, it will typically come with either the “Home” or “Professional” version of Windows 10 (looking forward to after July that is). That means the IT Department has to take your device and then put the Corporate image on there; usually taking at least a day to get everything working smoothly. A fair bit of time and effort.

This is where the WinICD comes into play. Using the Designer, your Corporate IT professional creates a provisioning package, turning your “Home” or “Professional” version of Windows into “Enterprise” and setting your new device up to work in the Corporate environment. Awesome! As you’ll see from the screen shots below, it’s a relatively simple wizard that steps you through the creation of the package. Take the package, put it onto a flash drive, or email it, then run the package to provision your shiny new device into the Corporate SOE/MOE.

After downloading the Windows 10 ADK, go to the Installers folder and find the “Imaging And Configuration Designer-x86_en-us.msi” and double click. Once the install finishes, start the WinICD and Create a New Provisioning Package, filling in the details and path.

Next, select your version; notice the option to also provision a Windows Phone! Love it!

Specify the path.

This is where all the magic happens. There is a huge list of settings here; from Applications, Drivers, Certificates and most importantly, Upgrading Edition Product Key. This is where that “Home” version turns into “Enterprise” by inserting the Product Key for the new SKU!

Name your package, add in version number, rank and Package Owner.

Next, setup security for the package, selecting a certificate at this point means no UAC prompt when running the package – as long as the certificate is trusted.

Specify the path.

Build the package.

Success!

Either using a flash drive, or some other means (floppy disk? <g>) double click the package and accept the UAC.

Watch and wait through the various restarts and adding features.

Finally, completed. You now have a device that has been reconfigured, provisioned and ready for your work environment. Now go ask your own boss for the money to purchase a CYOD, confident that it can easily be integrated into your corporate environment.

Wayne McGlinn
CCSE+, MSCE, MCT, MVP
Brisbane