A colleague of mine brought the following article to my attention:
UK's largest NHS Trust ditches laptops in favor of Windows To Go
It seems that London's Imperial College Healthcare NHS Trust has hit the bull's eye here.
“Windows To Go”
I am sure most of you have heard and read about this new feature available with Windows 8. For those who have not, “Windows To Go” is a fully fledged Windows 8 OS running from a USB stick or external USB drive. One might argue that there are other ways to put an OS on a USB stick; true, but this is more than that. First of all, the right to use Windows To Go comes with the Windows 8 Enterprise licensing (Software Assurance) you already pay for, so the WTG itself costs nothing extra. Deployment is straightforward and enterprise ready; Microsoft calls the result a “Workspace”. I believe that within a year or so this will be a widely used way to provide desktops to employees and to support BYOD in the enterprise.
The scenarios that come to my mind:
I have worked at several clients where I am not allowed to connect my own laptop to the client's network, and even when you do get an exception, your machine is still limited in which resources it can reach to get the job done. One of my clients gave me a VDI desktop: with a VMware plugin installed I can access a virtual Windows 7 machine hosted on the client's VDI infrastructure. I must tell you, unless the company has spent enough money on properly sizing its VDI environment, the experience is poor. It is extremely slow and far from smooth, and on Fridays it is even inaccessible because everybody works from home on Fridays here in the Netherlands (and even when I do manage to connect it is unusable. I am not joking, it is true).
Another client gave me a laptop with their own image deployed and joined to their domain, i.e. a managed machine. Of course this works much better, but it means carrying two laptops at all times, because most of my stuff is on my Avanade machine. Sometimes, if you get lucky and beg long enough, the client provides a small lightweight notebook, which helps limit the weight you carry every day. Still, schlepping around two laptops is not an ideal situation.
Now imagine that these two clients, instead of investing in a laptop and/or allocating a VDI desktop for me, simply gave me a Windows To Go stick. A certified 64 GB USB stick costs about 150 USD/EUR. The OS license is covered as mentioned above, I keep my own hardware and do not have to carry anything extra. Such a WTG is joined to the customer's Active Directory domain and is a managed workstation from every perspective! Couple it with DirectAccess, as Avanade did for example, and you have a perfect solution. And even if you are juggling two or more projects at a time, all you need to do is label the USB keys correctly :)
Another scenario: users who only get a workstation at work and occasionally have to work from home do not really qualify for a notebook. Instead of buying them a laptop, give them a WTG! Nearly everybody has a computer at home these days, and many households have more than one, at least one of them less than 3-4 years old. Why invest in hardware if the user already has it at home?
Take my work room for example: I have a nice big screen attached to a desktop that is neatly built into my desk with all the cables tucked away, and there is no proper spot where I can put my work laptop down, which means I have to work at the kitchen or dining room table. That means my family is around me and I am in their way all the time (well, actually they are in my way, but hey, a husband at home has no rights in the kitchen). The kids are constantly asking something, and every time I have to make a phone call I have to hide in another room so they do not disturb it. With the WTG, I just plug it into the desktop in my work room and start my Avanade workstation, which has all my stuff on it and connects to the Avanade network with DirectAccess.
It can be even simpler than that: imagine an office with flexible workplaces. Put a desktop with no OS deployed at each workplace, really with an empty hard drive (or no hard drive at all). Deploy WTG sticks and hand them to the users. They can plug one into any of the workstations and always have their own desktop, regardless of which workstation they use. In other words, all you then need is hardware for hardware's sake; no OS is required on the machines.
Sounds nice, no? Well, there are caveats to WTG from a security perspective. You are probably wondering about the “UEFI Only” part of the title by now. Let me explain:
A couple of months ago I went out and bought a 32 GB USB 3 stick intending to install Windows To Go on it. I was extremely disappointed when the wizard told me the stick was not compatible. Some TechNet articles explained why: Windows To Go is only supported on certified sticks (I'll post links to supported sticks later in the article). The main requirement is that the stick presents itself to Windows as a fixed drive. I managed to install Windows 8 on the stick using a VHD, following one of the articles on the web, but that was not it: it was difficult to install and performed badly. Then I found a piece of software manufacturers use to modify the sticks in the factory, and after “hacking” my stick I was able to flip the so-called “removable bit”. Now my stick presented itself as a fixed drive and I could use the built-in wizard in Windows 8 (only the Enterprise edition has this wizard in the Control Panel). Eureka, I thought, and 45 minutes later I booted from my USB drive and logged into a freshly installed Windows 8. Performance was not amazing, but workable. I then joined the machine to the Avanade domain and, since I am in the DirectAccess phase 2 pilot (our internal DA pilot), sent an email to our DA man, Justin Martin, asking him to put my new WTG machine into the correct OU. I also put our ITS Windows 8 Deployment lead, Simon Windell, on CC. To my surprise Simon replied that the machine I had just joined must immediately be removed from the Active Directory domain, since WTG is not allowed in the Avanade environment for security reasons. I contacted Simon, who explained that Windows To Go does not use the TPM chip for encrypting the drive, and since Avanade requires TPM-based encryption the machine is not compliant and therefore not allowed on the Avanade domain.
You can imagine both my surprise and disappointment: if we do not allow WTG ourselves, how am I going to advise clients to use it? I will not go too deep into the reasons, but the bottom line is this. A WTG stick travels between hosts, so BitLocker cannot seal its key to any one machine's TPM; the OS volume is protected by a password protector instead, and the encrypted key material lives on the stick itself, guarded only by that password. And because the standard out-of-the-box Windows To Go installation supports both Legacy BIOS and UEFI boot, when the stick is booted via Legacy BIOS there is no Secure Boot, so nothing verifies the unencrypted boot partition before the firmware runs it, and the system can be compromised that way.
OK, so there must be a way to build a WTG that only supports UEFI, right? And yes, there is! Microsoft designed Windows To Go to work on as much hardware as possible: all you need is a machine that can boot from USB. That is why an out-of-the-box Windows To Go stick supports both the Legacy BIOS and the UEFI boot process. I will not go into the discussion of whether the fear that such a stick can be hacked and decrypted is realistic; each company should weigh the probability and decide for itself. But if you would rather not investigate, keep reading and learn how to create a UEFI-boot-only Windows To Go.
Simon kindly lent me a certified Windows To Go USB drive and I started looking for a way to build a WTG with UEFI boot only. My method is based on two TechNet articles: Windows To Go Step by Step and Deploy Windows To Go in Your Organization. Basically I took the PowerShell script mentioned in both articles and, following its logic, created a Windows To Go stick that only boots if the device supports UEFI boot.
We need a machine with Windows 8 Enterprise installed (the WTG host machine) and an .iso image of the same Windows edition.
First we format the stick with a GPT partition table, since the UEFI boot process only works from a GPT disk:
Start Diskpart from an elevated command prompt.
Type list disk and identify the stick; in my case it's Disk 1. Double-check this, because the next steps wipe the selected disk.
Type: select disk 1
Type: clean to remove any existing partitions
Type: convert gpt to convert the disk to a GPT partition table
Now we create the EFI system partition:
Type: create partition efi size=100
The 128 MB MSR partition is already there: diskpart creates it automatically as part of convert gpt, so no separate step is needed.
Type: format quick fs=fat32 label=EFI
Type: assign letter=S
Next we create the OS partition, which takes the rest of the available space:
Type: create partition primary
Type: format fs=ntfs quick label=UFD-Windows (the label can be anything, e.g. WTG)
Type: assign letter=W (the drive letter is also your choice)
Now we make the volume not auto-mount on other systems, so that plugging the WTG into a running machine does not give it a drive letter. Note that this is a convenience, not a security control: the volume can still be brought online via Disk Management in Windows (and a Mac does mount it). Only the BitLocker encryption we add later keeps the contents inaccessible without the password.
Type: attributes volume set NODEFAULTDRIVELETTER
(Keep the diskpart window open.)
Here is what the diskpart session should look like: (screenshot)
Now we load the OS onto the drive using DISM.EXE to apply the image. Have the Windows 8 .iso mounted (easy in Windows 8, which has built-in support for mounting .iso images).
Start another elevated command prompt, mount the DVD image (G: in my case) and run the following command:
dism /apply-image /imagefile:G:\sources\install.wim /index:1 /applydir:W:\
Wait until it is completely done (get a coffee, it takes a while).
Once it is ready we put the boot files in the right place. Because we pass /f UEFI, bcdboot writes only the UEFI boot files to the EFI partition and installs no BIOS boot code, which is what makes the stick UEFI-only:
W:\Windows\System32\bcdboot W:\Windows /s S: /f UEFI
Two more things remain:
Make sure that when the WTG boots, the host's internal drives are taken offline and not mounted (SAN policy 4, OfflineInternal).
Remove the Windows Recovery Environment (WinRE is not supported on a WTG).
We do this with the following two XML files; save each under the name shown.
San_policy.xml (begins <?xml version='1.0' encoding='utf-8' standalone='yes'?>) and Unattend.xml (begins <?xml version="1.0" encoding="utf-8"?>); the full contents of both are in the TechNet article Deploy Windows To Go in Your Organization referenced above.
Copy San_Policy.xml to the root of W: and then execute the following command:
Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
This applies the SAN policy to the offline image.
Then place unattend.xml in the W:\Windows\System32\Sysprep folder; Windows picks it up during first boot and removes WinRE.
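The whole procedure above, scripted. This is an added example and not the post's own script or the TechNet one: it runs the diskpart, DISM and bcdboot steps in order from an elevated PowerShell prompt on the WTG host, and writes the two answer files itself (their contents are reconstructed from the TechNet deployment article the post cites). Assumptions: the stick is disk 1, the Windows 8 Enterprise ISO is mounted as G:, and drive letters S: and W: are free.

```powershell
# Added example (not the post's code): build a UEFI-only Windows To Go stick end to end.
# Assumptions: disk 1 is the USB stick, the Windows 8 Enterprise ISO is mounted as G:,
# S: and W: are free. Run from an elevated PowerShell prompt on the Windows 8 Enterprise
# host. THIS WIPES THE SELECTED DISK.
$DiskNumber = 1
$IsoDrive   = 'G:'
$Efi        = 'S'
$Os         = 'W'
$OsRoot     = "${Os}:"

# Refuse to run against the host's own boot or system disk.
$disk = Get-Disk -Number $DiskNumber
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber is the host's boot/system disk; aborting." }

# 1. GPT layout: 100 MB EFI system partition, the rest NTFS for the OS. diskpart's
#    'convert gpt' creates the 128 MB MSR partition by itself. NODEFAULTDRIVELETTER only
#    stops auto-mounting on other hosts; BitLocker (added later) is what protects the data.
$diskpartScript = @"
select disk $DiskNumber
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label=EFI
assign letter=$Efi
create partition primary
format quick fs=ntfs label=WTG
assign letter=$Os
attributes volume set nodefaultdriveletter
"@
$dpFile = Join-Path $env:TEMP 'wtg-diskpart.txt'
Set-Content -Path $dpFile -Value $diskpartScript -Encoding ASCII
diskpart /s $dpFile
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 2. Apply the Enterprise image (index 1 in the Enterprise ISO) to the OS volume.
dism /Apply-Image /ImageFile:$IsoDrive\sources\install.wim /Index:1 /ApplyDir:$OsRoot\
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Image failed with exit code $LASTEXITCODE" }

# 3. UEFI-only boot files: '/f UEFI' writes just the EFI boot loader to the EFI partition
#    and installs no BIOS boot code, so a legacy BIOS sees nothing bootable on the stick.
& "$OsRoot\Windows\System32\bcdboot.exe" "$OsRoot\Windows" /s "${Efi}:" /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

# 4. Answer files. Each component must be listed for x86 and amd64; this helper emits
#    the pair so the structure is written once (reconstructed from the TechNet article).
function New-UnattendXml([string]$Pass, [string]$Component, [string]$Setting) {
    $components = foreach ($arch in 'x86', 'amd64') {
@"
    <component name="$Component" processorArchitecture="$arch"
        publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
        xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      $Setting
    </component>
"@
    }
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="$Pass">
$($components -join "`n")
  </settings>
</unattend>
"@
}
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)   # DISM is happiest without a BOM

# SAN policy 4 = OfflineInternal: the host's internal disks stay offline when the WTG boots.
$sanPolicyPath = "$OsRoot\san_policy.xml"
$sanPolicyXml  = New-UnattendXml 'offlineServicing' 'Microsoft-Windows-PartitionManager' '<SanPolicy>4</SanPolicy>'
[IO.File]::WriteAllText($sanPolicyPath, $sanPolicyXml, $utf8NoBom)
dism /Image:$OsRoot\ /Apply-Unattend:$sanPolicyPath
if ($LASTEXITCODE -ne 0) { throw "dism /Apply-Unattend failed with exit code $LASTEXITCODE" }

# WinRE is not supported on Windows To Go; this unattend removes it during OOBE.
$unattendPath = "$OsRoot\Windows\System32\Sysprep\unattend.xml"
$unattendXml  = New-UnattendXml 'oobeSystem' 'Microsoft-Windows-WinRE-RecoveryAgent' '<UninstallWindowsRE>true</UninstallWindowsRE>'
[IO.File]::WriteAllText($unattendPath, $unattendXml, $utf8NoBom)

Write-Host "Done. Boot a UEFI machine from disk $DiskNumber; a legacy BIOS will not see a bootable device."
```

The two checks that matter for the security claim are the `/f UEFI` switch on bcdboot (no BIOS boot code is ever written) and the `IsBoot`/`IsSystem` guard, which stops a typo in the disk number from wiping the host.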
So now we are all done! We have created a Windows To Go that only boots via the UEFI boot sequence. To check this we boot from the WTG, but first the firmware setup may need to be changed to enable UEFI boot. On a UEFI-only device nothing needs to change (besides the boot order perhaps), but my machine is a Dell Latitude E6410, and since my installed Windows 8 is not UEFI, I had to turn the UEFI option on. After going through the first-time setup (installing drivers, etc.) I wanted to verify that it really booted via UEFI. To do that, start an elevated command prompt and run
bcdedit /enum
The output tells you whether the machine booted via UEFI or Legacy: compare the path entry in the Windows Boot Loader section. Under UEFI it points to \Windows\system32\winload.efi; under Legacy boot it is \Windows\system32\winload.exe.
[Screenshot: bcdedit /enum output after a UEFI boot]
[Screenshot: bcdedit /enum output after a Legacy boot]
So I joined the machine to the Avanade domain and then wanted to BitLocker the OS drive, as required by Avanade policy. That was not possible: the domain policy does not allow BitLocker on an OS drive without a TPM. Hmm, no good! I booted back into the host's desktop and decided to turn BitLocker on from there. The Windows To Go host machine (the machine used to create WTG sticks) can access the partitions of a WTG created on it, and since the stick is then treated like any other USB drive I was able to encrypt it from PowerShell.
Start an elevated Windows PowerShell prompt.
First we add the recovery password as an option; run the following command:
Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
This also lets you save the recovery password somewhere; in my image I have masked it, of course.
Now we need to create a variable to store the password:
$spwd = ConvertTo-SecureString -String <password> -AsPlainText -Force
Replace <password> with the unlock password. I used a 6-digit code; note that the default BitLocker policy requires passwords of at least 8 characters, so check what your Group Policy allows.
Then run the following command to turn on BitLocker encryption:
Enable-BitLocker W: -PasswordProtector -Password $spwd
After this command the encryption starts, and it takes a considerable amount of time. I also read that you can pause it and let it continue once you boot from the WTG. Another nice thing: since my WTG host is domain joined, the recovery password is also saved to AD, but under my host machine's name (not the WTG hostname), so look there when you need it.
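The same encryption step as an added example (not the post's own commands) with the handling a practitioner would want around it: the password is prompted for rather than typed on the command line, where it would sit in the console history; the 48-digit recovery password is captured so it can be stored off the stick; and it is explicitly escrowed to AD. Assumptions: W: is the WTG OS volume, the host is domain joined and policy permits recovery-information backup.

```powershell
# Added example (not the post's code): encrypt the WTG OS volume from the WTG host.
# Assumptions: W: is the WTG OS volume; the host is domain joined and allowed to back up
# BitLocker recovery information to AD. Run from an elevated PowerShell prompt.
$Volume = 'W:'

# 1. Unlock password, prompted rather than put on the command line. The default BitLocker
#    policy requires at least 8 characters.
$unlock = Read-Host -Prompt 'Windows To Go unlock password' -AsSecureString

# 2. Recovery password protector first, then the password protector, which starts encryption.
$null = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
Enable-BitLocker -MountPoint $Volume -PasswordProtector -Password $unlock

# 3. Pull the recovery password out of the volume metadata and keep it somewhere other
#    than the stick it unlocks (move this file to your key store afterwards).
$vol = Get-BitLockerVolume -MountPoint $Volume
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$out = Join-Path $env:USERPROFILE 'WTG-recovery-password.txt'
"$($rp.KeyProtectorId) $($rp.RecoveryPassword)" | Set-Content -Path $out

# 4. Escrow to AD. As the post notes, it lands under the host computer object, not the WTG's.
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId

# 5. Encryption continues in the background; 'manage-bde -pause W:' / 'manage-bde -resume W:'
#    pause and resume it. ProtectionStatus only turns On once encryption has completed.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Keep the recovery password and the unlock password apart: anyone holding both the stick and either secret can read the volume, so the text file written in step 3 belongs in your key store, not next to the stick.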
So this is all done: we have a working Windows To Go stick that only boots via UEFI and is useless on machines whose firmware supports only Legacy boot. The last thing I needed to prove to our ITS was that Secure Boot is on. Secure Boot on top of UEFI ensures the firmware only launches boot loaders signed by a trusted key (Microsoft's, for Windows), so a tampered or unsigned boot loader on the stick is refused. The problem is that my Latitude E6410 does not support Secure Boot. Incidentally, a couple of days after I created the UEFI-only WTG I had a session planned with a colleague to hook up SharePoint 2013 to Exchange 2013. When I got to his place in the morning he had a brand new Windows 8 tablet from Acer and was complaining that he could not load Windows 8 Enterprise on it from the image on his USB disk. That rang a bell: the reason the USB disk is not seen by the boot process is most probably that the tablet is UEFI-only, so it needs a GPT-formatted disk to boot from. I told him “I'll help you install the Enterprise version of Windows 8 on your tablet after you let me boot once from my own Windows To Go”. The boot went really smoothly, and once in the OS I checked whether Secure Boot was on:
Start elevated Windows Powershell prompt and run the following command:
Confirm-SecureBootUEFI
And ta-dah! Secure Boot is on, it says True!
Sorry for the quality of the image, but I used my phone to take it!
In conclusion: my method is supported by Microsoft (I consulted a member of the product group), and I am sure the steps can be scripted.
The one thing left to figure out is how to filter and check whether a machine is or is not allowed to be joined to the domain.
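As an added example (not from the post), here is one way to turn the indicators used above into a check: it gathers the firmware type, the boot loader path from bcdedit, the Confirm-SecureBootUEFI result and the BitLocker state of the OS volume into a single object with a Compliant flag. The rule set (UEFI boot, Secure Boot on, OS volume protected by a password protector) is an assumption standing in for your own policy; run it elevated inside the booted WTG.

```powershell
# Added example (not the post's code): collect the boot and encryption indicators of a
# running Windows To Go into one object and evaluate an assumed "UEFI + Secure Boot +
# BitLocker" rule. Run from an elevated PowerShell prompt inside the booted WTG.
function Test-WtgCompliance {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    # Windows 8 exposes the firmware type as an environment variable: 'UEFI' or 'Legacy'.
    $firmware = $env:firmware_type

    # bcdedit lists winload.efi for a UEFI boot and winload.exe for a legacy boot.
    $pathLine   = bcdedit /enum '{current}' | Select-String -Pattern '^path\s+(\S+)' | Select-Object -First 1
    $loaderPath = if ($pathLine) { $pathLine.Matches[0].Groups[1].Value } else { '' }

    # Confirm-SecureBootUEFI throws on legacy BIOS or on firmware without Secure Boot support.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # A WTG cannot use a TPM (the host changes), so expect Password + RecoveryPassword protectors.
    $bl         = Get-BitLockerVolume -MountPoint $OsDrive
    $protectors = @($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        FirmwareType      = $firmware
        BootLoaderPath    = $loaderPath
        SecureBootEnabled = $secureBoot
        VolumeStatus      = $bl.VolumeStatus
        ProtectionStatus  = $bl.ProtectionStatus
        KeyProtectors     = ($protectors -join ', ')
        # ProtectionStatus is Off while encryption is still in progress.
        Compliant         = ($firmware -eq 'UEFI') -and
                            ($loaderPath -like '*\winload.efi') -and
                            $secureBoot -and
                            ($bl.ProtectionStatus -eq 'On') -and
                            ($protectors -contains 'Password')
    }
}

Test-WtgCompliance | Format-List
```

The object is what a join-gating script or a reporting job would consume; which of the fields must be true before a stick is allowed on the domain is the policy decision the post leaves open.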
I am currently on a project involving a cross-forest mailbox migration (as part of an AD migration/consolidation). In such cases the migration can take a considerable amount of time, so coexistence is important: mail routing and GALSync need to be in place, and what offers the most value to the business is cross-forest Free/Busy lookups. Starting with Exchange 2010 there is Exchange Federation (federated sharing), which allows two partner organizations to share calendar and contact information cross-forest. This feature shares more than just Free/Busy: also the subject, location, etc. of appointments (what I call “rich” Free/Busy). But it requires that both organizations have at least one Exchange 2010 CAS server, and it involves the Microsoft Federation Gateway.
On my project the source environment is Exchange 2007 and adding Exchange 2010 is not feasible. My good friend and colleague Arno Zwegers (an Exchange Ranger) pointed out that we could offer “simple” Free/Busy lookups without deploying an Exchange 2010 CAS box in the source. This method also does not require the Microsoft Federation Gateway, which means you do not need publicly signed certificates per se, as long as the CAs that issued the certificates are trusted by both sides.
So…
It is possible to provide cross-forest free/busy lookups between two Exchange 2010 or 2007 organizations, or a mix of the two, without the Microsoft Federation Gateway. This offers only basic free/busy information (free/busy times, no appointment details).
Requirements:
So…
To access Free/Busy information between the Contoso forest and the Fabrikam forest, the following needs to be done.
In the Contoso forest (Exchange Management Shell):
Add-AvailabilityAddressSpace -ForestName "fabrikam.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
When prompted for credentials, use the FABRIKAM\freebusy account created earlier in the Fabrikam forest.
Set-AvailabilityConfig -OrgWideAccount freebusy
freebusy here is the local account we created earlier in Contoso; this grants it organization-wide free/busy read access, and it is the account Fabrikam will use to query Contoso.
In the Fabrikam forest:
Add-AvailabilityAddressSpace -ForestName "contoso.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
When prompted for credentials, use the CONTOSO\freebusy account.
Set-AvailabilityConfig -OrgWideAccount freebusy
freebusy here is the local account we created earlier in Fabrikam.
Now wait 15-30 minutes and try scheduling an appointment between two users from the two forests.
I have successfully tried this with 2010 and 2007, and I am quite sure it works for Exchange 2013 as well. (@Arno, correct me if I am wrong.)
* To accommodate Outlook 2003 clients, which use Public Folders to retrieve Availability information, the Inter-Organization Replication tool (IORepl) can be used to synchronise the System and Free/Busy Public Folders between the two forests.
Hello everybody, I am back with another article on Exchange 2013. This time I want to talk about OWA (Outlook Web App), specifically the improvements made to OWA on a tablet. In my case it is a 1st generation iPad (which falls into the category of “keep your friends close, and your enemies even closer” :)).
You might all ask: why OWA on an iPad when one can use ActiveSync? Well, in my case I have been forced to use OWA on my iPad because the rest of the household forces me to.
Let me explain: Avanade requires a PIN code for devices that connect with ActiveSync, and since the iPad is the family device I was getting complaints that everyone had to enter the PIN to use it (everyone = my wife and 2 kids). Besides this, my 7-year-old kept trying to unlock the iPad with a wrong code, which resulted in a remote wipe and basically grounded their precious iPad for a whole day (until I came home from work and restored it from backup; good to know the policies do work, though). As you can understand, any resistance, or claim that the iPad is my device or that they should just remember the PIN, is futile here. So I was doomed to using OWA on my OWN iPad, which, as anyone who has tried it knows, is a painful experience. Safari on the iPad only gets the light version of OWA:
Here is what it looks like:
Reading a message is bearable, but composing a new message or replying is quirky. The interface is not touch friendly at all, and you end up zooming in and out just to hit the right button.
I have come across two cases by now where a customer decided to block ActiveSync for users (because they do not want any mobile devices connecting at all) and offered OWA to mobile users instead. Anyone trying to use OWA on a phone (no matter how large the screen) is in for a miserable time, but it kind of works on a tablet.
“Here Comes the Sun” - OWA 2013
In the new version of Exchange, Microsoft completely redesigned OWA and made it into a true web app: user friendly, touch friendly and really fast. It also has a set of features that the OWA 2010 light version did not have at all.
When I logged into OWA 2013 on my iPad for the first time it took some time, and I got a message from iOS saying the web app needs more space to work, asking me to increase the default 256 MB to 512 MB (I guess this is memory, and I think it is specific to the first generation iPad). And then you get to see this:
It's like entering a different dimension. There is a large enough message list and a preview pane that automatically formats the message so you do not need to scroll sideways. As you can see there are Windows Phone-like buttons on top for “Unread”, “Flagged”, etc., and they are huge; there is no way you can miss them even with very thick fingers. Basically the Metro user experience is all over it.
On the bottom left (to the left of the search button) there is a sort of “Windows” button; pressing it takes you here:
Metro all over: from here you can jump quickly to the four sections shown in the tiles. Note how the Calendar tile is larger than the rest, just like on Windows Phone, because it is important!
We go first to the Calendar – day view:
Top row allows you to jump to different day, while the bottom row (middle) allows for switching to week and month view:
Week view: see how the current day is marked with a blue stripe (Sunday in my case)
on the left there is a button that will pop up the current month:
And here is the month view: Note the 22nd is marked to identify the current date
The bottom bar on the right has the “+” sign which will allow you to create a new calendar entry
Simple, clear interface; hitting “more details” gives you even more options, e.g. reminder, attendees, notes, etc.
Now back to the Mail: Every message has inline buttons for reply/forward and mark read/unread. But you can also hit the famous 3 dots button on the right bottom of the dark grey bar which will popup a nice menu.
Pressing the inline Reply/Forward button will show you a menu with Reply, Reply to All and Forward – nice and big for extra fat fingers
The contacts I am skipping for now, but you can do the usual stuff there, all touch friendly. I do want to show you the settings page though: there are only two sections, one for setting automatic replies (extremely important!)
and the other one for the Time Zone settings:
And the last screenshot, to show the parallel with Outlook 2013: unread messages get a blue vertical stripe to indicate that the message is unread.
That's it for now. As you can see, Outlook Web App has become extremely mature and can be used in almost any browser. Below is the list of OWA features available per browser.
Supported browsers on desktop and laptop computers
In the table below, the following definitions apply:
Desktops and laptops: Outlook Web App features available by Windows operating system and browser combination
Web browser | Windows XP and Windows Server 2003 | Windows Vista and Windows Server 2008 | Windows 7 | Windows 8 Release Preview |
Internet Explorer 7 | Good | Not available | Not available | Not available |
Internet Explorer 8 | Good | Good | Good | Not available |
Internet Explorer 9 | Not available | Best | Best | Not available |
Internet Explorer 10 | Not available | Not available | Best - plus offline access | Best – plus offline access |
Firefox 12 or later | Good | Good | Best | Best |
Safari 5.1 or later | Good – plus offline access | Good – plus offline access | Good – plus offline access | Good – plus offline access |
Chrome 18 or later | Good – plus offline access | Good – plus offline access | Best – plus offline access | Best – plus offline access |
Note: In previous versions, Outlook Web App had a built-in spell checker. In Exchange Server 2013 Preview, Outlook Web App relies on the web browser for spell checking, which Internet Explorer prior to version 10 doesn’t provide.
Desktops and laptops: Outlook Web App features available by non-Windows operating system and browser combination
Web browser | Mac OS X v10.5 | Mac OS X v10.6 and v10.7 | Linux |
Firefox 12 or later | Best | Best | Best |
Safari 5.0.6 | Best – plus offline access | Best – plus offline access | Not available |
Safari 5.1 or later | Not available | Best – plus offline access | Not available |
Chrome 18 or later | Best – plus offline access | Best – plus offline access | Best – plus offline access |
Note: Operating system and browser combinations not listed display the light version of Outlook Web App.
Supported browsers for tablets and smartphones
You can use the web browser on a tablet or smartphone to sign in to Outlook Web App. The available Outlook Web App features depend on the operating system and browser combination in use, as follows:
Tablets and smartphones: Outlook Web App features available by operating system and browser combination
Device | Minimum memory | Application | Support |
Windows 8 Release Preview tablet | 512 MB | Web browser | Best |
iOS 5 or later for iPhone | 512 MB | Web browser | Best |
iOS 5 or later for iPad | 512 MB | Web browser | Best |
Android 4.0 smartphone or later | 512 MB | Web browser | Best |
Android 4.0 tablet or later | 512 MB | Web browser | Best |
All other smartphones and tablets | Not applicable | Web browser | Light |
Note: iPad version 1 devices have 256 MB of memory. Outlook Web App requires 512 MB of memory; therefore, it's not supported on version 1 iPads.
I guess I have just proved the last statement wrong
See you in the next article