O R G A N I C / F E R T I L I Z E R: 08.13

Aug 22, 2013

2012 r2 series: open source

i keep catching myself getting far wordier than intended in these “summaries.” i’m going to work on that! catching up though. this makes 4 of 9 in this series. remember the days when microsoft was all about NOT developing for competing platforms to edge them out of the market? well, this post titled enabling open source software is all about the loving embrace of open source.


open source with windows

common engineering criteria (cec) drives consistency across products by requiring engineering compliance on a variety of factors with goals such as integration, manageability, security, reliability, etc. this same concept extends to all things cloud – private, hybrid, or public.

so what’s all this cec stuff do for open source, you say? well, it means having the same goal. single pane of glass administration, things that work in one environment should translate pretty easily to another, etc. here’s things microsoft has been up to:

  • linux community. microsoft has been pretty involved lately. in fact, they’re even checking in their stuff into the main kernel source code base. i guess “lately” isn’t exactly fair. they started doing work with this kind of stuff back with opsmgr.
  • drivers. ms has created what is called linux integration services (lis). basically, it’s a set of drivers for virtual devices. it contains stuff that allows such things as network and disk operating at near bare hardware performance and support for time sync, shutdown, heartbeat, live backups, and live migrations.
  • r2 updates. supports dynamic memory allocation based on guest need, 2d video drivers, vmbus updates to spread interrupts across multiple virtual cpus, and kexec to support the ability to grab crash dumps.

data center abstraction layer (dal) is a common management abstraction for everything in the datacenter. it’s os agnostic, uses existing dmtf standards-based management. open management infrastructure (omi) is basically the implementation for linux. what started off as a movement in opsmgr has grown to configmgr, vmm, and dpm.

  • opsmgr. nothing new here really. if you are an administrator of opsmgr, then you’re probably already aware of opsmgr’s ability to manage more platforms than just windows.
  • configmgr. i knew this work had extended to managing platforms in configmgr but only recently learned that anti-virus protection is also available.
  • vmm. personalize linux during deployment. deploy from templates (think of sysprep with linux), use a mix of linux and windows in service templates.
  • dpm. live backups of linux guests. file system consistent snapshots (buffers are flushed, capable by linux integration services).
  • powershell cmdlets. these cmdlets actually let you manage any cim based system.

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Cmdlet          Get-CimAssociatedInstance                          cimcmdlets
Cmdlet          Get-CimClass                                       cimcmdlets
Cmdlet          Get-CimInstance                                    cimcmdlets
Cmdlet          Get-CimSession                                     cimcmdlets
Cmdlet          Invoke-CimMethod                                   cimcmdlets
Cmdlet          New-CimInstance                                    cimcmdlets
Cmdlet          New-CimSession                                     cimcmdlets
Cmdlet          New-CimSessionOption                               cimcmdlets
Cmdlet          Register-CimIndicationEvent                        cimcmdlets
Cmdlet          Remove-CimInstance                                 cimcmdlets
Cmdlet          Remove-CimSession                                  cimcmdlets
Cmdlet          Set-CimInstance                                    cimcmdlets


open source on windows

  • common open source application publishing platform (coapp). essentially a package management system like the advanced packaging tool (apt) on linux. coapp packages can be included in visual studio projects.
  • community collaboration. check out the azure gallery. it contains open source apps. also, recently, php was released on the same day for windows which included some significant performance improvements. the real story though is that a windows-version of php was released on the same day other os versions were.
  • oracle. on hyper-v? yup. not just database… but java and weblogic, too.
  • azul systems. jdk will be made available allowing customers to deploy java apps on windows azure using open source java – on both windows and linux.

Aug 20, 2013

2012 r2 series: three scenarios of pcit


pcit. there’s that term again. it doesn’t mean personal computer though. it actually means people-centric IT. as more and more devices are born to consume cloud-based services, it makes sense for management of such devices to be cloud-based as well. part 3 – people-centric IT in action – end-to-end scenarios across products – (coincidentally) looks at three scenarios of pcit.


scenario 1: company access, personal device.

company access already exists today through technology such as vpn. this is really more about giving users the ability to get to their work files on a personal device. it address some of the risks around compliance by utilizing authentication (ad fs) and encryption (work folders).1 of course, remote wipe is a part of the scenario.

the core component to scenario 1 is work folders. think of work folders as a skydrive pro for file servers. (skydrive pro is for sharepoint, in case you were curious.) work folders requires both a server2 and a client. windows 8.1 will be the first to get it with windows 7 and ios following shortly thereafter. work folders runs over https so if you are so inclined, you can publish it via the web application proxy – which integrates with ad fs.

for those IT admins that yearn for more control in their life, configmgr + intune delivers the ability to provision devices with work folders settings. group policies can be used for those pesky domain-joined machines. configmgr r2 has work folders support so you can use all of the familiar targeting capability to deliver policies.

1 optionally, use dynamic access control (dac) and rights management services (rms) can provide additional security/control. complexity is already super high, though.

2 basically, it’s a file server role in windows 2012 r2.

this statement will have you locked away in a cave by your executives for months:

Back to Hypothetical Joe: Suppose Joe buys a new Surface RT and wants to access files from work. He simply has to Workplace Join his device and enroll for management. As part of enrollment, his Work Folder configuration will be automatically provisioned and his files will start to sync to an encrypted folder. Joe now has all his work files available to him. As he makes changes to these files on his Surface RT, the changes synchronize to his desktop at work and vice-versa. As he creates sensitive documents, they are automatically classified and RMS protected.

Later, when Joe leaves the company, the IT team removes his devices from management and Joe’s Surface RT automatically wipes (rendered inaccessible) his Work Folders data while leaving all his personal data intact.


scenario 2: register to win!

unified device management (udm) requires azure AD, configmgr, and intune. once your environment is set up, the user will have to go to their respective “store” and download the company portal app. the cool thing is the device will show up in configmgr associated with the user.

granting access to company resources requires web application proxy and ad fs. unregistered devices will be denied access but will be provided links on how to get registered (to win!).


scenario 3: managing vpn

windows 8.1 has ms and third party vpn support built in, including new capabilities for profile management and on-demand vpn. let’s start with profile management:

  • configmgr + intune = provision vpn profiles and certs (intune for devices)
  • provision vpn profiles via powershell

automatic vpn (what i refer to as on-demand vpn) is managed by rules that are delivered to the device. when a user tries to connect to a company resource, vpn fires up. if any additional information is required, the user is prompted.

here’s a list of the powershell cmdlets from my 8.1 preview tablet:



technologies involved with pcit architecture:

Aug 16, 2013

2012 r2 series: productive users and protected information

this morning’s read: part 2 of 9, titled making device users productive and protecting corporate information. here’s my summary of another incredibly long and detailed post. don’t forget to go back and get the full read. away we go.

  • people-centric IT (pcit). addresses four key areas.
    • users. expect to have access to all of their corporate resources from anywhere.
    • devices. diversity is not just about controlling which models of a particular brand to use. diversity of device type continues to grow as well. diversity = complexity.
    • apps. complexity in cross-platform management and deployment of apps.
    • data. provide data access without while staying compliant and secure.
  • bring your own device (byod). byod is not a trend so much as a turning point. there’s no going back. diversity of devices will continue to climb which positions companies to have to fight the trend or embrace the trend. that’s what pcit is about.
  • user productivity. embracing byod effectively means having a healthy balance of access to corporate resources coupled with the right amount of security. with pcit, access policies can be enabled against the following criteria:
    • user’s identity
    • user’s device
    • user’s current network
  • common engineering criteria. engineers with server, configmgr, and intune shared common engineering milestones. focused on three key areas:
    • empowering users. users can have access to a variety of apps and data across a spectrum of devices – desktops, laptops, phones, tablets. windows, ios, and android are all supported (though it sounds like android might not get all the features initially.)
      • simple registration and enrollment.
        • workplace join. offers users a simple way to opt-in to IT services. creates user@device record in AD. governs access to resources and enables sso only. does not allow any IT control.
        • intune. users can enroll for management. wifi/vpn profiles, settings, side loading, etc.
      • consistent access to company resources. users can access apps, manage their own device, and access data via work folders.
      • automatically connect to internal resources. only works with enroll for management. vpn profiles launch on demand.
      • access resources from anywhere. data will be accessible via work folders and web application proxy.
    • unifying environment. single pane of glass management for apps and devices across scenarios from on-premise to cloud-based, including malware protection.
      • single console. the configmgr console is the basis of all management. cloud based management added through an intune connector.
      • user-centric app management. uses the user-centric model in configmgr to determine which app to deploy based on device and capability.
      • multiple delivery mechanisms. includes msi, app-v, remote apps, web links, windows store, app store, and google play.
      • cross-platform settings management. manage certifies, vpn, and wireless network profiles, apply compliance policies (to the extent of the platform, of course), receive inventory data, push installs, remote wipe and unregistration.
      • single identity. common identity from on-premise to cloud-based. ad fs tightly integrated to web application proxy is a key component.
    • protecting data. information access controlled by user, device, and location. shutdown access from devices no longer used.
      • control data. ability to selectively wipe data while leaving personal data intact. (see the original post for a table detailing device to capability.)
      • policy-based access control. made possible by ad fs, dynamic access control, web application proxy and work folders. obviously the implementation will be very complex.
        • web application proxy. provides ability to publish access to internal resources with optional multi-factor authentication.
        • work folders. file sync that allows syncing from corporate file server to user device over https. data is stored encrypted, locally on the device. files can be removed when device is un-enrolled from management.

Aug 15, 2013

2012 r2 series: customer scenario centricity

well, guess what? r2 is coming. you knew that already. what you might not know yet is r2 is coming october 18, along with windows 8.1. brad anderson has also been releasing a series of blog posts to highlight all of the forthcoming changes.

it’s a lot of material to read! figured i’d read along and post the high points. obviously i’m way behind since it’s a 9-part series which started at the beginning of july and is up to part 7 already. enough exasperation. let’s get started with part 1 titled beginning and ending with customer-specific scenarios.

  • cloud-first approach. build and deploy in their cloud first then deliver to customers and partners. ms currently operates > 200+ cloud services.
  • unified planning. client, server, system center, azure and intune all planned and prioritized together, including common release schedules and milestones.
  • three core pillars. centric to the support and inspiration behind r2 products:
    • empower people-centric IT (pcit). a move toward answering consumerization. users work anywhere on any device while operating in a secure and managed fashion. push to greater self-service capability. single pane of glass for device management.
    • transform the datacenter. technology which provides consistency in datacenter and public cloud platforms (investment, skillset, etc.)
    • enable modern business apps. new capabilities for both existing and new applications.
  • scenario-centric engineering. customer scenarios incorporated into all phases of development to prove the product operates as expected for customers instead of operating to an exact design specification, driven by focusing on:
    • plan based on customer needs.
    • design great products.
    • implement the software/service.
    • review scenarios frequently.
    • stabilize the software/service.

Aug 13, 2013

misc: spotting a fake

this isn’t so much a technical post. it’s just an explanation of how to spot check a profile before you decide to accept an invitation.

let’s say you get a mysterious invitation from someone on linkedin. at one point it was pretty easy to spot these but as all feats of engineering goes, things usually get better – including social. :) the new thing seems to be female profiles using attractive photos as a means of getting someone to accept the invitation. this is the easiest way i know how to spot a fake:

  • make a copy of the photo. in windows land, you can just drag the image off the browser and drop it to the desktop. like so:


  • next, go to google’s image search and drag the photo to the search bar – don’t think bing supports this – as illustrated below:


  • voila. 83 results.


hope you found that useful.