Simon May

Client and cloud

Simon May

  • Windows 7 licensing and virtual machines clarified

    Licensing is a complex subject and to be honest it’s not one that I talk about much because it’s a complex discipline in and of it’s own and there’s too much fun stuff to talk about in the client and cloud world.  This document, Licensing Windows 7 for Use with Virtual Machine Technologies tells you all you need to know about licensing with Software Assurance and Windows 7 on Virtual Machines.  Such nuggets as if you have Volume Licensing, an SA and the Windows 7 Professional Upgrade License (Volume Licensing Upgrade License) or Windows 7 Enterprise then you can run 4 virtual copies of Windows 7 on a server or desktop, just like this:


    What’s more there’s a great FAQ in the document, some of which is worth calling out:

    If I install and run four additional copies of the operating system, do I have to use Windows 7 Enterprise as the host operating system?

    No. You may use prior versions of Windows, including Windows Vista Business and Windows XP Pro. In addition to third-party product to host the four virtual machine environments, Volume Licensing customers have some flexibility in how they can deploy Windows 7 in their organizations.  As a benefit of Software Assurance coverage for Windows desktops, customers may leverage virtualization use rights.  This use right allows running the software in up to four local virtual machines.  While a customer’s right to use Windows 7 Enterprise may survive the expiration of their Software Assurance coverage, the Virtualization Use Right does not.

    Can I store my virtual machine in a .vhd file on removable storage media and open the .vhd file on another PC?

    Yes, as long as both PCs are licensed for Windows VECD and are not already running more than three copies of the software.

    Can other users remotely access virtual machines that I’m not using on my PC while I’m using my PC?

    No. The use of the software is limited to one user at any given time.

    How do I license my employee and contractor owned PCs so that they have access to my centralized desktop PC environment?

    Employee- and contractor-owned devices can be licensed with Windows VECD, which enables them to remotely access your centralized desktop PC environment. Additionally, for devices with a pre-assigned Windows 7 Professional license, they may run the permitted instances locally in a virtual machine on the Windows VECD licensed device.

    Go grab the document here (email it to your Licensing dude if you aren’t a licensing dude) and learn about Desktop Virtualisation

  • Manually configure Outlook 2010 for Exchange Online (BPOS)

    I live in Outlook, I think most people probably do too, so having recently moved the email for my domain over to something a little more reliable – BPOS – I thought it’d be nice to have access to that inbox through my Outlook, in addition to my Microsoft email.  To help with the setup of email the Sign In application can do it all for you the client’s available from the Administration Center or the download site.

    This however results in you having a separate profile within Outlook so it’s not quite what I wanted.

    This is what you need to do to add an Exchange Online mailbox to an existing Outlook profile in Outlook 2010 (the basic steps are universal):

    1. Close Outlook
    2. Open Mail32 (32-bit") from Control Panel
    3. Click E-mail Accounts… and then New… account settings
    4. Select E-mail Account and click Next on the wizard mail32
    5. Select Manually configure server settings or additional server types and Next again
    6. Select Microsoft Exchange or compatible service and Next again add new account
    7. Now fire up your browser of choice, IE nach, and log into your Outlook Web Apps.
    8. Look in the top right and you’ll see Options, then select About and copy the name next to Mailbox server name
    9. Go back to the mail settings dialogue and paste the name of your Exchange Online server in Server and your full Exchange Online email address in User Name
    10. Click the More Settings… button in the lower right and select the Connection tab, tick Connect to Microsoft Exchange using HTTP and click Exchange Proxy Settings… exchange proxy settings
    11. Next you’ll need the address of the mobile device URL for your region which you’ll enter in the first field, then click OK a couple of times to get back to the wizard

    Done, if you start Outlook you’ll find your new account is available for you

    multi accounts



  • I’m now an MTA (Microsoft Technology Associate)

    Find the MTA certification path that meets your needs 

    A few minutes ago I rocked over to the ultra high tech Microsoft Learning centre and took a few exams, just for some Friday fun…I might need help!  I’ve always been a big fan of certification (when it’s done right).  I started on the road to MCSE in NT4 back in the day, completed that, upgraded to 2000 and have kept things going since then.  There have been lots of changes to the programme though over the past decade (GULP!) and we now have a set of exams designed for the new crop of IT Professional entering the business out of the academic world.  The MTA.

    Microsoft Technology Associate (MTA) certification helps schools teach and validate fundamental technology knowledge [and] provides students with a foundation for their careers

    That’s a pretty darn important thing in the ultra competitive market and I thought it was a great idea when I was at Uni to do my MCSE to get me real world experience – I then rocked into a better job for more money than most of my peers.  Nice.

    What I can say having just taken the exams is that they’re pitched at about the right level, they aren’t super deep dive exams that require the depth of experience of a seasoned IT Professional but they are exams that let you demonstrate to an employer that you’ve got more of a grasp of Networking fundamentals and Security fundamentals than you might just get by attending some lectures.  The Windows Server 2008 exam was actually quite tricky, offering up some more complicated Active Directory Directory Services questions that you wouldn’t be able to answer without some real world experience.  To my mind that would make it a perfect exam to round out an industrial placement or internship year.

    If you’re an employer looking at a candidate with these exams you can rest assured that your not just getting someone who’s sat through some lessons.

    I took:

    • Networking Fundamentals: Exam 98-366
    • Security Fundamentals: Exam 98-367
    • Windows Server Administration Fundamentals: Exam 98-36

    But there are developer and C# focused exams too to prove your skills.

    As a result I can now add this logo to my business cards and blog and I’ve got a greater chance of standing out.

    If you want more info on the MTA program and how it builds into the MCTS exams then check out the Microsoft Learning website

  • iOS in the Enterprise

    Active Directory is the source of identity in the enterprise and iOS devices should be identified in and by AD in order to provide access to resources, in this article published on WServer News I explain the process of supporting iOS devices in your AD DS with Windows Server 2012 R2 and the Device Registration Service.

    The post iOS in the Enterprise appeared first on Devices, Services, Life: Simon May's Blog.

  • 5 Tips to cope with the BYOD post-holiday rush

    It’s that time of year again. Tech gifts are set to be the most popular this year again (after socks) and tablets are top of that tech gifts list. When you get back to work lots of your users will have shiny new Android, iOS and Windows devices that they’ll probably bring to the office. Some will use them as a distraction from work but many will want to use them to enable working in new ways. Not only that but this year it’s not just the tech trendsetters that will be getting tablets, it’s everyone at all levels in your organisation. Some people will just leave those devices at home for a start but some won’t and that will encourage more and more people to start bringing them into the office. It’s probably not tenable to just ban them outright any more – this season will put pay to that ability for most I think. So what can you do? We have two months and a few small upgrades might get you right to where you need to be.

    1. Email

    There can be no doubt that for almost every organisation on the planet email is the number one productivity, communications, CRM, sales, marketing and lol cat tool in our arsenal. If you’re going to spot a crunch point this will be it. If you’re running your email on-premises still it might be time to start considering a move to the cloud and my personal, favourite approach here is to go hybrid.


    Enabling a BYOD solution for your business at enterprise scale is going to mean you’ll have more and more people wanting to connect more and more devices to your email servers. Within Microsoft we have a limit of 10 which I recently found myself exceeding. Following this year’s holiday buying fest it’s quite likely that any individual might have: a mobile phone, a small tablet (7-8 inch, a present this year from the other half), a larger tablet (10 inch, bought last year as a present to themselves), a company provided laptop, a hot desk computer (only for when the user forgets their laptop). All those devices are going to “require” email access to make them useful. Of course this is also the tip of the iceberg, next year it’ll be wearables.

    Moving the email boxes of users who are entering a BYOD program over to Office 365 and leaving those with more traditional requirements on-premises could be a really smart move. Office 365 gives you this option like no other cloud email service can, integrating into your existing Exchange infrastructure providing that seamless familiar experience that users are used to. It’s too much to go into deep detail in this article about next steps but there are plenty of guides around the web.

    2. Work Place Join, Enterprise Registration

    The chances are that you know who everyone in your company is, what they do and what they should have access to do. The same is probably also true of your company owned laptops and desktops. The reason is of course that these people and devices have accounts within Active Directory (AD) and those accounts then let you specify what those users and computers are allowed to do and what resources they are allowed to access.


    Of course not all devices are created equal, they don’t all run Windows today and even if they do with BYOD they might not be members of your domain, known to AD. Essentially they are ghosts, visible but at the same time hidden. Within the Windows Server 2012 R2 wave we have a feature that helps us manage those ghosts and pull away their white sheet of invisibility, making them known to AD. The feature is the Device Registration Service otherwise commonly known as Workplace Join. This feature is complemented in Windows 8.1 with the ability to workplace join the device and iOS also has a similar ability, although the UI isn’t as slick. When a device is registered by the Device Registration service a few things happen, first an identity is created for the device within AD with a unique GUID (device names Aren’t-used per-se, although it is an attribute of the record) because a device can be enrolled multiple times, potentially by different people. Second a certificate is issued to the device to identify it. Now that our device is known to AD there is all sorts we can do to given the device.

    To deploy Device Registration you’ll need to deploy Windows Server 2012 R2, deploy the Active Directory Federation Services (AD FS) role, update the schema, issue some certificates and make some DNS changes. There’s a good guide to building this out in a lab here.

    3. Publish your internal sites, externally, safely

    Not all your internal websites are the most secret things your company has to offer. The intranet might have some proprietary information on it but you could still publish it securely and safely to people. Especially since we now know not only who they are but from what device they’re connecting. Going hand in hand with deploying AD FS in Windows Server 2012 R2 is going the new Web Application Proxy role which takes internal resources and publishes them externally safely using either claims based auth (AD FS) or pass through auth.

    Using rules for those published services, called relying parties in AD FS parlance, it’s possible to restrict the level of access over those published services using authorization rules that take a look at the claims an incoming request is making. Those claims can include device claims, so we can easily publish our intranet and create a rule that says if this device isn’t registered with AD don’t let the connection through, if the device is registered with AD and the user is allowed access to the intranet then allow the request.

    It’s actually the Web Application Proxy that publishes the enterprise registration service mentioned previously out to the internet. The Web Application Proxy also acts as an AD FS proxy allowing you to keep your AD FS server inside your network and taking these two services and linking them with Office 365 we can easily develop a single sign on environment.

    4. Device Governance

    It’s tough to require the ability to control all aspects of an individual’s personal device, in fact in some places it may soon contravene the law to remote wipe someone’s device without their permission, something you may want to do for example when they level the company. The idea of “governance” however is to allow access to specific resources – such as applications or remote help, once the individual has allowed you specific access to their devices.

    With this power comes the responsibility to not do such things as wholesale wipe their device. Once a device has been workplace joined we have the ability to start to selectively wipe the corporate aspects of their device. For example we could revoke the certificate that we placed on their device when they workplace joined. If they pulled any data down to their device and we’ve encrypted it with EFS, we would then be able to break the chain of trust that allows the device to access said data. Likewise we can do the same for sideloaded corporate apps.

    5. Data Governance

    It would be nice if we all knew all of the data inside our organisations. Sadly we don’t, especially when we consider the data explosion and how much data we will be storing in the future (I think storage space is like your salary: the more you earn the more you spend; the more storage you have the more you use!) Our users aren’t much good at managing their data either – they generally don’t understand ACLs and how to correctly permission their data. It would be far better if there were a better, more automatic way. Thankfully there is…

    Windows Server 2012 introduced Dynamic Access Control (DAC) and dynamic file classification through File Server Resource Manager (FSRM). Essentially this means that, given some rules, we can have our file servers look at the data they are hosting and apply access controls based upon the content of that data. For example we could look at all the Word documents on our file share and if they contain something that looks like a credit card number (using RegEx) we can classify the files as only for the eyes of people in our customer finance department (this is just file classification not DAC). The DAC part of the equation comes into play when we start to use those applied classifications in addition to the claims being made by the party accessing the files.

    The party accessing the files is going to be a user, but the device that the user is using to access the files could vary. In Windows Server 2012 we could take a devices identity in AD (the computer account) and decide that only users with a specific OS can access the files. Now that we have device registration in play too we can not only do this for Windows devices that are domain joined but also for Windows devices and iOS devices that are workplace joined. The upshot being that we could allow Jane from Finance access to a file with a credit card number in only from her Windows 8.1 domain joined device but not from her iOS device unless she registers the device and we therefore have the ability to track the data. All of this has been done without IT needing to understand the specific document or the specific device she used.


    Hopefully this article has been a little thought provoking. It’s probably a very big ask for you to get this stuff into production in time for the holidays but at least you can start to think about building a lab to try this out with those devices that Santa leaves for you. You’ll need some lab guides, and the Windows Server 2012 R2 and Windows 8.1 Enterprise Evals to be able to do just that – luckily it’s all free to try, our present to you.