Channel: Windows Server Blogs

Cloud Infrastructure: How do you integrate the cloud into your datacenter?


The hybrid cloud is bringing agility and power to the enterprise, and Microsoft is leading the way with Microsoft Azure Stack and great new offerings across the on-premises datacenter and the cloud. See what's coming and what's already here in this hot Ignite session: Bring Azure to your Datacenter, featuring Mark Russinovich, Jeffrey Snover, and Jeremy Winter.

This "broad strokes" video gives you a strategic overview of the shifts these Microsoft leaders see in the cloud landscape and why they’ve chosen to do what they’ve done with these solutions. The speakers also discuss in detail how to manage the transition to the hybrid cloud, and how to do it on your own terms.

When you watch the video, you’ll probably want to go deeper on some of the topics these smart guys cover. Good news: Many, many 2015 Microsoft Ignite conference sessions (with details and demos) are available to view online, on your schedule, right here. Enjoy!


Update JEA for the April WMF 5.0 Preview


This year, at the Ignite Conference, we presented Just Enough Administration (JEA), a PowerShell toolkit for granularly managing administrator privileges.  Older versions of JEA do not work with the recently released  April WMF 5.0 Preview.  This is due to an issue with WinRM when registering a new endpoint.  The latest version (0.2.16.6) of JEA contains a workaround, and is available in the PowerShell Gallery.  Please install this version of the module to use JEA with the April WMF 5.0 Preview.

If you are updating an existing system with JEA to the April WMF 5.0 Preview, please take the following actions:

  1. Update the xJEA module to version 0.2.16.6 (e.g. “Update-Module -Name xJEA”)
  2. Delete the “C:\Program Files\Jea” folder

Once you have updated xJEA, you may notice the following error showing up when applying configurations using the xJeaEndpoint resource.  This error may be safely ignored.

WARNING: [WSManNetworkFailureDetected] The network connection to JEA-demo1 has been interrupted. Attempting to reconnect for up to 4 minutes...
WARNING: [WSManConnectionRetryAttempt] Attempting to reconnect to JEA-demo1 ...
WARNING: [WSManConnectionRetrySucceeded] The network connection to JEA-demo1 has been restored.
The WS-Management service cannot process the operation. The operation is being attempted on a client session that is
unusable. This may be related to a recent restart of the WS-Management service. Please create a new client session
and retry the operation if re-executing the operation does not have undesired behavior.
+ CategoryInfo : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : HRESULT 0x803381fa
+ PSComputerName : JEA-demo1
VERBOSE: Operation 'Invoke CimMethod' complete.

We apologize for any confusion or inconvenience this may have caused.  Thank you,

John Slack
Program Manager
PowerShell Team
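
The two update steps from the JEA post above, as an added example that is not part of the original post or the xJEA module: it refuses to delete the folder unless xJEA 0.2.16.6 or later is actually present afterwards. The function name `Update-JeaForWmf5Preview` and its parameters are hypothetical; the version number and folder path are the ones given in the post.

```powershell
#Requires -RunAsAdministrator

function Update-JeaForWmf5Preview {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Minimum xJEA version that carries the WinRM workaround (from the post).
        [version] $MinimumVersion = '0.2.16.6',
        # Folder the post says to delete on an existing JEA system.
        [string] $JeaFolder = 'C:\Program Files\Jea'
    )

    # Helper: newest xJEA version visible on this machine, or $null.
    $getNewest = {
        Get-Module -ListAvailable -Name xJEA |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1
    }

    $installed = & $getNewest
    if (-not $installed) {
        throw 'xJEA is not installed on this system; nothing to update.'
    }

    # Step 1: update the module only when it is older than the fixed version.
    if ($installed.Version -lt $MinimumVersion) {
        if ($PSCmdlet.ShouldProcess("xJEA $($installed.Version)", 'Update-Module')) {
            Update-Module -Name xJEA -ErrorAction Stop
        }
        $installed = & $getNewest
    }

    # Do not touch the folder if the update did not land (skipped under -WhatIf).
    if ($installed.Version -lt $MinimumVersion -and -not $WhatIfPreference) {
        throw "xJEA is still at $($installed.Version); expected $MinimumVersion or later."
    }

    # Step 2: delete the old JEA folder.
    $removed = $false
    if (Test-Path -LiteralPath $JeaFolder) {
        if ($PSCmdlet.ShouldProcess($JeaFolder, 'Remove folder and contents')) {
            Remove-Item -LiteralPath $JeaFolder -Recurse -Force -ErrorAction Stop
            $removed = $true
        }
    }

    # Report what was found and done so the run can be logged.
    [pscustomobject]@{
        XJeaVersion   = $installed.Version
        JeaFolder     = $JeaFolder
        FolderRemoved = $removed
    }
}

# Preview the actions first, then run for real.
Update-JeaForWmf5Preview -WhatIf
```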

Have a Windows Server itch? Come scratch it!


Heya folks, Ned here again. Do you have an idea for Windows Server? Do you want to vote on future product features and scenarios floated by your peers and Microsoft? Do you like free awesomeness? Good. Go here now, tomorrow, and forever:

http://windowsserver.uservoice.com

Every piece of feedback and every vote goes directly to the Windows Server product engineering teams, without varnish or middlemen. The good, bad, and the ugly. For those interested in Storage feedback - i.e. the kind of people who visit FileCab - a shortcut:

http://windowsserver.uservoice.com/forums/295056-storage

For the ground rules, check out this brief FAQ. For more info on how voting works in UserVoice, check out this explanation.

Now go exercise your franchise!

- Ned "founding father" Pyle

 

The Strategy Behind Today’s Service Packs for System Center Configuration Manager


 

Today we announced Service Packs for SCCM 2012 and SCCM 2012 R2. There’s been a lot of interest in these service packs, and I want to provide a little insight into the strategy behind them.

Looking at the big picture, there were two primary focuses with these service packs.

  1. Windows 10 compatibility/readiness.
  2. Updating SCCM + Intune hybrid deployments to bring them in line with Intune’s cloud-only EMM capabilities.

Here’s a bit more context on both these points:

Windows 10 Compatibility and Readiness

To start, we have done the best job ever preparing SCCM to support a new Windows release. This goes all the way back to the earliest planning meetings that took place when we began working on the Windows 10 project.

This is just another great example (among many others) of the ways we are doing better than ever before with common and unified planning across the company.

As we defined the end-to-end scenarios that would be delivered in Windows 10, we kept in mind the all-up Microsoft view of how all these efforts would be coordinated and aligned in a deeper manner than ever before. I can make that statement with some level of authority since I have led the SMS/SCCM teams for 12 years and have worked with many releases of Windows :). This is the best and most integrated planning and coordination we have ever done.

You’ll see the fruits of this in the end-to-end scenarios that are much more integrated and complete than ever before.

With these new Service Packs we have addressed many compatibility issues that have popped up during our testing of Windows 10 with SCCM. Throughout the testing process we only found a small handful of issues – this really emphasized to me the degree to which Windows 10 is far more compatible than any previous release of Windows. This is great news for everyone.

Our biggest goal with these Service Packs was to ensure you could deploy and manage Windows 10 with the SCCM you have in place today – aka there is no requirement to upgrade to a new version of SCCM in order to deploy Windows 10.

In other words, with SCCM 2012 and SCCM 2012 R2 you will be able to deploy and manage Windows 10.

Last week at Ignite we also announced SCCM vNext. In vNext we will light up and expose all the new capabilities coming in Windows 10 (more on this in the next section).

The level of interest and excitement around Windows 10 at Ignite – and broadly throughout the industry – is strong. You will be able to deploy Windows 10 as quickly as you want using SCCM 2012 and SCCM 2012 R2.

Updating SCCM more rapidly to integrate with Intune EMM Capabilities

One of the key trends we are seeing emerge right now is the convergence of the PC management and mobile device management roles and responsibilities in organizations.

While I was at Ignite, I had the opportunity to spend an hour in 1:1 meetings with 15 different organizations. Meetings like this provide an incredible opportunity to learn, stay grounded, and keep connected with customers. When I go into these meetings I always have a list of questions I want to ask as I try to identify trends and common needs, as well as ways to help their business. One of the questions I had last week was about the roles and responsibilities for PC management and mobile device management. Over the course of these meetings, 14 of the 15 companies said they had already combined these two roles or were in the process of making that combination. The primary goal of combining the roles is to deliver a consistent experience for users across all devices (PC’s and mobile devices) and provide a common solution for IT to enable users across those devices.

In the past, I’ve written about our world view that this convergence would occur – and we are seeing it accelerate today. With this world view in mind, we started building a connection between SCCM and Intune almost two years ago. Our vision here was to quickly and easily update the SCCM console as we added new features and capabilities to Intune. This concept is something we call “Weave” internally since we’re weaving in new capabilities from Intune into SCCM.

While we have had the infrastructure to connect SCCM to Intune, there have been a handful of technical challenges we have encountered. These include: How do you update the SCCM database schema if that is required to weave down new capabilities? The result of these challenges is that we have not been able to quickly weave everything down to SCCM. Enhancing our weave capabilities was a huge priority for these Service Packs and it is a big focus for the coming version of SCCM that is now in technical preview for managing Windows 10 (SP1 is here, and you can get SP2 here).

Microsoft has begun sharing the details and vision of Windows 10, looking at how Windows 10 will be delivered as a service, and focusing on how we will be constantly delivering new value to it. While reading all the Windows 10 coverage, it may have occurred to you that SCCM is going to need to follow suit, so that as Windows 10 gets new capabilities SCCM is also updated to light up and manage those new capabilities. We have always updated SCCM frequently via cumulative updates, and now we will increase that cadence further as SCCM effectively becomes more and more cloud connected. We will also release new SCCM capabilities several times a year.

* * *

With these Service Packs we really have brought the hybrid SCCM + Intune capabilities up to the Intune + cloud-only in just about every area. These Service Packs also significantly increase our ability to quickly weave more down to SCCM as we update Intune each month without requiring a Service Pack. This is a huge value add for SCCM users. Huge!

As we continue to develop and improve all of this, you will be able to use the SCCM console that all of you know so well for enabling users on all of their devices. This is a very unique set of capabilities for your end-user enablement needs. No other vendor on the market has this integrated solution with the rich PC management capabilities of SCCM and the rich mobile device management capabilities of Intune – all integrated into one place.

Over two years ago we saw this unification of roles developing, and we began working on the infrastructure changes you would need to enable this. It is awesome to see how SCCM and Intune are being used together – and to see how you SCCM users are making a big impact on your organization!

PowerShell Direct – Running PowerShell inside a virtual machine from the Hyper-V host


At Ignite we announced PowerShell Direct, and briefly demoed its capabilities in the “What’s New in Hyper-V” session.  This is a follow-up so you can get started using PowerShell Direct in your own environment.

What is PowerShell Direct?

It is a new way of running PowerShell commands inside a virtual machine from the host operating system easily and reliably.

  • There are no network/firewall requirements or configurations.
  • It works regardless of Remote Management configuration.
  • You still need guest credentials.

For people who want to try it out immediately, go ahead and (as Administrator) run either of these commands on a Windows 10 Hyper-V host where VMName refers to a VM running Windows 10:

Enter-PSSession -VMName VMName
Invoke-Command -VMName VMName -ScriptBlock { commands }

*** Note: This only works from Windows 10/Windows Server Technical Preview Hosts to Windows 10/Windows Server Technical Preview guests.
Please let me know what guest/host operating system combinations you’d like to see and why.

Here is why I think this is really cool

Honestly, because it’s incredibly convenient.   I’ve been using PowerShell Direct for everything from scripted virtual machine configuration and deployment where each virtual machine has different roles and requirements through checking the state of my virtual machine (aka, has the guest operating system booted yet?).

Today, Hyper-V administrators rely on two categories of tools for connecting to a virtual machine on their Hyper-V host:

  • Remote management tools such as PowerShell or Remote Desktop

  • Hyper-V Virtual Machine Connection (VM Connect)

Both of these technologies work well but have tradeoffs as the Hyper-V deployment grows.  VMConnect is reliable but hard to automate while remote PowerShell is a brilliant automation and scripting tool but can be difficult to maintain/setup in some cases.  I sometimes hear customers lament domain security policies, firewall configurations, or a lack of shared network preventing the Hyper-V host from communicating with the virtual machines running on it.
I’m also sure we’ve all had that moment where you're using PowerShell to modify a network setting and accidentally make it so you can no longer connect to the virtual machine in the process…I know I have.

PowerShell Direct provides the scripting and automation experience available with PowerShell but with the zero configuration experience you get through VMConnect.  Because PowerShell Direct runs between the host and virtual machine, there is no need for a network connection (shared or otherwise) and no need to enable remote management.  Like VMConnect, you do need guest credentials to connect to the virtual machine.

With that said, there are some PowerShell remote management tools not available yet in PowerShell Direct today.  We’re working on it; this is the first step.  If you expected something to work and it didn’t, leave a comment.

Getting started and a few common issues

I decided to make a picture of the most basic usage imaginable.

.5 – Dependencies
You must be connected to a Windows 10/Windows Server Technical Preview Host with Windows 10/Windows Server Technical Preview virtual machines.
You need to be running as Hyper-V Administrator.
You need user credentials in the virtual machine.

The virtual machine you want to connect to must be running locally (on this host) and booted.
I use Get-VM as a sanity check.

1 – Enter-PSSession -VMName works.  So does Enter-PSSession -VMGuid
Enter-PSSession -VMName VMName
Notice this is an interactive session.  I am running PowerShell commands on the virtual machine directly (same behavior as Enter-PSSession usually has).

2 – Invoke-Command -VMName works.  So does Invoke-Command -VMGuid
Invoke-Command -VMName VMName -ScriptBlock { commands } 
Notice this locally interprets the command(s) or script you pass in then performs those actions on the virtual machine (same behavior as Invoke-Command usually has).

It's that easy.

 

I look forward to seeing what you all build with this tool!  Happy scripting.


Cheers,
Sarah
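
The "has the guest operating system booted yet?" check mentioned in the PowerShell Direct post above, as an added example that is not part of the original post: it runs the Get-VM sanity check, then polls the guest with Invoke-Command -VMName until a command succeeds. The function name `Wait-VMGuestReady`, its parameters and the timeout values are hypothetical; the guest credential is prompted for rather than stored in the script.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function Wait-VMGuestReady {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $VMName,
        # Guest credentials are still required, as the post notes.
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $TimeoutSeconds = 300,
        [int] $PollSeconds    = 5
    )

    # Sanity check from the post: the VM must be local to this host and running.
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Running') {
        throw "VM '$VMName' is in state '$($vm.State)'; PowerShell Direct needs a running VM."
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            # Executes inside the guest over the host-to-VM channel.
            # No network path, firewall rule or remote management setup is used.
            return Invoke-Command -VMName $VMName -Credential $Credential -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    GuestName = $env:COMPUTERNAME
                    RunningAs = [Security.Principal.WindowsIdentity]::GetCurrent().Name
                    LastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
                }
            }
        }
        catch {
            # A guest that is still booting and a rejected credential both land here;
            # the message is surfaced with -Verbose so the two can be told apart.
            Write-Verbose "Guest not ready: $($_.Exception.Message)"
            Start-Sleep -Seconds $PollSeconds
        }
    }

    throw "Timed out after $TimeoutSeconds seconds waiting for guest '$VMName'."
}

# 'VMName' is the placeholder used in the post; replace it with a real VM name.
$guestCred = Get-Credential -Message 'Credentials for an account inside the guest'
Wait-VMGuestReady -VMName 'VMName' -Credential $guestCred -Verbose
```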

Get your free Storage Replica Kalamity Jake desktop and phone wallpapers


Heya folks, Ned here again. It's been a week since Microsoft Ignite 2015 and those Storage Replica stickers went fast. Hundreds of them, but that wasn't enough when you're surrounded by 23,000 IT professionals hungry for laptop ornamentation.

So if you were turned away or couldn't make the show this year, I put together some Kalamity Jake wallpapers. These come in desktop and phone orientations, in a variety of resolutions and color schemes, both with and without logos. Redistribute to anyone you like. If someone tries to charge you for one of these, laugh in their face - they are free. If you want other colors or resolutions, drop me a line (and wait!). And be sure to visit us next year at Ignite, when I will have a whole new series. Collect them all! Or something.

Download all wallpapers in one convenient ZIP

Here are a few small scale samples.

  

  

The quality is exactly what you'd expect at this price from a Windows Server PM. ;-)

Have a great weekend,

- Ned "maybe I should cut off one ear?" Pyle

Azure PowerShell DSC Extension v1.10 released


NOTE: You can find more information on the DSC Extension in our release history.

Today we released a minor update to the Azure DSC Extension: version 1.10.1.0.

This update addresses a couple of issues that were producing false error messages on some ARM deployments.

Please feel free to give us your feedback as comments to this post, or using Connect: https://connect.microsoft.com/PowerShell/Feedback.

Applying Filters on DNS Queries using Windows DNS Server Policies

DNS policies is a new feature in the DNS server role of Windows Server 2016 Technical Preview – not to be confused with group policies of the AD fame. You can create DNS policies on the DNS server to control how a DNS Server handles queries based...(read more)

Customer Q&A: Why UConn Health Switched to Windows Server to Modernize its Datacenter


UConn Health is a leading academic medical center in the northeastern United States whose mission spans clinical care, medical education, and research. UConn Health is home to the School of Medicine, School of Dental Medicine, John Dempsey Hospital, UConn Medical Group, UConn Health Partners, University Dentists, and a thriving research enterprise. It provides nearly US$1 billion in services annually in the region.

Because UConn Health receives funding from the State of Connecticut, which has undergone budget cuts, the organization found itself with a distinct need to trim IT costs, and turned to Microsoft to help them make their vision a reality. With help from Infront Consulting Group, UConn Health migrated its large VMware infrastructure to a private cloud built on the Hyper-V technology in Windows Server 2012 R2. By making the switch to Microsoft, UConn Health will avoid more than US$600,000 in VMware licensing fees over five years, halve its server count, trim IT management costs by a third, and improve the availability of clinical and business applications.

We caught up with Dass Sinnappen, IT Director, UConn Health, to tell us more about their IT modernization strategy and what they hope to accomplish going forward with Hyper-V in Windows Server 2012 R2.

Q: Can you tell me about the business problem you were trying to solve and why you chose Microsoft?

Dass: We had multiple versions of VMware running, and we wanted to standardize our environment as we built a private cloud to handle our many and varied workloads. In the end, we determined that Windows Server 2012 R2 with Hyper-V would best suit our long-term IT goals while helping us significantly trim cost.

Q: You previously ran VMware – why did you make the choice to switch to Windows Server 2012 R2 and Hyper-V?

Dass: It was all part of a big cost cutting process, since we were spending a lot of money on licensing. When we bought servers previously, it included the price of a VMware license for each server, which really adds up. Plus, because there have been so many enhancements to Hyper-V, it was the best way to go for functionality as well as cost savings as we looked to building out our private cloud strategy.

Q: What was your experience migrating from VMware-to-Hyper-V, was it difficult?

Dass: We did have our challenges getting started, as our environment was built with no standardization. Fortunately we were hooked up with a very good partner, Infront Consulting Group, and they really helped us. So once we got it going, it was a breeze. Down time was limited. We were able to migrate with the system down for just an hour before everything was good to go. We gave application users an estimate of two hours for the migration, and we did it in half the time, and we haven’t had anything fail so far.

Q: What are the most important benefits you have experienced by switching to Windows Server and System Center? Anything that pleasantly surprised you?

Dass: In addition to the cost savings, another important benefit for us is the consolidated management that allows us to manage everything with System Center Virtual Machine Manager (SCVMM).  Now we don’t have to have multiple tools. For someone to come in and just get started on it, it is just easy. We can also deliver a server in Hyper-V in 45 min to an hour fully patched through SCVMM. Our end goal was to get to a standardized platform so we can keep expanding quickly and seamlessly, and this allows us to do that.

We’ve also found that Hyper-V in Windows Server 2012 R2 is, simply, a great product. Once the business units saw the potential of hosting servers on our Hyper-V environment, at a very low cost, we have been asked to put more critical apps on it all the time. We have already moved many of our critical applications into Hyper-V now, and they are running well. Additionally, we used to have four or five people managing our IT environment, now we have two. We were able to move resources into different areas and utilize them on other projects that we have.

Q: Has Windows Server and System Center helped with or enabled a cloud strategy for UConn Health? If yes, can you tell me a little more about how?

Dass: Our move to Microsoft technology was a part of our strategy to build and utilize a private cloud to improve functionality and to decrease cost. As to the second part of your question, we are currently testing Azure Site Recovery as part of the Technology Adoption Program (TAP).  We hope to be able to use Azure as our disaster recovery site. As a health and state agency, we have to be careful what data goes out to the cloud, but soon it will be easy to recover data if something happens to our data center.

Q: For other customers that might be considering migrating from VMware to Windows Server and System Center, what advice would you give them?

Dass: We have talked to a lot of other customers, and so many have been fearful because they have been so used to their VMware experience. My advice would be to just take the step forward to Hyper-V; you won’t regret it. The cost savings and huge benefits of running a standardized Windows platform are well worth it. We’ve been running this system for over a year and it has been extremely stable.

Q: What are your next steps with Windows Server and System Center?

Dass: We’ve started building a cluster environment. We had 18 servers and are consolidating them by moving all the virtual machines (nearly 300) into four new clustered HP DL580s with Intel E7 processors and a 10GB network. When all is completed our environment will be much simpler yet even more robust. We are also in the process of creating a self-service portal for users to create servers for testing.

Q: What are you excited about with Windows Server and System Center in the future?

Dass: As I’ve seen how virtualization has changed at Microsoft, the road can only get better. I’m sure new and better features will be coming in the next version of Windows Server. We are excited for what the next version will bring us!

 

Using PowerShell to get VM IP addresses


Here is a handy PowerShell snippet:

Get-VM | ?{$_.ReplicationMode -ne "Replica"} | Select -ExpandProperty NetworkAdapters | Select VMName, IPAddresses, Status

Which delivers an output like this:

As you can see, it lists the IP addresses of all the virtual machines running under Hyper-V.  A couple of notes to make about this:

  • I use Hyper-V Replica heavily.  So I have developed the habit of always filtering out Replicas - so I do not worry about them.
  • I look at the network adapter status, because (as you can see) it allows me to tell the difference between a VM without an IP address - and a VM that is not reporting whether it has an IP address or not.

Hopefully you will find this useful in your environments.

Cheers,
Ben

Subscribing to the New Experience for Power BI breaks Office 365 Integration in Windows Server Essentials


[This post comes to us courtesy of Sandeep Biswas and Sabir Chandwale from Global Business Support]

We have recently come across an issue where Office 365 Integration breaks on Windows Server Essentials. After investigating the issue, we determined that the Windows Server Essentials Email Service does not start and crashes if we attempt to start it manually.

In the Windows Server Essentials Dashboard, the state of Microsoft Azure Active Directory Integration appears as N/A


In the Application event log, we can see the following errors:


In the SharedServiceHost-EmailProviderServiceConfig.log we get the following exception:


This exception is raised when the provider framework queries the Office 365 subscriptions to populate the information in the dashboard. The issue only occurs if the trial Microsoft Power BI subscription is associated with Office 365 via the portal https://www.powerbi.com/.

When the trial Microsoft Power BI subscription is associated with Office 365 via the portal, it adds 1,000,000 licenses for Power BI; however, it does not add any subscription information. When the Windows Server Essentials provider framework queries the O365 subscription, it finds the licenses without any subscription information associated with them. Hence it throws a Null Exception as highlighted in the SharedServiceHost-EmailProviderServiceConfig.log.


There are two user experiences currently available for Power BI: the new experience for Power BI, currently offered as a Public Preview via this portal, and the current experience, generally referred to as Power BI for Office 365, which can be subscribed to from the O365 Portal. We have not experienced any issues with Windows Server Essentials Dashboard Integration with Office 365 if Power BI for Office 365 is subscribed.

If you want to try Power BI in Windows Server Essentials integrated with Office 365, it is recommended that you go for Power BI for Office 365. If you have already enabled the new experience for Power BI via the portal https://www.powerbi.com/, the Windows Server Essentials Email Service will continue to crash whenever you launch the Windows Server Essentials Dashboard. We are working on a fix for this issue and will update the blog as soon as a solution is available.

Resolution (Updated on 05/18/2015):

To resolve the issue install the following hotfix on the server:

https://support.microsoft.com/en-us/kb/3055778

Announcing the Managed Outlook App


When organizations decide to start supporting mobility in earnest, the first app just about every organization wants to manage and secure is e-mail.

This is the critical app that empowers mobile end-users to work productively, and it is an essential area for IT to protect. Think of how much of business flows through e-mail today. E-mail is the primary method most of us use to communicate within our organizations and with our partners. There is an incredible amount of confidential and sensitive information that flows through e-mail every day.

Just about every Enterprise Mobility Management (EMM) vendor has built their own custom e-mail application – and, honestly, the feedback I hear when talking with customers using these solutions is very consistent: The user experience is not good.

We can do better.

In December, Microsoft acquired a company named Accompli. Accompli had built the premier e-mail app on iOS and Android. The e-mail experience was incredible and the millions of individuals that had downloaded and used the app gave it rave reviews. In February, Microsoft released updated versions of the Accompli e-mail apps on iOS and Android – rebranded as Outlook.

Since that launch in February, the feedback has been extraordinary. There have been millions of downloads and countless articles written about the app.


The new Outlook really does present a rich and empowering experience for individuals.

Over the past 6 months, we have released Word, Excel, PowerPoint, OneDrive for Business, and OneNote for both iOS and Android. All of these applications are integrated with the Data Leakage Protection and Conditional Access capabilities of the Enterprise Mobility Suite (EMS). Your feedback here has been incredible. Your users love the richness and unmistakably Office experience on all their devices, and IT loves that they are able to deliver that rich experience while ensuring the corporate content is safe and secure.

One of the things that we have worked exhaustively to get right is the balance of delivering a rich and empowering experience for our users, while also delivering the security required to protect the corporate data and information that’s being accessed and used by end-users. Your feedback on the integrated EMS+O365 scenarios is that we have got that balance right.

Almost without exception your #1 request around the Office 365 and EMS integration has been to release an EMS-integrated Outlook so that Outlook can participate in the Data Leakage Protection (DLP) and Conditional Access capabilities of EMS. Another top request has been to deliver a “managed e-mail” solution with the rich capabilities and rich experience of Outlook. Last week at Ignite we demonstrated the managed Outlook app and announced it would be available during Q2.

When the Outlook apps are updated this quarter, they will integrate with the conditional access and mobile application management (MAM) capabilities of EMS. This will allow you to set policies to do things like:

  • Manage the sharing of data from Outlook via cut/copy/paste.
  • Manage where files can be saved.
  • Designate that e-mail should only be sent to devices that are managed and compliant with IT policies.

The managed Outlook apps will deliver the best and most empowering experience for users while delivering the security and protection required by IT. The managed Outlook apps will set the bar by which to compare any managed e-mail solution against – and you will find that the e-mail apps delivered by others in the market are woefully inadequate.

The ability to set DLP and Conditional Access policies for Outlook and all the Office mobile apps is a unique value to Intune, Azure Active Directory Premium, and EMS. This is just another reason why EMS is a must-have.

Here’s what it looks like in action:

Let’s take a look at a couple of the DLP scenarios:

To begin, a user copies text from a corporate e-mail:


When that user attempts to paste that content into a corporate-managed Word file, it works perfectly.


When the user tries to paste it into a personal app (Twitter, in this example), the paste option is not available – the data is being contained and protected:


To really see this in action, check out the post recapping my introduction of this new feature in my Ignite keynote.

One of the most interesting things we added to the Intune SDK that was used to build the managed Outlook was multi-identity support.

Multi-identity support enables a single app to be used in both your personal life and your corporate life. This type of functionality has been a common topic of discussion with customers using the managed Word, Excel, and PowerPoint. The Office apps are pretty universally used in users’ personal and work life – and organizations needed a solution that enabled the data leakage protection for the corporate data, but did not limit users from also using the Office apps in their personal life.

This is an area where the Office team has done a mountain of customer research and they have become really focused on a rich experience that is also simple. Their customer research showed that users did not want to install multiple versions of the Office mobile apps – but wanted a single app that understood the need to use these apps for personal and business use.

With this in mind, we built that capability into our Intune SDK. Now, a user can switch between personal and business use within the same app. When being used for business, all the data leakage protection and security settings defined by IT are in place and enforced. When in personal use, the apps are not managed. Intune/EMS is the solution to deliver this multi-user support – and this represents a unique set of capabilities in the market today.

It makes sense that Microsoft would innovate on this first – there are, after all, only a small handful of apps that are used in both personal and business life, and Office is the most common (others include the browser, Adobe Acrobat, and a small list of others).

In the case of e-mail, Intune/EMS can set policies on the corporate e-mail, while leaving e-mail in the personal inbox untouched. Let’s take a look at how this works:

Inside of Outlook, the user is able to toggle between inboxes. When in the business or corporate context, all the DLP rules are applied. In the personal context, IT is not involved at all – we believe that this elimination of IT’s connection to personal data is how it should be.


Conditional Access works through the integration of the EMS and Office 365 backend services. When a device is brought under management, we create an object in Azure Active Directory for the device. Multiple times a day, Intune then writes into that object whether the device is in fact managed and whether it is compliant with the configuration policies that have been defined as required for accessing corporate content (PIN, encrypted, not jailbroken). Any time a request is made to the Exchange Online backend for e-mail, Exchange checks with the EMS components to see if Conditional Access is enabled and if the device requesting e-mail is compliant. If the device is compliant, e-mail flows to the device. If the device is not compliant, a single e-mail is sent to the device informing the user that the device does not meet the corporate requirement, with a link to instructions on how to bring it into compliance.

 

This is a deep and really exciting level of integration across O365+EMS. This level of cooperation happens around the globe and we actually track the performance and availability of O365+EMS working together globally to ensure the SLAs that we have committed to you. This deep level of integration and global perspective is not possible with other EMM vendors – and this is one of many reasons the Conditional Access and DLP capabilities are a unique value of Office 365+EMS.

And one more thing: We also announced last week that Skype for Business (formerly known as Lync) will be updated in Q3 with these DLP and Conditional Access capabilities.

Microsoft is the only organization delivering this kind of empowerment while providing a secure environment for your users’ content creation, content consumption, collaboration, and communication.

Patching and servicing of Windows and Linux - survey and email contact


Hi folks, Ned here again. We are studying customer patching pain points and behaviors within Linux and Windows Server environments across operating systems and applications. If you are a stakeholder in the patching/updating process for your company and would like to share your thoughts and feedback, please take a few minutes to fill out the following survey:

https://www.surveymonkey.com/r/YYZKBS3

If you want to give us direct and deep feedback, please email us at:

patchfeed@microsoft.com

Again, we are interested in feedback and experiences from both Windows Server administrators as well as Linux sysadmins.

We look forward to hearing from you,

- Ned "here comes the spam mail" Pyle

Application Load Balancing using DNS Server Policies

DNS policies are a new feature in the DNS server role of Windows Server 2016 Technical Preview. You can create DNS policies on the DNS server to control how a DNS Server handles queries based on different parameters. In the previous blogs, we discussed...

Integrating Windows 10 Identity Innovations with EMS & SCCM


Yesterday, Alex Simons had a great post that’s part of a series he’s doing on the innovations and enhancements in Identity (both Active Directory and Azure Active Directory) for Windows 10.

This blog will outline the work we are doing in the Enterprise Mobility Suite (EMS), as well as System Center Configuration Manager (SCCM) to integrate the identity innovations in Windows 10 – and how this work extends many of those identity innovations to iOS and Android.

Alex’s latest post covered the multi-user capabilities of Windows 10. With these innovations, a single Windows 10 login session can be associated with both a personal account (Microsoft Account - MSA) and a corporate account (AD or AAD). A lot of work has been done to make Windows 10 multi-user enabled, and this work is industry-leading in making the OS multi-user aware within the same login session. Alex’s blog shows how you can easily add an MSA to an existing corporate device as well as add an AAD account to a personal device.

This concept of enabling multiple users on a device (and specifically multiple user identities within the same login session) is something we have heard that you want on all your devices. This request has come up most often from customers that have been using the Office mobile apps on iOS and Android.

One of the unique capabilities of the combined O365/EMS and Office 2013/EMS is the ability to apply data leakage protection (DLP) policies to the Office apps. EMS lets you set DLP policies such as where users can save documents, how cut/copy/paste works, and how the open-in functionality behaves on iOS. No other EMM solution can set these DLP policies.

The question that has most often come up has been: “Hey, my users use the Office applications in both their personal and corporate lives. I need the DLP policies to protect the corporate data, but I would also like to enable users to use the Office mobile apps on these devices for their personal use where the DLP policies would not be applied.”

Here is what we are doing to make the apps that need to be used in both personal and corporate lives multi-user aware:

There are a handful of apps that people want to use in both personal and business contexts. The browser is certainly one, and the Office mobile apps (Word, Excel, PowerPoint, and Outlook) also top the list. We have made huge investments in the EMS/Intune MAM capabilities to enable “multi-identity” usage in a single app. During the day, you may be using Excel to create, edit, or view corporate content such as sales forecasts or costs. The company wants to protect sensitive data like this and wants to apply policies about where the user can save this corporate content, as well as wanting to prevent this data from being copied and pasted into a personal app. At home, this same individual may be using Excel to create, edit, or view details about the budget for the PTA, or for a little league team they are coaching. In this case, the DLP policies should not apply and, in fact, IT should not even be aware of how the app is being used in the individual’s personal life.

Here are some screen shots of the multi-user capabilities of EMS/Intune in the upcoming Outlook apps.

To begin, a user copies text from a corporate e-mail:


When that user attempts to paste that content into a corporate-managed Word file, it works perfectly.


When the user tries to paste it into a personal app (Twitter, in this example), the paste option is not available – the data is being contained and protected:


Inside of Outlook, the user is able to toggle between inboxes. When in the business or corporate context, all the DLP rules are applied. In the personal context, IT is not involved at all – we believe that this elimination of IT’s connection to personal data is how it should be.


Later this quarter, you will see the EMS/Intune MAM “multi-identity” capabilities first released on iOS and Android in the Microsoft Outlook app. As the Outlook app is updated in the iOS and Android stores, it will be multi-user aware and it will enable these DLP capabilities while in the “corporate” context while enabling IT to stay clear of anything in the personal context. I think the approach the EMS and Office teams came up with here (where it is a single app that understands the multi-user, multi-identity needs of apps like the Office apps) was a clever and great way to deliver this.

Over the next few months, you will see these capabilities integrated with all the Office mobile apps as they are updated. Later this year, you’ll see the multi-user and DLP capabilities that are being delivered as a native part of Windows 10.

With Windows 10, because the MDM capability is built directly into the platform, device enrollment into Microsoft Intune is a natural extension of the way that you associate your corporate identity with your devices. Microsoft Intune provides great support for all of the new capabilities of Windows 10 that your IT department needs to keep your devices up to date, keep you productive, and keep corporate assets always protected.

Over the next few weeks, we’ll have additional posts detailing our multi-identity support, including the experience for Microsoft Outlook.

We’re excited to release “multi-identity” to further improve both your ability to protect corporate data and to empower your end users.  Keep your feedback coming – we love hearing what you need and your experiences with our MAM solution!

 



New PowerShell cmdlets in Windows Server 2016 TP2 (compared to Windows Server 2012 R2)


1. Overview

 

With the release of Windows Server 2016 TP2 a few weeks ago, I was wondering what new PowerShell cmdlets are now included (when you compare to Windows Server 2012 R2). However, the list of cmdlets is so long now that it is hard to spot the differences by hand.

However, there is a cmdlet in PowerShell to show all the cmdlets available (Get-Command), and a little bit of programming would make it easy to find out what the main differences are. So I set out to collect the data and compare the lists.

 

DISCLAIMER: As you probably know already, the Technical Preview is subject to change so all the information here about Windows Server 2016 is preliminary and may not make it into the final product. Use with care, your mileage may vary, not available in all areas, some restrictions apply, professional PowerShell driver on a closed Azure VM course, do not attempt.

 

2. Gathering data

 

First, I needed the list of cmdlets from both versions of the operating system. That was actually pretty easy to gather, with a little help from Azure. I basically provisioned two Azure VMs, one running Windows Server 2012 R2 and one running Windows Server 2016 Technical Preview 2 (yes, TP2 is now available in the regular Azure VM image gallery).

Second, I installed all of the Remote Server Administration Tools (RSAT) on both versions. That loads the PowerShell modules used for managing features that are not installed by default, like Failover Cluster or Storage Replica.

Finally, I ran a simple cmdlet to gather the list from Get-Command and save it to an XML file. This made it easier to put all the data I needed in a single place (my desktop machine running Windows 10 Insider Preview). Here's a summary of what it took:

  • Create WS 2012 R2 Azure VM
  • Install RSAT in the WS 2012 R2 VM
    • Get-WindowsFeature RSAT* | Install-WindowsFeature
    • Restart-Computer
  • Capture XML file with all the WS 2012 R2 cmdlet information
    • Get-Command | Select * | Export-CliXml C:\WS2012R2Cmdlets.XML
  • Create WS 2016 TP2 Azure VM
  • Install RSAT in the WS 2016 TP2 VM
    • Get-WindowsFeature RSAT* | Install-WindowsFeature
    • Restart-Computer
  • Capture XML file with all the WS 2016 TP2 cmdlet information
    • Get-Command | Select * | Export-CliXml C:\WS2016TP2Cmdlets.XML

3. Process the data

 

With the two XML files at hand, all I had left to do was to compare them to produce a good list of what's new. The first attempt resulted in a long list that was hard to understand, so I decided to do it module by module.

The code starts by creating a combined list of modules from both operating systems. Then it builds a dictionary of all cmdlets for a given module, assigning the value 1 if it's in WS 2012 R2, 2 if it's in WS 2016 TP2 and 3 if it's in both.

Then I would show the total number of cmdlets per module per OS, then the number of new cmdlets and the actual list of new cmdlets. Since the goal was to publish this blog, I actually wrote the script to format the output as an HTML table. Quite handy :-).

 

4. Show the results

 

Finally, here is the resulting table with all the new PowerShell cmdlets (by module) in Windows Server 2016 TP2, compared to Windows Server 2012 R2. Enjoy!

 

Module | New Cmdlets | WS 2016 TP2 | WS 2012 R2
(none) | 0 | 38 | 38
ActiveDirectory | 0 | 147 | 147
ADRMSAdmin | 0 | 21 | 21
AppLocker | 0 | 5 | 5
Appx | 8 | 14 | 6
+ Add-AppxVolume
+ Dismount-AppxVolume
+ Get-AppxDefaultVolume
+ Get-AppxVolume
+ Mount-AppxVolume
+ Move-AppxPackage
+ Remove-AppxVolume
+ Set-AppxDefaultVolume
BestPractices | 0 | 4 | 4
BitLocker | 0 | 13 | 13
BitsTransfer | 0 | 8 | 8
BranchCache | 0 | 32 | 32
CimCmdlets | 0 | 14 | 14
CIPolicy | 1 | 1 | 0
+ ConvertFrom-CIPolicy
ClusterAwareUpdating | 0 | 17 | 17
ConfigCI | 10 | 10 | 0
+ Edit-CIPolicyRule
+ Get-CIPolicy
+ Get-CIPolicyInfo
+ Get-SystemDriver
+ Merge-CIPolicy
+ New-CIPolicy
+ New-CIPolicyRule
+ Remove-CIPolicyRule
+ Set-HVCIOptions
+ Set-RuleOption
Defender | 11 | 11 | 0
+ Add-MpPreference
+ Get-MpComputerStatus
+ Get-MpPreference
+ Get-MpThreat
+ Get-MpThreatCatalog
+ Get-MpThreatDetection
+ Remove-MpPreference
+ Remove-MpThreat
+ Set-MpPreference
+ Start-MpScan
+ Update-MpSignature
DFSN | 0 | 23 | 23
DFSR | 3 | 45 | 42
+ Get-DfsrDelegation
+ Grant-DfsrDelegation
+ Revoke-DfsrDelegation
DhcpServer | 0 | 121 | 121
DirectAccessClientComponents | 0 | 11 | 11
Dism | 4 | 43 | 39
+ Add-WindowsCapability
+ Expand-WindowsCustomDataImage
+ Get-WindowsCapability
+ Remove-WindowsCapability
DnsClient | 0 | 17 | 17
DnsServer | 21 | 122 | 101
+ Add-DnsServerClientSubnet
+ Add-DnsServerQueryResolutionPolicy
+ Add-DnsServerRecursionScope
+ Add-DnsServerZoneScope
+ Add-DnsServerZoneTransferPolicy
+ Disable-DnsServerPolicy
+ Enable-DnsServerPolicy
+ Get-DnsServerClientSubnet
+ Get-DnsServerQueryResolutionPolicy
+ Get-DnsServerRecursionScope
+ Get-DnsServerZoneScope
+ Get-DnsServerZoneTransferPolicy
+ Remove-DnsServerClientSubnet
+ Remove-DnsServerQueryResolutionPolicy
+ Remove-DnsServerRecursionScope
+ Remove-DnsServerZoneScope
+ Remove-DnsServerZoneTransferPolicy
+ Set-DnsServerClientSubnet
+ Set-DnsServerQueryResolutionPolicy
+ Set-DnsServerRecursionScope
+ Set-DnsServerZoneTransferPolicy
EventTracingManagement | 14 | 14 | 0
+ Add-EtwTraceProvider
+ Get-AutologgerConfig
+ Get-EtwTraceProvider
+ Get-EtwTraceSession
+ New-AutologgerConfig
+ New-EtwTraceSession
+ Remove-AutologgerConfig
+ Remove-EtwTraceProvider
+ Remove-EtwTraceSession
+ Send-EtwTraceSession
+ Set-AutologgerConfig
+ Set-EtwTraceProvider
+ Set-EtwTraceSession
+ Start-AutologgerConfig
FailoverClusters | 2 | 84 | 82
+ New-ClusterNameAccount
+ Update-ClusterFunctionalLevel
GroupPolicy | 0 | 29 | 29
HgsClient | 11 | 11 | 0
+ Export-HgsGuardian
+ Get-HgsAttestationBaselinePolicy
+ Get-HgsClientConfiguration
+ Get-HgsGuardian
+ Grant-HgsKeyProtectorAccess
+ Import-HgsGuardian
+ New-HgsGuardian
+ New-HgsKeyProtector
+ Remove-HgsGuardian
+ Revoke-HgsKeyProtectorAccess
+ Set-HgsClientConfiguration
Hyper-V | 26 | 204 | 178
+ Add-VMGroupMember
+ Add-VMSwitchTeamMember
+ Add-VMTPM
+ Disable-VMConsoleSupport
+ Enable-VMConsoleSupport
+ Get-VHDSet
+ Get-VHDSnapshot
+ Get-VMGroup
+ Get-VMHostCluster
+ Get-VMSwitchTeam
+ Get-VMTPM
+ Get-VMVideo
+ New-VMGroup
+ Optimize-VHDSet
+ Remove-VHDSnapshot
+ Remove-VMGroup
+ Remove-VMGroupMember
+ Remove-VMSwitchTeamMember
+ Rename-VMGroup
+ Set-VMHostCluster
+ Set-VMSwitchTeam
+ Set-VMTPM
+ Set-VMVideo
+ Start-VMTrace
+ Stop-VMTrace
+ Update-VMVersion
IISAdministration | 17 | 17 | 0
+ Get-IISAppPool
+ Get-IISConfigCollectionItem
+ Get-IISConfigElement
+ Get-IISConfigSection
+ Get-IISConfigValue
+ Get-IISServerManager
+ Get-IISSite
+ New-IISConfigCollectionItem
+ New-IISSite
+ Remove-IISConfigCollectionItem
+ Remove-IISSite
+ Reset-IISServerManager
+ Set-IISConfigValue
+ Start-IISCommitDelay
+ Start-IISSite
+ Stop-IISCommitDelay
+ Stop-IISSite
International | 0 | 18 | 18
iSCSI | 0 | 13 | 13
IscsiTarget | 0 | 28 | 28
ISE | 0 | 3 | 3
Kds | 0 | 6 | 6
Microsoft.PowerShell.Archive | 2 | 2 | 0
+ Compress-Archive
+ Expand-Archive
Microsoft.PowerShell.Core | 5 | 60 | 55
+ Debug-Job
+ Enter-PSHostProcess
+ Exit-PSHostProcess
+ Get-PSHostProcessInfo
+ Register-ArgumentCompleter
Microsoft.PowerShell.Diagnostics | 0 | 5 | 5
Microsoft.PowerShell.Host | 0 | 2 | 2
Microsoft.PowerShell.Management | 4 | 86 | 82
+ Clear-RecycleBin
+ Get-Clipboard
+ Get-ItemPropertyValue
+ Set-Clipboard
Microsoft.PowerShell.ODataUtils | 1 | 1 | 0
+ Export-ODataEndpointProxy
Microsoft.PowerShell.Security | 0 | 13 | 13
Microsoft.PowerShell.Utility | 11 | 105 | 94
+ ConvertFrom-String
+ Convert-String
+ Debug-Runspace
+ Disable-RunspaceDebug
+ Enable-RunspaceDebug
+ Format-Hex
+ Get-Runspace
+ Get-RunspaceDebug
- GetStreamHash
+ New-Guid
+ New-TemporaryFile
+ Wait-Debugger
+ Write-Information
Microsoft.WSMan.Management | 0 | 13 | 13
MMAgent | 0 | 5 | 5
MsDtc | 0 | 41 | 41
NetAdapter | 4 | 68 | 64
+ Disable-NetAdapterPacketDirect
+ Enable-NetAdapterPacketDirect
+ Get-NetAdapterPacketDirect
+ Set-NetAdapterPacketDirect
NetConnection | 0 | 2 | 2
NetEventPacketCapture | 0 | 23 | 23
NetLbfo | 0 | 13 | 13
NetNat | 0 | 13 | 13
NetQos | 0 | 4 | 4
NetSecurity | 0 | 85 | 85
NetSwitchTeam | 0 | 7 | 7
NetTCPIP | 0 | 34 | 34
NetWNV | 0 | 19 | 19
NetworkConnectivityStatus | 0 | 4 | 4
NetworkController | 141 | 141 | 0
+ Add-NetworkControllerNode
+ Clear-NetworkControllerNodeContent
+ Disable-NetworkControllerNode
+ Enable-NetworkControllerNode
+ Export-NetworkController
+ Get-NetworkController
+ Get-NetworkControllerCanaryConfiguration
+ Get-NetworkControllerCluster
+ Get-NetworkControllerCredential
+ Get-NetworkControllerDevice
+ Get-NetworkControllerDeviceGroupingTestConfiguration
+ Get-NetworkControllerDeviceGroups
+ Get-NetworkControllerDeviceGroupUsage
+ Get-NetworkControllerDeviceUsage
+ Get-NetworkControllerDiagnostic
+ Get-NetworkControllerDiscoveredTopology
+ Get-NetworkControllerExternalTestRule
+ Get-NetworkControllerFabricRoute
+ Get-NetworkControllerGoalTopology
+ Get-NetworkControllerInterface
+ Get-NetworkControllerInterfaceUsage
+ Get-NetworkControllerIpPool
+ Get-NetworkControllerIpPoolStatistics
+ Get-NetworkControllerIpSubnetStatistics
+ Get-NetworkControllerLogicalNetwork
+ Get-NetworkControllerLogicalSubnet
+ Get-NetworkControllerMonitoringService
+ Get-NetworkControllerNode
+ Get-NetworkControllerPhysicalHostInterfaceParameter
+ Get-NetworkControllerPhysicalHostParameter
+ Get-NetworkControllerPhysicalSwitchCpuUtilizationParameter
+ Get-NetworkControllerPhysicalSwitchInterfaceParameter
+ Get-NetworkControllerPhysicalSwitchMemoryUtilizationParameter
+ Get-NetworkControllerPhysicalSwitchParameter
+ Get-NetworkControllerPSwitch
+ Get-NetworkControllerPublicIpAddress
+ Get-NetworkControllerServer
+ Get-NetworkControllerServerInterface
+ Get-NetworkControllerSwitchBgpPeer
+ Get-NetworkControllerSwitchBgpRouter
+ Get-NetworkControllerSwitchConfig
+ Get-NetworkControllerSwitchNetworkRoute
+ Get-NetworkControllerSwitchPort
+ Get-NetworkControllerSwitchPortChannel
+ Get-NetworkControllerSwitchVlan
+ Get-NetworkControllerTopologyConfiguration
+ Get-NetworkControllerTopologyDiscoveryStatistics
+ Get-NetworkControllerTopologyLink
+ Get-NetworkControllerTopologyNode
+ Get-NetworkControllerTopologyTerminationPoint
+ Get-NetworkControllerTopologyValidationReport
+ Get-NetworkControllerVirtualInterface
+ Get-NetworkControllerVirtualNetworkUsage
+ Get-NetworkControllerVirtualPort
+ Get-NetworkControllerVirtualServer
+ Get-NetworkControllerVirtualServerInterface
+ Get-NetworkControllerVirtualSwitch
+ Get-NetworkControllerVirtualSwitchPortParameter
+ Import-NetworkController
+ Install-NetworkController
+ Install-NetworkControllerCluster
+ New-NetworkControllerCanaryConfiguration
+ New-NetworkControllerCredential
+ New-NetworkControllerDevice
+ New-NetworkControllerDeviceGroupingTestConfiguration
+ New-NetworkControllerDeviceGroups
+ New-NetworkControllerExternalTestRule
+ New-NetworkControllerInterface
+ New-NetworkControllerIpPool
+ New-NetworkControllerLogicalNetwork
+ New-NetworkControllerMonitoringService
+ New-NetworkControllerNodeObject
+ New-NetworkControllerPhysicalHostInterfaceParameter
+ New-NetworkControllerPhysicalHostParameter
+ New-NetworkControllerPhysicalSwitchCpuUtilizationParameter
+ New-NetworkControllerPhysicalSwitchInterfaceParameter
+ New-NetworkControllerPhysicalSwitchMemoryUtilizationParameter
+ New-NetworkControllerPhysicalSwitchParameter
+ New-NetworkControllerPSwitch
+ New-NetworkControllerPublicIpAddress
+ New-NetworkControllerServer
+ New-NetworkControllerServerInterface
+ New-NetworkControllerSwitchBgpPeer
+ New-NetworkControllerSwitchBgpRouter
+ New-NetworkControllerSwitchNetworkRoute
+ New-NetworkControllerSwitchPortChannel
+ New-NetworkControllerSwitchVlan
+ New-NetworkControllerTopologyLink
+ New-NetworkControllerTopologyNode
+ New-NetworkControllerTopologyTerminationPoint
+ New-NetworkControllerVirtualInterface
+ New-NetworkControllerVirtualPort
+ New-NetworkControllerVirtualServer
+ New-NetworkControllerVirtualServerInterface
+ New-NetworkControllerVirtualSwitch
+ New-NetworkControllerVirtualSwitchPortParameter
+ Remove-NetworkControllerCanaryConfiguration
+ Remove-NetworkControllerCredential
+ Remove-NetworkControllerDevice
+ Remove-NetworkControllerDeviceGroupingTestConfiguration
+ Remove-NetworkControllerDeviceGroups
+ Remove-NetworkControllerExternalTestRule
+ Remove-NetworkControllerFabricRoute
+ Remove-NetworkControllerInterface
+ Remove-NetworkControllerIpPool
+ Remove-NetworkControllerLogicalNetwork
+ Remove-NetworkControllerLogicalSubnet
+ Remove-NetworkControllerNode
+ Remove-NetworkControllerPhysicalSwitchCpuUtilizationParameter
+ Remove-NetworkControllerPhysicalSwitchMemoryUtilizationParameter
+ Remove-NetworkControllerPSwitch
+ Remove-NetworkControllerPublicIpAddress
+ Remove-NetworkControllerServer
+ Remove-NetworkControllerServerInterface
+ Remove-NetworkControllerSwitchBgpPeer
+ Remove-NetworkControllerSwitchBgpRouter
+ Remove-NetworkControllerSwitchNetworkRoute
+ Remove-NetworkControllerSwitchPortChannel
+ Remove-NetworkControllerSwitchVlan
+ Remove-NetworkControllerTopologyLink
+ Remove-NetworkControllerTopologyNode
+ Remove-NetworkControllerTopologyTerminationPoint
+ Remove-NetworkControllerVirtualInterface
+ Remove-NetworkControllerVirtualPort
+ Remove-NetworkControllerVirtualServer
+ Remove-NetworkControllerVirtualServerInterface
+ Remove-NetworkControllerVirtualSwitch
+ Repair-NetworkControllerCluster
+ Set-NetworkController
+ Set-NetworkControllerCluster
+ Set-NetworkControllerDiagnostic
+ Set-NetworkControllerFabricRoute
+ Set-NetworkControllerGoalTopology
+ Set-NetworkControllerLogicalSubnet
+ Set-NetworkControllerNode
+ Set-NetworkControllerSwitchConfig
+ Set-NetworkControllerSwitchPort
+ Set-NetworkControllerTopologyConfiguration
+ Start-NetworkControllerTopologyDiscovery
+ Uninstall-NetworkController
+ Uninstall-NetworkControllerCluster
NetworkLoadBalancingClusters | 0 | 35 | 35
NetworkSwitchManager | 19 | 19 | 0
+ Disable-NetworkSwitchEthernetPort
+ Disable-NetworkSwitchFeature
+ Disable-NetworkSwitchVlan
+ Enable-NetworkSwitchEthernetPort
+ Enable-NetworkSwitchFeature
+ Enable-NetworkSwitchVlan
+ Get-NetworkSwitchEthernetPort
+ Get-NetworkSwitchFeature
+ Get-NetworkSwitchGlobalData
+ Get-NetworkSwitchVlan
+ New-NetworkSwitchVlan
+ Remove-NetworkSwitchEthernetPortIPAddress
+ Remove-NetworkSwitchVlan
+ Restore-NetworkSwitchConfiguration
+ Save-NetworkSwitchConfiguration
+ Set-NetworkSwitchEthernetPortIPAddress
+ Set-NetworkSwitchPortMode
+ Set-NetworkSwitchPortProperty
+ Set-NetworkSwitchVlanProperty
NetworkTransition | 0 | 34 | 34
NFS | 0 | 42 | 42
Nps | -6 | 7 | 13
- Get-NpsRemediationServer
- Get-NpsRemediationServerGroup
- New-NpsRemediationServer
- New-NpsRemediationServerGroup
- Remove-NpsRemediationServer
- Remove-NpsRemediationServerGroup
PackageManagement | 10 | 10 | 0
+ Find-Package
+ Get-Package
+ Get-PackageProvider
+ Get-PackageSource
+ Install-Package
+ Register-PackageSource
+ Save-Package
+ Set-PackageSource
+ Uninstall-Package
+ Unregister-PackageSource
PcsvDevice | 4 | 9 | 5
+ Clear-PcsvDeviceLog
+ Get-PcsvDeviceLog
+ Set-PcsvDeviceNetworkConfiguration
+ Set-PcsvDeviceUserPassword
Pester | 20 | 20 | 0
+ AfterAll
+ AfterEach
+ Assert-MockCalled
+ Assert-VerifiableMocks
+ BeforeAll
+ BeforeEach
+ Context
+ Describe
+ Get-MockDynamicParameters
+ Get-TestDriveItem
+ In
+ InModuleScope
+ Invoke-Mock
+ Invoke-Pester
+ It
+ Mock
+ New-Fixture
+ Set-DynamicParameterVariables
+ Setup
+ Should
PKI | 0 | 17 | 17
PnpDevice | 4 | 4 | 0
+ Disable-PnpDevice
+ Enable-PnpDevice
+ Get-PnpDevice
+ Get-PnpDeviceProperty
PowerShellGet | 11 | 11 | 0
+ Find-Module
+ Get-InstalledModule
+ Get-PSRepository
+ Install-Module
+ Publish-Module
+ Register-PSRepository
+ Save-Module
+ Set-PSRepository
+ Uninstall-Module
+ Unregister-PSRepository
+ Update-Module
PrintManagement | 0 | 22 | 22
PSDesiredStateConfiguration | 5 | 17 | 12
+ Connect-DscConfiguration
+ Find-DscResource
+ Get-DscConfigurationStatus
+ Invoke-DscResource
+ Publish-DscConfiguration
PSDiagnostics | 0 | 10 | 10
PSReadline | 5 | 5 | 0
+ Get-PSReadlineKeyHandler
+ Get-PSReadlineOption
+ Remove-PSReadlineKeyHandler
+ Set-PSReadlineKeyHandler
+ Set-PSReadlineOption
PSScheduledJob | 0 | 16 | 16
PSWorkflow | 0 | 2 | 2
PSWorkflowUtility | 0 | 1 | 1
RemoteAccess | 14 | 121 | 107
+ Add-BgpRouteAggregate
+ Add-VpnSstpProxyRule
+ Clear-BgpRouteFlapDampening
+ Disable-BgpRouteFlapDampening
+ Enable-BgpRouteFlapDampening
+ Get-BgpRouteAggregate
+ Get-BgpRouteFlapDampening
+ Get-VpnSstpProxyRule
+ New-VpnSstpProxyRule
+ Remove-BgpRouteAggregate
+ Remove-VpnSstpProxyRule
+ Set-BgpRouteAggregate
+ Set-BgpRouteFlapDampening
+ Set-VpnSstpProxyRule
RemoteDesktop | 5 | 78 | 73
+ Export-RDPersonalSessionDesktopAssignment
+ Get-RDPersonalSessionDesktopAssignment
+ Import-RDPersonalSessionDesktopAssignment
+ Remove-RDPersonalSessionDesktopAssignment
+ Set-RDPersonalSessionDesktopAssignment
ScheduledTasks | 0 | 19 | 19
SecureBoot | 0 | 5 | 5
ServerCore | 0 | 2 | 2
ServerManager | 0 | 7 | 7
ServerManagerTasks | 0 | 11 | 11
ShieldedVMDataFile | 3 | 3 | 0
+ Import-ShieldingDataFile
+ New-VolumeIDQualifier
+ Protect-ShieldingDataFile
ShieldedVMTemplate | 1 | 1 | 0
+ Protect-ServerVHDX
SmbShare | 0 | 35 | 35
SmbWitness | 0 | 3 | 3
SoftwareInventoryLogging | 0 | 11 | 11
StartScreen | 0 | 3 | 3
Storage | 32 | 140 | 108
+ Block-FileShareAccess
+ Clear-StorageDiagnosticInfo
+ Debug-FileShare
+ Debug-StorageSubSystem
+ Disable-PhysicalDiskIdentification
+ Disable-StorageDiagnosticLog
+ Enable-PhysicalDiskIdentification
+ Enable-StorageDiagnosticLog
+ Get-DedupProperties
+ Get-DiskSNV
+ Get-DiskStorageNodeView
+ Get-FileShare
+ Get-FileShareAccessControlEntry
+ Get-StorageAdvancedProperty
+ Get-StorageDiagnosticInfo
+ Get-StorageEnclosureSNV
+ Get-StorageEnclosureStorageNodeView
+ Get-StorageFaultDomain
+ Get-StorageFileServer
+ Grant-FileShareAccess
+ New-FileShare
+ New-StorageFileServer
+ Optimize-StoragePool
+ Remove-FileShare
+ Remove-StorageFileServer
+ Revoke-FileShareAccess
+ Set-FileShare
+ Set-StorageFileServer
+ Start-StorageDiagnosticLog
+ Stop-StorageDiagnosticLog
+ Stop-StorageJob
+ Unblock-FileShareAccess
StorageQoS | 6 | 6 | 0
+ Get-StorageQoSFlow
+ Get-StorageQoSPolicy
+ Get-StorageQoSVolume
+ New-StorageQoSPolicy
+ Remove-StorageQoSPolicy
+ Set-StorageQoSPolicy
StorageReplica | 11 | 11 | 0
+ Get-SRGroup
+ Get-SRPartnership
+ New-SRGroup
+ New-SRPartnership
+ Remove-SRGroup
+ Remove-SRPartnership
+ Set-SRGroup
+ Set-SRPartnership
+ Suspend-SRGroup
+ Sync-SRGroup
+ Test-SRTopology
TLS | 3 | 7 | 4
+ Disable-TlsCipherSuite
+ Enable-TlsCipherSuite
+ Get-TlsCipherSuite
TroubleshootingPack | 0 | 2 | 2
TrustedPlatformModule | 0 | 11 | 11
UpdateServices | 4 | 16 | 12
+ Add-WsusDynamicCategory
+ Get-WsusDynamicCategory
+ Remove-WsusDynamicCategory
+ Set-WsusDynamicCategory
UserAccessLogging | 0 | 14 | 14
VpnClient | 0 | 19 | 19
Wdac | 0 | 12 | 12
WebAdministration | 0 | 80 | 80
Whea | 0 | 2 | 2
WindowsDeveloperLicense | 0 | 3 | 3
WindowsErrorReporting | 0 | 3 | 3
WindowsSearch | 0 | 2 | 2

 

5. Share the code

 

For those wondering about the script I used to compile the results, here it goes.

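#
# Enumerating all the modules from both OS versions
#

# $Files[0] = WS 2012 R2 cmdlets, $Files[1] = WS 2016 TP2 cmdlets
$Files = ( (Import-Clixml "C:\WS2012R2Cmdlets.XML"),
           (Import-Clixml "C:\WS2016TP2Cmdlets.XML") )
$ModuleDict = @{}

$Files | % {
  $_ | Group ModuleName | Sort Name | % {
    $Module = $_.Name
    If ($ModuleDict.ContainsKey($Module)) {
      $ModuleDict.$Module++
    } Else {
      $ModuleDict.Add($Module, 1)
    } # End If
  } # End Import
} # End 0..1

#
# Enumerate the cmdlets in every module
#

# NOTE: the HTML tags inside the Write-Host strings were stripped from the
# published copy of this script. The markup below is a reconstruction; only
# the cell contents (headers, $Module, $Dif, $WS1, $WS0, $CmdletList) are original.
Write-Host "<table>"
Write-Host "<tr><th>Module</th><th>New Cmdlets</th><th>WS 2016 TP2</th><th>WS 2012 R2</th></tr>"

$ModuleDict.GetEnumerator() | Sort Name | % {
  $Module = $_.Name
  $VersionCount = (0, 0)
  $CmdletDict = @{}

  # Value 1 = only in WS 2012 R2, 2 = only in WS 2016 TP2, 3 = in both
  0..1 | % {
    $WSVersion = $_
    $Files[$_] | ? ModuleName -eq $Module | % {
      $Cmdlet = $_.Name
      $VersionCount[$WSVersion]++
      If ($CmdletDict.ContainsKey($Cmdlet)) {
        $CmdletDict.$Cmdlet += ($WSVersion + 1)
      } Else {
        $CmdletDict.Add($Cmdlet, ($WSVersion + 1))
      } # End If
    } # End %
  } # End 0..1

  #
  # Output the list of cmdlets that changed in every module
  #

  $WS0 = $VersionCount[0]
  $WS1 = $VersionCount[1]
  $Dif = $WS1 - $WS0
  # HTML line break followed by CR+LF (the published copy emitted LF+CR)
  $CrLf = "<br>" + [char]13 + [char]10

  Write-Host "<tr><td>$Module</td><td align='right'>$Dif</td><td align='right'>$WS1</td><td align='right'>$WS0</td></tr>"
  If ($CmdletDict.Count -gt 0) {
    $CmdletList = ""
    $CmdletDict.GetEnumerator() | ? {$_.Value -eq 2 -or $_.Value -eq 1} | Sort Name | % {
      $Name = $_.Name
      If ($_.Value -eq 1) {
        $CmdletList += "- $Name" + $CrLf   # removed in WS 2016 TP2
      } else {
        $CmdletList += "+ $Name" + $CrLf   # new in WS 2016 TP2
      } # End If
    } # End Enumerator
    If ($CmdletList -ne "") {
      Write-Host "<tr><td colspan='4'>$CmdletList</td></tr>"
    } # End If
  } # End if

} # End Module
Write-Host "</table>"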

 

When to use Hyper-V Dynamic Memory versus Runtime Memory Resize


Starting in Windows 10/Windows Server Technical Preview, Hyper-V allows you to resize virtual machine memory without shutting down the virtual machine.  You might be thinking, “Hyper-V already has dynamic memory… what is this about?”.  I get a lot of questions about why you would use memory resize if enabling dynamic memory already automatically adds or removes memory to meet only the virtual machine's needs.  To answer this, I’d like to tell a story about when I asked a similar question of my college roommate. 

 

Are all wrenches the same?

I had a roommate in college who was a mechanical engineer, and one of his hobbies was modifying his car (and then driving it too fast). Living with essentially a part-time mechanic had its pros and cons: his expertise saved me from a few trips to the shop, but it also meant that he stored his huge toolset in our cramped dorm room.

The biggest part of the set was this enormous box of wrenches; the kind where each wrench had its special place in the box. I admit it was a beautiful set, but it also took up a lot of space. One day I asked him why he couldn't just use one adjustable wrench. Why did he need 100 different sizes? I thought I had stumped him.

He admitted that a wrench set and an adjustable wrench essentially fulfilled the same purpose. What I failed to realize however, was that there are scenarios which require a simple one-sized wrench. For example, applying too much torque to an adjustable wrench will break its threads. My roommate also pointed out that when you’re trusting your life to a wrench (like when installing a seatbelt), you don’t want the wrench to wiggle. He preferred a single piece of steel for those types of jobs.

 

The point is, just like wrenches, Hyper-V memory configurations are used in different scenarios. Dynamic memory is the adjustable wrench: it fits almost any situation. On the other hand, a VM without dynamic memory is like having one single-sized wrench: some situations call for it, but you’re locked into the size you started with.

The ability to adjust the amount of memory at runtime is like having my roommate’s fancy wrench set. A virtual machine without dynamic memory will no longer be locked into its initial memory allocation. Users can either add or remove memory based on their needs.

OK that's enough about wrenches; you get the idea. Let’s talk about real use cases.

 

Use Cases

Many types of Hyper-V users will benefit from this feature. However, there are two types that this feature especially applies to: desktop users and hosters.

Desktop users

Imagine you're a desktop user, and you go to spin up a VM. It doesn't work because you were a little too ambitious allocating memory for the rest of the VMs, and so you've run out of memory to give.

Without this feature, you’re stuck. You have enough memory to run all of your workloads, but it is tied up in VMs that don’t need it. Your only option is to shut down your VMs and reallocate the memory when they’re off. This means painful downtime for the workloads running on your machine. In the worst case, you have something critical running in those virtual machines. Best case scenario, this is just a huge hassle.

With runtime memory resize, you can simply remove memory from those other VMs without needing to stop anything. Once enough memory is freed up, you can go ahead and launch the new VM. This feature allows desktop users to create VMs without being locked down to the initial memory value.

Hosters

Now picture you’re a hoster.  Let's say a tenant wanted 60GB of memory in their VM at first, but they're quickly reaching that limit. Your tenant’s service business is booming, and they need more memory in their VM. They can afford double the memory in their VM, but they can’t afford to take their workload offline. Hopefully you can see how stressful this situation can be for hosters.

Before runtime memory resize, you would need to have a difficult conversation with your customer. You would need to explain that this is a complex change, and that it would likely mean downtime for their service (at a time when business is booming). Your tenant will certainly not be happy, and might reconsider buying a larger virtual machine.

With this new feature, selling more memory to existing tenants becomes trivial. You don’t need to have that difficult conversation, you just need to ask “how much?” and make sure there is enough physical memory on the system. Runtime memory resize does away with the complexity of selling more memory, which means more revenue and happier tenants.

 

Walk Through

Notes:

  • Runtime memory resize is only supported for Windows 10/Windows Server Technical Preview
  • If more memory is added than is available on the system, Hyper-V will add as much memory as it can and display an error dialogue.
  • Memory being used by the virtual machine at the time cannot be removed. In this case, Hyper-V will remove as much memory as it can and display an error dialogue.


Virtual Machine Settings

To adjust the amount of memory in a running virtual machine (without dynamic memory enabled), first open virtual machine settings. Enter the desired amount of memory in the “Startup RAM” field. The virtual machine’s memory should adjust to the new value. In the screenshot below, note that the virtual machine is running but you can still adjust “Startup RAM”.


PowerShell

To resize a virtual machine’s memory in PowerShell, use the following cmdlet (example below):

Set-VMMemory -StartupBytes

Theo Thompson
Hyper-V Team
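
The runtime resize from the walk-through above, as an added PowerShell example that is not part of the original post. It assumes the Hyper-V module in an elevated session on the host; the function name Resize-VMMemoryAtRuntime and the VM name 'File Server' are hypothetical. It reads the memory values back afterward because, per the Notes, Hyper-V may apply only part of a requested change.

```powershell
# Added example, not from the original post.
function Resize-VMMemoryAtRuntime {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [int64]  $StartupBytes
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # The walk-through covers VMs that do not have dynamic memory enabled.
    if ($vm.DynamicMemoryEnabled) {
        throw "VM '$VMName' uses dynamic memory; this example covers static memory only."
    }

    $before = $vm.MemoryStartup
    $delta  = $StartupBytes - $before

    # Rough pre-check when growing a running VM: compare the increase with the
    # free physical memory the host OS reports (FreePhysicalMemory is in KB).
    if ($vm.State -eq 'Running' -and $delta -gt 0) {
        $freeBytes = (Get-CimInstance -ClassName Win32_OperatingSystem).FreePhysicalMemory * 1KB
        if ($delta -gt $freeBytes) {
            Write-Warning ("Requested increase of {0:N0} MB exceeds free host memory of {1:N0} MB." -f ($delta / 1MB), ($freeBytes / 1MB))
        }
    }

    # Hyper-V can report an error after a partial change (see Notes), so do not
    # stop on error; continue and read the resulting values back.
    Set-VMMemory -VMName $VMName -StartupBytes $StartupBytes -ErrorAction Continue

    $vmAfter = Get-VM -Name $VMName
    [pscustomobject]@{
        VMName      = $VMName
        RequestedMB = $StartupBytes / 1MB
        PreviousMB  = $before / 1MB
        StartupMB   = $vmAfter.MemoryStartup / 1MB
        AssignedMB  = $vmAfter.MemoryAssigned / 1MB
    }
}

# Hypothetical VM name and target size.
Resize-VMMemoryAtRuntime -VMName 'File Server' -StartupBytes 8GB
```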

Unveiling new public previews for SQL Server 2016 and Azure Media Services, plus an update to StorSimple 8000 Series


As Microsoft innovation continues to accelerate, we’re eager to put our new technology in the hands of our users as quickly as possible. Today, we announced the availability of the SQL Server 2016 Public Preview. With this release we are making it easier for our customers to maximize their data dividends with new security features, advanced operational analytics, and hyper-scale.

The proliferation of data is a reality, and customers around the world are benefitting from our storage solutions by reducing costs and simplifying their IT environments. You can find out more about the latest innovation from our StorSimple team, the StorSimple 8000 Update 1, in this post.

Azure Media Services Live Encoding is also available in Public Preview today. The scalability and agility of the cloud empowers users to build end-to-end live video workflows. In a world that wants real-time coverage, this new cloud service is going to be a game changer for anyone that’s struggled to maintain the infrastructure required. Read more about building end-to-end workflows in the cloud.

In addition to data, storage and media services technology, we also released SQL Server 2014 Service Pack 1, Microsoft Power BI Content Packs, System Center 2012 & R2 Configuration Manager Service Packs and the Microsoft Intune May Service Update.

We look forward to hearing from you as you try out the previews and share your feedback.

Using PowerShell to Ping Test a VM


I have been spending some time creating PowerShell snippets to help when you need to troubleshoot / debug a Hyper-V environment.  Here is a handy one-liner that I recently created:

Get-VM "File Server" | Select -ExpandProperty NetworkAdapters | Select -ExpandProperty IPAddresses | %{Ping $_}

When you run this you get the following output:

As you can see - it gets every IP address from the specified virtual machine and attempts to ping that specific IP address.  This is a quick and handy way to see if a virtual machine is up and running.

Cheers,
Ben

Managing Azure Active Directory joined devices with Microsoft Intune


Today, Alex Simons published a great post on Azure AD Join and the benefits it provides. In this post, I’m going to look at how to join Microsoft Intune and the Enterprise Mobility Suite (EMS) to Azure AD to light up some amazing scenarios.

I can’t even count the number of times I’ve talked to customers about a future scenario where they are able to tell their mobile end users: “Here’s a stipend, now go to an electronics store and buy a device for work.” Another variation of that discussion is simply sending a factory-imaged device from your OEM to the end user, and then, through the power of an AAD account, the device can be business-ready in minutes. Neither of these dreams has ever come about – primarily because today devices have needed to come on premises to get imaged and domain joined. Because of the necessity of this on-prem step, IT has often had to buy and provision devices for the end user so that they can be properly managed and secured. Real costs and real delays in getting the device to the end user.

At long last, that future scenario is – finally! – nearly here. By joining a Windows 10 device to Azure AD it is extremely easy for end users to get the benefits of single sign-on, OS state roaming, and more (see the aforementioned blog post from Alex for more details). Another new (and incredibly powerful) part of joining Azure AD is the ability to automatically enroll the device in Microsoft Intune. From my customer visits, device enrollment is the single largest challenge organizations have in bringing mobile devices under management. We are trying to massively simplify this process and there is some great work that we have done in this area around Azure AD Join.

Imagine how this can work for you: Through the power and simplicity of a highly secure Azure AD account, users can immediately get access to corporate resources and the applications they need to be productive, while IT can be assured that those devices are secured for access (through Azure AD) and policy (through Intune) from the first minute of business life. Customers can also optionally choose to upgrade from Pro to Enterprise by simply passing a key through Intune. This means easily adding additional management (as afforded by the Enterprise SKU) simply by passing this key – there isn’t even a need to reimage!

Additionally, key access controls (like conditional access to e-mail and OneDrive through Intune enrollment, and compliance assessment) are all assured from the start of a device’s life! All the user has to do is enter their Azure AD account. It’s just that simple.

Here are two key scenarios that are going to simplify the lives of many IT Pros:

  1. New device out-of-the-box:
    Open the box and log in with your Azure AD account. This triggers enrollment into Microsoft Intune. Check out this blog for step-by-step screenshots of the experience.
  2. BYOD device:
    When the user needs to access a corporate document or resource they can add a workplace account. Doing this triggers enrollment into Microsoft Intune. This blog post has step-by-step screenshots and instructions.

Getting all of this set up is easy:


In the Azure AD administrative experience you just need to define:

  • MDM Enrollment URL for Intune so that devices know how to reach the MDM service
  • MDM terms of use URL, which is your customized disclaimer that our end users see prior to enrolling their device into management
  • MDM compliance URL, which is the Intune Portal where end users go to remediate if their device is blocked due to Conditional Access policies

I know what you’re thinking: “When should I consider joining Windows 10 devices to Azure AD?”

The answer is pretty simple: It comes down to choosing between Azure AD join + Microsoft Intune versus AD join + Group Policy + System Center Configuration Manager.

In Windows 10, the inbox management agent has been greatly enhanced to cover a myriad of new policy settings, but it will be a subset of what on-premises AD Group Policy provides today. I really like the approach Windows 10 took to smartly implement key policy settings via the inbox agent – and we also think that, for most customers, it won’t be an all or nothing decision. Instead, I expect it to be a choice based on the elements like the department, the specific job function, and other criteria.

Here are a couple of key questions to see if a device is right for Azure AD join or not:

  1. Do you have devices that only run cloud apps or apps being exposed through the AAD App Proxy? If so, Azure AD join is optimized for these types of apps.
  2. Is the Windows 10 MDM/Inbox agent functionality sufficient for managing the device and its apps? For example, the apps on a device do not require AD group policy for configuration settings. As you become more familiar with the capabilities built into the MDM channel in Windows 10 you’ll be able to make the call if those capabilities are sufficient.

If you answer “yes” to these questions – for either a subset or all of your devices – then you’re likely ready to deploy and gain the benefits of joining Windows 10 devices to Azure AD and Microsoft Intune.

You’ll definitely want to become more and more familiar with the new management and enterprise capabilities of Windows 10 (which are all exposed via the MDM/Inbox agent). Some of the new capabilities like Enterprise Data Protection, Certificate management, Lockdown policies, and Device Guard are exposed in this way. For organizations that are moving entirely (or mostly) to the cloud, AAD + Intune is a fantastic solution. Many of you will want to use these new capabilities with the SCCM capabilities you use today. We have built the MDM/Inbox agent to co-exist and interoperate with the SCCM agent on the same device for this purpose. I suspect this is how many Enterprise organizations will operate.

More to come in the next couple weeks!

 
