by Jenni Flinders, Vice President, Microsoft US Partner Group

Whether it is for business or pleasure, travel is a part of our lives. Last week, I was in Miami for a series of partner meetings, and today, I am in Los Angeles to meet with more partners. That’s the great part of my job. Not only do I get to travel, I get to meet with the backbone of Microsoft technology – our partners.

Smartphones have had a dramatic impact on the way we travel, putting more information at our fingertips that helps us manage our business trip, vacation, or weekend excursion. It got me thinking about the different apps I have on my Nokia Lumia 1020, and how much I rely on them when traveling. Here are the travel apps most dear to me: call it my app survival guide and check out these apps before you take your next trip.

Planning

• Fly Delta– Check in for your flight, manage baggage, view flight statuses, and more.
• Avis– Create or modify your reservation, view your receipt, and access Roadside Assistance.
• INRIX Traffic– Navigate the streets like a local, get real-time traffic data and traffic predictions.
• Weather (Channel)–Know what the weather is like at your destination so you can pack for it, and stay updated on any weather-related travel delays.

Entertainment

• OpenTable– Avoid the long wait for a table by viewing what restaurants have availability and book a reservation.
• UrbanSpoon– A must-have if you’re a foodie; get the scoop on the best places to eat in any given area for almost any type of food.
• LivingSocial– Find local deals for shows, events, and other activities to check out during your free time.
• Beats Music– Stop searching for a local radio station and connect with your favorite tunes wherever you are with Beats’ streaming music service.
• Wordament– Pass the time on your flight, or anytime, with this real-time continuous word tournament.

Business

• Skype– Stay connected to the office via voice, video and IM whether on Wi-Fi or cellular data.
• OneDrive– Access all of your documents across platforms and devices from anywhere.
• Office Mobile for Windows Phone– View, create and edit Word, Excel, and PowerPoint documents right from your mobile device.

Photography

• Instagram– Share photos from your trip, and add filters, through this social photography app.
• BLINK– Take a burst of images to capture the best shot, or make a small animated image from a series of shots.
•  ProShot– A must for picture aficionados that allows  you to set custom filters and settings for your phone’s camera.

These apps help me book and manage my travel arrangements, explore the best parts of the city I’m visiting, relax, get work done, and create some amazing photos to remember it all by.

What apps are part of your travel survival guide?
Connect with me on Twitter @Jenni_Flinders and share your ideas!

The Microsoft Windows Azure Pack (WAP) Service Management Portal may not retrieve cloud settings from Microsoft System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2) and you may receive the following error message:

Unable to retrieve clouds on VMM server 'SERVERNAME'. Please make sure the server name is correct and try connecting again.

For all the details and a resolution please see the following:

KB2935175 - The Windows Azure Pack Service Management Portal does not retrieve cloud settings (http://support.microsoft.com/kb/2935175)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Project Spark, which lets you build and share your own games, is now available in beta for Xbox One, for everyone. You can request a beta key by going to Project Spark’s website, or obtain an access code card from a Microsoft Store in your area.

The beta program lets creators use Project Spark’s developer-grade toolset on both Windows 8.1 and Xbox One platforms.

Since December, when the Project Spark beta was released on Windows 8.1 devices, more than 250,000 fans have signed up to take advantage of the game’s toolset to create custom adventures and unique worlds such as “Pinball Raid!,” “Blaze Jumper” and “Colour,” reports Xbox Wire.

Visit Project Spark to sign up. And, head over to Major Nelson’s blog for a Q-and-A with the Project Spark team to learn more about what you can create. There’s also more to read on Xbox Wire and the Windows Experience Blog.

You might also be interested in:

· Whoa, now THIS is a Batmobile! Check it out in first “Batman: Arkham Knight” trailer
· Muscle cars and speed demons part of Alpinestars Car Pack for “Forza Motorsport 5”
· Watch music videos using Xbox One’s Xbox Music

Suzanne Choney
Microsoft News Center Staff

This guide is meant to be a quick, fun guide to injecting drivers into a Windows image using a Surface Pro as an example target machine. I was unable to find a concise source of information on how to do this without getting an in depth lesson on the Windows ADK, or DISM, so I figured I'd introduce myself with a guide that I hope many will find helpful.

Before we get started, please make sure you are complying with the license agreement associated with the version of Windows you choose to work with.

What You'll Need

• Windows ADK (Assessment and Deployment Kit) - http://go.microsoft.com/fwlink/p/?LinkID=293840
• Windows ISO file - if you are a VL customer, grab this from the Volume Licensing Service Center (VLSC) or contact your procurement department
• Technician Computer (can be a virtual machine!) - where you will install the ADK and perform the actions listed below.
• Target Computer - in this case a Surface Pro 2
• Drivers for Target Computer - Since I'm using a Surface Pro 2, the firmware and driver pack can be found here: http://www.microsoft.com/en-us/download/details.aspx?id=38826

The one tool we'll need to use in the Windows ADK is DISM. We're not going to dive into any of the other components of the Windows ADK quite yet.

Getting Started

After installing the Windows ADK on your technician computer, you'll need to mount your Windows installation media and copy the install.wim file to a local directory. Windows 8+ has built in ISO mounting, though if you're on Windows 7, feel free to use your favorite ISO mounter (Virtual CloneDrive, Daemon Tools, etc.). In this example, the Windows 8.1 ISO is mounted to F:\. The install.wim file is located in the sources directory, F:\sources in this case. Copy the install.wim file to your local hard drive, I'm using C:\images to store the ISO, drivers, and install.wim file. 

The next step is identifying which version of Windows we would like to inject the drivers into. We're using a Windows 8.1 ISO, which contains two versions of Windows 8.1: Windows 8.1 and Windows 8.1 Pro. We'll be working with the Windows 8.1 Pro image.

On your Technician Computer, open the Deployment and Imaging Tools Environment as Administrator. To do this in Windows 8.1, press the Windows key, type deployment, select the Deployment and Imaging Tools Environment icon, and either right click and select "Run as Administrator" or press Ctrl+Shift+Enter. You should see a window that resembles the following:

We must first identify which edition of Windows we wish to work with. The following command will tell us more information about our install.wim file:

> Dism /Get-WimInfo /WimFile:C:\images\install.wim

In our case, we want to use Windows 8.1 Pro, Index 1.

In order to work with the WIM file, you'll have to mount it. Create a new directory for mounting your WIM, I'm using C:\images\wim_mount. Mount your WIM file with the following command:

> Dism /Mount-Wim /WimFile:C:\images\install.wim /Index:1 /MountDir:C:\images\wim_mount

Next, you'll have to collect the hardware specific drivers you wish to inject into your Windows installation. The Surface Pro Firmware and Driver pack includes everything we need and can be downloaded at: http://www.microsoft.com/en-us/download/details.aspx?id=38826. I extracted the driver package to C:\images\February2014SurfacePro2.

To inject drivers into the WIM file, use the following command:

> Dism /Image:C:\images\wim_mount /Add-Driver /Driver:C:\images\February2014SurfacePro2 /Recurse

You can also add individual drivers by omitting the /Recurse option in the command above and pointing it to a specific .INF file as such:

> Dism /Image:C:\images\wim_mount /Add-Driver /Driver:C:\images\February2014SurfacePro2/testDriver.INF

I always think it's a good practice to confirm that the drivers were added. Use the following command to get information on 3rd party drivers added:

> Dism /Image:C:\images\wim_mount /Get-Drivers

Once you've successfully injected the drivers and confirmed they're there, you must now commit the changes and unmount the WIM. The following command does exactly that:

> Dism /Unmount-Wim /MountDir:C:\images\wim_mount /Commit

Congratulations, you're (mostly) done! Now that you have a nice, new, driver-injected WIM file, you have options for deployment. You can throw it at your SCCM/WDS server and deploy it that way, or you could put it on a flash drive. I'll write up a quick blog post about preparing USB media for Windows installation as a follow up to this.

TL;DR

For those who don't want to read the wall of text above, here's the "too long; didn't read" version:

• Install Windows ADK
• Copy install.wim from sources directory of Windows installation media to local directory
• Open up Deployment and Imaging Tools Environment (DITE) as Administrator and enter the following italicized commands within the DITE window
• Figure out which edition of Windows you'd like to utilize and make note of the Index: Dism /Get-WimInfo /WimFile:C:\images\install.wim
• Mount the WIM file: Dism /Mount-Wim /WimFile:C:\images\install.wim /Index:1 /MountDir:C:\images\wim_mount_dir
• Extract drivers to local directory
• Inject drivers into offline WIM: Dism /Image:C:\wim_mount /Add-Driver /Driver:C:\images\drivers\ /Recurse 
  
• Confirm drivers were added: Dism /Image:C:\images\wim_mount /Get-Drivers
  
• Save changes to WIM and unmount: Dism /Unmount-Wim /MountDir:C:\images\wim_mount /Commit
  
• Add WIM to SCCM/WDS or prepare USB drive with new WIM file
• Install and enjoy
  

Additional Resources

Windows ADK Documentation - http://technet.microsoft.com/en-us/library/hh824947.aspx

Windows ADK Download - http://go.microsoft.com/fwlink/p/?LinkID=293840

Add and Remove Drivers Offline (DISM) - http://technet.microsoft.com/en-us/library/dd744355(v=WS.10).aspx

Surface Pro Firmware and Driver pack - http://www.microsoft.com/en-us/download/details.aspx?id=38826

Traveling doesn’t have to be a hassle, not when you have HERE Maps to help you get there. Now available for free from the Windows Store, this comprehensive app gives you dedicated city pages, detailed maps for major cities and directions (public transit, walking and driving).

With HERE Maps, you can save favorites to private collections after you’ve discovered great local hangouts – and pin those collections on your Start screen. Use the street level feature for panoramic views of more than 140 cities worldwide and explore as if you were already there. Download maps so you can navigate without having to worry about a pricey international data connection or being in Wi-Fi range.

Install HERE Maps from the Windows Store.

You might also be interested in:

• Don’t let this deal slip away: “Ice Road Truckers” now free in the Windows Phone Store
• Zillow update on Windows PCs and tablets improves searches and is more touch-friendly
• Find what you need on Superpages, now on Windows Phone

Athima Chansanchai
Microsoft News Center Staff

The Windows Embedded blog reports that the February 2014 Security Updates are now available on MyOEM for Microsoft Windows XP Embedded with Service Pack 3 and Windows Embedded Standard 2009.

This download includes cumulative database updates for the Windows XP Embedded and Windows Embedded Standard 2009 product development databases. This means that if you haven’t installed updates from previous months, you’re in luck – this one batch has all of those updates.

Find the full lists of security updates on the Windows Embedded blog.

You might also be interested in:

• Updated Embedded Lockdown Manager for Windows Embedded 8.1 Industry now available
• Free file transfer tool available if you’re moving from Windows XP to a new PC
• The business benefits of saying “goodbye” to Windows XP and “hello” to Windows 8.1

Athima Chansanchai
Microsoft News Center Staff

In a postTuesday over on the Windows Embedded blog, Senior Product Manager Partha Srinivasan provided new details around the update to Windows Embedded Compact 2013.

According to Srinivasan, intelligent devices have a number of unique requirements in order to function properly: low power needs, low resource requirements such as RAM/ROM, and multiple connectivity options.

“Microsoft’s solution to address these small-footprint devices is through Windows Embedded Compact, with better power management, the ability to run on a very small footprint and with low RAM, improved connectivity and networking features, and seamless connectivity to the cloud,” he reports.

For the rest of the story, head on over to the Windows Embedded blog.

You might also be interested in:

· Skype on Outlook.com now available worldwide
· Microsoft highlights mobile and cloud technologies for government at Federal Forum
· Convergence celebrates Microsoft’s customers

Jeff Meisner
Microsoft News Center Staff

The workplace has changed – we’re all more mobile and more social, and to stay competitive, small businesses need the right tools to compete. If businesses are running Windows XP or Office 2003 after April 8, they not only won’t have the right tools, but they run the risk of falling victim to malware because security updates and support for Windows XP and Office 2003 will cease.

That’s why it’s important for small businesses to upgrade their technologies to Windows 8.1 and Office 365 now, before April 8. Ending support doesn’t mean that as of April 8 Windows XP and Office 2003 will suddenly stop working. However, there will be no more security updates or technical support for Windows XP, which may lead to serious problems, including:

Higher costs and lower productivity.Reducing operating costs and improving employee productivity are among the top business priorities of small businesses. So it’s not surprising that 47 percent of small businesses said that lack of budget is a big reason they don’t replace older PCs, despite frequent issues and lost productivity (Techaisle, 2013). However, replacing older PCs and getting current on Windows and Office will likely cost less in the long run. According to the same report, small businesses are spending an average of $427 on repairs for PCs that are four years or older, not to mention hours of lost productivity while troubleshooting issues.

Exposure to security and compliance risks.Security is, of course, a huge concern for all businesses.Unsupported and unpatched computers are vulnerable to security risks. In fact, a recent report by Microsoft’s Trustworthy Computing team showed that Windows XP is five times more susceptible to viruses and attacks than Windows 8.1.

Lack of new apps. After April 8, app developers and independent solution vendors that build solutions for Windows XP won’t issue any updates for existing apps, and they won’t build new solutions either. In other words, whatever solutions are on your current Windows XP, that’s essentially it in terms of new features or other advancements. Your PCs won’t evolve with changing customer, market and competitive demands.

A recent study by Techaisle, a global analyst and research organization for small and medium businesses and channel partners, found that businesses using outdated technology on just three PCs spend an average of $1,683 a year on maintenance and upgrade costs above and beyond an up-to-date PC, and that an average of 42 hours of productivity is lost per employee, per year because of older PCs needing repairs.

“Technology has evolved rapidly over the past several years — hardware is cheaper, operating systems are faster, cellphones are smarter, cloud services are affordable and workforces are mobile,” said Thomas Hansen, vice president of Worldwide Small and Medium Business at Microsoft. “Small businesses using old technologies are missing an opportunity — from better protecting their data and reputation to being able to acquire and serve customers better. The good news is that upgrading to newer technology has never been easier.”

For tech-savvy and non-tech-savvy businesses alike, upgrading is easy — provided they know where to turn for help. Here are two ways to upgrade:

Find a technology partner: A partner, also referred to as an IT consultant or IT provider, can offer a tremendous amount of support to small businesses that need help deciding which device and software combination will best meet their needs. In many cases, a partner will also help businesses set up their new technologies and even train employees on the software tools.

To locate a Microsoft Certified Partner to help with technology upgrades, small businesses can:

• Contact their current IT provider.
• Request partner help from Microsoft’s Get2Modern website.
• Use Microsoft Pinpoint to locate a local technology partner that meets their needs.

Do-it-yourself: Tech-savvy small businesses can also upgrade their current PCs if they are compatible with the newer operating system and productivity tools. To find out if your current PCs will work with modern operating systems such as Windows 8.1, visit the Windows 8.1 website.

Alternatively, small businesses can download the Windows 8 Upgrade Assistant to see if their existing PCs can run Windows 8.1 and follow the steps in the upgrade tutorial— including backing up important settings and files — to install the new operating system. Once a small business has upgraded to Windows 8.1, it can choose the right Office 365 subscription to meet the needs of the business.

Microsoft also offers resources to help businesses safely transfer their files and data to their new devices, as well as free tools to help determine whether their applications will be compatible with the new technology.

For more information on the benefits of upgrading to modern technology, and help to do that, visit the Retiring Windows XP site, the Windows 8 Pro site and the Office 365 for Business site. There’s also more general information and resources on the XP end of support page, the Windows 8 Pro site and the Office 365 for Business site.

You might also be interested in:

· Free file transfer tool available if you’re moving from Windows XP to a new PC
· Support for Windows XP and Office 2003 ends April 8, 2014 — what’s next?
· Say goodbye to Windows XP and hello to more flexible and secure ways for health professionals to work

Suzanne Choney
Microsoft News Center Staff

Tim Tetrick

As you may have seen recently, SkyDrive Pro is now OneDrive for Business. 

OneDrive for Business is personal online storage for a company’s employees.  It’s the place where people can store, share, and sync their work files across multiple devices easily and securely.  With OneDrive for Business you can collaborate with others in real time right from within Office and edit documents from virtually anywhere via a web browser in real time using Office Online.  You can also access your files from native OneDrive for Business and Office Mobile apps (including Windows Phone, Windows 8, iOS, and Android devices).

At the SharePoint Conference 2014 in Las Vegas this week, Microsoft made some exciting new announcements regarding OneDrive for Business. 

Beginning April 1, 2014, OneDrive for Business with Office Online will be available for purchase as a standalone service.  Customers are already able to purchase OneDrive for Business as part of Office 365 plans and SharePoint Online plans, but this new standalone plan will make it especially easy for customers to get started using cloud storage and sharing.

The standalone offer gives businesses 25GB of storage per employee (with the option to purchase additional storage), offline sync and access from multiple devices and platforms, and a strong set of enterprise-ready administrative controls.  And when customers are ready for more Office 365 services, like business-class email or online meetings, it’s easy to add them.

For customers interested in the new OneDrive for Business standalone offering, Microsoft is announcing two promotional offers, beginning in April and running through September 2014.

• - Promotional pricing: $2.50 per user per month in all licensing agreements/programs (50% discount).

• - For customers with Office with SA or Office 365 ProPlus: $1.50 per user per month; agreement types included: Open, Enterprise Agreement, and MPSA.

Existing Office 365 customers do not need to take any action.  The new OneDrive for Business name and capabilities will automatically be reflected in their current service experience.  And more enhancements are on the way.  Several new capabilities will begin surfacing throughout this calendar year, including advanced auditing and reporting features, encryption at rest, data loss prevention (DLP), extensibility improvements, higher storage limits, and more!

To help your customers transition from the end of Microsoft support for Windows XP, Office 2003 and Exchange Server 2003 come April 8, the U.S. Partner team encourages you to check out the Get Modern with Windows 8.1 and Office campaign. It provides resources that will help you explain the benefits of modernizing your customers’ businesses by moving them to current versions of Windows, Office and Exchange.

The Countdown2Modern Checklist links you to information, resources and training that cover preparation, promotion, deployment and next steps – important as without security updates or support, your customers are vulnerable to malicious software and compliance issues.

Head over to the US Partner Team blog for more information.

You might also be interested in:

• Small businesses: Stay safe, get up to date before Windows XP, Office 2003 support ends April 8
• Manage your Office 365 rollout using Yammer
• New Reading View in IE 11 for Windows 8.1 lets you focus on content, without distractions

Athima Chansanchai
Microsoft News Center Staff

On Wednesday, Xbox Chief Product Officer Marc Whitten announced that the second, and more significant, system update for Xbox One is now rolling out. The update brings improved matchmaking, party chat and friends features that will make gaming on Xbox One an experience like no other.

“To me that means playing games like ‘Titanfall’ on the best multiplayer service on the planet, using a new headset or the one you already own, while live broadcasting your games on Twitch,” Whitten said.

For a list of what’s in the update, head over to Xbox Wire, and check out Major Nelson’s guided tour in the video above. 

You might also be interested in:

• Xbox One update gives you Bing Web search
• Respawn Entertainment releases two new trailers for Xbox One exclusive “Titanfall”
• App of the Week: Be part of every pass, shot and tackle in "FIFA 14" for Windows Phone

Steve Clarke
Microsoft News Center Staff

One of the most commonly used classes in SCOM is Microsoft.Windows.Computer from the Microsoft.Windows.Library management pack.  It has a number of properties including:

Microsoft.Windows.Computer

• PrincipalName
• DNSName
• NetbiosComputerName
• NetworkName

The property of NetworkName has caused me a lot of grief because some (poorly written?) management packs use it interchangeably with PrincipalName.  I'm not exactly sure how NetworkName is set or what its intended uses are.  But I have seen that it appears to be set inconsistently.  On most of my computers PrincipalName, DNSName, and NetworkName are all the same.  But on a few thousand of them, NetworkName matches NetbiosComputerName.

So, how do you know if you have the problem?  The most easy way is to check the SCOM database.

SELECT * FROM [OperationsManager].[dbo].[MTV_Computer] WITH (NOLOCK) WHERE [PrincipalName] <> [NetworkName] AND [NetworkName] IS NOT NULL

That should return zero rows.  If it doesn't, then you have computers where the NetworkName property doesn't match the PrincipalName, and may be at risk if you have management packs that assume they are the same.

Our most catastrophic problem was with the Hewlett Packard management pack, where discoveries and monitors liberally interchange NetworkName and PrincipalName.  But many other MP's make the same assumption.

Here are some examples of discoveries from the Windows 2008 R2 Remote Desktop management pack.

This one correctly uses PrincipalName.

This one makes the false assumption that PrincipalName and NetworkName are always the same.  I can say from experience, that they are sometimes, but not always the same.

So, what can we do about this?

My first suggestion is to avoid using NetworkName in our custom management packs as much as possible.  But how does that help us with the off-the-shelf management packs that make this dangerous assumption?

From what I can tell, NetworkName is only ever discovered once, right after agent installation.  So if you make a simple discovery to fix it, it should stay fixed.

A very simple solution is to use an unfiltered registry discovery, and just set NetworName to be the current value of PrincipalName.  Here is an example that I use:

      <Discovery ID="FixNetworkName.Discovery" Enabled="true" Target="Windows!Microsoft.Windows.Computer" ConfirmDelivery="false" Remotable="true" Priority="Normal">
        <Category>Discovery</Category>
        <DiscoveryTypes>
          <DiscoveryClass TypeID="Windows!Microsoft.Windows.Computer" />
        </DiscoveryTypes>
        <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.RegistryDiscoveryProvider">
          <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
          <RegistryAttributeDefinitions>
            <RegistryAttributeDefinition>
              <AttributeName>SystemKey</AttributeName>
              <Path>SYSTEM</Path>
              <PathType>0</PathType>
              <AttributeType>0</AttributeType>
            </RegistryAttributeDefinition>
          </RegistryAttributeDefinitions>
          <Frequency>21600</Frequency>
          <ClassId>$MPElement[Name="Windows!Microsoft.Windows.Computer"]$</ClassId>
          <InstanceSettings>
            <Settings>
              <Setting>
                <Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Name>
                <Value>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
              </Setting>
              <Setting>
                <Name>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/NetworkName$</Name>
                <Value>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</Value>
              </Setting>
            </Settings>
          </InstanceSettings>
        </DataSource>
      </Discovery>

After deploying this, a number of management packs started working correctly for us.  I'll attach the example MP to the blog post.

Happy Wednesday,

One powerful feature of Windows Azure RMS is BYOK or Bring-Your-Own-Key. This feature is quite popular among customers with stringent security requirements (or, as I often say, the cloud using but also cloud reluctant crowd). We've tweaked our BYOK to not require flying to Redmond anymore...and no, this has nothing to do with Delta's recent changes to their frequent flyer program ;) 

For those new to the BYOK offering, this feature allows Windows Azure RMS tenants to be in full control of their tenant key (the root of trust for RMS), and to 'pin their key' to a FIPS140-2 HSMs (hardware security modules). This feature is described in detail at http://technet.microsoft.com/en-us/library/dn440580.aspx.

Until now, for security reasons, the BYOK option has required tenants to fly to Redmond (where we are based) to import their key into Microsoft’s HSMs in person. Despite this requirement to visit us, the keys were still bound to HSMs in each of our main geographies: EU, US, or APAC. Said differently, though you made a trip to (rainy) Redmond, that requirement never did imply the keys would function with our US-based HSMs... something our friendly customers in the EU would prefer we not permit for someone obvious reasons. 

Today we're happy to say that we added a significantly simpler and completely self-service option for BYOK. The new toolset enables you to transfer your key, from your on-premise HSM to Microsoft’s (per-GEO) HSMs, over the wire. There is no need to fly to Redmond anymore. Also, there is no need to spend a few hours with our friendly Azure RMS operators to execute the key ceremony'. By the way, if the concept of a 'key ceremony' means nothing to you, here is a video of a somewhat historical one.

We did this work in collaboration with our HSM partner Thales E-Security and so they vouch that this process results in a secure transfer of the key from your on-premises HSM into our data center HSMs in a manner that maintains the root principle of us never being able to see or export your key. This is described in this white paper from Thales: https://www.thales-esecurity.com/knowledge-base/white-papers/hardware-key-management-in-the-rms-cloud

Other than this new mechanism to import your key, all other aspects of BYOK stay the same. That includes pricing -- it is free -- as well as pre-requisites, restrictions, how Microsoft uses your key once you upload it, and how you get usage logs for your key.

The new toolset is in preview. If you would like to participate in this preview, please send email to mailto:askipteam@microsoft.com to get started. 

If you want to stay in touch with us, follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam. 

 Cheers,

   Dan on behalf of the Rights Management team

~ Cedric Davies

In Windows Server 2012 R2, Hyper-V added a new type of virtual machine called a Generation 2 virtual machine. Generation 2 virtual machines introduce a number of changes over the prior, now called Generation 1 virtual machines. Generation 2 virtual machines remove a lot of the old hardware still being emulated in Generation 1 virtual machines, making it easier for Hyper-V to move forward with new features and improvements.

Some reasons you might want to give Generation 2 VMs a try are:

• Boot from SCSI attached storage
• Guest OS install from synthetic networking (much faster than using legacy networking)
• Faster boot time (on the order of one or a few seconds)
• New Secure boot feature (more information on this feature below)
• Larger boot volume (64TB vs 2TB)
• Online expand of boot disk
• Online add/remove of DVD drives
• Smaller security attack surface
• Less host resources consumed emulating devices
  • No floppy drive
  • No serial ports (possible to add back by advanced users through Hyper-V WMI)
  • No pass-through DVD
  • No legacy network adapter
  • No IDE controller

Generation 2 VMs may not be suitable for you if you require:

• Any of the emulated devices removed
• 32-bit guest operating systems
• Windows guests prior to Windows Server 2012/Windows 8
• RemoteFX support

Note also that Generation 2 VMs do not support the older VHD format although by now you are probably already using the superior VHDX format anyway. You can always use the Edit Virtual Hard Disk Wizard in Hyper-V Manager to convert between VHD and VHDX disks.

Generation 2 VMs use different system firmware than Generation 1 VMs. Generation 1 VMs use a PCAT BIOS (as have the majority of OEM PCs until recently) whereas generation 2 VMs use UEFI firmware. Some of the advantages listed in the reasons you might want to try Generation 2 VMs are a direct consequence of this change, such as larger boot volumes and the new Secure Boot feature. One of the major advantages of UEFI firmware is that it is written in a high-level language (as oppose to 16-bit assembler for the BIOS) which makes it much easier for the Hyper-V team to maintain and extend. And this is exactly what Hyper-V has done. By extending the UEFI firmware to be aware of software based (otherwise known as synthetic) devices, Generation 2 VMs support booting from synthetic network adapters or synthetic SCSI disks and DVD. Using UEFI firmware has an important consequence on the format of a VMs boot disk, which is a major ‘gotcha’ that you need to be aware of. For more on the boot disk format see the Boot Disks section below.

Ultimately the decision on whether to try using Generation 2 VMs is up to you. You should be aware however, that once you’ve made your decision, there is no option in VMM for converting a Generation 2 VM to a Generation 1 VM (or vice a versa). For a more in-depth look at generation 2 VMs, please see John Howard’s blog.

The rest of this article focuses on the changes made in VMM 2012 R2 to support generation 2 VMs. First thing to note is that in VMM 2012 R2, Generation 2 VMs are not supported when deploying VMM services or VM roles. Other than that, VMM 2012 R2 has full support for both creating Generation 2 VMs and for discovering Generation 2 VMs created outside of VMM.

Creating Generation 2 VMs

The Identity page of the Create Virtual Machine Wizard was modified to allow you to select which type of VM you want to create. When creating a Generation 2 VM just select “Generation 2” from the generation dropdown. This will do two major things: First, when you come to the Configure Hardware page you will notice that those hardware devices that are not support by Generation 2 VMs such as floppy drives, legacy networking and IDE controllers will not be present. Second, when selecting the destination host for the VM only Windows Server 2012 R2 hosts will be allowed.

Figure 1 - Creating a Generation 2 VM

Figure 2 - Hardware for a Generation 2 VM

Of course if PowerShell is your thing, the VMM New-SCVirtualMachine cmdlet has been updated to take a Generation parameter of either 1 or 2. You can thus create a Generation 2 VM from PowerShell like so:

PS C:\> $h = Get-SCVMHost

PS C:\> New-SCVirtualMachine -Name MyVM -Generation 2 -VMHost $h[0] -VirtualHardDisk $disk –Path “C:\MyVMs”

Once the VM has been created, it shows up in the VMM console window just like any other VM. If you want to check the generation of a VM you can do so from PowerShell by checking its Generation property:

PS C:\> Get-SCVirtualMachine MyVM | fl Generation

Generation : 2

Or you can open up its Properties window:

Figure 3 - Generation 2 VM Properties

Just like you can create a Generation 2 VM, you can also create a generation 2 Template or Hardware Profile. As with Generation 2 VMs, a Generation 2 Template or Hardware Profile will restrict you to only include the hardware devices that are supported by Generation 2 VMs. When it comes time to create a new VM from your Generation 2 Template, the Identity page of the Create Virtual Machine Wizard will not contain an option for selecting the generation because the generation has been automatically inherited from your Template. This implies that Generation 2 Templates can only be used to create Generation 2 VMs, and likewise, Generation 1 Templates can only create Generation 1 VMs.

Secure Boot

Secure Boot is a feature of the UEFI firmware specification used by Generation 2 VMs and supported by Hyper-V and VMM. Secure Boot uses a signature checking mechanism during the boot process to validate that only approved components are allowed to run. By default, Secure Boot is enabled for any new Generation 2 VM. It is a simple on/off property that can be modified via the Firmware settings in the VM’s properties dialog or via the SecureBootEnabled parameter of the Set-SCVirtualMachine cmdlet. Note that the VM must be off in order to modify this setting.

Figure 4 - Secure Boot

PS C:\> Set-SCVirtualMachine -VM $vm -SecureBootEnabled $true

For the most part, you won’t need to worry about this setting as you’ll likely want to always leave this option enabled which is the default. For more details on the inner workings of Secure Boot see here.

Boot Disks

Instead of a BIOS, Generation 2 VMs use UEFI firmware, a consequence of which is that the boot disk of a generation 2 VM must be GPT (Technically, the boot disk can be MBR or GPT, as long as there is an EFI system partition present with a boot loader, but GPT is strongly recommended).Generation 1 VMs, on the other hand, must have a MBR partition table, a requirement of its PCAT BIOS.

While not a problem when installing Windows (Windows will lay out the partitions on the boot disk in the correct format automatically), this does present a problem for those sysprepped boot disks you have stored in your VMM library. If you wish to create both Generation 1 and 2 VMs from these disks you will need to keep both an MBR and GPT version in your library. Unfortunately there is no feature in SCVMM 2012 R2 that will allow you to automatically know which disks are MBR vs GPT. To keep it straight, I would recommend that you use a consistent naming format for your disks, or keep the disks in separate library shares. One easy way for quickly telling if a disk is MBR or GPT is to mount it (right-click and select Mount) and then look at its properties from diskmgmt.msc.

Note that this discussion is only about the boot disk for the VM, non-boot disks can be either MBR or GPT for either generation of VM.

Figure 5 - Properties of a GPT disk

Boot Order

Another change with Generation 2 VMs brought about by the new UEFI firmware is a much more flexible boot order configuration. For Generation 1 VMs you would set the boot order from the options (CD, IDE Hard Drive, PXE Boot, Floppy). Generation 2 VMs, on the other hand, allow the boot order to be set among all of the bootable devices on the VM. For example, if your VM had two network adapters, they would each have an option in the boot order list. In addition to your VM’s bootable devices, any UEFI application running in the VM can create file boot entries and Windows will do exactly that during installation.

From the Hyper-V Manager UI you can see the full boot list order and make changes to it there. You can also make changes to the boot list order via the Hyper-V PowerShell cmdlets. See John Howard’s blog entry on boot order for more information.

Figure 6 - Boot List as seen from Hyper-V

In SCVMM 2012 R2 we allow you to view and modify only the first boot device of the VM via our PowerShell cmdlets. This covers most user scenarios, however if you need more fine grain control of the full boot order list you’ll need to use either the Hyper-V Manager or Hyper-V cmdlets. To get the first boot device of a VM, get its aptly named FirstBootDevice property (note that the previously used property: BootOrder, will be $null for a generation 2 VM):

PS C:\> $vm.FirstBootDevice

SCSI,0,0

In the case that the first boot device is a disk or DVD, the format will be “SCSI,x,y”, where x,y indicate the SCSI bus and location. In the case that the first boot device is a network adapter, the format will be “NIC,x”, where x is the 0-based index of the network adapter. In the case that the first boot device is a file entry, normally added by Windows on installation, the format will be “File,name”, where name is the file name. An example would be “bootmgfw.efi”.

By default, when creating a new Generation 2 VM, the first boot device is set to the first disk which will almost always be “SCSI,0,0”. As mentioned previously, during installation of the guest OS, Windows will change it to something like “File,bootmgfw.efi”.

In order to modify the first boot device, you can use the Set-SCVirtualMachine cmdlet passing the device to set as the first boot entry in the FirstBootDevice parameter. The parameter is passed a string formatted as described above. For example, if you want to boot from your NIC, you would set it as such:

PS C:\> Set-SCVirtualMachine -VM $vm -FirstBootDevice "NIC,0"

When a new first boot device is set, all of the other devices in the boot list are simply pushed down; nothing is actually removed from the list. If you want to remove entries from the list you will need to use the Hyper-V cmdlets. When booting, Hyper-V will go through each boot device in turn until one of them successfully boots the VM. Each failed boot device will generate a failure message at the console screen. For example, when I set my disconnected network adapter as the first boot device I see the message, “Boot failed. EFI network”. Assuming you set the device you want to boot from at the top of the list (or at least, only behind entries that fail to boot), the VM will boot up using your desired boot device.

Known Issues

Unfortunately software bugs are a fact of life and here is a known issue with Generation 2 VMs that exists in VMM 2012 R2:

Remember when I told you that Windows will create its own first boot device entry during installation? Well, if a user creates a Template from that VM, generalizing the VM’s boot disk in the process, we copy the first boot device of the VM to the Template verbatim. The Template now has as its first boot device an entry that doesn’t refer to any actual boot device for that Template. This might not normally be a problem because when a VM boots it will go through the entries in the boot order one-by-one until the VM boots. However, when you try to create a new VM out of this Template, VMM will try to set the first boot device of the VM to the file entry as set in the Template and fail with this error:

VMM cannot find the device or this device is not valid for a boot device

The work around is simple enough; after creating a Template from a VM, modify the first boot device of the Template to a valid device. For example:

PS C:\> Set-SCVMTemplate -Template $t -FirstBootDevice "SCSI,0,0"

Wrap-up

Generation 2 VMs are a new type of virtual machine in Hyper-V that come with their own set of advantages and disadvantages. They represent a new direction for Hyper-V, and with their reduced set of legacy devices and new UEFI firmware they provide Hyper-V with a break from the past. In the future there will likely be new features that depend on these changes, like Secure Boot, and hence will only work with Generation 2 VMs. Getting started with Generation 2 VMs today will set you up to take advantage of these features tomorrow. Ultimately the decision is up to you, but whatever you decide, you can rest assured that VMM 2012 R2 provides support for creating and managing your Generation 2 VMs (outside of VMM services and VM Roles).

I hope that you have found this post helpful. Please feel free to submit feedback at the bottom of this post and/or ask questions on the VMM forums. Also, make sure to visit the VMM 2012 R2 TechNet Library.

Thanks for reading!

Cedric Davies | VMM Developer | Microsoft

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Skype is joining LitWorld, an international nonprofit organization advocating for literacy, to celebrate World Read Aloud Day Wednesday.  Skype in the classroom  has gathered a global community of guest authors who will connect with students and teachers through video calls to share their love of reading.

Some of the authors that teachers will bring their classrooms through Skype include: Kate DiCamill (“Flora & Ulysses”), C. Alexander London (the “An Accidental Adventure” series), Ridley Pearson (“Peter and the Starcatchers”) and Melissa Guion (“Baby Penguins Everywhere!”).

In 2013, LitWorld reached 65 countries and more than a million participants.

Students will have a chance to learn about the writing process and ask questions about the characters in the stories. You can find authors and guest speakers on a variety of topics on the Skype in the classroom website, along with teacher profiles. If you are a teacher and not a member of Skype in the classroom, sign up for free to get to these resources.

Head over to the Skype Social Good blog to find out more.

You might also be interested in:

• Skype on Outlook.com now available worldwide
• Are you a rule-breaking entrepreneur? Celebrate with Skype and be recognized
• Find out how to make the most of Bing for Schools, including getting free Surface RT tablets

Athima Chansanchai
Microsoft News Center Staff

Summary: Use Windows PowerShell to discover the tasks that are associated with your scheduled jobs.

 How can I use Windows PowerShell to discover the scheduled tasks that are associated with my scheduled jobs?

 In Windows 8 or Windows Server 2012, use the Get-ScheduledTask cmdlet:

£> Get-ScheduledTask -TaskName test1 | Format-List TaskPath, TaskName, State

TaskPath : \Microsoft\Windows\PowerShell\ScheduledJobs\

TaskName : Test1

State    : Ready

On earlier operating systems, you need to look in the Task Scheduler, I’m afraid. 

Hotfix Package 1 for Microsoft Application Virtualization 4.6 Service Pack 3 is now available for download. It contains the latest hotfixes for Microsoft Application Virtualization 4.6 Service Pack 3 (App-V 4.6 SP3). To see what’s fixed and get a download link please see the following:

2897394 - Hotfix Package 1 for Microsoft Application Virtualization 4.6 Service Pack 3 (http://support.microsoft.com/kb/2897394)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

On Saturday July 13, 2001, Microsoft was alerted of a nasty piece of malware called “Code Red.”  In just two weeks, ABC News reported that the Code Red worm had infected more than 300,000 Windows computers around the world.  When the news broke, it was like something straight out of a Tom Clancy novel.  Microsoft learned early on that if it was going to succeed at building trust with its customers, it could not make security an afterthought when developing its products and services. 

So how do you get a large organization like Microsoft to prioritize security with thousands of developers, writing millions of lines of code?  How do you get everyone marching toward the same goal? 

We spent time with some of the people behind the scenes in security at Microsoft to discuss their journey and how they helped to fundamentally shift the culture within Microsoft.

Now you can get the never-before told inside story on Microsoft Security: www.sdlstory.com

On Saturday, July 13, 2001, Microsoft was alerted to a nasty piece of malware called “Code Red.” In just two weeks, ABC News reported that the Code Red worm had infected more than 300,000 Windows computers around the world. When the news broke, it was like something straight out of a Tom Clancy novel. Microsoft learned early on that if it was going to succeed at building trust with its customers, it could not make security an afterthought when developing its products and services.

So how do you get a large organization like Microsoft to prioritize security with thousands of developers, writing millions of lines of code? How do you get everyone marching toward the same goal?

Some folks here recently spent time with a few of the people behind the scenes in security at Microsoft to discuss their journey and how they helped to fundamentally shift the culture within Microsoft.

Now you can get the never-before told inside story on Microsoft Security.

You might also be interested in:

· Be a game developer using Project Spark, now in global beta for Xbox One
· Find what you need on Superpages, now on Windows Phone
· Watch music videos using Xbox One’s Xbox Music

Posted by Jeff Meisner
Editor, The Official Microsoft Blog