HP Elite X3

January 23, 2017

Hello,

Christmas and New year is a great time, we all recieve gifts and make lots of promises for the new year that has arrived. So I recieved a Elite X 3 for testing and promised myself to really focus on nwow in 2017. This means limit travel as much as possible,replace face to face meetings with technology if the situation allows it and follow a schedule that “works” meaning professional activites will be performed outside of business hours if required . Time to unwrap …

The box is shiny, the material looks solid, nice. The hardware of the X3 is really impressive, fast, has 64 GB of storage, 4GB of RAM, 8MP hello enabled camera, fingerprint reader and dual sim. It uses USB 3.0 type C connector for the docking.

clip_image002

The docking has Displayport, USB, RJ45 connection and kensignton lock.

clip_image004

The setup of the continuum is pretty much like a normal Windows 10 setup.

I’ve setup the device using my work account gino.dhoker@realdolmen.com and after verification with the Microsoft Authentication app the device was correctly registered. Then I’ve added my personal hotmail account.

From time to time you’ll get the message that some apps are not supported yet… So it will open on the smaller phone screen instead of on the external monitor.

The goal is to verify if I can really work with just this device the elite X3 , I’ll test for one week but I’ll hold my Revolve 810 as a backup ! I am really curious to know if the continuum can step up to this. Keep in mind that you cannot run legacy Windows Aapplications on the Continuum platform.

For starters I must say that the phone itself is pretty big compared to my regular Nokia and if you want to do some work on the road you’ll need the additional Laptop dock : https://www.microsoftstore.com/store/msusa/en_US/pdp/HP-Elite-x3-Lap-Dock/productID.5069318900

Okay here we go …

Bummer one … The citrix app is not working in continuum mode … This means that the vdi connection is showed in the screen of the mobile device making it completely useless. HP Workspace has got a service that can solve that issue http://www8.hp.com/us/en/business-services/computing-services/workspace.html

clip_image006

For the rdp connections there is a “Microsoft Remote Desktop Preview” App available in the store that looks ok, as a replacement for the desktop variant “remote desktop connection manager”.

clip_image008

Office : you can only use the mobile version of office for now.

clip_image010

Biometric security : really impressive !

I must say that the Windows Hello and the iris camera work very well. As soon as you activate the feature it works like a charm.

clip_image012

Go through the setup and as soon as you lock the screen you’ll notice the friendly looking for you icon. If you move in front of the camera you’ll be recognised and the device will unlock automatically.

 

clip_image016clip_image018

Same for the fingrprint reader … Go through the wizard for setting up

clip_image020

Touch the sensor with at least one finger and from different angles.

clip_image022

And that’s it … You can now unlock the device using your fingerprint.

So I must say a good start for 2017 !

Enjoy .

Gino D


Quick Tip ! Bitlocker Pin screen gone !

January 11, 2017

 

Hello,

We recently used a partners’ deployment services in order to prestage approximately 5000 laptops for a windows 10 deployment. Today we recieved our first shipment from the factory and we started one in full confidence.

After all the image had been validated on site, everything worked there except for our part 2 sccm task sequence that we use to finish up some minor issues and enable bitlocker.

So all went well, machines booted, startup scripts worked, part 2 was recieved and executed by the client.

But wait … We were expecting to see this after boot

clip_image002

But instead we saw this…

clip_image004

Now this really a tricky issue because it took some time before we realized that the screen was actually there but we did not see it, so if you wait then the machine just shut down.

Ok so now for the solution :

On the machine run bfsvc.exe %windir%\boot /v

Reboot the device and it should be ok.

What probably happened is that some of the fonts that are on the UEFI boot partition are corrupted and result in the “blue” screen, the command bfsvc.exe copies the required files from windows\boot to the required partition.

Saved our day !

Some refs : https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/bitlocker-pin-pre-boot-screen-empty/f985c4f6-dd71-4586-bd46-50f513432bb3?page=1

Enjoy

Gino D

P.S. We were unable to execute this command in the task sequence environment so we had to run it during our startup script.


SCCM – Deploy Unknown Computers with Assettag as computername

January 5, 2017

Hi,

In a recent Windows 10 deployment project (with SCCM) a customer of mine wanted to use the Serialnumber as the computername within Active Directory. The customer is using Unknown Computers so they don’t the need to import them first. Also there was the need to identify if a computer was a desktop or laptop, this was needed to make sure the computer was joined in the right OU depending of that type and to make sure Bitlocker was only applied to laptop computers.  To provide this functionality I’ve created a vbs script:

Part 1: Set Computername variable

Set objOSD = CreateObject(“Microsoft.SMS.TSEnvironment”)

Set SWBemlocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objWMIService = SWBemlocator.ConnectServer(strComputer,”root\CIMV2″,UserName,Password)
Set colItems = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)

For Each objItem in colItems
strOSDComputername = objItem.SerialNumber
Next

objOSD(“OSDComputerName”) = strOSDComputerName

The variable OSDComputerName is a default task sequence variable. Therefore no further actions need to be taken in the task sequence to make sure it is used to name the computer.

Part 2: Set Chassis variable

Set colChassis = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)
For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType

            Case 3
                  StrType = “Desktop”
            Case 4
                   StrType = “Desktop”
            Case 6
                   StrType = “Desktop”
            Case 7
                  StrType = “Desktop”
            Case 8
                StrType = “Laptop”
            Case 9
                 StrType = “Laptop”
            Case 10
                  StrType = “Laptop”
            Case 11
                  StrType = “Laptop”
            Case 12
                   StrType = “Laptop”
            Case 14
                  StrType = “Laptop”
            Case 15
                  StrType = “Laptop”
            Case Else
    StrType = “unknown”
            End Select
    Next
Next

objOSD(“Chassis”) = StrType

The variable “Chassis” can now be used like any other task sequence variable to make sure certain steps only run for a laptop or desktop.

Save the above codesnippets into a vbs file and create an SCCM package containing the script.

Afterwards add a “Run Command Line” step to the task sequence, provide the package details and the following command line: cscript.exe “…vbs”

That should do the trick.

Obviously this is one solution among others, there are many other ways to accomplish the same but this seemed the easiest to me.

A little remark: When reinstalling a computer with Bitlocker enabled, make sure the Run Command Line step is located after the partition disk step, otherwise the script will fail as WMI cannot be accessed from WinPE. I’ve experienced this the hard way.

Hope this helps!

 

Best regards,

Bert

 

 

 

 

 

 

 


Quick Tip ! GPO delay Windows 10 DA

December 8, 2016

Hello,

We discovered in one of our customer environments that there was a long delay at computer startup time with Windows 10 build 1607.

Now we had an acceptance environment where the issue did not occur, only difference was that DA was enabled at production site and not at the acceptance environment.

So we activated verbose messaging using :

Computer -> Admin Templates -> System

clip_image002

… This revealed a 60 second timeout during startup : waiting for workplace connectivity.

A quick lookup revealed a default one minute wait time for connectivity before processing gorup policy. So we modified the following policy :

Computer -> Admin -> System -> Group Policy

clip_image004

This resulted in a much quicker computer startup.

Enjoy.

Gino D


#RMS in Azure

December 6, 2016

 

Hello,

Today we’ll run a RMS scenario in our demo office 365 environment. RMS provides the ability to restrict certain actions to documents ( office and other ) depending on the authenticating user by encrypting the required files. This way you can share confidential data in an easy way and make sure only the allowed persons can perform some actions with the documents.

You can find a clear overview here ( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms )

clip_image002

What is Azure Rights Management? | Azure Information Protection

https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms

 

Now, we’ll start by enabling the feature on a limited group.

Step 1 : we’ll limit the usage to a test group so we’ll use the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service

We have downloaded and installed the required Azure AD Rights Management Administration toolset.

clip_image004

Hmm. Apparently we need the MS Online Services Sign-in assistant first.

https://support.office.com/nl-nl/article/Microsoft-Online-Services-aanmeldhulp-opnieuw-installeren-6f295d05-ae37-4054-8faf-c89dd48d1827?ui=nl-NL&rs=nl-NL&ad=NL so download and install.

Ok straightforward setup of both components.

clip_image006

Now let’s create a test group that will be used in order to validate the RMS functionality. In this case we create a azure security group.

clip_image008

You’ll need to install the azure AD powershell module in order to retrieve the id of the group.

See : https://msdn.microsoft.com/en-us/library/jj151815.aspx

Then run some commands in order to retrieve the required ID.

clip_image010

Now we can set the RMS feature active for a specific security group and only if the user has the correct

PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf

WARNING: The tenant user on-boarding control policy will be updated by this operation.

license assigned.

clip_image012

Verify the result by using get-aadrmonboardingControlPolicy

clip_image014

Ok done, now let’s add our test user to the group.

clip_image016

And let’s add the required license to our user. In this case the allready assigned E3 license covers RMS ( see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608 )

clip_image018

And enable it !

clip_image020

You can now check the status by using portal.azure.com -> Rights management status

clip_image022

If you click through you’ll see that there are 2 templates allready published

clip_image024

On the client device download and install the rights management sharing application for Windows. This application is available for multiple OS’s.

clip_image026

Set it up

clip_image028

All went well

clip_image030

Now if you create a word document and save it then you can use explorer to add RMS based security to this document

clip_image032

If you use the protect in place option then you will see that the client will download the policies from the RMS system and then present the options to use these templates ( 2 templates are created by default )

clip_image034

As soon as the document is protected you’ll see the RMS banner if you open the document in Word.

clip_image036

Now you can also share the content in a secure way, this will create a secured attachment with specific rights included

However when I tried to share it with an external user with commercial email ( @hotmail / @gmail / … ) this will not work ( yet, this functionality will be implemented in a next version of the product )

clip_image038

But you can share it with other ( non commercial ) email addresses. Now there are 2 possbilities :

-> The recipient already uses an azure service so it has a azure active directory and can authenticate

-> The recipient does not already use an azure service so it needs to be enrolled in Azure ad in order to be able to authenticate

The user can use this link ( https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up )

Once done you can track usage etc by using web link ( the specific link will be added to your email message )

clip_image040

Additional info and faqs can be found here : https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

Overall some great functionality at your fingertips !

Enjoy.

Gino D


Windows 10 Enterprise IE11

November 6, 2016

 

Hello,

Windows 10 is great but there are some annoyances in an enterprise environment discovered. For example we deploy the Windows 10 to an environment where IE11 is the standard browser so we don’t want to confuse the user with the default edge icon.

You know this one

clip_image002

We can set the default browser and file type associations on a reference machine and export them by using dism /online

clip_image004

And we can import the again using the same toolset, no problem here.

But as soon as a user logs in a windows 10 device he/she gets a default profile and gets the edge and store icon attached to the quicklaunch bar.

Now there are several solutions for this :

-> We can script ( but we don’t want to do that , it starts simple but it ends up being a complete bible )

-> We can modify the default user profile ( copyprofile setting in unattend.xlm doesn’t add the quicklaucnh icons so this would be hardcoded in our default user profile, we don’t like that either)

-> We can use preferences ( it can be centrally managed and we can modify afterwards, not perfect we’ll explain but this is the best option for me )

What do we need :

Well actually 3 things , you’ll see that if you manually modify the quicklaunch bar and add icons to it using the explorer like this ( pin to taskbar Option )

clip_image006

There are 2 modifications : first a change in registry ( HKCU\Software\Microsoft\Windows\Current Version\Explorer\Taskband ) and second a link file that is created in %appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar)

clip_image008

So we’ll create a preference that performs the required actions :

Step 1:

Copy the icons of Office 2013 to the quicklaunch location

 

clip_image010

Copy them from the default startmenu location to the quicklaunch.

Step2 :

Create the shortcut for iexplore (X86 )

clip_image012

Step 3 :

Import the required registry keys

clip_image014

Et voila … Correct quicklaunch icons set.

Now we use an item level targetting so the settings only apply @ a windows 10 device because we have a mixed environment. Now the goal is to use the set once and do not reapply for these settings so they are only applied once but we noticed that when a user gets a new profile the registry settings are not applied the first time so we had to abandon that idea meaning the quicklaunch icons cannot be modified by the user as during logoff/logon they will be back set to default.

We have a call open to investigate the issue further.

Enjoy

Gino D

 

Update better ways available since 1607 : https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-taskbar


Endurance test Revolve 810

October 19, 2016

 

Hello,

Looking back I was very enthusiastic when I first recieved my HP Elitebook Revolve 810 ( 1st generation ).

This was way back in 2013 and a number ( read a lot ) of similar devices have been rolling into the market since then.

But let’s have a look at how the revolve looks now after over 3 years of intense use. And I mean intense as the device travels with me each day to a customer site and back.

The exterior :

clip_image002

-> Some edges show some chipped pieces but no “real” damage

clip_image004

-> Some minor scratches on the front due to “heavy” usage

clip_image006

-> It is still a catchy, elegant and stable device

So overall the device holds out ok.

The interior :

-> Well even according to today’s standards the device still performs ok, Windows 10 was a big improvement in terms of battery usage and even day to day operations like office perform faster compared to Windows 8.

-> I mainly use it in laptop mode, occasionally I read some items in tablet mode.

-> I use the mobile broadband connection quite a lot, the wireless projection to devices from time to time.

-> I don’t really use a stylus, somehow I prefer typing in onenote over writing with a pen.

The rest :

-> I boot using UEFI, secure boot and the device is encrypted by bitlocker.

-> For now it is Azure ad connected and I log on using my company credentials although that’s not really device related.

-> 2 available USB ports are a minimum but at certain sites I use external display, usb docking keyboard and mouse.

-> I update HP drivers and firmware regularly using HP utilities

The issues :

-> Well there were some issues with the fan. Now this is a “known” issue with this model so the fan was replaced and together with the latest chipset this has improved the spinning noise of the cooling a lot.

http://h30434.www3.hp.com/t5/Notebook-Hardware-and-Upgrade-Questions/HP-Revolve-810-Noisy-Fan/td-p/5063770

What I would like to see added :

-> Some kind of biometric authentication ( fingerprint or Windows hello capable camera )

-> more energy efficient processor or more battery power , no matter how much battery you have you always run out at a bad time 🙂

Enjoy

Gino D