Windows Enterprise Desktop

May 18, 2016  2:54 PM

Fingerprint Reader Requires PIN

Ed Tittel Ed Tittel Profile: Ed Tittel
Fingerprint authentication, Windows 10

Here’s an odd fact of Windows 10 life: MS has made much of Windows Hello for biometric identification including support for fingerprint readers at login. But if you try to set up Windows Hello on a properly equipped PC, you must first define a personal identification number (PIN) as an alternate login technique to supplement your password, before you can access the Windows Hello capabilities (including fingerprint set-up). That’s right: using a fingerprint reader requires PIN login in Windows 10! Otherwise, you may beat your head against the wall for some time before figuring out that something is missing from the PC local set-up. Here’s an illustrative screen cap from Settings –> Accounts –> Sign-in options from my Surface Pro 3 tablet, equipped with a Type Cover with Fingerprint Reader.

fingerprint reader requires PIN

The proximity of PIN and Windows Hello is apparently no accident here!

No PIN, No Hello: Yes, Fingerprint reader requires PIN login!

In reading over a variety of forum posts at TenForums and recently, this point was forcefully brought home to me. I had dithered about with the new Type Cover when I purchased it late last year, but it didn’t dawn on me until seeing those posts that it is apparently impossible to take advantage of Windows Hello (whatever biometric device you might choose to use) without first creating a PIN as an alternate login method.

Fortunately, this is easy to do. Click your way through the Settings –> Accounts –> Sign-in sequence in Windows 10. If you haven’t defined a PIN on the current PC, you’ll see a portion of the UI that looks like this:


A PIN is a string of numbers (usually 4 in count).

Once a PIN has been defined, the fingerprint or other biometric devices will show up and you can start configuring and using them. Go ahead, knock yourself out!

May 16, 2016  10:40 AM

Get Top Win10 Deployment Issues Info

Ed Tittel Ed Tittel Profile: Ed Tittel
Deployment tools, Windows 10, Windows Deployment Services

Last week, Microsoft Support released an article to TechNet that details “Top Support Solutions for Windows 10.” While many of them apply to power users and IT professionals alike, there are several categories of information aimed directly at IT professionals facing or contemplating larger-scale Windows 10 roll-outs. These should be of great potential help to those looking to avoid the top Win10 deployment issues that MS Support has already encountered.

top win10 deployment issues

The banner from this 5/3/16 TechNet article says it all.

Here’s a snapshot of the relevant content with links to details about top Win10 deployment issues, straight from that source (numbered items are renumbered in sequence for readability):

  1. Solutions related to inability to activate Windows:
  1. Solutions related to installing Windows updates or hotfixes:
  1. Solutions related to common setup, installation, and deployment issues:
  1. Solutions related to Windows Volume Activation:

List Items from Top Win10 Deployment Issues of Interest to IT Pros

In particular, the entries under items 3 and 4 are likely to be of great interest to those IT Pros inclined to work with the Microsoft Assessment and Deployment Toolkit (ADK) and/or who face potential issues related to volume licensing and activations via a Key Management Server (KMS) for Windows 10 Enterprise. These items also point to important documentation related to the ADK, and should help IT Pros get a running start into planning for, piloting, and eventually rolling Windows 10 out into production. Please take advantage of this opportunity to gain insight from the folks at Microsoft support about the top Win10 deployment issues they’ve already been asked to help out on by early adopters.

May 13, 2016  12:26 PM

Old Hardware Makes USMC Hit Win10 Update Snag

Ed Tittel Ed Tittel Profile: Ed Tittel
DOD, Large-scale deployments, Windows 10

In Q4 2015 Terry Halvorsen, the Chief Information Officer for the US Department of Defense decreed that all branches of the military needed to migrate to Windows 10 by Q1 2017. As it often does, the US Marine Corps (USMC) volunteered to go first in this effort. In all the DoD has around three million desktops (including both physical and virtual  machines) to update, so it made sense for the smallest of the four major military branches (Army, Navy, Air Force, and Marines) to go forth as a kind of initial pilot group anyway. Alas, along the way the USMC found that it encountered an unexpected Win10 update snag: the target hardware platforms lag far enough behind current technology that remote, unattended upgrades have proved more problematic than initially projected.

USMC hits Win10 update snag

Older hardware makes no-touch Windows 10 upgrades less likely to succeed.

As reported in a May 12 story from entitled “Outdated hardware snags Marines’ migration to Windows 10” the service found that only about 10 percent of its computers were amenable to remote, no-touch upgrades to Windows 10. They had been expecting that this approach would work with somewhere between 60 and 70 percent of the computers on the Marine Corps Enterprise Network (MCEN). Thus, this result comes as something of an unpleasant and potentially expensive surprise. In proffering an explanation for the Win10 update snag at a meeting of the Washington, DC chapter of the AFCEA, USMC CIO Brigadier Dennis Crall said:

Our challenges are with hardware, and hardware that is older than a couple years is having more difficulty accepting Windows 10 than hardware that is new. And when you look at what ‘new’ means within DoD, we purchase yesterday’s technology tomorrow. A lot of our brand-new systems are having difficulty with the upgrade as soon as they come out of the box, and we didn’t anticipate that.

What’s Causing the Win10 Update Snag?

I’ve got to give General Crall credit for the wonderful tagline bolded in the preceding quote (emphasis mine), but this upgrade effort faces serious problems for several reasons:

  • Increasing the level of human interaction means more time, effort, and expense in achieving the overall upgrade. Add more expense for refreshing those machines that remain unable to be upgraded despite the added effort.
  • The services now have to juggle the cost of the added expense for human effort against the costs of purchasing newer Win10-ready hardware. In cases where the cost of effort surpasses that for new gear, it makes more sense to “buy up,” but that was clearly not part of the original budgetary equation.
  • Some upgrades will not be able to exploit all of Windows 10’s advanced security features (for example, only UEFI machines can use Secure Boot and only machines that support the latest virtualization features can use Credential Guard). This means not all upgraded machines — especially older ones — may not be able to comply fully with the DoD’s “secure host baseline.” This is a common set of security configurations across the many millions of PCs under its aegis. Making exceptions for security poses well-known problems, too.

Virtualization appears to offer a partial remedy to the Win10 update snag. Bill Marion, deputy CIO for the Air Force, questions the need for thick clients for all circumstances, and observes that “the cost of a traditional desktop and office software and the security that goes around that is pretty expensive.” The USAF is pondering more use of “mobile devices[s] with a containerized cloud application [that is] lightweight, better encrypted, [and] easier to defend” as a possible alternative, he says. Admittedly, virtualization is better suited for what he describes as a “garrison environment” but native hardware appears better suited for the “tactical environment” for field operations. This approach could provide some much-needed relief for the services upgrade effort, though, and let the military concentrate on hardware upgrades where they could do the most good and create the greatest impact for the expense involved.

In general the military seems convinced that Windows 10 is a much more secure OS than earlier Windows versions, and fairly eager to get to that platform so as to benefit from what Halvorsen calls “security baked in from the beginning.” He remains positive that 80-plus percent of the DoD’s laptops and desktops will meet the January 2017 upgrade deadline, because most of them reside in offices on military bases and are managed through the Navy-USMC Intranet or the Air Force AFNET. The remaining 20-odd percent is another story, and may have to stay where they are on waiver status for years because they are integrated into weapons systems that might be at sea, are outside the USA, or are engaged on active military service missions. Thus, for example, the Navy has shipboard platforms still based on Windows XP that probably won’t be upgraded for years to come. Let’s hope that such systems never get exposed to external penetration attempts! But that means the Win10 update snag appears poised to persist for some time for specific hard-to-upgrade systems.

[Note: thanks to Cluster Head at who brought this story to my attention: Danke Schoen, mein Freund!]

May 13, 2016  9:30 AM

What’s the deal with HCI for VDI?

Margaret Jones Margaret Jones Profile: Margaret Jones

The converged and hyper-converged infrastructure markets have gotten a lot of lip service lately, especially with respect to supporting VDI deployments.

There are several reasons hyper-converged infrastructure (HCI) could be the right choice for companies looking to deploy virtual desktops. Hyper-converged platforms offer tightly integrated storage, networking and compute that are software-defined and tailored to run virtualization workloads. They also come with a management interface that can help IT administrators deploy, control and troubleshoot virtual desktops. All these advantages make it fast and easy to deploy VDI quickly, and shops can add more components as their deployments grow. And when all the pieces come from the same vendors, companies can rest assured that they’ll work together well, and there’s one throat to choke when something goes wrong.

But for shops that have already deployed VDI, investing in an HCI stack might not be the smartest or most cost effective choice. If there’s an opportunity to repurpose the servers and other hardware that used to support VDI when a business brings in HCI, then it could be worth it. Otherwise, companies could end up with a shiny new stack to support VDI while the old servers collect dust. Additionally, there are some personnel changes—and potential challenges—that admins should prepare for. HCI unites disparate hardware, so companies often find that they need fewer people to manage their new systems.

There are a lot of moving parts to consider and options to weigh. Deciding whether to deploy HCI goes beyond the question of use case. Companies must also consider which vendor to buy from. Get started with the decision making process with our three-part guide to hyper-converged infrastructure for VDI, VDI Hums on Finely Tuned Hyper-Converged Infrastructure.

May 11, 2016  9:53 AM

DISM Exports Drivers: Here’s How

Ed Tittel Ed Tittel Profile: Ed Tittel
Device drivers, DISM, Windows 10

As I learn more about the built-in Windows command line tool for Deployment Image Servicing and Management, aka DISM, I’m always amazed at its many capabilities. As anybody who’s upgraded Windows installations knows, Windows sometimes fails to produce the right device drivers during that process. As it happens, DISM can help with that. You can use the utility to export all of the current drivers to a folder on another storage device before performing the upgrade, then return to that folder once the upgrade is done to recover drivers that Windows may not have been able to supply on its own. Experts recommend using a USB flash drive for this purpose, but any Windows-compatible storage device will do. When DISM exports drivers it references their OEMnn.inf files as stored in the Windows DriverStore folder though, so you may also want to use a tool like DriverStore Explorer (RAPR.exe) to map those arbitrary names to specific devices and the drivers that go with them.

Syntax Details When DISM Exports Drivers

Here’s the syntax for performing this action:

dism /online /export-driver /destination:R:\DriversW10.1511.218

Let me explain a little more about what’s going on when DISM exports drivers, in list form:

  • The /online switch tells DISM to work from the windows image that’s currently running
  • The /export-driver switch tells it to grab the contents of the DriverStore folder in Windows. Its complete path is C:\Windows\System32\DriverStore.
  • The /destination switch tells DISM where to write the drivers it finds in DriverStore. Note that the R: identifies the drive to which I wrote those files for this example on my PC. You’ll need to change it to target your chosen destination instead. Note further that the folder into which the drivers get written — DriversW10.1511.218 identifies Windows 10, Version 1511, Build 218 — must exist for DISM to do its thing. That means you must create it yourself in advance before running this command.
  • Don’t forget to launch DISM from an administrative prompt (“Run as administrator”). Otherwise, it won’t work.
  • You might also run RAPR to produce a list of all the OEMnn.inf files in DriverStore,  and the devices to which they correspond. Take a screenshot to preserve that mapping for later reference. Stick it in the same destination directory for easy access later on.

I got a screencap of this from my production desktop to illustrate the output from running this command:

dism exports drivers

Apparently, I’ve got 25 drivers on my production PC that come from a source other than Microsoft.

Quick inspection of that output shows why I like to grab and save a RAPR listing of the same stuff (it tells you where to go looking for stuff in Device Manager to figure out which drivers to grab following an upgrade):


The Oemnn.inf names make more sense when you can map them to Driver Provider and Class information.

May 9, 2016  1:26 PM

Windows 10 Pilot = Key to Success

Ed Tittel Ed Tittel Profile: Ed Tittel
Pilot, Windows 10

With the free upgrade deadline for Windows 10 approaching on July 29, more businesses are thinking about migrating to that desktop OS version. But the vast majority of commercial concerns — particularly those with thousands of users and OS licenses — already obtain Windows from Software Assurance or Volume Licensing contracts. They aren’t under the same time pressure to take advantage of “free” upgrades because they pay over the life of their contracts anyway. For such organizations, the real concern is to make sure that key applications and services work properly in Windows 10. They don’t want production desktops and environments to be adversely affected by its rollout and deployment. That’s why initial testing and experimentation in the form of a Windows 10 pilot program can play an important role.

Now’s a Good Time for a Windows 10 Pilot Program

Moving from an old runtime regime to a new one is a demanding task. It takes considerable time and effort, and inevitably ends up costing money. But even for organizations that jumped onto Windows 8 (and market research says there were precious few of them), Window 10 will probably be a necessary migration. That’s because Windows 10 introduces a new model for upgrades and updates, which will keep coming at regular, fairly closely-spaced intervals from now on. That’s in stark contrast to a new major version once every two or three years since Windows NT made the scene in the mid-1990s, now over 20 years ago (Windows NT 4.0 appeared in 1996). Many commercial concerns and large organizations adopted an informal “every-other-release” migration plan in the past because of the time, effort, and expense involved. But it seems that Windows 10 is a matter of “when,” not “if,” for most outfits simply because it’s slated to stick around for a long, long time.

That makes 2016 a great year for organizations that haven’t already started piloting Windows 10 in-house to get going. Organizations can track behind the leading edge of Windows 10, which is simply called the “Current Branch” and represents the most current release of Windows 10 (Version 1511) plus the most current cumulative update and all subsequent interim updates (Build 10586.218 as I write this post). The first milestone after that is called the Current Branch for Business (CBB) which is also based on Version 1511, but which currently rests at Build 10240 at the moment. It’s designed to support staged deployments of new features to match scheduled rollouts typical in most production commercial environment. It tracks about 90-180 days behind the Current Branch, to give organizations time to test and vet upcoming updates, and to plan workarounds for updates that won’t work if put into production. The last stage in the branch structure is the Long Term Servicing Branch, which tracks one year or longer behind the Current Branch, and receives no new features but gets security and other updates necessary for proper operation. It’s aimed at factory floor machinery, POS systems, automated teller machines (ATMs), and other tightly-managed and locked-down systems.

selecting a service branch is a key element in any Windows 10 pilot program

The real bleeding edge is the Insider Preview Branch, which tracks new features as they appear (and which may never go into production).
[Source: TechNet: Windows 10 servicing options]

Despite the appeal of hanging back as far as the Long-Term Servicing Branch, most businesses will be served best by focusing on the Current Branch for Business. Power users and those working on Windows 10 evaluations going forward should stick to the Current Branch for a more forward-looking take on upcoming Windows 10 stuff. But only non-production machines should ever play host to Insider Preview releases.

At the same time, the Windows 10 pilot program can also try out new PCs. This might include some of the latest hybrid 2-in-1 devices (tablet + keyboard such as the Surface Pro 4 or Surface Book) or latest generation laptops (such as the Dell Latitude 13 7000 series). Ditto for desktops (something with a 1151 socket, a Skylake CPU, and an NVMe SSD). This is also a great opportunity to dig into Microsoft’s Azure Active Directory, which provides seamless integration for Office 365 via Azure AD accounts. Interested admins will find lots of cool new features and functions to play with.

The Perpetual Windows 10 Pilot Gets Underway

The most important aspects of any pilot program are to assess the impact of migration on key line-of-business applications and services, and to determine what must change (and what can be maintained) while keeping workers productively and constructively engaged. This also means testing deployment tools, provisioning and rollout tools and methods, and getting everything ready to take into the field. It will actually turn into an ongoing process that happens continuously going forward, because working with Windows 10 means keeping a forward-looking pilot project constantly engaged to track upcoming changes and releases from the Current Branch (or Insider Preview) that will ultimately propagate into the Current Branch for Business.

May 6, 2016  10:13 AM

Free Win10 Upgrade Ends 7/29/2016

Ed Tittel Ed Tittel Profile: Ed Tittel
Windows 10, windows 10 upgrade, Windows 7, Windows 8.1

At the outset of 2015, Microsoft announced it would offer a free upgrade to Windows 10 for devices running Windows 7 and 8.1. (Here’s a Terry Myerson blog post devoted to that topic, dated 1/21/2015.) That update was always planned to last one year from the release date for the new desktop OS. And sure enough, MS has now stated that the free Win10 upgrade ends on July 29, 2016, exactly one year to the day from that initial release date. MS Corporate VP Yusuf Mehdi stated this clearly in his May 5 post to the Windows Experience blog entitled “Windows 10 Now on 300 Million Active Devices — Free Upgrade Offer to End Soon.”

Here’s the relevant language, which appears at the tail end of the afore-cited blog post:

today, we want to remind you that if you haven’t taken advantage of the free upgrade offer, now is the time. The free upgrade offer to Windows 10 was a first for Microsoft, helping people upgrade faster than ever before. And time is running out. The free upgrade offer will end on July 29 and we want to make sure you don’t miss out. After July 29th, you’ll be able to continue to get Windows 10 on a new device, or purchase a full version of Windows 10 Home for $119.

The actual MSRP for Home is $119.99. For those interested in Windows 10 Pro instead, the “full version” MSRP is $200 in the USA. You can also find OEM versions of that license (good for installation on a single computer, but not transportable from one computer to another like the full version) for $140 or thereabouts. But according to Microsoft, that’s what it will take to jump on the Windows 10 bandwagon after the 7/29 deadline comes and goes.

Free Win10 Upgrade Ends 7/29/2016

Here’s the word, straight from MS Corporate VP Yusuf Mehdi.

How to beat the “free Win10 upgrade ends” restriction, if you must

Users running Windows 7 or 8.1 who don’t wish to migrate to Windows 10 before the expiration date hits can trade some time and effort against the future expense of buying a license thereafter. How’s that? Simply by upgrading, making a snapshot, then rolling back to the pre-upgrade machine state. In somewhat more detail, here’s a 10,000-foot overview of that process:

  • Start by making an image backup of your current running Windows 7 or 8.1 environment
  • Perform the upgrade install from that current environment to Windows 10
  • Apply all pending updates to that Windows 10 install, then make another image backup of the new Win10 environment
  • Restore the original image backup of your current running Windows 7 or 8.1 environment

You’ll be back where you started, but you’ll be out the time and effort required to make those backups and perform the upgrade. After July 29 comes and goes, you’ll be able to restore the image of the Windows 10 environment you created to exercise your free upgrade offer before the expiration date passed. You’ll also be out the storage space necessary to keep that upgrade image in suspense until you’re ready to wake it back up. If my experience is any guide, this will take 3-4 hours of your time, and somewhere between 20-25 GB of disk space on the low end, and probably no more than 100GB of disk space on the high end (YMMV, though, depending on how much stuff you allow Windows to keep in the Photos, Pictures, and Documents folders in the Windows Library environment). If you need more time, don’t let the free Win10 upgrade ends deadline catch you either napping or unaware!

May 5, 2016  10:19 AM

No Blocking Store Access in Win10Pro

Ed Tittel Ed Tittel Profile: Ed Tittel
Group Policy, Windows 10, Windows Store

I was amused to read Mary Jo Foley’s latest report at ZDNet this morning. She relays that Microsoft has dropped the ability for Windows admins to keep blocking Store access in Windows 10 Pro. Their reasoning is apparently two-pronged:

  • According to Microsoft, Store access is “required for all versions of Windows 10 except Enterprise and Education ‘by design'”
  • Those organizations that really want clamp-down capability on Windows 10 desktops should buy licenses for Enterprise, not Pro

blocking Store access in Windows 10 Pro no longer possible

Though KB3135667 looks like troubleshooting advice, it’s really a policy statement (not Group Policy, either).

Why Blocking Store Access for Win10Pro Is Valid No Mo’

The official change is covered in KB Article 3135667. It is entitled “Can’t disable Windows Store in Windows 10 Pro through Group Policy.” In asking MS to confirm this change, MJ Foley asked why blocking Store access in Windows 10 Pro is no longer supported. IMO, that response is a masterwork of doublespeak:

Microsoft is focused on helping enterprises manage their environment while giving people choice in the apps and devices they use to be productive across work and life. Windows 10 Enterprise is our offering that provides IT pros with the most granular control over company devices. Windows 10 Pro offers a subset of those capabilities and is recommended for small and mid-size businesses looking for some management controls, but not the full suite necessary for IT pros at larger enterprises. The ability to block access to the Windows Store is typically for organizations who want more control over corporate-owned devices. This fits into the value of Windows 10 Enterprise.

My translation: to maintain complete control over your Windows deployments, don’t buy the retail-oriented Windows 10 Pro. Instead, you must sign up for a volume license agreement, and jump on the Windows 10 Enterprise bus. Any questions? MJ Foley’s summation of the forces driving this change is also a gem: “Driving visibility and use of Windows Store has been one of Microsoft’s goals with Windows 10.” Given that OS revenues are dropping, and that commissions on Windows Store sales are turning into a cash cow, I guess this makes sense — at least, to Microsoft. I’m wondering if business customers who’ve shied away from volume licensing until now feel the same. Having myself recently been inducted into the Microsoft Volume Licensing Service Center, I think the answer is “probably not!”

[Thanks to Shawn Brink over at the News Forum at for bringing this matter to my attention. Keep up the good work!]

May 4, 2016  12:22 PM

SD-based Apps Won’t Update in Win10!

Ed Tittel Ed Tittel Profile: Ed Tittel
Windows 10

There’s an interesting problem facing those running Windows 10 on limited storage capacity tablets and similar devices. Given typical eMMC or flash “drives” of 32 GB or less, best practice can dictate that such limited storage be augmented with SDXC cards readily available in sizes from 32 to 256GB. This may also involve relocating all kinds of storage from the primary storage device to that SD card, including user files of all kinds (documents, downloads, and so forth) as well as application and app files of all kinds. Recent reports from the field indicate that some people who’ve moved Windows 10 apps from the Store to SD devices can’t apply updates from the Store to keep them current. If you or your users find that SD-based apps won’t update, there’s a simple but potentially vexing fix you can apply.

SD-based apps won't update in Windows 10

Windows 10 is very accommodating about changing locations for all kinds of data, but says nothing about apps needing NTFS formatting to update.

If SD-based apps won’t update on your system, a fix is possible…

The problem apparently stems from conflicting defaults. App Store updates expect to reside on NTFS formatted storage devices, but SD cards are typically formatted using some form of FAT (usually exFAT for larger devices) formatting instead. It seems that Windows 10 won’t propagate app updates into non-NTFS storage devices. Thus, the fix is to reformat the SD device from its current format to NTFS. The downside, of course, is that all relocated apps will then have to be reinstalled onto the newly-reformatted SD card. This takes time and effort, as documented in these CNET and How-to-Geek articles.

On the other hand, it seems that it might work to copy the contents of the SD card to some temporary location, reformat it to NTFS, then restore those contents onto the newly-formatted drive. I’m going to try this on my Surface Pro 3, as soon as I have enough time to set all this up and try it out. I’ll report back later after I’ve attempted to make this work. My hope is that this will also fix the “SD-based apps won’t update” problem. Stay tuned!

[Thanks to Sergey Tkachenko at, whose recent Fix story provided the impetus and information for this blog post.]

May 2, 2016  11:11 AM

This week’s forecast: Partly cloudy with a chance of Windows 10

Eddie Lockhart Eddie Lockhart Profile: Eddie Lockhart

The path to Windows 10 has been full of sunny skies for many companies right out of the gates. The operating system already stakes its claim to second place in the market based on desktop share by version. But what about the organizations that are happy with their earlier versions of Windows?

An OS upgrade just isn’t in the forecast for some companies whether Microsoft likes it or not. And it seems Microsoft does not like that. As a result, some Windows 10 storm clouds have rolled over a few organizations still using their non-Windows 10 umbrellas.

First of all, the OS automatically downloads itself on to some users’ computers when they perform a routine Windows update. Other times, a Windows Update will “recommend” that the user make the move to the new OS. That suggestion does not care who you are or what you are doing, just ask this poor weather woman:

Microsoft has even hidden Windows 10 advertisements in its security updates for Internet Explorer on Windows 7 and 8.1. Not only does the security patch include a Windows 10 ad generator that stamps a Windows 10 upgrade ad at the top of every new tab a user opens, but it also automatically installs a how-to guide on upgrading to Windows 10.

Just like an unwanted snow storm, Windows 10 inserts itself into users’ lives so it is important to keep that in mind as companies consider making the move to the new OS.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: