Re: Anyone willing to bet...
AKA a Microsoft Account.
38 publicly visible posts • joined 22 Jun 2009
Perhaps once the tech has matured enough and time has rolled on, there will be the future-equivalent of a wireless charging pad built in to the parking space surface, so you just park up, go into the services and do whatever, while your vehicle is charged wirelessly.
To get even more futuristic - perhaps these kind of wireless charging capabilities could be built in to roads themselves in future. You could have a 'charging lane' or something like that.
Gosh it's naive of me to think this country could organise that.
Unfortunately, don’t be fooled by the ‘machine-wide installers’ that they use. All these do is drop the (mostly) same old installer in Program Files on your master image, which is then run by end users who log on. When run by each user at logon, it just installs the product into the user profile the same way the standalone installer does.
So no different but an easier way to deploy the same tool the same way to users of golden VDI images. End result is the same.
Sure I get you. I think we are mostly on the same page :)
Application control (from whichever vendor, we happen to use Appsense but there are others) is an absolute base requirement these days as you say. Application control shuts the door on all your concerns.
eg. 'a user downloading a file and running it from their profile'. The user doesn't download a file - a process does, running as the user (or another user). So you use application control to prevent, say, chrome.exe from writing to <wherever>, or excel.exe, or whatever. Why should chrome.exe get to write to the Documents folder? Or the Appdata\Local\<anything-other-than-Google-subfolders> folder?
Then to combat a user running a piece of code they downloaded (or side-loaded somehow) - application control will stop that. Why should the user be able to run any old code? As you say - they shouldn't. So we don't let them right? You've alluded to certificate-based validation of exes which is one way. Say they want Teams - we let them download and run Teams, and teams only, and then we let the teams.exe process run the meeting-addins, etc. and so on and so forth. We configure it tight.
Obviously I'm simplifying things as you know :)
I think we are on the same page.
Just my point is it really doesn't make any difference which part of the disk it is downloading to and running from, when an application control product is in control. Thus - who cares how Teams\Slack\Whatever installs - we just manage it with application control, and roam it and its personalisation data around a server farm with UPM\FSL. Happy users.
I wish I had bloody shares in an application control company the amount I'm bleating on about this :)
"Teams will have to copy a huge slug of crap back in again on each login."
Stop using 'legacy' profile management like Citrix UPM that copies hundreds of files (or thousands in badly-configured environments) at each logon and log off - utilise your brand new shiny entitlement with MS, via your RDS CALs, to use FSLogix profile containers. There is no file copying at log on/off.
It is free to you.
We are currently mid-migration from UPM to FSLogix so this is the voice of experience :) You will wonder why you didn't do this sooner.
Citrix have started doing a profile container too if you prefer to stay with Citrix for profile mgmt.
Watch your logon times drop through the floor. It is quite a revelation :)
Also you can use the FSLogix Office Data File Container to enable fully managed, roaming Outlook cached mode to your XenApp users, so you can stop the PAIN of Outlook online mode, or the semi-pain of SMB-hosted OST files.
Do it :)
Out of interest, what are your issues with applications in the user's profile?
(Like most reg readers I've worked in IT a long time so I'm familiar with many of the classic responses to that question). eg.
* Users can download and install apps themselves : Use application control, now they can't.
* Profile bloat : all VDI shops use a profile management solution that helps you manage profile bloat, be it UPM, UEM, FSLogix etc.
* Files can be downloaded and overwrite genuine files : use application control, now they can't.
The profile is just 'a piece of disk', but it happens to be one that roams with the user. Permissions aren't hugely relevant because - application control. If you view the 'user profile' as an area where the user has full read\write, unmanaged access to save and execute whatever they want, then sure I can see the problem.
Application control is the key - doesn't matter what NTFS permissions there are, or what process is trying to do the reading\writing - application control has a vice-like grip on it all. I'm not trying to say it is a utopia, it needs careful thought and implementation (like the rest of our IT systems).
Alternatives are:
1. Say NO to these apps your users\business needs, because 'SECURITY'.
2. Use your weight with the application vendors to have them see the 'error of their ways' and change the way they package and deploy their applications.
Or - accept it, you can't control what business critical (or non-critical) app your users will need next week, or how it is packaged\delivered, but you can ensure you have an IT environment that is capable of dealing with it whatever it may be.
I suppose different approaches to the same problem.
None of us want to work in an IT team that just says 'No' to everything all the time, like we did in the 90's/00's. We have technology these days that should enable us to say 'Yes!' a lot more now :) Or- maybe 'Yes!, but......'.
The real reason I think for the move away from MSI (VSTOR, C2R, Squirrel etc.) is WVD, full-on user virtualisation in Azure (hence FSLogix purchase), flexibility for software deployment on-the-fly, no reboots, self-updating apps etc. Sounds good right if we can manage it effectively!
I don't disagree with you but our world is changing, and the expectations of, for example, non-persistent VDI environments are different now than they were two years ago. Today's users need to perceive a more flexible environment, not the rigid IT delivery of the 00's - if we don't provide them with what they need they go 'shadow' on us.
#quote: "There's no such thing as Shadow IT - only your users telling you what they need.".
We also use Teams on XenApp - it (like other modern software) just requires a different way of managing it. We use for example FSLogix to containerise and roam while maintaining performance, and use Application Control (in our case Appsense) to permit\deny anything from anywhere. Trusted Ownership FTW.
Teams, and its ilk (eg. Squirrel-based installers into the user profile) - are here, and here to stay so we need to adjust how we deliver. A 'bag of shit' it may be now, but it won't be long before everyone wants\needs it and we as IT need to have an answer other than 'No' - otherwise: GOTO #quote.
IMHO. YMMV. et al.
Snap.
Even factor in Office suite and it gets no better. Office 2016 vol + Exchange on prem (+ multi-site DAG, hardware, backup) is still less than 1000 E3 licenses, even by year 3 let alone year 5.
Sure you don't get the cloud services of O365. But like many mid-sized orgs down here in the real world, our lot can't see past "all we need is word, outlook and excel".
Not a reflection on the tech or the model necessarily - more the pricing :)
Small business (<300 seats) things look a bit better.
"I agree with the 'just say no'. The MShaft DHCP server is WORTHLESS. I just use bind for DNS with isc-dhcpd on a Linux or FreeBSD box. It has worked for me for nearly 2 decades, and was relatively painless to set up with a short RTFM session."
Thanks for:
1) commenting so eloquently on something you demonstrably know nothing about
2) firing out the 'it's worked for me for 20 years, it must be fine' classic
3) taking the time to do both in a public IT forum
Brightened up my day.
SA is relevant to larger organisations who take DR seriously and need to failover hundreds or thousands of Windows VMs to failover sites. Instead of licensing for the primary physical virtualisation hosts, and the failover hosts, you only pay the SA percentage on top to license both and can failover at your leisure.
To the small fry with 5 Windows servers and a couple of old Linux boxes who think they're Mr Robot, the real benefit of these 'outrageous' and 'extortionate' licensing schemes is not something easily grasped.
That's not to say I disagree with the terms 'outrageous' and 'extortionate' with respect to some MS licensing (ahem SQL server Ent ahem) - just that their offensiveness is dynamic based on the scale at which you're looking at these costs.
ROI calcs, based on hard facts not Utopian whims, can often have surprising results....
I also believe that you can run a medium-sized enterprise's IT environment, from desktop through apps to servers and virtualisation, a lot cheaper using MS Windows over, say 5 years, than attempting to run a purely non-MS shop of the same scale, with the same requirements, same results, same end-users IT literacy (lack thereof) - mainly because I believe this sort of environment can be built and run by a smaller, cheaper IT technical team than an equivalent *nix environment.
Reminds me of the classic adage: "Linux is only free if your time has no value". Of course things have moved on a lot since that phrase was coined but in terms of enterprise requirements (not a farm of web servers, or containers, or Facebook\Google, or specialist requirements - real-world enterprise log-on-and-do-your-work environment), you buy MS Windows and hit the ground running. Fast.
MS know what these companies want and expect from their IT and IT staff, and what they're prepared to pay for it. And yes stretch it a bit. OK a lot.
Of course this is just now, and will change over time. And that is a great thing about our industry right?
You think when your machine downloads an update, it comes from Microsoft's own servers?
One word - Akamai.
They must pay an awful lot of money to CDNs like Akamai to globally\geographically distribute the vast number of TBs of data all their products consist of.
You didn't think that every installation of Windows across the whole world downloaded updates from a single server\cluster in Redmond somewhere, right?
To me, they are just swapping out a long-standing CDN infrastructure for a new one. You still download your update bits from "someone else's computer" as you have done for years.
So what - in reality - is the difference?
Objectively it makes sense to me tbh and I can see how it might save them a lot of money, with - realistically - negligible impact on customers. A bit crafty\cheeky though I suppose!
Yes there are some large updates. No your pc might not cache all the pieces of a full update necessarily. Yes you can control it. Yes you can turn it off.
eg. https://4sysops.com/archives/windows-update-delivery-optimization-wudo-in-windows-10/
re: Network\Bandwidth, WU has been using BITS for years without issue\uproar over bandwidth??
In corporate where you have little pockets of computers distributed nationally\internationally, and unlikely to have WSUS in each site, this will clearly be a beneficial option to the administrator.
GPOs provide control over the type of remote computer your machine pulls updates from - eg. local subnet, AD-site based, Internet etc.
Interestingly it apparently might be relevant to the borked WSUS CU issues with 1607. "This is a bug in the Windows client that will be fixed in an upcoming cumulative update." Hmm.
Agree it could be nice for the tin-foil hat brigade if there was a clear GUI-based method to disable this 'new' functionality (ie. CDNv2) and revert back to the old way (CDNv1). But then that would require MS to keep paying Akamai, thus negating any financial gains (which is what it is all about) of moving to this new approach.
IMHO - much ado about nothing.
I'm arguing with some of the statements posted previously, namely that:
Win 8.x requires an MS account.
Win 8.1 is an upgrade only.
Win 8.1 can only be installed from the MS store.
I'm saying they are not true (because they aren't). Of course there are use cases out there where people will be upgrading Win 8.0 to 8.1 through the app store, with their MS accounts, on WinRT, while standing on one leg. Naturally. But to come on to an IT Pro site, making statements like those above in such a way as to make them sound true, is not fair to anybody reading it.
Personally - I don't care how those people are going to upgrade. There'll be someone somewhere ready to make a fast buck out of helping them with their upgrade I'm sure. From an enterprise perspective however.....
"Show me the local account option there. You know, in spite of it being an upgrade to a (virtual) machine which was primarily run on a local account."
Honestly I can't answer that question with much authority, as I haven't upgraded 8.0 to 8.1 using an MS account through the app store, as I think you might have gathered..... :-) However, in the 'don't-piss-our-business-customers-off' edition (which in my case is called, erm, Win 8.1 Professional and which I suspect is code-wise exactly the same as every other edition other than the SKU\licensing differences), when upgrading from 8.0 or fresh-installing 8.1 (I have done both) you are prompted to sign in with a MS account during OOBE\mini-setup, you click 'Create a new account', and then when the new account sign-up form appears, you click, cunningly, 'Sign in without a Microsoft Account'. Rocket science... I'm not trying to say it's the most intuitive thing ever - but it's there in plain sight.
To argue I upgraded using an MS account, by virtue of the fact my ISO came from MVLS, is pretty weak!!
@M Gale
Wow! It's not a store download only, nor is it an upgrade only (technically - marketing wise it might be). Where does all this FUD come from!
I got the Windows 8.1 ISO from MVLS and did a clean install to a blank hard drive. Just like all its predecessors. Next, Next, Finish. I don't understand the confusion here?
MS store - I don't have an MS account (MVLS account is corp, not mine), yet I managed to install 8.1 fresh.
I'm posting this from said Windows 8.1 Pro install, which - for the sake of clarity - I downloaded the ISO image of from MVLS, installed clean onto a blank hard disk drive, created a local user during setup, logged in and joined to an AD domain - all without having to use an MS account, hack around anything or 'go into the control panel' or anything! It's almost like it's just the same as Windows 7!! (but we can't say that round these here parts else we're liars and heretics!).
Try it. Just get the ISO image, create a VM and boot the ISO. Run through setup, same as Win7 etc., and you'll see what I mean. Try it. Go on. Then come back here and post the results...............
You don't have to like Win8, you certainly don't have to use it. Personal opinion and taste of course, horses for courses always. But these points we're arguing about are facts, they're not open to the interpretation of personal opinion. We should get our facts right when discussing in a public forum, that's all.
@stevenroper - No you're just spreading FUD. Our industry doesn't need any more of it, there is enough already. Other people read this as if it is factual information, and then go off assuming and\or spreading the same rubbish. I don't care whether people buy or use Windows 8 or 9 or 21 or whatever. MS have enough money, I have no interest in them making any more, I'm not a shareholder or employee. It annoys me however to see crap like this come from a fellow "IT professional". Same applies to all the Apple bashing and Freetard calling etc. Just wish people would get their facts straight before jumping on the bandwagon. Sadly, the people who gave you twice the upvotes than downvotes are similarly minded - if they had used it themselves, they wouldn't be giving you upvotes would they.
Criticising any product because of some issues with a *beta* 18 months ago seems a bit strange too doesn't it, in our industry?
@steven roper - quality gibberish there. Clearly no idea what you're talking about!
re: Microsoft account. Not needed in 8.0, not needed in 8.1.
re: installing software. Have you actually tried to install software like you would expect to? Or are you referring to WinRT on Surface?
re: cloud storage. Been using 8.0 and now 8.1 since launch, I have no cloud storage from anywhere (I think my iCloud account might come with some but I don't use it). I see no references, pop ups, nags etc. to coerce me to use cloud storage? I have a c: drive - it lets me use it like all the previous versions of Windows. Where are you being "constantly pushed towards unwanted cloud storage"? Maybe I downloaded a different version to you.
re: ownership. I know this is hot in the industry, fair enough. But my experience of 8.x suggests no transfer of ownership of my hardware, OS or data. Yet anyway. Other than rhetoric, where and how is Windows 8.x urging you to move your data to the cloud?
re: walled garden - you really haven't used it have you. Unless you're talking WinRT again.
re: constantly monitored, logged and spied on. Sure another hot topic, but do you feel Win8.x does this any more than say OSX Mavericks or iOS? (if you use them), or your OS-independent broadband provider at home?
Availability - got my 8.1 from MVLS. This is an IT pro site right? App Store schmapp schmore.
Installed fine, OOBE does admittedly try to trick you into signing up to an MS account, but two clicks get you round that and using a local account as per the last 15 years. Join to domain, wham bam. It's windows 7 but faster. Really don't see what all the fuss is about TIFAKMSJUDJEHZ and all the other stupid stuff people moan about it. None of it matters - it's a means to an end, a tool to do a job, the job being the important thing right? It's not a religion.
Try it - it's pretty good. Win 7 on steroids.
I think a lot of confusion comes from MS\Windows trying to be all things to all people. As a sysadmin dealing primarily with vsphere, windows\AD\Exch\SQL and supporting technologies, it ticks all the boxes for me (like 7 did, like Mavericks does, like Xub 13.10 does). Tool to do a job.
If you're an IT pro put off by the new start menu and not booting straight to desktop, then I think you're in the wrong job...
Still - I will admit.... doesn't come close to MBP with Mavericks for a bit of couch-based slickness at home :-)
Complicated install? For the 'next, next, finish' guys sure it might seem complex when it doesn't just install. This is core infrastructure software that provides the basis for our customers' IT services - there can't be many techs worth their money that go at something like this without a pot of coffee, a shut door, google and a big pile of PDFs printed out....
IMHO! Nothing personal - just a bug bear of mine about our industry.
DRS available in Enterprise, S-DRS only in Ent+.
Doing a 5.0 to 5.1 upgrade this afternoon - only a small one though. SRM included. Fun fun fun.
Thanks for the article Trev!
our users don't have rights to install anything.
we insist on ie simply for centralised and managed patch management. don't give a hoot what the users think, we need to be able to apply patches across the board quickly and reliably. hence we stipulate (and force) ie.
we use wsus to standardise on ie7 - contemplating the ie8 rollout, we've been using it in IT since its release and has caused no issues with our internal web apps or anything else. so guess will be rolling that out soon.
if mozilla release some sort of centralised updating mechanism that corporates can use to reliably and quickly update all firefox installations across our wan, then we might take it a bit more seriously as a corporate tool.
personal opinions and preferences aside, my employer employs me to keep things as secure and manageable as possible.. rightly or wrongly, at the moment, that is ie simply due to manageability (gpo\ieak) and patch management (wsus).
bye!
That scene above "Thwough him to the floor \ Bickuth Dickuth" is pure genius. Watching Palin desperately trying to keep it together.
Epitome of British comedy IMHO, and still stands proud to this day.
My other faves:-
"Conjugate the verb 'To Go'" - Romanes eunt domus http://www.youtube.com/watch?v=IIAdHEwiAy8. Horrifyingly similar to a particular Latin teacher I had at school....
And the 'Jehovah' sketch at the stoning with Cleese. Brilliant.
Will be spending the rest of the afternoon watching clips on youtube now methinks! Thanks reg!