Brent Ozar and the Free SQL Server Content

SQL Server is a great product, but it’s not something I often talk or rave about. It’s the unsung hero of the majority of the software we use and a lot of the time we don’t look after it properly, and that’s assuming we deploy it properly in the first place. A colleague and friend of mine @LupoLoopy was at a SQLBits conference last week where Brent was speaking and it piqued my forgotten interest in SQL Server, so I took to Brent’s site for some SQL inspiration.

It didn’t take long for me to find some great material. If you are in the SQL Server business then I’d really recommend some if not all of this material to you. I haven’t gotten through them all myself yet, but the eBooks I have no doubt are great insightful reads and the tools, sp_Blitz and sp_BlitzIndex will be so useful to you, you’ll probably wonder how you lived without them as I did when I first saw them.

Please don’t thank me for any of these tools and documents as they are all property of Brent Ozar Unlimited, his SQL Server practice but please do thank me for showing them to you if you haven’t already heard of Brent. If you haven’t heard of Brent then he is a SQL Server Master and a Microsoft MVP for SQL Server: a big deal basically.

SQL Server Tools

sp_Blitz is a free tool that gives your SQL server a full bill of health and tells you everything you want to know but didn’t know was wrong with it. My personal feeling is that this tool should be made mandatory to run against all SQL servers at periodic intervals to keep them in a sensible state of health.

sp_BlitzIndex is another tool but instead of checking out the health of your SQL Server, this checks the health of your database indexes so that you can get the most performance out of your databases.

SQL Server eBooks

SQL Server 2005, 2008, 2008 R2, 2012 and 2014 Setup Guide. This is a full-on “how to set up SQL Server” book by Brent and probably number one on your reading list if you are ever installing SQL Server.

AlwaysOn Availability Groups Setup Checklist isn’t a book as such but it’s a very helpful ticksheet you can use to make sure that when configuring SQL Server AlwaysOn Availability Groups you haven’t missed a step and been left scratching your head wondering why it isn’t working as you had designed.

High Availability and Disaster Recovery Worksheet is the final example I like from Brent which helps you to decide which HA and DR technologies you should employ in your SQL Server designs. This is a really simple yet effective sheet to have with you if you design SQL Server deployments.

Windows Live Outlook Domains Termination

I’ve been using Windows Live Domains, now known as Outlook.com domains for a number of years. It’s a free service that allows you to consume Outlook.com and other services usually associated with Outlook.com such as OneDrive but using your own custom domain name and email addresses instead of using a default domain.

I’ve seen this coming on the cards frankly, but today the penny dropped when I received an email from the Outlook.com team advising of the termination of the service. As of today, no new domains will be accepted for registration in Windows Live Domains. As of July 31st 2014, just under 60 days from now, the Windows Live Domains management site will be stopped preventing the addition or removal of accounts from any existing domains also, essentially shutting you out.

As a token of goodwill, Microsoft are offering 90 days free Office 365 Small Business Premium for up to five users which is a nice offer but I think it’s badly pitched. I think that offering Office 365 Small Business Premium as a carrot to move to Office 365 is the wrong kind of carrot. A much better solution would be to have offered people a service credit to the value of 5 users on Office 365 Small Business Premium and here’s why.

Replacing Windows Live Domains with Office 365

Windows Live Domains offered email as a service for free and allowed you to create up to 500 accounts per domain plus an option to create more if you contacted support to request an extension. Office 365 Small Business Premium is £8.40 per user per month excluding VAT and supports up to 25 users.

Office 365 Small Business Premium also includes Lync conferencing, a SharePoint Online Public Website and licenses for the Office 2013 desktop application suite and Office for iPad. Giving people an offer which includes a bunch of extra (and admittedly excellent) functionality is nice, but if someone is using Windows Live Domains for email they will no doubt already have other services in place for conferencing and a public website, so these features are not relevant to these users. Licenses for desktop versions of Office and Office for iPad are also nice, but small businesses will have already gone out and purchased their licensing through a local License Reseller or via the Retail channel.

Office 365 Small Business at £3.30 per user per month is a better carrot because it doesn’t include the Office licenses which, as I mentioned, is likely something people will already have acquired through other sources, but it’s still not ideal as it still includes Lync conferencing and the SharePoint Online Public Website and it still has the limit of 25 users. Opening up Lync conferencing certainly could be viewed as a way to expand business opportunities and the SharePoint Online Public Website could be viewed as a way to get yourself a new, modern looking site with a simple to manage and design interface, but they are all extras all the same.

If you are using Windows Live Domains with a high user count then Office 365 Midsize Business is a better option as it supports up to 300 users, still 200 short of the default limit in Windows Live Domains but at £9.80 per user per month excluding VAT and requiring an annual commitment as opposed to a pay as you go model in the other Small Business plans, that’s getting quite expensive. Anything beyond 300 seats and you are looking at Enterprise level plans which I’ll let you look at for yourself.

Exchange Online a Better and Cheaper Option

So what is the best option? Well I think that the best option for someone looking for a move from Windows Live Domains to Office 365 is actually not an Office 365 Plan but an Exchange Online Plan, Exchange Online Plan 1 to be specific.

Exchange Online Plan 1 is only £2.60 per user per month (excluding VAT) and gives you a direct replacement for services offered by Windows Live Domains. It gives you the Office 365 Exchange Online based messaging solution, far more powerful than the messaging solution of Windows Live Domains but it doesn’t try to be a bigger service, it’s there solely to be a replacement for your email service but a vastly improved one at that.

Exchange Online is managed through the same interface as Office 365 and it is classed as an Office 365 SKU in the licensing section of the portal which means adding Lync, SharePoint or other SKU services later on down the road is a viable option and you can even switch over to Office 365 full product SKUs if you desire later on.

Time is Tight

This is another area that I think Microsoft haven’t been very considerate to people using the service currently. With less than 60 days notice before the whole thing goes belly up, that isn’t a lot of time for Small Businesses or home users of the service to consider their options wisely, evaluate possible paid for alternatives and to migrate out. Many small businesses are going to need to bring in outside services to help them understand this move and perhaps even manage and complete the move for them if they don’t have the skills internally to understand setting up an Office 365 tenant or configuring MX records to reconfigure email delivery.

Even if these businesses do have the skills internally, do they have the resources? Everybody has a day job and somebody having to take the time out to orchestrate this email platform move is no doubt going to be letting other areas of their job slip in the process.

The time is tight aspect is made worse by the next point.

Manual Migrations All the Way

I knew this was going to be the case. The reason I knew this is because on the Windows Live Domains forums for some time, people have been asking for a method to move seamlessly between Windows Live Domains and Office 365 and there has been no good answer and it’s been confirmed today that the answer is manual migrations.

The email gives a link to a Microsoft article at http://windows.microsoft.com/en-gb/outlook/migrate-custom-domain which describes the migration process but, simply put, you cut over your DNS MX records to Office 365 if that is where you elect to go and then you have to manually export and re-import all of your mail, calendar and contacts using .PST files or such.

If 60 days was the timeline but it was a push-button migration where you could elect to invoke the move at a time appropriate for you, login to a portal, click “move me to Office 365 now” and two or more hours later your service was back online but using Office 365 instead, 60 days wouldn’t be an issue. To manually re-configure the service and move mail and all your personal information over in that time too is a bit much to ask.

A problem that I’ve read about a number of times on the Windows Live Domains forum is that when people de-provision their Windows Live Domains service to move to Office 365 it can sometimes take a long time for Office 365 to accept the domain, as Windows Live Domains does not always fully release it, causing Office 365 to report that it is currently tied to another Microsoft messaging service. Microsoft really need to have ironed out the bugs in this if people’s stories of migrating to Office 365 from Windows Live Domains are going to be good ones. I personally moved a domain over without any issues and the whole thing took no more than an hour including DNS propagation, but that’s just one story in a few hundred thousand I’m sure.

The other problem is the competitors. You can almost bet your boots that Google and company will start a marketing campaign targeted at small business off the back of this termination of service and the fact that the migration to Office 365 is manual means it’s no harder to pick yourself up and move to another company for email than it is to upgrade to Microsoft’s premium Office 365 service.

The Outward Push

I want to sound positive here because I really like what Office 365 is about and the services it provides. I’ve been using Exchange Online Plan 1 for one of my own personal domains for about a year now and I keep toying with the idea of bolting on some extra SKUs to it to get more from it but I’m struggling here in this context.

Windows Live Domains, although there is no count that I know of, likely has a lot of users right now. Some of these people may be home users with just one or two addresses to move, others could be businesses which started out small and have naturally grown and evolved over time but have become dependent on Windows Live Domains for their business success, with many, many accounts.

I think that the “everything is free” culture that the Internet has generated over the years is certainly to blame for a percentage of this, and I think that if people want a high quality email service or other additional services then you have to pay for that, and that’s why I am personally happy to pay for Office 365 services. You don’t get uptime and availability warranties with your free Gmail account now do you?

What I do think is that the placement of this 90 day five user promotional deal to encourage people to Office 365 is pitched at the wrong level and I think that coupled with the tight sub 60 day timeline and the proposal of a manual migration is probably going to generate a degree of Microsoft hesitation rather than happiness and will probably make some of these people look to move to other such services as it would be no more difficult to do so.

I’d quite like to see an updated communication from Microsoft that they realised they pitched the Office 365 deal at the wrong level and that they are changing it to offer service credits for any tier instead but I can’t see it happening in reality. I hope for Microsoft’s sake that they know more than I do in this case and that this move doesn’t backfire on them.

Blog Effectiveness Feedback

Web design and layout is an interesting beast with one man (or woman) and their view of aesthetically pleasing or effective layout and use of screen real estate being different from the next. With my blog, I’m generally happy with how it works but I like to operate my blog with an agile based approach, taking small iterative steps to continuous improvement.

When I normally make changes to the site, things I deem to be improvements, they are self-led ideas that I think would be good, but not often do I really consider the effects on the viewers of the site. For this occasion, I’m going to flip that on its head.

I’m looking for anybody out there who reads my site for feedback. I’m not looking for feedback on the topic of the articles because frankly, that isn’t going to change unless my technology pattern at work changes, unlikely in the current circumstances, but I’m looking for feedback on the site itself.

  • How Do You Find the Layout?
  • Is the Navigation Useful?
  • Is the Content Clearly Legible in the Current Size and Font?
  • Does the Site Render Badly on Your Device of Choice?
  • Anything Else You Can Think of?

I normally have comments disabled on my blog for fear of the spammers but for this post, I’m going to leave them enabled although I may disable them again at a later date to prevent the spammers moving it to squat. If you’d prefer, you can send me a tweet to @richardjgreen or get in touch with me via one of the other contact methods outlined on the Contact page from the navigation at the top.

I’m really interested to hear what the community and people who actually use my site think of it and if there are ways you feel it could improve to make my content more accessible to you.

Microsoft Azure Spending Limits Clarification

Lots of people want to use Microsoft Azure, that much is clear, but a lot of people, based on threads which get started on the TechNet forum, get stuck when it comes to the relationship between trial accounts, standard accounts, billing and limits, so I wanted to set the record straight a little using some good old plain English.

This is in response to a thread I answered on the TechNet forum last night which you can see at http://social.msdn.microsoft.com/Forums/windowsazure/en-US/a78f28e6-3929-45ef-9c52-cee62d3ab17a/set-spending-limit-after-free-trial?forum=windowsazurepurchasing#a603ca13-5911-4cf9-a142-ec1615192e95.

Trial Accounts

When you sign up for a Microsoft Azure trial account, you are prompted to provide a payment instrument during the sign up. Payment instrument is a really horrible term for a payment method. In a nutshell, it wants you to provide a credit card. When you sign up for the free trial, you get $200 of credit available to consume over a one month period.

The $200 credit is imposed in the form of a spending limit. If you consume all $200 before your month is up, all of your services will be suspended. If you’ve got credit left at the end of the one month period you will lose it, so make sure you use it even if it’s just to get a grasp on how to create various types of virtual machine, websites, cloud services or databases.

If you consume all $200 before the month is up and you want to resume the services that you have provisioned thus far you can remove the spending limit on the trial account which will begin placing cost incurring charges against your credit card payment instrument.

MSDN and BizSpark Accounts

If you have access to Microsoft Azure via an MSDN subscription or a BizSpark subscription you will have at your disposal $150 per month of Microsoft Azure credit included in your agreement. This entitlement lasts for the duration of the agreement and at the termination of your agreement, all services will become suspended when the final credit amount expires in your final month.

If you want to resume these services, you will need to add a payment instrument, a credit card to the account and disable the spending limit. Unlike a trial account, you are not forced to add credit card information at the point of enabling the subscription so be sure you don’t forget to add this detail.

If you are using your $150 a month entitlement but find that you could do with a little bit extra then you can opt to disable the spending limit on the subscription, add payment details in the form of a credit card and once you reach the $150 free entitlement, any excess usage of the Microsoft Azure platform will be billed to your card.

Understanding Spending Limits

Spending limits I think are the largest cause of confusion in Microsoft Azure. Spending limits are what they are called: a limit to prevent spending money over a given amount. They do not represent a fixed spending commitment (e.g. spending $100 a month even if you only consume $25 of services), a question I’ve seen asked on the TechNet Forums on more than a few occasions.

Spending limits are not a feature which is generally available for normal subscriptions. Spending limits are only available for the Trial, MSDN and BizSpark subscriptions as previously mentioned. If you are an enterprise customer or a conventional pay-as-you-go customer you cannot enable a spending limit on your subscription as this option is not available.

With MSDN and BizSpark subscriptions, when you disable the spending limit, you will continue to consume your monthly or trial period entitlement of funds. The trial or monthly funds will be consumed first before any charges are levied against your credit card. Once you exhaust all of your credit, you will start being billed.

If you elect to reactivate a spending limit on an MSDN or a BizSpark subscription, you cannot customise the limit value. When you reactivate the spending limit, the limit will be restored with the same limit as was previously imposed. To re-iterate, you cannot customise the spending limit as the limit value is defined by the type of subscription that you have.

You can read the official Microsoft article on MSDN about spending limits configuration and when they are or are not available at http://msdn.microsoft.com/library/azure/dn465781.aspx.

Alternative to Spending Limits

With spending limits not available for conventional subscriptions, many people will be thinking what is there to stop me from racking up a massive bill unknowingly and then having to try and explain or justify perhaps to business partners or co-workers or such like, how you managed to spend so much. By default, nothing, there is nothing to stop you from spending an infinite amount of money. Luckily, we have a solution in the Billing Alert Service.

The Azure Billing Alert Service is currently in preview although it has been around for a while now and I expect it to stay due to the lack of spending limits for conventional subscriptions. Although the Azure Billing Alert Service does not explicitly stop you from spending too much money, it does allow you to configure warnings and alerts before you spend too much money and allow you a chance to react to potential billing spikes such as shutting down services or virtual machines.

I have previously written a short post on how to enable and configure the Azure Billing Alert Service which you should take a look at to find out more about how to configure this on your own subscription.

I hope that this post clarified the meaning of spending limits in Microsoft Azure, when you can and cannot use them and how to access the Azure Billing Alert Service alternative.

Repairing a Damaged SQL Azure Sync Group

As a follow-up to my TechNet Guide published previously on Configuring a Windows Azure SQL Sync Group, in this post, I will explain how to repair a broken sync group.

Firstly, let me explain how I broke it. I have two SQL Azure databases in sync: one database in the North Europe region and another in the West Europe region. Following some security advice for WordPress, I decided I wanted to change the table prefixes for my database from the default of wp_. I made all of the required changes to the config.php file, on the database tables and all the other changes required as per the article guide I used at http://wpcanada.ca/2009/how-to-change-wordpress-table-prefix/. After doing this, I couldn’t do anything to the blog: edit posts, author new posts, delete posts. I busted out SQL Server Management Studio to manually delete the post I was trying to clear out and I got an error message that there was a problem with the trigger.

I’m not a SQL expert so I hadn’t encountered triggers before but I could tell from the trigger name, wp_posts_dss_delete_trigger what this was. The trigger was based on the old wp_ table prefixes and now my prefixes are different. I logged into Windows Azure Management console and tried to update the database schema through the Sync Group configuration which succeeded but nothing was working still.

After much T-SQL research and experimentation, I got the fix.

Backup Everything

I can’t stress this point enough which is why it is in red, a colour which I normally try to avoid at all costs.

If you choose to follow this post to help recover a broken SQL Azure Sync Group and a potentially broken application trying to use that database, please make sure you back everything up. The changes we will make to the database in the following steps have the potential to ruin your day if done improperly and I can’t be responsible for any data loss as a result.

The easiest way to backup a SQL Azure database is from the Windows Azure Management portal which allows you to generate a .bacpac file which is an export of the entire database schema and table contents. This .bacpac file will be written to a Windows Azure Storage BLOB Container of your choice.

Clear and Delete the Sync Group

Firstly, you need to clear out the Sync Group. Full instructions for this are on Windows Azure MSDN at http://msdn.microsoft.com/en-us/library/windowsazure/jj991914.aspx but in a nutshell, remove any reference databases from the Sync Group first, leaving only the Hub database. Once this is done, delete the Sync Group, leaving you with standalone, non-communicative databases.

Next, login to your SQL Azure database using either the Windows Azure SQL Management console or via SQL Server Management Studio from your own machine. You should be connecting to the database which was formerly the Hub database as this is our primary and the one which needs rescuing. We’ll deal with the Reference databases at the end of the process.

Drop the Sync Group Database Tables

View the tables in the database and you should see a number of tables which have the schema prefix DataSync instead of the usual dbo. There are four tables as standard for all databases which have the following names:

  • DataSync.provision_marker_dss
  • DataSync.schema_info_dss
  • DataSync.scope_config_dss
  • DataSync.scope_info_dss

There will also be other DataSync tables which match your existing pre-change table names. Drop all of the DataSync tables. The T-SQL query for this is as follows:

Repeat this process for your custom-named DataSync tables. In my case these were WordPress table names such as DataSync.wp_posts_dss_tracking.

Drop the Sync Group Triggers

This was the hardest part for me to find information on and complete. With all of the tables dropped, we’re halfway there, but the triggers are the actual problem, not the tables. Each table has three associated triggers for INSERT, UPDATE and DELETE actions. The triggers are what tell the Sync Group that the Hub database has a change that needs to be replicated to other copies of the database.

First, we need to find all of your triggers. The following code is courtesy of Joe Stefanelli on Stack Overflow at http://stackoverflow.com/questions/4305691/need-to-list-all-triggers-in-sql-server-database-with-table-name-and-tables-sch.

This will output a query result with a list of all of the triggers on the database, the trigger name and the table for which it is registered. Right click the trigger_name header in the query result and select the Copy option. Open a New Query window and paste the output into the query window which now gives you a list of all of the triggers. On the first line, prepend the syntax DROP TRIGGER to the line then copy the DROP TRIGGER syntax down onto the start of each line.

For me, this gave me the following query ready to execute (for WordPress remember):

Ensuring that your query is pointed at the correct database if you are using the SQL Server Management Studio, now press the Execute button to execute the query. You should get the response Command(s) completed successfully.
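As an added worked example covering both the table drop and the trigger drop steps above (this is my own T-SQL, not the post’s missing query and not Joe Stefanelli’s listing query), the script below builds the DROP statements from the catalog views instead of copying and pasting them by hand. It assumes the Data Sync objects live in a schema literally named DataSync and that the sync triggers carry a _dss_ fragment in their names, as the wp_posts_dss_delete_trigger example in the post does; the @execute switch is my own addition so the generated statements can be reviewed before anything is dropped.

```sql
-- Added example, not the post's own query. Run in the former Hub database
-- only after the Sync Group has been deleted and a .bacpac backup taken.
-- Assumptions (from the post's naming): DataSync schema, *_dss_* triggers.
SET NOCOUNT ON;

DECLARE @execute bit = 0;          -- 0 = print the statements only, 1 = print and run them
DECLARE @sql nvarchar(max) = N'';

-- 1. Sync metadata and tracking tables all live in the DataSync schema
--    (provision_marker_dss, schema_info_dss, scope_config_dss, scope_info_dss
--    plus one <table>_dss_tracking table per synced application table).
SELECT @sql += N'DROP TABLE ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
             + N';' + CHAR(13) + CHAR(10)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE s.name = N'DataSync';

-- 2. The INSERT/UPDATE/DELETE triggers Data Sync put on the application
--    tables. DML triggers are scoped to the parent table's schema, so the
--    DROP TRIGGER name is qualified with that schema. The name filter is an
--    assumption based on the post's trigger names; it stops any triggers
--    belonging to the application itself from being swept up.
SELECT @sql += N'DROP TRIGGER ' + QUOTENAME(s.name) + N'.' + QUOTENAME(tr.name)
             + N';' + CHAR(13) + CHAR(10)
FROM sys.triggers AS tr
JOIN sys.tables AS t ON t.object_id = tr.parent_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE tr.is_ms_shipped = 0
  AND tr.name LIKE N'%\_dss\_%' ESCAPE N'\';

-- 3. Review the generated statements first; only execute once they look right.
PRINT @sql;
IF @execute = 1 AND LEN(@sql) > 0
    EXEC sys.sp_executesql @sql;
```

Leaving @execute at 0 and reading the PRINT output is the check worth doing here: if the list contains a trigger or table that is not a Data Sync artefact, the name filter or schema assumption does not hold for your database and the script should not be run as-is. Afterwards, re-running the trigger SELECT on its own should return nothing, which is the same “triggers are now history” state the post verifies by testing the application.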

Testing the Database

With this done, the triggers are now history which should bring your database back to life. Either use your application which drives the database or if you are comfortable doing so, try some INSERT or UPDATE queries against the database to verify this. If you get any errors it means you either missed a table or a trigger during the drop phases. If your database works then congratulations, your application is no longer a brick but we now need to restore the Sync Group functionality.

Delete the Reference Database(s) (Optional)

This step is optional but I did it for cleanliness. As we’ve basically just completely doctored the schema and operation of a database, I didn’t like the idea that my Reference replica of the database was in an even worse state. I elected to delete the Reference database and create a new database in its place. You can either delete the database from the Windows Azure Management portal or from SQL Server Management Studio while connected to the SQL Server.

Please make sure you delete the Reference database and not the Hub database if you do this. If you delete the Hub by accident then you’ve just deleted the database which we spent the time fixing up.

Recreate the Sync Group

Recreating the Sync Group to get you back in business for resilient SQL Azure databases services means following the steps in my previous post Configuring SQL Azure Sync Groups. The only thing which you need to account for is the fact that your SQL Servers already exist and your Hub database already exists. Assuming you performed the optional step above to delete the Reference databases, you’ll need to do the following:

  1. Create new Reference databases.
  2. Create a new Sync Group.
  3. Configure the Hub and Reference partnership for the Sync Group.
  4. Scan the database schema and select the options to Sync.
  5. Enable automatic time based sync (if you are using this mode).

The previous post has the full details and screenshots should you need it for referral.

Hopefully you’re all back in business now and this post has helped you get out of a hole. The lesson I learnt here is that if you are making major changes to a database which is configured in a SQL Azure Sync Group then consider removing the databases from the Sync Group and deleting the Sync Group first; once all your changes to the schema and table names are complete, you can re-create the Sync Group and get your resiliency back on.

Microsoft User Experience Virtualization (UE-V) 2.0 Review

In this post I’m going to show you Microsoft User Experience Virtualization (UE-V) 2.0 which is a really nice product from Microsoft for customers with access to Microsoft Desktop Optimization Pack (MDOP). MDOP is available as a free entitlement to customers with Software Assurance on their Windows Enterprise Desktop licenses. UE-V is designed as a 21st century replacement to Roaming Profiles.

Roaming Profiles Backstory

I’ve been a long time fan of Roaming Profiles whether you use them as a means to deliver virtual desktop infrastructure (VDI), a means to allow users to logon to multiple conventional desktops throughout a business or as a crude method to centrally backup user data so that if their laptop or other computing device fails, simply logon to a new machine and you get back the same experience.

Lots of people have hated on Roaming Profiles for their shortcomings, which they do indeed have: slower logon times, issues with the synchronisation of the profile between multiple machines and the occasional profile corruption issue. Some of the stigma with Roaming Profiles is alleviated when you combine it with folder redirection, another technology which I am a fan of, however it’s still not perfect.

Roaming Profiles and Windows 8.1

Roaming Profiles have definitely taken a back seat in Windows 8 and Windows 8.1. Log in to a Windows 8 or Windows 8.1 machine using a domain account that is set up with a Roaming Profile and you will quickly see that even when you connect a Microsoft Account (MSA) some things just don’t work properly. Despite all my attempts to correct it, the OneDrive immersive UI app just never worked properly and Sync Settings between multiple PCs is completely disabled with all of the options greyed out to prevent their use.

I wasn’t too bothered about the lack of Sync Settings previously. This is mainly because of the fact that I work from home on a machine joined to my home domain with my other PC, a Surface Pro tablet connected to the same domain with the same roaming profile so my settings would sync in that manner but in a scenario where I could be using a work computer joined to a work domain means I wouldn’t have any sync activity between home and work. If you use a Surface RT or a Surface 2 running Windows RT you are in the same situation as even on the same network, you cannot domain join Windows RT leaving you with no sync options.

The lack of the OneDrive app did leave me feeling a little bit at a loss, but not so much as I could quickly access OneDrive using the website and OneDrive worked just fine on my Windows Phone. The real kicker arrived with Windows Phone 8.1 Preview and tab sync for Internet Explorer. I’m a tab abuser and I commonly am known to have in the region of 20 tabs open for various work and non-work related things, all in various states of read and unread, so not being able to sync these tabs between my desktop for the day job, my Surface for intensive evening browsing and my Windows Phone for casual pickup browsing hurt.

Introducing UE-V

User Experience Virtualization (UE-V) came to my attention a year or so ago when I was working with Application Virtualization (App-V), also from MDOP but I’d never seen the reason to try it out when Roaming Profiles worked for me but with the now lack of Internet Explorer tab sync between my devices, it made me want to have a go and see if it could improve my roaming experience by any amount.

Whereas Roaming Profiles captures the entire Application Data Roaming folder from the user profile and copies the changes back and forth between the clients and the server hosting the profile share at logon and logoff, UE-V works with a client-side agent which reads application data from a UE-V User Settings share at application runtime and writes back changes at application close.

Features of UE-V

The changes are captured per-application and not for the profile as a whole, which means the change delta sync is very fast to converge and isn’t dependent on the user logging on or off whilst connected to the corporate network. Working in tandem with the Offline Files sync provider on the client allows users to make changes to application settings which get written back to the share as soon as the agent detects a connection to the network, making this a technology which could work really well with DirectAccess remote access technologies. This silo approach to sync also means that in the rare event of any corruption occurring whilst synchronising, the damage would be limited to only one application and not your whole profile. All of these settings are sent back to the server in small files with the format .pkgx and are structured in an easy to understand hierarchy per application.

UE-V User Settings Packages

Because UE-V works not by operating as a roaming profile but instead as a man in the middle, monitoring your applications, tracking changes to settings and recording them to the central store, it doesn't interfere with the way Windows handles profile state. For Windows 8 and Windows 8.1 users this means that you can connect a Microsoft Account (MSA) to a domain user account and the Sync Settings options are available and work, and also that native apps like the OneDrive app work and sync properly, which was my main driver for taking UE-V for a test drive.

UE-V Agent

This per-application nature of UE-V is perhaps also its Achilles' heel, depending on the nature of your user base. Because UE-V works with applications and not profiles, it needs to know about your applications. For default Microsoft applications such as Notepad, WordPad and Calculator, and Windows 8 immersive UI applications such as Weather, Sports, Finance and the like, you can enable and disable the sync of settings out of the box, either manually on the client or with a Group Policy Object using the UE-V ADMX file from the Microsoft Desktop Optimization Pack Group Policy Administrative Templates download. UE-V also natively supports Office 2007 and 2010; Office 2013, however, is not natively supported in UE-V 2.0, but more on that in a minute.

To support custom applications, including Office 2013, you need XML files (settings location templates) to provide application definitions. These definition files can either be generated by you as an administrator for your custom line of business (LOB) applications using the Microsoft User Experience Virtualization Generator, or you can download XML files generated by others from the TechNet Gallery and hope that they fit your need. A template tells the agent which registry keys and files to capture for a process, so treat a community template like any other third-party code and review what it collects before deploying it. Microsoft thankfully provide an official set of XML files for Office 2013 for UE-V 2.0 which you can get from the TechNet Gallery in the form of either the Microsoft Authored Office 2013 (32-bit) UE-V Template or the Microsoft Authored Office 2013 (64-bit) UE-V Template. Standard community issued XML files can be obtained from the main UE-V list on the TechNet Gallery.

Deploying UE-V

Deploying UE-V is really simple. Because the .pkgx files generated for each application are typically very small and are transmitted across the network in a much friendlier manner than the giant burst of traffic you would have observed with Roaming Profiles, it requires little planning or infrastructure on either your SMB file share server or your network capacity.

The UE-V agent is installed using an .msi file which means you can install it via a Group Policy Software Installation policy, using a Computer Configuration startup script from a Group Policy Object, via System Center Configuration Manager or any other deployment toolkit which can accept an .msi file. You could even use System Center Updates Publisher (SCUP) 2011 to generate a custom update for the .msi file and deploy it using Windows Server Update Services (WSUS) if you have that implemented instead of a full product suite like SCCM and the GPO approach doesn’t take your fancy.

Configuration of the agent is done via the Group Policy ADMX settings, which can be applied on a per-computer or a per-user basis, allowing you to hone your deployment as you see fit for the business needs. If you are using System Center Configuration Manager you could use the System Center 2012 Configuration Pack for Microsoft User Experience Virtualization download from Microsoft to fully integrate the management of UE-V and SCCM into a single pane of glass.

In terms of the SMB file shares, in its simplest form you need two shares: one for user settings packages and one for your custom XML templates. Permissions on the custom templates share simply need to be Read for Domain Computers, as the agent reads the template catalog in the context of the computer; only administrators should be able to write to it, because whoever can change a template controls what the agent collects from every user. Permissions on the user settings packages share, where user data will be written, require similar permissions to a Roaming Profiles share: your users (Domain Users, for argument's sake) get Create Folders at the root of the share only, and Creator Owner gets Full Control on sub-folders so that each user owns their own folder and cannot read anyone else's.
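The two shares described above, built with the permissions just listed, as an added PowerShell example (this is not code from the original post or from Microsoft). It assumes a Windows Server 2012 or later file server (for New-SmbShare), a domain called CONTOSO, local paths under D:\UEV and the group names shown; all of those are placeholders to adjust for your environment.

```powershell
# Added example: create the UE-V settings store and template catalog shares
# with least-privilege NTFS and share permissions. Run elevated on the file server.
$Domain        = 'CONTOSO'          # assumed domain NetBIOS name
$SettingsPath  = 'D:\UEV\Settings'  # assumed local path for user settings packages
$TemplatesPath = 'D:\UEV\Templates' # assumed local path for the template catalog

foreach ($p in $SettingsPath, $TemplatesPath) {
    New-Item -ItemType Directory -Path $p -Force | Out-Null
}

# Build an NTFS ACL from scratch with inheritance from D:\ disabled, so that
# only the rules we state below apply to the share root.
function Set-UevAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadX   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$RootCreate = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories, Traverse, ReadAttributes, ReadPermissions'
$AllInh  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoInh   = [System.Security.AccessControl.InheritanceFlags]::None
$SubOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly   # "subfolders and files only"
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Settings store: users can only create a folder at the root ("this folder only");
# CREATOR OWNER then gets Full Control on what they created, so each user owns
# their own folder and nobody else's. SYSTEM and admins keep Full Control throughout.
$settingsRules = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM', $Full, $AllInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Admins", $Full, $AllInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Users", $RootCreate, $NoInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER', $Full, $AllInh, $SubOnly, $Allow))
)
Set-UevAcl -Path $SettingsPath -Rules $settingsRules

# Template catalog: the agent reads it as the computer account, so Domain Computers
# only need Read; Domain Users get Read for interactive checks. Nobody but admins
# can write, since a modified template changes what every agent collects.
$templateRules = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM', $Full, $AllInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Admins", $Full, $AllInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Computers", $ReadX, $AllInh, $NoProp, $Allow)),
    (New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\Domain Users", $ReadX, $AllInh, $NoProp, $Allow))
)
Set-UevAcl -Path $TemplatesPath -Rules $templateRules

# Share permissions stay coarse and let NTFS do the fine-grained work. Access-based
# enumeration hides other users' settings folders from the directory listing.
New-SmbShare -Name 'UEVSettings$' -Path $SettingsPath `
    -FullAccess "$Domain\Domain Admins" -ChangeAccess "$Domain\Domain Users" `
    -FolderEnumerationMode AccessBased | Out-Null
New-SmbShare -Name 'UEVTemplates$' -Path $TemplatesPath `
    -FullAccess "$Domain\Domain Admins" -ReadAccess "$Domain\Domain Computers", "$Domain\Domain Users" | Out-Null
```

The hidden share names (trailing $) are a convention, not a control; the NTFS rules are what keep one user out of another's .pkgx files. Check the result with Get-Acl on a user's sub-folder after their first sync: the folder should show that user and CREATOR OWNER with Full Control and no entry for Domain Users.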

Creating custom XML files is pretty simple and painless, so long as you have a reference computer with the applications you want to capture settings for installed. Launching the application so that the generator can monitor the registry and file locations it accesses, closing the application and then saving your XML file is about as hard as it really gets.

UE-V XML Generator

Deployment of the XML files to the agents is a simple case of copying the files into the template catalog share you created earlier.
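Before a downloaded or home-grown template is copied into the catalog it is worth checking what it asks every agent to collect. The following PowerShell is an added example (not from the original post or from Microsoft) of that vetting step: it validates each staged template against the schema with the UE-V 2.0 PowerShell module, lists the processes, registry paths and file paths the template captures, refuses anything that reaches into a sensitive hive, and only then copies approved templates to the catalog. It assumes the UE-V 2.0 agent is installed on the admin workstation (that is where the UEV module comes from), templates are staged in C:\UEV\Staging, the catalog share is \\files\UEVTemplates$, and that the template XML uses the SettingsLocationTemplate/Name, ID, Processes/Process/Filename, Settings/Registry/Path and Settings/File/Path elements of the UE-V 2.0 template schema; the deny list is a constructed starting point, not Microsoft guidance.

```powershell
# Added example: vet UE-V settings location templates before publishing them.
Import-Module UEV   # ships with the UE-V 2.0 agent

$Staging = 'C:\UEV\Staging'             # assumed staging folder
$Catalog = '\\files\UEVTemplates$'      # assumed template catalog share

# Registry path prefixes no template should ever roam (constructed list; extend it).
$DenyRegistryPrefixes = @(
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'Software\Microsoft\Protected Storage System Provider',
    'Software\Microsoft\SystemCertificates'
)

# Summarise what a template captures. Element names assume the UE-V 2.0 schema.
function Get-TemplateSummary {
    param([string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('u', $xml.DocumentElement.NamespaceURI)
    [pscustomobject]@{
        File      = Split-Path $Path -Leaf
        Name      = $xml.SelectSingleNode('/u:SettingsLocationTemplate/u:Name', $ns).InnerText
        ID        = $xml.SelectSingleNode('/u:SettingsLocationTemplate/u:ID', $ns).InnerText
        Processes = @($xml.SelectNodes('//u:Processes/u:Process/u:Filename', $ns) | ForEach-Object { $_.InnerText })
        Registry  = @($xml.SelectNodes('//u:Settings/u:Registry/u:Path', $ns)     | ForEach-Object { $_.InnerText })
        Files     = @($xml.SelectNodes('//u:Settings/u:File/u:Path', $ns)         | ForEach-Object { $_.InnerText })
    }
}

$approved = @()
foreach ($t in Get-ChildItem -Path $Staging -Filter *.xml) {
    # 1. Schema validation. The agent would refuse a malformed template anyway,
    #    but it is better to find out here than in the client event log.
    try   { $result = Test-UevTemplate -Path $t.FullName -ErrorAction Stop }
    catch { Write-Warning "$($t.Name): failed schema validation ($_), skipped"; continue }
    if ($result -is [bool] -and -not $result) { Write-Warning "$($t.Name): not schema compliant, skipped"; continue }

    # 2. Policy check: refuse templates that capture sensitive registry locations.
    $s   = Get-TemplateSummary -Path $t.FullName
    $bad = $s.Registry | Where-Object { $p = $_; $DenyRegistryPrefixes | Where-Object { $p -like "$($_)*" } }
    if ($bad) { Write-Warning "$($t.Name): captures $($bad -join ', '), skipped"; continue }

    # 3. Show the reviewer exactly what will be roamed, then mark it approved.
    '{0}: "{1}" (ID {2}) tracks {3}; registry: {4}; files: {5}' -f $s.File, $s.Name, $s.ID,
        ($s.Processes -join ', '), ($s.Registry -join ', '), ($s.Files -join ', ')
    $approved += $t
}

# 4. Publish approved templates only. Agents pick them up on their next
#    scheduled catalog sync; no per-client registration is needed.
foreach ($t in $approved) { Copy-Item -Path $t.FullName -Destination $Catalog -Force }
```

Run it as an account that has write access to the catalog share; the agents themselves only ever need read. If a template trips the deny list but you genuinely need it, edit the template's Registry paths down to the application's own key rather than whitelisting the template as a whole.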

UE-V Template Store

Microsoft also had the foresight to include an option in the UE-V ADMX Group Policy extension which allows you to enable sync either for an administratively controlled list of Windows immersive UI apps, or for all unlisted Windows immersive UI apps, so that any app the user installs from the Windows Store or any app you develop as a business and sideload using your Enterprise sideloading rights will be tracked too.

UE-V ADMX Settings

With a suitable selection of XML files in the Template Store, the client will, on its next scheduled sync with the store, begin to include any new templates, as I previously alluded to and as shown below.

Roaming Profiles and UE-V Co-Existence

UE-V and Roaming Profiles can co-exist perfectly, which makes migration super simple. In any environment, you can simply roll out the UE-V agent to your clients and set up your Group Policy with the appropriate settings to point users to the correct SMB file shares: one for their own settings to be stored and a second for your custom XML definitions. Once deployed, you can let UE-V sync application settings for users whilst the Roaming Profile is still in effect and, when you have decided that the overlap has run its course, remove the Roaming Profile path from the user's Active Directory user object. The profile for that user will be converted back from a Roaming Profile to a Local Profile and UE-V, which will already have captured all their application settings, becomes the single source of authority for them.

For me personally, I'm not the kind of user with a long list of applications. I found with some monitoring that I had all the applications I needed for UE-V to be successful for me in sync within about a week of normal working practice. Once the week was up, I pulled the Roaming Profile attribute from my user object and, free of the Roaming Profile logon delay and the associated lack of Sync Settings in Windows 8.1, was left with a Local Profile and all the Sync Settings I could ever want.

In an environment with a long list of applications you may need a month or more to successfully overlap the deployment of the two, but either way it's totally achievable and with the right amount of overlap your users probably won't even notice the change. I'm still using Folder Redirection with Offline Files to keep my Documents and other vital folders protected, but I think that feature will be a given for any company; it's the profile that's the real issue here.

The Future for UE-V

Microsoft have just recently made the UE-V 2.1 Beta available via Microsoft Connect. I haven't yet tried this as it was made available only a few days after I deployed UE-V 2.0 here, but I will be looking at it soon. The release notes promise better control over some of the settings requested through customer feedback on UE-V 2.0 and include native support for Office 2013, so you no longer need the custom XML templates for it.

UE-V certainly has a good future and if you are in the market for a Roaming Profiles replacement I would definitely look at it.

Hide Quick Launch in SharePoint 2013

In SharePoint 2010, we had a method for hiding the Quick Launch on a SharePoint site to clean up the interface look and feel if you are building out a site which doesn't benefit from having a Quick Launch.

In SharePoint 2010 we did this using a Content Editor Web Part and editing the source HTML of the Web Part to include some custom CSS. In SharePoint 2013, however, those same CSS selectors don't work because Microsoft have changed the names of some of them. In SharePoint 2013 we hide the Quick Launch using the following approach.

Add a Script Editor Web Part from the Media and Content category.

Once you've added the Web Part, edit it (Edit Snippet) and add the following code snippet. Bear in mind that a Script Editor Web Part renders whatever HTML or script is placed in it for every visitor to the page, so anyone with edit rights on the page can use it to run their own script in other users' browsers; keep the content to style rules like these and restrict who can edit the page accordingly.

<style>
/* Let the content area reclaim the space the Quick Launch occupies */
#contentBox {margin-left:0px}
#contentRow {margin-left:19px}
</style>

If you want to take this a step further and hide the top navigation links as well, add one more rule inside the same <style> block, in addition to the two already specified for the Quick Launch:

/* Hide the top navigation bar as well */
.ms-core-navigation {display:none}

Microsoft EMET 4.1 Review

Microsoft Enhanced Mitigation Experience Toolkit (EMET) is something which has seemingly been around for years, a little known and less travelled piece of Microsoft software. In this post I'm going to explore what EMET is, what it has to offer and briefly how it works.

What is Microsoft EMET

Microsoft EMET (Enhanced Mitigation Experience Toolkit) is a piece of software which can be deployed as part of a defence-in-depth strategy to protect computers running Microsoft Windows. EMET hooks into the processes it protects and applies exploit mitigations (DEP, ASLR, SEHOP, export address table filtering, ROP checks and the like) that make the techniques exploits depend on fail, terminating the process when one of them is detected. Because EMET blocks techniques rather than recognising particular samples, there are no definitions to keep up to date as there are with anti-virus software, which works by protecting against known attacks. EMET isn't looking for the known but instead for the unknown, although it is not a silver bullet: researchers have published bypasses for its mitigations, so it belongs alongside patching and anti-virus rather than in place of them.

Believe it or not, EMET has been around for some time, although it's largely never heard of. Even I, as a Microsoft bigot, hadn't heard of EMET until about six months ago when I accidentally stumbled upon it.

EMET has been available since 2009, when Windows XP was still the mainstream desktop, with new versions slipping out on a regular basis. The current general availability release is version 4.1 Update 1 and there is a version 5.0 available in Technical Preview. Version 4.1 Update 1 supports operating systems from Windows XP Service Pack 3 all the way up to Windows 8.1 and Windows Server 2012 R2. The version 5.0 Technical Preview drops Windows XP; Windows Vista Service Pack 2 is the oldest client operating system it supports. Whether this is down to the end of support for Windows XP and therefore a purely commercial withdrawal is unknown, but given that the EMET agent is a 32-bit process even on 64-bit installations of Windows, it would be nice to think that there is some evolution happening and not just iteration.

Who is Microsoft EMET Designed For

EMET is not designed for home use due to the potentially complex nature of its configuration. You could safely deploy EMET at home if you left it in its default state protecting Office, Adobe Reader and Java, but I wouldn't recommend it without knowing what you are doing. EMET is designed for enterprises who want to add an additional layer of defence and protection to their client computers on top of anti-virus and firewall software.

What Does Microsoft EMET Protect

Out of the box, EMET's Recommended Software profile protects Internet Explorer, Microsoft Office, Adobe Reader and Oracle Java, but because of the way EMET is built it can be extended to protect any application you desire. This needs to be approached with caution: enabling certain mitigations can cause applications to crash if EMET treats an operation as malicious when in fact it is desired behaviour. Microsoft have a list of known issues with EMET and application compatibility at http://support.microsoft.com/kb/2909257, and there are various threads on the TechNet Forum discussing other compatibility issues with EMET.

The key takeaway is that you need to test EMET thoroughly before widespread deployment. Enabling mitigations in EMET can easily break an application, or a whole system if you enable mitigations for something key to hardware or operating system function (such as the known issue with ATI video drivers). Roll new mitigations out to a pilot group first, leave EMET's event log reporting switched on so that a blocked operation is recorded rather than showing up only as an unexplained crash, and widen the scope only once the pilot is clean.

Reading the Microsoft Security Research and Defense blog at http://blogs.technet.com/b/srd/ you can find some pretty complex, deep-dive information on how the various mitigations in EMET work and how EMET has been able to thwart some of the more recent zero-day exploits. I for one don't at this moment in time understand what SEHOP means or how it protects me, I just know that it does, although I do intend to read up on these various protection types.

What Does Microsoft EMET Cost

Nothing; it's free for anyone who wants to download and install it. It's worth noting that currently only EMET version 3.0 is available for support through the Microsoft support channel of Microsoft Premier Support for enterprises. This is a very good reason to make sure you test the deployment of new mitigations in EMET before deploying them, but I would consider whether deploying EMET 3.0 is the right thing to do regardless of support. EMET 3.0 is quite an old version and misses out on the newest Certificate Trust (pinning) feature.

Microsoft EMET Client Deployment

Microsoft EMET is installed using a traditional .msi file which can be manually installed or can be deployed with Group Policy Software Installation, System Center Configuration Manager or a third-party application management solution.

Microsoft EMET 4.1

When launched, the client shows the current status of the four system-wide protection types: DEP, SEHOP, ASLR and Certificate Trust (Pinning). DEP should be familiar to most system administrators as a Windows feature since Windows XP Service Pack 2, however SEHOP and ASLR will likely require some research. Certificate Trust, introduced in EMET 4.0, lets you detect man-in-the-middle attacks on SSL/TLS connections made by Internet Explorer: for each pinned domain, EMET records the root Certification Authority expected at the top of the certificate chain and raises a warning when Internet Explorer is presented with a chain for that domain that ends in a different root. Out of the box it pins domains belonging to Microsoft Windows Live, Office 365, Skype, Facebook and Twitter. This is a really nice feature and one that I'm personally a fan of, although I would like to see more certificates listed by default, such as Google's.

If you opt for the EMET 5.0 Technical Preview there are additional new features too, but being a Technical Preview you are even further beyond the scope of support, so do this at your own risk.

Microsoft EMET 4.1 Custom Certs

The Apps configuration list allows you to enable and disable mitigations for specific applications as well as define custom applications to be protected by EMET.

Microsoft EMET 4.1 Custom Apps

Microsoft EMET Client Configuration

When configuring EMET you have a number of options. You can do this per client manually, using Group Policy with the provided ADMX file, or with a configuration export. A configuration export gives you the most flexibility, however it requires you to have a reference computer configured with EMET to your current specification. Once configured, you can export the configuration to an XML file with EMET_Conf.exe which you can then import on other EMET clients automatically, using System Center Configuration Manager for example, or any other tool that can run EMET_Conf.exe elevated on the client.

Configuration using Group Policy is simple and allows you to control almost everything, such as the status of the system-wide protections and user-defined application protections, including which mitigations to apply for them, however it does not appear to allow you to configure certificate trust pinning. I've used Group Policy in my scenario as it was the easiest for me to implement and administer.
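The export-and-import route, as an added PowerShell example (not code from the original post or from Microsoft) of the kind of script you would hand to Configuration Manager or a startup script to push a tested baseline to clients. It assumes EMET 4.1 is installed in its default folder, that the baseline was exported from the reference machine with EMET_Conf --export to a read-only share at \\files\EMET\baseline.xml, and that you recorded the file's SHA-256 hash at export time (all of those paths and the hash are placeholders). Get-FileHash needs PowerShell 4.0 (Windows 8.1 or WMF 4.0); on older clients substitute certutil -hashfile.

```powershell
# Added example: import a tested EMET 4.1 baseline on a client. Run elevated.
$EmetConf = Join-Path ${env:ProgramFiles(x86)} 'EMET 4.1\EMET_Conf.exe'
if (-not (Test-Path $EmetConf)) { $EmetConf = Join-Path $env:ProgramFiles 'EMET 4.1\EMET_Conf.exe' }
if (-not (Test-Path $EmetConf)) { Write-Error 'EMET 4.1 is not installed on this machine.'; exit 1 }

$Baseline  = '\\files\EMET\baseline.xml'                   # assumed read-only share
$LocalDir  = Join-Path $env:ProgramData 'EMET'
$LocalCopy = Join-Path $LocalDir 'baseline.xml'

# On the reference machine this is the one-off step, after hand-testing the
# mitigations with the pilot group:
#   & $EmetConf --export \\files\EMET\baseline.xml
# The exported XML carries the system-wide settings, the per-application
# mitigation list and the Certificate Trust pinning rules (check for a Pinning
# section in the file), which is why import is the route when the ADMX does
# not expose pinning.

# Verify the baseline is the file you tested before applying it: anyone who can
# write to that share could otherwise switch every mitigation off fleet-wide.
$ExpectedSha256 = 'REPLACE_WITH_SHA256_RECORDED_AT_EXPORT'  # placeholder
$actual = (Get-FileHash -Path $Baseline -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Write-Error "Baseline hash mismatch ($actual); refusing to import."
    exit 1
}

# Work from a local copy so a flaky network share cannot leave a half-applied import.
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Copy-Item -Path $Baseline -Destination $LocalCopy -Force

# --import replaces the local EMET configuration with the baseline.
& $EmetConf --import $LocalCopy
if ($LASTEXITCODE -ne 0) {
    Write-Error "EMET_Conf --import failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Post-check: capture what is now configured for the deployment log, and
# fail loudly if the system-wide settings did not take.
$listing = & $EmetConf --list
$listing | Out-File -FilePath (Join-Path $LocalDir 'applied.txt') -Encoding UTF8
if (-not ($listing -match 'DEP')) {
    Write-Error 'EMET_Conf --list shows no system mitigations; investigate before widening the rollout.'
    exit 1
}
$listing
```

Because --import overwrites whatever the client had, keep the exported baseline under change control and re-export it whenever the reference machine changes; a stale baseline silently reverting a fix that the pilot group needed is the usual way this goes wrong. The same EMET_Conf --list output is also what to diff against after a client reports an application crash, to confirm which mitigations were actually in force.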

Microsoft EMET 4.1 GPO

Is Microsoft EMET Worth Deploying

This is a good question and one I considered before I deployed it at home for myself, and I came to the conclusion of yes. Windows 8.1 is a good operating system with lots of protections included out of the box, such as Windows Defender and Windows Firewall. It is regularly updated and patched by Microsoft to address performance, security and other issues, closing holes as they are found, and the success of the Windows Update service means that this patching is commonplace and reliable. System Center Endpoint Protection 2012 R2, which I use as my anti-virus product, does a great job of scanning for known viruses, but as a senior Symantec executive said in a recent interview, anti-virus is "dead" (http://www.engadget.com/2014/05/06/symantec-declares-antivirus-dead/). Protecting systems at as many other levels as is viable and logical therefore makes a lot of sense, and a product which is free from Microsoft can only help to do this.

On my PC at home I have EMET running in the recommended security configuration and the process is consuming 14.9MB of memory. On my fairly standard desktop PC with 8GB of RAM or my Surface Pro tablet with 4GB, 14.9MB is nothing to even think twice about and, for that little bit of memory consumption, it's a little extra peace of mind keeping me safe at all times.

If you try out EMET for yourself or if you have used it previously, please get in touch and let me know what your personal experiences are. I’d like to hear from anyone with previous experience with EMET due to the somewhat unknown nature of this product.
